Section 82. About Malware

82. About Malware

Keeping your network up and running after you configure your WiFi router correctly could be a fairly carefree endeavor. Now, I said "could be"; computing in general could be a much more carefree pastime if we didn't have to deal with malicious software that can disable or hijack our computers. I'm talking about viruses, Trojan horses, worms, and spyware. Malicious software such as these are often referred to collectively as malware. Malware would be any software designed to exploit or damage your computer. Another annoying computer incursion that we all have to deal with is spam email, and while spam doesn't really qualify as malware, it can be just as annoying.

Key Term

Malware Malicious software such as viruses, worms, and spyware.

Fortunately, the unsettling fact (actually it's depressing that someone with people programming knowledge would spend their time creating viruses) that there are numerous viruses, worms, and Trojan horses loose means that some excellent software tools have been developed (and continue to evolve) to protect your computer against malware. Let's take a look at the different types of malware, and then we'll walk through some tasks that explore some of the ways to protect your computer.

Viruses

A definite threat to your computer (or computers) and your network's security is the virus. A virus is self-replicating software code, meaning that it can make copies of itself. The fact that a virus can self-replicate means that it can spread easily from computer to computer.

Key Term

Virus Malicious, self-replicating software code that can infect computers and damage system and other files.

Viruses actually require action from you before they can infect your system. For example, if you open an infected file shared by another user or open an infected email attachment, you are going to infect your computer. The virus can then be spread from computer to computer over a network (such as your workgroup) when the infected file is shared and opened. Viruses can also be spread on removable media such as floppy disks, CDs, and USB memory sticks.

Viruses come in several varieties. A number of different virus types have evolved over the years. These different types of viruses have been classified based on how they infect a computer:

• Boot sector viruses: Some of the first viruses were boot sector viruses, which spread through infected floppy disks or other removable storage media such as bootable CDs. When an infected disk or bootable CD is left in a computer and the computer is turned on, the computer attempts to boot to the removable media. On bootup, the boot sector virus loads in to the computer's memory. The virus can then infect the hard drive or any disks you place in the floppy drive after the computer is up and running. One of the first boot sector viruses was the BRAIN virus, which actually didn't really do any damage to the computer or files on the infected disk. However, the virus was able to spread quite quickly because floppy disks were commonly used for data storage when the BRAIN virus first appeared. Today, most computers will not boot to a CD unless you specify that the computer should do so.

Note

Boot sector viruses are uncommon now. In fact, many new computers do not even come configured with floppy drives, which makes boot sector viruses a rather outdated venture for those malcontents who create viruses.

• File viruses: Although fairly uncommon now, file viruses actually infect an executable file such as an EXE or COM file. When the infected file is run, the file virus loads into the computer's RAM. It can then infect other executable files as they are run on the computer. A form of the file virus is the overwriting virus, which actually overwrites the executable file it infects. Examples of file viruses include the Dark Avenger virus and the KMIT virus.

• Macro viruses: The macro virus is a fairly recent virus type. Macro viruses are typically written in Visual Basic code and infect documents and spreadsheet data files rather than executable files. When an infected document is loaded into an application such as Microsoft Word, the virus code runs just like any other macro would in that particular application. Another scary thing about macro viruses is that they are not operating system specific. Because Microsoft Word can run on a Macintosh or a Windows-based PC, the macro virus can actually be spread between the two platforms if the infected Word document is shared. An example of a macro virus is the famous Melissa virus, a Word macro virus that automatically spread itself via email.

• Multipartite viruses: A multipartite virus has the characteristics of both a boot sector virus and a file virus. It can spread from the boot sector of a drive to another drive, and it can also attack executable files on the computer. Some multipartite viruses can even infect device drivers (such as the drivers for your network interface card). An example of a multipartite virus is Pastika, which is activated on only certain days of the month (typically the 21st and 22nd of the month) and can actually overwrite your hard drive.

The actual number of viruses in the "wild" (meaning those that are infecting computers and networks) at any one time varies, but in general, the number is increasing.

The only way you can protect your computer from virus infection is to install antivirus software on your computer and keep it up to date. Unfortunately, protection against a particular virus doesn't become part of the antivirus software capabilities until the virus "goes public." This means that there is always a lag time between the virus's appearance and the ability of the antivirus software to protect against it.

Tip

A good place to look for information related to viruses is the SANS institute. SANS, at http://www.sans.org/, provides information on viruses and other network security issues. You can also find information on current virus and other malware threats by checking out the website of the antivirus software that you use.

Worms and Trojan Horses

Viruses aren't the only malware threats that can infect your computer. There are also worms and Trojan Horses.

A worm is a program that spreads itself from computer to computer on a network. It doesn't need to be activated by you as does a virus. Worms are typically specific to an operating system (such as Windows) and exploit some weakness in that operating system. Worms often exploit open ports and can actually hijack a computer and use it in denial-of-service (DOS) attacks against websites (in DOS attacks, a website is flooded by requests from the computers that have been hijacked by the worm).

Key Term

Worm Self-spreading and self-activating malware software code that typically exploits a particular weakness in an operating system.

Trojan Horse Malware that appear to be a normal program but, when executed, causes harm to your system. The fact that the malicious program is masquerading as a "normal" program is why this particular type of malware is referred to as a Trojan horse.

A Trojan horse, on the other hand, is a program that appears to be perfectly benign, such as a screensaver or a game. For example, the HAPPY99.EXE Trojan horse, when executed, provides a nice little fireworks display on your screen and then immediately uses mail addresses found in your computer's email client to send off copies of itself to these addresses (this is similar to how the Melissa virus is spread).

One of the earliest Trojan horses was the AIDS Information Disk Trojan, which was actually a disk sent out to medical establishments as an AIDS-awareness product. After being executed, the Trojan horse file created a hidden directory on the computer's hard drive and eventually encrypted the entire contents of the hard drive, making it unusable.

One of the biggest threats related to Trojan horses is that some can actually invade a computer and allow remote control of the infected computer by the originator of the Trojan horse (the hacker). This allows the hacker to steal personal information and also use the computer in en-masse attacks upon website servers.