
Malware – Viruses, Worms, and Trojans (Oh My!)

Tuesday, November 8th, 2011 (No comments yet)

Malware is a term for any computer code that is intended to do any combination of the following:

  • Provide access to your computer

    Some code gives hackers the ability to access and modify files on your computer. If you're lucky, they will just browse around and leave stuff alone. Others might change your wallpaper or leave a text file so you know they were there (which, while frightening, is typically harmless).

    A real prankster might randomize the filenames in your primary documents folder or replace a slide in your Friday presentation with a highly explicit photo (again, irritating, but generally harmless).

  • Steal

    Home computers have goodies like personal information, financial data, and login information for web services. This type of data is used for single-instance theft, long-term identity theft, or to mask the bad guy's activities by using your online accounts as if they were their own.

  • Exploit

    There are many illegal things that aren't safe for a hacker to do on their own machine so if they can manage to make your computer do it for them, they will. This includes attacking other machines, sending Spam, or providing a place to store illegal pornography or hacked software.

  • Destroy

    Either to cover their tracks after one of the above or because they're plain mean, one of the worst things that malware writers will do is to destroy data on your machine. In some cases, it's possible to erase your entire hard drive sending all your hard work into the binary abyss.

  • Spread

    One of the primary functions of malware is to spread. It has become a challenge of sorts, a "who can beat the world's record?" sort of game for hackers. The winner in this game is whoever gets their virus to spread as fast, as far, or as virulently as possible.

    In the end, some spreading malware is brilliantly crafted and some is simple, but all are dangerous to the Internet-dependent world.

  • Help?

    Believe it or not, there was at least one case where someone wrote malware to help people. One frustrated computer user knew that there was a software update to fix a security hole in Windows XP, but many people weren't downloading it. As a result, they were vulnerable to viruses. So, rather than stew about it, he took action.

    Using publicly available information, he wrote a virus that exploited the hole. The virus was supposed to take over the machine, download the software patch and install it, then spread to other machines. Our good samaritan may have had honest intentions, but as it spread, it disrupted the target machines and left security holes in its wake.

Why should you care?

These vicious programs are inconvenient at best and disastrous at worst… and that's just for an individual. Taken in a world context, the Internet and systems that depend on it (which is expanding every day) could be interrupted or shut down.

Soon, money will exist only in cyberspace and telephone lines will be a thing kids laugh about in history books. As our dependence on computers grows, so do the risks associated with malware.

The three major forms of malware are listed below along with simple and effective strategies for dealing with them.

Trojans

What is it?

A trojan is any program that has a secret function to do the bad stuff listed above. They are often disguised as a normal program and may even provide the function you expected, but with a catch.

How do you get it?

If you see a "free" utility to organize all your computer wallpapers, you may decide, "hey! that's cool" and give it a try. The problem is that any software you load on your computer (from a store or the Internet) has a chance of containing secret code. Generally, store-bought software is much lower risk, but this isn't always the case.

How do you protect against it?

  1. Get an anti-virus and use it!

    Most anti-virus programs will also scan for trojans. As trojans are discovered, anti-virus companies add their signatures to the list of bad stuff to scan for. However, this only works if you have an anti-virus installed, update it regularly (every day or every few days), and scan your computer with it (every week, or more often if you can).

  2. Use software that's more likely to be safe – Large software vendors can't tolerate the legal ramifications and bad press that comes with discovery of a trojan. It is also more likely that trojans will be discovered because of the large user base and greater scrutiny given to products from large software vendors. For these reasons, most store-bought software can be reasonably trusted.

    Even safer are programs written under an open source philosophy (where hundreds or thousands of individuals from diverse backgrounds can review and contribute to the code). Hiding a trojan in these is next to impossible when it only takes one honest author of the program to discover and blow the whistle. As a bonus, most open-source software is freely available online!

  3. Use a software firewall – When a program attempts to contact someone on the Internet or someone on the Internet tries to connect to you, the software firewall will block it, alert you or both. This is similar to the bouncers who control access to night clubs. If the connection (either in or out) is unexpected or unknown, it is blocked.

    By using a software firewall, you can have assurance that randomly downloaded software is safe. For example, if you download a "free" calculator program and it tries to connect to the Internet (which a calculator program shouldn't have to do), you can bet that something is up.

    Some programs try to connect to the Internet to get updates or perform other legitimate tasks, but in general, I block anything from accessing the Internet unless it needs to (Internet browsers, for example).

Worms

What is it?

Worms are programs, but unlike trojans, they are designed to spread without your help. Worms can be far more dangerous because they can spread from computer to computer very rapidly, sometimes choking the Internet with their traffic. A classic example is the Sapphire worm of 2003. Evil though it was, you have to respect a program that infected 90% of all vulnerable systems in only 10 minutes.

Why do bad guys use them?

Worms always begin with a vulnerability. Let's say, for example, that a particular server product has a flaw that, if attacked, will let a hacker control your computer. After gaining access, the hacker installs some of his software on your machine that will send Spam for him, then attacks another machine from yours.

A worm is simply an automated script that performs these functions for the hacker. The general formula is: attack, do something, spread.

How do you get it?

You must be running the software that the worm is designed to exploit on a machine that's connected to the Internet (some worms spread other ways, but the Internet is the most common). For example, the many exploits that target Windows-based systems won't affect Apple products.

How do you protect against it?

  1. Don't run buggy software – Certain brands of software are historically more vulnerable than others. If you have the choice, choose a software vendor with a better track record.

  2. Update software often – Most software vendors offer free, online software updates so that when a vulnerability is discovered, it can be patched in a hurry.

  3. Use a software firewall – Most people have no idea what kind of services are running on their computer. One way to get a handle on it is to run your software firewall which will alert you to any programs that try to listen for connections. If it's a service you know shouldn't be running, use your firewall to block it.

  4. Anti-virus – Depending on the worm's function, an anti-virus can help protect your computer. For example, if a worm tries to erase your hard drive, your anti-virus may notice and stop it (I've actually seen this).

    Anti-virus! Get one and use it!

    Also, worms are always associated with a file of some kind. Virus scans can find and remove these files (most of the time).

Viruses

What is it?

Viruses are a special topic that is near and dear to my heart, as you will soon learn. But before that: a virus is most like a worm, but can be more restricted in the following ways:

  • Viruses aren't full programs. They require a "host" to run.
  • They can only run when the host is running. So like the worm, they can only infect certain programs, but instead of running free once they get in, they can only run while the program they infect continues to run.
  • They are more limited in their activities. For example, a worm can do anything a computer can be programmed to do, while a virus may be limited to the functions its host program can perform.
  • They don't actively spread, they travel by being attached to other things like programs or e-mails and can't perform their dastardly deed until that program or e-mail is run/opened.

Why do bad guys use them?

For any of the reasons listed above. Viruses in particular are written because they use the host software to do most of their work, so in general, viruses are much faster and easier to write.

How do you get it?

Like worms, you have to be running the software with the vulnerability. The virus will take advantage of the coding flaw to make its own code part of the normal execution of the program. This way, every time the program is run, the virus is too.

How do you protect against it?

  1. Anti-virus – Use an anti-virus. Update it regularly. Set it to scan your computer a minimum of once or twice a week.

    Get the anti-virus. Use the anti-virus. Are you noticing a trend yet?

Special Topic – Macro Viruses

Background

You've probably heard of macro viruses. You receive an e-mail with an interesting sounding subject line like "I love you". When you open the file, there's a document attached and you're curious so you open it to see what it is. OH NO! IT'S A VIRUS!

Macro viruses are interesting in that they infect documents rather than programs. This is because macro viruses don't need to take advantage of any exploit and they don't have to alter the host program to operate. No, macro viruses work because the target programs actually look for and execute any macro code they find in your file.

What is a macro?

Your boss has given you a task. Copy all cells from a spreadsheet into a text document, but only if the value is more than five. Though there are many ways to do this, let's say you choose to manually click on a cell, copy it, change to the text document, and paste it.

After the first 70 or so, you start to think "there must be a better way!" Enter the macro. A macro will take a series of repeated steps (such as the one just described) and repeat it. In this case, you might write a macro that, when activated, checks the current cell for a value more than five and copies it to the text file if it is. Following that, the macro checks to see if the next cell down is blank and if not, moves to the next cell down and repeats itself.

People who work with documents quite a bit can find macros to be a very useful way to automate a series of menial tasks that repeat.

Microsoft Office?

Of all productivity suites, Microsoft Office is by far the most used. Nearly every large corporation runs it and many students and home users do too. Being a feature loaded program, Microsoft certainly couldn't ignore macros.

It just so happened that there was already a coding language that Microsoft used to write applications for Windows called Visual Basic. By adding an interface to the language from within the Office products, their users could write code snippets to do dang near anything.

The macro virus

Here's the problem, not everyone who writes macros is a good person. Since macros are easy to write and launch whenever a document is opened, they are extremely enticing to virus writers.

Just imagine! In less than 20 minutes, I can write a virus in a Word document that when sent to any user of Microsoft Outlook, will activate and spread to the next user. That's quite an exciting prospect for such a small investment of time on my part.

Fixing the problem… sort of

Much work has been done to mitigate the threat of this fast-growing type of virus. Anti-virus programs have been altered to look for macros, special macro-virus scanners have been developed that you can buy separately, and a huge effort across the computing community has been made to educate users about the dangers of opening attachments from users you don't know.

Wow. So much work for a problem that I could fix in 20 minutes. "20 minutes?" you say? Yes. Possibly less.

The REAL problem

Document files such as music, video, and text are made to contain data, NOT CODE. Getting a virus from an e-mail is like walking downtown, looking across the street at a movie poster, and getting a venereal disease. How on earth does a virus magically appear from simply looking at static data? It doesn't.

You don't get viruses from static files unless a program is written specifically to look for and execute code in that file.

It is impossible to get a virus from an e-mail or any other type of static data file… without help that is. Microsoft's implementation of macros is to scan for and execute macros when a file is opened. This is like a guy hiding in the bushes waiting to stick people with needles full of VD when they look at the movie posters.

Please note that I don't mean to imply that Microsoft is the only company whose software is susceptible to macro viruses, but it is certainly their popularity (a large number of vulnerable hosts) combined with a poorly thought-out macro function that makes this such a problem.
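A concrete illustration of the data-versus-code point above, and of what a macro scanner actually looks for, added here as an example and not code from the original article. In the Office Open XML formats introduced with Office 2007 (.docx/.docm, .xlsx/.xlsm), a document is a ZIP container; any VBA macro project lives in a separate binary part (by convention word/vbaProject.bin or xl/vbaProject.bin) and is declared in the container's [Content_Types].xml manifest. A scanner can therefore tell "data only" from "data plus code" without executing anything. The older binary .doc format that the screenshots below refer to stores macros differently and is not handled here; the sample documents are constructed in memory and the macro part is a placeholder string, not a real VBA project.

```python
"""Flag Office Open XML documents that carry a VBA macro project.

Added example, not from the original article. An OOXML file (.docx, .docm,
.xlsx, .xlsm) is a ZIP container. Macro code is never mixed into the text of
the document: it sits in its own binary part (by convention word/vbaProject.bin
or xl/vbaProject.bin) that is declared in [Content_Types].xml. A scanner can
therefore tell "data only" from "data plus code" without running anything.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Content type Office assigns to the VBA project part, and the OPC namespace
# used by the [Content_Types].xml manifest.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def find_macro_parts(data: bytes) -> list[str]:
    """Return sorted names of parts that carry macro code or mark the file macro-enabled.

    Three independent signals are checked, because a file may satisfy only some:
      1. a part named vbaProject.bin anywhere in the container,
      2. a manifest Override declaring the VBA project content type,
      3. a main-part content type containing "macroEnabled" (.docm/.xlsm/.pptm).
    An empty list means no macro code was found.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an OOXML container (for example a legacy binary .doc)

    found = set()
    for name in zf.namelist():
        if name.lower().endswith("vbaproject.bin"):
            found.add(name)

    try:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    except (KeyError, ET.ParseError):
        return sorted(found)  # no usable manifest; keep what the listing gave us

    for elem in root.iter(f"{{{CT_NS}}}Override"):
        ctype = elem.get("ContentType", "")
        part = elem.get("PartName", "").lstrip("/")
        if ctype == VBA_CONTENT_TYPE or "macroEnabled" in ctype:
            found.add(part)
    return sorted(found)


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style container in memory (constructed data).

    The vbaProject.bin payload is a placeholder string, not a real VBA project.
    """
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    if with_macro:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Types xmlns="{CT_NS}">' + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")  # stand-in for the text body
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean.docx", build_sample(False)),
                        ("macro.docm", build_sample(True))):
        parts = find_macro_parts(blob)
        print(f"{label}: {'macro code in ' + ', '.join(parts) if parts else 'no macro code'}")
```

The point of checking three signals rather than one is that the file extension and any single marker can be renamed or stripped; the presence of the binary part is what matters. A document that comes back with an empty list is the "static data" case the article describes, and one that does not is carrying code that the opening program would look for and run.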

The REAL solution

There are several. Microsoft could restrict the commands that macros can perform so that "bad" behavior couldn't happen. Any file with macros could pop up a warning before any were executed, allowing the user to prevent code from launching when they know a particular file should only contain data. And best of all: make OFF the default setting for macros!

The reason that macros are so dangerous is that there are so many computers out there that are susceptible. If we eliminate the "hosts", a macro would not spread as fast or as far. To do this, Microsoft could issue a patch that turns off macros in all Office products. Anyone advanced enough to write macros would also be savvy enough to turn the function back on, while the vast majority of normal users (home users, students, business people who don't use such advanced documents) would never notice them missing and would no longer be part of the pool of possible hosts.

By removing a giant percentage of the available hosts, macro viruses would falter and fade into the annals of history. How long would it take Microsoft to write such a patch? I'm guessing about twenty minutes. How long would it take them to change the default in their office products to "macros off"? Mere seconds.

Why they haven't done it

Oh yeah? If it's so easy, why haven't they fixed it?

The simple answer is that it isn't profitable. For some reason that I'm not privy to, Microsoft must believe that this would inconvenience or impose upon some set of their customer base to a degree that it wouldn't be worth protecting the world's computing community.

I happen to know at least one Microsoft programmer and he's one of the smartest and most honest people I know. There's no way that people of their caliber aren't able to work out the solution as fast and easily as I did. I'm guessing some might even have fixed it the way I did... and here's how you can too.

How you can fix it

Do what I did. Uninstall the Visual Basic Scripting feature.

  1. Go to Add/Remove Programs and click the CHANGE button for Microsoft Office (In Windows XP)

    Step one to solving the macro virus problem

  2. Make sure the option for Adding or Removing features is selected then click NEXT

    Remove the Visual Basic Scripting feature from Office - step 2

  3. Click the + next to "Office Shared Features" and click the down arrow next to "Visual Basic for Applications". Select "Not Available" and click UPDATE and you're done!

    While you're here, you can get rid of that annoying office assistant (just a few items above the Visual Basic option). Turn it off the same way.

    The last step to removing macros from office - also where you can kill clippy (or get rid of the office assistant in other words)

For now, this will render you 100% immune from all Microsoft Office macro viruses.

Too late!

What do you do if it's too late and prevention didn't work? There is a way to semi-manually work through the settings and problems as described in this guide by Select Real Security. In it, he lists steps and tools for repairing the system from most types of attack in a fairly easy to understand way. Note that I have not personally validated the tools he recommends so you'll need to do some research first.

However, I should also point out that I wouldn't personally do the things described in that guide because it's fairly time consuming and isn't necessary in most cases. It's easy enough to use freely available anti-virus recovery disks (see a collection of them and a tool for loading and using them here) instead. Worst case, I think it would be a better use of time and more effective at the same time to carefully backup all the data on the system and reinstall it from scratch.

That said, different techniques are used for different situations, so use what works for you.
