Stopping Viruses, Worms and Trojan Horses
Posted 14 October 2005 - 03:49 AM
In 2002 ICSA Labs surveyed 300 businesses and government agencies and found that 28 percent of them had had a virus "disaster" in the previous year. Home users and small businesses don't have a support staff or dedicated firewalls, so they are more vulnerable when a piece of hostile code slips through their defenses. The cleanup can be expensive and time-consuming, and there is no guarantee that all data will be recovered.
Checklist for security:
- Train all users in safe computing procedures
- Install antivirus software on every computer
- Install a personal firewall on every computer
- Configure email software to block or quarantine potentially dangerous attachments
- Install antivirus software on your network server if you have one
- Configure antivirus software to update itself, at least once a week.
- Bookmark trustworthy sources about viruses and hoaxes
- Backup, backup, backup!!! It can never be said enough.
- Develop a recovery plan in case you do get struck
How Malicious Software Attacks Your Computer
Before we continue, it is important to know the different types of threat you can encounter:
- Virus: a piece of code that replicates itself by attaching itself to another object. These objects can be files, like program files or documents, but they can be disk or file system structures as well, like the boot sector from a hard disk. Fun fact: the plural of virus is viruses, not virii. If you want to win a bet about this check out this page: http://en.wikipedia....Plural_of_virus
- Worm: an independent program that replicates itself by copying itself from computer to computer, usually over a network or email attachments. Lately most outbreaks are worm related.
- Trojan horse: as the name implies a Trojan horse is a program that executes instructions that the user did not intend when (s)he opened it. These programs may arrive as an email attachment or website download and are usually disguised as a joke program or software utility like a screensaver.
- Blended threat: a newer class of malware that combines characteristics of viruses, Trojans and worms to create a stronger attack. Blended threats spread by targeting web servers and networks as well as end users, so they propagate rapidly and cause extensive damage.
Also handy to know are some terms you will see when visiting anti-virus websites that give information:
- Disinfect: completely removing the traces of a virus from a computer. This can entail manual steps in addition to the automated tool from the vendor.
- Dropper: the installer of the virus.
- File virus: a class of viruses that attaches itself to files, a.k.a. file infector. File viruses often remain in memory to infect other files accessed.
- Heuristic analysis: Technique used to identify viruses on the basis of what they do rather than by signatures.
- In the wild: a virus that is actively spreading on users' computers, as opposed to one that exists only in researchers' collections.
- Macro virus: code written in the internal macro programming language of a program like Microsoft Word. They are stored in the files that the program creates and will be executed when you are working with the file.
- Payload: the destructive portion of a virus. This can be just about anything.
- Polymorphic virus: a virus that changes its byte pattern each time it replicates, a.k.a. a mutating virus. By changing itself, a virus can evade anti-virus programs that look only for a fixed signature.
- Scanning: Searching memory and files for viruses.
- Virus signature: Tell-tale signs that identify a virus.
Some malware gets on your computer by pretending to be something else. An example is W32.Gibe@mm, which arrived as an attachment posing as an update from Microsoft. Others offer to install screensavers, or play cartoons, or anything else to make you feel that the piece of software is trustworthy.
The name of the virus is informative as well. The Computer Antivirus Research Organization (http://www.caro.org) has created a naming convention which is widely used in virus territory. In short the name boils down to:
- Family name: In the above example that would be Gibe.
- Major variant: a part that usually identifies the infective length, i.e. the number of bytes the virus adds to the files it infects. Usually omitted by anti-virus developers.
- Minor variant: a letter that distinguishes alternative versions of the same virus.
Also virus names can contain suffixes that identify other characteristics. like @m which stands for mailer (it sends itself to one other person at a time) or @mm which stands for mass mailer (sending itself to many others).
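As an added example (not part of the original tutorial), here is a small Python parser for vendor names of the shape quoted above. The grammar it accepts (optional platform prefix, family, optional qualifiers and a one-letter minor variant, optional @m/@mm suffix) is my approximation of the page's examples and of Symantec/McAfee-style names, not the full CARO specification; the platform list is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Name grammar assumed for this example (an approximation of the vendor names
# quoted on the page, not the full CARO specification):
#   [Platform.]Family[.Qualifier ...][.MinorVariant][@m|@mm]
# McAfee-style "W32/Gibe.b" (slash after the platform) is accepted too.
PLATFORMS = "W32|Win32|W95|W97M|WM|X97M|VBS|JS|Linux|OSX|PalmOS"   # assumed list
NAME_RE = re.compile(
    rf"""^
    (?:(?P<platform>{PLATFORMS})[./])?      # optional platform prefix
    (?P<family>[A-Za-z][A-Za-z0-9_-]*)     # family name, e.g. Gibe
    (?P<rest>(?:\.[A-Za-z0-9_-]+)*)        # qualifiers and/or variant letter
    (?P<suffix>@mm|@m)?                    # mailer / mass mailer
    $""",
    re.VERBOSE,
)


@dataclass
class MalwareName:
    platform: Optional[str]
    family: str
    qualifiers: List[str]
    minor_variant: Optional[str]
    suffix: Optional[str]

    @property
    def mailer(self) -> bool:          # @m or @mm: sends itself by email
        return self.suffix in ("@m", "@mm")

    @property
    def mass_mailer(self) -> bool:     # @mm only: mails itself to many recipients at once
        return self.suffix == "@mm"


def parse_name(name: str) -> MalwareName:
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised malware name: {name!r}")
    qualifiers: List[str] = []
    minor = None
    for part in filter(None, m.group("rest").split(".")):
        # a lone letter is the minor variant (Gibe.B); anything longer (Kak.Worm) is a qualifier
        if len(part) == 1 and part.isalpha():
            minor = part.upper()
        else:
            qualifiers.append(part)
    return MalwareName(m.group("platform"), m.group("family"), qualifiers, minor, m.group("suffix"))


def same_family(a: str, b: str) -> bool:
    """True when two vendors' names refer to the same family, which is what you
    need when one site says W32.Gibe@mm and another W32/Gibe.b."""
    return parse_name(a).family.lower() == parse_name(b).family.lower()
```

The family name is the part to search for on a vendor's site; the minor variant tells you which removal instructions apply, and the suffix tells you whether to expect the worm to have mailed itself to your contacts.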
Since many viruses pretend to be other types of files, usually data files, you have to look at the last extension to determine what an attachment in a mail message actually is. The Loveletter virus spread by means of the file LOVE-LETTER-FOR-YOU.TXT.vbs. You can see from the last extension that you are not looking at a text file but at a Visual Basic script. This is a reason to always show all extensions in Windows: in Windows Explorer open Tools, Folder Options, View and clear "Hide extensions for known file types". If you don't, you might take this for a text file instead of a script. One caveat: a few extensions, such as .lnk (shortcuts) and .pif, stay hidden even then, because their registered file types carry a NeverShowExt flag.
Most email programs offer updates to guard against the double extension trick. Regardless of the settings in Windows Explorer, Outlook Express 5 and 6 will show the full name of an attachment including the multiple extensions. Same goes for Outlook 2000 and 2002.
The most dangerous ones enter your system through holes in the computer system. They use vulnerabilities in scripting engines, ActiveX controls, Java applets, HTML (buffer overflow, for example). So once again, it is a matter of keeping your system up to date with security patches to act as a countermeasure to the attack.
The most common source of viruses these days is the email attachment. Although every virus is different, they share common traits. The accompanying mail message often uses "social engineering" to lure inattentive or gullible users into opening the attachment. A common one is convincing the user that the attachment is a picture. VBS.SST@mm claimed to be a picture of Anna Kournikova. MyParty (W32.MyParty@mm) arrived in a message titled "new photos from my party!". The attachment was supposed to be a web page, but obviously wasn't. Be especially aware of attachments ending in .com. These days people take that for a commercial Internet domain, but it is also an executable extension dating back to the MS-DOS days, and Windows still runs it.
Most attachment-borne viruses arrive in an English message, but a huge number are written by people outside English-speaking countries. This means that these messages often contain grammatical errors, awkward syntax and misspellings, and those will clue you in that the mail message isn't what it seems to be when it supposedly comes from someone you know writes fluent English.
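To make the double-extension and .com tricks concrete, here is an added Python example (mine, not from the original post) that inspects an attachment name the way a cautious user should: it reports the real (last) extension, what Explorer would show with extensions hidden, and why the name is suspicious. The extension lists, the "www.example-party.com" name and the padded "report.pdf ... .exe" name are constructed for the example; LOVE-LETTER-FOR-YOU.TXT.vbs is the Loveletter name quoted above.

```python
import re
from typing import List, NamedTuple

# Extensions Windows executes or scripts on double-click (constructed from
# well-known types for this example; not an exhaustive or authoritative list).
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "lnk", "reg", "msi",
}
# Extensions a recipient would reasonably take for harmless data.
DATA_EXTENSIONS = {"txt", "jpg", "jpeg", "gif", "png", "doc", "xls", "pdf", "htm", "html", "mp3"}
# Extensions Explorer hides even with "Hide extensions for known file types" switched off.
ALWAYS_HIDDEN = {"lnk", "pif"}


class AttachmentVerdict(NamedTuple):
    real_extension: str
    displayed_name: str        # what Explorer shows when known extensions are hidden
    executable: bool
    double_extension: bool
    padded_name: bool
    reasons: List[str]


def displayed_name(filename: str) -> str:
    """Explorer drops only the last extension, so LOVE-LETTER-FOR-YOU.TXT.vbs
    is shown as LOVE-LETTER-FOR-YOU.TXT and looks like a text file."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def analyse_attachment(filename: str) -> AttachmentVerdict:
    reasons: List[str] = []
    # Strip blanks around each part: "report.pdf      .exe" still ends in .exe.
    parts = [p.strip() for p in filename.split(".")]
    real_ext = parts[-1].lower() if len(parts) > 1 else ""
    executable = real_ext in EXECUTABLE_EXTENSIONS
    if executable:
        reasons.append(f"last extension .{real_ext} is executable on Windows")
    # The classic trick: a data extension right before the one that actually runs.
    double = executable and len(parts) > 2 and parts[-2].lower() in DATA_EXTENSIONS
    if double:
        reasons.append(f"poses as .{parts[-2].lower()} data but runs as .{real_ext}")
    if real_ext in ALWAYS_HIDDEN:
        reasons.append(f".{real_ext} stays hidden by Explorer regardless of folder settings")
    # A run of blanks pushes the real extension out of a narrow attachment column.
    padded = bool(re.search(r"\s{4,}", filename))
    if padded:
        reasons.append("long run of whitespace inside the file name")
    # "www.something.com" reads like a web address but .com is a DOS executable.
    if real_ext == "com" and len(parts) > 2:
        reasons.append("looks like a web address but .com is an executable extension")
    return AttachmentVerdict(real_ext, displayed_name(filename.rstrip()), executable, double, padded, reasons)
```

The verdict is only about the name; a clean-looking name still needs the antivirus scan described later on this page. The point of the check is that the name alone is already enough to refuse most mass-mailer attachments.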
Early versions of mass-mailers took over the user's email program to do their work, but these days they often contain their own mail transport agents. These programs can harvest email addresses from the Windows Address Book or Contacts folder from Outlook. They might even look in the browser cache for saved pages with mailto: links.
Some viruses try to disable antivirus programs or firewalls. To do that the virus needs sufficient privileges, and it gets exactly the privileges of the account that ran it. This is one of the many reasons not to log on as Administrator for everyday tasks: code running under a limited user account cannot stop services or overwrite system files.
Taken as a whole, virus writers are not trained application programmers, and their code goes through no quality control or rigorous testing. As a result viruses contain lots of bugs, which is a blessing in disguise because the bugs often keep them from working or spreading.
Attacks from the web
Apart from attachments there are other ways of spreading viruses. One popular way is to write the virus as a script embedded in a web page or HTML email, so the user gets infected just by visiting the site or viewing the message in HTML view. One such virus was the Kak worm (VBS.Kak.Worm): merely opening the message in an HTML-enabled mail reader was enough to get infected on operating systems prior to Windows 2000.
This also shows how important it is to keep your system patched with Security updates. The Kak Worm vulnerability was documented in Microsoft Security Bulletin MS99-032 which also offered a solution.
ActiveX and Java components are another way to infect a computer. One widely used, and well documented, technique is JS.Exception.Exploit. This exploit made it possible for websites to run ActiveX controls, which were not marked safe for scripting. See Microsoft's Security Bulletin MS00-075 for more information.
Trojan Horse Programs
I guess everyone knows the story about the Trojan horse in Greek mythology, so I will not tell it once again. Trojan horse programs follow the same routine. They lure the user into installing their program, so they can perform their malignant code when executed.
Trojan horses are not unique to Windows, there are hundreds of these programs infecting Operating Systems ranging from MS-DOS and Linux to Palm OS and Macintosh.
Once installed, the Trojan can do anything the user who installed it can do. That can go as far as deleting files (including vital system files), logging keystrokes in the hope of catching credit card numbers and passwords, or using the computer as a "zombie" in a network of compromised machines to launch Denial of Service attacks or send spam. If the Trojan also exploits a privilege-escalation vulnerability, it can gain a level of access beyond that of the user who ran it.
A computer infected with a Trojan often acts as a network server. An example is the Gibe worm (W32.Gibe@mm), which contains a backdoor server listening on port 12378.
Another way onto a computer is via shared network drives. The notorious Nimda worm (W32.Nimda@mm) searches for open network shares and copies itself to them.
As you would expect, these network-aware viruses require special precautions. Even with a firewall at the perimeter, a network is vulnerable to this kind of attack the moment a user brings an infected notebook into the office and connects it to the network.
A fairly new infection route is through Instant Messenger programs, like MSN Messenger, Windows Messenger or Yahoo! Messenger. And finally, file-sharing programs that work over the Internet can serve as sources of viral infections.
Beware of virus hoaxes!
Everyone has had them. Most hoaxes are started as a joke and get passed on by gullible users, who in turn spread them further. If you receive a virus warning from someone, check it against one of these three sites before you forward it:
· Symantec Hoax Alerts: http://www.symantec....enter/hoax.html
· F-Secure Hoax Warnings: http://www.f-secure....irus-info/hoax/
· McAfee.com Virus Hoax Listings: http://vil.mcafee.com/hoax.asp
Identifying Malicious Software
How do you know you are infected? One way to find out is when you receive a message from a friend telling you that you are infected. But stealthy viruses and Trojans give no such warning.
Computers do strange things all the time… For no apparent reason hard disks start whirring, or computers freeze up temporarily… All these things can be alarming, but are most likely to be caused by a buggy program than by a virus.
Any time the following symptoms show up, you should take steps to locate mischievous programs.
- Unexpected disk access: Trojans access the hard disk when the local user isn't doing anything. But many legitimate programs, including Windows itself, do that as well. In other words, when you notice sudden disk activity, trace the program that causes it.
- Sudden system slowdown: Viruses and Trojans can take up huge amounts of memory and resources thereby making the computer extremely slow. This can also happen with improperly configured systems, so the advice here is to check it out to rule out a virus or Trojan.
- Unexpected network traffic: hostile software can try to take over network connections. For example, to spread viruses to other workstations in your network or to use a backdoor server that was installed through a Trojan. These days most, if not all, programs assume you have an always-on Internet connection, so they try to do background work automatically. Even Windows does this with Windows Update. When you are confronted with unexpected network traffic, check out what your firewall has to say about it. Many firewalls come bearing the means to identify and block unwanted network connections.
- Changes in filename or size: Viruses and worms travel by infecting other files. If you notice a change in the size or name of an executable file, this could be a sign of infection. Some anti-virus and firewall applications detect a change in file size and alert you to it.
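The "changes in file size" symptom can be checked rather than guessed at. The following Python script is an added example (mine, not from the original tutorial): it records the size and SHA-256 of every executable under a folder, stores that baseline, and later classifies the differences. The extension list and the demo() scenario with calc.exe and dropper.com are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

# File types classic file infectors target (assumed list for this example).
WATCHED = {".exe", ".dll", ".com", ".scr", ".sys", ".ocx"}

Snapshot = Dict[str, Tuple[int, str]]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Snapshot:
    """Map every watched file under root (path relative to root) to (size, sha256)."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WATCHED:
                full = os.path.join(dirpath, name)
                snap[os.path.relpath(full, root)] = (os.path.getsize(full), _sha256(full))
    return snap


def save_baseline(snap: Snapshot, path: str) -> None:
    # Keep the baseline off the machine or on read-only media: a Trojan running
    # with your privileges can rewrite a local baseline as easily as the executables.
    with open(path, "w") as fh:
        json.dump(snap, fh)


def load_baseline(path: str) -> Snapshot:
    with open(path) as fh:
        return {rel: (int(size), digest) for rel, (size, digest) in json.load(fh).items()}


def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Classify differences. A grown file points at an appending infector, a
    changed hash at the same size at an overwriting or cavity infector, a new
    executable may be a dropper, and a missing one may have been renamed."""
    report: Dict[str, List[str]] = {"grown": [], "modified": [], "added": [], "removed": []}
    for rel in sorted(current):
        size, digest = current[rel]
        if rel not in baseline:
            report["added"].append(rel)
        elif digest != baseline[rel][1]:
            report["grown" if size > baseline[rel][0] else "modified"].append(rel)
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a folder, then mimic an appending infector
    on calc.exe and a dropped dropper.com, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "calc.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 100)
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"not an executable, not watched")
        baseline_file = os.path.join(root, "baseline.json")   # in the same folder only for the demo
        save_baseline(snapshot(root), baseline_file)
        with open(os.path.join(root, "calc.exe"), "ab") as fh:
            fh.write(b"VIRUS BODY")          # appending infector grows its host
        with open(os.path.join(root, "dropper.com"), "wb") as fh:
            fh.write(b"\xeb\xfe")
        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(demo())   # {'grown': ['calc.exe'], 'modified': [], 'added': ['dropper.com'], 'removed': []}
```

This catches file infectors and droppers that touch disk; it says nothing about memory-resident code, and a baseline taken after the infection only tells you the virus has not spread since. Take the baseline right after a clean install and store it somewhere the machine cannot write to.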
When you want to find out which program is hogging your computer, your first stop is the Windows Task Manager. Press Ctrl+Shift+Esc and then click the "Processes" tab. Click the "CPU" column header to sort the list by processor use (click it again if the order is ascending) and look at the top of the list: the program there is using the most CPU time. Don't assume that the file is bad. Make a note of its name and use the Windows Search utility to locate the file. Right-click it and choose "Properties" from the menu; the window that opens shows details about the program such as its location, version and company name. A supposed system file that turns up outside the Windows folder, or without version information, deserves a closer look.
If the program is svchost.exe and you are running Windows XP Professional, you can type tasklist.exe /svc at a command prompt to see which services each svchost.exe instance is hosting; an svchost.exe running from any folder other than the Windows system folder is not the genuine one.
The most reliable way to identify a virus is with an up-to-date antivirus program. It will reliably identify the viruses it knows about, but even this is not foolproof: it will only find what it knows about. Antivirus work is reactive rather than proactive. After a new virus emerges, it has to be analyzed so that it can be described in a definition (signature) file, and until that file reaches your antivirus product you are vulnerable to it; heuristics catch some new viruses, but not reliably. This is a prime reason not to rely on antivirus software alone. Block executable email attachments and install all security updates to prevent other forms of infection.
Your antivirus program can also falsely accuse a program of being a virus, a so called False Positive. These can usually be attributed to errors in the definition file that was used, or to a heuristic scan that detects activity associated with that program. As an example you can expect from an installer that it writes and deletes files. But the installer may still be flagged as a possible virus.
When your antivirus program sounds an alarm, take note of it. Be aware that it may be a false positive, so start by looking at the alert message. If it is a heuristic scan, you know that the message isn't coming from one of the definition files. If the alert includes the name of the virus, go to the vendor's website and find additional information on it, so you can confirm if it is on your system. If you can't find answers, submit the file to your antivirus vendor and ask them to look into it.
CAUTION: If you think your computer is infected, avoid using it to browse the Internet or send email. You would risk spreading the virus. Even more important is that many viruses spread over network shares. So it would be best to temporarily unplug every possible network connection, until you are sure that the system is clean. Do research on another, clean, computer.
Unfortunately you can find a lot of false or half-true information on viruses, so do your research at reliable addresses. Start with your antivirus vendor, because they most likely have step-by-step instructions on how to get rid of the infection. In addition to that, there are the following pages:
· ICSA Labs' Virus Alerts: http://www.trusecure...ype/index.shtml
· CERT Coordination Center Computer Virus Resources: http://www.cert.org/...es/viruses.html
Choosing an Antivirus Program
The only computer that is safe is a computer that is unplugged! It's as simple as that! If you want to use a computer you will need antivirus software. And as you can see later on, there are many highly regarded antivirus vendors out there. But… they're not equal. Which one is right for you? That's a difficult question with no ready made solution. To draw a conclusion of which program is best, you can ask yourself these questions:
- Do I need a personal or network antivirus program?
Simply put, the name says it all. Is it for a network or for a single computer? Network antivirus solutions usually have a central management program or module that you use to update and monitor all the other computers on the network. For home or small-office use a networked antivirus would not make sense unless you are looking after 25 computers or more.
- Is the program compatible with my Windows?
Because antivirus programs work very close to the operating system, you need an antivirus solution that has been written for your version of Windows. Despite the many similarities, a program written for Windows 2000 may not work on Windows XP, and vice versa. Because of the major differences between the NT family of Windows (Windows 2000, Windows XP, Windows Server 2003) and the earlier Windows 9x family (Windows 95, Windows 98 and Windows ME), a program written for one family will likely not even install on the other, let alone work.
- Does the virus scanning engine integrate into my email program?
The most effective way of protecting your system from email attachments is to detect and get rid of viruses upon arrival. To do this an antivirus program will hook into the email software, to intercept the virus as soon as possible.
- Does it integrate with my personal or corporate firewall?
Increasingly, security software is bundled: antivirus with firewall software, and if you have a hardware firewall or a router it might be designed to work closely with a particular antivirus program. Some Linksys routers, for example, are designed to work with Trend Micro's PC-Cillin software.
- Can the software be configured to update itself automatically?
No one is so organized that they will not forget to update weekly. This makes an Autoupdate function almost a necessity. Most programs will handle this for you, but it's best to check anyway.
- How much does it cost?
Don't look only at the purchase price; that is a one-time cost. Look at the price tags for updating virus definitions, because that will be a recurring cost, and factor in that you'll need a separate license for each computer. Another thing to look at is support. What do you need to pay for that, and what do you get? Is it round-the-clock? Free of charge? Telephone or on-site? Is the price per incident? If so, a single incident can cost more than the original license.
- Is there a trial version?
There are many antivirus solutions, and all of them have reviews. So you can read up, but you could also download one or more trial versions and get some hands-on experience with the program.
- Is the software certified by ICSA labs?
The average user has no way to generate virus-infected files to test an antivirus solution, and the staggering numbers that vendors use can be misleading at best. Is a program that claims to hunt down 70,000 viruses better than one that blocks only 50,000? How do you know that this software actually does what it says it does? Look for certification by ICSA Labs, an independent tester of antivirus applications. To earn certification the program must detect all viruses in the wild and 90% of the lab viruses. An up-to-date list of certified programs can be found at https://www.icsalabs...36;gdhkkjk-kkkk.
Since most people do not have a library of viruses ready to test whether their antivirus software is working (and it is debatable whether people should do that anyway), you can use the test file created by EICAR (the European Institute for Computer Anti-Virus Research). Open Notepad or another text editor and create a file whose content is exactly the 68-character EICAR test string as published on the EICAR site, then save it, for example as eicar.com.
Note: the letters are all uppercase and the third character is the uppercase letter O, not the digit 0.
If your antivirus software is working, and supports the EICAR test, it will intercept when you save the file. At http://www.eicar.org...s_test_file.htm you can download four other versions of this test file.
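As an added example (not from the original post), the following Python script creates the EICAR file and checks whether an on-access scanner intercepts it. The string is the published EICAR test string; the file name eicar.com, the five-second wait and the sanity checks on a hand-typed copy are my choices.

```python
import os
import tempfile
import time

# The 68-character EICAR test string as published by EICAR. It is harmless by
# design (a valid DOS program that only prints a message), but every mainstream
# scanner is expected to detect it. Note "X5O": the third character is the letter O.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_string() -> str:
    return EICAR


def check_eicar_string(s: str) -> bool:
    """Sanity checks for a hand-typed copy: exact length, the letter O (not the
    digit 0) in the third position, all uppercase ASCII and the closing $H+H*."""
    return (len(s) == 68 and s[2] == "O" and s.endswith("$H+H*")
            and s.isascii() and s == s.upper())


def write_test_file(directory: str) -> str:
    """Write eicar.com as raw bytes without a trailing newline, so the file is
    exactly the 68 bytes the scanner expects."""
    path = os.path.join(directory, "eicar.com")
    with open(path, "wb") as fh:
        fh.write(EICAR.encode("ascii"))
    return path


def scanner_intercepted(path: str, wait_seconds: float = 5.0) -> bool:
    """True if an on-access scanner deleted, quarantined, locked or truncated the
    file within the wait. Without a scanner the file simply stays and this is False."""
    deadline = time.monotonic() + wait_seconds
    while time.monotonic() < deadline:
        try:
            if os.path.getsize(path) != len(EICAR):
                return True
        except OSError:          # removed, quarantined or access denied
            return True
        time.sleep(0.25)
    return False


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        p = write_test_file(tmp)
        print("on-access scanner intercepted eicar.com:", scanner_intercepted(p))
```

A scanner that only checks files on demand will let the file sit there until you run a manual scan, so a False result from this script means "no on-access protection on this folder", not "no antivirus installed". Run a manual scan over the folder as the second half of the test.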
Protecting Your Computer From Hostile Software
No one has found the be-all and end-all of protection, even against known threats. So you will have to implement a security regime to keep your system clean. At the least it should have the following procedures/guidelines:
- Train every person who uses your computer/network. Users should not open unexpected attachments or run programs they download from the Internet until checked out with an antivirus program.
- Install antivirus software and keep it updated. Installing an antivirus program is only half of the protection. To keep your system safe from hostile software you will have to update the definitions the program searches for. If the program has an automatic update feature, configure the program to install updates once or more times a week.
- Keep your system up to date with the latest security patches. Malware works by exploiting known vulnerabilities in email and browser programs, holes in the operating system, and even defects in antivirus applications themselves. To avoid getting a virus that way, use Windows Update regularly and install security updates as soon as they become available. Security patches are crucial for computers that are always connected to the Internet, like web servers or email servers.
- Configure your computer to block potentially dangerous email-attachments. Many current email programs, including Outlook and Outlook Express, have the ability to block some or all attachments that can potentially harm your system. If your email program cannot do that there are other programs that have the ability to block them. An example is the MailSafe feature in ZoneAlarm Pro (http://www.zonelabs.com) that intercepts incoming attachments and lets you decide how to handle them.
- Install a firewall program that can detect and block unsolicited outbound connections. The firewall built into Windows XP offers excellent protection against unwanted intruders, but will not stop any program from sending data to the outside. This means that if a Trojan horse has entered your system it has free access to the world. You can stop this by installing a two way protection firewall that will monitor outgoing streams next to incoming streams. Apart from that, it will also help detect spyware programs and blended threats connecting to the Internet.
- Back up your data regularly. If a rogue program manages to slip between the cracks of your protection, you might be forced to reformat and start over. This process is never painless, but a recent backup can alleviate the loss of data.
Even well trained and experienced computer users can slip up. New vulnerabilities result in unprepared situations, leaving the system open for intrusion. Because programs aren't perfect this means that the best way to protect yourself is by using multiple sources of protection!
Training users to avoid viruses
The first line of defense against malware is simply the user using the computer. Therefore it is quite logical that every person using the computer has been trained in recognizing suspicious software. From this it also follows that every computer user must know and adhere to the concepts of safe computing. For starters, they should follow these principles:
· Do not open any file attached to an email message unless you know the sender and are expecting the attachment. Because even if it is from someone you know, they could be infected with something. If it is from someone you don't know, it is even easier. Do not open! Delete it!
· Never attach a file to an email message without including an explanation. Explain what the attachment is and why you send it. Do not use generic explanations, since they can easily be created by mass-mailing viruses.
· Out of safety concerns, zip attachments first. Some email programs will not let you open an executable or other potentially dangerous attachment; zipping the file makes it possible to save and extract it. An added benefit is that a zipped file is smaller and therefore faster to transmit. Be aware that mass-mailing worms send themselves zipped as well, so an archive is not automatically safe; what is inside still has to be checked.
· When in doubt, check it. When you receive a suspicious or unexpected attachment, contact the sender and get an explanation. Be wary when the message contains generic text prompting you to open the attachment. Just think about the W32.MyParty@mm worm that came with this text:
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
A visit to a reputable anti-virus website can help determine whether the message and attachment are known as a virus.
· If it doesn't check out, delete it. If you can't reach the sender and aren't satisfied that the attachment is okay, hit the Delete button. If it later turns out to be okay it can always be resent.
· Never install a patch or update you receive via email. Many virus messages try to make you believe that it is coming from a known software maker like Microsoft or Symantec. Never trust them. Software makers post patches on their website for you to download. They will never send them to you. They will send an email message to you to alert you to the fact that there is an update, but not the update itself.
· Never accept a file sent over an Internet messaging service unless you are certain the file is safe. ICQ, AOL Instant Messenger, MSN Messenger are used to transfer MP3 files or graphics from user to user. These can be used to transfer viruses as well, so every user that uses Internet messaging should be wary of files that get exchanged in this fashion.
Blocking Dangerous Attachments
Your antivirus program should intercept any malicious file that enters your computer, but out of date definitions might be hindering the program from doing its job. If the program is temporarily disabled it will miss the intrusion as well, so it will be better to use multiple layers of defense against these intrusions.
If you use Outlook Express 6, Outlook 2000 with Service Pack 2, or Outlook 2002, you already have an email application capable of attachment blocking. As a matter of fact, in Outlook 2000 SP2 and Outlook 2002 the blocking of the most dangerous attachment types cannot even be switched off from the program's own options; that takes a registry change or a third-party tool. If you prefer another program, check whether it has the ability to block attachments.
Using Backups and System Restore
Viruses infect other files, so if a virus remains undetected for days or weeks, you could find that many files have been infected. You might even have backed them up in your regular backup routine. If you use Windows XP, the System Restore feature can also contain copies of infected files. The risk? Once cleaned up you might inadvertently reinfect by restoring a backup or using System Restore. To avoid this, follow this advice:
· Perform a complete virus scan before performing a full backup.
· After cleaning up, install antivirus programs and the latest definition files before restoring any backed-up file. This ensures that the antivirus program will detect the virus as soon as it gets restored.
Windows protects the System Volume Information folder, so antivirus programs can detect infected files in the System Restore points but cannot repair or delete them, and restoring to such a point would bring the virus back. The only solution is to purge all System Restore points. To do so, follow these steps:
1. Open Control Panel and double-click on the System icon.
2. Click the System Restore tab and select "Turn Off System Restore On All Drives". If your computer has only one volume, the option reads "Turn Off System Restore".
3. Click Apply, and OK to close the dialog box.
4. Restart your computer.
5. Update the anti-virus software (System Restore may have removed recent updates) and run a complete scan for viruses.
6. Afterward turn System Restore back on by repeating the first four steps and clearing "Turn Off System Restore On All Drives".
Repairing an infected system
What should you do if you do get infected… For starters, Do Not Panic!!! If you panic, and start deleting files or mess around with the Registry you could make your problem worse. Here's an 8 step plan to recover from the infection.
1. Positively identify the infection.
Check out the filename of the attachment. Or the text of the message. Get the identity confirmed, so you are sure that you are dealing with a certain virus.
Also be sure you have identified the correct variation of the infection, because cleaning a different version might not get it all. And when you leave a portion behind this might reinfect you.
2. Isolate the infected computer
Viruses spread, so it's easy to infect another computer. Especially if it is connected to the Internet. So, unplug it from any network.
3. Find authoritative removal instructions
From an uninfected computer, visit an authoritative source to find detailed removal instructions. Print them out and read the steps carefully before starting the cleanup process.
4. Gather your cleanup tools.
Get all the things you need. Including a bootable floppy disc or CD/DVD. The Windows installation CD. The instructions from step 3 will help identify what you need.
5. Begin cleanup process
* Be prepared to delete all files infected. Replace them with backups.
* With a little bit of luck you might have found a completely automatic removal tool. Symantec has a large collection you can see at http://www.sarc.com/...tools.list.html.
* If there is not a tool, follow the removal instructions step by step, and to the letter. You don't want to rush this, because forgetting something (or worse, skipping steps) might not clean everything, and reinfect you.
* For servers/workstations containing critical data, or where an unknown virus may have left the system compromised, it is often best to reformat the drive, reinstall Windows and the other applications, and then restore the data; once an attacker's code has run with full privileges there is no way to be sure a cleanup got everything.
6. Reinstall antivirus software
After cleanup is over, reinstall the antivirus software; this should be your first priority. Reinstall from a known clean source, preferably the original CD. After the installation, update the antivirus and rescan all local disks to make sure that your system is virus free.
7. Restore data and programs from backups
Reinstall/restore all programs and data from trusted sources. Also, if needed, or if you suspect data corruption, check the data. The Melissa virus inserted a quote from Bart Simpson into infected documents. Other viruses tinker with spreadsheet formulas. It’s possible that the data is no longer valid.
8. Scan other computers in the network.
Before reconnecting the freshly cleaned computer to the network, confirm that the other computers are free of infections too. Otherwise all your work might have been in vain since your computer can become reinfected the moment it is reconnected.
Posted 13 December 2006 - 12:14 AM
This is such an excellent and comprehensive tutorial.
You cannot believe how much I learned from this.
Thanks a bunch for this great contribution!
Posted 29 September 2010 - 03:25 PM
Posted 10 November 2010 - 09:54 PM
My, that was a very well written guide; just wanted to say thank you for all the time you spent in writing it.