Getting Infected over a Network

Discussion in 'other security issues & news' started by nineine, Sep 26, 2009.

Thread Status:
Not open for further replies.
  1. nineine

    nineine Registered Member

    Joined:
    Sep 13, 2009
    Posts:
    140
    Here's a little something I have been curious about for a long time. I have my computer connected on a home network of 3 computers. All of them have file/printer sharing turned on so we can see files/folders that are shared on each other's PCs.

    Now what I want to know is, is it possible for my PC to get infected with this kind of setup if I do not actually open any of the shared files from other PCs? So if I am on PC1 and I look in PC2's shared folder, will I be safe from infection until I actually execute an infected file? What if PC2 is infected with malware but the specific shared file that I choose to open is not infected? I hope you guys can clear up this confusion for me.

    I am in the process of selecting security software, backing up data, formatting, and installing new OSes on all of our home computers. One thing I have been seriously considering doing is completely disabling file and printer sharing through both Windows and a software firewall. The answers from this thread will allow me to make a final decision on this.

    Oh, and one more extra question. Is it possible to stop computers from being able to share and even see each other via a router and/or its built-in firewall? Thanks everyone!
     
  2. estervantes

    estervantes Registered Member

    Joined:
    Nov 15, 2007
    Posts:
    44
    I am relatively uninformed about computing and networks, but as no one else has responded to your appeal, I suggest that you open Network and Sharing in Vista (or the equivalent file in XP) and read about the options available there. Bearing in mind my lack of expertise in this area, I think it unlikely that you would get infected without executing files on other networked computers. Of course, you can set folder and file permissions for each user for folders and files you wish to share, thereby minimizing the capacity of infected computers in the network to infect other computers. SRP and forced sandboxing for such folders would probably further reduce the possibility of infection.

    I hope someone knowledgeable about networking can comment on securing home networks.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If the malware happened to be the Conficker worm and the PCs did not have the MS08-067 patch installed, the worm would spread via the open TCP ports 139 and 445 used for file sharing.

    This was one of the reasons the worm was able to infect so many computers in bunches on networks.

    ----
    rich
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    In a local environment, you do have to have some level of trust. But, you can tweak things here and there. For example, you can set your server service (XP) to manual. In this fashion, you can only be 'browsed' when you start the server service. You can create shares (when the server service is running) and set permissions etc. Then keep the server service off. Now, you can browse other computers that have their server service on, but they cannot browse you because you are not really visible, in a sense.

    Start or stop the server service from command line.
    Slow way: net start server (net stop server)
    Fast way: sc start lanmanserver (sc stop lanmanserver)

    You can also play with your firewall and NetBIOS ports: 137, 138 & 139. You may use WFW, a 3rd party firewall or IPsec rules. By opening or closing different ports, you will be visible or not in different fashions. I cannot remember offhand now, but I think only allowing 139 kept you from being 'resolved'. Meaning you are not really publicly declaring yourself present. But, if you were to use the run box and enter in your IP, such as this
    \\192.168.0.4
    presuming your IP is .4, then another computer could connect directly to you. When 139 (I think) is open and the others closed, just using a run box like this
    \\ComputerName
    will not work. It must be in the form of an IP address, again as long as your server service is running.

    You can also play around with your ICMP settings, opening and closing different ones to get the effect of being able to receive some sorts of replies, but not replying yourself. It has been some time since I messed with those, but it is interesting how all of these things relate to how 'stealthy' you are in your own LAN.

    However, perhaps the single greatest threat that I am aware of in my feeble skills revolves around what service or program you have running that is holding a port open for communication that could be exploited. For example, if you have some chat program running, and another computer in your LAN picks up a virus which is designed to exploit the opening of your chat program, then you are under attack from within. I don't know of a way around that except to ensure your programs are patched and some more advanced firewall configs.

    Of course take a grain of salt with everything. HIPS or other security measures could shore up your defenses. But forget them and play with your network and the settings you have available, learn a little something. You may not understand why it happens, but knowing that it does and how to implement it goes a long way. A long way towards something, but I am not sure what, other than time spent 'geeking' lol.

    Sul.
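
Added example, not part of any post in this thread: a Python check that reads `netstat -an` output and lists which of the file-sharing ports mentioned above (UDP 137/138, TCP 139/445) are open to other PCs on the LAN. The sample netstat text and all function names are constructed for illustration.

```python
import re

# File-sharing ports named in the thread, with their standard roles.
SHARING_PORTS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service (SMB over NetBIOS)",
    ("TCP", 445): "SMB directly over TCP",
}

# Constructed sample of `netstat -an` output from a PC at 192.168.0.4.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.4:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.4:1041       192.168.0.2:445        ESTABLISHED
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  UDP    192.168.0.4:137        *:*
  UDP    192.168.0.4:138        *:*
  UDP    0.0.0.0:500            *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def exposed_sharing_ports(netstat_text):
    """Return (proto, port, local_addr) for sharing ports bound on a LAN-facing address."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, _foreign, state = m.groups()
        port = int(port)
        if (proto, port) not in SHARING_PORTS:
            continue  # only the LOCAL port matters; outbound connections are skipped
        if proto == "TCP" and state != "LISTENING":
            continue  # UDP rows have no state column; a bound socket counts as open
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback only, not reachable from other PCs
        found.add((proto, port, addr))
    return sorted(found, key=lambda t: (t[1], t[0]))

def report(netstat_text):
    """One human-readable line per exposed sharing port."""
    return [f"{p}/{n} on {a}: {SHARING_PORTS[(p, n)]}"
            for p, n, a in exposed_sharing_ports(netstat_text)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)) or "No file-sharing ports exposed")
```

Running it against real output captured before and after a firewall or service change shows which of the four ports that change actually closed.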
     