Computer worms, virus and security threats

Avoiding computer worms, virus and security threats.

One obvious method of reducing the risk of attack is to avoid whatever is the most attacked set of products. This means avoiding MS-DOS, Windows and MS Office applications, in favour of less popular products. If you must use the same products as others, consider at least removing Outlook Express, Outlook, Internet Explorer, VBA, scripting, and any automatic execution of Office macros.

History

The first one on a personal computer was probably Richard Skrenta's Elk Cloner, on the Apple II around 1980. Even the term virus didn't exist then. This was mentioned in Scientific American. The first for the IBM PC was the 1986 Brain, done as an advertising stunt by a Pakistan computer shop run by Basit and Amjad Farooq Alvi.

The first ones I saw were Jerusalem, and the New Zealand product Stoned. We couldn't stop it infecting a PC and had to work out a way to make it think it had already infected everything, so it wouldn't bother doing so again. Eventually we kludged write protected hardware for the hard drives in the student labs, and that settled things down.

Around 1990 there was a Bulgarian virus bulletin board that helped spread code (including development kits) for writing new viruses. The 1992 Virus Creation Lab and other tools appeared, so many really badly written viruses appeared.

Delivery of Virus Attacks

Most virus attacks work through social engineering. That is, the user is somehow persuaded that they should actually run the virus. This method applies to any operating system at all.

The next most common attack is via bugs in existing programs and operating systems.

A virus needs to infect local files. The preference is to infect executable (program) files.

Why is Windows So Vulnerable?

Partly because there are more Windows PCs. Partly because by default a Windows user has traditionally had full administrative power to do anything on the computer. Partly because to enhance ease of use, programs can run automatically (for example, when you insert a CD).

On Unix and Linux, users are generally discouraged from operating the computer as an administrator. A virus in these systems can only infect files owned by the local user, and as a local user, you have no special administrative power. You can not infect normal program files. You can (and should) set up Macintosh and Windows systems so that you normally do not run as administrator

In Windows it is easy to run an infected file from a local directory, since by default that works. In Linux, by default it is harder to do so, since by default it doesn't work.

In Windows, and file ending in .exe, .com, .bat, .pif, .vbs, .scr (and others I've forgotten) is considered executable. In addition, by default Windows hides file extensions, so you don't even know whether a file is an executable (always turn extensions on).

In Linux you need to tell the system that a file can be executed, so there are often additional steps you need to do before a virus can act.

Windows provides a monoculture, while Linux is not. There is one major email system. As a result, any attack on a vulnerability in Outlook or Outlook Express automatically catches large numbers of users. This particular attack has happened at least once a year for the past five years.

Virus Types

Boot sector
Most early viruses spread from an MS-DOS floppy disk being booted. Once on a hard drive (usually in the master boot record), they generally infected any floppy disks inserted into that PC. Protect against these by never booting from a floppy disk. Set your BIOS so that your PC does not boot from a floppy disk, but only from its own hard drive.
Executable file infector
Copy themselves to files that can be executed, such as .com, .exe, .bin, .drv, .dll, .ovl, .ovy, .sys, lnk, even .bat Hang around in memory, infecting every such file. Some use boot sector means to infect files also (and may be called bimodal viruses). You basically need to get your programs from reliable sources (hint - there are no reliable sources). Open source software where you can read and compile the code yourself is far safer. Consider only installing new programs if you really need the product, and only from a recognised software vendor. Do not under any circumstances use any browser or internet program that permits programs found on the web to execute.
Macro virus
As at the turn of the century, most viruses are application specific macro viruses. They mostly infect Microsoft Office products, but can be written for any application with a sufficiently complex macro language. General solution, turn off macros and scripting in the products you use. If not possible, use different products. Personally, I'd regard removing Visual Basic and turning off scripting as minimal precautions.

Virus Tricks

Some overwrite part of their host file so the length of the file is unchanged, so you can't spot them just by checking file lengths. These may be called a cavity virus.

Some modify directory table entries to run before other programs, so although the virus is only in one location, running any program starts it. Cluster viruses appear to infect everything.

Companion viruses rely upon DOS files executing in a certain order. .bat executes before .com which executes before .exe. If people are likely to run a named .exe program, having the virus with the same name but a .com extensions runs it first.

Fast infectors when in memory infect every application that is opened, even without it being run. If you run an antivirus program the virus has it made, as antivirus programs open all other programs to check whether they are infected. That is one of the reasons an antivirus checks memory first.

Some anti virus programs check for virus patterns. Polymorphic viruses, whose source code was published by Mark Washburn around 1990, include encryption and decryption code, so the body of the virus can have totally different patterns. You have to search for the decrypter (and there may be several different types of decrypter). Trident's TPE and other polymorphic kits like DAME and NED made it easier for less skilled virus writers to make their own versions. Versions may use random number generators and mutation engines to change their patterns.

Back Orifice (1998) is a Trojan (a program you believe does something else) done as a remote system administration tool to allow someone else to control your PC.

Strange Brew, the first Java virus, also appeared (Java, at least in applet form, was intended to be safe).

Bubbleboy demonstrated how to infect by opening an email in Outlook or previewing in Outlook Express (which is one reason I say dump Outlook off your system). Kak showed how well that technique worked as a virus.

Email

Virus writers attempt to get you to either execute attachments, or take advantage of bugs in common mail clients to execute code. Set Outlook Express and Internet Explorer to prompt before opening attachments at the very least. Scan all attachments with an antivirus before opening them.

Removing Outlook Express and Outlook from your system is a very good start in improving security. Replace them with safer email clients such as Pegasus or Eudora, and newsreaders such as Agent.

Windows Scripting Host, Internet Explorer and Web Access

Remove the Windows Scripting Host in Windows 98 setup (it is installed automatically by Internet Explorer). In File Types, remove VBScript. Remove any .vbs associations. Remove Visual Basis entirely if you can get away with it.

Remove Internet Explorer using 98Lite. Replace it with a safer browser such as Opera. Turn off Javascript, and enable it only for trusted sites that demand it (like banks). Unless you need the Java Virtual machine for some applet, consider not installing it.

If you must run Internet Explorer, turn the Security Settings to High. Refuse to deal with web sites that ask you to turn it lower. Please note that some antivirus sites (amongst others) may ask you to turn it down for system checks. Use a different antivirus instead.

File Names

Turn file extensions on in Explorer. The default of leaving them off is monumentally stupid. Learn the extensions for all executable files, and know what you are doing before running any of them.

Active-X Controls

Unless you need them, consider removing Active-X.

Macro Virus

Enable macro virus warnings in all MS Office products. Protect Word's normal.dot global template, and do not allow random Word files to change it. Keep up to date with all Microsoft security patches (all 100 a year of them), despite their patches sometimes stuffing up your PC. Better yet, use the Disable Macros option as well. Best, remove MS Office and use some safer product.

Anti-Virus

I sometimes think anti-virus vendors are as much a part of the problem as a solution.

Anti-virus vendors regularly describe harmless proof of concept virus as a danger, under circumstances where there really is no problem. Anti-virus vendors are adept at spreading fear, uncertainty and doubt, in an attempt to sell their programs.

McAfee claimed it had discovered the first Linux virus, Bliss, on 5 February 1997, and had a cure. Actually Staog predated it in mid 1996. Bliss was announced on Usenet on 29 September 1996. It was a proof of concept virus which included detailed logs of its action and had a removal option included.

I hope you have enjoyed www.ericlindsay.com.