Chapter 5. Malicious Software
At a Glance
The concept of malicious software is introduced. The various types of malicious software
(such as viruses, worms and Trojans) are discussed and the mechanisms used to spread them are investigated.
Introduction
Malware
Definition: Short for malicious software. Software designed specifically to damage or disrupt a system.
The first known microcomputer virus dates back to 1981. The concept of a computer worm was introduced in a science fiction book in 1975, and the first actual implementations were in the early 1980s. Interestingly, these worms were designed to do good things instead of malicious things. Computer Trojan Horses date back to the early days of time-sharing (1960s). Despite their long history, it is only in recent years that their impact on normal users has been so severe and potentially dangerous.
To begin, we should first define what these terms mean.27
27 See www.rbs2.com/cvirus.htm for further information on viruses and other potentially malicious programs.
Virus
A virus is a program that is attached to or inserted into another program. When that program runs, the virus also runs and it inserts copies of itself into other files or disks. In this way, it replicates itself. When the program it infected runs, the whole process starts over again. The virus may or may not do other things.
Worm
A worm is similar to a virus, in that it replicates itself, but it does not need a host program. Like a virus, a worm may only replicate itself or it may take other actions as well. A worm can only work if there is some capability in a system that will allow an external source to send it a program and run that program. Some malware detection vendors consider a worm a type of virus.
Trojan
This type of software is named after the (perhaps mythical) Greek conquest of Troy, where the Greeks presented the city of Troy with a large wooden horse. When the horse was brought into the city, it was found to contain Greek soldiers who proceeded to take over the city. Since then, a “Trojan Horse” has meant something that looks benign, but contains some hidden and potentially dangerous content.
A Trojan horse program is one that does something malicious in addition to, or instead of, what the person thinks it is doing. The term has recently also come to mean any malicious program that is added to your system without your knowledge or authorization.
“Bonus”
This is software that is bundled into some other package without your knowledge. It is common for commercial software to include other packages. For instance, if you install a web browser, it may also include Adobe Acrobat© or software that plays music or videos.
These are included because they enhance the original package and usually the install process asks you if you want them, or at least informs you that they are being installed. Bonus software is different because it is not really related to the original package in function. Given a choice, you probably would not install it.
The terms Trojan, Virus and Worm are not mutually exclusive. Attackers can write software with the characteristics of more than one, such as a self-replicating Trojan. Software that has the characteristics of more than one form of malware is often called a blended threat. As you can see, the terms generally refer to how the malware is spread, and not what it does. This chapter describes what malware does and the specific ways in which it is propagated. The following chapters discuss ways in which your computers and networks can be secured against such software.
What do they do?
There is no limit to how malware acts once it is running on your computer, but the programs do have some common characteristics in their activities:
Send e-mail
Sending e-mail is one of the most common actions of malware programs. The e-mail may include a copy of the program itself (a virus or a worm) as an attachment. The content may be specific to the malware (such as falsely claiming it is an alert from Microsoft warning you about a security problem) or it may even be random parts of your previous e-mails that it finds lying around your computer. If there is a malicious attachment included, the text of the message may be something that will encourage the recipient to open the attachment. The Subject: and the From: line are similarly set according to the whim of the malware; they too may be set to encourage you to open the attachment (as in the famous worm that said “I LOVE YOU” in the subject line). The messages are typically sent to people it finds in your address book or to people whose e-mail addresses are in other types of files on your computer. Sometimes when messages have been sent to all possible recipients the program stops and sometimes it will start all over again! Note that if someone else’s computer is infected with a virus or worm that sends e-mail and it puts your address in the From: line (because it found your address somewhere on the infected machine, perhaps in its address book), you may be accused of distributing this virus.
Gather information
Malware may gather information about your computer and its files and send this information back to its author. Since it can read any files on your computer (often including encrypted files), whatever you have is fair game. If you store information about your bank accounts or credit cards on your computer, this data may be of interest to an attacker. If you have a scanned image of your signature to allow you to print or fax letters, this may also be useful. Together these pieces of information could allow the attacker to assume your identity. Alternatively, if you operate a small business and store other people’s credit card numbers on your computer, it will be a serious problem for you if these numbers are stolen.
Over-write or erase data
Some malware programs are truly malicious; upon entry to your computer, they can immediately begin to erase all the files on your hard disk or overwrite the files with garbage. Sometimes they change things in less detectable ways including:
Installing a Trojan
This aspect of malware is becoming increasingly common. One or more programs may be installed on your computer. The program may replace some common program that you or the operating system normally use (the original meaning of Trojan). Alternatively, it may insert some other program that will be invoked either at some predetermined time or whenever your computer is started. The following section on Payload Software describes many of these programs.
Scheduling something to happen later
Any of the previous actions may happen immediately or they may be triggered at a later date. Malware writers seem to like the suspense that comes with the announcement that a certain worm will do something nasty on January 1, 2000, for instance.
Payload Software
Malware often comes in the form of programs left on your computer that run when you start your machine or when you start a particular program. The type of program is only limited by the imagination and programming skill of the attacker.
Web tracking/modification software
This class of programs watches what sites you visit, can display pop-up ads in addition to those you would normally see, and can display ads replacing those that the site you are visiting is sending. They can send information about your computer and what you are doing back to their developer. In many cases, the software also has full control over your browser: it watches what you enter, may alter what you see, and can report what you type back to its developer. For Internet Explorer, this capability is designed into the product and is called a Browser Helper Object (BHO) - http://msdn.microsoft.com/library/enus/dnwebgen/html/bho.asp. Although one can build very useful and legitimate BHOs, there are also clearly opportunities for less than ethical applications.
Backdoor Software
Normally, to access a computer system you need to give it a username and password, although this security is often bypassed on systems that are thought of as physically secure and used only by someone sitting at their own keyboard and monitor. Backdoor software allows a remote user to access your computer, bypassing all of your security. It may even install its own security so that only that attacker can use it. Although the details vary from case to case, this remote user will now have full control of your system; they could even lock you out if they wished. In essence, your computer has been hijacked and you will not realize it. Why does this attacker want access to your system? The reasons vary, but they may include:
- No reason other than to prove to himself or his friends that he could do it;
- To be malicious – in general;
- To be malicious – he has some specific reason to target you;
- To use your computer for some other activity such as sending spam or launching a denial of service attack later;
- To steal something of value from your system.
Note that this same type of software, under names such as remote access or remote administration tools has very legitimate, practical applications as well. If you use these tools for work, make sure that you have proper security measures employed, including usernames and passwords.
Keyboard loggers
Keyboard loggers do just what the name implies. They trap all keyboard input and log it to disk. The file can be inspected later, perhaps via backdoor access, or it can be sent back to the person who installed the program via e-mail or web delivery.
It is important to note that keyboard loggers watch what you are actually typing, not what is sent over the network. So if you enter a credit card number on a web page that is secure (uses encryption when the data is transmitted), the logger still sees exactly what you typed in unencrypted form.
Financial Theft
Most thefts that are the result of personal computer attacks involve information that is taken from the computer. However, there are cases where payload programs actually spend your money automatically. The simplest example is if the program detects a modem on your computer and uses it to place long distance calls. Since the program cannot talk, there is no benefit to the attacker, other than the malicious satisfaction in knowing that at the end of the month, you will get an outrageous bill from the phone company.
In other cases, the attacker can benefit personally. In many countries, it is possible to arrange to have a special telephone number: when this number is called, the phone company charges the caller a specific amount per minute and part of that money goes to the person being called. It is used for a variety of businesses; examples are software companies that want an easy way of charging you when you call them for out-of-warranty support. In that case, the phone company collects the money from the caller and sends part of it to the company being called to pay for the support call. If an attacker had such a number, they could program your computer to call the number and just hold the line open for a while. Your telephone bill would reflect this charge.
How do you get them?
A number of years ago, the only way a PC or Macintosh user could be the recipient of a virus or other malware was to use an infected diskette. If you didn’t trade files with people who were infected, you were safe. Unix systems were not particularly prone to viruses, but with their superior connectivity capabilities (even in those days), security holes in operating systems and some common applications occasionally allowed attackers to access systems and install backdoor software. The Internet’s first major security incident was a worm that attacked Unix systems in 1988. Today, you can be attacked in a number of ways. All of the following apply to Windows machines. Unix and Macintosh systems are somewhat less prone to these types of attack, not necessarily because they are more secure, but rather because the vast number of Windows machines makes them more interesting targets.28 Unix systems are next in line, with Macintosh exhibiting the fewest exploited vulnerabilities to date.
28 Typically, a virus, worm or Trojan written for Unix may work only on the variant (Red Hat, Solaris, etc.) that it was written for, because the libraries that interface applications to the operating system differ on each type of Unix. As Linux becomes more popular and standardized, this advantage will be reduced.
e-mail
A few years ago, rumors would spread periodically that you could be infected with a virus by receiving e-mail. System managers and helpdesk people would have to reassure their users that this was impossible. As long as a user did not run a program that he or she received in an attachment without verifying that it was safe, the machine and the user were OK.
It is no longer impossible to be infected via e-mail; in fact, it is highly likely. Two enhancements brought this about. The first change is that we now have e-mail programs that can run attachments automatically.
Originally, a user would have to save the attachment and then run it. Automatically running attachments makes things easier, particularly for the novice user who wants to see what was sent without taking additional actions. The second change is that, in an effort to make e-mail prettier and more powerful, we now allow HTML within the body of the e-mail; however, that HTML can include instructions that cause problems. For example, the HTML can direct a web browser to a specific web site that may not be appropriate for you or your children. It should be noted that the people who send these e-mails can be very innovative. Recently, there have been a number of virus-laden e-mails that claim to be from Microsoft and say that they are providing the latest patches to protect you from viruses and worms. They contain logos and images that could easily convince someone that they are authentic and that the attachments should be run immediately. Needless to say, anyone who does run such an attachment is in for trouble.
Web sites
When the World Wide Web was launched, web pages contained text and images. Now they can contain far more, including programs that are downloaded onto your machine and executed (JavaScript, Java applets, ActiveX controls). If you allow your browser to run these programs without determining that the sending site is completely trustworthy, there is a good chance that a program may do something objectionable. JavaScript is confined to the browser's sandbox and is generally the safest of the three; Java applets, once granted permission, and especially ActiveX controls, which are ordinary native code running with your privileges, are potentially quite dangerous. Browsers can usually be set to refuse these programs or to ask the user before executing one.
Plug-ins and Add-ons
Web browsers and many other programs (including word processors and spreadsheets) allow other programs to be loaded and executed from within the main program. A common example is the Adobe Acrobat Reader, which allows you to view PDF files while browsing the web. Once these add-ins or plug-ins are installed, they can do anything that the base program can do, including (usually) reading and writing your disk, or using your network connection. Add-ins and plug-ins should only be installed if the source is known to be trustworthy.
Security holes
Security holes are bugs in parts of the operating system or other system components that allow an attacker to access information on your system, or to gain control of the system. In recent years, most suppliers are reasonably quick to respond to security problems that are discovered in their systems, so if you apply patches to your system regularly, you may plug the holes before would-be attackers build and distribute software exploiting the known bugs.
File sharing
File sharing is available in one form or another for all operating systems. It is very convenient to share files among co-workers. If you have several machines of your own, sharing files between them is a great feature. However, if you allow file sharing over the Internet and you don’t apply adequate security measures (such as robust usernames and passwords and limiting write and update privileges) then any attacker in the world can also share your files. Further, if you allow others to write to your disks, then the attacker can set up your machine to do anything they want!
Drive-by downloads
Drive-by downloads occur when you innocently go to a web site and the HTML statements on the page automatically invoke a Java or ActiveX program that downloads another program and either executes it or schedules it for later execution. The HTML code can also arrive in e-mail. If you allow Java or ActiveX programs to execute, they can download and install whatever they want, without asking your permission and without telling you what is happening.
Piggy-back on pirated software
Pirated commercial software is not new. Counterfeit CDs have been sold for years and copies on the Internet (called Warez) are common. There has long been a problem that the CDs could have a virus, but there is now an increasing chance that the software may deliberately include altered code giving access to your computer to an unauthorized person over the Internet. Since administrator privileges are needed to install most software, it is an ideal opportunity to add a few more programs that you had not requested.
Piggy-back on legitimate software
Although most software that you download is probably legitimate, it is increasingly likely that downloaded software (particularly freeware) will install other programs as well. Peer-to-peer file sharing programs have been particularly prone to this. They often include other programs, many in the Web tracking/modification category, which monitor your web activity, display advertisements, and report on your activities to their masters. Some of these programs are particularly insidious in that they try to disguise themselves and are almost impossible to remove. One such program includes an uninstall utility; if you run it, it deletes the uninstaller but the original program is still alive and running!
Non-resident Malware
Not all malware runs on your computer. It is becoming increasingly common to send e-mail that somehow entices the user to visit a web site. The traditional form of this trap is an e-mail that offers you something of interest (just as with any of the common spam sales e-mails), but once you go to the site, some sort of malicious software takes over, perhaps downloading software (what is referred to as a drive-by download) or taking other actions.
In the newer form, the e-mail claims to be from eBay (the Internet auction site), PayPal (Internet payments) or your bank. The e-mails are crafted to look authentic. They point you to a web site to (typically) re-validate your credit card numbers. The URLs they point you to look exactly like an authentic URL to the casual user. For instance, the real URL for PayPal is www.paypal.com, and the URL displayed in the e-mail might be exactly that. However, what is shown on the screen is not the actual URL that the link will take you to. The actual URL is often hidden and might be something like: http://www.paypal.com:user=32454329:transaction=43293:code=4333033.33@218.5.79.162.
If one is not very familiar with URL formats, it really looks like it is going to www.paypal.com, so it must be authentic. In fact, in a URL everything between the // and the @ sign is a username and password, not the host name; the browser connects to the host after the @, here 218.5.79.162, and never treats www.paypal.com as the destination. At that site, you would see a page that looks exactly like the PayPal site, asking you to log in and re-enter your credit card number. In fact, this site is not connected to PayPal at all, but belongs to someone who is trying to steal your credit card information. These ploys have been very successful. Note that e-mails similar to this may be legitimate. A legitimate e-mail will usually include some information unique to you (and not derivable from your e-mail address), such as your full name or the last 4 digits of your credit card. If it directs you to a web site, it will either tell you where to go without including a hyperlink, or the resulting web page will include information that no spammer or fraud artist could know. If in any doubt, contact the company by telephone at its normal telephone number (not one included in the e-mail).
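The deceptive URL above, pulled apart the way a browser does it, as an added example that is not part of the original chapter. The URL is the one quoted in the text; the HTML e-mail fragment and the helper names (real_host, userinfo, host_in_text, suspicious_links) are constructed here for illustration. The example also generalizes the chapter's check to every link in an HTML message: it flags an href that hides a username and password in front of the host, and a link whose visible text names one host while the href actually goes to another.

```python
"""Added example (not from the chapter): expose the real destination of a deceptive URL
and flag misleading links in an HTML e-mail.

The URL below is the one quoted in the text. The e-mail fragment and the helper
names are constructed for this illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The URL quoted in the chapter. In a URL, whatever sits between "//" and "@" is
# user-info (username[:password]); the host the browser connects to comes after "@".
DECEPTIVE_URL = ("http://www.paypal.com:user=32454329:transaction=43293"
                 ":code=4333033.33@218.5.79.162")

# Visible link text that looks like a web address: optional scheme, a dotted host
# ending in an alphabetic top-level label, then an optional path or query.
_URLISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#].*)?$")


def real_host(url):
    """Host a browser would actually connect to for this URL (lower-cased)."""
    return (urlsplit(url).hostname or "").lower()


def userinfo(url):
    """(username, password) placed in front of the host, or (None, None)."""
    parts = urlsplit(url)
    return parts.username, parts.password


def host_in_text(text):
    """Host named by the visible link text, or "" if the text is not URL-like."""
    m = _URLISH.match(text.strip())
    return m.group(1).lower() if m else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (visible text, real host, reasons) for each link that either hides
    user-info in front of the host or shows one host while linking to another."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if href is None:
            continue
        reasons = []
        username, _ = userinfo(href)
        if username is not None:
            reasons.append("user-info in front of the host")
        target = real_host(href)
        shown = host_in_text(text)
        if shown and shown != target:
            reasons.append("text shows %s but link goes to %s" % (shown, target))
        if reasons:
            flagged.append((text, target, reasons))
    return flagged


# Constructed HTML e-mail fragment: one deceptive link, one honest link, one plain link.
SAMPLE_MAIL = (
    '<p>Dear valued customer, please visit <a href="' + DECEPTIVE_URL + '">'
    "www.paypal.com</a> to re-validate your card.</p>"
    '<p>Questions? See <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>'
    '<p>Or <a href="http://218.5.79.162/login">click here</a>.</p>'
)

if __name__ == "__main__":
    print("connects to:", real_host(DECEPTIVE_URL))
    print("user-info  :", userinfo(DECEPTIVE_URL))
    for text, host, reasons in suspicious_links(SAMPLE_MAIL):
        print("suspicious link %r -> %s: %s" % (text, host, "; ".join(reasons)))
```

Run as a script, it reports that the quoted URL connects to 218.5.79.162 with www.paypal.com as the username, and flags only the first link of the sample message for both reasons; the honest PayPal link and the "click here" link (whose text names no host) pass. Modern browsers warn on or strip URLs with a user-info part for exactly this reason, but the mismatch between displayed text and actual href needs no such trick and remains the more common form.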