CHIPS Articles: The Lazy Person's Guide to Malicious Software

To start, take a short quiz. Please note your answers now. We'll check them as we go along.

1. Most zombie computers are:

2. Your computer is at risk of becoming infected by malware if you:

3. An application that appears useful or entertaining but installs hidden software on your PC is called:

4. In 2008, which country was allegedly the largest source of zombie PC cyber-attacks?

5. Which of the following is the most effective computer security strategy:

6. True or False: Antivirus software will keep you safe from malware infection

7. True or False: It is safer to run your computer in admin mode because it gives you more control

8. True or False: A rootkit is a useful application that can give you control over the core operations of a PC

9. True or False: Blocking incoming communications from foreign IP addresses is an effective way to defend your organization from cyber attacks

10. True or False: You will have a more secure system by adopting new technology as soon as it comes out – before hackers have a chance to find vulnerabilities

Bonus question: In 2004, what key change was made in the default settings of Windows XP?

Now, let's see how you did.

Uncle Zombie Wants You

And Uncle Zombie likes them big. The answer to No. 1 is c. Yes, home PCs may get infected daily, but it requires defeating the firewall on each computer. Networks represent a much higher return on the attack investment, and the larger they are, the better. There might be one or more computers on a home local area network, but that's slim pickings for a botnet that needs thousands of drones to be a real threat. However, if malware penetrates an organization's firewall it has hundreds, if not thousands, of targets to try and enlist to its cause.

No. 2 is tricky. I can remember back to a halcyon time when just opening an e-mail did not put you at risk of infection. At this time, Web pages were handcrafted line by line using Notepad and not by a scripting language that waits to load nasty stuff on your computer. However, you still cannot get infected just by opening an application — you have to open content from an external source to be at risk. So, the answer to No. 2 is c.

Adobe Portable Document Format files, generally considered safe and reliable for years, have been used as malware delivery platforms. If you’re using a version of Adobe Reader earlier than version 8.1.2, for example, you may be vulnerable to PDFs car¬rying the Trojan.Zonebac which lowers Microsoft Internet Ex¬plorer security settings. (Go to http://web.nvd.nist.gov/view/vuIn/detail?vuInId=CVE-2008-0655 for more information.)

If PDF files are not safe, is anything? No, not really. You can get malware from graphics files, music files, document files and pretty much anything else capable of carrying a form of execut¬able code. If you want a truly frightening picture of the ratio of bad to good applications, take a look at the list your antivirus software uses to identify malicious code.

A well-developed antivirus program will probably list at least 75,000 different dangerous items that it needs to keep out of our computers. On the other hand, we probably run only a few dozen “good” applications and maybe a few hundred useful bits of mobile code from Web sites. With that ratio of crud in mind it is not a stretch to say that the Internet may be more like a sewer system than a highway.

Beware of Geeks Bearing Gifts

The answer to No. 3 is b. It may look like a calculator. It may act like a calculator. But that cute calculator application adorned with tiny flying ponies that you downloaded from the Internet in hopes of luring your 6 year-old into a state of mathematical genius might really be a horse — a Trojan horse.

While rootkits (discussed later) and spyware (discussed in the last issue at www.chips.navy.mil/archives/08_Jul/web_pages/botnets.html) are not nice things to have on your computer, a Trojan horse is a sweet candy coating for something infectious on the inside. Beware of anything you can get for free — it might be worth less than you paid for it.

MP3 players are marginally less evil, but we can discuss their insidious effects the next time we look at forms of computer-mediated addiction.

Trojan horses, like their mythical Greek namesake, rarely carry anything good. When that innocent-looking calculator application triggers a security alert during installation, your computer will ask for permission to complete the job. There is usually a good reason for the computer to ask because the application is asking the computer to let it change things deep in the computer’s cerebral cortex.

At this point, it is up to the operator to exercise good judgment and question why a calculator application needs to make changes to the Registry. Unfortunately, too many people inadvertently load bad stuff on their PCs, or use obsolete or unpatched software that allows malware on the system, thus contributing more zombies to the botnet army.

The first three questions should lead you to the answer to No. 4. If you know what country has the largest organizational networks, uses massive amounts of information daily, and whose populace is easily distracted by bright shiny computer-like objects, then the only logical answer is a, the United States.

Earlier this year, a company named SecureWorks published a report about the source of cyber-attack attempts against its clients. At the top of the list was the United States, which hosted 20.6 million attack attempts. China was a distant second with 7.7 million, followed in descending order by Brazil, South Korea, Poland, Japan, Russia, Taiwan, Germany and Canada, which racked up between 100,000 and 200,000 each.

However, the last eight together only totaled around 1.6 million attacks, far short of either China or the United States, and more attacks were launched from U.S. computers than the rest of these nations combined. If you knew the answer to No. 4 then I am hoping you also got No. 9 correct.

The last of our multiple choice questions offers several strategies of varying attractiveness.

“Default Permit,” or "Everything, not explicitly forbidden, is permitted," only works if you can identify every possible threat to your system. Like my earlier indictment of antivirus software, any new attack not in the profile list will walk right in and make itself at home.

“Penetrate and Patch” is a security approach used by many in the computer industry. We have been doing this for decades. We still do P&P, and therein is the problem. If it were an effective way to secure our systems, why do we still need to keep doing it?

Even if we could find all the holes in a particular system, as soon as we upgrade or replace software new groups of hidden vulnerabilities emerge. Granted, penetration testing is useful, but only if you, or the people you hire, are more skilled than the people trying to compromise your system.

“Educating Users” suffers from the same lack of results. Every year, millions of computer users in the United States take computer security training mandated by their organizations. Does it help? Well, according to SecureWorks’ report, we have more attacks coming from infected PCs here in the U.S. These infected PCs serve as platforms (bots) that launch cyber-attacks worldwide. So educating users, which is still something we should do, does not appear to be stemming the tide.

That leaves “Whitelisting” which is how most secure computers operate today. A whitelist is a list of accepted items or persons in a set. The list is inclusionary, confirming that the item being analyzed is acceptable. An e-mail whitelist is a list of contacts that the user deems are acceptable to receive e-mail from. Spam filters that come with e-mail clients have both white and blacklists of senders and keywords to look for in e-mails.

No one should be running in a mode where they can load software or change key system settings as a matter of routine. If you need to install new applications, turn off anything that might attract malware, log in as "admin" and make your changes, and then go back to running in a safer mode. This answers No. 7 a little early, but running your PC in admin mode only makes you more vulnerable to infection. Do not do it.

If you want to see an early description of whitelisting I will wind up the Wayback Machine to an article on computer security published in CHIPS almost 12 years ago at www.chips.navy.mil/archives/97_jan/file6.htm. It took many years for computer security to gain enough traction to be considered more than an inconvenience. For example, it was not until 2004 that most PCs were sold with the firewall turned on as a default setting instead of leaving it up to the user. And yes, that is the answer to the bonus question.

Got Root?

Since we have already discussed the answers to No. 6 (False) and No. 7 (False), let us move on to No. 8, which is True. A rootkit is a useful application for someone trying to hack into a system to gain control at the “root” level of a computer.

Early rootkits were developed to allow Unix administrators to take control of unresponsive systems and gain root access to the system, thus the name. However, they quickly became tools for hackers who wanted to gain administrative privileges and hide their activities from a system’s legitimate owners. A rootkit can be a tool or a weapon depending on how it is employed.

Modern rootkits are like submarines: Their job is to disappear into the system and become invisible. In addition, they can also conceal the activities of other programs, like botnet applications or spyware. Rootkits can be difficult to find, particularly if you are searching while the rootkit is running. The only reliable way is to shut down the system and reboot from a CD or write-protected external drive. The rootkit cannot hide itself if it is not running.

The only reliable way to cure a rootkit infection is to re-install the operating system and applications. If you save the data files, scan them until they are sterile to avoid re-infection. Make sure the firewall is on, never surf the Internet in admin mode, and never allow anything to install that needs administrative privileges unless you are very certain of what it will do.

Man the Barricades

Now to No. 9 which is False. If you remember that most zombie attacks appear to originate here in the U.S.A., blocking incoming packets from foreign IP addresses might stop a little over a third of the attacks. But what you really want is control over outgoing packets, particularly those heading to foreign IP addresses. Regardless of where the zombies are located, there is some consensus that the people operating botnets live in countries with lax law enforcement regarding computer crime, and possibly some countries may even encourage these nefarious activities.

While an infected PC might still be getting instructions from a foreign source, it will be far less effective if it cannot report back to its new master. Outgoing traffic, particularly to sites no one has actually visited, might be a sign that there are infected PCs inside the firewall.

No. 10 is False. Computer history is littered with the virtual bodies of early adopters who embraced version 1.0 (or beta versions) of an application, only to find that they had acquired the computer security equivalent of a cardboard flak jacket. Unfortunately, there are people who want the newest, brightest and “bestest” toys right now. Please resist the urge to rush a new system into operation unless there really is no other choice.

Malware Symptoms

How can you tell if your computer has been infected? Here are some typical symptoms:
• You get pop-ups at random when you are not searching the Internet.
• You get a funny video in e-mail and when you double click on it you get a security warning. When you click OK to let the video run, nothing happens.
• You click on a link in search results and immediately get pop-ups. You close the pages but get error messages.
• Your computer runs slowly and when you check system activity you see unexplained memory, central processing unit, or network bandwidth consumption.
• Your computer is sending or receiving data (indicated by constantly blinking lights on your modem or router) even though you do not have a browser, e-mail or other Internet program open.

Essentially, any time your computer does something that you did not tell it to do, you should be suspicious. Granted, the last example could be some type of auto-update program, but any reputable updater application should issue an alert and ask permission before proceeding.

We looked at Trojan horses earlier, but it also might be useful to look at the differences between a virus, worms and Trojans.

A computer virus is executable code that attaches itself to a executable file and is activated when a user runs the file it is attached to. Viruses range from annoying (displaying a joke message at a set time) to dangerous (damage to your system or files). Because almost all viruses are attached to executable files they generally cannot infect a computer until a user runs or opens the host file.

Please note that a virus cannot be spread without a human action such as running an infected program or e-mailing an infected file.

A computer worm is similar to a virus, with one important difference: It can travel without any help from users. Worms take advantage of the various file and information transport features on computers and networks to travel. Once a worm is active it can send thousands of copies of itself to any target it can find.

A common worm tactic is to e-mail itself to everyone in a user's e-mail address book, or just wait until an e-mail is sent. This feature can also help us detect worms because if they are too active and consume too many system resources, we may notice loss in memory or an increase in bandwidth consumption.

A worm may install a Trojan, or a Trojan may carry a worm or virus. While worms try to operate below the radar, Trojans can be more effective because they attempt to trick the system user instead of the built-in security of the system. Sadly, it seems that humans are easier to fool than computers.

Another infection method that deserves a look is the "Drive-by Download." This happens without knowledge of the user and occurs by visiting a Web page with malicious code, viewing an infected e-mail or clicking on a deceptive pop-up. The page may have only been open for a few seconds and nothing was installed, but if the code is there, and the browser is vulnerable, the computer can be compromised.

You do not even have to visit questionable Web sites to be attacked by a drive-by. In addition to looking for new PCs to infect, hackers probe legitimate corporate and government Web sites scouting for vulnerabilities to try to upload malicious code that will attack PCs that visit those sites.

Closing Words

The global reach of the Internet provides great opportunities. But leaving your network or computer vulnerable to people in faraway places who will cheerfully add your computer to their botnet without caring what damage they may do along the way can have catastrophic consequences, but if you do some fairly simple, sensible things, you can be safe.

So enjoy the Internet, but remember the words of President Ronald Reagan — “Trust, but verify.”

Happy Networking!

Long is a retired Air Force communications officer who has written regularly for CHIPS since 1993. He holds a Master of Science degree in information resources management from the Air Force Institute of Technology. He currently serves as a telecommunications manager in the Department of Homeland Security.

The views expressed here are solely those of the author, and do not necessarily reflect those of the Department of the Navy, Department of Defense or the United States government.