[Zsd-news] ZSD Newsletter: Viruses, Trojans and Worms
I. Forbes
iforbes@zsd.co.za
Wed, 27 Aug 2003 14:53:25 +0200
Hi All
It has been a busy month for security problems on the internet.
Firstly there was the development of "identity fraud" against internet
banking accounts, the "blaster worm" has been making life difficult in
many large organizations and finally the "sobig.f" worm has made
itself felt - interestingly enough it appeared on the scene after I
wrote the first draft of this newsletter. Happily I can report that we
have had no reports of this virus being delivered to our users by
ZSD's e-mail server. However our mailboxes are overflowing with
warnings, error messages and sanitized copies of the worm.
I would like to take a step back from the media hype and have a
look at what these "malware" programs are, what they do, and what
simple precautions every user can take to prevent themselves from
becoming a victim.
HOW DO MALWARE PROGRAMS GET ONTO YOUR COMPUTER?
They can be:
- attached to an e-mail message
- downloaded from a web site
- found on floppy disks that have been used on "infected" machines.
- found on CD-ROMs and other media which were compiled in an
"infected" environment.
- copied directly onto your PC over a private LAN or internet
connection.
The one thing in common with all of these is that there is a
breakdown in the security controls of the PC. Either a program on
the computer, or the computer's operator, has to be "tricked" into
downloading and executing the malware program.
The program will then modify the start-up settings on the hard drive
so that the malware program is started again next time the computer
is rebooted. It may also take steps to copy itself onto other
computers, e.g. by sending out e-mails, searching (or "scanning") for
other computers on a network, and writing copies of itself onto
stiffy disks and shared network drives. Often more than one of these
methods will be employed.
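As an added example (this is not from the newsletter, and it is not any
particular product's code): a small Python script that reads the text of
a Windows Registry "Run" key export, the usual place where a worm
arranges to be restarted after a reboot, and flags entries that start a
program from a directory any user can write to, or that name the program
without a full path. The registry export, the value names and the paths
in it are all constructed for illustration, and the two Run keys shown
are only the most common of several auto-start locations.

```python
"""Flag suspicious auto-start entries in a Windows "Run" key export.

Added example, not code from the newsletter. The registry text below is
constructed: the value names and program paths are hypothetical.
"""
import re
from typing import List, Tuple

# Constructed stand-in for the output of `reg export` on the two Run keys.
# Backslashes and quotes are doubled/escaped exactly as .reg files do.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AcmeAntiVirus"="\"C:\\Program Files\\Acme\\acmeav.exe\" /tray"
"windows auto update"="update.exe"
"Loader"="C:\\WINDOWS\\TEMP\\ld.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Greeting"="C:\\Documents and Settings\\ian\\Local Settings\\Temp\\card.exe"
"""

# Locations an ordinary user (or a program the user was tricked into
# running) can write to. A program auto-started from here deserves a look.
USER_WRITABLE_DIRS = (
    r"c:\windows\temp",
    r"c:\temp",
    r"\local settings\temp",
    r"\application data",
)
EXE_EXT = (".exe", ".com", ".scr", ".bat", ".pif")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, command) for every string value in the export."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # Undo .reg escaping: \" -> " and \\ -> \
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            entries.append((key, m.group("name"), data))
    return entries


def program_path(command: str) -> str:
    """Extract the program from a command line, honouring quotes and
    unquoted paths that contain spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXT):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def classify(path: str) -> str:
    """Reason the entry looks suspicious, or '' if it looks ordinary."""
    low = path.lower()
    if not re.match(r"^[a-z]:\\", low):
        return "no full path: Windows will search for the program at start-up"
    for d in USER_WRITABLE_DIRS:
        if d in low:
            return "auto-starts from a user-writable directory"
    return ""


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (value_name, program, reason) for every suspicious entry."""
    findings = []
    for _key, name, command in parse_run_keys(text):
        prog = program_path(command)
        reason = classify(prog)
        if reason:
            findings.append((name, prog, reason))
    return findings


if __name__ == "__main__":
    for name, prog, reason in audit(SAMPLE_REG_EXPORT):
        print(f"{name!r}: {prog} -> {reason}")
```

To run it on a real machine, replace SAMPLE_REG_EXPORT with the text of a
file produced by reg.exe (for example `reg export
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`; the file is
UTF-16, so open it with encoding="utf-16"). A hit is a reason to look,
not proof of infection: some legitimate installers also drop programs in
the locations listed.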
WHAT DO THESE PROGRAMS DO?
The people who write these programs often incorporate a "payload".
This is whatever the program does beyond copying itself, and it is
usually what makes the user aware of the infection. Often the
payload simply displays a message. However nasty
payloads can delete information on hard drives. The most infamous
was the "Chernobyl" virus which exploited the fact that modern
computers allow the "BIOS" program to be updated and used this
functionality to damage it instead. The BIOS is the program that you
see running when you switch on the computer before it starts to load
the operating system. Computers damaged by the Chernobyl virus
could often only be repaired with the assistance of the
manufacturer. Some people had to replace their motherboards.
The recent ABSA Bank case involved a payload which monitored
keystrokes. When it had identified an internet account login it e-
mailed the details to an account where the fraudster could collect
them.
There are also unintentional payloads. For instance, confidential
information from the infected machine may be included in the
e-mails the malware sends out.
Undoing the changes made by these programs is often not that
easy. The malware can make many changes to the system settings,
and each must be found and put back to its original state. It often
happens that the computer is "cleaned" only to be re-infected
immediately, because one copy of the virus was left undetected or
another PC on the local area network is still infected. Often, by the
time the virus has been removed, enough files and settings have
been changed to force an entire reload of the machine anyway.
Thus virus removal often requires the assistance of a skilled
technician.
HOW YOU CAN PROTECT YOURSELF
The one thing in common with all of these programs, is they have to
"trick" something, either the computer or its operator, into allowing
the programs to be installed on the system.
There are a number of steps you can take, and I will deal with them
in order of importance.
- Don't let yourself get "Tricked"
This is easier said than done. The "tricks" come in many forms and
avoiding them requires vigilance. Be very careful opening e-mail
attachments from strange sources. Be warned that the "From:"
address on incoming e-mail is easily forged, and on viruses (and
spam) it normally is. Don't double click on things without thinking,
and if your computer stops and asks you a "Do you want to do this?"
type of question, don't say yes unless you know that you trust the
program.
One outrageous "trick" was an e-mail which claimed to send the
receiver a greeting card from a friend. To view the greeting card one
had to download and install a program. When the program was
installed it displayed a box with "conditions of use" and asked "do
you accept?" in the format that we have become familiar with. To
continue one had to accept the conditions. The program then
displayed the greeting card as well as some advertising. Then
came the sting - it proceeded to mail greeting cards to everybody in
the user's address book, personalized as being from that user. The
"trick" was in the conditions of use that the user agreed to when the
program was installed. These described exactly what the program
was going to do and required the user to agree to this - but who
stops to read that fine print? The distributors of the program got a
lot of publicity for their advertisers - and an extremely bad reputation
too.
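As an added example (not code from the newsletter, and not any mail
program's own checks): a small Python script that applies the two
warnings above to a message. It compares the From: domain with the host
named in the topmost Received: line, which is the line your own mail
server wrote and so the one a sender cannot forge, and reports whether
the envelope sender in Return-Path agrees with From:. It also lists
attachments whose final extension makes them programs rather than
documents. The two messages it runs on are constructed; every address,
hostname and IP address in them is hypothetical (the ZSD address is the
one at the foot of this newsletter).

```python
"""Two checks for an incoming e-mail: a From: header that does not agree
with the rest of the message, and an attachment of an executable type.

Added example, not code from the newsletter. Both messages below are
constructed; the addresses, hostnames and IP addresses are hypothetical.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

# File types that run as programs when double-clicked, whatever the name
# in front of the extension claims.
EXECUTABLE_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".vbs", ".cmd")

# Constructed: From: and Return-Path both claim a bank, but our server's
# own Received: line shows a dial-up host handed the message in, and the
# "document" is a .pif program.
SUSPECT_MESSAGE = """\
Return-Path: <accounts@bank.example>
Received: from dialup-17.example.net (dialup-17.example.net [192.0.2.17])
\tby mx.example.org with SMTP id k7c3; Wed, 27 Aug 2003 14:10:02 +0200
From: "Accounts Dept" <accounts@bank.example>
To: <user@example.org>
Subject: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached document.
--b1
Content-Type: application/octet-stream; name="details.doc.pif"
Content-Disposition: attachment; filename="details.doc.pif"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQgc2FtcGxlLg==
--b1--
"""

# Constructed: a consistent plain-text message with no attachment.
ORDINARY_MESSAGE = """\
Return-Path: <iforbes@zsd.co.za>
Received: from mail.zsd.co.za (mail.zsd.co.za [192.0.2.5]) by mx.example.org
From: "I. Forbes" <iforbes@zsd.co.za>
To: <user@example.org>
Subject: ZSD Newsletter
Content-Type: text/plain

Hi All
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value ('' if none)."""
    _display, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def sender_mismatch(msg: EmailMessage) -> str:
    """Compare From: with the host that handed the message to our server.
    The topmost Received: line was written by our own server; the lines
    below it, and Return-Path, can be forged along with From:."""
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    received = msg.get_all("Received") or []
    relay = received[0].split()[1].lower() if received else ""
    relay_ok = relay == from_dom or relay.endswith("." + from_dom)
    if from_dom and not relay_ok:
        envelope = ("agrees with From:" if env_dom == from_dom
                    else f"says {env_dom or 'nothing'}")
        return (f"From: claims {from_dom} but the message was handed in by "
                f"{relay or 'an unknown host'} (Return-Path {envelope})")
    return ""


def executable_attachments(msg: EmailMessage) -> List[str]:
    """File names of attachments whose final extension is an executable type."""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(EXECUTABLE_EXT)]


def triage(raw: str) -> List[str]:
    """Warnings a user should see before opening the message."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    reason = sender_mismatch(msg)
    if reason:
        warnings.append(reason)
    for name in executable_attachments(msg):
        warnings.append(f"attachment {name!r} is a program, not a document")
    return warnings


if __name__ == "__main__":
    for label, raw in [("suspect", SUSPECT_MESSAGE), ("ordinary", ORDINARY_MESSAGE)]:
        print(label, triage(raw) or ["no warnings"])
```

A mismatch is a warning, not proof: legitimate mail sent through an ISP's
relay or a mailing list will also show a relay host outside the From:
domain. What the check does catch is the pattern of the mass-mailing
worms discussed here, which pick a From: address from the victim's
address book and send from whatever machine is infected.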
- Don't run susceptible programs if you do not have to.
Often programs which can compromise security are installed on
computers when they are not actually required. A typical example
of this is the "File and Printer Sharing" service on Microsoft
Windows computers. If you do not explicitly need to share these
resources, uninstall it. If you do need to share them, set up
password control, make your shared folder "read only" if possible
and don't share your entire drive.
Switching off some of the "bells and whistles" on your software - like
the preview feature on Outlook Express can also close the door on
many potential virus attacks.
- Don't run software with known vulnerabilities.
There are many programs with known bugs which are subject to
getting "tricked". If you have one of these running on your computer,
you are a sitting duck waiting for the next round of virus infections -
even if you run anti-virus software.
Many "Linux" users boast that their computers are immune to
viruses. This is largely true - partially because of the way that
operating system is designed, which makes it much harder to write a
virus to infect the system, and partially because there are so many
more "Windows" systems, which makes "Linux" a less attractive
target for virus authors. Windows users can avoid most common
viruses, which are written to exploit Outlook and Outlook Express,
by using an alternative e-mail program like "Pegasus Mail",
available free from http://www.pmail.com. However, not every user
wants to break away from the popular software and not every
network administrator would recommend (or allow) their users to do
this.
For pure Microsoft customers, the simplest way to check your
computer for the presence of known bugs is the "Windows Update"
service. Open Internet Explorer and point it at
http://windowsupdate.microsoft.com and follow the instructions. It
will download a program onto your computer which will check the
versions of all Microsoft programs installed on it. It will then advise
which "patch" files you need to update your system and prompt you
to download and install them. As with all good systems this one
does have its limitations. Often the recommended downloads can be
very large (20 MB or more) and can take many hours to download
over a dial-up modem. (Make sure your browser's "proxy server" is
properly configured before you start - this can save a significant
amount of time.) Installing the patches can sometimes have side
effects and break other software running on your computer.
- Run an anti-virus program and keep it up to date.
The important thing to remember with an anti-virus program is that
it is only as good as its last pattern file update: a virus released
after that update will not be recognised. Thus these programs should
never be relied on to provide 100% protection. Anti-virus programs
themselves are prone to bugs and, especially on slower PC's, can
cause more problems than they solve. However, despite these
limitations, anti-virus software can be a good investment when
compared to the cost of downtime associated with a full blown virus
infection.
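As an added example of this point (not the newsletter's own, and not
modelled on any particular anti-virus product): a toy signature scanner
in Python, fed a constructed "pattern file" and three constructed files.
None of the byte strings is real malware; the signatures, file contents
and detection names are made up. It shows why a one-byte variant walks
past both a whole-file hash and a byte-sequence signature until the
vendor ships the next pattern update.

```python
"""Why an anti-virus scanner is only as good as its last pattern update.

Added example, not from the newsletter. The "pattern files" and the
"files" scanned are all constructed; none of this is real malware.
"""
import hashlib
from typing import Dict, List, Tuple

# A pattern file entry is either a whole-file hash or a byte sequence
# that must appear somewhere in the file.
Signature = Tuple[str, bytes]   # ("md5", hex digest) or ("bytes", sequence)


def md5_hex(data: bytes) -> bytes:
    return hashlib.md5(data).hexdigest().encode()


# Constructed files. WORM_B is WORM_A with a single byte changed, the
# kind of variant that appears days after the original.
WORM_A = b"MZ\x90\x00" + b"\x00" * 16 + b"MAILTO:ALL;PAYLOAD=WIPE" + b"\x00" * 8
WORM_B = WORM_A.replace(b"WIPE", b"WIPe")
CLEAN = b"Minutes of the August meeting\n"

# Pattern file as shipped in August: it knows only WORM_A.
PATTERNS_AUGUST: Dict[str, Signature] = {
    "Example.Worm.A (hash)": ("md5", md5_hex(WORM_A)),
    "Example.Worm.A (bytes)": ("bytes", b"MAILTO:ALL;PAYLOAD=WIPE"),
}

# The September update adds a signature for the variant.
PATTERNS_SEPTEMBER: Dict[str, Signature] = {
    **PATTERNS_AUGUST,
    "Example.Worm.B (bytes)": ("bytes", b"MAILTO:ALL;PAYLOAD=WIPe"),
}


def matches(data: bytes, sig: Signature) -> bool:
    kind, value = sig
    if kind == "md5":
        return md5_hex(data) == value
    if kind == "bytes":
        return value in data
    raise ValueError(f"unknown signature kind {kind!r}")


def scan(data: bytes, patterns: Dict[str, Signature]) -> List[str]:
    """Names of every pattern that matches `data`; an empty list means
    'nothing recognised', which is not the same as 'clean'."""
    return [name for name, sig in patterns.items() if matches(data, sig)]


if __name__ == "__main__":
    for label, data in [("worm_a", WORM_A), ("worm_b", WORM_B), ("clean", CLEAN)]:
        print(label, "August:", scan(data, PATTERNS_AUGUST),
              "September:", scan(data, PATTERNS_SEPTEMBER))
```

The hash signature is the most brittle (any change to the file defeats
it) and the byte-sequence signature only slightly less so; this is why
a machine can be "fully protected" on paper and still be infected by
whatever was released after the last update it downloaded.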
WHO IS TO BLAME?
Many users are suffering as a result of "malware" attacks. This is
exactly why software vendors make you agree to their terms before
you can install their software, and why banks make you sign an
application form covered in fine print before they will open an
account.
Do we blame the virus authors? That won't help; they are just
misguided individuals exploiting gaping security holes in popular
software programs.
Do we blame the software giants, for supplying defective products?
Imagine if car or aircraft manufacturers supplied products with
defects like those found in popular software. Clearly one large
vendor seems unable or un-willing to supply a secure product. We
seem to accept this, much as we accept our Telecommunications
monopoly. Hopefully pressure will eventually force a change.
Perhaps we should blame the end users themselves. They are the
ones demanding user friendly "features" in their software. Often
these features can only be implemented by compromising the design of
the program with respect to security. They are the ones who run
poorly configured systems and who neglect to install vital security
updates. They are also the ones who end up paying in the long run
and they are the ones who have the power to make things change.
The truth is that if the industry paid the same attention to the
malware problem as was paid to the "Year 2000" problem, a lot
could be done to stop the rot in relatively short time.
Ian Forbes
--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa