As the Internet becomes more and more integrated into everyday lives, we must learn how to defend ourselves against new types of online attacks.

While viruses remain a threat, today's hackers commonly use vicious multi-layered attacks, such as a worm in a chat message that displays a link to a Web page infected with a Trojan horse. “Worms” have been found that tunnel through programs, uncovering new vulnerabilities and reporting them back to hackers. The hackers then quickly assemble malware (malicious software) from pre-made components, exploiting the vulnerability before the majority of people can download a fix.

Below you will find the best tips that you can employ to protect yourself against these emerging sophisticated, multi-faceted threats.

What Can Malware Do to My PC?

Malware opens up backdoors on infected systems, giving hackers direct access to the hijacked PC. In this scenario, a hacker can use the infected PC to upload personal information to a remote system, or to turn the PC into a remotely controlled bot used in criminal activity.

Hackers are designing their attacks to target specific high-value victims instead of simply launching mass-mailing worms and viruses. These programs are being created specifically for data theft.

What About P2P?

Peer-to-peer (P2P) networking has become a launching pad for viruses. Attackers incorporate spyware, viruses, Trojan horses, and worms into their free downloads. One of the most dangerous features of many P2P programs is the “browse host” feature that allows others to directly connect to your computer and browse through file shares.

P2P can accidentally give access to logins, user IDs and passwords; Quicken files and credit reports; personal information such as letters, chat logs, cookies, and emails; and medical records you accidentally house in accessible folders on your PC.
As with email and instant messages, viruses in P2P files are capable of weaving their way through as many users as they can, stealing information and delivering it to cybercriminals who forge identities and commit fraud.

Best Tips to Defend Against Viruses and Worms

You must safeguard your PC. Following these basic rules will help you protect you and your family whenever you go online.

1. Protect your computer with strong security software and keep it updated. McAfee Total Protection for Small Business provides proven PC protection from Trojans, hackers, and spyware. Its integrated anti-virus, anti-spyware, firewall, anti-spam, anti-phishing, and backup technologies work together to combat today's advanced multi-faceted attacks. It scans disks, email attachments, files downloaded from the Web, and documents generated by word processing and spreadsheet programs.

2. Use a security-conscious Internet service provider (ISP) that implements strong anti-spam and anti-phishing procedures.

3. Enable automatic Windows® updates or download Microsoft® updates regularly to keep your operating system patched against known vulnerabilities. Install patches from other software manufacturers as soon as they are distributed. A fully patched computer behind a firewall is the best defense against Trojan and spyware installation.

4. Use caution when opening attachments. Configure your anti-virus software to automatically scan all email and instant message attachments. Make sure your email program doesn't automatically open attachments or automatically render graphics, and ensure that the preview pane is turned off. Never open unsolicited emails, or attachments that you're not expecting—even from people you know.

5. Be careful when engaging in peer-to-peer (P2P) file-sharing. Trojans hide within file-sharing programs waiting to be downloaded. Use the same precautions when downloading shared files that you do for email and instant messaging. Avoid downloading files with the extensions .exe, .scr, .lnk, .bat, .vbs, .dll, .bin, and .cmd.

6. Use security precautions for your PDA, cell phone, and Wi-Fi devices. Viruses and Trojans arrive as an email/IM attachment, are downloaded from the Internet, or are uploaded along with other data from a desktop. Cell phone viruses and mobile phishing attacks are in the beginning stages, but will become more common as more people access mobile multimedia services and Internet content directly from their phones. Always use a PIN code on your cell phone, and never install or download mobile software from an unknown source.

7. Configure your instant messaging application correctly. Make sure it does not open automatically when you fire up your computer.

8. Beware of spam-based phishing schemes. Don't click on links in emails or IM.

9. Back up your files regularly and store the backups somewhere besides your PC. If you fall victim to a virus attack, you can recover photos, music, movies, and personal information like tax returns and bank statements.

10. Stay aware of current virus news by checking sites like the McAfee® Avert® Threat Center.
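Tip 5 lists the extensions to avoid, and the IRChelp advice further down this page adds that Windows hides the last extension by default and that only the last extension counts. The following Python is added here as an example (it is not part of the original page or of any McAfee product): it applies both rules to a batch of incoming file names, showing what Explorer would display with extensions hidden, which extension actually takes effect, and which names are risky or disguised. The extension sets and the sample names are constructed for the example; two of the names are the trojan file names quoted on this page.

```python
from __future__ import annotations

from dataclasses import dataclass

# Extensions this page's tips say to avoid downloading (tip 5, plus the "com"
# extension named in the IRChelp section). Constructed set for this example.
RISKY_EXTENSIONS = frozenset({
    ".exe", ".scr", ".lnk", ".bat", ".vbs", ".dll", ".bin", ".cmd", ".com",
})

# Harmless-looking extensions that get placed in front of the real one, as in
# "susie.jpg.exe" or "LOVE-LETTER-FOR-YOU.TXT.vbs". Constructed set.
DECOY_EXTENSIONS = frozenset({
    ".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3", ".avi",
})


@dataclass(frozen=True)
class Verdict:
    filename: str        # name exactly as it arrived
    shown_as: str        # what Explorer shows with "hide extensions" enabled
    effective_ext: str   # the last extension, the one Windows acts on
    risky: bool          # effective extension is executable or script content
    disguised: bool      # a decoy extension sits in front of a risky one


def extensions(filename: str) -> list[str]:
    """Return every extension of the name, lower-cased, in order."""
    # Windows drops trailing dots and spaces when it creates the file, so
    # "notes.txt. " is stored as "notes.txt" and must be judged as such.
    name = filename.strip().rstrip(". ")
    parts = name.split(".")
    if len(parts) < 2:
        return []
    return ["." + p.lower() for p in parts[1:]]


def assess(filename: str) -> Verdict:
    """Apply the page's two rules (last extension counts; it is hidden) to one name."""
    name = filename.strip().rstrip(". ")
    exts = extensions(name)
    if not exts:
        return Verdict(filename, name, "", False, False)
    effective = exts[-1]
    # Explorer's default hides only the final extension, so the user sees
    # everything before it, including any decoy extension.
    shown_as = name[: len(name) - len(effective)]
    risky = effective in RISKY_EXTENSIONS
    disguised = risky and any(e in DECOY_EXTENSIONS for e in exts[:-1])
    return Verdict(filename, shown_as, effective, risky, disguised)


def triage(filenames: list[str]) -> dict[str, list[str]]:
    """Sort a batch of incoming names: block double-extension tricks, warn on
    executables, allow the rest (which still deserve an anti-virus scan)."""
    buckets: dict[str, list[str]] = {"block": [], "warn": [], "allow": []}
    for fn in filenames:
        v = assess(fn)
        if v.disguised:
            buckets["block"].append(fn)
        elif v.risky:
            buckets["warn"].append(fn)
        else:
            buckets["allow"].append(fn)
    return buckets


if __name__ == "__main__":
    # Constructed sample of names as they might arrive over IM, P2P or e-mail.
    sample = [
        "susie.jpg.exe",
        "LOVE-LETTER-FOR-YOU.TXT.vbs",
        "dmsetup.exe",
        "holiday.jpg",
        "notes.txt. ",
        "README",
    ]
    for fn in sample:
        v = assess(fn)
        print(f"{fn!r:32} shown as {v.shown_as!r:28} ext={v.effective_ext or '-':5} "
              f"risky={v.risky} disguised={v.disguised}")
    print(triage(sample))
```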
A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless. A typical effect is the undesired insertion of some comic text at certain points when writing a line. A macro virus is often spread as an e-mail virus. A well-known example in March, 1999 was the Melissa virus.

Melissa is a fast-spreading macro virus that is distributed as an e-mail attachment that, when opened, disables a number of safeguards in Word 97 or Word 2000, and, if the user has the Microsoft Outlook e-mail program, causes the virus to be resent to the first 50 people in each of the user's address books. While it does not destroy files or other resources, Melissa has the potential to disable corporate and other mail servers as the ripple of e-mail distribution becomes a much larger wave. On Friday, March 26, 1999, Melissa caused the Microsoft Corporation to shut down incoming e-mail. Intel and other companies also reported being affected. The U.S. Department of Defense-funded Computer Emergency Response Team (CERT) issued a warning about the virus and developed a fix.

How Melissa Works

Melissa arrives in an attachment to an e-mail note with the subject line "Important Message from [the name of someone]," and body text that reads "Here is that document you asked for...don't show anyone else ;-)". The attachment is often named LIST.DOC. If the recipient clicks on or otherwise opens the attachment, the infecting file is read to computer storage. The file itself originated in an Internet alt.sex newsgroup and contains a list of passwords for various Web sites that require memberships. The file also contains a Visual Basic script that copies the virus-infected file into the normal.dot template file used by Word for custom settings and default macros. It also creates this entry in the Windows registry:
What is Identity Theft?

Identity theft, also known as ID theft, is a crime in which a criminal obtains key pieces of personal information, such as Social Security or driver's license numbers, in order to pose as someone else. The information can be used to obtain credit, merchandise, and services using the victim's name. Identity theft can also provide a thief with false credentials for immigration or other applications. One of the biggest problems with identity theft is that very often the crimes committed by the identity theft expert are attributed to the victim.

There are two main types of identity theft – account takeover and true name theft. Account takeover identity theft refers to the type of situation where an imposter uses the stolen personal information to gain access to the person's existing accounts. Often the identity thief will use the stolen identity to acquire even more credit products by changing your address so that you never see the credit card bills that the thief runs up.

True name identity theft means that the thief uses personal information to open new accounts. The thief might open a new credit card account, establish cellular phone service, or open a new checking account in order to obtain blank checks. The Internet has made it easier for an identity thief to use the information they've stolen because transactions can be made without any real verification of someone's identity. All a thief really needs today is a series of correct numbers to complete the crime. Companies like LifeLock can monitor if a thief has gotten access to and used any of your personal information.

Trojan

In the IT world, a Trojan horse is used to enter a victim's computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing great damage to the victim.
A Trojan can be a hidden program that runs on your computer without your knowledge, or it can be "wrapped" into a legitimate program, meaning that this program may therefore have hidden functions that you are not aware of.

How a Trojan Works

Trojans typically consist of two parts, a client part and a server part. When a victim (unknowingly) runs a Trojan server on his machine, the attacker then uses the client part of that Trojan to connect to the server module and start using the Trojan. The protocol usually used for communications is TCP, but some Trojan functions use other protocols, such as UDP, as well. When a Trojan server runs on a victim's computer, it (usually) tries to hide somewhere on the computer; it then starts listening for incoming connections from the attacker on one or more ports, and attempts to modify the registry and/or use some other auto-starting method.

It is necessary for the attacker to know the victim's IP address to connect to his/her machine. Many Trojans include the ability to mail the victim's IP and/or message the attacker via ICQ or IRC. This system is used when the victim has a dynamic IP, that is, every time he connects to the Internet, he is assigned a different IP (most dial-up users have this). ADSL users have static IPs, meaning that in this case, the infected IP is always known to the attacker; this makes it considerably easier for an attacker to connect to your machine.

Most Trojans use an auto-starting method that allows them to restart and grant an attacker access to your machine even when you shut down your computer. Trojan writers are constantly on the hunt for new auto-starting methods and other such tricks, making it hard to keep up with their new discoveries in this area. As a rule, attackers start by "joining" the Trojan to some executable file that you use very often, such as explorer.exe, and then proceed to use known methods to modify system files or the Windows Registry.

For an in-depth look at the different types of Trojans, why they pose a danger to corporate networks, and how to protect your network against them, please click here.

Trojan Horse Attacks

If you were referred here, you may have been "hacked" by a Trojan horse attack. It's crucial that you read this page and fix yourself immediately. Failure to do so could result in being disconnected from the IRC network, letting strangers access your private files, or worse yet, allowing your computer to be hijacked and used in criminal attacks on others.

by Joseph Lo aka Jolo, with much help from countless others
This page is part of IRChelp.org's security section at http://www.irchelp.org/irchelp/security/
updated Feb 5, 2006

Contents:
I. What is a Trojan horse?
II. How did I get infected?
III. How do I avoid getting infected in the future?
IV. How do I get rid of trojans?!?
Appendices

I. What is a Trojan horse?

Trojan horse attacks pose one of the most serious threats to computer security. If you were referred here, you may have not only been attacked but may also be attacking others unknowingly. This page will teach you how to avoid falling prey to them, and how to repair the damage if you already did.
According to legend, the Greeks won the Trojan war by hiding in a huge, hollow wooden horse to sneak into the fortified city of Troy. In today's computer world, a Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign". For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to commit illegal denial of service attacks like those that have virtually crippled the DALnet IRC network for months on end.

The following general information applies to all operating systems, but by far most of the damage is done to/with Windows users due to its vast popularity and many weaknesses.

(Note: Many people use terms like Trojan horse, virus, worm, hacking and cracking all interchangeably, but they really don't mean the same thing. If you're curious, here's a quick primer defining and distinguishing them. Let's just say that once you are "infected", trojans are just as dangerous as viruses and can spread to hurt others just as easily!)

II. How did I get infected?

Trojans are executable programs, which means that when you open the file, it will perform some action(s). In Windows, executable programs have file extensions like "exe", "vbs", "com", "bat", etc. Some actual trojan filenames include: "dmsetup.exe" and "LOVE-LETTER-FOR-YOU.TXT.vbs" (when there are multiple extensions, only the last one counts, so be sure to unhide your extensions so that you see it). More information on risky file extensions may be found at this Microsoft document.

Trojans can be spread in the guise of literally ANYTHING people find desirable, such as a free game, movie, song, etc. Victims typically downloaded the trojan from a WWW or FTP archive, got it via peer-to-peer file exchange using IRC/instant messaging/Kazaa etc., or just carelessly opened some email attachment. Trojans usually do their damage silently. The first sign of trouble is often when others tell you that you are attacking them or trying to infect them!

III. How do I avoid getting infected in the future?

You must be certain of BOTH the source AND content of each file you download! In other words, you need to be sure that you trust not only the person or file server that gave you the file, but also the contents of the file itself.

Here are some practical tips to avoid getting infected (again).
For more general security information, please see our main security help page.

1. NEVER download blindly from people or sites which you aren't 100% sure about. In other words, as the old saying goes, don't accept candy from strangers. If you do a lot of file downloading, it's often just a matter of time before you fall victim to a trojan.

2. Even if the file comes from a friend, you still must be sure what the file is before opening it, because many trojans will automatically try to spread themselves to friends in an email address book or on an IRC channel. There is seldom reason for a friend to send you a file that you didn't ask for. When in doubt, ask them first, and scan the attachment with a fully updated anti-virus program.

3. Beware of hidden file extensions! Windows by default hides the last extension of a file, so that innocuous-looking "susie.jpg" might really be "susie.jpg.exe" - an executable trojan! To reduce the chances of being tricked, unhide those pesky extensions.

4. NEVER use features in your programs that automatically get or preview files. Those features may seem convenient, but they let anybody send you anything, which is extremely reckless. For example, never turn on "auto DCC get" in mIRC; instead ALWAYS screen every single file you get manually. Likewise, disable the preview mode in Outlook and other email programs.

5. Never blindly type commands that others tell you to type, or go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts (not even popular ones). If you do so, you are potentially trusting a stranger with control over your computer, which can lead to trojan infection or other serious harm.

6. Don't be lulled into a false sense of security just because you run anti-virus programs. Those do not protect perfectly against many viruses and trojans, even when fully up to date. Anti-virus programs should not be your front line of security, but instead they serve as a backup in case something sneaks onto your computer.

7. Finally, don't download an executable program just to "check it out" - if it's a trojan, the first time you run it, you're already infected!

IV. How do I get rid of trojans?!?

Here are your many options; none of them are perfect. I strongly suggest you read through all of them before rushing out and trying to run some program blindly. Remember - that's how you got in this trouble in the first place. Good luck!

1. Clean Re-installation: Although arduous, this will always be the only sure way to eradicate a trojan or virus. Back up your entire hard disk, reformat the disk, re-install the operating system and all your applications from original CDs, and finally, if you're certain they are not infected, restore your user files from the backup. If you are not up to the task, you can pay for a professional repair service to do it.

2. Anti-Virus Software: Some of these can handle most of the well known trojans, but none are perfect, no matter what their advertising claims. You absolutely MUST make sure you have the very latest update files for your programs, or else they will miss the latest trojans. Compared to traditional viruses, today's trojans evolve much quicker and come in many seemingly innocuous forms, so anti-virus software is always going to be playing catch up. Also, if they fail to find every trojan, anti-virus software can give you a false sense of security, such that you go about your business not realizing that you are still dangerously compromised. There are many products to choose from, but the following are generally effective: AVP, PC-cillin, and McAfee VirusScan. All are available for immediate downloading, typically with a 30 day free trial. For a more complete review of all major anti-virus programs, including specific configuration suggestions for each, see the HackFix Project's anti-virus software page [all are ext. links]. When you are done, make sure you've updated Windows with all security patches [ext. link].

3. Anti-Trojan Programs: These programs are the most effective against trojan horse attacks, because they specialize in trojans instead of general viruses. A popular choice is The Cleaner, $30 commercial software with a 30 day free trial. To use it effectively, you must follow hackfix.org's configuration suggestions [ext. link]. When you are done, make sure you've updated Windows with all security patches [ext. link], then change all your passwords because they may have been seen by every "hacker" in the world.

4. IRC Help Channels: If you're the type that needs some hand-holding, you can find trojan/virus removal help on IRC itself, such as EFnet #dmsetup or DALnet #NoHack. These experts will try to figure out which trojan(s) you have and offer you advice on how to fix it. The previous directions were in fact adapted from advice given by EFnet #dmsetup. (See our networks page if you need help connecting to those networks.)

Appendices:

These files were referred to in the text above, and provide additional information.
IRChelp.org Security Page
Hacker / Cracker / Trojan / Virus? - A Primer on Terminology
How to unhide Windows file extensions

Why Use A Rootkit?

A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system, without the computer system user knowing about it. This means that the owner of the rootkit is capable of executing files and changing system configurations on the target machine, as well as accessing log files or monitoring activity to covertly spy on the user's computer usage.

Is A Rootkit Malware?

That may be debatable. There are legitimate uses for rootkits by law enforcement or even by parents or employers wishing to retain remote command and control and/or the ability to monitor activity on their employees' / children's computer systems. Products such as eBlaster or Spector Pro are essentially rootkits which allow for such monitoring.

However, most of the media attention given to rootkits is aimed at malicious or illegal rootkits used by attackers or spies to infiltrate and monitor systems. But, while a rootkit might somehow be installed on a system through the use of a virus or Trojan of some sort, the rootkit itself is not really malware.

Detecting A Rootkit

Detecting a rootkit on your system is easier said than done. Currently, there is no off-the-shelf product to magically find and remove all of the rootkits of the world like there is for viruses or spyware.

There are various ways to scan memory or file system areas, or look for hooks into the system from rootkits, but not many of them are automated tools, and those that are often focus on detecting and removing a specific rootkit. Another method is just to look for bizarre or strange behavior on the computer system.
If there are suspicious things going on, you might be compromised by a rootkit. Of course, you might also just need to clean up your system using tips from a book like Degunking Windows.

In the end, many security experts suggest a complete rebuild of a system compromised by a rootkit or suspected of being compromised by a rootkit. The reason is, even if you detect files or processes associated with the rootkit, it is difficult to be 100% sure that you have in fact removed every piece of the rootkit. Peace of mind can be found by completely erasing the system and starting over.
Protecting Yourself From Rootkits

As mentioned above regarding detecting rootkits, there is no packaged application to guard against rootkits. It was also mentioned above that rootkits, while they may be used for malicious purposes at times, are not necessarily malware.

Many malicious rootkits manage to infiltrate computer systems and install themselves by propagating with a malware threat such as a virus. You can safeguard your system from rootkits by ensuring it is kept patched against known vulnerabilities, that antivirus software is updated and running, and that you don't accept files from or open email file attachments from unknown sources. You should also be careful when installing software and read carefully before agreeing to EULAs (end user license agreements), because some may state overtly that a rootkit of some sort will be installed.

So what does a Rootkit do?

What it does do is provide access to all your folders – both private data and system files – to a remote user who, through administrative powers, can do whatever he wants with your computer. Needless to say, every user should be aware of the threat they pose.

Rootkits generally go much deeper than the average virus. They may even infect your BIOS – the part of your computer that's independent of the Operating System – making them harder to remove. And they may not even be Windows-specific; even Linux or Apple machines could be affected. In fact, the first rootkit ever written was for Unix!
Is this a new phenomenon?

No, not at all. The earliest known rootkit is in fact two decades old. However, now that every home and every work desk has a computer that is connected to the internet, the possibilities for using the full potential of a rootkit are only just being realized.

Possibly the most famous case so far was in 2005, when CDs sold by Sony BMG installed rootkits without user permission that allowed any user logged in at the computer to access the administrator mode. The purpose of that rootkit was to enforce copy protection (called "Digital Rights Management" or DRM) on the CDs, but it compromised the computer it was installed on. This process could easily be hijacked for malicious purposes.

What makes it different from a virus?

Most often, rootkits are used to control and not to destroy. Of course, this control could be used to delete data files, but it can also be used for more nefarious purposes.

More importantly, rootkits run at the same privilege levels as most antivirus programs. This makes them that much harder to remove, as the computer cannot decide which program has a greater authority to shut down the other.
So how might I get infected with a rootkit?

As mentioned above, a rootkit may piggyback along with software that you thought you trusted. When you give this software permission to install on your computer, it also inserts a process that waits silently in the background for a command. And, since to give permission you need administrative access, this means that your rootkit is already in a sensitive location on the computer.

Another way to get infected is by standard viral infection techniques – either through shared disks and drives or through infected web content. This infection may not easily get spotted because of the silent nature of rootkits.

There have also been cases where rootkits came pre-installed on purchased computers. The intentions behind such software may be good – for example, anti-theft identification or remote diagnosis – but it has been shown that the mere presence of such a path to the system itself is a vulnerability.

So, that was about what exactly a rootkit is and how it creeps into a computer. In my next article I'll discuss how to defend your computer from rootkits – from protection to cleaning up.

What is the difference between viruses, worms, and Trojans?

What is a virus?

A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:

It must execute itself. It often places its own code in the path of execution of another program.
It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file.

Viruses can infect desktop computers and network servers alike. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

Five recognized types of viruses

File infector viruses
File infector viruses infect program files. These viruses normally infect executable code, such as .com and .exe files. They can infect other files when an infected program is run from floppy, hard drive, or from the network. Many of these viruses are memory resident. After memory becomes infected, any noninfected executable that runs becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.

Boot sector viruses
Boot sector viruses infect the system area of a disk; that is, the boot record on floppy disks and hard disks. All floppy disks and hard disks (including disks containing only data) contain a small program in the boot record that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and activate when the user attempts to start up from the infected disk. These viruses are always memory resident in nature. Most were written for DOS, but all PCs, regardless of the operating system, are potential targets of this type of virus. All that is required to become infected is to attempt to start up your computer with an infected floppy disk. Thereafter, while the virus remains in memory, all floppy disks that are not write protected will become infected when the floppy disk is accessed.
Examples of boot sector viruses are Form, Disk Killer, Michelangelo, and Stoned.Master boot record Master boot record viruses are memory-resident viruses that infect disks in the same manner as boot sectorviruses viruses. The difference between these two virus types is where the viral code is located. Master boot record infectors normally save a legitimate copy of the master boot record in an different location. Windows NT computers that become infected by either boot sector viruses or master boot sector viruses will not boot. This is due to the difference in how the operating system accesses its boot information, as compared to Windows 98/Me. If your Windows NT systems is formatted with FAT partitions you can usually remove the virus by booting to DOS and using antivirus software. If the boot partition is NTFS, the system must be recovered by using the three Windows NT Setup disks. Examples of master boot record infectors are NYB, AntiExe, and Unashamed.Multipartite viruses Multipartite (also known as polypartite) viruses infect both boot records and program files. These are particularly difficult to repair. If the boot area is cleaned, but the files are not, the boot area will be reinfected. The same holds true for cleaning infected files. If the virus is not removed from the boot area, any files that you have cleaned will be reinfected. Examples of multipartite viruses include One_Half, Emperor, Anthrax and Tequilla.Macro viruses These types of viruses infect data files. They are the most common and have cost corporations the most money and time trying to repair. With the advent of Visual Basic in Microsofts Office 97, a macro virus can be written that not only infects data files, but also can infect other files as well. Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files. Newer strains are now turning up in other programs as well. 
All of these viruses use another program's internal programming language, which was created to allow users to automate certain tasks within that program. Because of the ease with which these viruses can be created, there are now thousands of them in circulation. Examples of macro viruses include W97M.Melissa, WM.NiceDay and W97M.Groov.

What is a Trojan horse?
Trojan horses are impostors: files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that, when triggered, causes loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet. Trojan.Vundo is a Trojan horse.
What is a worm?
Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. W32.Mydoom.AX@mm is an example of a worm.

What is a virus hoax?
Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. Following are some of the common phrases that are used in these hoaxes:

If you receive an email titled [email virus hoax name here], do not open it! Delete it immediately! It contains the [hoax name] virus. It will delete everything on your hard drive and [extreme and improbable danger specified here]. This virus was announced today by [reputable organization name here]. Forward this warning to everyone you know!

Most virus hoax warnings do not deviate far from this pattern. If you are unsure if a virus warning is legitimate or a hoax, additional information is available at the Symantec Security Response online database.

What is not a virus?
Because of the publicity that viruses have received, it is easy to blame any computer problem on a virus. The following are not likely to be caused by a virus or other malicious code:

Hardware problems: No viruses can physically damage computer hardware, such as chips, boards, and monitors.

The computer beeps at startup with no screen display: This is usually caused by a hardware problem during the boot process. Consult your computer documentation for the meaning of the beep codes.

The computer does not register 640 KB of conventional memory: This can be a sign of a virus, but it is not conclusive.
Some hardware drivers, such as those for the monitor or SCSI card, can use some of this memory. Consult with your computer manufacturer or hardware vendor to determine if this is the case.

You have two antivirus programs installed and one of them reports a virus: This might be a virus, but it can also be caused by one antivirus program detecting the other program's signatures in memory. For additional information, see "Should you run more than one antivirus program at the same time?"

Microsoft Word warns you that a document contains a macro: This does not mean that the macro is a virus.

You cannot open a particular document: This is not necessarily an indication of a virus. Try opening another document or a backup of the document in question. If other documents open correctly, the document may be damaged.
The label on a hard drive has changed: Every disk is allowed to have a label. You can assign a label to a disk by using the DOS Label command or from within Windows.

When you run ScanDisk, Norton AntiVirus Auto-Protect reports virus-like activity: For instructions on what to do, read "Alert: 'Virus Like Activity detected. The application . . . is attempting to write to the file . . . What would you like to do?'"

Additional information
For the most up-to-date information on viruses, go to the Symantec Security Response online database.
To submit a file or disk that you suspect is infected with a virus, please read one of the following documents:
Submitting a file to Symantec Security Response over the Internet or on a floppy disk
Submitting a file to Symantec Security Response using Scan and Deliver

What is safe computing?
With all the hype, it is easy to believe that viruses lurk in every file, every email, every Web site. However, a few basic precautions can minimize your risk of infection. Practice safe computing and encourage everyone you know to do so as well.

General precautions
Do not leave a floppy disk in the floppy disk drive when you shut down or restart the computer.
Write-protect your floppy disks after you have finished writing to them.
Be suspicious of email attachments from unknown sources.
Verify that attachments have been sent by the author of the email. Newer viruses can send email messages that appear to be from people you know.
Do not set your email program to "auto-run" attachments.
Obtain all Microsoft security updates.
Back up your data frequently. Keep the write-protected media in a safe place, preferably in a different location than your computer.

Specific to Norton AntiVirus
Make sure that you have the most recent virus definitions. We recommend that you run LiveUpdate at least once per week. Symantec Security Response updates virus definitions in response to new virus threats. For additional information, please see "How to Run LiveUpdate".
Make sure that you have set Norton AntiVirus to scan floppy disks on access and at shutdown. Please see your User's Guide for information on how to do this in your version of Norton AntiVirus.
Always keep Norton AntiVirus Auto-Protect running. Symantec Security Response now strongly recommends that you have Norton AntiVirus set to scan all files, not just program files.
Scan all new software before you install it. Because boot sector viruses spread by floppy disks and bootable CDs, every floppy disk and CD should be scanned for viruses. Shrink-wrapped software, demo disks from suppliers, and trial software are not exempt from this rule. Viruses have been found even on retail software.
Scan all media that someone else has given you.
Use caution when opening email attachments. Email attachments are a major source of virus infections. Microsoft Office attachments for Word, Excel, and Access can be infected by macro viruses. Other attachments can contain file infector viruses. Norton AntiVirus Auto-Protect will scan these attachments for viruses as you open or detach them. We recommend that you enable email scanning, which will scan email attachments before the email message is sent to your email program.

Nine ways how hackers propagate malware (1 of 2)
Mar 24th, 2009 by carrumba

Malware propagation is one of the most fascinating parts of the attacker's activities and is attracting, besides the anger of the affected people, the most attention. It is the part where all the magic of infection and intrusion happens, where attackers release the malicious software to the wild and try to infect new victim systems as quickly or as targeted as possible; their victims are left wondering how the heck that could have happened.
The goal of this article is to give you an overview of how and where attackers release malware. It will show you the common infection points where people get in first contact with malware and what action the software has to execute to initiate the infection process.

Method 1 : Sending the Trojan horse as email attachment
One of the oldest but still very effective ways people get infected is via email, by opening an attached file. Email is the most used way people communicate over the Internet.
Almost everyone owns an email address and is using it regularly. It is easy to use, and it's accessible from everywhere you have Internet access. Today, most email services are free too.
As already mentioned, sending malware as an email attachment was already a propagation method in the early days. The attacker prepared the Trojan horse, sent it to all the recipients on his list and waited until the infected systems connected back. Simple and straightforward. The only thing the recipient (the victim) had to do was to double-click the attachment to initiate the infection process. Back in the days anti-virus software was not as widespread as
it is nowadays, and people were not that cautious and sensitised to this kind of threat. Many email users were only a double-click away from the infection.
Today, as AV software is installed on virtually every computer and people are aware of the threat, that way of propagation still works surprisingly well. But things turn out slightly more difficult. AV software doesn't accept *.exe, *.com, *.bat or *.pif files anymore, and it also checks archives like *.zip or *.rar files for executable files. If they contain files with suspicious file name extensions it raises a warning and interrupts the execution. But because there is still a big mass of potential victims among the email users who obstinately ignore any kind of warning, the infection rate is still high, and for an attacker this archaic means is still promising and valuable.

Method 2 : Infection via browser bugs
The browser is doubtlessly the most used application on a computer. We use it to surf the Internet, to check our mail of course, to chat, and many programs people had once installed locally on the computer are now loaded into the browser and ready to use, for example text processing programs or spreadsheets. Browsers have a big importance, and over the years their functionality and extensions grew and changed their usage enormously. With this quick development and the possibility to install plugins, the number of attack vectors grew as well. Code reviews were conducted more often, and not only on the browsers but also on the plugins, which revealed many critical and also not so critical bugs. These circumstances also attracted the attackers' attention and allowed them new ways to spread their malware. By leading a victim to a site that contains malicious HTML, scripting or plugin code, an attacker can force the victim's browser to execute hidden actions, force it to download and install the damage routine of the Trojan horse and infect the system that way.
This is much more convenient than the variant with the infected attachment.
An email containing a simple link to a homepage doesn't seem suspicious, and additionally it is a one-click infection (instead of a double-click).

Method 3 : Removable data storage devices
There was once a time when classic computer virus propagation happened by sharing infected floppy discs and executing program files. To share and to execute was simply the only method. Even if floppy disks are not in use as a data storage device anymore (maybe you're still using one as a boot device), the method itself is still in use. In the meantime CD-ROMs and USB memory sticks replaced the floppy discs almost completely, and Microsoft introduced the Autorun feature that executes commands automatically when a new data storage device is connected. This combination of removable storage devices and auto-execution revived the ancient propagation method, and USB memory sticks and CD-ROMs/DVDs served, besides being a data storage medium, also as a host to infect computers with malware.
Here is an example of how the file autorun.inf has to look:
[autorun]
open=installMegapanzer.exe
icon=myIcon.ico

This way of malware propagation was used a lot in the past, and Microsoft and also other installed 3rd party software will trigger an alert if a data storage device is using the autorun feature. So this method is not that reliable anymore and has its restrictions.
Additionally and worth mentioning: a Trojan horse itself can, once running on a victim's system, infect other writable USB data storage devices and so propagate in the old known manner, as it happened with the floppy disks. Ancient but proven.

Method 4 : File sharing networks
Another common way to propagate malware is using the different Internet-based file sharing networks like Bittorrent, Emule, Limewire etc. An attacker tries to get hold of a new release of a popular software and injects his malicious code into the genuine software packet. After the initial infection the attacker offers the infected file to other users for download.
There are two advantages coming with this method:
If a victim downloads the infected file he's "expecting" an executable file and doesn't become suspicious just because of its file extension. He "will" execute it after downloading.
Once the file is downloaded by the first victim, the availability of the file has doubled. Two people now offer the infected file for download.
What the attacker has to do is only to make sure he is using a popular software, and the propagation will advance at a fast pace.

What's coming up in the second article
The goal of the first part was to describe the methods how attackers propagate their malware by distributing it in an active way, by sending "something" to the victims expecting they execute an action with this "something". These ways are well known to all of us because the media permanently informs us about the threats we are exposed to and the latest incidents that happened, and gives us the relevant background information.
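A defender-side check for the autorun.inf format shown under Method 3, as an added example that is not code from the article: it parses the [autorun] section, reports every directive that would make Autorun launch a program (open, shellexecute and shell\verb\command entries, a list that is this example's own assumption), and resolves the referenced file against the medium's root. The sample file content and the directory layout are constructed.

```python
"""Audit an autorun.inf found on removable media.

Added example: parses the [autorun] section of an autorun.inf, lists every
directive that would cause Windows Autorun to execute a file, and checks
whether that file is actually present on the medium. The sample content
and the temporary directory layout are constructed for the demonstration.
"""
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed copy of the autorun.inf shown in the article.
SAMPLE_AUTORUN = """\
[autorun]
open=installMegapanzer.exe
icon=myIcon.ico
"""

# Directives whose value is a program to launch (lower-cased). Entries of
# the form shell\<verb>\command are matched separately in executes_code().
# This list is an assumption of the example, not Microsoft's documentation.
EXEC_KEYS = ("open", "shellexecute")


@dataclass(frozen=True)
class AutorunFinding:
    key: str        # directive name, lower-cased
    command: str    # raw value from the file
    target: str     # file the command would run (first token, quotes stripped)
    exists: bool    # whether that file is present on the medium


def parse_autorun(text: str) -> dict[str, str]:
    """Return key=value pairs of the [autorun] section; keys are case-insensitive."""
    entries: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def executes_code(key: str) -> bool:
    """True for directives that launch a program rather than set an icon or label."""
    return key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def audit_autorun(text: str, medium_root: Path) -> list[AutorunFinding]:
    """List what Autorun would launch from this file, checked against the medium."""
    findings: list[AutorunFinding] = []
    for key, value in parse_autorun(text).items():
        if not executes_code(key):
            continue
        tokens = value.split()
        target = tokens[0].strip('"') if tokens else ""
        findings.append(AutorunFinding(key, value, target, (medium_root / target).is_file()))
    return findings


def audit_sample() -> list[AutorunFinding]:
    """Lay out a constructed medium in a temp directory and audit SAMPLE_AUTORUN on it."""
    with tempfile.TemporaryDirectory() as root:
        medium = Path(root)
        # Placeholder files standing in for the stick's contents; not real programs.
        (medium / "installMegapanzer.exe").write_bytes(b"placeholder, not a real program")
        (medium / "myIcon.ico").write_bytes(b"")
        return audit_autorun(SAMPLE_AUTORUN, medium)


if __name__ == "__main__":
    for f in audit_sample():
        state = "present" if f.exists else "MISSING"
        print(f"{f.key}: would run {f.target!r} ({state}); full command: {f.command!r}")
```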
In the next article I will give you an understanding of how to inject the malware in a victim's browsing session by taking over and controlling his data stream. More subliminal, more state

Data-stealing malware is a web threat that divests victims of personal and proprietary information with the purpose of monetizing stolen data through direct use or underground distribution. Content security threats that fall under this umbrella include keyloggers, screen scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in file download or direct installation, as most hybrid attacks do, files that act as agents to proxy information will fall into the data-stealing malware category.

Characteristics of data-stealing malware
Does not leave traces of the event
  The malware is typically stored in a cache that is routinely flushed
  The malware may be installed via a drive-by-download process
  The website hosting the malware as well as the malware is generally temporary or rogue
Frequently changes and extends its functions
  It is difficult for antivirus software to detect final payload attributes due to the combination(s) of malware components
  The malware uses multiple file encryption levels
Thwarts Intrusion Detection Systems (IDS) after successful installation
  There are no perceivable network anomalies
  The malware hides in web traffic
  The malware is stealthier in terms of traffic and resource use
Thwarts disk encryption
  Data is stolen during decryption and display
  The malware can record keystrokes, passwords, and screenshots
Thwarts Data Loss Prevention (DLP)
  Leakage protection hinges on metadata tagging; not everything is tagged
  Miscreants can use encryption to port data

Examples of data-stealing malware
Bancos, an info stealer that waits for the user to access banking websites, then spoofs pages of the bank website to steal sensitive information.
Gator, spyware that covertly monitors web-surfing habits, uploads data to a server for analysis, then serves targeted pop-up ads.
LegMir, spyware that steals personal information such as account names and passwords related to online games.
Qhost, a Trojan that modifies the Hosts file to point to a different DNS server when banking sites are accessed, then opens a spoofed login page to steal login credentials for those financial institutions.

Data-stealing malware incidents
Albert Gonzalez (not to be confused with the U.S. Attorney General Alberto Gonzalez) is accused of masterminding a ring to use malware to steal and sell more than 170 million credit card numbers in 2006 and 2007, the largest computer fraud in history. Among the firms targeted were BJ's Wholesale Club, TJX, DSW Shoes, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21.
A Trojan horse program stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc's job search service.
The data was used by cybercriminals to craft phishing emails targeted at Monster.com users to plant additional malware on users' PCs.
Customers of Hannaford Bros. Co., a supermarket chain based in Maine, were victims of a data security breach involving the potential compromise of 4.2 million debit and credit cards. The company was hit by several class-action lawsuits.
The Torpig Trojan has compromised and stolen login credentials from approximately 250,000 online bank accounts as well as a similar number of credit and debit cards. Other
information such as email and FTP accounts from numerous websites have also been compromised and stolen.

The trends appear quite similar to the month prior: the most popular encyclopedia entry is still Bancos, and we still have several Vundo pages in the list. We covered Vundo last month, so I'll go into a little more detail about the Bancos trojan.
Bancos is a password-stealing trojan that originally targeted Brazilian on-line banking users. It's a relatively old and diverse family; we've been detecting it for several years now and have seen thousands of unique samples. We first added it to MSRT in September 2006. We've seen Bancos distributed via virtually all the usual propagation vectors: spam emails, browser exploits, p2p, irc, disguised as other software, dropped by other malware, just to name a few.
Bancos exhibits a wide variety of behaviors; however, essentially all variants attempt to steal banking or financial passwords using one (or several) common techniques. Some examples of these techniques include redirecting users to fake pages, monitoring keystrokes, interfering with browsers, searching for cached passwords, etc.
After it has started, Bancos typically will search the system for cached passwords and then remain memory resident, waiting for a browser window with a title that it's been instructed to look for. If a victim visits a page with a page title that the trojan is looking for, it will typically either capture data or present the user with a false version of the page, enabling it to capture the victim's credentials.
Once found, credentials are transmitted back to the distributor (often via email or ftp). We've seen quite a few samples using mail servers belonging to large web-mail providers to send the stolen credentials, often to yet another web-based e-mail account.
The bottom line is: change your passwords regularly. Particularly after finding (and removing) any malware running on your system.
Even if the threat is removed, your passwords may have already been leaked. :(

Characteristics
Malware is multi-functional and modular: there are many kinds of malware that can be used together or separately to achieve a malicious actor's goal. New features and additional capabilities are easily added to malware to alter and "improve" its functionality and impact.[12] Malware can insert itself into a system, compromise the system, and then download additional malware from the Internet that provides increased functionality. Malware can be used to control an entire host[13] or network, it can bypass security measures such as firewalls and anti-virus software, and it can use encryption to avoid detection or conceal its means of operation.
Malware is available and user-friendly: malware is available online at a nominal cost, thus making it possible for almost anyone to acquire. There is even a robust underground market for its sale and purchase. Furthermore, malware is user-friendly and provides attackers with a capability to launch sophisticated attacks beyond their skill level.
Malware is part of a broader cyber attack system: malware is being used both as a primary form of cyber attack and to support other forms of malicious activity and cybercrime such as spam and phishing. Conversely, spam and phishing can be used to further distribute malware.

How does malware work
Malware is able to compromise information systems due to a combination of factors that include insecure operating system design and related software vulnerabilities. Malware works by running or installing itself on an information system manually or automatically.[17] Software may contain vulnerabilities, or "holes" in its fabric caused by faulty coding.
Software may also be improperly configured, have functionality turned off, be used in a manner not compatible with suggested uses, or be improperly configured with other software.
Many types of malware such as viruses or trojans require some level of user interaction to initiate the infection process, such as clicking on a web link in an e-mail, opening an executable file attached to an e-mail or visiting a website where malware is hosted. Once security has been breached by the initial infection, some forms of malware automatically install additional functionality such as spyware (e.g. a keylogger), a backdoor, a rootkit or any other type of malware, known as the payload.[18]
Social engineering,[19] in the form of e-mail messages that are intriguing or appear to be from legitimate organisations, is often used to convince users to click on a malicious link or download malware. For example, users may think they have received a notice from their bank, or a virus warning from the system administrator, when they have actually received a mass-mailing worm. Other examples include e-mail messages claiming to be an e-card from an unspecified friend to persuade users to open the attached "card" and download the malware. Malware can also be downloaded from web pages unintentionally by users. A recent study by Google that examined several billion URLs and included an in-depth analysis of 4.5 million found that, of that sample, 700 000 seemed malicious and that 450 000 were capable of launching malicious downloads.[20] Another report found that only about one in five websites analysed were malicious by design. This has led to the conclusion that about 80% of all web-based malware is being hosted on innocent but compromised websites unbeknownst to their owners.[21]
Stealing information
Over the past five years, information theft, and in particular online identity (ID) theft,[50] has been an increasing concern to business, governments, and individuals. Although malware does not always play a direct role,[51] ID theft directly using malware has become increasingly common with the rise of backdoor trojans and other stealthy programmes that hide on a computer system and capture information covertly.

[50] See DSTI/CP(2007)3/FINAL, where Identity Theft is defined as the unlawful transfer, possession, or misuse of personal information with the intent to commit, or in connection with, a fraud or other crime.
[51] Identity theft attacks most often use social engineering techniques to convince the user to disclose information to what they assume is a trusted source. This technique, known as Phishing, does not directly rely on the use of malware to work. It uses deceptive or "spoofed" e-mails and fraudulent websites impersonating brand names of banks, e-retailers and credit card companies to deceive Internet users into revealing personal information. However, as many phishing attacks are launched from spam emails sent from botnets, malware is indirectly involved, as it is used to create botnets which are in turn used to send the spam e-mail used in phishing attacks. Malware would be directly implicated when the spam e-mails contained embedded malware or a link to a website where malware would be automatically downloaded.
[52] This is a technique known as "fast flux".
[53] A DNS table provides a record of domain names and matching IP addresses.
[54] See Annex B for a discussion on attacks using the DNS and attacks against the DNS.
[55] AusCERT (2006) p.19-20.

As illustrated in Figure 1, online ID theft attacks using malware can be complex and can use multiple Internet servers to distribute spam and malware, compromise users' information systems, and then log the stolen data to another website controlled by the attacker or send it to the attacker's e-mail account.
Generally, the attacker operates under multiple domain names and multiple IP addresses for each domain name and rapidly rotates them over the life of the attack (for example, see botnet-hosted malware sites #1 and #2 in Figure 1).[52] The use of multiple domain names and multiple hosts or bots (and their associated IP addresses) is designed to increase the time available for capturing the sensitive information and reduce the effectiveness of efforts by affected organisations (such as banks), CSIRTs and ISPs to shut down fraudulent sites. Under the domain name system (DNS), attackers are able to quickly and easily change their DNS tables[53] to reassign new IP addresses to fraudulent web and logging sites operating under a particular domain.[54] The effect is that as one IP address is closed down, it is trivial for the site to remain active under another IP address in the attacker's DNS table. For example, in a recent case IP addresses operating under a single domain name changed on an automated basis every 30 minutes, and newer DNS services have made it possible to reduce this time to five minutes or less. Attackers may use legitimate existing domains to host their attacks, or register specially created fraudulent domains. The only viable mitigation response to the latter situation is
to seek deregistration of the domain.[55]
DSTI/ICCP/REG(2007)5/FINAL 19
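The fast-flux rotation described above (one domain, many addresses, changed every 30 minutes or less) can be spotted from passive DNS data. The following is an added example, not part of the OECD report: it aggregates constructed resolution records per domain and flags names whose answers spread across several /24 networks with short TTLs, while leaving a short-TTL CDN that stays inside one provider's range unflagged. The thresholds are this example's assumptions.

```python
"""Flag fast-flux style domains from passive DNS observations.

Added example: scores each query name by how many distinct addresses and
distinct /24 networks it resolved to, how short its TTL was, and how often
the answer changed. All log lines, names and addresses are constructed
sample data; the thresholds below are assumptions of this example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed passive-DNS log, one resolution per line, chronological per name:
# "<ISO timestamp> <qname> <rtype> <rdata> ttl=<seconds>"
SAMPLE_LOG = """\
2009-03-24T10:00:00 bank-login.example A 198.51.100.7 ttl=300
2009-03-24T10:05:00 bank-login.example A 203.0.113.44 ttl=300
2009-03-24T10:10:00 bank-login.example A 192.0.2.19 ttl=300
2009-03-24T10:15:00 bank-login.example A 198.51.100.88 ttl=300
2009-03-24T10:20:00 bank-login.example A 203.0.113.9 ttl=300
2009-03-24T10:25:00 bank-login.example A 192.0.2.201 ttl=300
2009-03-24T10:00:00 www.example.org A 192.0.2.50 ttl=86400
2009-03-24T12:00:00 www.example.org A 192.0.2.50 ttl=86400
2009-03-24T10:00:00 cdn.example.net A 198.51.100.10 ttl=60
2009-03-24T10:01:00 cdn.example.net A 198.51.100.11 ttl=60
2009-03-24T10:02:00 cdn.example.net A 198.51.100.12 ttl=60
"""


@dataclass
class DomainStats:
    """Running aggregates for one query name."""
    addresses: set[str] = field(default_factory=set)
    networks: set[str] = field(default_factory=set)   # /24 prefixes seen
    ttls: list[int] = field(default_factory=list)
    first_seen: datetime | None = None
    last_seen: datetime | None = None
    changes: int = 0                 # answers that differed from the previous one
    last_addr: str | None = None


@dataclass(frozen=True)
class FluxVerdict:
    domain: str
    distinct_addresses: int
    distinct_networks: int
    min_ttl: int
    rotation_minutes: float | None   # mean minutes between address changes
    suspicious: bool


def parse_observations(text: str) -> dict[str, DomainStats]:
    """Aggregate A-record observations per query name (lines assumed chronological)."""
    stats: dict[str, DomainStats] = defaultdict(DomainStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, qname, rtype, rdata, ttl_s = line.split()
        if rtype != "A":
            continue
        ts = datetime.fromisoformat(ts_s)
        s = stats[qname]
        s.addresses.add(rdata)
        s.networks.add(str(ipaddress.ip_network(f"{rdata}/24", strict=False)))
        s.ttls.append(int(ttl_s.split("=", 1)[1]))
        s.first_seen = ts if s.first_seen is None else min(s.first_seen, ts)
        s.last_seen = ts if s.last_seen is None else max(s.last_seen, ts)
        if s.last_addr is not None and rdata != s.last_addr:
            s.changes += 1
        s.last_addr = rdata
    return dict(stats)


def assess(stats: dict[str, DomainStats], *, min_addresses: int = 4,
           min_networks: int = 3, max_ttl: int = 600) -> dict[str, FluxVerdict]:
    """Apply heuristic thresholds (assumptions of this example) to each domain.

    Requiring several distinct /24 networks is what separates fast flux, whose
    addresses sit on many unrelated bot-infected connections, from a CDN that
    also rotates short-TTL answers but inside one provider's range.
    """
    verdicts: dict[str, FluxVerdict] = {}
    for domain, s in stats.items():
        rotation = None
        if s.changes:
            span_min = (s.last_seen - s.first_seen).total_seconds() / 60
            rotation = span_min / s.changes
        suspicious = (len(s.addresses) >= min_addresses
                      and len(s.networks) >= min_networks
                      and min(s.ttls) <= max_ttl)
        verdicts[domain] = FluxVerdict(domain, len(s.addresses), len(s.networks),
                                       min(s.ttls), rotation, suspicious)
    return verdicts


def flag_fast_flux(text: str) -> dict[str, FluxVerdict]:
    """Parse a passive-DNS log and return a verdict per query name."""
    return assess(parse_observations(text))


if __name__ == "__main__":
    for v in flag_fast_flux(SAMPLE_LOG).values():
        mark = "FAST-FLUX?" if v.suspicious else "ok"
        print(f"{v.domain:20} ips={v.distinct_addresses} nets={v.distinct_networks} "
              f"ttl={v.min_ttl} rotation_min={v.rotation_minutes} {mark}")
```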
Figure 1. Online ID theft attack system involving malware[56]
[56] AusCERT (2006) at 7.6
(Diagram not reproduced; recoverable labels: "Captures information exchanged, including for Internet banking, e-tax, e-health, etc." and "Spam email is sent to")

Origin of malware attack
Malware is now spread around the world, and rankings[60] tend to show that a whole host of countries across the developed and the developing world are home to online criminals using malware. Although attacks originating from one country may have local targets, the predominant trend is attacks that originate internationally relative to their targets. In addition, geography may play a role depending on the end goal of the attacker. For example, broadband Internet speeds differ from country to country.
If an attacker wishes to maximise network damage, he/she may use compromised computers located in countries where broadband is prevalent. If the goal is to degrade service or steal information over time, the attacker may use compromised computers from a variety of geographical locations. Geographical distribution allows for increased anonymity of attacks and impedes identification, investigation and prosecution of attackers.95

95 See "Malware: Why should we be concerned?" for a discussion of the impacts from malware.

Basic economic rationale for malware

E-mail is not at an economic equilibrium between the sender and the recipient because it costs virtually nothing to send. All the costs of dealing with spam and malware are passed on to the Internet provider and the "unwilling" recipients, who are charged for protective measures, bandwidth and other connection costs, on top of the costs of repairing the computer or having lost money to scams. At the same time, criminals minimise their costs to the extreme: they pay no tax, escape the cost of running a genuine business, and pay commission only to others in criminal circles worldwide and at a comparatively low price. The cost to malicious actors continues to decrease as freely available e-mail storage space increases. Further, the use of botnets makes it easier and even cheaper to send malware through e-mail. Today's criminals often have access to cheap techniques for harvesting e-mail addresses as well as easy access to malware and outsourced spamming services. Anti-detection techniques are constantly evolving to make it cheaper to operate, and malicious actors can easily switch ISPs if their activity is detected and their service terminated. Both the malware itself and the compromised computers being used to further launch malware attacks are a low-cost, readily available and easily renewable resource.
High speed Internet connections and increased bandwidth allow for the mass creation of compromised information systems that comprise a self-sustaining attack system, as illustrated by Figure 7. Furthermore, malicious actors can replace compromised information systems that have been disconnected or cleaned, and they can expand the number of compromised information systems as the demand for resources (namely malware and compromised information systems) for committing cybercrime also grows.
Figure 7. Self-sustaining attack system using malware

Note: this figure shows how malware is used to create a self-sustaining resource of compromised computers that serve as the backbone of malicious online activity and cybercrime. Information systems connected to the Internet can become infected with malware. Those information systems are then used to scan and compromise other information systems.

MALWARE: WHY SHOULD WE BE CONCERNED?

The growth of malware, and the increasingly inventive ways in which it is being used to steal personal data, conduct espionage, harm government and business operations, or deny user access to information and services, is a potentially serious threat to the Internet economy, to the ability to further e-government for citizen services, to individuals' online social activities, and to national security.

Malware-enabling factors

The capabilities of malware make it a prevalent "cybercriminal tool". However, broader economic and social factors may contribute to its increased occurrence and the robust state of the malware economy. The following describes some of those factors which, while they bring important benefits to society, also facilitate the existence and promulgation of malware.

Broadband Internet and its users

In 2005, the International Telecommunication Union estimated 216 708 600 "fixed" broadband Internet subscribers in the world.98 Furthermore, it is generally agreed that there are on average 1 000 000 000 Internet users in the world today. As the number of subscribers and users increases, so does the number of available targets for malware. The increased prevalence of high speed Internet and the availability of broadband wireless connections make it easy for malicious actors to successfully carry out attacks, as they can compromise computers at faster rates, use the bandwidth to send massive amounts of spam and conduct DDoS attacks.
Furthermore, these "always on" connections allow malicious actors to be mobile and to attack from any location, including public places such as Internet cafes, libraries, coffee shops, or even from a PDA or mobile phone device.99 Operating from public places allows attackers to conduct their activities anonymously, thus making it difficult to detect and trace their activities.

It is important to note that while broadband technologies are an enabling factor, it is the behaviours associated with these technologies that are problematic. For example, people often fail to adopt appropriate security measures when using broadband technologies and therefore leave their connection open without the appropriate security software installed.100

Ever more services available on line

Most governments, consumers and businesses depend on the Internet to conduct their daily business. In 2004, the OECD found that, in most OECD countries, over 90% of businesses with 250 or more employees had access to the Internet. Firms with 50 to 249 employees also had very high rates of access.101 Home users rely on the Internet for their day to day activities including shopping, banking or simply exchanging information and conducting e-government and e-commerce transactions. As the amount of these services continues to increase, so does the likely community of users accessing these services on line.

98 International Telecommunications Union (ITU) (2007) p. 23.
99 McAfee Inc. (2007) p. 02 and 10.
100 This could be the case for any Internet connection, broadband or otherwise.
101 OECD (2005) E-7.
This in turn increases the available targets for attack or exploitation, which provides further incentive for criminals to conduct malicious activity.

Operating system and software vulnerabilities

The more vulnerable the technology, the more likely it is to be exploitable through malware. For example, the security firm Symantec102 reported a 12% increase in the number of known vulnerabilities from the first half of 2006 (January – June 2006) to the second half (June – December 2006), which they largely attribute to the continued growth of vulnerabilities in web applications. Microsoft also reported an increase of nearly 2 000 disclosed vulnerabilities from 2005 to 2006.103 The increase in vulnerabilities corresponds to an increase in incidents. Microsoft reported an increase in the number of machines disinfected by its Malicious Software Removal Tool from less than 4 million at the beginning of 2005 to more than 10 million at the end of 2006.104 It is important to note that the absence of known reported vulnerabilities in a software product does not necessarily make that product more secure than one that has known reported vulnerabilities – it may simply be that similar effort has not been expended to find them. In addition, tools that find and exploit vulnerabilities are improving; companies are doing more reporting of vulnerabilities and more people or "researchers" than ever are probing software to find vulnerabilities. Finally, the greater complexity of software – more interconnecting functions that need to work with an ever growing universe of other software – further increases the potential for vulnerabilities.

102 Symantec (2007) p. 38.
103 Microsoft (2006b) p. 8.
104 Microsoft (2006b) p. 20-21.
105 OECD (2007c) p. 33-34.
106 Brendler, Beau (2007) p. 4.
107 European Commission Eurobarometer (2007) p. 89.

Easy to target average Internet user

As the reliance of home users and small to medium sized enterprises (SMEs) on the Internet increases, so do the malware threats they face.
Consumers and business are increasingly exposed to a new range of complex, targeted attacks that use malware to steal their personal and financial information.

Many Internet users are not adequately informed about how they can securely manage their information systems. This lack of awareness and subsequent action or inaction contributes to the increasing prevalence of malware. Most malware requires some form of user action or acceptance to propagate. Recent surveys from various organisations show that while more users are taking measures to protect their information systems, a large percentage of the population lacks basic protective measures. For example, a 2005 report commissioned by the Australian Government, Trust and Growth in the Online Environment, found that only one in seven computers in Australia use a firewall and about one in three use up-to-date virus protection software.105 Furthermore, it is estimated that 59 million users in the US have spyware or other types of malware on their computers.106

The European Commission's Eurobarometer E-communications Household survey107 observed an increase in consumer concerns about spam and viruses in 2006. For some EU Member States, up to 45% of consumers had experienced significant problems. In 40% of the cases, the computer performance decreased significantly; in 27% of the cases a breakdown was observed. In the same survey, 19% of consumers had no protection system at all on their computers. Other data also suggests that home users are the most targeted of all the sectors108, accounting for 93% of all targeted attacks109, and thus highlighting that weak user security is one important enabler of malware.

125 Denning, Dorothy (2000).
126 Poulsen, Kevin (2003).
127 United States Nuclear Regulatory Commission (2003).
128 United States District Court Northern District Of Illinois Eastern Division (2007).
129 A recent OECD Report, The Development of Policies to Protect the Critical Information Infrastructure, highlights this point. See DSTI/ICCP/REG(2007)20/FINAL.
130 U.S.-Canada Power System Outage Task Force Final Report p. 131.
131 Greene, Tim (2007).
132 OECD (2007c) pg. 7.

Challenges to fighting malware

Protecting against, detecting and responding to malware has become increasingly complex as malware and the underlying criminal activity which it supports are rapidly evolving and taking advantage of the global nature of the Internet. Many organisations and individuals do not have the resources, skills or expertise to prevent and/or respond effectively to malware attacks and the associated secondary crimes which flow from those attacks, such as identity theft, fraud and DDoS. In addition, the scope of one organisation's control to combat the problem of malware is limited.

Many security companies report an inability to keep up with the overwhelming amounts of malware despite committing significant resources to analysis.
One vendor dedicates 50 engineers to analysing new malware samples and finding ways to block them, but notes that this is almost an impossible task, with about 200 new samples per day and growing.131 Another company reported it receives an average of 15 000 files – and as many as 70 000 – per day from their product users as well as CSIRTs and others in the security community.132 When samples and files are received, security companies undertake a process to determine if the file is indeed malicious. This is done by gathering data from other vendors, conducting automated analysis, or by conducting manual analysis when other methods fail to determine the malicious nature of the code. One vendor estimated that each iteration of this cycle takes about 40 minutes and that they release an average of 10 updates per day.133 Furthermore, there are many security vendors who all have different insights into the malware problem.

Most security technologies such as anti-virus or anti-spyware products are signature-based, meaning they can only detect those pieces of malware for which an identifier, known as a "signature", already exists and has been deployed. There is always a time lag between when new malware is released by attackers into the "wild", when it is discovered, when anti-virus vendors develop their signatures, and when those signatures are installed on users' and organisations' information systems. Attackers actively seek to exploit this period of heightened vulnerability. It is widely accepted that signature-based solutions such as anti-virus programs are largely insufficient to combat today's complex and prevalent malware.

133 OECD (2007c) pg. 7.
134 Information provided to the OECD by CERT.br, the national CSIRT for Brazil.
135 One website provides a survey of cybercrime legislation that documented 77 countries with some existing cybercrime law. See http://www.cybercrimelaw.net/index.html.
136 United States Department of Justice Computer Crime & Intellectual Property Section.
137 Green, Tim (2007a).
For example, one analysis134 that explores antivirus detection rates for 17 different anti-virus vendors reveals that, on average, only about 48.16% of malware was detected. Circumstantial evidence such as this indicates that attackers are actively testing new malware creations against popular anti-virus programs to ensure they stay undetected.

In addition, malicious actors exploit the distributed and global nature of the Internet, as well as the complications of law and jurisdiction bound by traditional physical boundaries, to diminish the risks of being identified and prosecuted. For example, a large portion of data trapped by attackers using keyloggers is transmitted internationally to countries where laws against cybercrime are nascent, non-existent or not easily enforceable. Although countries across the globe have recognised the seriousness of cybercrime and many have taken legislative action to help reprimand criminals, not all have legal frameworks that support the prosecution of cyber criminals.135 The problem, however, is even more complicated, as information may be compromised in one country by a criminal acting from another country through servers located in a third country, all together further complicating the problem.

Law enforcement agencies throughout the world have made efforts to prosecute cyber criminals. For example, the Computer Crime and Intellectual Property Section of the US Department of Justice has reported the prosecution of 118 computer crime cases from 1998 – 2006.136 Although global statistics on arrests are hard to determine, one company estimated worldwide arrests at 100 in 2004, several hundred in 2005 and then 100 again in 2006.137 While these cases did not necessarily involve malware, they help illustrate the activities of the law enforcement community. It is important to note that the individuals prosecuted are usually responsible for multiple attacks. These figures are low considering the prevalence of online incidents and crime.
They highlight the complex challenges faced by law enforcement in investigating cybercrime.

Furthermore, the volatile nature of electronic evidence and the frequent lack of logged information can often mean that evidence is destroyed by the time law enforcement officers can get the necessary warrants to recover equipment. The bureaucracy of law enforcement provides good checks and balances, but is often too slow to cope with the speed of electronic crime. Additionally, incident responders often do not understand the needs of law enforcement and accidentally destroy electronic evidence.

Today, the benefits of malware seem to be greater for attackers than the risks of undertaking the criminal activity. Cyberspace offers criminals a large number of potential targets and ways to derive income from online victims. It also provides an abundant supply of computing resources that can be harnessed to facilitate this criminal activity. Both the malware and the compromised information systems being used to launch the attacks have a low cost, are readily available and frequently updated. High speed Internet connections and increased bandwidth allow for the mass compromise of information systems that renew and expand the self-sustaining attack system. By contrast, communities engaged in fighting malware face numerous challenges that they cannot always address effectively.
MALWARE: WHAT TO DO?

Many would agree that the damage caused by malware is significant and needs to be reduced, although its economic and social impacts may be hard to quantify. That said, several factors should be considered in assessing what action to take, and by whom, against malware. These include: the roles and responsibilities of the various participants,138 the incentives under which they operate as market players, as well as the activities already undertaken by those communities more specifically involved in fighting malware.

138 According to the 2002 OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, "participants" refers to governments, businesses, other organisations and individual users who develop, own, provide, manage, service and use information systems and networks.

Roles of individual, business and government participants - Highlights

Malware affects individuals, business and government in different ways. All those participants can play a role in preventing, detecting, and responding to malware with varying levels of competence, resources, roles and responsibilities, as called for in the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (the "OECD Security Guidelines"). Better understanding the roles and responsibilities of the various participants in relation to malware is important to assessing how to enhance the fight against malware. Among the various participants, those concerned by malware are:

- Users (home users, small and medium-sized enterprises (SMEs), all public and private sector organisations) whose data and information systems are potential targets and who have different levels of competence to protect them.
- Software vendors, who have a role in developing trustworthy, reliable, safe and secure software.
- Anti-virus vendors, who have a role in providing security solutions to users (such as updating anti-virus software with the latest information on malware).
- Internet Service Providers (ISPs), who have a role in managing the networks to which the aforementioned groups connect for access to the Internet.
- Domain name registrars and regulators, who determine if a domain is allowed to be registered and potentially have the power to deregister a domain that is used to commit fraud or other criminal activity, including, for example, the distribution of malware.
- CSIRTs, frequently the national or leading ones (often government), which have a role, for example, in detecting, responding to and recovering from security incidents and issuing security bulletins about the latest computer network threats or vulnerabilities associated with malware attacks; or in co-ordinating nationally and internationally the resolution of computer network attacks affecting its constituency or emanating from its constituency.
- Law enforcement entities, which have a mandate to investigate and prosecute cybercrime.
- Government agencies, which have a role to manage risks to the security of government information systems and the critical information infrastructure.
- Governments and inter-governmental organisations, which have a role in developing national and international policies and legal instruments to enhance prevention, detection and response to malware proliferation and its related crimes.
Malware attack trends

The dynamic nature of malware keeps most security experts constantly on the lookout for new types of malware and new vectors for attack. Due to the complex technical nature of malware, it is helpful to examine overall attack trends to better understand how attacks using malware are evolving. As mentioned previously, the use of malware is becoming more sophisticated and targeted. Attackers are using increasingly deceptive social engineering techniques to entice users to seemingly legitimate web pages that are actually infected and/or compromised with malware. Figure 2 illustrates the types of attack that seem to be on the increase, those that are falling out of favour, and those for which the trend remains unclear or has not changed.

ANNEX D - EXAMPLES OF MALWARE PROPAGATION VECTORS
E-mail: Malware can be "mass mailed" by sending out a large number of e-mail messages with malware attached or embedded. There are numerous examples of successful malware propagated through mass-mailers, largely due to the ability of malicious actors to use social engineering to spread malware rapidly across the globe.

Web: Attackers are increasingly using websites to distribute malware to potential victims. This relies on spam e-mail to direct users to a website where the attacker has installed malware capable of compromising a computer simply through a browser connection to the website. If the website is a legitimate and popular site, users will go there of their own accord, allowing their computers to potentially become infected/compromised without the need for spam e-mail to direct them there. There are two methods of infection via the web: compromise an existing website to host malware; or set up a dedicated site to host malware on a domain specially registered for that purpose.

Instant messengers: Malware can propagate via instant messaging services on the Internet by sending copies of itself through the file transfer feature common to most instant messenger programmes. Instant messages could also contain web links that direct the user to another site hosting downloadable malware. Once a user clicks on a link displayed in an instant messenger dialog box, a copy of the malware is automatically downloaded and executed on the affected system.

Removable media: If malware is installed on removable media, such as a USB stick or CD-ROM, it can infect and/or propagate by automatically executing as soon as the media is connected to another computer.

Network-shared file systems: A network share is a remotely accessible digital file storage facility on a computer network.
A network share can become a security liability for all network users when access to the shared files is gained by malicious actors or malware, and the network file sharing facility included within the operating system of a user's computer has been otherwise compromised.

P2P programmes: Some malware propagates by copying itself into folders it assumes to be shared (such as those with "share" in the folder name), or for which it activates sharing, and uses an inconspicuous or invisible file name (usually posing as legitimate software, or as an archived image).

Internet Relay Chat (IRC): IRC is a form of Internet chat specifically designed for group communications in many topical "channels", all of which are continuously and anonymously available from any location on the Internet. Many "bot masters" (as the malefactors who operate networks of malware-infected/compromised machines are often called; see the chapter "The Malware Internet: Botnets") use IRC as the central command and control (C&C) communications channel for co-ordinating and directing the actions of the bot-infected/compromised information systems in their "botnet".

Bluetooth: Bluetooth is a wireless networking protocol that allows devices like mobile phones, printers, digital cameras, video game consoles, laptops and PCs to connect at very short distances, using unlicensed radio spectrum. Because the security mechanisms implemented in Bluetooth devices tend to be trivially bypassed, such devices are vulnerable to malware through attack techniques which have been called "bluejacking" or "bluesnarfing". A Bluetooth device is most vulnerable to this type of attack when a user's connection is set to "discoverable", which allows it to be found by other nearby Bluetooth devices.
What is Spam?

Spam in a general sense is any email you don't want to receive. There are many types of email that you may not want, e.g. advertisements, newsletters, or questionnaires; however, these emails are not what the computer community refers to as spam. What the computer community is most concerned with is illegal email spam.

My definition of illegal email spam is -- attempts to deceive by falsification of seller identity or email address, and use of other trickery (defrauding), in the hope of gaining monetary advantage (stealing) from the email recipient and other parties.

The Federal Trade Commission's definition of spam: "Not all UCE is fraudulent, but fraud operators - often among the first to exploit any technological innovation - have seized on the Internet's capacity to reach literally millions of consumers quickly and at a low cost through UCE. In fact, UCE has become the fraud artist's calling card on the Internet.
Much of the spam in the Commission's database contains false information about the sender, misleading subject lines, and extravagant earnings or performance claims about goods and services. These types of claims are the stock in trade of fraudulent schemes." From Prepared Statement Of The Federal Trade Commission On "Unsolicited Commercial Email", November 3, 1999.

How does a spammer get your email address?

There are many ways a spammer can obtain your email address.