Malware: Viruses, Worms, Trojan Horses, & Spyware
What They Are & How to Deal with Them
Jay Stamps, [email protected], 723-0018, ITSS Help Desk Level 1 Training, November 18, 2004
Course Objectives
Understand what malware is, where it comes from, and what it does
Diagnose compromised or infected computers based on reported symptoms
Basic troubleshooting techniques for possibly compromised computers
Research and diagnostic tools
Prevention: worth a pound of cure!
It’s Been a Rough Few Years for Windows PCs…
Sorry, but that was the last picture you’re going to see in this presentation!
The good news is that your instructor loves questions, and you’re cordially invited to interrupt him at any time, or save your questions for later
It’s a cliché, but there are no “dumb questions”: the point is to learn
And if I don’t have a good answer, I’ll suggest that you make finding one part of your homework assignment!
What’s “Malware”?
Shortened form of “malicious software”
But it’s not always really malicious, so “malware” is a general term for:
Computer and macro viruses of any kind
Internet and mass-mailing worms
Trojan horses, backdoors and rootkits
Other computer exploits, bots, zombies
Spyware, adware, and other software installed on a computer without the user’s knowledge or informed consent
And then there are the “hoax viruses”…
Why Use the Word “Virus”?
The analogy with biological viruses:
Computer viruses exist to self-replicate
They can often adapt (mutate) to survive
They might or might not harm the host
They “infect” by inserting themselves into a “healthy” system (be it a computer program or a living organism)
The term “virus” is heavily overused; that’s why we’re talking about “malware”
But when someone’s PC is misbehaving, they call 5-HELP and say, “I’ve got a virus!”
Are Only PCs Affected?
The answer is “No”
Are Macintoshes immune? The answer is “yes and no”, sort of…
The first virus seen in the wild, in 1982, infected Apple IIs
A great deal of malware, some of it not so malicious, existed for Mac OS “Classic”
Are there any Mac OS X malware programs? Well, not in the wild, not yet…
What about Unix and Linux OSes? Lots of malware is in circulation for these platforms, lots!
Why Does Malware Exist?
When “viruses” first became common, and “normal people” began to use personal computers…
If a “virus” struck, they were confused, alarmed, felt violated…
They’d ask, “Where do these things come from?” and “How did I get infected?”
Often they’d feel embarrassed, like they’d picked up an STD in a reckless moment…
When told, “People deliberately create viruses,” they’d properly ask, “Why?”
What do you think? Why does malware exist? (Possible homework assignment!)
Brief History of Malware
“Viruses” appeared in the early 1980s, very soon after the first personal computers
They spread by floppy disks, later via “bootleg” and other software on BBSes
They often weren’t meant to be destructive
Internet “worms” arrived in the late 1980s (the Morris worm of November 1988 is the famous one)
“There may be a virus loose on the internet.” - Andy Sudduth of Harvard University, 34 minutes past midnight, November 3, 1988
Brief History Continued
First mass-mailing worm came in 1999, usually called the “Melissa virus”
It was also a “macro virus”: the infected file had to be opened in MS Word
Spyware hits the scene around 2000
“Adware” claims to be legitimate and legal
“Browser hijacking” is a common symptom
Other exploits, trojans, backdoors… have been around for a long time
Hackers target entities for malicious attack, or may want “free” computing resources
We’ll Stick to MS Windows
The majority of computer users at Stanford have Microsoft Windows PCs
The majority of malware “in the wild” today attacks only Windows PCs
Malware is very platform-dependent
Microsoft has only recently made computer security a priority
In the past, MS tended to “enable everything by default”
Network-connected “services” running on a computer are an open invitation to hackers: every listening service is a door a worm can knock on, which is why patching and a firewall matter so much
Why So Much Malware?
Is malware becoming more common? Yes!!! It is!!! (and harder to fight off)
Why might that be? The Internet! Plus all the high-powered PCs in homes and offices connected to it
Why does that make a difference? As with biological viruses, lots of people (or computers) are rubbing up against each other in a common space, and computers (like people) don’t always cover their mouths when they sneeze…
“Help! I’ve Got a Virus!”
A lot of people self-diagnose (wrongly)
“Doc, I think I’ve got the flu.” “How much did you drink last night?” “Uh, three six packs. I think. I don’t really remember…”
Only a few years ago, most folks who thought their PC had a viral infection were wrong!
When PCs behaved strangely, usually there was a problem with the OS or an application that was not at all virus-related
Today that’s still true, but…
Today That’s True, But…
Malware is more common, while OSes and applications are both more feature-laden and (often) more robust
More features mean more potential vulnerabilities for hackers to exploit
Greater robustness means strange behavior is somewhat likelier to be caused by malware
Plus more people use protective software
Few people these days are unaware of the necessity of running antivirus software
Some people even use it correctly!
You Answer a Call to 5-HELP
And the caller begins to explain…
“I think my PC has a virus”: maybe it does, and maybe it doesn’t; we’ll look at diagnostic approaches presently
“I got an email from the Security Office…”: get the details, but a referral to the Level 2 Help Desk, or to local or contract support, is probably the right move
If Networking or the Security Office has noticed a problem, the computer is almost certainly hacked
If the caller has self-diagnosed, or if you suspect malware is involved, you ask…
The Usual Questions 1
If a caller’s PC might have an infection, or otherwise be compromised:
Ask what version of Windows they’re using
Ask them if they’re keeping it patched
Ask them if they’re using antivirus software, and if it’s up to date
For Windows 2000 and XP, ask them if they have good passwords for all user accounts
Ask them if they use a firewall
The caller may not know the answers to some of these questions, of course…
The Usual Questions 2
So you may need to guide the caller to learn the answers to these questions
To check if Windows is properly updated, have the caller visit http://windowsupdate.microsoft.com
Launch Symantec AntiVirus to check the date of the virus definitions file
To check password strength, use the Stanford Security Self-Help tool
Windows XP has a built-in firewall (turned on by default since Service Pack 2), as do many broadband routers
The Answers
If a user can’t access the network at all, that problem is likely not caused by malware
If a user can reach the network but can’t run, install or update SAV or other security software, that’s a strong clue that the PC has been infected by a worm: many worms deliberately disable or block security tools to protect themselves
If Windows isn’t patched, and/or AV software is out of date, and/or user accounts have weak passwords, the PC is definitely vulnerable to compromise, whether or not it is infected yet
If the web browser (especially IE) goes to unexpected sites, suspect spyware
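Two of the symptoms above (security software that won’t update, a browser that lands on the wrong sites) are often produced by a tampered hosts file: worms and spyware commonly add entries that pin antivirus and Windows Update hostnames to 127.0.0.1, or point a popular site at a server they control. The script below is an added example for this training and is not part of the deck or of any Stanford tool; it parses a hosts file and flags such entries. The WATCHED_DOMAINS list is an assumption built from the sites named in this deck, and the sample hosts content is made up.

```python
import ipaddress

# Assumed watchlist: update and antivirus sites named in this training deck.
# A real check would use the vendors actually deployed on the PC.
WATCHED_DOMAINS = (
    "windowsupdate.microsoft.com",
    "housecall.trendmicro.com",
    "sarc.com",
    "mcafeesecurity.com",
)

# Constructed sample of a tampered Windows hosts file
# (normally %SystemRoot%\system32\drivers\etc\hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com   # blocks Windows Update
127.0.0.1       housecall.trendmicro.com      # blocks the online scanner
198.51.100.7    www.google.com                # redirects a popular site
"""


def parse_hosts(text):
    """Return (line_number, address, hostname) for each mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:                # one address may carry several names
            entries.append((lineno, parts[0], name.lower()))
    return entries


def is_watched(name):
    """True if the name is a watched domain or a host beneath one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(text):
    """Return (line_number, address, hostname, reason) for entries worth a look.

    Heuristic: any mapping of a watched security/update site is suspicious,
    and so is any other name (besides localhost) mapped to a non-loopback
    address, since a default Windows hosts file contains only localhost.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, name, "unparseable address"))
            continue
        if is_watched(name):
            findings.append((lineno, addr, name, "security/update site pinned in hosts file"))
        elif name != "localhost" and not ip.is_loopback:
            findings.append((lineno, addr, name, "name mapped to a non-loopback address"))
    return findings


if __name__ == "__main__":
    for lineno, addr, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr:<15} {name:<30} {reason}")
```

A hit is a reason to escalate, not proof of infection: a departmental administrator may legitimately add entries, so compare against what the caller’s local support expects before concluding anything. Conversely an empty result does not clear the machine, since malware can block updates by other means (killing the AV process, filtering traffic).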
More Symptoms
We’ve just looked at a couple of common symptoms of malware
Here are some other possible signs:
Sluggishness
One or more unexpected restarts
Frequent system crashes
Constant hard disk activity
Generalized “strange behavior”
Hackers try to hide their presence: if they’re good, they will succeed
Worms and some viruses do likewise
Steps to Recovery
Most symptoms of malware also have other, more mundane causes
If there’s any reason to suspect the presence of malware on a user’s PC: update the virus definitions first (that needs the network), then disconnect the network cable so the machine can neither spread anything nor be re-infected while you work, and run a full antivirus scan of all hard drives
Install and run SpySweeper
And always, always teach computer users how to protect themselves from malware! Prevention is key!
Mass-Mailing Worms
Mass-mailing worms are one of the most common vectors for malware
Most people know not to open “suspicious” email attachments
But the worm writers are getting a lot craftier, and the attachments often look less “suspicious” these days
Many people are still confused by sender address “spoofing”
Mass-mailing worms mail themselves out using randomly chosen sender addresses, typically harvested from address books and files on the infected PC, so a worm message can appear to come from someone the recipient knows, and the person named in the From: line is usually not the one who is infected
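What spoofing looks like inside the message, as an added example that is not part of this deck: the From: header is whatever the worm chose to write, but each mail server the message passes through prepends its own Received: header, so the trail (read bottom-up) records where the message actually entered the mail system. The message below is constructed, with made-up hosts, addresses and ids; the script parses it with Python’s standard email library and reports whether the first hop is consistent with the claimed sender domain.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a worm-style message. The From: header names a
# colleague in the recipient's own domain, but the Received: trail shows the
# message entering the campus mail system from an unrelated dial-up host.
# Every hostname, address and id here is made up for the example.
SAMPLE_MESSAGE = """\
Received: from mx1.example.edu (mx1.example.edu [192.0.2.10])
\tby mail.example.edu with ESMTP id abc123; Thu, 18 Nov 2004 09:12:01 -0800
Received: from pc-044.dialup.example.net (pc-044.dialup.example.net [198.51.100.44])
\tby mx1.example.edu with SMTP id xyz789; Thu, 18 Nov 2004 09:11:58 -0800
From: "Jane Colleague" <jane@example.edu>
To: <bob@example.edu>
Subject: your document
Content-Type: text/plain

Please see the attached document.
"""

# "from <host> (<reverse-DNS name> [<ip>])" as written by most mail servers
HOP_RE = re.compile(r"\bfrom\s+(\S+)\s*\(([^)]*)\)", re.IGNORECASE)


def received_hops(msg):
    """Return the Received: hops oldest-first as (claimed_host, lookup_info).

    Each relay prepends its header, so the last Received: in the message is
    the first hop the message took.
    """
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(str(hdr).split()))   # unfold whitespace
        if m:
            hops.append((m.group(1).lower(), m.group(2)))
    return hops


def trace_sender(raw_message):
    """Compare the claimed From: domain with the host that first handed the message in."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, claimed_addr = parseaddr(str(msg["From"]))
    claimed_domain = claimed_addr.rsplit("@", 1)[-1].lower()
    hops = received_hops(msg)
    origin_host = hops[0][0] if hops else None
    consistent = origin_host is not None and (
        origin_host == claimed_domain or origin_host.endswith("." + claimed_domain)
    )
    return {
        "claimed_from": claimed_addr,
        "claimed_domain": claimed_domain,
        "origin_host": origin_host,
        "hops": hops,
        "consistent": consistent,
    }


if __name__ == "__main__":
    result = trace_sender(SAMPLE_MESSAGE)
    print(f"From: claims {result['claimed_from']}")
    for host, info in result["hops"]:
        print(f"  hop: {host} ({info})")
    verdict = "consistent with" if result["consistent"] else "NOT from"
    print(f"first hop is {verdict} the claimed domain {result['claimed_domain']}")
```

Only the Received: line written by a server you trust (here mx1.example.edu, the campus relay) is reliable; a worm can forge any earlier Received: lines just as easily as it forges From:. Many legitimate messages also enter from outside the claimed domain (home ISP accounts, mailing lists), so an inconsistent first hop is a reason to ask questions, not a verdict.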
I Got a “Suspicious” Email
A caller might say:
I got a strange email message from my bank (or a bank I don’t even use), etc.
I got a message from my “system administrator” telling me to do something
I got a message from a friend telling me there’s some file I’m supposed to delete
Such messages are usually “phishing” attacks or “hoax viruses”
Delete the email message; don’t do what it says; never give out private information
If the caller wants to be sure, have them check through a channel they already trust (the phone number on their bank card, the real department administrator), never via a link or number in the message itself
Top 6 PC Security Must-Dos
Patch Windows automatically: new patches come out the 2nd Tuesday of each month; use BigFix and Windows Automatic Updates
Use strong passwords (even better, pass phrases) for all user accounts
Use a firewall, such as Windows XP’s built-in software firewall
Use and properly maintain good antivirus software
Don’t open suspicious email attachments
Disable Windows File & Printer Sharing
Tools for Prevention
Essential Stanford Software: http://ess.stanford.edu
Symantec AntiVirus
BigFix client
SpySweeper
Security Self-Help Tool
Use the Firefox web browser (not IE)
Stanford Secure Computing web site: http://securecomputing.stanford.edu
Microsoft Baseline Security Analyzer: http://support.microsoft.com/kb/320454
Questions? Research Tools
If you’ve been saving up questions, now’s your chance!
Tools for research and troubleshooting:
http://support.microsoft.com/kb/129972
http://www.google.com
http://www.sarc.com
http://www.mcafeesecurity.com/us/security/home.asp
http://housecall.trendmicro.com/
http://en.wikipedia.org/wiki/Computer_virus
http://www.spywareinfo.com/
http://support.microsoft.com
http://www.microsoft.com/technet
http://www.cert.org/
http://www.cisecurity.org/