Ann Arbor Business to Business
Small Business and the Internet

A Trojan at the Firewall

August 2003

By Mike Gould

A recent article in the New York Times detailed evidence that the Russian Mafia is attempting to hijack unsuspecting PCs in this country. I'm not making this up. Similar to a virus attack, a hijack happens when an unprotected PC harbors an unsuspected bit of software that carries out nefarious deeds, such as shilling for porn sites or scamming PayPal users. PCs at risk are ones that are attached to the Internet directly via DSL or cable modem, but not protected by a firewall.

What's a Firewall? A firewall is a piece of hardware or software that sits between you and the Internet, protecting you from a variety of badness. This is a brief overview intended to spur you into investigating the matter further. Remember: the PC you save could be your own and it might already be compromised. Business users are advised to seek professional help.

NOTE: The following is intended for broadbanded Windows users only. Users of Macs and any flavor of Unix can sit this one out, although you can snicker from time to time at all the woe that Windows folks have to endure, courtesy of the machinations of Bill Gates, et al. (Truth be told, though, a firewall is always a good idea; it may only be a matter of time before hackers figure out a way to compromise Macs and Unix boxen as well.)

In other words, you are at risk if you (A) use Windows and (2) are connected to the Internet via Comcast or DSL without installing special software or a router. Folks connecting with regular modems aren't generally connected long enough for bad guys to get to your computer, but this might not always be the case.

How Does This Happen? This threat is so new that the exact means of infection is unknown. Initially reported on 7/11/03, this has been now classified as a trojan (as in "trojan horse") and given the name of backdoor.migmaf ("migmaf" stands for "migrant mafia"). A trojan is like a virus in that it is software that is invasive, stealthy and evil, but it differs in that a virus lives to reproduce - a trojan has other aims. This is one of the first recorded trojans that seems to be aimed at making money; it lives to turn your PC into a money-collecting robot, acting as a conduit for credit card numbers extracted via chicanery. The backdoor reference describes how your computer has been left with an open "back door", i.e., its connection to the Internet, allowing the take-over.

More information is available here:

http://www.lurhq.com/migmaf.html http://www.symantec.com/avcenter/venc/data/backdoor.migmaf.html

Whatever the means of entry, once the software has attacked your system, it sets itself up in business, running in the background as long as your PC is running and connected. This exploit (or 'sploit, as hacker feats are called) is made possible by turning your computer into what is known as a reverse proxy server. The Times describes it thusly:

(the trojan)…turns a computer into a conduit for content from a server while making it appear to be that server.

In other words, your computer appears to others as the source of come-ons for porn, scams, or whatever. Not a good situation.

How Do You Protect Yourself?
Install a firewall. A firewall in your car sits between you and the engine, protecting you from exploding pistons, or something. A firewall for your computer sits as a physical box next to your cable modem or inside your DSL router, or sits as software, keeping an eye out for suspicious activities. Sort of like Cerberos guarding the gates of Hell.

I have a router attached to my Comcast-supplied cable modem, sitting between the modem and my computer. Any malefactor trying to sneak in via my cable hookup will see my router but not my computer, which is safely ensconced on the other side. A properly-configured DSL box also acts as a router.

Routers are now inexpensive commodity items, available from CompUSA and hundreds of sites on the Web. I have a Linksys router, and it has worked just fine for a couple of years now.

You can read more about routers in an article I wrote here a while ago ("Touting Routers"):

http://mondodyne.com/b2b/smbiznet.33.shtml

On the software side, there are many firewall products available. Here is a site that specializes in reviews and listings of such:

http://www.firewallguide.com/

Port Scanners
And here is a way to test your system for porosity: there are sites which will scan your PC for you, looking for ways in. Big Hairy Caveat: this sort of thing is not without risks; as a port scan (a server somewhere looking for backdoors to your system) will also give the scanner information it can use to compromise your security. I would suggest only running this if you are fairly sure you are protected, or with a router or something standing by to implement if the report comes back that you are vulnerable. That said, here are some analyzers for you:

http://security.symantec.com/sscv6/home.asp?j=1&langid=ie&venid=sym&plfid=10&pkj=TBKQLSIVFWMFKPXKBQW (This is home of Symantec, a respected vendor of anti-virus software)

https://grc.com/x/ne.dll?bh0bkyd2

http://www.auditmypc.com/

I ran all of the above on my router-protected Mac, and, as expected, got a clean bill of health. I hope you do as well.

The Big Three things to do to protect your system
Install the latest patches from Microsoft, which correct known weaknesses.
Install anti-virus software and keep it updated.
Install a firewall.

A big Mondo thanks to David Bloom and fellow Factotem.com members Richard Stiennon and Nanette Andrusiak who aided greatly in the preparation of this article.

Mike Gould is a mouse wrangler for the U of M, runs MondoDyne Web Works, is a member of Fac·totem.com, and welcomes comments addressed to mgould@mondodyne.com.

MonodoDyne <M> The Sound of One Hand Clicking...
734 904 0659
Entire Site © 2018, Mike Gould - All Rights Reserved