Pessah Cleansing, PC Style

By David Shamah, The Jerusalem Post, Friday, April 22, 2005

So how are the Pessah preparations going? By now, the house ought to be clean and neat – all ready for the kids to start messing up again. Bread crumbs are one thing, but matzo is even messier, so you'll want to keep that vacuum and broom oiled and ready to go. It's important, though, not to forget the true meaning of the holiday – the "inside" part, as opposed to the external cleaning that takes place. The idea that you want to clear out the leaven outside, in your home, as well as on the inside, in your inner being, is a common one among Jewish philosophers and kabbalists.

As the human world goes, so does the computer world. Your PC, too, goes through the same internal and external preparation process. You flip over your keyboard to shake out the crumbs and maybe dust off the fan. But that's just the external cleaning process. Inside, your computer needs to make a fresh start, as well.

All winter, you've been collecting "leaven" – viruses and suspicious e-mails with all sorts of attachments, which you make sure never to open, of course (this is a good place to note that a plain-text e-mail, as annoying as it may be, cannot harm your computer; to do that, the e-mail must carry an attachment). You've got an anti-virus program and a firewall. But even with all that protection, your computer is still vulnerable – to trojans, the preferred method used by Internet no-goodniks these days to wreak their particular brand of havoc.

A virus, as we all know by now, is a program that, if left to run unfettered, will attempt to execute itself and cause whatever type of destruction its makers intend. Usually, viruses are designed to take advantage of known security holes in Windows, such as areas of the Registry that have been publicized as being "weak," i.e. vulnerable to some sort of DLL replacement or the like, to allow a remote user to take control of your system for their own nefarious purposes.

If a virus operates like a regular program, how does Windows differentiate between "regular" programs and viruses? On its own, it cannot; the only way your system can know which programs are safe and which aren't is by using an anti-virus program. These programs are always updating their profiles, which are basically lists of programs that are known to be problematic. As long as you keep your profile up to date and keep your anti-virus program active, you should be able to successfully avoid viruses that come in e-mails or Internet downloads. Recently, I've been using Avast anti-virus, a free program that efficiently checks every download and incoming piece of e-mail for garbage. It downloads updates to its profiles every day, and even announces vocally when it has found a virus (get it from http://www.avast.com/eng/products.html; free for home/non-commercial users).

So far, so good. By now, everyone is aware of the efficacy of anti-virus programs, and no sane person would try to work with the Internet or e-mail without one. But remember, your anti-virus program is only as good as its profile.
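
To make the "profile" idea concrete, here is an added example that is not from the column and is not Avast's code or data: a toy signature scanner with a constructed database. It shows why a scanner is only as good as its profile: a known sample is caught, a slightly altered variant slips through until the profile is updated, and a hash-only update is defeated by a one-byte change. The names (Demo.Mailer.A, Demo.Mailer.B), the marker strings and the sample "files" are all invented for the example.

```python
import hashlib
import re

# Constructed signature database for this example; it is not Avast's profile
# or any vendor's real data.  Each value is a hex byte pattern in which "??"
# stands for any single byte, the wildcard style used by ClamAV body signatures.
SIGNATURE_DB = {
    # "MZ", three bytes we do not care about, then the constructed marker string
    "Demo.Mailer.A": "4D5A" + "??" * 3 + b"BAD-MAILER-v1".hex(),
}


def compile_pattern(hexpat: str) -> re.Pattern:
    """Turn a hex pattern with ?? wildcards into a bytes regex."""
    if len(hexpat) % 2:
        raise ValueError("hex pattern must have an even number of characters")
    parts = []
    for i in range(0, len(hexpat), 2):
        token = hexpat[i:i + 2]
        parts.append(b"." if token == "??" else re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(parts), re.DOTALL)


class SignatureScanner:
    """Matches files against a profile of byte patterns and SHA-256 hashes."""

    def __init__(self, db: dict):
        self._patterns = {}
        self._hashes = {}
        for name, hexpat in db.items():
            self.add_signature(name, hexpat)

    def add_signature(self, name: str, hexpat: str) -> None:
        self._patterns[name] = compile_pattern(hexpat)

    def add_hash(self, name: str, sha256_hex: str) -> None:
        self._hashes[sha256_hex.lower()] = name

    def scan(self, data: bytes) -> list:
        """Return the sorted names of every signature that matches the data."""
        hits = set()
        digest = hashlib.sha256(data).hexdigest()
        if digest in self._hashes:
            hits.add(self._hashes[digest])
        for name, pattern in self._patterns.items():
            if pattern.search(data):
                hits.add(name)
        return sorted(hits)


# Constructed sample "files": a known bad one, a variant with one byte changed,
# and a harmless one.  None of these are real malware.
SAMPLES = {
    "known": b"MZ\x90\x00\x03" + b"BAD-MAILER-v1" + b"\x00" * 16,
    "variant": b"MZ\x90\x00\x03" + b"BAD-MAILER-v2" + b"\x00" * 16,
    "clean": b"MZ\x90\x00\x03" + b"hello world" + b"\x00" * 16,
}


def demo() -> dict:
    """Scan before and after a profile update; returns the verdicts."""
    scanner = SignatureScanner(SIGNATURE_DB)
    before = {label: scanner.scan(data) for label, data in SAMPLES.items()}

    # A profile update that adds only the hash of the variant (the quickest
    # kind of signature a vendor can ship once a sample is reported).
    scanner.add_hash("Demo.Mailer.B", hashlib.sha256(SAMPLES["variant"]).hexdigest())
    after = {label: scanner.scan(data) for label, data in SAMPLES.items()}

    # A hash signature is brittle: appending a single byte defeats it, whereas
    # the wildcard pattern above survives changes in the bytes it ignores.
    padded = SAMPLES["variant"] + b"\x00"
    return {"before": before, "after": after, "padded_variant": scanner.scan(padded)}


if __name__ == "__main__":
    for stage, verdicts in demo().items():
        print(stage, verdicts)
```

The `??` wildcards let one pattern cover variants that differ only in bytes the signature ignores, which is why vendors prefer byte patterns over whole-file hashes where they can; the trade-off is that a pattern which is too loose starts matching clean files.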

What happens if a hazardous program is not in an anti-virus program's database? What if it does not have the characteristics of a "bad" program – at least at first? There is a whole class of programs out there, called trojans, that start out by doing nothing, and later, on a signal from their master, will attempt to do all sorts of nefarious things, like steal passwords, use your computer to send spam, or destroy your Windows installation – just for the fun of it.

These trojan programs, named after the infamous Trojan Horse of Greek mythology, come disguised as a legitimate program, or as a subroutine of a program you download. Sometimes, a trojan "hatches" into a virus while it's on your hard drive, but then it is likely to be caught by an anti-virus program, ruining the "fun" for the anti-social jerk who sent it to you in the first place.

To avoid detection, many trojans consist of very simple components when they arrive on your computer – basically, they act as clients that connect you to a server, which gives them instructions on what to do on your system (if this sounds to you like what a cookie does, you're right; the significance of this will become clear below). In fact, you can get trojans just by surfing to a Web page, if the trojan disguises itself as a cookie and your default Web surfing options are set to accept cookies!

Some trojans have been known to confiscate portions of your system and enslave them to their own purposes; using your e-mail account to send someone else's spam is a common application for trojan clients of remote servers. Viruses can do this as well, but again, chances are you will catch a virus that does this, because it is listed as a "bad" program and it functions as a program from within your computer. But if a remote server is operating something inside your system from outside the computer, with the only evidence being a simple set of connection instructions and a process in your process list, you may not realize something is wrong until it actually goes wrong.
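
One way to look for the evidence the column describes, a process holding a connection to a remote server, is to cross-reference the connection table with the process list. The script below is an added example, not from the column or from any product: it parses constructed `netstat -ano` and `tasklist` output (every line, PID, program name and address is invented for the example), ignores connections to local networks, and reports established connections held by programs that are not on a short list of expected network users. The allowlist and the local-network ranges are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample output in the shape of `netstat -ano` and `tasklist` on
# Windows; every line, PID, program name and address below is invented.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1044       192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.5:1051       203.0.113.10:80        ESTABLISHED     1420
  TCP    192.168.1.5:1062       198.51.100.7:6667      ESTABLISHED     2212
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0      236 K
svchost.exe                    880 Console                    0    4,120 K
iexplore.exe                  1420 Console                    0   18,904 K
update_helper.exe             2212 Console                    0    2,344 K
"""

# Networks this machine is expected to talk to directly (assumption for the example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Programs expected to hold outbound connections on this machine (assumption).
EXPECTED_NETWORK_PROGRAMS = {"iexplore.exe", "outlook.exe"}

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text: str) -> list:
    """One dict per connection row; header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text: str) -> dict:
    """Map PID -> image name from tasklist output."""
    images = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if m:
            images[int(m.group(2))] = m.group(1).strip()
    return images


def is_local(address: str) -> bool:
    """True for addresses inside LOCAL_NETS or non-addresses such as '*'."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True
    return any(ip in net for net in LOCAL_NETS)


def find_unexpected(netstat_text: str, tasklist_text: str,
                    expected: set = EXPECTED_NETWORK_PROGRAMS) -> list:
    """Established connections to remote hosts held by programs not on the allowlist."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for conn in parse_netstat(netstat_text):
        if conn["state"] != "ESTABLISHED":
            continue
        host, _port = conn["remote"].rsplit(":", 1)
        if is_local(host):
            continue
        image = images.get(conn["pid"], "<unknown>")
        if image.lower() in expected:
            continue
        findings.append({"pid": conn["pid"], "image": image, "remote": conn["remote"]})
    return findings


if __name__ == "__main__":
    for f in find_unexpected(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']} ({f['image']}) is connected to {f['remote']}")
```

On a real machine the two listings would come from the commands themselves rather than from embedded strings. A hit only says that a program you did not expect is talking to a remote host; the next step is to identify that program and what it is connecting to, which is exactly the sort of subtle evidence the column says anti-trojan tools have to chase.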

Unless you get a copy of Ewido, that is. Ewido does for trojans what anti-virus programs do for viruses – it gets them at the root, before they have a chance to hatch.

Ewido works the same way as anti-virus programs, scanning your system and automatically downloading an updated database of new threats daily. But Ewido has a considerably harder task than "regular" anti-virus programs. Viruses more or less thrive on the naivete of e-mail recipients, who, when told to "look at this amazing picture!", say "OK", click on the attachment, and open the floodgates of hell on their systems. But trojans are much sneakier by nature. So, the "signatures" Ewido searches for in files are much more subtle.

Among the tricks employed by trojan makers is packing their payload with super-compression programs, putting it out of reach of anti-virus programs. Two of the most popular trojan transport tools are UPX and Aspack, which not only compress executables – they encrypt them as well. Ewido also checks for "bound" trojans – programs that attach themselves (or are attached by someone) to a "legitimate" download, hiding in the background until you decompress or install the software you've downloaded, thereby installing themselves too. When you run the legit program, the trojan program runs as well.
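
As an added example that is not from the column or from Ewido, the following script shows one way an anti-trojan scanner can spot an executable that has been through a packer such as UPX: it reads the PE section table and flags both the default UPX section names and any section whose byte entropy is close to that of compressed or encrypted data. The PE builder, the two sample executables and the 7.0 entropy threshold are constructed for the example.

```python
import hashlib
import math
import struct

# Default section names written by the UPX packer.  Renaming them is trivial,
# which is why the entropy check below is used alongside the name check.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random, compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Read the PE section table; returns name, raw size and entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0"), "raw_size": raw_size,
                         "entropy": shannon_entropy(raw)})
    return sections


def assess(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag an executable whose sections look packed; a heuristic, not a verdict."""
    reasons = []
    for s in parse_sections(pe):
        label = s["name"].decode("ascii", "replace")
        if s["name"] in UPX_SECTION_NAMES:
            reasons.append(f"section {label!r} uses a UPX default name")
        if s["raw_size"] >= 256 and s["entropy"] > entropy_threshold:
            reasons.append(f"section {label!r} has entropy {s['entropy']:.2f}")
    return {"likely_packed": bool(reasons), "reasons": reasons}


def build_pe(sections: list) -> bytes:
    """Constructed minimal PE (DOS header, COFF header, no optional header) for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + len(coff) + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed samples.  The "packed" one carries 8 KiB of hash output as a stand-in
# for a compressed/encrypted payload; the other holds ordinary low-entropy content.
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
PLAIN_PE = build_pe([(b".text", b"\x55\x8b\xec\x90" * 300),
                     (b".data", b"plain text section. " * 40)])
PACKED_PE = build_pe([(b"UPX0", b""), (b"UPX1", HIGH_ENTROPY)])

if __name__ == "__main__":
    for label, pe in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, assess(pe))
```

Packing on its own proves nothing: plenty of legitimate software ships UPX-compressed, and a trojan author can rename the sections in one line. Treat a hit as a reason to unpack and scan the real payload, not as a verdict.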

Dialers, which will force your dial-up modem to call expensive toll numbers; worms, which specialize in distributing themselves to people in your e-mail address book; and keyloggers, which try to record your keystrokes in the hope that you will type out your credit card number, are among the tasks trojans may try to carry out.

But Ewido knows what to watch out for. Its signature files encompass no fewer than 105,000 things to watch out for! Running it on my system, it discovered a suspicious file in a compressed (zipped) folder; I haven't had the nerve to open up the file and see if it really is suspicious. That file, along with any other suspects Ewido rounds up, can be deleted immediately or put into quarantine for later analysis.

I mentioned before that a cookie – even a legitimate one – has some properties in common with trojans, in that it allows an entity outside your computer access to data on your hard drive. And hiding nefarious trojans inside a cookie-type file is a known method of distributing trojans, as we mentioned. So it was no surprise to me that the vast majority of suspicious files Ewido picked up were cookie files, which I also quarantined for later examination. If they check out, I can tell Ewido that they're kosher; otherwise, I can blast them to oblivion. And when you kill off a baddie, the program will get rid of all the debris – leftover files, folders, etc.

Ewido updates itself regularly, comes in a bunch of languages, and even provides e-mail support – in its free version! There is also a premium version that allows real-time scanning of files as they come in and automatic updates (the free version does not have a scheduler), as well as protection from trojans that try to disable Ewido (you get the full power of Ewido for 14 days; afterwards the premium version costs $29.95). Anti-virus is nice, but Ewido is what you need for a total pre- or post-Pessah cleaning.

Download Ewido from http://www.ewido.net/en. For Windows 2000/XP.

ds@newzgeek.com