Page 1: Malware: Viruses, Worms, Trojan Horses, & Spyware
What They Are & How to Deal with Them
Jay Stamps, jstamps@stanford.edu, 723-0018
ITSS Help Desk Level 1 Training, November 18, 2004

Page 2: Course Objectives
- Understand what malware is, where it comes from, and what it does
- Diagnose compromised or infected computers based on reported symptoms
- Basic troubleshooting techniques for possibly compromised computers
- Research & diagnostic tools
- Prevention: Worth a pound of cure!

Page 3: It’s Been a Rough Few Years for Windows PCs…

Page 4: Sorry…
- But that was the last picture you’re going to see in this presentation!
- The good news is that your instructor loves questions, and you’re cordially invited to interrupt him at any time, or save your questions for later
- It’s a cliché, but there are no “dumb questions”: The point is to learn
- And if I don’t have a good answer, I’ll suggest that you make finding one part of your homework assignment!

Page 5: What’s “Malware”?
- Shortened form of “malicious software”
  - But it’s not always really malicious
- So “malware” is a general term for:
  - Computer and macro viruses of any kind
  - Internet and mass-mailing worms
  - Trojan horses, backdoors and rootkits
  - Other computer exploits, bots, zombies
  - Spyware, adware, and other software installed on a computer without the user’s knowledge or informed consent
- And then there are the “hoax viruses”…

Page 6: Why Use the Word “Virus”?
- The analogy with biological viruses
  - Computer viruses exist to self-replicate
  - They can often adapt (mutate) to survive
  - They might or might not harm the host
  - They “infect” by inserting themselves into a “healthy” system (be it a computer program or living organism)
- The term “virus” is heavily overused
  - That’s why we’re talking about “malware”
- But when someone’s PC is misbehaving… They call 5-HELP and say, “I’ve got a virus!”

Page 7: Are Only PCs Affected?
- The answer is “No”
- Are Macintoshes immune?
  - The answer is “yes and no” - sort of…
  - The first virus in 1982 infected Apple IIs
  - A great deal of malware - some of it not so malicious - existed for Mac OS “Classic”
- Are there any Mac OS X malware programs?
  - Well, not in the wild, not yet…
- What about Unix and Linux OSes?
  - Lots of malware is in circulation for these platforms - lots!

Page 8: Why Does Malware Exist?
- When “viruses” first became common…
  - And “normal people” began to use personal computers…
  - If a “virus” struck, they were confused, alarmed, felt violated…
  - They’d ask, “Where do these things come from?” and “How did I get infected?”
  - Often they’d feel embarrassed, like they’d picked up an STD in a reckless moment…
  - When told, “People deliberately create viruses,” they’d properly ask, “Why?”
- What do you think? Why does malware exist? (Possible homework assignment!)

Page 9: Brief History of Malware
- “Viruses” appeared in early 1980s
  - Very soon after first personal computers
  - They spread by floppy disks, later via “bootleg” & other software on “BBSes”
  - They often weren’t meant to be destructive
- Internet “worms” arrived in late 1980s
  - “There may be a virus loose on the internet.” - Andy Sudduth of Harvard University, 34 minutes past midnight, November 3, 1988

Page 10: Brief History Continued
- First mass-mailing worm came in 1999
  - Usually called the “Melissa virus”
  - It was also a “macro virus”
  - Infected file had to be opened in MS Word
- Spyware hits the scene around 2000
  - “Adware” claims to be legitimate, legal
  - “Browser hijacking” is common symptom
- Other exploits, trojans, backdoors…
  - Have been around for a long time
  - Hackers target entities for malicious attack, or may want “free” computing resources

Page 11: We’ll Stick to MS Windows
- The majority of computer users at Stanford have Microsoft Windows PCs
- The majority of malware “in the wild” today attacks only Windows PCs
  - Malware is very platform-dependent
- Microsoft has only recently made computer security a priority
  - In the past… MS tended to “enable everything by default”
  - Network-connected “services” running on a computer are an open invitation to hackers

Page 12: Why So Much Malware?
- Is malware becoming more common?
  - Yes!!! It is!!! (and harder to fight off)
- Why might that be?
  - The Internet! Plus all the high-powered PCs in homes & offices connected to it
- Why does that make a difference?
  - As with biological viruses, lots of people (or computers) are rubbing up against each other in a common space; and computers (like people) don’t always cover their mouths when they sneeze…

Page 13: “Help! I’ve Got a Virus!”
- A lot of people self-diagnose (wrongly)
  - “Doc, I think I’ve got the flu.” “How much did you drink last night?” “Uh, three six packs. I think. I don’t really remember…”
- Only a few years ago…
  - Most folks who thought their PC had a viral infection were wrong!
  - When PCs behaved strangely, usually there was a problem with the OS or an application that was not at all virus-related
- Today that’s still true, but…

Page 14: Today That’s True, But…
- Malware is more common, while OSes and applications are both more feature-laden and (often) more robust
  - More features mean more potential vulnerabilities for hackers to exploit
  - Greater robustness means strange behavior is somewhat likelier to be caused by malware
- Plus more people use protective software
  - Few people these days are unaware of the necessity of running antivirus software
  - Some people even use it correctly!

Page 15: You Answer a Call to 5-HELP
- And the caller begins to explain…
- “I think my PC has a virus”
  - Maybe it does, and maybe it doesn’t
  - We’ll look at diagnostic approaches presently
- “I got an email from the Security Office…”
  - Get the details, but… A referral to the Level 2 Help Desk, or local or contract support is probably the right move
  - If Networking or the Security Office has noticed a problem, the computer is almost certainly hacked
- If the caller has self-diagnosed, or if you suspect malware is involved, you ask…

Page 16: The Usual Questions 1
- If a caller’s PC might have an infection, or otherwise be compromised:
  - Ask what version of Windows they’re using
  - Ask them if they’re keeping it patched
  - Ask them if they’re using antivirus software, and if it’s up-to-date
  - For Windows 2000 & XP, ask them if they have good passwords for all user accounts
  - Ask them if they use a firewall
- The caller may not know the answers to some of these questions, of course…

Page 17: The Usual Questions 2
- So you may need to guide the caller to learn the answers to these questions
  - To check if Windows is properly updated, have the caller visit: http://windowsupdate.microsoft.com
  - Launch Symantec AntiVirus to check the date of the virus definitions file
  - To check password strength, use the Stanford Security Self-Help tool
  - Windows XP has a built-in firewall, as do many broadband routers

Page 18: The Answers
- If a user can’t access the network, that problem is likely not caused by malware
- If a user can’t run, install or update SAV or other security software, that’s a clue that the PC has been infected by a worm
- If Windows isn’t patched, and/or AV software is out of date, and/or user accounts have weak passwords, the PC is definitely vulnerable to compromise
- If the web browser (especially IE) goes to unexpected sites, suspect spyware

Page 19: More Symptoms
- We’ve just looked at a couple of common symptoms of malware
- Here are some other possible signs:
  - Sluggishness
  - One or more unexpected restarts
  - Frequent system crashes
  - Constant hard disk activity
  - Generalized “strange behavior”
- Hackers try to hide their presence: If they’re good, they will succeed
  - Worms and some viruses do likewise

Page 20: Steps to Recovery
- Most symptoms of malware also have other, more mundane causes
- If there’s any reason to suspect the presence of malware on a user’s PC, update virus definitions, disconnect the network cable, and run a full antivirus scan of all hard drives
- Install and run SpySweeper
- And always, always teach computer users how to protect themselves from malware! Prevention is key!

Page 21: Mass-Mailing Worms
- Mass-mailing worms are one of the most common vectors for malware
- Most people know not to open “suspicious” email attachments
  - But the worm writers are getting a lot craftier, and the attachments often look less “suspicious” these days
- Many people are still confused by sender address “spoofing”
  - Mass-mailing worms mail themselves out using randomly chosen sender addresses

Page 22: I Got a “Suspicious” Email
- A caller might say:
  - I got a strange email message from my bank (or a bank I don’t even use), etc.
  - I got a message from my “system administrator” telling me to do something
  - I got a message from a friend telling me there’s some file I’m supposed to delete
- Such messages are usually “phishing” attacks, or “hoax viruses”
- Delete the email message; don’t do what it says; never give out private information
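Slides 21 and 22 make the point that a worm or phishing message can carry any sender address it likes, so the From: line proves nothing. What the From: line cannot forge is the chain of Received: headers that each mail server prepends as the message travels. The following Python script is an added example, not part of the training deck: it compares the domain of the claimed sender with the domain of the first hop and flags a mismatch for triage. Both sample messages, their hosts and addresses are constructed for this example, and the registered-domain helper is a deliberately crude heuristic.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample (not from the slides): a mass-mailing worm message that
# forges a From: address inside the recipient's own domain.  Hosts and
# addresses use reserved example names and documentation IP ranges.
RAW_WORM_MESSAGE = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby mx.example.org with ESMTP id abc123
\tfor <user@example.org>; Thu, 18 Nov 2004 10:15:02 -0800
Received: from dsl-pool-17.example.net (dsl-pool-17.example.net [198.51.100.17])
\tby mail.example.edu with SMTP id xyz789;
\tThu, 18 Nov 2004 10:14:58 -0800
From: "Security Office" <security@example.org>
To: user@example.org
Subject: Your account has been suspended

Please open the attached file to reactivate your account.
"""

# Constructed sample of ordinary internal mail: the first hop is the
# organization's own mail server, which matches the From: domain.
RAW_LEGIT_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.25])
\tby mx.example.org with ESMTP id def456
\tfor <user@example.org>; Thu, 18 Nov 2004 11:02:40 -0800
From: colleague@example.org
To: user@example.org
Subject: Lunch?

Noon at the usual place?
"""

# A Received: header value begins "from <host> ...".
RECEIVED_FROM = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def registered_domain(hostname: str) -> str:
    """Crude 'organization' part of a hostname: its last two labels.
    Adequate for a help-desk triage heuristic; wrong for ccTLDs like co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def originating_host(msg) -> Optional[str]:
    """Each receiving server PREPENDS a Received: header, so the last one
    listed is the earliest hop: the host that first handed the message in."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    earliest = " ".join(received[-1].split())  # unfold the folded header
    match = RECEIVED_FROM.search(earliest)
    return match.group(1) if match else None


def analyze_message(raw: str) -> dict:
    """Compare the claimed From: domain with the first hop's domain.
    A mismatch is a triage flag, not proof: legitimate mail sent through a
    third-party provider will mismatch too, so treat it as one clue."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(from_addr.rpartition("@")[2]) if "@" in from_addr else ""
    origin = originating_host(msg)
    origin_domain = registered_domain(origin) if origin else ""
    return {
        "from_address": from_addr,
        "from_domain": from_domain,
        "origin_host": origin,
        "mismatch": bool(from_domain and origin_domain and from_domain != origin_domain),
    }


if __name__ == "__main__":
    for label, raw in (("worm", RAW_WORM_MESSAGE), ("legit", RAW_LEGIT_MESSAGE)):
        print(label, analyze_message(raw))
```

The worm sample reports a From: address in example.org but a first hop in example.net, which is exactly the sender spoofing the slide describes; the internal mail sample reports no mismatch. Only the topmost Received: header (added by your own server) is fully trustworthy, so a careful reader walks the chain from the top and stops believing it once the hops leave servers they know.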

Page 23: Top 6 PC Security Must-Dos
- Patch Windows automatically
  - New patches 2nd Tuesday of each month
  - Use BigFix & Windows Automatic Updates
- Use strong passwords (even better, pass phrases) for all user accounts
- Use a firewall, such as Windows XP’s built-in software firewall
- Use and properly maintain good antivirus software
- Don’t open suspicious email attachments
- Disable Windows File & Printer Sharing
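Slides 16 to 18 tell the help desk to ask whether Windows is patched, whether antivirus definitions are current, whether a firewall is on and whether all accounts have good passwords, and this slide adds that patches ship on the second Tuesday of each month. The following Python script is an added example, not part of the training deck: it computes the most recent Patch Tuesday so that "patched" has a concrete meaning (updated on or after that date) and turns the caller's answers into a list of findings. The seven-day limit on definition age, the argument names and the sample caller answers are assumptions made for this example.

```python
from datetime import date, timedelta
from typing import List, Optional


def second_tuesday(year: int, month: int) -> date:
    """Microsoft's monthly patch release day: the second Tuesday of the month."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def latest_patch_tuesday(today: date) -> date:
    """The most recent Patch Tuesday on or before `today` (may be last month's)."""
    this_month = second_tuesday(today.year, today.month)
    if this_month <= today:
        return this_month
    if today.month == 1:
        return second_tuesday(today.year - 1, 12)
    return second_tuesday(today.year, today.month - 1)


def triage(
    today: date,
    last_windows_update: Optional[date],
    av_definitions_date: Optional[date],
    firewall_enabled: Optional[bool],
    accounts_with_weak_passwords: int,
    max_definition_age_days: int = 7,   # assumed threshold, not from the slides
) -> List[str]:
    """Turn the caller's answers into findings.  None means the caller could
    not say; that is recorded as 'unknown' rather than silently assumed OK."""
    findings: List[str] = []

    if last_windows_update is None:
        findings.append("patch status unknown")
    elif last_windows_update < latest_patch_tuesday(today):
        findings.append(
            f"windows unpatched (last update {last_windows_update}, "
            f"latest release {latest_patch_tuesday(today)})"
        )

    if av_definitions_date is None:
        findings.append("antivirus definitions date unknown")
    elif (today - av_definitions_date).days > max_definition_age_days:
        findings.append("antivirus definitions out of date")

    if firewall_enabled is None:
        findings.append("firewall status unknown")
    elif not firewall_enabled:
        findings.append("no firewall")

    if accounts_with_weak_passwords > 0:
        findings.append(f"{accounts_with_weak_passwords} account(s) with weak passwords")

    return findings


if __name__ == "__main__":
    # Constructed caller answers for a call taken on the day of this training:
    # last updated on October's Patch Tuesday, definitions from yesterday,
    # XP firewall on, one account with a weak password.
    print(triage(date(2004, 11, 18), date(2004, 10, 12), date(2004, 11, 17), True, 1))
```

An empty list means the caller's answers to the usual questions raise no flags, which per slide 18 still does not rule malware out; it only means the PC is not obviously vulnerable. Any "unknown" finding is a cue to walk the caller through the checks on slide 17 before going further.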

Page 24: Tools for Prevention
- Essential Stanford Software: http://ess.stanford.edu
  - Symantec AntiVirus
  - BigFix client
  - SpySweeper
  - Security Self-Help Tool
- Use the Firefox web browser (not IE)
- Stanford Secure Computing web site: http://securecomputing.stanford.edu
- Microsoft Baseline Security Analyzer: http://support.microsoft.com/kb/320454

Page 25: Questions? Research Tools
- If you’ve been saving up questions, now’s your chance!
- Tools for research & troubleshooting:
  - http://support.microsoft.com/kb/129972
  - http://www.google.com
  - http://www.sarc.com
  - http://www.mcafeesecurity.com/us/security/home.asp
  - http://housecall.trendmicro.com/
  - http://en.wikipedia.org/wiki/Computer_virus
  - http://www.spywareinfo.com/
  - http://support.microsoft.com
  - http://www.microsoft.com/technet
  - http://www.cert.org/
  - http://www.cisecurity.org/