“SPYWARE” & “VIRUSES” EXPLAINED
SPYWARE, Adware, Malware, Page Hijackers, Viruses. These terms appear to be used interchangeably. This is so confusing. Can you make it clearer?
This area has become so complex that it’s no longer possible to make it “simple”. Generally, these bad things fall into two large categories: “viruses” (your computer gets sick, doesn’t act as it should, and has to be cured) and “intrusions” (unauthorized persons are rooting around inside your computer or keeping track of where you go on the Internet for their own personal gain). What follows is a pretty comprehensive primer of the ways your computer can become compromised or infected and what you can do about it. Still, don’t let it scare you. With a healthy dose of vigilance and skepticism, you should be able to avoid most of these pitfalls:
II. MALICIOUS CODE
IV. INTRUSIONS AND EXPLOITS
V. CROSS-PLATFORM SPYWARE
VIII. AND THAT’S JUST THE SOFTWARE...
IX. HOW DO YOU KNOW IF YOU HAVE A VIRUS OR SPYWARE?
X. WHAT TO DO
XI. HOW CAN I FURTHER PROTECT MYSELF?
A VIRUS is what it sounds like. Your computer gets sick and needs to be cured. Even though it might have had a flu shot (“antivirus software”), it can still get sick; it’s just not nearly as likely. And, just like people, if your computer gets sick, it can quickly infect others connected to it. There are many types of viruses.
“Virus” is often used as a generic term to designate any malicious code (instructions in a program) that can harm your computer. The term was coined by Fred Cohen, an early virus researcher. A true computer virus must meet two criteria: first, it must execute itself; second, it must replicate itself. There are five generally recognized categories of viruses: file infector viruses (which infect program and other executable files); boot sector viruses (which infect the start-up process of the computer); master boot record viruses (which infect and rename the master boot sector and replace it with malicious code); multi-partite (a/k/a polypartite) viruses (which infect both boot records and program files) and macro viruses (which primarily infect data files).
Viruses have their own individual “signatures,” a string of bits in a binary pattern, much like a fingerprint, that identifies them. It’s these signatures that your antivirus program downloads to your computer on virtually a daily basis and then uses to identify and remove viruses. Unfortunately, some viruses are polymorphic, which means that they can change their binary signature each time they replicate and infect a new file in order not to be detected, making them even more difficult to uncover.
When you hear that a virus is a zero day exploit, it means that the virus, malware or intrusion takes advantage of a security vulnerability in an operating system or program on the same day that the vulnerability becomes known. This is to be distinguished from those exploits that become known through software developers or users, so that the vulnerability can be patched before the exploit is actually used.
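To make the “signature” idea concrete, here is a small added example (not code from this page or from any antivirus vendor) of how a signature scanner works and why a polymorphic sample slips past it. The signature database, the sample “files” and the one-byte XOR used to stand in for a variant rewriting its body are all constructed for the illustration; the patterns are not signatures of any real virus.

```python
import hashlib
from typing import Dict, List

# Constructed signature database: name -> byte pattern the scanner looks for.
# These patterns are made up for this example and match no real virus.
SIGNATURES: Dict[str, bytes] = {
    "Example.Dropper.A": b"\x4d\x5a\x90\x00DROPPER-STUB",
    "Example.Macro.B": b"Sub AutoOpen()",
}

# Constructed "files" to scan (plain bytes, not real programs or documents).
SAMPLE_FILES: Dict[str, bytes] = {
    "report.doc": b"Normal document text\nSub AutoOpen()\nMsgBox \"hi\"\n",
    "setup.exe": b"\x4d\x5a\x90\x00DROPPER-STUB\x00\x00some code",
    "notes.txt": b"nothing suspicious here",
}


def fingerprint(data: bytes) -> str:
    """Whole-file SHA-256: the crudest signature, and it changes on any single-byte edit."""
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes) -> List[str]:
    """Return the names of every signature whose byte pattern occurs somewhere in data."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan each file and report which signatures matched, as a daily AV sweep would."""
    return {name: scan(data) for name, data in files.items()}


def rewrite_body(data: bytes, key: int) -> bytes:
    """Stand-in for a polymorphic variant re-encoding its body (here a one-byte XOR).
    What the code does is unchanged; the static byte pattern the scanner knows is gone."""
    return bytes(b ^ key for b in data)


def signature_survives_rewrite(name: str, key: int = 0x5A) -> bool:
    """Does the stored pattern still match once the body has been rewritten?
    Returns False: this is why signature files need constant updates and why
    scanners add heuristics and behaviour checks on top of pattern matching."""
    return name in scan(rewrite_body(SIGNATURES[name] + b"padding", key))


if __name__ == "__main__":
    for filename, hits in scan_files(SAMPLE_FILES).items():
        print(f"{filename}: {hits or 'clean'}")
    print("pattern survives rewrite:", signature_survives_rewrite("Example.Dropper.A"))
```

Run as a script it lists the two matching files and reports that the same pattern is no longer found after the body is re-encoded; the whole-file hash changes too, which is why a hash-only blocklist is even weaker than a pattern database.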
The most common types of viruses are:
1. TROJAN HORSE Strictly speaking, a trojan horse is NOT a virus because it does not replicate like ordinary viruses do. A trojan horse is an unfriendly program which appears to be something other than what it is, for example software that is disguised as a legitimate program while it is actually installing malicious software onto the computer. The name is derived, of course, from the huge wooden horse described in the Odyssey which was left outside the gates of Troy, which appeared to be a gift but actually had soldiers hidden inside, and which won the Trojan War for the Greeks when the “gift” was moved inside the city gates and the soldiers inside were stealthily deployed. Similarly, software Trojans provide an entry point for their author to transfer files in and out of your system to attack it from inside and are usually part of a larger botnet (see below). There are many types of Trojans [e.g. Spy (includes spy programs and keystroke loggers), PSW (designed to steal passwords), Proxy (provides remote anonymous access to the internet from infected machines), Dropper (used to install other malware), Downloader (downloads and installs new malware or adware), backdoor (allows other computer users to gain access to your computer over the Internet), stalking horses (Trojans or spyware bundled into popular programs and presented as desirable additions to the mail software), Double Extension (uses a second extension to hide the fact that the first is an executable file) and remote access trojans (“RATs”) (which can send shutdown or restart instructions) to name a few]. Famous viruses include the 1999 Melissa virus (a macro virus, see Glossary) which was the first virus to mass infect e-mails. While most people associate viruses with PCs because, having the greater share of the market, they get attacked more often, the first virus outside of a lab was actually an infection on the Apple IIe, the Elk Cloner virus (1982).
By 1988, Macs became infected with the MacMag and Scores viruses. [See the Mac and Apple Malware pages of this site for more.] The first PC virus was said to be the Brain boot sector virus (1986), which was spread via reboot through a floppy disk.
2. WORMS (malicious software that replicates (reproduces) itself throughout your computer without any user intervention). There are also many types of worms [e.g. IM-Worm (internet messaging), IRC (internet relay chat), Net (network, e-mail), P2P (peer-to-peer) to name a few]. Unlike a virus, a worm does not need to attach itself to an existing program to do its damage, but rather to a file, such as a Word or Excel document. Worms can travel between files on a computer, as well as between networked computers, if the file is shared. Famous worm: The I Love You worm; see Glossary.
[The name Worm comes from “The Shockwave Rider”, a science fiction novel published in 1975 by John Brunner, in which the hero used computer cracking skills to escape pursuit in a dystopian (anti-utopian) future, thereby coining the term “worm” to describe a program that propagates itself through a computer network. In the book, an omnipotent “tapeworm” program runs loose through a network of computers. Brunner writes (p. 247): “No, Mr. Sullivan, we can’t stop it! There’s never been a worm with that tough a head or that long a tail! It’s building itself, don’t you understand? Already it’s passed a billion bits and it’s still growing. It’s the exact inverse of a phage - - whatever it takes in, it adds to itself instead of wiping...Yes, sir! I’m quite aware that a worm of that type is theoretically impossible! But the fact stands, he’s done it, and now it’s so goddamn comprehensive that it can’t be killed. Not short of demolishing the net!”]
The very first worm on the Internet was the “Morris Worm,” created by Robert Tappan Morris, a 23 year old Cornell graduate student, who unleashed the worm on November 22, 1988 (out of boredom, he claimed; others say he did it to impress a prostitute, who knows??), creating the realization that, in a truly global system, interconnectivity can be both a strength and a weakness. (Yes, he was found and convicted under the Computer Fraud & Abuse Act, and sentenced to a $10,050 fine, 3 years probation and 400 hours of community service.) See Hackers.
The most famous early worm was the “I Love You” worm, so named because it was transmitted through attachments (“A Love Letter for You - Click to Open”) which, when opened, sent a copy of itself to every contact in the user’s Windows Address Book with the “I Love You” subject line and also made malicious changes to the user’s operating system. It started on May 4, 2000 and, in a matter of hours, infected millions of computers, eventually infecting tens of millions of computers before it was eradicated.
Worms cause damage to the network if only by consuming bandwidth and slowing down your machine, whereas viruses corrupt or modify files necessary on your computer. Both Trojans and Worms are extremely dangerous, of course, and should be removed immediately. And some viruses (see Stuxnet and Duqu for example) can cause damage to computers and other physical machines, not just software issues.
Ever wonder how viruses get their names? While there is some general consistency to naming conventions (e.g. a virus can be named .A, .B, .C for subsequent variants), the original name is often obscure and may have little to do with the virus itself (e.g. the Code Red worm was named after the favorite drink of the researchers who discovered it) and, in fact, may have several names depending on the antivirus software you use (e.g. one software might name a virus GAME-544 while another software might name the same virus VGEN-B). The only real thing to remember is that while a virus may have a descriptive name, such as GAME-544, it doesn’t necessarily mean that its damage is limited to games; it may just have been discovered by a gamer, but it can still infect other types of data files. There are no “good” viruses.
In addition to viruses, your computer can be infected by other malicious software (a/k/a malware), some of which are “intrusions,” i.e. software that you did not ask for, but automatically installs itself on your computer, usually invisibly intruding on your internet connection, often reporting your activities back to a vendor:
SPAM is just computer junk mail. SPIM is instant message junk mail. You didn’t ask for it, don’t want it. You can either filter it out, so it goes into your recycle bin, or try to block it (“black list” it) before it even gets to your computer. Usually, though, you don’t want to click on it or attempt to unsubscribe, since that just lets the sender know that they’ve reached a valid e-mail address.
ADWARE is a form of spyware that collects information about the computer user’s web browsing habits that it then uses in order to display advertisements based on the information that it has collected from the user. The primary difference between Adware and Spyware is that the user has usually somehow consented to the installation of adware as a condition to installing a host application, usually at no charge.
FOISTWARE: Refers to software downloaded to a computer without the owner’s knowledge, which puts hidden components on a system and attempts to bait the unsuspecting into purchasing another software remedy.
SPYWARE is software that is installed surreptitiously on a computer and secretly gathers information about that computer user’s web surfing habits. You may not have consented to the unauthorized installation of this software, and are probably not aware of its existence. However, you may have consented to the installation of the spyware by clicking on a deceptive pop-up window or failing to uncheck it in a legitimate software installation package, or even opening a maladvertisement (a legitimate or illegitimate advertisement with embedded malware). Or you may have used a “contact scraping” tool, one which uploads your entire address book to marketers, by simply joining a social networking site like Facebook, ShareThis, LinkedIn or Plaxo and opting to build your initial “friends” list by importing your contacts from Outlook or your Web Mail. Even more deliberate attacks can be found in XSS or CSRF (so-called “Session Riding”) exploits (see Glossary and Section IV below for more). No longer satisfied by directing users to web sites specifically created to disseminate viruses and spyware, purveyors are now simply infecting legitimate sites to spread their damage.
POP-UPS are advertisements, and TOOLBARS are browser toolbars; both can be installed legitimately (e.g. Google toolbar) or surreptitiously (e.g. Hotbar).
COOKIES are generally very small files stored on your computer that are used to identify you to those web sites you have previously visited. Cookies aren’t inherently harmful, and usually only store an IP address and date and time of the last site visit, not any personal information about you. But there are a few cookies that can be malicious, and even a tremendous number of accumulated cookies can slow down your machine; they should be removed periodically. For a detailed discussion about Cookies, see this LINK.
DRIVE-BY DOWNLOADS are malware programs, typically spyware that reports information back to a vendor, that are automatically installed on your computer by merely visiting a web site, without having to explicitly click on a link. Also, these sites appear alongside valid search results in a browser results page and are clicked on in the assumption that, because they are there, they must be valid. (Obviously don’t assume that browser operators are looking out for you.)
HIJACKERS are spyware that steal your internet home page and substitute their own. They modify your default browser home page, search settings, error page settings or desktop wallpaper all without your notice, disclosure or your consent. When your home page is hijacked, the browser opens to the web page set by the web page hijacker instead of your designated home page. Your home page is re-directed to another home page, usually an advertising page, and the hijacker usually transmits your browsing data (keystrokes) to unknown servers (using KEYSTROKE LOGGERS). You may even be blocked from changing your home page back to the one you wanted. A more recent form of hijacking known as clickjacking makes it possible for hackers to embed code in a Web site, forum or blog (including social networking sites like Facebook), usually with a provocative subject line (“you’ve gotta see this photo of me...”) that will allow them to take over a user’s browser and make it click any link, even without the knowledge of the browser user. Many of those links promising a look at outrageous videos or photos scam users into clicking on a provocative link, but hidden code within the page posts a copy of the tainted link to the profiles of all the user’s friends. There are also other forms of hijacking: Sidejacking, the act of hijacking an engaged web session and using the valid user’s credentials to connect to another computer. Sheepjacking, the use of a program called Firesheep to hijack someone’s unencrypted WiFi sessions with a single click. Pagejacking, which is where the malicious user actually copies the pages of a real website, but creates a rogue copy, so that when a user clicks on the link, he is directed to the malicious, not the correct website. (This is distinguishable from clickjacking, above, which is the technique of tricking Web users into revealing confidential information by getting them to click on innocuous web pages that are not real). 
If you’re a social networking user, you’re next on the hit list. Beware of Likejacking, where users who click on the Facebook “Like” button or a photo will unwittingly be redirected to spam or malware. Finally, there’s Juicejacking, the use of various mobile phone charging kiosks and services to be found in hotels, shopping centers and airports, where you can plug in to a charger, but which may also be used to steal the data from your mobile device. We’re probably far from done yet. These hackers are very clever. Promoting these hijackers are what are known as “partnyo’rka” operators (the word translates from Russian roughly as “partner networks,” kind of like those American multi-level marketing schemes): affiliate marketing schemes set up to encourage low-level criminals to spread the word about fake luxury goods, Canadian pharmacies, Viagra, Rolexes and the like. The partnyo’rka operators pay commissions to their workers for each sale, and the workers push the schemes through e-mails, chats, blogs and social media.
SPYBOTS are another type of more sophisticated spyware that are actually programs that embed themselves in your computer’s operating system. You may not even be aware that you have them. Spybots can create a BOTNET, or roBOT NETwork (usually controlling ZOMBIE computers (see below)) which are a collection of tens or even hundreds of thousands of computers that have been commandeered without their owners’ knowledge, infected with malware that allows malicious or criminal users remote access to and control of that computer. With that remote access, the malicious user (sometimes known as a “botherder”) can control and harness the power of all such Bots into a powerful network used for criminal activity, such as sending spam remotely, installing more malware without consent and other illicit purposes. See bots for more and FAQ, Why Do Hackers and Spys Do It?
CREEPWARE like (the now defunct) Blackshades is surreptitiously installed software that the user is completely unaware of, to the extent of disabling any indicators which would show that a user’s webcam or microphone is being used to spy on them, like the software used to spy on Miss Teen USA Cassidy Wolf.
ZOMBIES: A computer which is attached to the Internet that has been compromised by a hacker or a virus, which is then usually connected to a botnet (see above) and then used to send e-mail spam, phishing or other malicious tasks. The name comes from the fact that these computers are, metaphorically, unconsciously controlled by someone else.
ROOTKITS are one of the more serious malware intrusions in effect today. Rootkits are a technique that allows malware to hide from computer users and operating systems, by creating stealth programs that run at a “lower” directory level, i.e. the “root” directory of the computer, usually accessible only to the administrator and loaded before the operating system starts and runs the rootkit. As a result, ordinary spyware detection utilities and even some utilities that purport to detect rootkits can’t scan at this level. In short, software that you can’t detect is allowing an attacker to take control of your machine without your knowledge. [UEFI, which is starting to replace BIOS on computer motherboards, will enable (in secure mode) rootkit scans before the machine completely boots, reducing rootkit risk. See definitions in the Glossary.]
MALWARE (malicious software) represents a category of programs or files that are designed to specifically damage or disrupt a computer system, including viruses, worms, Trojan Horses and some particularly dangerous spyware. [There’s even a “Malware Museum” online, which offers a glimpse of famous (defanged) malware for historical purposes for those who are interested in historical progress.]
SCAREWARE OR ROGUE SECURITY SOFTWARE: This has been one of the most insidious threats for the past two years. When you get pop-ups claiming that your computer is infected with 1,664 viruses and that you must click on a button to download a program to remove them immediately, this is rogue security software. Their names sound like legitimate antivirus removal programs (e.g. “Antivirus Pro 2010”) and they often have screens and icons that look exactly like Microsoft Windows, further confusing users. The pop-up is, of course, the virus; purchasing the software does absolutely nothing to remove the virus. And, in some cases, enabling the scan can actually be granting permission for malware to operate on your machine, making a bad situation worse. Same for the 2013 FBI Ransomware Virus, all six varieties, including the one which uses your webcam to take a photo of you at the keyboard, claiming that the FBI is watching you and shutting down the computer unless you pay a fine.
RANSOMWARE (a/k/a extortionware or cryptomalware) is malware that tries to extort payment in exchange for returning control of your computer or its files to you. It installs itself on your computer, then changes your system registry so that you cannot run programs such as Internet Explorer, Rundll32, Task Manager, iTunes and the like. In order to remove the infection, you are prompted to send money to an e-mail address where they will send you an activation key to remove the malware. It usually doesn’t. See the Security page of this site for examples. Most current of these is the FBI or ICE ransomware that claims that you have violated the law, and locks up your computer unless you pay a fine through MoneyPak.
SPOOFING: Generally, any attempt to gain access to a computer by posing (impersonating, masquerading, mimicking) as an authorized user. Used by spammers, phishers and the like by creating a false e-mail identity, for example, to trick you into answering. Often, a user’s entire e-mail address book is “spoofed” by malware, which then sends malware laden e-mails to each entry in the address book, usually without the knowledge of the address book’s owner. So-called “HTTP spoofing” is pretending to be a logged-on user (to a business site, porn site, or whatever) by hacking the browser headers. And ARP spoofing is commonly used by hackers to gain access to networks. Spoofing is quite prevalent, and there are many variations on the theme, among them blind and non-blind, man-in-the-middle attacks and denial of service attacks, discussed elsewhere on this page.
CRYPTOVIROLOGY: This is a new form of attack which really causes problems for businesses. A computer virus attacks a system, then immediately begins encrypting all of the user’s documents or other files with an asymmetric key. When completed, a message may be displayed requiring the user to pay a ransom for a decryption key in order to get the files back. Even if you pay, there is no guarantee that you will ever see your files again.
WEB BUGS: Sometimes you can have ordinary software that can, through misuse or abuse, turn into malicious spyware. Web “bugs” are small bits of code embedded in virtually all commercial web sites, code that is intended by the developer to add functionality or share information. This type of code is used by everything from Google Analytics to ad networks, popular blogging platforms to social networks and affiliate shopping programs. When a web bug is on a site, it communicates back to its parent site to carry out its functionality. So, when you open the site, it also sends information to its analytic providers, its ad network and any other sites it may be partnering with. And that data can be tracked across every site that uses the bug, even if you block cookies and do everything else possible to protect your privacy. Note that web bugs aren’t usually mentioned in privacy policies. This loophole doesn’t cover “sharing” information because the information is being sent “directly” to others. But, because it can be used to track your movements and activities across the web, there is always the possibility of abuse and misuse. Can you do anything about this? Aside from using an anonymous browser, which can be slow and difficult, nothing. Perhaps the privacy tools on the newer browsers will have an effect, it’s too soon to tell just yet. Just be aware of it. For more information see this LINK.
BLENDED MALWARE takes the stand-alone spyware to a new level - you can have a pop-up that turns into key-logger spyware and then transmits itself through bots to other programs and computers.
UNPATCHED PLUG-INS: Because most users have installed antivirus and anti-malware protection, it’s not as easy for intruders to simply send an inviting e-mail with an attachment, or rely on a threatening pop-up. The new trend is much more malicious and also more difficult to spot: All you have to do is surf onto a web page that contains a plug-in that hasn’t yet been patched. For example, if you go to a URL that runs a JavaScript, Flash, Adobe Reader, Real Time, QuickTime, Internet Explorer, Mozilla or other script, the malicious software automatically loads itself on to your computer, and may very well propagate from there. Because these programs run “scripts” (which are, in actuality, small programs), you need nothing more than to click on a website to start the process. If prompted, always run the update or patch to these programs; they’re usually trying to protect you. To further protect yourself, you can always disable scripts in your browser, but you won’t see much of the content available on that site.
Blackhat SEO Poisoning: Scammers develop algorithms to manipulate Google and Bing search engine results, leading to “poisoned” search results about many popular topics, including front page results leading to exploits, malware and phishing sites.
Waterhole Attacks: Hackers poison a website frequented by a user (the “waterhole”) by modifying the code on the site or one of its elements so that it serves malware. These types of attacks generally target enterprises and are tailored to the individual victim’s habits. The user might click on a favorite applet (like a hit counter) or link (time or weather) and find that they were redirected to malware or intrusion without their knowledge.
Phishers are trying to filch login information so that they can infiltrate accounts, then impersonate you in order to scam others out of money and gather personal information about you and your friends to scam still others, and on and on. It’s much more dangerous than spam, because it’s not just a nuisance, it can lead to security breaches. And, generally, these types of hackers have more knowledge about you. Years ago, these types of attacks were considered to apply to relatively few “whale” targets which might offer a large payoff. However, with the explosion of bi-directional social networking sites such as Facebook and MySpace, phishing has become the ideal vehicle for spreading links to malicious, malware-infested hosts and creating data leaks of sensitive personal and corporate information. [See, Social Networking/Privacy] Because of this changing online sociology, the information harvested from social networks is invaluable in creating effective, convincing spear phishing e-mail messages. Now that most individuals and organizations have Web 1.0 security strategies in place, and are blocking sites categorizing their reliability, the bad guys are moving on to dynamic, unmoderated Web 2.0 type sites filled with user-contributed content. Larger organizations may be able to afford web filtering appliances, but individuals and smaller operations can only rely on vigilance and user education to monitor the newer attacks.
PHISHING: While not strictly malware, this involves the impersonation of a trusted web site, usually a financial institution, in order to extract passwords or other sensitive information from the victim, which is then used for malicious or criminal purposes. The impersonation links to a site that appears to look genuine, but is actually false. [Check sites that request financial or personal information by looking for misspellings, trying to independently log on to their web domains, or typing in incorrect passwords - if the site accepts you anyway, it’s probably bogus.]
PHARMING: The establishing of false web sites for the purpose of stealing personal information. A scam by which fraudsters try to lure people to, say, a counterfeit replica of their bank’s web site, to get them to part with their user names and passwords.
SPEAR-PHISHING: A variant of phishing that targets government agencies and defense contractors and is directed at specific individuals. Spear-phishers gather information about people’s jobs and social networks, often from publicly available information and data stolen from other infected computers, and then trick them into opening an e-mail. This type of cyber espionage tactic is called by security experts a “net reconnaissance”, and has appeared as fake e-mail messages to CEOs and PayPal users, in an effort to get them to click on a link to an infected URL or give up private information. Once an e-mail is opened, allowing the phishers inside the network, one of the newer malicious codes such as “Poison Ivy” can take over. Poison Ivy is so sophisticated that it can render traditional defenses such as firewalls and antivirus software virtually useless. (Business Week, 4/21/08, pp. 33-41) And, in 2016, ZeroFOX released SNAP_R (“social network automated phisher with reconnaissance”) which automatically drafts a tweet with a link to malware, based upon the recipient’s likes in their Twitter account.
VISHING: A combination of “voice” and phishing. “Vishers” make use of Voice Over IP and IVR to gain access to private personal and financial information from the public to fleece them. Vishing victims usually are unaware that VoIP allows for inexpensive caller ID spoofing and anonymity to create fake call centers, which are then used to steal credit card numbers or other information used in identity theft schemes from individuals. Vishers often pretend to be a credit card company in an effort to gain access to credit card and other security information from users.
WHALING: The conscious directing of on-line malware toward the rich and powerful, who often purchase luxury goods. For example, thousands of high-ranking executives across the country have been receiving e-mail messages purporting to be official subpoenas from the U.S. District Court in San Diego, CA. But a recipient who tries to view the document unwittingly downloads and installs software that secretly records keystrokes and sends the data to a remote computer, letting the criminals capture passwords and other personal or corporate information. (Reported: NYTimes, 4/16/08)
BLOW PHISHING: A phishing scheme that employs cryptography. Data sent from the victim is sent back to the phisher in encrypted form so as not to be detected by network monitoring tools.
ROCK PHISHING: Strikes naive (“clueless as a rock”) targets.
HISHING: Phishing through hardware and embedded systems. This scheme involves information-gathering malware preinstalled on computing devices, such as smartphones or PDAs, offered for sale, perhaps through eBay.
SISHING: Search Engine phishing. This involves phish delivered through advertising using search engine results on specific key words.
SMiShing: A portmanteau of “SMS” and “Phishing”. An attack through SMS via mobile devices: messages warning of charges being levied against the user’s account (ringtones, services), accompanied by a request for private information.
INTRUSIONS AND EXPLOITS
An Intrusion is an invasion of a computer whereby an outside user takes control of the computer by hacking in to that computer’s system; an exploit is a program that takes advantage of vulnerabilities in widely-used software (Windows Server, Linux, Adobe Flash, etc.) by breaking in and inserting a destructive payload onto the computer. Sometimes it takes days, weeks, even months to discover these exploits. But the most successful ones are known as zero day exploits, those that remain unknown until the first time they’re actually put to use (no matter how long they’ve been waiting in the computer to be activated).
EVIL TWIN EXPLOIT: Again, while not strictly malware, this type of security breach enables an attacker to access a computer connected to a wireless network. An attacker creates a homemade wireless access point that masquerades as a legitimate hot spot to gather personal or corporate information without the end user’s knowledge. [Historically, evil twins have also been called base station clones or honeypots].
VEILED WEB EXPLOITS: An increasing area of concern (almost doubling in 2009 alone), the amount of “suspicious, obfuscated or concealed content” in websites, particularly through PDF files, has become a major problem, as hackers devise new malicious domains and untrusted websites with the express intent of gaining access to personal information and manipulating data. There are truly some ingenious techniques out there: In mid-2010, Olympus Japan revealed that its Stylus 6010 digital cameras had been sold with a virus on the internal memory card, which seriously infected customers’ computers when the camera was connected to download photos.
MAN IN THE MIDDLE (A/K/A FIRE BRIGADE) ATTACKS: Named after the ball game where two people try to throw a ball directly to each other while another person in between them tries to intercept it. In this case the attacker intercepts legitimate messages in a public key exchange and then retransmits them, substituting its own public key for the requested one, so that the two original parties still appear to be communicating with each other, while in reality both are communicating with the attacker, who has intercepted the message and may insert malware in the message before passing it on. Also called “fire brigade” attacks because of the resemblance to the old fashioned “bucket brigades” used in putting out fires by handing buckets of water down a line between the water and the fire. A variation of the MIM attack is the MITM (“Man in the Mailbox”) attack where mail is redirected to a purposely misspelled domain name (see typosquatting) in the hopes that the sender won’t realize the error and will inadvertently part with personal information that can be used for hacking.
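The public key substitution described above can be shown end to end with a toy key exchange. The following is an added example written for this page (it is not code from the page’s author): two parties derive a shared key, an attacker on the channel replaces each public key with its own so that both parties unknowingly share a key with the attacker instead of each other, and then the same exchange is repeated with one party checking the arriving key against a fingerprint it pinned in advance, which is what turns the substitution into a detected failure. The Diffie-Hellman group (2**127 - 1 with generator 2) and all private values are constructed for illustration only; real software uses a vetted group and a vetted library.

```python
import hashlib
from typing import Dict, Optional

# Toy Diffie-Hellman group, for illustration only (assumed, not a production group).
P = 2**127 - 1
G = 2

# Constructed, fixed private values so the run is reproducible.
ALICE_SECRET = 0x1A2B3C4D5E6F7081
BOB_SECRET = 0x0F1E2D3C4B5A6978
ATTACKER_SECRET = 0x7777777777777777


def public_key(secret: int) -> int:
    return pow(G, secret, P)


def shared_secret(their_public: int, my_secret: int) -> int:
    return pow(their_public, my_secret, P)


def fingerprint(public: int) -> str:
    """Short hash of a public key: the kind of value a user pins out of band."""
    return hashlib.sha256(public.to_bytes(16, "big")).hexdigest()[:16]


class Party:
    def __init__(self, name: str, secret: int, pinned_peer: Optional[str] = None):
        self.name = name
        self.secret = secret
        self.public = public_key(secret)
        self.pinned_peer = pinned_peer  # expected fingerprint of the peer's key, if known
        self.key: Optional[int] = None

    def accept_peer_key(self, peer_public: int) -> None:
        # The check that defeats substitution: compare what arrived with what was pinned.
        if self.pinned_peer is not None and fingerprint(peer_public) != self.pinned_peer:
            raise ValueError(f"{self.name}: peer key fingerprint mismatch, aborting")
        self.key = shared_secret(peer_public, self.secret)


def exchange(alice: Party, bob: Party, attacker: Optional[Party] = None) -> Dict[str, bool]:
    """Run the exchange over a channel the attacker may sit on. If present, the attacker
    keeps each party's real key and forwards its own key in both directions."""
    to_bob, to_alice = alice.public, bob.public
    if attacker is not None:
        real_alice, real_bob = to_bob, to_alice
        to_bob = to_alice = attacker.public
    bob.accept_peer_key(to_bob)
    alice.accept_peer_key(to_alice)
    result = {"alice_and_bob_agree": alice.key == bob.key}
    if attacker is not None:
        result["attacker_shares_alice_key"] = shared_secret(real_alice, attacker.secret) == alice.key
        result["attacker_shares_bob_key"] = shared_secret(real_bob, attacker.secret) == bob.key
    return result


def run_unauthenticated() -> Dict[str, bool]:
    """No pinning: both endpoints end up talking to the attacker without noticing."""
    alice, bob = Party("alice", ALICE_SECRET), Party("bob", BOB_SECRET)
    return exchange(alice, bob, Party("attacker", ATTACKER_SECRET))


def run_pinned(with_attacker: bool) -> str:
    """Alice has pinned Bob's real fingerprint, so a substituted key is refused."""
    bob = Party("bob", BOB_SECRET)
    alice = Party("alice", ALICE_SECRET, pinned_peer=fingerprint(bob.public))
    attacker = Party("attacker", ATTACKER_SECRET) if with_attacker else None
    try:
        return "agreed" if exchange(alice, bob, attacker)["alice_and_bob_agree"] else "mismatch"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("unauthenticated:", run_unauthenticated())
    print("pinned, no attacker:", run_pinned(False))
    print("pinned, attacker:", run_pinned(True))
```

The point of the pinned run is that the attacker’s substitution is only invisible when nobody checks the key’s identity; certificates, fingerprint verification and pinning are all ways of giving one side something to check against.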
DENIAL OF SERVICE (DDoS): Basically, this is an attempt by hackers to make a network, server or web site useless by flooding it with useless traffic, over-burdening its resources and causing it to crash. Most often, hackers use these types of attacks to bring a specific network to its knees and prevent legitimate traffic by exploiting limitations within the TCP/IP protocols. See the DDoS definition for more...
TYPOSQUATTING (a/k/a Mailbox in the Middle): A variant of the Man in the Middle attack (above). The practice of registering purposely misspelled domain names in order to direct traffic to an illegitimate website (e.g. McDonalds, MacDonalds, MacDonald’s), where e-mails could be opened which might contain personal or proprietary information, passwords, corporate or computer data, etc. It becomes a MITMB (man in the mailbox) attack (see above) when the redirected mail is returned to the original sender with a malicious or virus payload so that it then infects other computers.
SQL INJECTION: A type of security exploit in which the attacker adds structured query language (“SQL”) code to an input box in a web form on a web site in order to gain access to resources or make changes to data. Because most developers assume that their web forms will only ever receive users’ names and passwords, there is little security or verification applied to these requests. Once an attacker gains access to the underlying database, they have virtually unfettered access to wreak havoc on all of the information it contains. This is becoming an increasingly common exploit.
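The difference between a form handler that pastes the input box into the query and one that keeps it as data, as an added example (not code from this page’s author), using an in-memory SQLite table with constructed accounts:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a web site's user table (not real data).
    Passwords are stored in the clear only to keep the demonstration short;
    a real site stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The form's input boxes are pasted straight into the SQL text, so the
    # database cannot tell the user's data from the developer's query.
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None

def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterized query: the values travel separately from the SQL text and
    # are treated as data no matter what characters they contain.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None

def demo() -> dict:
    conn = make_db()
    # Constructed hostile input of the textbook kind: it closes the quote and
    # appends a condition that is always true, so the vulnerable handler
    # "logs in" without knowing any password.
    bad_password = "' OR '1'='1"
    return {
        "vulnerable_accepts_injection": login_vulnerable(conn, "alice", bad_password),
        "safe_rejects_injection": not login_safe(conn, "alice", bad_password),
        "safe_accepts_real_password": login_safe(conn, "alice", "correct horse"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```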
DNS REBINDING: An Internet intrusion by which hackers use extra IP addresses for legitimate web sites in order to obtain access to routers and then computers which do not have adequate password and firmware protection. It is not browser specific, and only applies to some routers.
CROSS-SITE SCRIPTING (a/k/a “XSS”): The newest and most common form of malware, which is actually a variation of a worm (see above). An attacker inserts malicious code into a link that appears to be from a trustworthy source. When a user then clicks on the link, the infected link is submitted with the user’s web request, executing the code on the user’s computer and allowing the attacker to steal information from it. Again, this type of exploit is becoming more common, due to the lack of security and verification programmed into the links by most developers. The vulnerability that enables XSS is sometimes referred to as an “XSS Hole”.
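How the “infected link” works on the server side, and the output-encoding fix, as an added example that is not from this page’s author. It simulates a search page that copies the `q` parameter of the requested URL into its HTML; the crafted link and the site name are constructed.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

def render_results(url: str, escape_output: bool) -> str:
    """Simulate a search page: take the 'q' parameter from the requested URL
    and place it in the HTML response. With escape_output=False the page has
    an XSS hole; with True the parameter is encoded as text."""
    params = parse_qs(urlsplit(url).query)
    query = params.get("q", [""])[0]
    if escape_output:
        # &, <, >, " and ' become character references, so the browser
        # displays the text but never treats it as markup or script.
        query = html.escape(query, quote=True)
    return f"<html><body><h1>Results for: {query}</h1></body></html>"

def script_survives(page: str) -> bool:
    """Would a browser see a script tag in this page?"""
    return "<script" in page.lower()

# Constructed link of the kind described above: it points at the genuine
# site, but its search parameter carries markup instead of a search term.
CRAFTED_LINK = "https://shop.example/search?q=" + quote(
    '<script>document.title="xss"</script>')

def demo() -> dict:
    unsafe_page = render_results(CRAFTED_LINK, escape_output=False)
    safe_page = render_results(CRAFTED_LINK, escape_output=True)
    return {
        "hole_executes_script": script_survives(unsafe_page),
        "encoded_output_is_inert": not script_survives(safe_page),
        "safe_page": safe_page,
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```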
APTs: Stands for Advanced Persistent Threats. These are a new breed of cyber-adversary which are well-funded and highly organized, intruding into larger networks by continuously probing target systems looking for information such as source code and other sensitive intellectual property with which to invade the subject network. Operation Aurora, which compromised systems at Google and other major companies in 2009 was a type of APT.
Google Dorking: An advanced search technique used by malicious hackers to locate information that enterprises may not have intended to be discoverable by the public, or to find website vulnerabilities for use in subsequent cyberattacks. This applies to any search engine with advanced search capabilities, as by searching for specific file types, malicious cyberactors can locate information such as user names, keywords, e-mail lists, sensitive documents, bank account details and website vulnerabilities. For example, a simple “operator.keyword” syntax such as “filetype:xls:intext:username” in a standard advanced search box would retrieve Excel spreadsheets containing user names. Moreover, freely available online tools can run automated scans using multiple “dork queries”.
WHY DO PEOPLE CREATE VIRUSES AND SPYWARE? For a rather lengthy discussion of this issue, click FAQs...
Don’t be all smug just because you have a Mac. Increasingly, proportional to their newfound popularity, Macs are now getting viruses and spyware, too. And there are also “cross-platform” versions of viruses and spyware, i.e. those that can infect both Macs and PCs. For example, see the 2010 Boonana malware, which used a malicious Java applet to deliver a cross-platform attack which attempts to download further malware to computers running Windows, Unix and Mac OS X. And then there’s the 2011 explosion in Mac Defender and other viruses (see the Mac pages for more).
NOTE: As noted earlier, we haven’t included SPAM as a virus or malware because it isn’t. It may be an annoyance, but does not fit the definitions of a virus or intrusion. It’s just junk mail that you receive because you are on the Internet, much like the bulk mail you receive in your physical mailbox because you have a public street address. If you don’t like it, filter it out. Only when combined with any of the above intrusions, infections or exploits does spam rise to the level of malware. Maladvertisements, for example, may be pop-up advertisements which also load malware on your computer, such as keystroke loggers or viruses.
PUP: This term, which you may frequently see after you have run a malware or spyware scan, means “potentially unwanted program”. It was coined by internet security provider McAfee when software companies protested that their programs were being classified as “spyware”. McAfee distinguishes PUPs from spyware on the basis that spyware is always unwanted by the user, while PUPs may actually be unwanted despite the fact that the user consented to the download, mainly because it is rightfully assumed that computer users don’t really read each screen of their download agreement closely enough to give informed consent to the add-on programs that are downloaded along with the program they think they are getting.
AND THAT’S JUST THE SOFTWARE...
Of course, this entire discussion concerns only SOFTWARE problems.
HARDWARE intrusion is a completely separate issue, beyond this explanation. For example, a simple key logging “dongle” which can be placed between the keyboard plug and the PC (or even in the keyboard itself) can log a couple of million keystrokes and, because it is self-contained and doesn’t interact with the PC or its operating system, is virtually undetectable by standard security software. Or an unauthorized (even innocent) “rogue access point” within your office network may be a gaping security hole which reports secure information to another computer or a “drop zone” which is controlled by criminal elements. Also, USB devices are a major unprotected source of intrusions and infections, because the majority of USB flash drives (and most other USB peripherals as well) do not protect their firmware (the software that runs on the microcontroller inside it), allowing a malware program to replace the firmware, perhaps with secret SCSI commands that may make it act like some other type of device, like a keyboard, which can then send commands to download and execute malware, viruses or espionage programs. Newer keystroke loggers even resemble USB cell phone chargers. And your USB (but not Bluetooth, which is subjected to stronger industry security standards) wireless keyboard can be hacked to intercept signals as far as 250 feet away. That’s why so many enterprises make it a practice to lock down their computer systems so that USB drives can’t be inserted anywhere in the system, at least not without SysOp permission. You have to visually inspect your system and know what you’re looking for.
Moreover, most intrusions occur via Social Engineering, which (aside from phishing) doesn’t involve either software or hardware attacks. Click HERE for more about this.
HOW DO YOU KNOW IF YOU HAVE A VIRUS OR SPYWARE?
Of course, if your antivirus program and/or anti-spyware program is up-to-date and working, it should notify you that it has detected a virus or spyware, and prompt its removal. Quite often, though, the virus will intentionally “disable” your antivirus software and slip into your computer undetected. If you notice that the icon on the taskbar (bottom right corner of the monitor) has changed from color to black and white, has disappeared, or has an “X” through it, it has probably been intentionally disabled by a virus or the like. Also, you will probably see a noticeable slowdown in the operation of your system as the virus works its way through the computer. You may also receive legitimate messages at startup indicating problems with the system. Your home page on your browser may change and cannot be reset. You may start seeing pop-ups claiming that your computer is infected and that you have to purchase or run a specific brand of antivirus protection. You might be receiving e-mails requesting confirmation of your passwords or other account settings. All of these things are bogus tricks; you should not fall for them. Finally, you may notice that your Windows settings, such as screen savers or taskbars, are changing without any action on your part.
A great deal of spyware and phishing attacks are delivered via e-mail (although more and more are exploiting social networking sites such as MySpace and Facebook), but if you are vigilant you can quickly spot some of the traits typical of those fakes designed to steal your private information. For example, misspellings and poor grammar are often employed, not because the phishers are illiterate or foreign, but as a common ploy to avoid spam filters. Also, phishers may employ a generic greeting (“Dear Sir”), rather than your name, a tip-off that it’s from someone unknown and should bear closer scrutiny. Many attacks prey on people by threatening imminent urgent action unless responded to, such as threatening account closure or claiming that an unauthorized transaction has occurred. The same goes for phony links to alleged traffic cam photos of your speeding, UPS and FedEx receipts or IRS notices. Fake links and deceptive URLs can be quite sophisticated so, if in doubt, search for and go to the company’s actual web site directly and log in there rather than responding to an e-mail. And, remember, any e-mail that asks for personal information is probably not legitimate. And many of those e-mail messages with gibberish aren’t as stupid as you might think: Because most anti-spam programs use some form of Bayesian message filtering, spammers can “poison” the filters by sending many messages which each contain large amounts of random words and phrases that are likely to appear in legitimate messages, letting the spam through. Also, opening the mail may open some “web beacons”, which are transparent graphics files placed in HTML e-mail messages which, when loaded, inform the sender that the e-mail address is a “live one”.
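As an added example (not from this page’s author) of what a web beacon looks like inside an HTML message, here is a small scanner built on Python’s standard HTML parser that flags remote images sized 1×1/0×0 or hidden by style; the sample message and tracking host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class BeaconFinder(HTMLParser):
    """Collect <img> tags that look like tracking pixels: an image fetched
    from a remote server that is tiny or hidden, so the reader never sees it
    but the server still learns the message was opened."""

    def __init__(self) -> None:
        super().__init__()
        self.beacons: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        # Inline (cid:) or relative images never leave the mailbox; only a
        # remote fetch can report back to the sender.
        if not urlsplit(src).netloc:
            return
        width, height = a.get("width", ""), a.get("height", "")
        style = a.get("style", "").replace(" ", "").lower()
        tiny = width in ("0", "1") and height in ("0", "1")
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or "width:0" in style or "height:0" in style)
        if tiny or hidden:
            self.beacons.append(src)

def find_beacons(html_body: str) -> list[str]:
    """Return the remote image URLs in the message that look like beacons."""
    finder = BeaconFinder()
    finder.feed(html_body)
    return finder.beacons

# Constructed sample message showing both phishing traits and a beacon.
SAMPLE = """<html><body>
<p>Dear Sir, your account will be closed unless you act now.</p>
<img src="cid:logo.png" width="200" height="60">
<img src="https://track.example/open.gif?id=abc123" width="1" height="1">
<img src="https://track.example/p.png" style="display:none; width:0">
<a href="https://login.example/reset">Reset your password</a>
</body></html>"""

if __name__ == "__main__":
    for url in find_beacons(SAMPLE):
        print("beacon:", url)
```

The reliable protection is to have your mail client block remote images by default; this scanner only shows what such a setting keeps from loading, and a beacon with no size attributes at all would slip past it.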
But there are still some instances of malware that you cannot detect. Take, for example, the Creepware example above of Blackshades, the malware that uses your webcam and microphone to spy on you to get your personal information. Always rely on the “layered” security protection recommended in the Baseline page of this site. Remember, security is a “process” - protection is never “done”.
WHAT TO DO
There are many things you can do to reduce the risk of viruses and intrusions:
(1) Probably the most important program on your computer is your antivirus software. Whether it’s McAfee, Norton, Trend Micro, AVG, Panda or any of the other popular antivirus programs, it is an absolute necessity to install and just as absolute to keep it up to date.
(2) Many of these programs also include spyware and even rootkit detection. Or you may have separate ones. Either way, install them and keep them updated.
(3) In addition, you may have firewalls (either hardware or software) and other security features (in addition to the basic Windows incoming firewall and router hardware firewall). Some programs offer all of the above in one package.
It’s up to you whether you think you really need this much protection, or whether the more a program claims to do, the less well it does each item of protection individually (i.e. “Jack of all trades, master of none”). Reading between the lines, you may see my opinion on this matter. Note that the figures presented by antivirus and anti-malware vendors must be viewed realistically: Their elimination rates refer only to known infections and intrusions. Heuristic infections such as Zero Day exploits, rootkits and the like (which are increasingly the more common malware) aren’t included, and rates for those are generally in the 35% to 65% range, not 95%+ as they are for known malware. For some types of intrusions, such as those used to steal financial information, the figure can be as low as 25% protection.
(4) Also, upgrading your operating system from XP or earlier to Windows 7 or 8 will help (for example, the ZeuS virus will infect XP computers, while Win 7 will help prevent the ZeuS infection routines and guard against your PC being subverted into a botnet). Keeping your Windows updates current will also help thwart intrusions.
(5) Installing and using the Microsoft Malicious Software Removal Tool (a Microsoft desktop security default) will also help.
(6) You should also avoid directly typing your passwords and user names into various web pages if at all possible (using automated programs such as LastPass or RoboForm to do the work for you, as they may not be detectable by keystroke loggers).
(7) Similarly, running the latest versions of your web browser will help, as will installing the latest patches for them.
(8) In addition, you should always install updates for Adobe and Java if you use them. Enable the automatic update feature for this.
(9) If you’re running enterprise computers, think about setting each PC’s software management tools, or setting its Group Policy Objects to restrict vulnerable registry keys. (For more, See Tip #62).
(10) Finally, you can always shut off your computer when you’re not using it if you want to be even safer - No one can intrude into your computer if it’s turned off.
Remember - there is no such thing as total security. The biggest security threat is YOU, not your computer or the Internet. See also 10 Commandments of Computing.
However, don’t get that warm fuzzy feeling just yet. Anti-virus programs can prevent lots of viruses, but they’re not perfect. Just as you can get a flu shot but still contract the flu. The shot prevents the flu virus from entering your body before it can cause any damage. But it doesn’t work against every strain of flu virus, only the ones that it’s designed to prevent, not every possible existing flu or a flu that arises after the shot has been prepared. Similarly, the antivirus programs create a barrier preventing most viruses or intrusions from entering your computer. But some infections and intrusions can nevertheless get through because the software hasn’t been prepared to specifically prevent them. When you download virus “definitions” periodically, that’s what it’s doing: Preparing itself to recognize viruses that fit the new definitions. If the new definitions aren’t there, the virus may be missed. Also, for example, rootkits, zero-day exploits, boot sector viruses and blended malware (discussed above), may simply not be detectable and removable by even the best heuristic (self-learning) antivirus software, partly because they are in places on your computer that antivirus software can’t reach. In such cases, they have to be “manually” removed in parts, usually by a professional, or else they may magically reappear.
Moreover, removing viruses using these programs is not a perfect science. When a virus is detected, the program will prompt you to “heal” it, “quarantine” it, or “ignore” it. Select “heal” first. Don’t be surprised if the virus can’t be healed; the consumer grade programs are more for detection than removal (besides, what do you really expect from a free or inexpensive program?). Your second choice, “quarantining” the virus, is the most common fix. The program takes the infected file, virus and all, and separates it from all of the others on your computer (usually into a “virus vault”) so it can’t cause further damage. The only problem with this is that you may win the battle but lose the war. I’ll explain: The antivirus program doesn’t distinguish between necessary or unnecessary programs on your hard drive. If it’s infected, it’s removed. Therefore, if the infected file is a part of the master boot sector for your operating system, once it is removed, your computer may not boot. It may be dead. On the other hand, if the file that is infected is only for some obscure word processing feature that you’ve never used, or in your temp files or recycle bin, you may not even notice the difference. The third choice, “ignore”, is only for leaving programs on your drive that are really not viruses or spyware. They may be diagnostic programs or false-positives for programs (often anti-spyware) that you intentionally installed.
HOW CAN I FURTHER PROTECT MYSELF?
Anti-virus and anti-spyware programs, discussed above, are a good start. But common sense is the best prevention. Believe it or not (see News, Data), the majority of intrusions and infections are actually caused by “social” interaction, especially through social networking sites like Facebook, MySpace, Twitter and the like (see also, Social Networking). Don’t be fooled by messages that purport to be from your “friends” if they seem uncharacteristic, generic or unexpected. Many of the “hacks” on these sites are the result of some type of phishing scheme through which users are tricked into visiting a bogus website and then into entering login credentials to view a page or update some sort of software. Offline, you can trust your real friends to have your back; online, trust no one. Don’t trust messages or e-mails or telephone calls that purport to be from Microsoft requesting password information. Microsoft will never e-mail you requesting passwords or to confirm settings information, or send you messages (from the operating system, as opposed to their own antivirus software) that your computer is infected. Nor will they telephone you and ask to check your computer because they think it is infected. In 2010, Bank of America and Facebook both suffered from phishing e-mails purportedly from them to their users requesting confirmation of their account passwords. Since most people use the same or similar passwords for all of their computer accounts, once the hackers gain access this way, they’ve effectively taken control of your entire computer. See Password Advice about how to create a secure password.
Here are a few basic, common-sense rules:
- Stop “promiscuous friending” just to build up a group with people you don’t really know - following or responding to unknown tweets or e-mails will spread viruses and intrusions.
- Also, don’t click on unexpected links, even from senders you might actually know.
- Don’t ever click on pop-up warnings. If you do click, and are prompted to install software, paid or free, never do it.
- Don’t click on a suggested web address unless you’re positive that it’s legitimate. If you’re unsure, go directly to the vendor’s website instead. Don’t fall for the “password reset” e-mails that look like they’re coming from a legitimate company. Go directly to their site to reset. Also, for phone browsers, preview shortened URLs to see their true destination by pasting them into your browser, add a + after the URL, then press Enter. Adding the plus sign takes you to a bitly site first, where you'll see a stats page for the destination site. For tinyurl addresses, add "preview" before the address, and the uncloaked address will appear at the tinyurl site. For snipurl addresses, add "peek" before the shortened address. For any link — short or long — in a web page, hover your cursor over the link and the true, full address should appear at the bottom of the browser window. Anything with a .exe or .dll at the end is a sure tip-off, as is a gibberish URL. If it’s suspicious, don’t click on it.
- When installing software, pay attention to the check boxes that install unwanted add-ons. Like Kazaa foisting MySearch Toolbar, Adobe Flash installing McAfee Security Scan, Java the Ask Toolbar, Flash installing Chrome, and many others.
- Never return to the web page that you visited before the intrusion which is causing pop-up messages or page hijacking.
- Never, I repeat never, provide your login information to any site visited through social networking. If you believe the request is legitimate, visit the site independently, rather than through the link.
- Also, it’s a good idea to sign out or log off of the sites you are not actively using, rather than leaving them on continuously (avoiding man-in-the-middle attacks by someone sniffing active SSL certificates).
- Finally, to avoid those infections and intrusions that occur simply by visiting legitimate sites, always remember to install the genuine Adobe Reader, Flash, Java, Internet Explorer, Mozilla and other major plug-in and browser updates, some of which are zero-day patches. Set your Java and Flash to automatically install updates rather than checking manually.
On the advanced side, here are some additional suggestions:
--- Always change the default account and password on your router.
--- If your browser and operating system support higher levels of encryption, enable the support of TLS 1.1 and disable TLS 1.0 in the advanced settings of your browser, but only if it is supported (sadly XP won’t; Windows 7 & 8 will).
--- As a last resort, you may consider disabling scripts in your browser.
--- Also, remember to keep the firmware in hardware such as routers and access points up-to-date.
--- If you are a more advanced user (careful here, you can seriously screw up your computer), you could disable HTTP and enable HTTPS in your router settings.
--- Maybe you can disable UPnP (but not if you use services such as Skype).
--- You could use the NoScript browser plug-in for Firefox (suspends Java, Flash and Active-X, asking first for its use).
--- You could even switch to OpenDNS, which changes DNS from your ISP’s defaults to those of OpenDNS (220.127.116.11 and 18.104.22.168).
Many of the advanced suggestions above would only be necessary if you have a persistent security issue. If you need help, call!
Don’t want to be tracked without your permission? Keep in mind that GPS is a hardware system of about 30 satellites which orbit the earth. They don’t track your location. It’s the hardware you own that does that - primarily smart phones with built in chips that do that job. According to CNN, as of 2011, some 43% of us own these smart phones, but many of us don’t have the slightest idea that they can control the GPS settings:
> Turn off your GPS on your smart phone. But remember, if you call 911, it will always record your location.
> Disable the photo tags which put GPS info on your photos.
> Adjust the settings on your individual apps like Twitter and Facebook to control the transmission of location and other private information that you may be transmitting over the Internet.
The best plan for anti-virus and anti-malware protection is a “multi-layered” one, combining anti-virus software, anti-malware software, a good firewall, operating system updates, storage protection and common sense. [See the Baseline page of this site for more.] These days, all of these types of protection are absolutely necessary.
NOTE: While off-the-shelf programs are often sufficient to detect and remove or at least quarantine many viruses and spyware, truly invasive viruses (i.e. blended malware, polymorphic viruses, rootkits, master boot sector viruses, zero day exploits) usually require manual removal by a computer professional. Editing the system registry, services and processes, and removing system files and restoring renamed files is NOT for the novice user. It can damage or even irretrievably crash your computer. CALL US.