CyberWatch Column
Malicious
Software
M. E. Kabay, PhD, CISSP-ISSMP
Professor of Computer Information Systems
Norwich University, Northfield, VT
This is another in a continuing series devoted to how ordinary people can
protect themselves when using the Internet.
As this column is being written, there are over 55,000 distinct forms of
malicious program code circulating in cyberspace. Most of these harmful programs
are confined to anti-virus laboratories and to the computers of virus hobbyists,
people who derive a perverted pleasure from playing with dangerous toys.
Viruses are self-reproducing programs that insert copies of themselves into
various forms of executable code, i.e., instructions that tell a computer what
to do. Several forms of executable code have been used as hosts for viruses:
- Boot sectors: the first sector on a disk (logical block 0, the place where a
PC looks for the code that starts the operating system); boot-sector viruses
reproduce by being loaded into memory when a computer boots (restarts) with an
infected disk in the boot device.
- Program files: files on PCs that end in ".exe" or (more rarely) ".com", plus
some other, less-used extensions. Program-file infectors insert their own
instructions into a program file so that the viral code is loaded into memory
whenever the program runs; once resident, it can alter the functioning of the
computer and, among other things, copy itself into further program files.
- Trojan horses: another form of harmful program code; the name refers to
programs that have been modified without authorization and without documentation
so that they contain unexpected functions. Examples include programs that
supposedly allowed people to cheat AOL out of connection fees (but actually
stole passwords and sent them to the criminals who had written the programs).
- Document macros: Microsoft Office documents can carry macros (stored sequences
of operations), and the Office applications run certain macros automatically,
for example when a document is opened. Macro viruses are macros written in
Visual Basic for Applications (VBA), the programming language built into the
MS-Office suite, that exploit this automatic execution; typically they also copy
themselves into the application's global template so that every document saved
afterwards carries the virus. Macro viruses are the most frequently encountered
viruses in the world today. They reproduce through the exchange of infected
documents such as MS-Word ".doc" files and MS-Excel ".xls" spreadsheets.
- E-mail attachments: in addition, the newest generation of macro-based malicious
software, known as e-mail-enabled worms, uses Visual Basic code to drive a feature
of MS-Outlook, MS-Outlook Express and other MAPI-compliant e-mail packages (the
programming interface through which other programs can send mail) and mails
copies of itself to many or all of the recipients listed in the victim's e-mail
address book. These worms spread through the 'Net because the attachment is
executed as soon as the recipient opens (double-clicks) it.
Today, there are virus-creation kits that allow untrained kids to create virus
variants that can cause havoc to individuals and organizations. Writing (or
modifying) viruses seems to appeal to children because it is so easy to cause
trouble for many people at once – it’s one of the few ways a child can feel
really powerful in the world of adults. It is important to discuss these problems
with children from the earliest ages so that they can get used to the idea that
writing viruses is just as bad an idea as, say, arson. Writing and distributing
viruses may be prosecuted under a number of computer crime laws, including the
Computer Fraud and Abuse Act of 1986 (18 USC 1030).
- Use antivirus software on all your computers.
- Keep your virus signatures up to date (e.g., update your antivirus software
at least twice a month, and more often while an outbreak is in the news).
- Don't download or use software that purports to help you break the law or
cheat people and businesses; these programs are especially prone to carry
viruses or Trojan code.
- Don't download or use stolen software (i.e., software copied without
permission or in violation of license restrictions).
- Don't execute software that anyone sends you through e-mail, even if you know
and like the person who sent it. Just because they're nice people doesn't mean
they are qualified to inspect programs for safety, and an e-mail worm sends
itself in their name without their knowledge.
- Before sending someone an attachment (e.g., a picture or any other kind of
file) by e-mail, let your recipient know what to expect via a preliminary
message; if you don't know the person personally, send an e-mail requesting
permission to send the attachment.
- Never open attachments you have received without warning, regardless of who
sent them or what the subject line or text say. Be especially suspicious of
generic subjects such as "FYI" without details or "You'll like this." If you
are really curious about the attachment, phone or e-mail the supposed sender to
find out whether it is legitimate.
- Don't forward programs, even reliable programs, to anyone; instead, tell your
friends where to download useful programs from a trustworthy source (e.g., the
publisher's legitimate Web site).
- Before sending anyone an MS-Word document as an attachment, save the document
as an RTF file instead of as the usual DOC file. RTF files cannot store document
macros and therefore cannot carry macro viruses (they can still contain embedded
objects, so the other precautions still apply).
- Disable automatic execution of macros in MS-Word using the TOOLS | MACRO |
SECURITY menu and select the HIGH option, which restricts macro execution to
digitally signed macros from sources you have marked as trusted (none, by
default).
- Install the patches offered by Microsoft to block the automatic execution of
attachments in Outlook and Outlook Express; the Outlook E-mail Security Update
prevents attachments of executable types such as .exe, .vbs and .pif from being
opened at all.
18 USC 1030: Computer Fraud and Abuse Act of 1986 < http://www4.law.cornell.edu/uscode/18/1030.html >
Computer Virus FAQ for New Users (1999) < http://www.cs.ruu.nl/wais/html/na-dir/computer-virus/new-users.html >
F-Secure Virus Database search < http://www.f-secure.com/v-descs/ >
IBM Antivirus Research < http://www.research.ibm.com/antivirus/SciPapers.htm >
ICSA Labs Virus Alerts < http://www.icsalabs.com/html/communities/antivirus/alerts.shtml >
Online VGrep Search < http://www.virusbtn.com/VGrep/search.html >
Top Ten Viruses (Trend Micro) < http://www.antivirus.com/vinfo/default.asp >
Virus Bulletin < http://www.virusbtn.com/ >
Virus Primer (Trend Micro) < http://www.antivirus.com/vinfo/vprimer.htm >
"What makes Johnny (and Janey) write viruses?" (2001) by Kim Zetter < http://www.itworld.com/Net/3271/PCW01051534405/pfindex.html >
Word Macro Virus FAQ from Michigan State University < http://www.ahdl.msu.edu/ahdl/macrofaq.htm >
<< end of article >>
SIDEBAR:
In recent weeks, readers may have heard a great deal on the news about the
Sircam and CodeRed worms.
Sircam is a very widespread and dangerous worm that infects MS-Windows systems.
It infects a system when a user opens (double-clicks) an infected attachment.
The e-mail message carrying the worm usually has text that reads something like
"Hi! How are you?" in the first line, includes a semi-random selection from a
list of phrases such as "I wanted your opinion on this" and is followed by a
last line reading "See you later. Thanks." The subject line of the e-mail
message is usually taken from the name of the attached infected file. Once it
infects a system, Sircam picks a document at random from the victim's files,
attaches itself to that document, and mails the result to everyone in the
victim's e-mail address book. The attachment keeps the document's name but gains
a second, executable extension (for example, "report.doc.pif"), which is easy to
overlook because Windows hides known file extensions by default. Because the
documents are chosen at random, there have been cases in which confidential or
embarrassing information was mailed out to thousands of recipients. Sircam
cannot infect Macintosh computers. Always delete any attachment that you are not
expecting to receive and, if necessary, contact the sender to determine why you
have been sent a file without a preliminary request for permission to do so.
For technical details of the Sircam worm, see
< http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/hohsircam_cid118.shtml >.
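The precautions in the article and the Sircam description above boil down to a few checks that a mail program, or a reader who distrusts it, can make mechanically: is the attachment's last extension one that Windows will execute, is that extension hidden behind an innocent one such as ".doc", and does the message body read like the worm's stock phrases? The following Python script is an added example written for this page, not code from the original column. It builds a message constructed to match the description above (not a real capture), parses it with Python's standard `email` package and reports those findings. The extension sets and the phrase patterns are illustrative choices drawn from this column, not an official list.

```python
"""Screen an e-mail message for the attachment patterns this column warns about.

Added example, not from the original column. It uses Python's standard `email`
package; the message it screens is constructed here to mirror the column's
description of Sircam and is not a real capture. The extension sets are
illustrative choices (types Windows will execute; Office formats that carry
macros), not an official list.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# File types that run when double-clicked on Windows (or that launch something
# that runs). The second extension of a Sircam attachment comes from this set.
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "lnk", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "reg",
}
# Office formats that can carry document macros (and hence macro viruses).
MACRO_CAPABLE_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pps"}

# Stock phrases the column attributes to the Sircam message body.
SIRCAM_OPENING = re.compile(r"^\s*hi!?\s+how\s+are\s+you\??", re.I | re.M)
SIRCAM_CLOSING = re.compile(r"see\s+you\s+later\.?\s+thanks", re.I)


def classify_filename(name: str) -> list:
    """Return the reasons an attachment filename deserves suspicion (empty list if none)."""
    reasons = []
    exts = name.lower().split(".")[1:]          # every extension after the base name
    if not exts:
        return reasons
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable type .{last}")
        # "report.doc.pif": an innocent extension in front of the real one.
        if len(exts) >= 2 and exts[-2] not in EXECUTABLE_EXTS:
            reasons.append(f"double extension hides .{last} behind .{exts[-2]}")
    elif last in MACRO_CAPABLE_EXTS:
        reasons.append(f".{last} can carry macros; ask the sender for RTF or confirm it")
    return reasons


def screen_message(raw: str) -> dict:
    """Parse a raw RFC 822 message; report per-attachment reasons and a body check."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"attachments": {}, "body_matches_sircam": False}
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if SIRCAM_OPENING.search(text) and SIRCAM_CLOSING.search(text):
        findings["body_matches_sircam"] = True
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings["attachments"][name] = classify_filename(name)
    return findings


def build_sample() -> str:
    """Construct a message shaped like the column's description of Sircam (not a real one)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "budget"             # Sircam took the subject from the file name
    msg.set_content("Hi! How are you?\n\nI wanted your opinion on this\n\n"
                    "See you later. Thanks\n")
    # A few bytes standing in for the worm's executable, under a document's name.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="budget.doc.pif")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    result = screen_message(build_sample())
    print("body looks like Sircam:", result["body_matches_sircam"])
    for name, reasons in result["attachments"].items():
        print(f"  {name}: {', '.join(reasons) or 'nothing suspicious'}")
```

Windows Explorer hides known extensions by default, so "budget.doc.pif" is displayed as "budget.doc"; the check works on the real name carried in the message headers, which is why it catches what the eye misses. A clean result from this script is not a guarantee of safety (a plain ".doc" with a macro virus passes the filename test), so the article's rule of deleting unexpected attachments still stands.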
The CodeRed worms (there are now several) are limited to Web servers (not
ordinary PCs) running the MS-IIS (Internet Information Server) package on
MS-Windows NT or Windows 2000; they enter through a flaw in the IIS indexing
service for which Microsoft had already published a patch. In addition to
defacing Web sites, the initial version of the worm tried to launch a flood of
spurious traffic at the White House Web site from the 20th to the 27th of July;
luckily, a programming decision by the worm's author (the flood was aimed at the
site's numeric Internet address rather than its name) allowed the White House to
avoid the attack simply by moving the site to a different address. The newer
versions of the worm are more insidious: they cause no obvious damage to the
infected system's Web site, but they open an unauthorized access path (a "back
door") into the infected system so that criminal hackers can take control of
it. At this point, the CodeRed worms are spreading ferociously because there
are still MS-IIS installations that have not installed the repairs ("patches")
that prevent infection. For technical information about the CodeRed worms, see
the alerts from the Computer Emergency Response Team Coordination Center
(CERT/CC) at < http://www.cert.org/advisories/CA-2001-19.html > and
< http://www.cert.org/incident_notes/IN-2001-09.html >.
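Anyone responsible for an IIS server wants to know whether the CodeRed worms have been knocking. The CERT alerts cited above describe the worm's probe: an HTTP GET for /default.ida whose query string is padded with a long run of "N" characters (the original CodeRed) or "X" characters (CodeRed II) followed by encoded machine code, and the CodeRed II back door, a copy of the command interpreter placed as root.exe in the server's /scripts and /msadc directories. The Python script below is an added example written for this page, not code from the original column or from the CERT alerts; it reads IIS log lines in the W3C extended format and reports both patterns. The log lines are constructed for the example, with addresses from the documentation ranges rather than real hosts.

```python
"""Report CodeRed probes and back-door use in IIS W3C extended log lines.

Added example (not from the original column). The signatures follow the CERT
alerts the sidebar cites: GET /default.ida with a query string padded by a long
run of N (CodeRed) or X (CodeRed II), and requests for root.exe, the command
interpreter copy that CodeRed II leaves in the /scripts and /msadc directories.
The log lines are constructed; the addresses are documentation ranges.
"""
import re
from collections import Counter

# Padding run right after the script name. In a raw request the two are joined
# by "?"; in an IIS log the query string is a separate, whitespace-separated field.
PROBE = re.compile(r"/default\.ida[?\s]+([NX])\1{19,}", re.I)
# Use of the CodeRed II back door: root.exe in either directory it is dropped in.
BACKDOOR = re.compile(r"/(?:scripts|msadc)/root\.exe", re.I)

# Constructed sample in the W3C extended format IIS writes; the #Fields line
# declares the column order and is honoured by the parser below.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 14:02:11 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 200
2001-07-19 14:02:15 192.0.2.44 GET /index.htm - 200
2001-08-04 09:13:52 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-04 09:13:53 198.51.100.7 GET /scripts/root.exe /c+dir 404
"""


def parse_w3c(log_text: str):
    """Yield one {field: value} dict per data line, naming fields from #Fields."""
    names = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif line.startswith("#") or not line.strip() or names is None:
            continue                      # directive, blank, or no header yet
        else:
            yield dict(zip(names, line.split()))


def find_code_red(log_text: str) -> list:
    """Return one record per matching request: when, source address, kind, status."""
    hits = []
    for rec in parse_w3c(log_text):
        request = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
        probe = PROBE.search(request)
        if probe:
            kind = "CodeRed probe" if probe.group(1).upper() == "N" else "CodeRed II probe"
        elif BACKDOOR.search(request):
            kind = "root.exe back door request"
        else:
            continue
        hits.append({
            "when": rec.get("date", "") + " " + rec.get("time", ""),
            "source": rec.get("c-ip"),
            "kind": kind,
            "status": rec.get("sc-status"),
        })
    return hits


def busiest_sources(hits: list) -> Counter:
    """Count matching requests per source; an infected host probes many targets."""
    return Counter(h["source"] for h in hits)


if __name__ == "__main__":
    found = find_code_red(SAMPLE_LOG)
    for h in found:
        print(f"{h['when']} {h['source']:>14} {h['kind']} (status {h['status']})")
    print("by source:", dict(busiest_sources(found)))
```

A probe in your log means the machine at the source address is already infected and its owner should be told; whether your own server survived the probe depends on whether the IIS patch was installed, not on the status code the log records. A request for root.exe is worse news: someone is trying the back door, and a server that answers it with anything but an error needs to be rebuilt.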
<< end of sidebar >>