A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Malware

Programs that are designed to harm your computer

Malware consists of programs such as viruses, worms, Trojan horses, and rootkits that are designed to harm your computer.

  • A computer virus is a program that attaches itself to an application or "host file" and then spreads by making copies of itself. Some type of human action (e.g. opening an attachment) is always required for a virus to take effect. Once a virus gets onto your computer it might modify, delete, or steal your files, make your system crash, or take over your machine.

  • A computer worm is like a virus, but it infects other computers all by itself, without human action and without a host file. It usually infects other computers by sending emails to all the names in your email address book.

  • A Trojan horse is a program that tricks you into running it by appearing useful or harmless. However, once it is run it damages your computer, usually by providing "back door" access to the computer. This allows hackers to control or use your computer, destroy or steal files, install viruses or spyware, or run arbitrary programs.

  • A rootkit is a program that allows an intruder to gain access to your system without your knowledge by hiding what it is doing on the system. The intruder can then install difficult-to-detect back doors into your system to seize control.

There are many ways that malware can get into your system. One of the biggest dangers is opening email attachments that contain malware. You can also get malware from downloading infected files when file sharing, from clicking on links in instant messenger or chat rooms, or from active content applications on Web pages.

Protective Measures

Practices

  • Delete suspicious emails with attachments: Attachments are the main way malware gets onto your computer. Attachments include office document files (e.g., with .doc or .xls suffixes), program files (e.g., with .exe or .bat suffixes), and compressed files (e.g., with .zip suffixes), all of which can contain malware. The CERT Coordination Center advises users to apply the so-called "KRESV" test to detect suspicious emails. KRESV stands for:

    • Know: Do you know the sender?
    • Received: Have you received email from the sender before?
    • Expect: Are you expecting the e-mail?
    • Sense: Do the subject header and attachment name make sense?
    • Virus: Does it contain a virus? You will need antivirus software to check this.

    If an email with attachments fails any of these tests, delete it. If you know the sender, contact him or her to make sure that the message is legitimate.

  • Download anti-virus updates: Installing anti-virus software is the first step towards protecting yourself against viruses (see Tools below). But for this software to do its job, you must keep it up to date with information on the latest viruses. New viruses are constantly being created. Anti-virus software vendors try to keep up with these new viruses by issuing virus signature updates and making them available online. Falling behind on updates can allow a new virus to slip through without being detected by the anti-virus software. Most anti-virus software has an option for automatic updates or notification of update availability.

  • Only perform file transfers from trusted sources: This reduces your risk of downloading files infected with malware and introduces accountability, so that you have a better chance of getting a response if you do have a problem.

  • Scan all files that you receive through file transfer: It is a good idea to scan the files that you receive from P2P networks with your anti-virus software to detect malware. This may slow down the transfer, but it will help keep your computer safe.

  • Avoid clicking on links: Links are commonly used in community applications, especially with instant messaging. Be aware that these links may actually download malware onto your computer.

  • Perform frequent backups: Save your important data on a regular basis so that you can recover from a malware attack or intrusion. Thumb drives, CDs, and DVDs are good storage and transport media for large amounts of data. If possible, store your backup media in a different location from the computer itself to keep both from being destroyed in a fire or other disaster.

Settings

  • Set your anti-virus package for "Real-time Protection": Anti-virus software should provide the option of real-time protection, which means that it actively checks files that come into your system while you work. This lowers your chances of contracting a computer virus. To set real-time protection (using Symantec Norton Antivirus as an example), right-click on the Symantec Norton Antivirus icon in the icon tray in the right-hand bottom corner of the screen, then select "Enable File System Real-time Protection."

  • Set your anti-virus package for the types of files you want it to check: To set the types of files the anti-virus software will check, click on Start, then Programs, and start your anti-virus package. Usually, the program gives you the option of choosing between a few scanning methods. Symantec, for example, offers:

    • Scanning all files: All files on the computer will be checked regardless of the extension or file type.
    • Scanning by file type: The package will check all files of the chosen type, regardless of the potentially deceptive file extension. This is especially important in catching files with a double ending such as ".gif.doc".
    • Scanning by file extension: This scan is the fastest, since only files with the chosen extension will be checked.

    If you have a different brand of antivirus software, consult the manual for instructions on how to configure the settings for real-time scanning and scanning method.
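    The difference between "scanning by file type" and "scanning by file extension" above comes down to whether the scanner trusts the file's name or inspects its content. The following added example (not code from the original page or from any anti-virus vendor) sniffs a few well-known magic-byte signatures to decide the real type of an attachment, then flags names whose extension disagrees with the content or that carry a double ending such as ".gif.doc". The sample attachments are constructed inline; the signature and extension tables are a small illustrative subset.

```python
# Added example: content-based ("by file type") versus name-based ("by extension")
# attachment checks. Sample attachments below are constructed for the demo.

# Leading bytes of a few common attachment formats (illustrative subset).
SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",                          # .zip, also .docx/.xlsx containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls
    b"MZ": "exe",                                  # Windows executable
}

# Extensions the page lists as able to carry malware, plus two image types,
# mapped to the content type a file with that name is supposed to have.
EXPECTED_TYPE = {
    "doc": "ole", "xls": "ole", "docx": "zip", "xlsx": "zip",
    "zip": "zip", "exe": "exe", "bat": "text", "gif": "gif", "png": "png",
}

def sniff_type(data: bytes) -> str:
    """Decide the content type from the bytes themselves, ignoring the name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    # Plain ASCII (e.g. a .bat script) is reported as text; anything else is unknown.
    return "text" if all(b < 0x80 for b in data[:64]) else "unknown"

def assess_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks suspicious; an empty list means none."""
    parts = name.lower().split(".")
    reasons = []
    if len(parts) > 2:                      # "photo.gif.doc" style double ending
        reasons.append(f"double extension: .{'.'.join(parts[1:])}")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = sniff_type(data)
    expected = EXPECTED_TYPE.get(ext)
    if expected is None:
        reasons.append(f"unrecognised extension: .{ext}")
    elif actual != expected:                # name says one thing, bytes say another
        reasons.append(f"content is {actual} but name claims {ext}")
    if actual == "exe":
        reasons.append("executable content")
    return reasons

if __name__ == "__main__":
    for name, data in [("holiday.gif", b"GIF89a" + b"\x00" * 10),
                       ("photo.gif", b"MZ\x90\x00"),
                       ("photo.gif.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")]:
        print(name, assess_attachment(name, data) or ["ok"])
```

An extension-only scan would accept "photo.gif" as an image; the content check reports it as an executable.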

  • Set your web browser security level to Medium or High: Your browser's security level setting determines how much active content it allows. Internet Explorer has pre-defined "Default Level" security levels to choose from. You may also customize these Default Level security settings, which is more involved than simply selecting a Default Level.

    To set a pre-defined Default Level:

    1. In Internet Explorer, click on Tools > Internet Options.
    2. Select the Security tab and click the Default Level button.
    3. Make sure the Internet zone (globe icon) is selected in the window, and move the slider to Medium-High or High. Click Apply.

    Note the differences between the settings:

    • The Medium security setting generally allows active content. The browser will run programs, sometimes only after prompting you, that perform animations, allow the browser to read documents in various formats, and otherwise improve your browsing experience. However, this also allows these programs to possibly introduce malicious or unwanted code or files to your computer.
    • The High security setting prevents active content entirely. While this gives your computer better protection from malware, it may prevent you from viewing content on many Web sites.

Tools

  • Anti-virus software: The popularity of the Microsoft Windows operating system makes it a prime target for hackers and other virus writers, so anti-virus software is crucial for users of this system. Anti-virus software works by identifying files that match definitions of known viruses and keeping them from infecting the system. Make sure that your virus definitions are kept up to date by automatically or manually downloading them from your software manufacturer's Web site. Do not install more than one anti-virus program because incompatibility issues between the programs may end up leaving your system unprotected.

    Two popular anti-virus packages are Symantec's Norton AntiVirus and McAfee AntiVirus. AVG, AntiVir and ClamWin are free alternatives. The major anti-virus programs, such as Symantec and McAfee, can protect against worms and Trojan horses as well as viruses.

    PDA and mobile phone anti-virus applications normally interact with the full version on a PC and hold fewer virus definitions. New virus updates are automatically transferred from your desktop computer each time you synchronize your PDA. Therefore it is important to keep your desktop computer's anti-virus software updated and synchronize your PDA regularly. Some commonly used anti-virus packages are Trend Micro's PC-cillin for Wireless and Symantec AntiVirus for Windows Mobile.

  • Firewall: A firewall is like a security guard for your computer that monitors the traffic into and out of your computer. A firewall is your first line of defense against intrusions, especially Trojan horses. One popular firewall is Symantec's Norton Personal Firewall. The Windows operating systems such as Windows XP and Windows Vista include a firewall that is turned on automatically. This built-in firewall is described in more detail on the Microsoft site.

  • Malware removal applications: Malware removal applications can remove viruses and other harmful programs that might have been installed on your computer without your knowledge. There are many commercial and free malware removal applications, including Spybot, Ad-Aware, and Pest Patrol. They are designed to remove spyware, pop-up ads, and malware that traditional anti-virus packages don't remove completely.

  • Rootkit detection software: Rootkits cannot be detected by ordinary anti-virus programs because they are very good at hiding themselves. You need special software to detect rootkits, such as RootkitRevealer by SysInternals and F-Secure Blacklight.

Legal Issues

Ethical

The intentional distribution of malware is clearly unethical, since it disrupts and sometimes disables computers and can cause financial and productivity losses. Accessing hacker sites and trying out their tools is at best unwise, and using these tools against computers other than your own without permission is likely to be unethical or illegal, depending on the nature of the tools.

Legal

Intentional distribution of malware is considered illegal worldwide. Famous malware programs like Code Red and the Melissa virus caused several million dollars in losses, and each started in a simple malware application. The creator of the Melissa virus was prosecuted under Title 18, United States Code, Section 1030 and sentenced to 20 months in prison and a $5,000 fine.
