1. What is malware, and what are the most common types?
Malware (from malicious software) is any type of programming intended to cause harm. Viruses, worms, spyware, and Trojan horses are the most common examples of malware. Among other things, a malware infection can: corrupt files, alter or delete data, distribute confidential data, disable hardware, deny legitimate user access, and cause a hard drive to crash. Frequently, malware is also designed to send itself from your e-mail account to all the friends and colleagues in your address book. The results of malware infection include wasted resources, compromised systems, lack of regulatory compliance, lost or stolen data, and the loss of user and client confidence.
Common types of malware:
- Viruses self-replicate within computers and across networks and alter files or data. They usually require some action on the user's part to start, most often just clicking an executable file attachment on an e-mail (although embedded programming in an e-mail message can execute a virus program). Typically, people think that the file came to them from a trusted source or is something they want to see.
- Worms are a virus variant that can infect a computer without any user interaction. A worm doesn't alter files, but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
- Trojans are malicious code hidden within innocuous programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. A Trojan horse may be widely redistributed along with a virus.
- Spyware is programming that is put into your computer to secretly gather information and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program. Although not malicious in intent, spyware is often installed without your consent and even without your knowledge, as a drive-by download or as the result of clicking some option in a deceptive pop-up window. By the same token, adware, which usually includes spyware components, can also be considered malware.
- Browser hijackers are programs that alter your computer's browser settings so that you are redirected to Web sites you had no intention of visiting. Most browser hijackers alter default home pages and search pages to those of their customers, who pay for that service because of the traffic it generates. More virulent versions often: add bookmarks for pornographic Web sites to the users' own bookmark collection; generate pornographic pop-up windows faster than the user can click them shut; and redirect users to pornographic sites when they inadvertently mistype a URL or enter a URL without the www. prefix. Poorly coded browser hijackers -- which, unsurprisingly, are common -- may also slow your computer down and cause browser crashes.
Although each type of malware has defining characteristics, the distinctions between them are becoming blurred because blended threats are becoming increasingly common. Blended threats combine characteristics of more than one type of malware to maximize the damage they cause and the speed of contagion.
Marshall Brain explains "How Computer Viruses Work."
SearchSecurity.com offers a selection of resources about common vulnerabilities and prevention tips.
Sophos provides a white paper called "Computer viruses demystified"
Our Information Kit: Spyware has more in-depth information.
2. How is most malware distributed?
Typically, malware is distributed by one of three methods: by e-mail, either through a virus-laden attachment or code embedded in the message body; in an infected application; or through infected code on a Web site. Originally, removable media -- typically a floppy diskette -- was the vehicle most malware took to get to your computer, but now the vast majority of malware is distributed electronically. According to various reports, the percentage of viruses currently transmitted by e-mail is between 87% and 93%.
3. What are the future trends for malware distribution?
Although most widely distributed malware of recent years has arrived via e-mail attachment, infected Web sites and program downloads are having an increasing impact. Matt Fisher, a security engineer with SPI Dynamics, spoke recently about the need for greater Web site security at an anti-hacking workshop in Toronto. Fisher claimed that almost every Web site has serious vulnerabilities that allow a hacker easy access. According to Fisher, the problem is that security isn't built into Web applications, and as a result, an attacker can often hack into a site simply by viewing a Web page's source, grabbing some information from the commented code, and entering it into the address bar.
In June 2004, a Web-based attack was carried out in which compromised sites ran JavaScript at the bottom of pages. The script attempted to access a file stored on another server. Authorities believe that the intent was to steal credit card information from visitors to the compromised sites. Although the responsible Web site has been shut down, the same ploy is likely to be used by others in the future.
Many security experts believe that the newer communications channels, such as instant messaging and VoIP, pose a very serious threat to networks. According to Gartner Group research, 58% of network security managers stated that instant messaging poses the most dangerous security risk to their enterprise. Symantec Security Response predicts that the next major worm exploit will be IM-based. Furthermore, according to chief of research Eric Chien, every free IM client that the company has examined contains exploitable vulnerabilities.
4. How bad is the malware problem?
2003 was the worst year to date for exploits, and there are no indications that the number and severity of attacks will do anything but increase.
- Code Red infected every vulnerable computer on the Internet within 14 hours; Slammer did the same in 20 minutes. An IM exploit could spread to half a million computers in just 30 seconds (Symantec Security Response).
- In 2001, one in 300 e-mails contained a virus; for 2004, that number is predicted to be one in 100 (MessageLabs).
- Attacks increased tenfold in the past ten years, from 1,334 reported attacks in 1993 to 137,529 in 2003 (CERT Coordination Center).
- 20-40 new or variant virus threats were reported daily to TrendMicro in 2003.
- The number of attacks between January and June 2003 exceeded 70,000 -- double those of the previous year (Reuters).
- Ninety-two out of 300 randomly selected companies suffered a major (more than 25 computers affected) virus attack in 2003 (Computer Virus Prevalence Report).
- Companies in the above survey reported that 11% of their computers were infected in any given month (Computer Virus Prevalence Report).
- Spyware is estimated to be present on about 90% of computers with a broadband connection (Scott Culp, Microsoft).
- Spyware is responsible for about a third of all Windows application crashes (Scott Culp, Microsoft).
- Viruses cost businesses around the world $55 billion in 2003, up from $13 billion in 2001 (TrendMicro).
Symantec has a comprehensive list of security worries and what to do about them in "Threats to instant messaging."
PC Magazine has an article called "The Next Big Virus Threat: Instant Messaging."
SearchSmallBiz.com describes "10 steps to a holistic secure messaging strategy."
A SearchSecurity.com article explains how "Instant messaging creates security headaches for enterprises."
5. Why are the number of malware attacks increasing so rapidly?
- The ongoing increase in computer literacy: more and more people, all around the world, have the technology and knowledge that allows them to create and distribute malware.
- Tools required for attacks are ever more widely available over the Internet, so that even people with only very rudimentary knowledge can launch attacks without much difficulty.
- Older threats often remain active for an extended period of time, or enjoy a resurgence, so that while new malware is constantly being released, it supplements older threats rather than replacing them.
- Some reports from the underworld of malware creators suggest that there's a very active competition among virus writers to see who can wreak the greatest havoc.
- The complexity of modern software makes it harder for developers to detect and correct vulnerabilities.
- According to many experts, spam -- which has increased in volume exponentially in the last few years -- and malware are being used in conjunction to maximize the distribution of both.
6. What's the spam-malware connection?
Although malware-laden messages are often thought to be a different category of unwanted e-mail, they generally fit the criteria for spam:
A. They're unsolicited; and
B. They're sent in bulk.
A number of analysts, such as Natasha David of IDC, predict that spam will emerge as the most common means of virus dissemination in 2004.
Ed Skoudis, author of Malware: Fighting Malicious Code explains how it works: "Malware and spam are working together in a vicious cycle. Attackers use spam to spread backdoors to machines via mass e-mailings. Unwitting users execute these e-mail attachments, thereby installing the backdoor onto their systems. Attackers then use the newly infected system as a bounce-off point to send even more spam while laundering their source address and evading e-mail server antirelay and filter settings."
MessageLabs, a New York-based company, analyzed server data and found that many spam messages were originating from known sources of viruses. According to their analysis, MessageLabs reported that the Sobig virus and its earlier variants were probably created by spammers.
The point: Spam isn't just a nuisance any more; it's a serious threat to network security. Deleting junk e-mails at the desktop isn't good enough. Use the best spam filters available, and push for global solutions to the spam problem.
SearchSecurity.com has a tip about the spam/malware connection.
SearchSecurity.com offers an article called "Experts ponder spam, worm connection."
Learn IT: Defeating Spam in the Enterprise has more information.
7. How can I tell if my network has been compromised by malware?
An intrusion detection system (IDS) will likely spot any known malware attack. However, a new exploit could escape detection. Signs that your network has been compromised include a sudden, unexplained spike in traffic; unscheduled server reboots; signatures of known exploits in log files; unexplained failed logons; evidence of a packet sniffer; and a large number of spoofed packets detected leaving your network.
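Three of the signs listed above (unexplained failed logons, spoofed packets leaving the network, and a sudden traffic spike) can be checked mechanically over log data. This is an added example, not code from the original article: the log format, the 10.0.0.0/8 internal range, the thresholds, and the sample records are all constructed for illustration.

```python
import ipaddress
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
FAILED_LOGON_THRESHOLD = 5   # failures from one source before we raise an alert
TRAFFIC_SPIKE_FACTOR = 3.0   # egress bytes above this multiple of baseline = spike
# Constructed sample log, one record per line: "<kind> key=value ...".
SAMPLE_LOG = """\
auth result=FAIL user=admin src=10.0.5.7
auth result=FAIL user=admin src=10.0.5.7
auth result=FAIL user=root src=10.0.5.7
auth result=FAIL user=admin src=10.0.5.7
auth result=FAIL user=backup src=10.0.5.7
auth result=OK user=alice src=10.0.1.2
egress src=10.0.1.2 dst=198.51.100.9 bytes=1200
egress src=203.0.113.4 dst=198.51.100.9 bytes=60
egress src=203.0.113.5 dst=198.51.100.9 bytes=60
egress src=10.0.5.7 dst=198.51.100.9 bytes=900000
"""

def parse(line):
    """Turn 'kind key=value ...' into a dict with the record kind under 'kind'."""
    kind, *fields = line.split()
    rec = {"kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def find_indicators(log_text, baseline_bytes):
    """Return (indicator, detail) pairs for the three signs checked here."""
    records = [parse(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    # Sign 1: unexplained failed logons, counted per source address.
    failures = Counter(r["src"] for r in records
                       if r["kind"] == "auth" and r.get("result") == "FAIL")
    for src, n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            alerts.append(("failed-logon burst", f"{n} failures from {src}"))
    # Sign 2: packets leaving the network with a source address we do not own.
    egress = [r for r in records if r["kind"] == "egress"]
    for r in egress:
        if ipaddress.ip_address(r["src"]) not in INTERNAL_NET:
            alerts.append(("spoofed source", f"{r['src']} is not an internal address"))
    # Sign 3: a sudden spike in outbound volume relative to the usual baseline.
    total = sum(int(r["bytes"]) for r in egress)
    if total > TRAFFIC_SPIKE_FACTOR * baseline_bytes:
        alerts.append(("traffic spike", f"{total} bytes vs. baseline {baseline_bytes}"))
    return alerts

if __name__ == "__main__":
    for indicator, detail in find_indicators(SAMPLE_LOG, baseline_bytes=100000):
        print(f"{indicator}: {detail}")
```

A real deployment would feed it the IDS or server logs and a baseline measured from quiet periods; the thresholds here are only starting points.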
8. How do I get rid of malware?
If both your anti-spyware and anti-virus products fail you, you will probably have to try a more hands-on approach. The first thing to do is to find and disable suspicious processes. For recent Windows operating systems, bring up the Task Manager window (press Ctrl-Alt-Delete or right-click the taskbar) and look under the Processes tab. A number of Web sites, such as Sysinfo.org and reger24.de, have lists and/or searchable databases of start-up processes. If you can't find any information there about what a currently running process is, plug its name into a search engine. When you identify a process as being part of the malware problem, select it in Task Manager and click the End Process button.
Sometimes when you do so, you'll get a message such as "access denied", in which case you'll have to use stronger medicine. A program such as PsKill, from Sysinternals, will do the trick. PsKill is available from the company's Web site; follow the straightforward instructions there to remove any stubborn processes. Another Sysinternals program, autoruns.exe, can be used to help you find the settings that cause these programs to run again when Windows is restarted. Delete those settings when you find them. Once you've completed these steps, the malware will be disabled. One final word of caution: be very sure that a program is malware before you delete it, or you could cause yourself more problems than you solve.
Brent Sheets' SearchWin2000.com article "The spy(ware) who shagged me" provides links to good anti-spyware products.
TrendMicro provides a free online virus scan.
TechSoup has a tutorial about "Removing Spyware, Viruses, and Other Malware from Windows."
PsKill is available from the Sysinternals Freeware Web site.
Microsoft offers a tutorial on Responding to and Protecting Against Network-Borne Attacks.
A Security Focus article is called "Are You Infected? Detecting Malware Infection."
The Sysinfo Web site lists and describes startup items and provides a searchable database.
9. What should I be doing to protect my system/network from malware?
For network administrators:
- Keep up with new threats -- it's not just your virus definitions that need to be kept up to date. Subscribe to an e-mail service, such as the one from Sophos, that sends out alerts about new malware as soon as it surfaces.
- Ensure that appropriate security patches are installed promptly as soon as they become available. Although Microsoft released a patch for a security vulnerability in IIS server, both Nimda and Code Red were able to exploit the weakness, because so many systems remained unpatched.
- Block file types commonly used to distribute viruses, such as .exe, .pif, .scr, and .vbs. Although virus-laden attachments can appear to be of any file type, you'll be ahead if you keep out the usual suspects.
- Educate end users in safe messaging and browsing behavior.
- Minimize user access to sensitive data.
- Establish security policies for employees, with consequences for breaking the rules.
- Push security patches to end users.
- Install a secure enterprise instant messaging (EIM) product or add security components to other products.
- Schedule frequent security audits, preferably conducted by external auditors.
- Ensure that remote users -- and their equipment -- are not security risks.
- Have a disaster recovery plan in place, to protect your network and data from unforeseeable catastrophes.
For end users:
- Keep virus definitions up to date and run antivirus software on a regular basis, at home as well as at work. If your home computer, laptop, or handheld device is in contact with computers at work, poor security practices could put the whole network at risk.
- Visit the Windows Update page frequently and download any advised security patches.
- Check the security information and options in your Web browser and set the latter appropriately.
- Never open questionable attachments. It pays to be suspicious, even if the message purports to be from someone you know. If an attachment is unexpected, verify with the sender before you open it. Because file extensions can be spoofed, don't assume that a file is safe to open, even if it appears to be a text file.
- Don't even open messages that seem suspicious. Malware can be embedded in the content of the message itself. Some viruses, such as BubbleBoy, Kak, and Nimda can infect your computer as soon as you open a message.
- Don't preview messages. If you browse through your messages with the preview window open, in effect you're opening each message that appears there. Viewing or previewing messages also encourages more spam. Many spam messages include a mechanism that informs the sender when a message is viewed. This confirms a live address, to which greater volumes of spam -- some of it virus-laden -- will be sent.
- Use appropriately stringent security settings in your e-mail program. In Outlook, for example, under Tools > Options > Security > Secure content > Attachment security, set attachment security to High so that you'll be prompted before opening attachments.
- Watch out for social engineering attempts. Never give out passwords or other protected information; don't leave them lying around (or on a sticky note affixed to your computer, for that matter -- a surprisingly common practice).
- If possible, opt to view messages in text only.
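The attachment block-list recommended for administrators above and the warning to end users that file extensions can be spoofed are two halves of one filter: reject the usual suspects by name, then look at the content regardless of the name. This is an added example, not code from the original article; the blocked-extension set and the single "MZ" executable signature are assumptions, and the sample attachments are constructed.

```python
import os

# Extensions the article lists as the usual suspects; assumed to be the site policy.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".vbs"}
# Leading bytes of executable containers rejected whatever the name says.
# "MZ" opens Windows PE files (.exe, .pif and .scr included); extend as needed.
EXECUTABLE_MAGIC = {b"MZ": "Windows executable (PE)"}

def blocked_extension(filename):
    """Return the blocked extension of the name, or None.

    The last extension decides, so 'invoice.txt.exe' and 'INVOICE.EXE' are
    both caught; trailing spaces and dots (which Windows hides) are stripped.
    """
    ext = os.path.splitext(filename.lower().strip().rstrip(". "))[1]
    return ext if ext in BLOCKED_EXTENSIONS else None

def sniff_executable(data):
    """Return a label if the content starts like an executable, else None."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return label
    return None

def check_attachment(filename, data):
    """Return (allowed, reason) for one attachment, by name first, then by content."""
    ext = blocked_extension(filename)
    if ext:
        return False, f"blocked extension {ext}"
    label = sniff_executable(data)
    if label:
        return False, f"content is a {label} despite the name {filename!r}"
    return True, "ok"

# Constructed attachments: (name, first bytes of content).
SAMPLES = [
    ("report.txt", b"Quarterly numbers attached.\n"),
    ("setup.EXE", b"MZ\x90\x00\x03"),
    ("holiday.jpg.scr", b"MZ\x90\x00\x03"),
    ("readme.txt", b"MZ\x90\x00\x03"),  # spoofed: text name, executable content
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, check_attachment(name, data))
```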
Chris Mosby's SearchWindows2000.com Tip explains Fundamentals of a virus-free network.
CyberCoyote provides directions for turning off the preview window.
CKnow provides a long list of suspicious file extensions.
CERT provides an intruder detection checklist.
Tech Republic offers a customizable PowerPoint presentation for end-user security training.
10. Where can I find up-to-the-minute information about malware?
Sophos sends out notices whenever a new virus is detected.
CERT maintains up-to-the-minute information about Vulnerabilities, Incidents and Fixes.
EWeek's Security Center is frequently updated.
SearchSecurity.com has breaking news about current exploits and newly reported vulnerabilities.
NTBugtraq is a mailing list about Windows vulnerabilities and exploits.