Mal-ware Control

Mal-ware Control: Intro

Of all the topics that we'll cover in this course, this one is by far the most familiar to the average home PC user. Most folks will already know that they need an anti-virus program and that they should scan their hard drives every once in a while. But protecting one's PC against malicious software (mal-ware) of all kinds goes far beyond that. 

Your job is to educate your readers about the threats posed by different kinds of malicious software, get them up to speed on the varieties of anti-virus and anti-trojan software programs that exist and how to use them properly, and, above all, to hammer home the message that anti-virus and anti-trojan programs aren't magic bullets -- that any strong defense against mal-ware necessarily involves the users themselves and what they do with their computers. As I've said before: "Dumb users trump smart software every day of the week."

Viruses & Worms

The first thing we need to do is introduce our readers to viruses and worms, what they are, how they spread, and what these nasty things can do. In other words, we need to give our readers a basic taxonomy of viruses and worms. It's especially important to hammer home the damage that viruses and worms can do to a system (loss of data, corruption of key application and system files, compromise of personal privacy, and even hardware damage in extreme cases), as most of your readers will be reluctant to take any additional precautions beyond installing an anti-virus program until it's too late. Especially in a networked world where your system, if compromised, can be used as a platform to attack and spread dangerous viruses and worms to other computer systems on a network, it is simply inexcusable not to take basic steps to protect one's own machine. The days when one could dismiss virus protection as somebody else's problem are over. And the time to start thinking about and planning defenses against malware is NOW, not after one's system has been compromised (and possibly damaged) by a virus or worm.

Good places to get basic information about viruses and worms and all their different variants are the major anti-virus software makers. Most anti-virus makers have information and alert pages where you can find "primers" on viruses and worms (as well as trojans), as well as alerts to the most current threats. You can find links to many of the info pages for major anti-virus software makers on the Anti-Virus Info page on the class web site, a page which ought to be a main starting point for all of your research and investigations:

Anti-Virus Info

Anti-virus manufacturers with useful info pages include:

Computer Associates
http://www3.ca.com/virusinfo/

McAfee (AVERT & VIL) 
http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/default.asp
http://vil.nai.com/vil/default.asp

Sophos
http://www.sophos.com/virusinfo/

http://www.sophos.com/support/faqs/

Symantec
http://www.symantec.com/avcenter/

Trend Micro
http://www.trendmicro.com/vinfo/

Also on that Anti-Virus Info page are plenty of links to other sites and FAQ's that provide helpful overviews and introductory discussions of viruses and worms.

Once you start reading, you'll notice that I've grouped viruses and worms under one topic, though technically they are two different beasts. The reason I've run these two different types of malicious software together is that in the past few years so many of the "outbreaks" of mal-ware have involved "hybrids," malicious software programs that are both virus and worm. Examples include the well known "viruses" "Melissa," "ILoveYou," and "AnnaKournikova," all of which are also technically "worms" as well. You'll need to give your readers good definitions of both, and explain how these hybrids work.

Macro Viruses

Another thing that you'll discover once you start reading is that there are many different types of viruses (logic bombs, time bombs, boot sector infectors, et al). One particular type of virus is so prevalent and "popular" that it really deserves individual coverage: macro viruses. In the Group Topic breakdown that I handed out you'll notice that I have listed macro viruses as a separate sub-topic. That's because these things are so virulent and so easy to make and spread, that they are easily the most common type of virus around (and have been since the mid-1990's, when they first appeared).

Macros are basically plain text programs that can be written in the ubiquitous Microsoft Office suite of programs (Word, Excel, PowerPoint, etc.) and then embedded in documents, spreadsheets, and presentations. Macros were originally designed to help users automate repetitive, complicated tasks, by allowing them to write "scripts" that would perform almost any kind of task within Word, Excel, or PowerPoint. They can be extremely helpful additions to Office -- easy to create, handy, and very powerful. And therein lies the problem. Virus programmers discovered that macros could be used to create and spread viruses within Office documents, which are often shared among users.

Most of the introductions to viruses and worms listed above will discuss macro viruses, though anyone covering macro viruses ought to look at the links on that Anti-Virus Info page for tips from Microsoft about macro viruses as well. In addition to defining and explaining macro viruses, we also need to describe the several precautions that we can take within Office programs like Word, Excel, or PowerPoint to defend against macro viruses.

Windows Scripting

Another type of malicious software is the VBS Worm. VBS stands for Visual Basic Script, a programming technology from Microsoft that allows users to write plain text programs in order to automate tasks in Windows (much the same way that macros automate jobs in Office). Like macros, VBS scripts are easy to create, handy, and very powerful. And, again, therein lies the problem. VBS scripts can be used to propagate a nasty type of worm known as the VBS Worm.

The VBS Worm has been one of the more popular types of hybrid virus/worms in the past few years. ("AnnaKournikova," "ILoveYou," and "Melissa" were all VBS Worms.) Worms are malicious software programs that spread by themselves (unlike viruses, which require users to run infected executable programs). VBS Worms exploit the power of Windows Scripting (which includes VBS scripting, JS scripting, and several other types of scripting) to interact with and control Microsoft email programs like Outlook and Outlook Express in order to spread. (Remember all those "ILoveYou" email attachments that you got a few years ago?)

All forms of Windows Scripting depend on a package called the Windows Scripting Host (often abbreviated WSH). The WSH is what actually "runs" or executes VBS scripts within Windows. The WSH is installed by default on every version of Windows from Windows 98 onward (Windows 98, 98 SE, Me, 2000, and XP). The WSH will also usually be present on earlier versions of Windows (e.g., Windows 95 and Windows NT 4.0) if Internet Explorer 5.0 or later has been installed. So, the WSH is available as a platform for spreading VBS worms on almost every Windows box in the world. Neat, huh?

By the way, don't confuse VBS scripting -- which is enabled or "hosted" by the WSH within Windows -- with the kind of scripting that you see within web browsers. While these types of scripting are in many respects similar, the WSH enables you to run scripts directly on a Windows system just like any other program that you might run, whereas the scripts you find embedded within web pages (usually JavaScript) are largely confined to (or "sandboxed" within) the web browser itself.

To reduce the risk posed by the Windows Scripting Host, there are several tricks or steps we can take. Briefly, they are:

  • uninstalling or removing the WSH (which can be difficult to do properly)
  • crippling the WSH (by renaming or removing certain files)
  • reconfiguring WSH file extensions and file types so that WSH scripts either don't open at all or open in Notepad (instead of running by default)
  • using a third-party software application like Script Sentry to intercept and inspect WSH scripts when they run

We need to lay out and explain each of these options for our readers. Especially in the wake of the "ILoveYou" and "Melissa" viruses, you'll find plenty of advice out there on the web about how to deal with the WSH. You can find links to many such pages on the Windows Script Info page here:

Windows Script Info

Pay close attention, though, to the advice that these pages offer. Many of the "uninstallation" methods that they lay out don't really uninstall the WSH at all (they merely diddle with the file extensions and types). Still other "uninstallation" methods won't work on any version of Windows other than Windows 98. And when those pages do give instructions for reconfiguring the WSH file types and extensions, they often cover only one or two of the file types and extensions, not all six.
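To make the "all six, not one or two" point concrete, here is an added audit script (my own example, not code from the course page, EBURGER, or the WSH Uninstaller). It reads the text of a Registry Editor export of HKEY_CLASSES_ROOT and reports, for each of the six WSH extensions (.vbs, .vbe, .js, .jse, .wsf, and .wsh), what opening a file would do: run it through WScript/CScript, open it in Notepad, or nothing. The export in the block is constructed to show a half-finished reconfiguration, and it includes one command stored as REG_EXPAND_SZ (the hex(2) form Regedit writes), since that is exactly the entry a naive text search for "WScript.exe" would miss. Function names such as audit_wsh_associations are my own.

```python
"""Audit Windows Script Host file associations from a Registry Editor export.

Added example (not code from the course page, EBURGER or the WSH Uninstaller).
It parses the text of a .reg export of HKEY_CLASSES_ROOT and reports, for each
of the six WSH extensions, whether opening a file would run it through
WScript/CScript, open it in Notepad, or do nothing at all.
"""
import re

WSH_EXTENSIONS = [".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"]

# Constructed export: .vbs/.vbe already point at Notepad, .js/.jse still run,
# .wsf still runs via a REG_EXPAND_SZ (hex(2)) command as Regedit writes it,
# and .wsh has no association at all.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\.vbs]
@="VBSFile"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="%SystemRoot%\\System32\\Notepad.exe \"%1\""

[HKEY_CLASSES_ROOT\.vbe]
@="VBEFile"

[HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command]
@="%SystemRoot%\\System32\\Notepad.exe \"%1\""

[HKEY_CLASSES_ROOT\.js]
@="JSFile"

[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="%SystemRoot%\\System32\\WScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.jse]
@="JSEFile"

[HKEY_CLASSES_ROOT\JSEFile\Shell\Open\Command]
@="%SystemRoot%\\System32\\WScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.wsf]
@="WSFFile"

[HKEY_CLASSES_ROOT\WSFFile\Shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,53,00,63,00,\
  72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,00,31,00,22,00,\
  20,00,25,00,2a,00,00,00
"""


def _decode_value(lines, i):
    """Decode the '@=' line at lines[i], following '\\' continuation lines.
    Returns (value or None, index of the next unread line)."""
    body = lines[i].strip()[2:]
    while body.endswith("\\"):
        i += 1
        body = body[:-1] + lines[i].strip()
    if body.startswith('"') and body.endswith('"'):
        # REG_SZ: .reg escapes backslash and double quote with a backslash
        return re.sub(r'\\(["\\])', r"\1", body[1:-1]), i + 1
    if body.lower().startswith("hex(2):"):
        # REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string
        raw = bytes(int(h, 16) for h in body[7:].split(",") if h)
        return raw.decode("utf-16-le").rstrip("\x00"), i + 1
    return None, i + 1


def parse_reg_defaults(reg_text):
    """Map each key path (lower-cased) to its default '@' value."""
    defaults, current, i = {}, None, 0
    lines = reg_text.splitlines()
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            i += 1
        elif current is not None and line.startswith("@="):
            value, i = _decode_value(lines, i)
            if value is not None:
                defaults[current] = value
        else:
            i += 1
    return defaults


def classify_command(command):
    """Describe what the shell's Open command does with the file."""
    if command is None:
        return "no association"
    if "wscript.exe" in command.lower() or "cscript.exe" in command.lower():
        return "runs via Windows Script Host"
    if "notepad.exe" in command.lower():
        return "opens in Notepad"
    return "other handler: " + command


def audit_wsh_associations(reg_text):
    """Extension -> ProgID -> Shell\\Open\\Command for all six WSH extensions."""
    defaults = parse_reg_defaults(reg_text)
    report = {}
    for ext in WSH_EXTENSIONS:
        progid = defaults.get("hkey_classes_root\\" + ext)
        command = None
        if progid:
            command = defaults.get(
                "hkey_classes_root\\" + progid.lower() + "\\shell\\open\\command")
        report[ext] = classify_command(command)
    return report


def still_runs(report):
    """The extensions that would still execute on a double-click: the ones left to fix."""
    return [ext for ext, status in report.items() if status.startswith("runs")]


if __name__ == "__main__":
    report = audit_wsh_associations(SAMPLE_REG_EXPORT)
    for ext, status in report.items():
        print(f"{ext:5} {status}")
    print("still run by default:", still_runs(report))
```

On a real machine, export HKEY_CLASSES_ROOT from Regedit (File > Export) and pass the file's contents to audit_wsh_associations(). On Windows 2000 and XP, also export HKEY_CURRENT_USER\Software\Classes, because a per-user association there takes precedence over the machine-wide one, so a machine that looks "fixed" in HKEY_CLASSES_ROOT can still run scripts for the logged-on user.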

For links to third-party software programs to deal with the WSH, check out the Windows Script Tools page:

Windows Script Tools

For my money, the best of these programs is Jason Levine's fine program:

Script Sentry

...but I'd look into some of the other programs as well. Again, read the documentation that comes with these programs carefully so that you understand precisely what they do. No two programs operate exactly alike.

A few other programs that can be used to deal with the WSH are written by me and are available on the class web site. First, EBURGER, among other things, can cripple or reconfigure the WSH so as to "de-fang" it. You can get EBURGER here:

EBURGER

Another one of my programs is the WSH Uninstaller, which will, unlike so many of the other programs, really and truly uninstall the WSH (but not on Windows Me, 2000, or XP). You can get the WSH Uninstaller here:

WSH Uninstaller

I'd recommend that you take a look at the "ReadMe's" for both of the above programs. In particular, the "ReadMe" for EBURGER details all the different file extensions and types for WSH (you'll have to scroll down to the particular section that deals with the WSH in that document, and it's a large document). The "ReadMe" for the WSH Uninstaller also gives plenty of detailed, nitty gritty info about the WSH.

Above all, please don't hesitate to ask questions about the WSH and the various strategies for dealing with it. I realize that the WSH can be a bit confusing at first, but I'm more than happy to help you out.

Anti-Virus Software

Of course, at some point we'll also need to discuss anti-virus software. You can find links to many anti-virus software programs on the Anti-Virus Programs page:

Anti-Virus Programs

You probably already have an anti-virus program on your computer, but I'd recommend that you install and take a look at some of the others. You'll find that they usually work similarly and have a common set of functions and options. When we're talking about anti-virus programs and how to use them properly, we'll have to explain such core issues as:

  • manual ("on demand" or "active") scanning vs. automatic, background ("on access" or "passive") scanning
  • signature scanning vs. heuristics
  • file types to scan (vs. a "dumb" scan of all files)
  • scheduling routine hard drive scans
  • obtaining and installing updates (scan engine updates & virus definition updates, automatic updates vs. manual updates)
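To make the first three bullets concrete, here is an added Python sketch of an on-demand scanner (my own example, not any vendor's engine and not code from this page). It scans a constructed, in-memory set of files so it runs offline: signature scanning matches exact byte patterns (the only signature is the EICAR test string, the standard harmless file for checking that an anti-virus program works); the heuristics flag a script that hides behind a double extension or that combines mail-client automation, sending mail, and a reference to its own file; and the all_files switch shows the difference between scanning a list of file types and a "dumb" scan of everything. The file names, their contents, and the SCAN_EXTENSIONS list are assumptions made for the demonstration.

```python
"""Toy on-demand scanner: signature scanning, heuristics, file-type selection.

Added example, not any vendor's engine and not code from the course page. It
scans a constructed in-memory set of files instead of a hard drive so that it
runs offline; the file names and contents are made up for the demonstration.
"""
import re

# Signature scanning: exact byte patterns tied to one known sample. The single
# signature here is the EICAR anti-virus test string, the harmless standard
# file used to check that a scanner is working.
SIGNATURES = {
    "EICAR-Test-File":
        b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

# Heuristics: traits of a script rather than a known sample. A script that
# automates the mail client, sends mail, and refers to its own file is shaped
# like a mass-mailing VBS worm even when no signature exists for it yet.
HEURISTIC_INDICATORS = {
    "automates the mail client": re.compile(rb'createobject\(\s*"outlook\.application"', re.I),
    "sends mail": re.compile(rb"\.send\b", re.I),
    "refers to its own file": re.compile(rb"wscript\.scriptfullname", re.I),
}

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# File types a targeted scan looks at (an assumed list); everything else is
# skipped unless the user asks for a "dumb" scan of all files.
SCAN_EXTENSIONS = SCRIPT_EXTENSIONS | {".exe", ".com", ".dll", ".scr", ".doc", ".xls", ".ppt"}

# Constructed "drive": names and contents invented for the demonstration.
SAMPLE_FILES = {
    "readme.txt": b"Just a text file.",
    "setup.exe": b"MZ\x90\x00 ordinary program bytes",
    "eicar.com": SIGNATURES["EICAR-Test-File"],
    "backup.dat": b"header " + SIGNATURES["EICAR-Test-File"],  # test string behind a data extension
    "LOVE-LETTER-FOR-YOU.TXT.vbs": (                             # the ILoveYou attachment name
        b'Set mailApp = CreateObject("Outlook.Application")\r\n'
        b"' constructed fragment carrying the indicators only; not a working script\r\n"
        b"msg.Send\r\n"
        b"fso.CopyFile WScript.ScriptFullName, target\r\n"
    ),
}


def extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def signature_scan(data):
    """Labels of every known signature found in the file's bytes."""
    return [label for label, pattern in SIGNATURES.items() if pattern in data]


def heuristic_scan(name, data):
    """Findings based on how the file looks and behaves, not on a known sample."""
    findings = []
    if extension(name) in SCRIPT_EXTENSIONS and name.count(".") >= 2:
        findings.append("script hiding behind a double extension")
    traits = [label for label, rx in HEURISTIC_INDICATORS.items() if rx.search(data)]
    if len(traits) >= 2:  # a single trait on its own is ordinary office automation
        findings.append("worm-like script: " + ", ".join(traits))
    return findings


def scan(files, all_files=False, heuristics=True):
    """Return {file name: [findings]} for every file that raised a flag."""
    results = {}
    for name, data in files.items():
        if not all_files and extension(name) not in SCAN_EXTENSIONS:
            continue  # targeted scan: skip file types that cannot carry code
        findings = ["signature match: " + s for s in signature_scan(data)]
        if heuristics:
            findings += heuristic_scan(name, data)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    print("targeted scan:", scan(SAMPLE_FILES))
    print("all files:    ", scan(SAMPLE_FILES, all_files=True))
```

The copy of the test string inside backup.dat is found only by the all-files scan, which is the trade-off behind the file-types-to-scan option. The script, on the other hand, has no signature at all and is caught only by the heuristics: that is what heuristics are for, and also why they raise false alarms that a signature never will.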

Updates for anti-virus programs are especially important, but most users don't download them, rendering their anti-virus programs next to worthless. In addition to discussing scan engine updates vs. virus definition updates, we'll have to discuss automatic updates (performed by the programs themselves) as well as manual updates (done by the users on the Internet). You can find links to update pages for all the major anti-virus programs here:

Anti-Virus Updates

On that page you can not only download and install updates for anti-virus programs manually, but you can usually find info about configuring those programs to perform automatic updates (which usually require an update subscription from the manufacturer).

Also, keep in mind that many of the larger anti-virus programs (I'm thinking of McAfee VirusScan and Norton AntiVirus in particular here, though they're not alone) include "extra" functionality that we should introduce to our readers. "Extra" functionality may include such things as:

  • email scanning
  • web browser scanning
  • file download scanning
  • automatic scanning of removable media (floppies, ZIP disks, JAZ disks, etc.)

Not all anti-virus programs have this kind of functionality, but the big "Cadillacs" of AV programs usually do.

You might also check out some of the Misc Mal-ware Control Programs on this page:

Misc Mal-ware Control Programs

The programs on that page are generally not full, complete anti-virus programs, but rather programs that specialize in doing certain kinds of scans or monitoring your system in certain ways for signs of infection and illicit behavior. You'll also find some odds and ends on that page that may be of interest (including sample viruses and worms that you can use to test anti-virus programs).

Manual Removal of Viruses & Worms

Finally, anti-virus software sometimes fails to do the job completely. After an anti-virus program sounds the alert, users might find that they have to remove viruses and worms themselves manually. We need to warn our readers about this possibility and give them an idea of the typical tasks that are often involved in manually removing viruses and worms. Keep in mind that the particular steps to remove a virus or worm manually will vary from instance to instance, but we can give our readers SOME idea of what they might be in for, as well as where to go to get detailed instructions for removing particular viruses and worms.

I'd recommend that you check out the info and alert pages from the anti-virus manufacturers given above. Read the alerts or bulletins for a good number of viruses and worms. Those alerts and bulletins usually give step-by-step instructions for removal. After looking at a number of alerts and bulletins, you should have a good feel for what might be involved in removing most viruses and worms, even if the details vary from infection to infection.

Trojans & Anti-Trojan Programs

Trojans (short for trojan horses) are programs that appear to do one thing, but actually do something else entirely. Much like the wooden horse given by the ancient Greeks to the Trojans as a "gift" during the Trojan War, computer trojan horses contain nasty surprises. Trojans are very different from viruses and worms, and can do many more different types of things to a user's system, some of them quite devious and even scary. For links to basic info about trojan horses, check the Anti-Trojan Info page:

Anti-Trojan Info

Once you start reading, you'll quickly discover that one particular type of trojan horse has become popular in the past few years: Remote Administration Trojans (RAT's). Remote Administration Trojans allow hackers, crackers, and script kiddies to take control of other computers from a remote location (in other words, remotely administer another computer). Common RAT's include such programs as Sub7, NetBus, and Back Orifice, to name but a few. You can find links to those three common RAT's on this page:

Snooping Utilities

In fact, I'd highly recommend checking out the home pages for those RAT's in order to get a feel for just what those trojans can do. Believe me, you'll be quite surprised.

In addition to explaining just what trojans are, how they spread, and what they can do to a user's system, we need to introduce our readers to a class of programs known as dedicated anti-trojan programs:

Anti-Trojan Programs

Most folks think that if they have an anti-virus program, then they're protected against trojans as well. That's not necessarily the case. While anti-virus programs will pick up the more prevalent trojans, they'll miss many of the numerous variants and repackaged off-shoots. To defend yourself against trojans properly, you need a program that specializes in detecting trojans -- a dedicated anti-trojan program, in other words.

You'll find that most of the anti-trojan programs on that Anti-Trojan Programs page look and operate in ways similar to a standard anti-virus program, so many of the issues that I discussed above with respect to anti-virus programs will also apply to anti-trojan programs. Some of the anti-trojan programs, though, have "exotic" functionality, Trojan Defence Suite-3 (TDS-3) in particular.

Once you become familiar with Remote Administration Trojans and anti-trojan software, you might be interested in a series of trojan detection tests that I recently ran with a group of anti-virus and anti-trojan programs:

Informal Trojan Detection Test

Feel free to ask questions about anything you see on that Informal Trojan Detection Test page.

As with viruses and worms, we also need to give our readers a feel for what might be involved in manually removing a trojan horse and where to get info about removing particular trojan horses. All the advice I gave above regarding how to approach this task with respect to manual removal of viruses and worms also applies here. I recommend checking out not only the info and alert pages from major anti-virus and anti-trojan makers, but also many of the links on the Anti-Trojan Info page listed above. Those pages often contain detailed instructions for removing particular trojan horses. Again, the idea here isn't to be comprehensive, but simply to give our readers a feel for what tasks might be required should they ever need to rip a trojan horse out of their systems by the roots.

One final topic that we ought to address with respect to trojans is the value of installing a personal firewall such as ZoneAlarm or Norton Internet Security (to name but two of many fine personal firewalls out on the market) that provides both outbound and inbound protection. Another group is covering personal firewalls in some depth, but we need to mention the important role that personal firewalls can play in stopping Remote Administration Trojans from setting up on a user's system and then giving a cracker full access to and control over that system. We don't need to provide a complete introduction to personal firewalls, but we can explain briefly how personal firewalls with outbound and inbound protection can monitor ports on a networked computer and stop RAT's from communicating with crackers out there on the Net (alerting the user to their presence in the process).
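As an added illustration of that outbound-and-inbound idea (my own example, not ZoneAlarm's or Norton's logic and not code from this page), the Python below models the two rules a personal firewall applies: a program must be on the user's allow list before it may connect out, and nothing may accept inbound connections unless it is explicitly allowed. It runs over a constructed snapshot of socket events; the program names and hosts are made up, and the default ports of Sub7, NetBus, and Back Orifice are used only to make the alert text more informative, since an attacker can change them at will.

```python
"""Model of a personal firewall's inbound and outbound rules.

Added example; not the logic of any real personal firewall. It evaluates a
constructed snapshot of socket events on a home PC: outbound attempts are
allowed only for programs the user approved, inbound listeners only for
programs on an inbound list (empty here, the sensible default for a home PC).
"""
from dataclasses import dataclass

OUTBOUND_ALLOWED = {"iexplore.exe", "outlook.exe"}   # user-approved programs
INBOUND_ALLOWED = set()                               # nothing serves on a home PC
# Well-known default ports of the three RATs named in the text. An attacker
# can pick any port, so this only decorates the alert; the program lists are
# the real control.
RAT_DEFAULT_PORTS = {("tcp", 27374): "Sub7", ("tcp", 12345): "NetBus",
                     ("udp", 31337): "Back Orifice"}


@dataclass(frozen=True)
class SocketEvent:
    program: str        # image name the OS reports for the socket's owner
    direction: str      # "listen" (inbound) or "connect" (outbound)
    proto: str          # "tcp" or "udp"
    port: int           # local port for listen, remote port for connect
    remote: str = ""    # remote host for outbound attempts


# Constructed events: normal browsing and mail, an unknown program that both
# listens on Sub7's default port and dials out to an IRC server, and a second
# unknown listener on Back Orifice's default UDP port.
SAMPLE_EVENTS = [
    SocketEvent("iexplore.exe", "connect", "tcp", 80, "www.example.com"),
    SocketEvent("outlook.exe", "connect", "tcp", 110, "mail.example.net"),
    SocketEvent("msrundll.exe", "listen", "tcp", 27374),
    SocketEvent("msrundll.exe", "connect", "tcp", 6667, "irc.example.org"),
    SocketEvent("winupd.exe", "listen", "udp", 31337),
]


def evaluate(event):
    """Return (verdict, reason) where verdict is 'allow' or 'block'."""
    hint = RAT_DEFAULT_PORTS.get((event.proto, event.port))
    note = f" (default port of {hint})" if hint else ""
    if event.direction == "connect":
        if event.program in OUTBOUND_ALLOWED:
            return "allow", f"{event.program} is approved for outbound access"
        return "block", (f"{event.program} tried to reach "
                         f"{event.remote}:{event.port}/{event.proto}{note}")
    if event.program in INBOUND_ALLOWED:
        return "allow", f"{event.program} is approved to accept connections"
    return "block", f"{event.program} is listening on {event.proto}/{event.port}{note}"


def alerts(events):
    """The blocked events: the ones the firewall would pop up about."""
    return [(e, evaluate(e)[1]) for e in events if evaluate(e)[0] == "block"]


def suspect_programs(events):
    """Programs blocked both listening and dialling out: the classic RAT
    shape of a listener for the cracker plus a connection back out to the Net."""
    listeners = {e.program for e, _ in alerts(events) if e.direction == "listen"}
    dialers = {e.program for e, _ in alerts(events) if e.direction == "connect"}
    return sorted(listeners & dialers)


if __name__ == "__main__":
    for event, reason in alerts(SAMPLE_EVENTS):
        print("BLOCK:", reason)
    print("programs to investigate:", suspect_programs(SAMPLE_EVENTS))
```

The useful output is not the port number but the program name: a firewall that prompts per program tells the user that something called msrundll.exe wants to listen and to talk to the Net, which is the moment to reach for the anti-trojan scanner.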

Safe PC Practices

I've put this topic last, though it really ought to come first. None of the anti-virus and anti-trojan programs above will provide decent protection against malicious software if the users running PC's are careless, ignorant, and stupid in opening every email attachment that lands in their inbox, downloading and running any and every file they encounter on the web, and promiscuously sharing floppies and ZIP disks with other users. "Dumb users trump good software every day of the week."

In your reading around on all of the issues detailed above, you should encounter plenty of good advice about how to behave smartly with a PC in order to prevent that PC from becoming infected or compromised by malicious software. Most of the advice will address one of these three major threats:

  • email attachments
  • downloadable files on the Internet
  • removable media (floppies, ZIP disks, JAZ disks, etc.)

We need to provide our readers sound advice about each of these major routes of infection and compromise. And the basic question we need to answer is: "How do I keep all of this nasty stuff off of my computer to begin with?"

It's a simple, important question to which we need to give solid answers. We also need to hammer home the fundamental limitations of anti-virus and anti-trojan software (by nature, such programs are always reactive, a step behind).

Of all the topics that your group covers in its report, this one is arguably the most important.

This Page Last Updated: Mar. 26, 2002


Advice, Organization, & Compilation 
2000, 2001, 2002 Eric L. Howes