As the Internet becomes more and more integrated into everyday life, we must learn how to
defend ourselves against new types of online attacks.

While viruses remain a threat, today's hackers commonly use vicious multi-layered attacks, such as a
worm in a chat message that displays a link to a Web page infected with a Trojan horse. “Worms”
have been found that tunnel through programs, uncovering new vulnerabilities and reporting them
back to hackers. The hackers then quickly assemble malware (malicious software) from pre-made
components, exploiting the vulnerability before the majority of people can download a fix.

Below you will find the best tips that you can employ to protect yourself against these emerging
sophisticated, multi-faceted threats.

What Can Malware Do to My PC?
Malware opens up backdoors on infected systems, giving hackers direct access to the hijacked PC. In
this scenario, a hacker can use the infected PC to upload personal information to a remote system,
or to turn the PC into a remotely controlled bot used in criminal activity.

Hackers are designing their attacks to target specific high-value victims instead of simply launching
mass-mailing worms and viruses. These programs are being created specifically for data theft.

What About P2P?
Peer-to-peer (P2P) networking has become a launching pad for viruses. Attackers incorporate
spyware, viruses, Trojan horses, and worms into their free downloads. One of the most dangerous
features of many P2P programs is the “browse host” feature that allows others to directly connect to
your computer and browse through file shares.

P2P can accidentally give access to logins, user IDs and passwords; Quicken files and credit reports;
personal information such as letters, chat logs, cookies, and emails; and medical records you
accidentally house in accessible folders on your PC. As with email and instant messages, viruses in
P2P files are capable of weaving their way through as many users as they can, stealing information
and delivering it to cybercriminals who forge identities and commit fraud.

Best Tips to Defend Against Viruses and Worms
You must safeguard your PC. Following these basic rules will help you protect yourself and your
family whenever you go online.

    1. Protect your computer with strong security software and keep it updated. McAfee Total
       Protection for Small Business provides proven PC protection from Trojans, hackers, and
       spyware. Its integrated anti-virus, anti-spyware, firewall, anti-spam, anti-phishing, and
       backup technologies work together to combat today's advanced multi-faceted attacks. It
       scans disks, email attachments, files downloaded from the Web, and documents generated
       by word processing and spreadsheet programs.
    2. Use a security-conscious Internet service provider (ISP) that implements strong anti-spam
       and anti-phishing procedures.
    3. Enable automatic Windows® updates or download Microsoft® updates regularly to keep your
       operating system patched against known vulnerabilities. Install patches from other software
       manufacturers as soon as they are distributed. A fully patched computer behind a firewall is
       the best defense against Trojan and spyware installation.
    4. Use caution when opening attachments. Configure your anti-virus software to automatically
       scan all email and instant message attachments. Make sure your email program doesn't
       automatically open attachments or automatically render graphics, and ensure that the
       preview pane is turned off. Never open unsolicited emails, or attachments that you're not
       expecting—even from people you know.
    5. Be careful when engaging in peer-to-peer (P2P) file-sharing. Trojans hide within file-sharing
       programs waiting to be downloaded. Use the same precautions when downloading shared
       files that you do for email and instant messaging. Avoid downloading files with the
       extensions .exe, .scr, .lnk, .bat, .vbs, .dll, .bin, and .cmd.
    6. Use security precautions for your PDA, cell phone, and Wi-Fi devices. Viruses and Trojans
       arrive as an email/IM attachment, are downloaded from the Internet, or are uploaded along
       with other data from a desktop. Cell phone viruses and mobile phishing attacks are in the
       beginning stages, but will become more common as more people access mobile multimedia
       services and Internet content directly from their phones. Always use a PIN code on your cell
       phone, and never install or download mobile software from an unknown source.
    7. Configure your instant messaging application correctly. Make sure it does not open
       automatically when you fire up your computer.
    8. Beware of spam-based phishing schemes. Don't click on links in emails or IM.
    9. Back up your files regularly and store the backups somewhere besides your PC. If you fall
       victim to a virus attack, you can recover photos, music, movies, and personal information
       like tax returns and bank statements.
    10. Stay aware of current virus news by checking sites like McAfee® Avert® Threat Center.

A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a
sequence of actions to be performed automatically when the application is started or something else
triggers it. Macro viruses tend to be surprising but relatively harmless. A typical effect is the
undesired insertion of some comic text at certain points when writing a line. A macro virus is often
spread as an e-mail virus. A well-known example in March, 1999 was the Melissa virus.

Melissa is a fast-spreading macro virus that is distributed as an e-mail attachment that, when
opened, disables a number of safeguards in Word 97 or Word 2000, and, if the user has the
Microsoft Outlook e-mail program, causes the virus to be resent to the first 50 people in each
of the user's address books. While it does not destroy files or other resources, Melissa has the
potential to disable corporate and other mail servers as the ripple of e-mail distribution
becomes a much larger wave. On Friday, March 26, 1999, Melissa caused the Microsoft
Corporation to shut down incoming e-mail. Intel and other companies also reported being
affected. The U.S. Department of Defense-funded Computer Emergency Response Team
(CERT) issued a warning about the virus and developed a fix.
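
The behaviour just described, one account pushing the same attachment to dozens of recipients within minutes, is visible at the mail gateway even when the macro itself is not yet recognised by a scanner. The following added example (written for this page, not code from the original article) runs a burst heuristic over a constructed mail-gateway log; the log layout, the 50-recipient threshold borrowed from the Melissa description and the five-minute window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log layout assumed for this example (one delivered message per line):
#   <ISO timestamp> from=<sender> to=<recipient> subject="<subject>" attach=<filename or ->
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" attach=(?P<attach>\S+)$'
)


def build_sample_log():
    """Constructed sample: a little normal traffic, then one account sending the
    same attachment to 60 different recipients inside a single minute."""
    base = datetime(1999, 3, 26, 9, 0, 0)
    lines = [
        f'{base.isoformat()} from=alice@example.org to=bob@example.org subject="Re: lunch" attach=-',
        f'{(base + timedelta(minutes=1)).isoformat()} from=bob@example.org to=alice@example.org subject="Q1 report" attach=report.pdf',
        f'{(base + timedelta(minutes=2)).isoformat()} from=bob@example.org to=carol@example.org subject="Q1 report" attach=report.pdf',
    ]
    for i in range(60):
        ts = base + timedelta(minutes=3, seconds=i)
        lines.append(
            f'{ts.isoformat()} from=dave@example.org to=user{i:02d}@example.org '
            f'subject="Important Message from Dave" attach=LIST.DOC'
        )
    return "\n".join(lines)


def parse_line(line):
    """Return the fields of one log line as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_mass_mailers(log_text, threshold=50, window=timedelta(minutes=5)):
    """Map (sender, attachment) -> number of distinct recipients, for every pair that
    reached `threshold` distinct recipients inside some `window`-long interval."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["attach"] == "-":
            continue  # unparsable line, or a message with no attachment
        events[(rec["sender"], rec["attach"])].append((rec["ts"], rec["rcpt"]))

    flagged = {}
    for key, items in events.items():
        items.sort()  # chronological
        best = 0
        # Slide a window starting at each message and count distinct recipients in it.
        for i, (start, _) in enumerate(items):
            seen = set()
            for ts, rcpt in items[i:]:
                if ts - start > window:
                    break
                seen.add(rcpt)
            best = max(best, len(seen))
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (sender, attach), n in find_mass_mailers(build_sample_log()).items():
        print(f"{sender} sent {attach} to {n} distinct recipients within 5 minutes")
```

The heuristic keys on the sender and the attachment name rather than the subject, because the subject line in the Melissa description carries the victim's own name and therefore differs from one infected account to the next. Quarantining the sender's outbound mail once the threshold trips is what stops the "ripple" becoming a "wave" at the server.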

How Melissa Works

Melissa arrives in an attachment to an e-mail note with the subject line "Important Message
from [the name of someone]," and body text that reads "Here is that document you asked
for...don't show anyone else ;-)". The attachment is often named LIST.DOC. If the recipient
clicks on or otherwise opens the attachment, the infecting file is read into computer storage.
The file itself originated in an Internet alt.sex newsgroup and contains a list of passwords for
various Web sites that require memberships. The file also contains a Visual Basic script that
copies the virus-infected file into the normal.dot template file used by Word for custom
settings and default macros. It also creates this entry in the Windows registry:

What is Identity Theft?

Identity theft, also known as ID theft, is a crime in which a criminal obtains key pieces of
personal information, such as Social Security or driver's license numbers, in order to pose as
someone else. The information can be used to obtain credit, merchandise, and services in
the victim's name. Identity theft can also provide a thief with false credentials for
immigration or other applications. One of the biggest problems with identity theft is that
the crimes committed by the identity thief are very often attributed to the victim.

There are two main types of identity theft – account takeover and true name theft. Account
takeover identity theft refers to the situation where an imposter uses the stolen personal
information to gain access to the person's existing accounts. Often the identity thief will use
the stolen identity to acquire even more credit products by changing your address so that
you never see the credit card bills that the thief runs up.

True name identity theft means that the thief uses personal information to open new
accounts. The thief might open a new credit card account, establish cellular phone service,
or open a new checking account in order to obtain blank checks. The Internet has made it
easier for an identity thief to use the information they've stolen because transactions can be
made without any real verification of someone's identity. All a thief really needs today is a
series of correct numbers to complete the crime. Companies like LifeLock can monitor
whether a thief has gotten access to and used any of your personal information.

Trojan

In the IT world, a Trojan horse is used to enter a victim's computer undetected, granting the
attacker unrestricted access to the data stored on that computer and causing great damage to
the victim. A Trojan can be a hidden program that runs on your computer without your
knowledge, or it can be 'wrapped' into a legitimate program, meaning that this program may
therefore have hidden functions that you are not aware of.

How a Trojan works
Trojans typically consist of two parts, a client part and a server part. When a victim
(unknowingly) runs a Trojan server on his machine, the attacker then uses the client part of
that Trojan to connect to the server module and start using the Trojan. The protocol usually
used for communications is TCP, but some Trojans' functions use other protocols, such as
UDP, as well. When a Trojan server runs on a victim's computer, it (usually) tries to hide
somewhere on the computer; it then starts listening for incoming connections from the
attacker on one or more ports, and attempts to modify the registry and/or use some other
auto-starting method.
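
A defender's counterpart to the listening server part described above is to know which ports the machine is supposed to be listening on and to notice new ones. The following added example (written for this page, not code from the original article) parses a constructed sample in the column layout of `netstat -ano` on Windows and reports every listening TCP socket whose port is not in a baseline; the baseline ports, process IDs and sample output are assumptions made for the example.

```python
import re

# Listening TCP ports this machine is expected to have. Assumed baseline for the example;
# a real one is recorded from the machine while it is known to be clean.
BASELINE_PORTS = {135: "RPC endpoint mapper", 445: "SMB", 3389: "Remote Desktop"}

# Constructed sample in the layout of `netstat -ano` on Windows (not real output).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1180
  TCP    0.0.0.0:8765           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.20:49712     203.0.113.9:443        ESTABLISHED     2244
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:500            *:*                                    1304
"""

# Only TCP sockets in LISTENING state matter here; the address may be IPv4 or "[::]".
LISTEN_RE = re.compile(
    r'^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$'
)


def parse_listeners(netstat_text):
    """Return one dict per listening TCP socket: {'addr', 'port', 'pid'}."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append({"addr": m.group("addr"),
                              "port": int(m.group("port")),
                              "pid": int(m.group("pid"))})
    return listeners


def unexpected_listeners(netstat_text, baseline=BASELINE_PORTS):
    """Listening sockets whose port is not in the baseline, sorted by port then address."""
    return sorted((sock for sock in parse_listeners(netstat_text) if sock["port"] not in baseline),
                  key=lambda sock: (sock["port"], sock["addr"]))


if __name__ == "__main__":
    for sock in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener on {sock['addr']}:{sock['port']} owned by PID {sock['pid']}")
```

Feed it the saved output of `netstat -ano` and follow any unexpected PID back to its executable. A kernel-level rootkit can hide a socket from the tool that lists it, so the more reliable second view is from the network side: scan your own machine from another host and compare against the same baseline.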

It is necessary for the attacker to know the victim's IP address to connect to his/her machine.
Many Trojans include the ability to mail the victim's IP and/or message the attacker via ICQ
or IRC. This system is used when the victim has a dynamic IP, that is, every time he connects
to the Internet, he is assigned a different IP (most dial-up users have this). ADSL users have
static IPs, meaning that in this case, the infected IP is always known to the attacker; this
makes it considerably easier for an attacker to connect to your machine.

Most Trojans use an auto-starting method that allows them to restart and grant an attacker
access to your machine even when you shut down your computer. Trojan writers are
constantly on the hunt for new auto-starting methods and other such tricks, making it hard to
keep up with their new discoveries in this area. As a rule, attackers start by "joining" the
Trojan to some executable file that you use very often, such as explorer.exe, and then proceed
to use known methods to modify system files or the Windows Registry.
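
Because the Registry is the auto-starting method most often abused, a periodic audit of the Run keys is a cheap check. The following added example (not code from the original article) reads a constructed `.reg` export of the per-user and machine-wide `Run` keys, recovers the program each entry launches, and flags entries that use a system binary's name outside `C:\Windows` or that run from a user-writable directory; both heuristics, the file names and the sample export are assumptions made for the example.

```python
import re

# Value line of a .reg export:  "name"="data"   (only string data is examined here)
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Process names that belong under C:\Windows; the same name elsewhere is a red flag.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}

# Directories an ordinary user can write to; legitimate autostarts rarely live there
# (assumed heuristic for this example).
USER_WRITABLE_MARKERS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")

# Constructed sample export (the binaries named here are made up for the example).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTray"="C:\\Windows\\System32\\tray.exe"
"Helper"="\"C:\\Users\\me\\AppData\\Local\\Temp\\helper.exe\" -silent"
"Flag"=dword:00000001
'''


def unescape_reg(s):
    # Undo .reg escaping: a doubled backslash is one backslash, a backslash-quote is a quote.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def command_executable(cmd):
    """Extract the program path from an autostart command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path, possibly containing spaces: take everything up to the first ".exe".
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]


def audit_autostart(reg_text):
    """Return a finding per suspicious Run/RunOnce entry: key, value name, exe, reasons."""
    findings, section = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "\\currentversion\\run" not in section.lower():
            continue  # only Run and RunOnce keys are autostart locations for this audit
        m = VALUE_RE.match(line)
        if not m:
            continue
        data = m.group("data")
        if not (data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex: data is not a command line
        exe = command_executable(unescape_reg(data[1:-1]))
        low = exe.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if base in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
            reasons.append("system binary name outside C:\\Windows")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append({"key": section, "value": m.group("name"), "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_autostart(SAMPLE_REG):
        print(f"[{f['key']}] {f['value']} -> {f['exe']}: {'; '.join(f['reasons'])}")
```

A real export comes from `reg export` of each key and is typically UTF-16 encoded, so open it with that encoding before passing the text in. The audit is a starting point, not a verdict: an entry that passes both heuristics still deserves a look if you do not recognise it, and the Run keys are only one of the auto-starting methods the paragraph above says attackers keep discovering.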

For an in-depth look at the different types of Trojans, why they pose a danger to corporate
networks, and how to protect your network against them, please click here.

Trojan Horse Attacks

If you were referred here, you may have been "hacked" by a Trojan horse attack. It's crucial
that you read this page and fix yourself immediately. Failure to do so could result in being
disconnected from the IRC network, letting strangers access your private files, or worse yet,
allowing your computer to be hijacked and used in criminal attacks on others.

by Joseph Lo aka Jolo, with much help from countless others
This page is part of IRChelp.org's security section at http://www.irchelp.org/irchelp/security/
updated Feb 5, 2006

Contents:

         I. What is a Trojan horse?
         II. How did I get infected?
         III. How do I avoid getting infected in the future?
         IV. How do I get rid of trojans?!?
         Appendices



I. What is a Trojan horse?

Trojan horse attacks pose one of the most serious threats to computer security. If you were
referred here, you may have not only been attacked but may also be attacking others
unknowingly. This page will teach you how to avoid falling prey to them, and how to repair
the damage if you already did. According to legend, the Greeks won the Trojan war by hiding
in a huge, hollow wooden horse to sneak into the fortified city of Troy. In today's computer
world, a Trojan horse is defined as a "malicious, security-breaking program that is disguised
as something benign". For example, you download what appears to be a movie or music file,
but when you click on it, you unleash a dangerous program that erases your disk, sends your
credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to
commit illegal denial of service attacks like those that have virtually crippled the DALnet
IRC network for months on end.

The following general information applies to all operating systems, but by far most of the
damage is done to/with Windows users due to its vast popularity and many weaknesses.

(Note: Many people use terms like Trojan horse, virus, worm, hacking and cracking all
interchangeably, but they really don't mean the same thing. If you're curious, here's a quick
primer defining and distinguishing them. Let's just say that once you are "infected", trojans
are just as dangerous as viruses and can spread to hurt others just as easily!)

II. How did I get infected?

Trojans are executable programs, which means that when you open the file, it will perform
some action(s). In Windows, executable programs have file extensions like "exe", "vbs",
"com", "bat", etc. Some actual trojan filenames include: "dmsetup.exe" and
"LOVE-LETTER-FOR-YOU.TXT.vbs" (when there are multiple extensions, only the last one counts,
be sure to unhide your extensions so that you see it). More information on risky file
extensions may be found at this Microsoft document.

Trojans can be spread in the guise of literally ANYTHING people find desirable, such as a
free game, movie, song, etc. Victims typically downloaded the trojan from a WWW or FTP
archive, got it via peer-to-peer file exchange using IRC/instant messaging/Kazaa etc., or just
carelessly opened some email attachment. Trojans usually do their damage silently. The first
sign of trouble is often when others tell you that you are attacking them or trying to infect
them!

III. How do I avoid getting infected in the future?

You must be certain of BOTH the source AND content of each file you download! In
other words, you need to be sure that you trust not only the person or file server that gave you
the file, but also the contents of the file itself.

Here are some practical tips to avoid getting infected (again). For more general security
information, please see our main security help page.

   1. NEVER download blindly from people or sites which you aren't 100% sure about. In other
      words, as the old saying goes, don't accept candy from strangers. If you do a lot of file
      downloading, it's often just a matter of time before you fall victim to a trojan.
   2. Even if the file comes from a friend, you still must be sure what the file is before opening
      it, because many trojans will automatically try to spread themselves to friends in an email
      address book or on an IRC channel. There is seldom reason for a friend to send you a file that
      you didn't ask for. When in doubt, ask them first, and scan the attachment with a fully
      updated anti-virus program.
   3. Beware of hidden file extensions! Windows by default hides the last extension of a file, so
      that innocuous-looking "susie.jpg" might really be "susie.jpg.exe" - an executable trojan! To
      reduce the chances of being tricked, unhide those pesky extensions.
   4. NEVER use features in your programs that automatically get or preview files. Those
      features may seem convenient, but they let anybody send you anything which is extremely
      reckless. For example, never turn on "auto DCC get" in mIRC, instead ALWAYS screen every
      single file you get manually. Likewise, disable the preview mode in Outlook and other email
      programs.
   5. Never blindly type commands that others tell you to type, or go to web addresses
      mentioned by strangers, or run pre-fabricated programs or scripts (not even popular ones).
      If you do so, you are potentially trusting a stranger with control over your computer, which
      can lead to trojan infection or other serious harm.
   6. Don't be lulled into a false sense of security just because you run anti-virus programs.
      Those do not protect perfectly against many viruses and trojans, even when fully up to date.
      Anti-virus programs should not be your front line of security, but instead they serve as a
      backup in case something sneaks onto your computer.
   7. Finally, don't download an executable program just to "check it out" - if it's a trojan, the first
      time you run it, you're already infected!
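
Tip 5 in the McAfee list earlier on this page names the extensions to avoid, and item 3 above explains why "susie.jpg.exe" is dangerous: only the last extension counts, and Windows hides it by default. The following added example (written for this page, not code from IRChelp.org or McAfee) turns those two points into a check that a download screen or mail filter can apply; the set of benign-looking extensions used to recognise a disguise is an assumption made for the example.

```python
# Extensions the McAfee tips tell you to avoid, plus .com from the IRChelp text above.
RISKY_EXTENSIONS = {"exe", "scr", "lnk", "bat", "vbs", "dll", "bin", "cmd", "com"}

# Extensions people expect to be harmless documents or media (assumed list for the example).
BENIGN_LOOKING = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3", "avi", "zip"}


def true_extension(filename):
    """The extension Windows actually honours: whatever follows the LAST dot."""
    name = filename.strip()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip().lower()


def classify(filename):
    """Describe a file name: its real extension, whether that is risky, and whether a
    benign-looking extension sits in front of it to disguise it ("susie.jpg.exe")."""
    # Stripping each part defeats padding such as "susie.jpg        .exe".
    parts = [p.strip().lower() for p in filename.strip().split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    visible = parts[-2] if len(parts) > 2 else ""
    risky = ext in RISKY_EXTENSIONS
    return {
        "name": filename,
        "true_extension": ext,
        "risky": risky,
        "disguised": risky and visible in BENIGN_LOOKING,
    }


def screen_downloads(filenames):
    """Return the names that should be refused or quarantined, with the reason."""
    refused = []
    for name in filenames:
        info = classify(name)
        if info["disguised"]:
            refused.append((name, "executable disguised with a double extension"))
        elif info["risky"]:
            refused.append((name, f"executable type .{info['true_extension']}"))
    return refused


if __name__ == "__main__":
    for name, why in screen_downloads(["susie.jpg.exe", "LOVE-LETTER-FOR-YOU.TXT.vbs",
                                       "setup.exe", "holiday.jpg", "archive.tar.gz"]):
        print(f"refuse {name}: {why}")
```

A name that passes is not proof of safety: the Melissa description earlier on this page is a plain .doc that carries a macro, so this check only catches executables posing as something else, which is exactly the trick item 3 warns about.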

IV. How do I get rid of trojans?!?

Here are your many options, none of them are perfect. I strongly suggest you read through all
of them before rushing out and trying to run some program blindly. Remember - that's how
you got in this trouble in the first place. Good luck!

   1. Clean Re-installation: Although arduous, this will always be the only sure way to
      eradicate a trojan or virus. Back up your entire hard disk, reformat the disk, re-install
      the operating system and all your applications from original CDs, and finally, if you're
      certain they are not infected, restore your user files from the backup. If you are not up
      to the task, you can pay for a professional repair service to do it.
   2. Anti-Virus Software: Some of these can handle most of the well known trojans, but
      none are perfect, no matter what their advertising claims. You absolutely MUST make
      sure you have the very latest update files for your programs, or else they will miss the
      latest trojans. Compared to traditional viruses, today's trojans evolve much quicker
      and come in many seemingly innocuous forms, so anti-virus software is always going
      to be playing catch up. Also, if they fail to find every trojan, anti-virus software can
      give you a false sense of security, such that you go about your business not realizing
      that you are still dangerously compromised. There are many products to choose from,
      but the following are generally effective: AVP, PC-cillin, and McAfee VirusScan. All
      are available for immediate downloading typically with a 30 day free trial. For a more
      complete review of all major anti-virus programs, including specific configuration
      suggestions for each, see the HackFix Project's anti-virus software page [all are ext.
      links]. When you are done, make sure you've updated Windows with all security
      patches [ext. link].
   3. Anti-Trojan Programs: These programs are the most effective against trojan horse
      attacks, because they specialize in trojans instead of general viruses. A popular choice
      is The Cleaner, $30 commercial software with a 30 day free trial. To use it effectively,
      you must follow hackfix.org's configuration suggestions [ext. link]. When you are
      done, make sure you've updated Windows with all security patches [ext. link], then
      change all your passwords because they may have been seen by every "hacker" in the
      world.
   4. IRC Help Channels: If you're the type that needs some hand-holding, you can find
      trojan/virus removal help on IRC itself, such as EFnet #dmsetup or DALnet
      #NoHack. These experts will try to figure out which trojan(s) you have and offer you
      advice on how to fix it. The previous directions were in fact adapted from advice
      given by EFnet #dmsetup. (See our networks page if you need help connecting to
      those networks.)

Appendices:

These files were referred to in the text above, and provide additional information.

        IRChelp.org Security Page
        Hacker / Cracker / Trojan / Virus? - A Primer on Terminology
        How to unhide Windows file extensions

Why Use A Rootkit?
A rootkit allows someone, either legitimate or malicious, to maintain command and control over a
computer system, without the computer system user knowing about it. This means that the
owner of the rootkit is capable of executing files and changing system configurations on the target
machine, as well as accessing log files or monitoring activity to covertly spy on the user's computer
usage.

Is A Rootkit Malware?
That may be debatable. There are legitimate uses for rootkits by law enforcement or even by
parents or employers wishing to retain remote command and control and/or the ability to monitor
activity on their employees' or children's computer systems. Products such as eBlaster or Spector Pro
are essentially rootkits which allow for such monitoring.

However, most of the media attention given to rootkits is aimed at malicious or illegal
rootkits used by attackers or spies to infiltrate and monitor systems. But, while a rootkit
might somehow be installed on a system through the use of a virus or Trojan of some sort, the
rootkit itself is not really malware.

Detecting A Rootkit
Detecting a rootkit on your system is easier said than done. Currently, there is no off-the-shelf
product to magically find and remove all of the rootkits of the world like there is for viruses or
spyware.

There are various ways to scan memory or file system areas, or look for hooks into the
system from rootkits, but not many of them are automated tools, and those that are often
focus on detecting and removing a specific rootkit. Another method is just to look for bizarre
or strange behavior on the computer system. If there are suspicious things going on, you
might be compromised by a rootkit. Of course, you might also just need to clean up your
system using tips from a book like Degunking Windows.

In the end, many security experts suggest a complete rebuild of a system compromised by a
rootkit or suspected of being compromised by a rootkit. The reason is, even if you detect files
or processes associated with the rootkit, it is difficult to be 100% sure that you have in fact
removed every piece of the rootkit. Peace of mind can be found by completely erasing the
system and starting over.

Protecting Yourself From Rootkits
As mentioned above regarding detecting rootkits, there is no packaged application to guard against
rootkits. It was also mentioned above that rootkits, while they may be used for malicious purposes
at times, are not necessarily malware.

Many malicious rootkits manage to infiltrate computer systems and install themselves by
propagating with a malware threat such as a virus. You can safeguard your system from
rootkits by ensuring it is kept patched against known vulnerabilities, that antivirus software is
updated and running, and that you don't accept files from or open email file attachments from
unknown sources. You should also be careful when installing software and read carefully
before agreeing to EULAs (end user license agreements), because some may state overtly
that a rootkit of some sort will be installed.

So what does a Rootkit do?

What it does do, is provide access to all your folders – both private data and system files – to
a remote user who, through administrative powers, can do whatever he wants with your
computer. Needless to say, every user should be aware of the threat they pose.

Rootkits generally go much deeper than the average virus. They may even infect your BIOS –
the part of your computer that's independent of the Operating System – making them harder
to remove. And they may not even be Windows-specific, even Linux or Apple machines
could be affected. In fact, the first rootkit ever written was for Unix!

Is this a new phenomenon?

No, not at all. The earliest known rootkit is in fact two decades old. However, now that every
home and every work desk has a computer that is connected to the internet, the possibilities
for using the full potential of a rootkit are only just being realized.

Possibly the most famous case so far was in 2005, when CDs sold by Sony BMG installed
rootkits without user permission that allowed any user logged in at the computer to access the
administrator mode. The purpose of that rootkit was to enforce copy protection (called
"Digital Rights Management" or DRM) on the CDs, but it compromised the computer it was
installed on. This process could easily be hijacked for malicious purposes.

What makes it different from a virus?

Most often, rootkits are used to control and not to destroy. Of course, this control could be
used to delete data files, but it can also be used for more nefarious purposes.

More importantly, rootkits run at the same privilege levels as most antivirus programs. This
makes them that much harder to remove as the computer cannot decide on which program
has a greater authority to shut down the other.

So how might I get infected with a rootkit?

As mentioned above, a rootkit may piggyback along with software that you thought you
trusted. When you give this software permission to install on your computer, it also inserts a
process that waits silently in the background for a command. And, since to give permission
you need administrative access, this means that your rootkit is already in a sensitive location
on the computer.

Another way to get infected is by standard viral infection techniques – either through shared
disks and drives or through infected web content. This infection may not easily get spotted
because of the silent nature of rootkits.

There have also been cases where rootkits came pre-installed on purchased computers. The
intentions behind such software may be good – for example, anti-theft identification or
remote diagnosis – but it has been shown that the mere presence of such a path to the system
itself is a vulnerability.

So, that was what a rootkit is and how it creeps into a computer. In my next article I'll
discuss how to defend your computer from rootkits – from protection to cleaning up.

What is the difference between viruses, worms, and Trojans?

What is a virus?

A computer virus is a small program written to alter the way a computer operates, without
the permission or knowledge of the user. A virus must meet two criteria:

   1. It must execute itself. It often places its own code in the path of execution of
      another program.
   2. It must replicate itself. For example, it may replace other executable files with a
      copy of the virus-infected file. Viruses can infect desktop computers and network
      servers alike.

Some viruses are programmed to damage the computer by damaging programs,
deleting files, or reformatting the hard disk. Others are not designed to do any
damage, but simply to replicate themselves and make their presence known by
presenting text, video, and audio messages. Even these benign viruses can create
problems for the computer user. They typically take up computer memory used by
legitimate programs. As a result, they often cause erratic behavior and can result in
system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to
system crashes and data loss.

Five recognized types of viruses

File infector viruses. File infector viruses infect program files. These viruses normally
infect executable code, such as .com and .exe files. They can infect other files when an
infected program is run from a floppy, a hard drive, or the network. Many of these viruses
are memory resident. After memory becomes infected, any uninfected executable that runs
becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.

Boot sector viruses. Boot sector viruses infect the system area of a disk; that is, the boot
record on floppy disks and hard disks. All floppy disks and hard disks (including disks
containing only data) contain a small program in the boot record that is run when the
computer starts up. Boot sector viruses attach themselves to this part of the disk and
activate when the user attempts to start up from the infected disk. These viruses are always
memory resident in nature. Most were written for DOS, but all PCs, regardless of the
operating system, are potential targets of this type of virus. All that is required to
become infected is to attempt to start up your computer with an infected floppy disk.
Thereafter, while the virus remains in memory, all floppy disks that are not write-protected
will become infected when the floppy disk is accessed. Examples of boot sector viruses are
Form, Disk Killer, Michelangelo, and Stoned.

Master boot record viruses. Master boot record viruses are memory-resident viruses that
infect disks in the same manner as boot sector viruses. The difference between these two
virus types is where the viral code is located. Master boot record infectors normally save a
legitimate copy of the master boot record in a different location. Windows NT computers
that become infected by either boot sector viruses or master boot record viruses will not
boot. This is due to the difference in how the operating system accesses its boot
information, as compared to Windows 98/Me. If your Windows NT system is formatted with FAT
partitions, you can usually remove the virus by booting to DOS and using antivirus software.
If the boot partition is NTFS, the system must be recovered by using the three Windows NT
Setup disks. Examples of master boot record infectors are NYB, AntiExe, and Unashamed.

Multipartite viruses. Multipartite (also known as polypartite) viruses infect both boot
records and program files. These are particularly difficult to repair. If the boot area is
cleaned but the files are not, the boot area will be reinfected. The same holds true for
cleaning infected files: if the virus is not removed from the boot area, any files that you
have cleaned will be reinfected. Examples of multipartite viruses include One_Half, Emperor,
Anthrax, and Tequila.

Macro viruses. These types of viruses infect data files. They are the most common and have
cost corporations the most money and time trying to repair. With the advent of Visual Basic
in Microsoft's Office 97, a macro virus can be written that not only infects data files but
can infect other files as well. Macro viruses infect Microsoft Office Word, Excel, PowerPoint,
and Access files. Newer strains are now turning up in other programs as well. All of these
viruses use another program's internal programming language, which was created to allow
users to automate certain tasks within that program. Because of the ease with which these
viruses can be created, there are now thousands of them in circulation. Examples of macro
viruses include W97M.Melissa, WM.NiceDay, and W97M.Groov.
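Boot sector and master boot record infectors overwrite the code area of the first sector and leave the partition table alone (they stash a copy of the original boot record elsewhere so the machine still boots). The Python script below is an added example, not part of the original article and not a Symantec tool: it parses a 512-byte MBR, hashes the bootstrap code separately from the partition table, and reports which of the two changed against a stored baseline, which is exactly the "code changed, table unchanged" pattern such an infection leaves. The sector is synthetic and constructed inside the script; reading the real one needs raw device access (for example \\.\PhysicalDrive0 on Windows or /dev/sda on Linux) with administrator rights.

```python
import hashlib
import struct

SECTOR = 512
CODE_LEN = 446           # bootstrap code area: bytes 0..445
TABLE_OFF = 446          # four 16-byte partition entries: bytes 446..509
SIGNATURE = b"\x55\xaa"  # boot signature: bytes 510..511
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(code_fill=b"\xeb\x3c\x90"):
    """Construct a synthetic MBR (not dumped from any real disk): a short jump
    stub padded with NOPs, one bootable FAT16 partition, and the boot signature."""
    code = (code_fill + b"\x90" * CODE_LEN)[:CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 2097152)
    table = entry + b"\x00" * 16 * 3  # remaining three slots empty
    return code + table + SIGNATURE


def parse_mbr(sector):
    """Split a sector into a hash of its code area plus the decoded partition
    table. Rejects anything that is not 512 bytes ending in 0x55AA."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    partitions = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(baseline, current):
    """Report what differs between a known-good sector and the one read now.
    A boot-record infector shows up as code_changed without table_changed;
    a repartitioned disk shows up as table_changed."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    return {"code_changed": before["code_sha256"] != after["code_sha256"],
            "table_changed": before["partitions"] != after["partitions"]}


if __name__ == "__main__":
    clean = build_sample_mbr()
    # Same partition table, different code: what a boot-record infector leaves behind.
    suspect = build_sample_mbr(code_fill=b"\xfa\x33\xc0\x8e\xd0")
    print(compare_to_baseline(clean, suspect))
```

Because these viruses stay memory resident, a read performed on the running system may be intercepted and answered with the saved clean copy; take the baseline and the check from a known-clean boot medium, and store the baseline hash somewhere the infected machine cannot rewrite.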



What is a Trojan horse?

Trojan horses are impostors: files that claim to be something desirable but, in fact,
are malicious. A very important distinction between Trojan horse programs and true
viruses is that they do not replicate themselves. Trojan horses contain malicious code
that, when triggered, causes loss, or even theft, of data. For a Trojan horse to spread,
you must invite these programs onto your computer; for example, by opening an email
attachment or by downloading and running a file from the Internet. Trojan.Vundo is a
Trojan horse.

What is a worm?

Worms are programs that replicate themselves from system to system without the use of a
host file. This is in contrast to viruses, which require the spreading of an infected host
file. Although worms generally exist inside other files, often Word or Excel documents,
there is a difference between how worms and viruses use the host file. Usually the worm
will release a document that already has the "worm" macro inside it. The entire document
travels from computer to computer, so the entire document should be considered the worm.
W32.Mydoom.AX@mm is an example of a worm.
What is a virus hoax?

Virus hoaxes are messages, almost always sent by email, that amount to little more
than chain letters. Following are some of the common phrases that are used in these
hoaxes:

            If you receive an email titled [email virus hoax name here], do not open it!
            Delete it immediately!
            It contains the [hoax name] virus.
            It will delete everything on your hard drive and [extreme and improbable danger
            specified here].
            This virus was announced today by [reputable organization name here].
            Forward this warning to everyone you know!

Most virus hoax warnings do not deviate far from this pattern. If you are unsure if a
virus warning is legitimate or a hoax, additional information is available at the
Symantec Security Response online database.
What is not a virus?

Because of the publicity that viruses have received, it is easy to blame any computer
problem on a virus. The following are not likely to be caused by a virus or other
malicious code:

Hardware problems. No viruses can physically damage computer hardware, such as chips,
boards, and monitors.

The computer beeps at startup with no screen display. This is usually caused by a hardware
problem during the boot process. Consult your computer documentation for the meaning of
the beep codes.

The computer does not register 640 KB of conventional memory. This can be a sign of a
virus, but it is not conclusive. Some hardware drivers, such as those for the monitor or
SCSI card, can use some of this memory. Consult your computer manufacturer or hardware
vendor to determine if this is the case.

You have two antivirus programs installed and one of them reports a virus. This might be a
virus, but it can also be caused by one antivirus program detecting the other program's
signatures in memory. For additional information, see "Should you run more than one
antivirus program at the same time?"

Microsoft Word warns you that a document contains a macro. This does not mean that the
macro is a virus.

You cannot open a particular document. This is not necessarily an indication of a virus.
Try opening another document or a backup of the document in question. If other documents
open correctly, the document may be damaged.

The label on a hard drive has changed. Every disk is allowed to have a label. You can
assign a label to a disk by using the DOS Label command or from within Windows.

When you run ScanDisk, Norton AntiVirus Auto-Protect reports virus-like activity. For
instructions on what to do, read "Alert: Virus Like Activity detected. The application . . .
is attempting to write to the file . . . What would you like to do?"



Additional information

For the most up-to-date information on viruses, go to the Symantec Security
Response online database.

To submit a file or disk that you suspect is infected with a virus, please read one of
the following documents:

            Submitting a file to Symantec Security Response over the Internet or on a floppy
            disk
            Submitting a file to Symantec Security Response using Scan and Deliver

 What is safe computing?

 With all the hype, it is easy to believe that viruses lurk in every file, every email,
 every Web site. However, a few basic precautions can minimize your risk of
 infection. Practice safe computing and encourage everyone you know to do so as
 well.

 General precautions

               Do not leave a floppy disk in the floppy disk drive when you shut down or restart
               the computer.
               Write-protect your floppy disks after you have finished writing to them.
               Be suspicious of email attachments from unknown sources.
               Verify that attachments have been sent by the author of the email. Newer viruses
               can send email messages that appear to be from people you know.
               Do not set your email program to "auto-run" attachments.
               Obtain all Microsoft security updates.
               Back up your data frequently. Keep the write-protected media in a safe place,
               preferably in a different location than your computer.

 Specific to Norton AntiVirus

               Make sure that you have the most recent virus definitions. We recommend that
               you run LiveUpdate at least once per week. Symantec Security Response updates
               virus definitions in response to new virus threats. For additional information,
               please see How to Run LiveUpdate.
               Make sure that you have set Norton AntiVirus to scan floppy disks on access and at
               shutdown. Please see your User's Guide for information on how to do this in your
               version of Norton AntiVirus.
               Always keep Norton AntiVirus Auto-Protect running. Symantec Security Response
               now strongly recommends that you have Norton AntiVirus set to scan all files, not
               just program files.
               Scan all new software before you install it. Because boot sector viruses spread by
               floppy disks and bootable CDs, every floppy disk and CD should be scanned for
               viruses. Shrink-wrapped software, demo disks from suppliers, and trial software
               are not exempt from this rule. Viruses have been found even on retail software.
               Scan all media that someone else has given you.
               Use caution when opening email attachments. Email attachments are a major
               source of virus infections. Microsoft Office attachments for Word, Excel, and
               Access can be infected by macro viruses. Other attachments can contain file
               infector viruses. Norton AntiVirus Auto-Protect will scan these attachments for
               viruses as you open or detach them. We recommend that you enable email
               scanning, which will scan email attachments before the email message is sent to
               your email program.





Nine ways how hackers propagate malware (1 of 2)

Mar 24th, 2009 by carrumba

Malware propagation is one of the most fascinating parts of an attacker's activities, and
it is the part that attracts the most attention (besides the anger of the affected people).
It is where all the magic of infection and intrusion happens: attackers release the
malicious software into the wild and try to infect new victim systems as quickly, or as
selectively, as possible, while their victims are left wondering how the heck that could
have happened.

The goal of this article is to give you an overview of how and where attackers release
malware. It shows the common infection points where people first come into contact with
malware, and what action the software has to trigger to initiate the infection process.




Method 1 : Sending the Trojan horse as email attachment

One of the oldest but still very effective ways people get infected is via email, by opening
an attached file. Email is the most used way people communicate over the Internet. Almost
everyone owns an email address and uses it regularly. It is easy to use and accessible from
anywhere you have Internet access, and today most email services are free as well.

As already mentioned, sending malware as an email attachment was a propagation method in
the early days. The attacker prepared the Trojan horse, sent it to all the recipients on his
list and waited until the infected systems connected back. Simple and straightforward. The
only thing the recipient (the victim) had to do was double-click the attachment to initiate
the infection process. Back in those days antivirus software was not as widespread as it is
nowadays, and people were neither as cautious nor as sensitised to this kind of threat. Many
email users were only a double-click away from infection.

Today AV software is installed on virtually every computer and people are aware of the
threat, yet this way of propagation still works surprisingly well, although things have
become slightly more difficult for the attacker. Mail clients and gateway filters no longer
accept *.exe, *.com, *.bat or *.pif attachments outright, and AV software also inspects
archives such as *.zip or *.rar files for executables inside. If an archive contains files
with suspicious file-name extensions, a warning is raised and execution is interrupted. But
because there is still a large mass of potential victims among email users who obstinately
ignore any kind of warning, the infection rate is still high, and for an attacker this
archaic method is still promising and valuable.
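The filtering described above, as an added example that is not part of the original article: a Python attachment checker that refuses executable extensions, recurses into zip archives to find executables hidden inside (including archives nested in archives), and reports the two evasions an attacker reaches for next, double extensions such as invoice.pdf.exe and password-protected archives that cannot be opened for scanning. The blocked-extension list is an assumed policy built around the *.exe *.com *.bat *.pif set named in the text, and the attachments are constructed in the script rather than taken from any real message.

```python
import io
import zipfile

# Assumed gateway policy: extensions refused outright.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".pif", ".scr", ".cmd", ".vbs", ".js"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_DEPTH = 3  # refuse to recurse forever into archives nested inside archives


def suffixes_of(name):
    """All lower-case suffixes of a file name: 'invoice.pdf.exe' -> ['.pdf', '.exe'].
    Looking at every suffix, not just the last one, lets the report say what a
    double extension was trying to hide behind."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]


def inspect_attachment(name, data, depth=0):
    """Return a list of (path, reason) findings for one attachment. Archives are
    opened in memory and each member is inspected recursively."""
    findings = []
    suffixes = suffixes_of(name)
    if not suffixes:
        return findings
    last = suffixes[-1]
    if last in BLOCKED_EXTENSIONS:
        reason = "blocked extension " + last
        if len(suffixes) > 1:
            reason += " disguised behind " + suffixes[-2]
        findings.append((name, reason))
    elif last in ARCHIVE_EXTENSIONS:
        if depth >= MAX_DEPTH:
            findings.append((name, "archive nested too deeply to inspect"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    member = name + "/" + info.filename
                    if info.flag_bits & 0x1:
                        # Password-protected members cannot be scanned; the usual
                        # trick is to put the password in the email body instead.
                        findings.append((member, "encrypted member cannot be inspected"))
                        continue
                    findings.extend(inspect_attachment(member, archive.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append((name, "corrupt or unparseable archive"))
    return findings


def scan_attachments(attachments):
    """Map attachment name -> findings, for every attachment with at least one finding."""
    results = {}
    for name, data in attachments.items():
        findings = inspect_attachment(name, data)
        if findings:
            results[name] = findings
    return results


def build_sample_attachments():
    """Constructed sample attachments (not captured from a real message): a harmless
    PDF, a double-extension executable, and a zip hiding a screensaver executable
    inside a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("photo.jpg.scr", b"MZ" + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"pictures from the party")
        z.writestr("photos.zip", inner.getvalue())
    return {
        "report.pdf": b"%PDF-1.4\n",
        "invoice.pdf.exe": b"MZ" + b"\x00" * 64,
        "photos.zip": outer.getvalue(),
    }


if __name__ == "__main__":
    for name, findings in scan_attachments(build_sample_attachments()).items():
        for path, reason in findings:
            print(f"{name}: {path}: {reason}")
```

A name-based check like this is the cheap first layer only; a renamed executable (payload.txt, later renamed by a script) passes it, which is why the gateway should also look at file headers (the MZ signature) and why the text's point about users ignoring warnings still decides the outcome.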




Method 2 : Infection via browser bugs

The browser is doubtless the most used application on a computer. We use it to surf the
Internet, to check our mail of course, to chat, and many programs people once installed
locally on the computer are now loaded into the browser and ready to use, for example word
processors or spreadsheets. Browsers have become very important, and over the years their
functionality and extensions grew and changed their usage enormously. With this rapid
development and the ability to install plugins, the attack surface grew as well. Code
reviews were conducted more often, not only on the browsers but also on the plugins, and
revealed many critical (and less critical) bugs. These circumstances also attracted the
attackers' attention and opened new ways to spread their malware. By leading a victim to a
site that contains malicious HTML, scripting or plugin code, an attacker can force the
victim's browser to execute hidden actions, make it download and install the damage routine
of the Trojan horse, and so infect the system (a drive-by download).

This is much more convenient than the variant with the infected attachment. An email
containing a simple link to a web page doesn't seem suspicious, and additionally it is a
one-click infection (instead of a double-click).




Method 3 : Removable data storage devices

There was once a time when the classic computer virus propagated by sharing infected floppy
disks and executing program files. To share and to execute was simply the only method. Even
if floppy disks are not in use as a data storage device anymore (maybe you're still using
one as a boot device), the method itself is still in use. In the meantime CD-ROMs and USB
memory sticks have replaced floppy disks almost completely, and Microsoft introduced the
AutoRun feature, which executes commands automatically when a newly connected data storage
device is attached. This combination of removable storage devices and automatic execution
revived the ancient propagation method, and USB memory sticks and CD-ROMs/DVDs serve not
only as data storage media but also as hosts to infect computers with malware.

Here is an example of how the file autorun.inf has to look:

[autorun]
open=installMegapanzer.exe
icon=myIcon.ico

This way of malware propagation was used a lot in the past, and Microsoft as well as
installed third-party software will now trigger an alert if a data storage device uses the
autorun feature. So this method is not that reliable anymore and has its restrictions.

Additionally, and worth mentioning: a Trojan horse itself can, once running on a victim's
system, infect other writable USB data storage devices and so propagate in the old,
well-known manner, as happened with floppy disks. Ancient but proven.
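The check a defender (or an incident responder triaging a stick) wants for the autorun.inf shown above, as an added example that is not part of the original article: a small Python parser for the [autorun] section that flags every directive which launches code (open=, shellexecute=, and shell\<verb>\command= overrides of Explorer's context-menu verbs) and the action= string attackers used to imitate Explorer's own "Open folder to view files" entry so that the AutoPlay prompt looked harmless. The sample file is constructed here, modelled on the one in the text and extended with those two directives; the executable-suffix list is an assumption.

```python
import re

# Constructed sample: the autorun.inf from the text plus a shell verb override
# and an action= string that imitates Explorer's "Open folder to view files".
SAMPLE_AUTORUN = """[autorun]
open=installMegapanzer.exe
icon=myIcon.ico
action=Open folder to view files
shell\\open\\command=installMegapanzer.exe
"""

EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")


def parse_autorun(text):
    """Parse the [autorun] section into {key: value}. Keys are lower-cased, and
    lines that are not key=value pairs are skipped, because some samples pad
    the file with junk lines to confuse parsers."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launches_code(key):
    """True for directives that run a program: open=, shellexecute=, and any
    shell\\<verb>\\command= override of an Explorer context-menu verb."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def assess_autorun(text):
    """Return human-readable findings for one autorun.inf. An empty list means
    only cosmetic keys (icon=, label=) were present."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if launches_code(key):
            target = value.split()[0].strip('"').lower() if value else ""
            if target.endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"{key} launches executable {target}")
            else:
                findings.append(f"{key} runs {value!r}")
    action = entries.get("action", "")
    if re.search(r"open folder|view files", action, re.IGNORECASE):
        findings.append(f"action text imitates the Explorer prompt: {action!r}")
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print(finding)
```

Whether any of these directives actually runs depends on the Windows version and its AutoPlay settings, so treat a hit as "this medium was prepared to auto-launch something", not as proof that it did; the reliable mitigation is to disable AutoRun for removable media by policy rather than to trust the prompt.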

Method 4 : File sharing networks

Another common way to propagate malware is to use the various Internet-based file sharing
networks like BitTorrent, eMule, LimeWire etc. An attacker tries to get hold of a new release
of a popular piece of software and injects his malicious code into the genuine software
package. After this initial infection the attacker offers the infected file to other users
for download. There are two advantages to this method:

       If a victim downloads the infected file he is "expecting" an executable file and
       doesn't become suspicious just because of its file extension. He "will" execute it
       after downloading.
       Once the file has been downloaded by the first victim, the availability of the file
       has doubled: two people now offer the infected file for download. All the attacker has
       to do is make sure he is using a popular piece of software, and the propagation will
       advance at a fast pace.

What's coming up in the second article

The goal of this first part was to describe the methods attackers use to propagate their
malware by distributing it actively, by sending "something" to the victims and expecting
them to perform an action with this "something". These ways are well known to all of us
because the media constantly inform us about the threats we are exposed to and the latest
incidents that happened, and give us the relevant background information. In the next
article I will give you an understanding of how to inject malware into a victim's browsing
session by taking over and controlling his data stream. More subliminal, more state

Data-stealing malware is a web threat that divests victims of personal and proprietary
information with the purpose of monetizing the stolen data through direct use or underground
distribution. Content security threats that fall under this umbrella include keyloggers,
screen scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities
such as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in
a file download or direct installation, as most hybrid attacks do, files that act as agents
to proxy information fall into the data-stealing malware category.

Characteristics of data-stealing malware

Does not leave traces of the event

       The malware is typically stored in a cache that is routinely flushed
       The malware may be installed via a drive-by-download process
       The website hosting the malware as well as the malware is generally temporary or rogue
Frequently changes and extends its functions

       It is difficult for antivirus software to detect final payload attributes due to the
       combination(s) of malware components
       The malware uses multiple file encryption levels

Thwarts Intrusion Detection Systems (IDS) after successful installation

       There are no perceivable network anomalies
       The malware hides in web traffic
       The malware is stealthier in terms of traffic and resource use

Thwarts disk encryption

       Data is stolen during decryption and display
       The malware can record keystrokes, passwords, and screenshots

Thwarts Data Loss Prevention (DLP)

       Leakage protection hinges on metadata tagging, not everything is tagged
       Miscreants can use encryption to port data

Examples of data-stealing malware

       Bancos, an info stealer that waits for the user to access banking websites then spoofs pages
       of the bank website to steal sensitive information.
       Gator, spyware that covertly monitors web-surfing habits, uploads data to a server for
       analysis then serves targeted pop-up ads.
       LegMir, spyware that steals personal information such as account names and passwords
       related to online games.
       Qhost, a Trojan that modifies the Hosts file so that banking hostnames resolve to
       attacker-controlled addresses (bypassing DNS), then presents a spoofed login page to
       steal login credentials for those financial institutions.
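The Qhost technique above is one of the few that leaves a plain-text artifact on disk, so it is worth showing the check. The Python script below is an added example, not part of the original list or of any named product: it parses a hosts file and reports any watched domain (banks, security vendors, update servers) that is pinned to an address, distinguishing a redirect to a foreign address from a "blackhole" to loopback, which is how the same trick is used to stop antivirus updates. The hosts content and the watched-domain list are constructed for the example; on Windows the real file is C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed hosts file (not from a real infection). The first entries are the
# stock Windows defaults; the next two are what a Qhost-style trojan appends so a
# bank's hostname resolves to an attacker's address; the last blackholes an
# antivirus update host so the infection survives longer.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.test
203.0.113.45    online.examplebank.test   # trailing comments are ignored
127.0.0.1       liveupdate.symantec.com
"""

# Assumed watch list for the example; a real deployment loads its own.
WATCHED_SUFFIXES = ("examplebank.test", "windowsupdate.com", "symantec.com")
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, tolerating comments, blank lines and several
    hostnames on one line. Malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower()


def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return (hostname, ip, reason) findings. A watched domain mapped anywhere is
    reported: to loopback or 0.0.0.0 as a blackhole (update blocking), elsewhere as
    a redirect. Unwatched names mapped to a non-local address are reported too,
    since a clean workstation rarely has any."""
    findings = []
    for ip, host in parse_hosts(text):
        local = ip in LOOPBACK or ip.is_unspecified
        if host.endswith(watched):
            reason = "watched domain blackholed" if local else "watched domain redirected"
            findings.append((host, str(ip), reason))
        elif not local:
            findings.append((host, str(ip), "non-loopback entry"))
    return findings


if __name__ == "__main__":
    for host, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{host} -> {ip}: {reason}")
```

Treat a clean hosts file as necessary but not sufficient: the same redirect can be done by changing the machine's DNS server settings, by a browser proxy setting, or from inside the browser process, none of which this check sees.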

Data-stealing malware incidents

       Albert Gonzalez (not to be confused with the U.S. Attorney General Alberto Gonzales)
       is accused of masterminding a ring that used malware to steal and sell more than
       170 million credit card numbers in 2006 and 2007, the largest computer fraud in
       history at the time. Among the firms targeted were BJ's Wholesale Club, TJX, DSW
       Shoes, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21.[19]
       A Trojan horse program stole more than 1.6 million records belonging to several hundred
       thousand people from Monster Worldwide Inc’s job search service. The data was used by
       cybercriminals to craft phishing emails targeted at Monster.com users to plant additional
       malware on users’ PCs.[20]
       Customers of Hannaford Bros. Co., a supermarket chain based in Maine, were victims of a
       data security breach involving the potential compromise of 4.2 million debit and credit
       cards. The company was hit by several class-action law suits.[21]
       The Torpig Trojan has compromised and stolen login credentials from approximately
       250,000 online bank accounts as well as a similar number of credit and debit cards.
       Other information, such as email and FTP accounts from numerous websites, has also
       been compromised and stolen.
The trends appear quite similar to the month prior: the most popular encyclopedia
entry is still Bancos, and we still have several Vundo pages in the list. We covered
Vundo last month, so I'll go into a little more detail about the Bancos trojan.

Bancos is a password-stealing trojan that originally targeted Brazilian on-line banking
users. It's a relatively old and diverse family; we've been detecting it for several years
now and have seen thousands of unique samples. We first added it to MSRT in
September 2006. We've seen Bancos distributed via virtually all the usual propagation
vectors: spam emails, browser exploits, p2p, irc, disguised as other software, dropped
by other malware, just to name a few.

Bancos exhibits a wide variety of behaviors; however, essentially all variants attempt
to steal banking or financial passwords using one (or several) common techniques.
Some examples of these techniques include redirecting users to fake pages,
monitoring keystrokes, interfering with browsers, searching for cached passwords,
etc.

After it has started, Bancos typically will search the system for cached passwords and
then remain memory resident, waiting for a browser window with a title that it's been
instructed to look for. If a victim visits a page with a page title that the trojan is
looking for, it will typically either capture data or present the user with a false version
of the page, enabling it to capture the victim's credentials.

Once found, credentials are transmitted back to the distributor (often via email or ftp).
We've seen quite a few samples use mail servers belonging to large web-mail
providers to send the stolen credentials, often to yet another web-based e-mail account.

The bottom line is: change your passwords regularly, particularly after finding (and
removing) any malware running on your system. Even if the threat is removed, your
passwords may have already been leaked. :(

Characteristics

Malware is multi-functional and modular: there are many kinds of malware that can be used
together or separately to achieve a malicious actor's goal. New features and additional
capabilities are easily added to malware to alter and "improve" its functionality and
impact.[12] Malware can insert itself into a system, compromise the system, and then
download additional malware from the Internet that provides increased functionality.
Malware can be used to control an entire host[13] or network, it can bypass security
measures such as firewalls and anti-virus software, and it can use encryption to avoid
detection or conceal its means of operation.

Malware is available and user-friendly: malware is available online at a nominal cost, thus
making it possible for almost anyone to acquire. There is even a robust underground market
for its sale and purchase. Furthermore, malware is user-friendly and provides attackers with
a capability to launch sophisticated attacks beyond their skill level.

Malware is part of a broader cyber attack system: malware is being used both as a primary
form of cyber attack and to support other forms of malicious activity and cybercrime such as
spam and phishing. Conversely, spam and phishing can be used to further distribute malware.

How does malware work?

Malware is able to compromise information systems due to a combination of factors that
include insecure operating system design and related software vulnerabilities. Malware works
by running or installing itself on an information system, manually or automatically.[17]
Software may contain vulnerabilities, or "holes" in its fabric, caused by faulty coding.
Software may also be improperly configured, have functionality turned off, be used in a
manner not compatible with its intended use, or be improperly configured with other software.

Many types of malware such as viruses or trojans require some level of user interaction to
initiate the infection process, such as clicking on a web link in an e-mail, opening an
executable file attached to an e-mail, or visiting a website where malware is hosted. Once
security has been breached by the initial infection, some forms of malware automatically
install additional functionality such as spyware (e.g. a keylogger), a backdoor, a rootkit
or any other type of malware, known as the payload.[18]

Social engineering,[19] in the form of e-mail messages that are intriguing or appear to be
from legitimate organisations, is often used to convince users to click on a malicious link
or download malware. For example, users may think they have received a notice from their
bank, or a virus warning from the system administrator, when they have actually received a
mass-mailing worm. Other examples include e-mail messages claiming to be an e-card from an
unspecified friend, to persuade users to open the attached "card" and download the malware.
Malware can also be downloaded from web pages unintentionally by users. A recent study by
Google that examined several billion URLs and included an in-depth analysis of 4.5 million
found that, of that sample, 700 000 seemed malicious and 450 000 were capable of launching
malicious downloads.[20] Another report found that only about one in five websites analysed
were malicious by design. This has led to the conclusion that about 80% of all web-based
malware is being hosted on innocent but compromised websites, unbeknownst to their
owners.[21]
Stealing information

Over the past five years, information theft, and in particular online identity (ID)
theft,[50] has been an increasing concern to business, governments, and individuals.
Although malware does not always play a direct role,[51] ID theft directly using malware
has become increasingly common with the rise of backdoor trojans and other stealthy
programmes that hide on a computer system and capture information covertly.

As illustrated in Figure 1, online ID theft attacks using malware can be complex and can use
multiple Internet servers to distribute spam and malware, compromise users' information
systems, and then log the stolen data to another website controlled by the attacker or send
it to the attacker's e-mail account. Generally, the attacker operates under multiple domain
names and multiple IP addresses for each domain name and rapidly rotates them over the life
of the attack (for example, see botnet-hosted malware sites #1 and #2 in Figure 1).[52] The
use of multiple domain names and multiple hosts or bots (and their associated IP addresses)
is designed to increase the time available for capturing the sensitive information and to
reduce the effectiveness of efforts by affected organisations (such as banks), CSIRTs and
ISPs to shut down fraudulent sites. Under the domain name system (DNS) attackers are able to
quickly and easily change their DNS tables[53] to assign a new IP address to fraudulent web
and logging sites operating under a particular domain.[54] The effect is that as one IP
address is closed down, it is trivial for the site to remain active under another IP address
in the attacker's DNS table. For example, in a recent case IP addresses operating under a
single domain name changed on an automated basis every 30 minutes, and newer DNS services
have made it possible to reduce this time to five minutes or less. Attackers may use
legitimate existing domains to host their attacks, or register specially created fraudulent
domains. The only viable mitigation response to the latter situation is

Figure 1. Online ID theft attack system involving malware[56]

50. See DSTI/CP(2007)3/FINAL, where identity theft is defined as the unlawful transfer,
    possession, or misuse of personal information with the intent to commit, or in
    connection with, a fraud or other crime.
51. Identity theft attacks most often use social engineering techniques to convince the
    user to disclose information to what they assume is a trusted source. This technique,
    known as phishing, does not directly rely on the use of malware to work. It uses
    deceptive or "spoofed" e-mails and fraudulent websites impersonating the brand names of
    banks, e-retailers and credit card companies to deceive Internet users into revealing
    personal information. However, as many phishing attacks are launched from spam e-mails
    sent from botnets, malware is indirectly involved, as it is used to create the botnets
    which are in turn used to send the spam e-mail used in phishing attacks. Malware would
    be directly implicated when the spam e-mails contained embedded malware or a link to a
    website where malware would be automatically downloaded.
52. This is a technique known as "fast flux".
53. A DNS table provides a record of domain names and matching IP addresses.
54. See Annex B for a discussion of attacks using the DNS and attacks against the DNS.
55. AusCERT (2006), pp. 19-20.
Stealing information
Over the past five years, information theft, and in particular online identity (ID) theft,50 has been an
increasing concern to business, governments, and individuals. Although malware does not always
play a direct role,51 ID theft directly using malware has become increasingly common with the rise of
backdoor trojans and other stealthy programmes that hide on a computer system and capture
information covertly.
50 See DSTI/CP(2007)3/FINAL, where identity theft is defined as the unlawful transfer, possession, or misuse of personal information with the intent to commit, or in connection with, a fraud or other crime.
51 Identity theft attacks most often use social engineering techniques to convince the user to disclose information to what they assume is a trusted source. This technique, known as phishing, does not directly rely on the use of malware to work. It uses deceptive or "spoofed" e-mails and fraudulent websites impersonating brand names of banks, e-retailers and credit card companies to deceive Internet users into revealing personal information. However, as many phishing attacks are launched from spam e-mails sent from botnets, malware is indirectly involved: it is used to create the botnets which are in turn used to send the spam e-mail used in phishing attacks. Malware would be directly implicated when the spam e-mails contained embedded malware or a link to a website where malware would be automatically downloaded.
52 This is a technique known as "fast flux".
53 A DNS table provides a record of domain names and matching IP addresses.
54 See Annex B for a discussion on attacks using the DNS and attacks against the DNS.
55 AusCERT (2006) p. 19-20.
As illustrated in Figure 1, online ID theft attacks using malware can be complex and can use multiple
Internet servers to distribute spam and malware, compromise users' information systems, and then
log the stolen data to another website controlled by the attacker or send it to the attacker's e-mail
account. Generally, the attacker operates under multiple domain names and multiple IP addresses for
each domain name and rapidly rotates them over the life of the attack (for example, see botnet hosted
malware sites #1 and #2 in Figure 1).52 The use of multiple domain names and multiple hosts or bots
(and their associated IP addresses) is designed to increase the time available for capturing the
sensitive information and reduce the effectiveness of efforts by affected organisations (such as banks),
CSIRTs and ISPs to shut down fraudulent sites. Under the domain name system (DNS), attackers are
able to quickly and easily change their DNS tables53 to reassign new IP addresses to fraudulent web
and logging sites operating under a particular domain.54 The effect is that as one IP address is closed
down, it is trivial for the site to remain active under another IP address in the attacker's DNS table.
For example, in a recent case IP addresses operating under a single domain name changed on an
automated basis every 30 minutes, and newer DNS services have made it possible to reduce this time
to five minutes or less. Attackers may use legitimate existing domains to host their attacks, or register
specially created fraudulent domains. The only viable mitigation response to the latter situation is to
seek deregistration of the domain.55
DSTI/ICCP/REG(2007)5/FINAL 19
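The rotation pattern described above (one domain name, many bot-hosted IP addresses, changed every 30 minutes or less) is visible from the defender's side in passive DNS or resolver logs. The following is an added example, not code from the report or from AusCERT: it scores each domain by how many distinct addresses, spread across how many distinct /24 networks, it answered with inside a sliding window, and by its TTLs. The log lines, domain names (.invalid) and addresses (RFC 5737 documentation ranges) are constructed, and the thresholds are illustrative assumptions.

```python
"""Flag fast-flux style domains in DNS resolution records.

Added example, not code from the OECD report. A legitimate CDN or
load-balanced pool also rotates addresses, but usually inside one hosting
block, so the check requires network diversity as well as address churn.
Domain names and addresses below are constructed (.invalid names and
RFC 5737 documentation ranges); thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network
from statistics import median
from typing import Dict, List

# Constructed resolver log: "<ISO timestamp> <domain> <answer IP> <TTL seconds>"
SAMPLE_LOG = """\
2007-03-01T10:00:00 login-secure-update.invalid 192.0.2.10 300
2007-03-01T10:05:00 static.cdn-example.invalid 192.0.2.200 60
2007-03-01T10:10:00 www.example-bank.invalid 203.0.113.5 86400
2007-03-01T10:30:00 login-secure-update.invalid 198.51.100.7 300
2007-03-01T10:35:00 static.cdn-example.invalid 192.0.2.201 60
2007-03-01T11:00:00 login-secure-update.invalid 203.0.113.99 300
2007-03-01T11:05:00 static.cdn-example.invalid 192.0.2.202 60
2007-03-01T11:30:00 login-secure-update.invalid 192.0.2.77 300
2007-03-01T11:35:00 static.cdn-example.invalid 192.0.2.203 60
2007-03-01T12:00:00 login-secure-update.invalid 198.51.100.200 300
2007-03-01T12:10:00 www.example-bank.invalid 203.0.113.5 86400
"""


@dataclass
class Resolution:
    ts: datetime
    domain: str
    ip: str
    ttl: int


@dataclass
class FluxStats:
    distinct_ips: int    # most distinct answer IPs seen in any one window
    distinct_nets: int   # most distinct /24 networks seen in any one window
    median_ttl: float    # median TTL over all answers for the domain
    flagged: bool


def parse_log(text: str) -> List[Resolution]:
    """Parse the four-column log format; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, ip, ttl = line.split()
        records.append(Resolution(datetime.fromisoformat(ts),
                                  domain.lower().rstrip("."), ip, int(ttl)))
    return records


def subnet(ip: str, prefix: int = 24) -> str:
    """Collapse an address to its /24 so rotation inside one hosting block
    (a CDN, a load-balanced pool) is not mistaken for flux."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def analyse(records: List[Resolution], window: timedelta = timedelta(hours=2),
            min_ips: int = 4, min_nets: int = 3, max_ttl: int = 600) -> Dict[str, FluxStats]:
    """Score every domain. A domain is flagged when, inside one sliding
    window, it answered with at least min_ips addresses across at least
    min_nets /24 networks, and its TTLs are short enough to allow that churn."""
    by_domain: Dict[str, List[Resolution]] = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)

    stats: Dict[str, FluxStats] = {}
    for domain, recs in by_domain.items():
        recs.sort(key=lambda r: r.ts)
        best_ips = best_nets = 0
        for i, start in enumerate(recs):
            ips, nets = set(), set()
            for r in recs[i:]:            # every answer within `window` of `start`
                if r.ts - start.ts > window:
                    break
                ips.add(r.ip)
                nets.add(subnet(r.ip))
            best_ips = max(best_ips, len(ips))
            best_nets = max(best_nets, len(nets))
        ttl = median(r.ttl for r in recs)
        flagged = best_ips >= min_ips and best_nets >= min_nets and ttl <= max_ttl
        stats[domain] = FluxStats(best_ips, best_nets, ttl, flagged)
    return stats


def flagged_domains(text: str) -> List[str]:
    """Names in the log that look fast-fluxed, sorted."""
    return sorted(d for d, s in analyse(parse_log(text)).items() if s.flagged)


if __name__ == "__main__":
    for domain, s in analyse(parse_log(SAMPLE_LOG)).items():
        print(f"{domain:32} ips={s.distinct_ips} nets={s.distinct_nets} "
              f"ttl={s.median_ttl:.0f} {'FLUX' if s.flagged else 'ok'}")
```

On the constructed log only the rotating domain is flagged; the CDN-style name churns through four addresses but all in one /24, and the bank's name is stable with a long TTL.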
Figure 1. Online ID theft attack system involving malware56
[Figure 1 image not reproduced; labels recoverable from the figure: "Spam email is sent to"; "Captures information exchanged, including for Internet banking, e-tax, e-health, etc."]
56 AusCERT (2006) at 7.

Origin of malware attack

Malware is now spread around the world, and rankings60 tend to show that a whole host of countries
across the developed and the developing world are home to online criminals using malware. Although
attacks originating from one country may have local targets, the predominant trend is attacks that
originate internationally relative to their targets. In addition, geography may play a role depending on
the end goal of the attacker. For example, broadband Internet speeds differ from country to country. If
an attacker wishes to maximise network damage, he/she may use compromised computers located in
countries where broadband is prevalent. If the goal is to degrade service or steal information over
time, the attacker may use compromised computers from a variety of geographical locations.
Geographical distribution allows for increased anonymity of attacks and impedes identification,
investigation and prosecution of attackers.




95 See "Malware: Why should we be concerned?" for a discussion of the impacts from malware.
Basic economic rationale for malware
E-mail is not at an economic equilibrium between the sender and the recipient because it costs
virtually nothing to send. All the costs of dealing with spam and malware are passed on to the Internet
provider and the "unwilling" recipients, who are charged for protective measures, bandwidth and
other connection costs, on top of the costs of repairing the computer or having lost money to scams.
At the same time, criminals minimise their costs to the extreme: they pay no tax, escape the cost of
running a genuine business, and pay commission only to others in criminal circles worldwide and at a
comparatively low price. The cost to malicious actors continues to decrease as freely available e-mail
storage space increases. Further, the use of botnets makes it easier and even cheaper to send malware
through e-mail. Today's criminals often have access to cheap techniques for harvesting e-mail
addresses as well as easy access to malware and outsourced spamming services. Anti-detection
techniques are constantly evolving to make it cheaper to operate, and malicious actors can easily
switch ISPs if their activity is detected and their service terminated. Both the malware itself and the
compromised computers being used to launch further malware attacks are a low-cost, readily available
and easily renewable resource. High-speed Internet connections and increased bandwidth allow for the
mass creation of compromised information systems that comprise a self-sustaining attack system, as
illustrated by Figure 7. Furthermore, malicious actors can replace compromised information systems
that have been disconnected or cleaned, and they can expand the number of compromised information
systems as the demand for resources (namely malware and compromised information systems) for
committing cybercrime also grows.
Figure 7. Self sustaining attack system using malware
Note: this figure shows how malware is used to create a self sustaining resource of compromised computers that
serve as the backbone of malicious online activity and cybercrime. Information systems connected to the Internet
can become infected with malware. Those information systems are then used to scan and compromise other
information systems.

MALWARE: WHY SHOULD WE BE CONCERNED?
The growth of malware, and the increasingly inventive ways in which it is being used to steal personal
data, conduct espionage, harm government and business operations, or deny user access to
information and services, is a potentially serious threat to the Internet economy, to the ability to
further e-government for citizen services, to individuals' online social activities, and to national
security.
Malware-enabling factors
The capabilities of malware make it a prevalent "cybercriminal tool". However, broader economic
and social factors may contribute to its increased occurrence and the robust state of the malware
economy. The following describes some of those factors which, while they bring important benefits to
society, also facilitate the existence and promulgation of malware.
Broadband Internet and its users
In 2005, the International Telecommunication Union estimated 216 708 600 "fixed" broadband
Internet subscribers in the world.98 Furthermore, it is generally agreed that there are an average of
1 000 000 000 Internet users in the world today. As the number of subscribers and users increases, so
does the number of available targets for malware. The increased prevalence of high-speed Internet and
the availability of broadband wireless connections make it easy for malicious actors to successfully
carry out attacks, as they can compromise computers at faster rates, use the bandwidth to send massive
amounts of spam and conduct DDoS attacks. Furthermore, these "always on" connections allow
malicious actors to be mobile and to attack from any location, including public places such as Internet
cafes, libraries, coffee shops or even from a PDA or mobile phone device.99 Operating from public
places allows attackers to conduct their activities anonymously, thus making it difficult to detect and
trace their activities.
98 International Telecommunications Union (ITU) (2007) p. 23.
99 McAfee Inc. (2007) p. 02 and 10.
100 This could be the case for any Internet connection, broadband or otherwise.
101 OECD (2005) E-7.
It is important to note that while broadband technologies are an enabling factor, it is the behaviours
associated with these technologies that are problematic. For example, people often fail to adopt
appropriate security measures when using broadband technologies and therefore leave their
connection open without the appropriate security software installed.100
Ever more services available on line
Most governments, consumers and businesses depend on the Internet to conduct their daily business.
In 2004, the OECD found that, in most OECD countries, over 90% of businesses with 250 or more
employees had access to the Internet. Firms with 50 to 249 employees also had very high rates of
access.101 Home users rely on the Internet for their day-to-day activities, including shopping, banking
or simply exchanging information and conducting e-government and e-commerce transactions. As the
number of these services continues to increase, so does the likely community of users accessing these
services online.
This in turn increases the available targets for attack or exploitation, which provides further incentive
for criminals to conduct malicious activity.
Operating system and software vulnerabilities
The more vulnerable the technology, the more likely it is to be exploitable through malware. For
example, the security firm Symantec102 reported a 12% increase in the number of known
vulnerabilities from the first half of 2006 (January – June 2006) to the second half (June – December
2006), which they largely attribute to the continued growth of vulnerabilities in web applications.
Microsoft also reported an increase of nearly 2 000 disclosed vulnerabilities from 2005 to 2006.103 The
increase in vulnerabilities corresponds to an increase in incidents. Microsoft reported an increase in
the number of machines disinfected by its Malicious Software Removal Tool from less than 4 million
at the beginning of 2005 to more than 10 million at the end of 2006.104 It is important to note that the
absence of known reported vulnerabilities in a software product does not necessarily make that
product more secure than one that has known reported vulnerabilities; it may simply be that similar
effort has not been expended to find them. In addition, tools that find and exploit vulnerabilities are
improving; companies are doing more reporting of vulnerabilities and more people or "researchers"
than ever are probing software to find vulnerabilities. Finally, the greater complexity of software
(more interconnecting functions that need to work with an ever-growing universe of other software)
further increases the potential for vulnerabilities.
102 Symantec (2007) p. 38.
103 Microsoft (2006b) p. 8.
104 Microsoft (2006b) p. 20-21.
105 OECD (2007c) p. 33-34.
106 Brendler, Beau (2007) p. 4.
107 European Commission Eurobarometer (2007) p. 89.
Easy to target average Internet user
As the reliance of home users and small to medium sized enterprises (SMEs) on the Internet increases,
so do the malware threats they face. Consumers and business are increasingly exposed to a new range
of complex, targeted attacks that use malware to steal their personal and financial information.
Many Internet users are not adequately informed about how they can securely manage their
information systems. This lack of awareness and subsequent action or inaction contributes to the
increasing prevalence of malware. Most malware requires some form of user action or acceptance to
propagate. Recent surveys from various organisations show that while more users are taking measures
to protect their information systems, a large percentage of the population lacks basic protective
measures. For example, a 2005 report commissioned by the Australian Government, Trust and
Growth in the Online Environment, found that only one in seven computers in Australia use a firewall
and about one in three use up-to-date virus protection software.105 Furthermore, it is estimated that 59
million users in the US have spyware or other types of malware on their computers.106
The European Commission's Eurobarometer E-communications Household survey107 observed an
increase in consumer concerns about spam and viruses in 2006. For some EU Member States, up to
45% of consumers had experienced significant problems. In 40% of the cases, the computer performance
decreased significantly; in 27% of the cases a breakdown was observed. In the same survey, 19% of
consumers had no protection system at all on their computers. Other data also suggests that home
users are the most targeted of all the sectors,108 accounting for 93% of all targeted attacks,109 thus
highlighting that weak user security is one important enabler of malware.



125 Denning, Dorothy (2000).
126 Poulsen, Kevin (2003).
127 United States Nuclear Regulatory Commission (2003).
128 United States District Court Northern District Of Illinois Eastern Division (2007).
129 A recent OECD Report, The Development of Policies to Protect the Critical Information Infrastructure, highlights this point. See DSTI/ICCP/REG(2007)20/FINAL.
130 U.S.-Canada Power System Outage Task Force Final Report p. 131.
131 Greene, Tim (2007).
132 OECD (2007c) pg. 7.
Challenges to fighting malware
Protecting against, detecting and responding to malware has become increasingly complex as malware
and the underlying criminal activity which it supports are rapidly evolving and taking advantage of
the global nature of the Internet. Many organisations and individuals do not have the resources, skills
or expertise to prevent and/or respond effectively to malware attacks and the associated secondary
crimes which flow from those attacks, such as identity theft, fraud and DDoS. In addition, the scope of
one organisation's control to combat the problem of malware is limited.
Many security companies report an inability to keep up with the overwhelming amounts of malware
despite committing significant resources to analysis. One vendor dedicates 50 engineers to analysing
new malware samples and finding ways to block them, but notes that this is almost an impossible task,
with about 200 new samples per day and growing.131 Another company reported it receives an average
of 15 000 files, and as many as 70 000, per day from its product users as well as CSIRTs and
others in the security community.132 When samples and files are received, security companies
undertake a process to determine if the file is indeed malicious. This is done by gathering data from
other vendors, conducting automated analysis, or by conducting manual analysis when other methods
fail to determine the malicious nature of the code. One vendor estimated that each iteration of this cycle
takes about 40 minutes and that they release an average of 10 updates per day.133 Furthermore, there
are many security vendors who all have different insights into the malware problem.
133 OECD (2007c) pg. 7.
134 Information provided to the OECD by CERT.br, the national CSIRT for Brazil.
135 One website provides a survey of cybercrime legislation that documented 77 countries with some existing cybercrime law. See http://www.cybercrimelaw.net/index.html.
136 United States Department of Justice Computer Crime & Intellectual Property Section.
137 Green, Tim (2007a).
Most security technologies such as anti-virus or anti-spyware products are signature-based, meaning
they can only detect those pieces of malware for which an identifier, known as a "signature", already
exists and has been deployed. There is always a time lag between when new malware is released by
attackers into the "wild", when it is discovered, when anti-virus vendors develop their signatures, and
when those signatures are updated onto users' and organisations' information systems. Attackers
actively seek to exploit this period of heightened vulnerability. It is widely accepted that signature-
based solutions such as anti-virus programs are largely insufficient to combat today's complex and
prevalent malware. For example, one analysis134 that explores anti-virus detection rates for 17 different
anti-virus vendors reveals that, on average, only about 48.16% of malware was detected.
Circumstantial evidence such as this indicates that attackers are actively testing new malware
creations against popular anti-virus programs to ensure they stay undetected.
In addition, malicious actors exploit the distributed and global nature of the Internet as well as the
complications of law and jurisdiction bound by traditional physical boundaries to diminish the risks of
being identified and prosecuted. For example, a large portion of data trapped by attackers using
keyloggers is transmitted internationally to countries where laws against cybercrime are nascent, non-
existent or not easily enforceable. Although countries across the globe have recognised the
seriousness of cybercrime and many have taken legislative action to help reprimand criminals, not all
have legal frameworks that support the prosecution of cyber criminals.135 The problem however is
even more complicated as information may be compromised in one country by a criminal acting from
another country through servers located in a third country, all together further complicating the
problem.
Law enforcement agencies throughout the world have made efforts to prosecute cyber criminals. For
example, the Computer Crime and Intellectual Property Section of the US Department of Justice has
reported the prosecution of 118 computer crime cases from 1998 – 2006.136 Although global statistics
on arrests are hard to determine, one company estimated worldwide arrests at 100 in 2004, several
hundred in 2005 and then 100 again in 2006.137 While these cases did not necessarily involve
malware, they help illustrate the activities of the law enforcement community. It is important to note
that the individuals prosecuted are usually responsible for multiple attacks. These figures are low
considering the prevalence of online incidents and crime. They highlight the complex challenges
faced by law enforcement in investigating cybercrime.
Furthermore, the volatile nature of electronic evidence and the frequent lack of logged information
can often mean that evidence is destroyed by the time law enforcement officers can get the necessary
warrants to recover equipment. The bureaucracy of law enforcement provides good checks and
balances, but is often too slow to cope with the speed of electronic crime. Additionally, incident responders
often do not understand the needs of law enforcement and accidentally destroy electronic evidence.
Today, the benefits of malware seem to be greater for attackers than the risks of undertaking the
criminal activity. Cyberspace offers criminals a large number of potential targets and ways to derive
income from online victims. It also provides an abundant supply of computing resources that can be
harnessed to facilitate this criminal activity. Both the malware and compromised information systems
being used to launch the attacks have a low cost, are readily available and frequently updated. High
speed Internet connections and increased bandwidth allow for the mass compromise of information
systems that renew and expand the self sustaining attack system. By contrast, communities engaged in
fighting malware face numerous challenges that they cannot always address effectively.
MALWARE: WHAT TO DO?
Many would agree that the damage caused by malware is significant and needs to be reduced although
its economic and social impacts may be hard to quantify. That said, several factors should be
considered in assessing what action to take, and by whom, against malware. These include: the roles
and responsibilities of the various participants,138 the incentives under which they operate as market
players as well as the activities already undertaken by those communities more specifically involved
in fighting malware.
138 According to the 2002 OECD Guidelines for the Security of Information Systems and Networks: Towards a
Culture of Security, "participants" refers to governments, businesses, other organisations and individual users
who develop, own, provide, manage, service and use information systems and networks.
Roles of individual, business and government participants - Highlights
Malware affects individuals, business and government in different ways. All those participants can
play a role in preventing, detecting, and responding to malware with varying levels of competence,
resource, roles and responsibilities, as called for in the OECD Guidelines for the Security of
Information Systems and Networks: Towards a Culture of Security (the "OECD Security
Guidelines"). Better understanding the roles and responsibilities of the various participants in relation
to malware is important to assessing how to enhance the fight against malware. Among the various
participants, those concerned by malware are:

• Users (home users, small and medium-sized enterprises (SMEs), public and private sector
organisations) whose data and information systems are potential targets and who have different levels
of competence to protect them.

• Software vendors, who have a role in developing trustworthy, reliable, safe and secure software.

• Anti-virus vendors, who have a role in providing security solutions to users (such as updating anti-
virus software with the latest information on malware).

• Internet Service Providers (ISPs), who have a role in managing the networks to which the
aforementioned groups connect for access to the Internet.

• Domain name registrars and regulators, who determine if a domain is allowed to be registered and
potentially have the power to deregister a domain that is used to commit fraud or other criminal
activity, including, for example, the distribution of malware.

• CSIRTs, frequently the national or leading ones (often government), which have a role, for
example, in detecting, responding to and recovering from security incidents and issuing security
bulletins about the latest computer network threats or vulnerabilities associated with malware
attacks; or in co-ordinating nationally and internationally the resolution of computer network attacks
affecting their constituency or emanating from their constituency.

• Law enforcement entities, which have a mandate to investigate and prosecute cybercrime.

• Government agencies, which have a role to manage risks to the security of government information
systems and the critical information infrastructure.

• Governments and inter-governmental organisations, which have a role in developing national and
international policies and legal instruments to enhance prevention, detection and response to malware
proliferation and its related crimes.
ANNEX D - EXAMPLES OF MALWARE PROPAGATION VECTORS

E-mail: Malware can be "mass mailed" by sending out a large number of e-mail messages, with
malware attached or embedded. There are numerous examples of successful malware propagated
through mass-mailers, largely due to the ability of malicious actors to use social engineering to spread
malware rapidly across the globe.

Web: Attackers are increasingly using websites to distribute malware to potential victims. This relies
on spam e-mail to direct users to a website where the attacker has installed malware capable of
compromising a computer by simply allowing a browser connection to the website. If the website is a
legitimate and popular site, users will go there of their own accord, allowing their computers to
potentially become infected/compromised without the need for spam e-mail to direct them there.
There are two methods of infection via the web: compromise an existing website to host malware; or
set up a dedicated site to host malware on a domain specially registered for that purpose.

Instant messengers: Malware can propagate via instant messaging services on the Internet by sending
copies of itself through the file transfer feature common to most instant messenger programmes.
Instant messages could also contain web links that direct the user to another site hosting
downloadable malware. Once a user clicks on a link displayed in an instant messenger dialog box, a
copy of the malware is automatically downloaded and executed on the affected system.

Removable media: If malware is installed on removable media, such as a USB stick or CD-ROM, it
can infect and/or propagate by automatically executing as soon as it is connected to another computer.

Network-shared file systems: A network share is a remotely accessible digital file storage facility on a
computer network. A network share can become a security liability for all network users when access
to the shared files is gained by malicious actors or malware, and the network file sharing facility
included within the operating system of a user's computer has been otherwise compromised.

P2P programmes: Some malware propagates itself by copying itself into folders it assumes to be
shared (such as those with "share" in the folder name), or for which it activates sharing, and uses an
inconspicuous or invisible file name (usually posing as legitimate software, or as an archived image).

Internet Relay Chat (IRC): IRC is a form of Internet chat specifically designed for group
communications in many topical "channels," all of which are continuously and anonymously
available from any location on the Internet. Many "bot masters" (as the malefactors who operate
networks of malware-infected/compromised machines are often called; see the chapter "The Malware
Internet: Botnets") use IRC as the central command and control (C&C) communications channel for
co-ordinating and directing the actions of the bot-infected/compromised information systems in their
"botnet."

Bluetooth: Bluetooth is a wireless networking protocol that allows devices like mobile phones,
printers, digital cameras, video game consoles, laptops and PCs to connect at very short distances,
using unlicensed radio spectrum. Because the security mechanisms implemented in Bluetooth devices
tend to be trivially bypassed, such devices are vulnerable to malware through attack techniques which
have been called "bluejacking" or "bluesnarfing." A Bluetooth device is most vulnerable to this type
of attack when a user's connection is set to "discoverable", which allows it to be found by other
nearby Bluetooth devices.
Malware attack trends

The dynamic nature of malware keeps most security experts constantly on the lookout for new types
of malware and new vectors for attack. Due to the complex technical nature of malware, it is helpful
to examine overall attack trends to better understand how attacks using malware are evolving. As
mentioned previously, the use of malware is becoming more sophisticated and targeted. Attackers are
using increasingly deceptive social engineering techniques to entice users to seemingly legitimate web
pages that are actually infected and/or compromised with malware. Figure 2 illustrates the types of
attack that seem to be on the increase, those that are falling out of favour, and those for which the
trend remains unclear or not changed.




What is Spam?

Spam in a general sense is any email you don't want to receive. There are many types of
email that you may not want e.g. advertisements, newsletters, or questionnaires, however
these emails are not what the computer community refers to as spam. What the computer
community is most concerned with is illegal email spam.
My definition of illegal email spam is: attempts to deceive by falsification of seller identity
or email address, and use of other trickery (defrauding), in the hope of gaining monetary
advantage (stealing) from the email recipient and other parties.

The Federal Trade Commission's definition of spam: "Not all UCE is fraudulent, but fraud
operators - often among the first to exploit any technological innovation - have seized on the
Internet's capacity to reach literally millions of consumers quickly and at a low cost through
UCE. In fact, UCE has become the fraud artist's calling card on the Internet. Much of the
spam in the Commission's database contains false information about the sender, misleading
subject lines, and extravagant earnings or performance claims about goods and services.
These types of claims are the stock in trade of fraudulent schemes." (From the Prepared
Statement of the Federal Trade Commission on "Unsolicited Commercial Email", November 3, 1999.)

How does a spammer get your email address?

There are many ways a spammer can obtain your email address.
a. You can disclose it yourself by posting your email address on auctions, bulletin boards,
advertising, or email locators.

b. Businesses might sell your email address or other personal information to a spammer
(however, legitimate businesses do not do this.)

c. Spammers can use software programs to collect email addresses from web sites or they can
use random number generators to send spam out randomly.

What is a hacker?

A hacker is an individual who attempts to take control of someone else's computer by using
viruses, worms, and other types of Internet attacks. One of their favorite "tricks" is to use
hacked computers to bring down a large web site by overloading the targeted site with
millions of transmissions in a "denial of service" (DoS) attack.
While hackers were glorified in the early days of the Internet as people standing up for their
rights against big corporations and the Government, hacking is now the hobby of criminals
and thieves. Hackers prey on all citizens of the Internet and they are extremely dangerous to
individuals, corporations, and governments.

How does a hacker find your computer?

Most hack attempts against personal computers result from viruses and worms running from
an infected PC. It is not very difficult for the creator of the hacking program to predetermine
the Internet addresses that his program will attack.
There are also amateur hackers who use software programs to randomly check for online
computers to attack.

What makes Spamming or Hacking Illegal?

The U.S. Congress outlawed certain types of spam with the CAN-SPAM Act of 2003. The
law, which became effective January 1, 2004, covers email whose primary purpose is
advertising or promoting a commercial product or service, including content on a Web site.
However a "transactional or relationship message" – email that facilitates an agreed-upon
transaction or updates a customer in an existing business relationship – may not contain false
or misleading routing information, but otherwise is exempt from most provisions of the
CAN-SPAM Act.

The Federal Trade Commission (FTC), the nation's consumer protection agency, is
authorized to enforce the CAN-SPAM Act. CAN-SPAM also gives the Department of Justice
(DOJ) the authority to enforce its criminal sanctions. Other federal and state agencies can
enforce the law against organizations under their jurisdiction, and companies that provide
Internet access may sue violators, as well.

All 50 states have also passed anti-spam laws that have various penalties for illegal spammers
and hackers. If you don't live in a state with a strong anti-spam law, you are still protected
from fraudulent schemes, illegal pornography, and other illegal acts by various state and
federal laws.
In addition, if a spammer or hacker causes harm to a Government computer they are subject
to the penalties of USC Title 18, Part I, Chapter 47, Sec. 1030 (Fraud and related
activity in connection with computers).

Now that we have a definition of illegal spam and hacking, let's move on to the practical
matter of defending your computer against spammers and hackers.

Defending your computer against spammers and hackers

Avoiding Spam

1. One of the easiest things you can do to avoid spam is to never give out your real email
address. Your real email address should only be used with trusted friends and coworkers. For
all other types of email, and for situations that require an email address from you, you should
set up and use a junk email account. A junk email account is usually obtained from a free web
based email provider like Hotmail or our InfoHQ.com free email.

A junk email account is used for all types of correspondence where the recipient cannot
be trusted with your real email address. So use your junk email account for entering
contests, shopping, registering on web sites, etc. When your junk email address becomes so
full of spam that you get tired of managing it, delete it and get a new email account.
Spam problem solved: you start spam-free with a new email address.

2. Don't open junk email. The safest thing to do with junk email is to delete it.

Bad things can happen when you open junk email, such as the impossible-to-close window scam,
resetting of your homepage to the spam site, and loading of unwanted or hostile programs.

                    Note: Some experts are now claiming that you should
                    not have your email "preview pane" open as hostile
                    programs could be started just by the act of the email
                    being previewed.
                    I have never seen a program load from the preview
                    pane, however it is a good practice to close the
                    preview pane when dealing with suspicious email.

What is a firewall?

A firewall is essentially a filter. It is either a software program or a hardware device used in
computer systems to prohibit forbidden information from passing through, while allowing
approved information. The communication which the firewall prevents from passing through
could be hackers trying to gain access to your personal information stored on your computer.

How do firewalls work?

The firewall inspects all the information which is passed over the system and determines
whether it is a threat based upon a variety of factors. It then stops all potential threats from
passing through. The criteria which a firewall uses to determine whether or not information is
a threat are carefully determined.

Do I need a firewall on my personal computer?

Firewalls are important for anyone with online security concerns. Firewalls can be used by
businesses, known as a corporate firewall, or by individuals, known as a personal firewall. It
has long been known that firewalls are a necessity for businesses to protect their networks;
however, the demand for personal firewalls has also increased dramatically.

Hardware & Software Firewall

There are two types of firewalls: the Hardware Firewall and the Software Firewall. A
Software Firewall is a software program and a Hardware Firewall is a piece of hardware.
Both have the same objective of filtering communications over a system. Systems can use a
Hardware Firewall, a Software Firewall, or a combination of both.

Code red

This essay contains a description of several famous malicious computer programs (e.g., computer
viruses and worms) that caused extensive harm, and it reviews the legal consequences of each
incident, including the nonexistent or lenient punishment of the program's author.

It is not my intention to provide information on threats by current malicious programs: this essay is
only a historical document. (You can find information on current threats at websites operated by
vendors of anti-virus software.)

There are three reasons to understand past malicious programs:

        Learning how past incidents caused damage may help you protect your computer from
        future damage. I say may, because new types of threats are continually emerging.

        Because the law reacts to past events, learning about past harmful incidents shows us how
        the law should be corrected to respond appropriately to the new crimes of writing and
        distributing malicious computer programs.

        In May 2002, the Norton Anti-Virus software for Windows operating systems detected about
        61000 malicious programs. Astoundingly, there have been criminal prosecutions and
        convictions of the author(s) of only five malicious programs, all of which are described
        below:
            1. the Morris worm released in 1988,
            2. the author and distributors of the MBDF virus,
            3. the author of the Pathogen virus,
            4. the author of the Melissa virus, and
            5. the author of the Anna worm

        I hope that when people read this essay and become aware of both the malicious design and
        great harm caused by computer viruses and worms, readers will urge their legislators:

        a. to enact criminal statutes against authors of computer viruses and worms, with
           punishment to reflect the damage done by those authors, and
        b. to allocate more money to the police for finding and arresting the authors of
           malicious computer programs.


I have not cited a source for each fact mentioned in this essay, because most of these facts have
been reported at many different sources, and are well known to computer experts who are familiar
with viruses and worms. (I do cite a source for facts that are either not well known or controversial.)
Further, this essay is not a formal scholarly document, with numerous citations, but only an
informative review intended for attorneys, legislators, the general public, students, businessmen,
etc. Some general sources are mentioned later.

                                       Author did not know ....
The most common excuse made by criminal defense attorneys who represent authors of computer
worms and viruses is that their client did not know how rapidly the worm or virus would spread.
Because this excuse occurs in several of the cases presented below, let's discuss it at the beginning.

Such an excuse might be plausible to someone who had no understanding of the Internet and
computer programming. However, it is ridiculous to suggest that a computer programmer who
creates a worm is unaware that it will spread rapidly. Students who major in computer science,
mathematics, physics, or engineering learn in mathematics classes about geometric series. There is a
good reason why mathematics classes are required for science and engineering students:
mathematics is really useful for predicting results of experiments that one should not perform.

A good example of a geometric series is the propagation of a computer worm. Consider the
following hypothetical example in which each victim's computer provides the addresses of four new
victims, and the worm requires one hour to be received by the next wave of victims, to search the
next victim's computer and find four new addresses, then to be sent to the four new victims:


        time in hours      number of new victims
              1                        4
              2                       16
              3                       64
              4                      256
              5                     1024
              6                     4096
              7                    16384
              8                    65536
              9                   262144
             10                  1048576

In this hypothetical example, at 24 hours there would be approximately 10^14 new victims, which is a
ridiculous extrapolation, because there are only about 10^9 people on the planet earth. But this
example clearly shows the rapid growth of a geometric series and why authors of worms should not
be surprised when their worm rapidly gets out-of-control. Seen in this context, the criminal defense
attorney's statement that his/her client "did not know ...." is not plausible. Actually, the defense
attorney's statement is ludicrous.
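The geometric series above, worked through in code as an added example (not part of the essay). The fan-out of four and the one-hour hop come from the essay's table; the finite-population model, which assumes each newly infected host sends its four copies to uniformly random addresses and then stops, and all function names are this example's own, added to show where the unbounded extrapolation breaks down.

```python
from __future__ import annotations
import math

# Parameters taken from the essay's hypothetical: each victim supplies four new addresses and
# one hop takes one hour; 10^9 is the essay's rough figure for the planet's population.
FANOUT = 4
POPULATION = 10**9


def new_victims(hour: int, fanout: int = FANOUT) -> int:
    """Essay's unbounded model: the wave that arrives at `hour` contains fanout**hour hosts."""
    return fanout ** hour


def propagation_table(hours: int, fanout: int = FANOUT) -> list[tuple[int, int]]:
    """Rows of (hour, new victims), i.e. the essay's table for hours 1..hours."""
    return [(h, new_victims(h, fanout)) for h in range(1, hours + 1)]


def hour_population_exhausted(population: int, fanout: int = FANOUT) -> int:
    """First hour at which the unbounded model's cumulative count (patient zero plus every
    wave so far) reaches `population`; beyond this hour the extrapolation is meaningless."""
    total, hour = 1, 0
    while total < population:
        hour += 1
        total += new_victims(hour, fanout)
    return hour


def bounded_spread(population: int, hours: int, fanout: int = FANOUT) -> list[tuple[int, float, float]]:
    """Finite-population variant (this example's assumption, not the essay's): each newly
    infected host sends `fanout` copies to uniformly random addresses one hour after it was
    infected and then stops, exactly as in the table.  Expected values, not a random draw.
    Returns rows of (hour, expected new victims, expected cumulative victims)."""
    infected = 1.0   # cumulative, starting with patient zero
    wave = 1.0       # hosts sending their copies during the current hour
    rows = []
    for hour in range(1, hours + 1):
        susceptible = population - infected
        # P(a given susceptible host receives at least one of the fanout*wave copies);
        # log1p/expm1 keep the arithmetic accurate when that probability is tiny.
        p_hit = -math.expm1(fanout * wave * math.log1p(-1.0 / population))
        new = susceptible * p_hit
        infected += new
        wave = new
        rows.append((hour, new, infected))
    return rows


def first_hour_reaching(rows: list[tuple[int, float, float]], threshold: float) -> int | None:
    """Hour at which the cumulative column of `rows` first reaches `threshold`, else None."""
    for hour, _new, cumulative in rows:
        if cumulative >= threshold:
            return hour
    return None


if __name__ == "__main__":
    for hour, new in propagation_table(10):
        print(f"{hour:>3} {new:>10}")
    print(f"unbounded model at 24 h: {new_victims(24):.1e} new victims")
    print("cumulative victims exceed the population at hour", hour_population_exhausted(POPULATION))
    rows = bounded_spread(POPULATION, 30)
    print("finite model: half the population infected by hour", first_hour_reaching(rows, POPULATION / 2),
          f"; final share infected {rows[-1][2] / POPULATION:.4f}")
```

The finite model tracks the table exactly for the first dozen hours, then saturates: about 98% of the population is infected and the rest is never reached because every host sends only once.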

Even if one ignores the rapid growth of a geometric series, the historical examples of the rapid
propagation of the Christma Worm in Dec 1987 and the Morris Worm in Nov 1988 show what
happens when worms are released into computer networks. There is absolutely no need for another
"experiment" of this kind, as we already know what will happen. (I put "experiment" in quotation
marks, because the design and release of a computer virus or worm is a crime, not a legitimate
scientific experiment.)

Other examples of specious defenses for writing or releasing malicious programs are contained in
my essay on Computer Crime.


The Melissa virus was released on 26 March 1999 and was designed to infect macros in
wordprocessing documents used by the Microsoft Word 97 and Word 2000 programs. Macro viruses
were not new, they had been known since 1995.

The innovative feature of the Melissa virus was that it propagated by e-mailing itself to the first fifty
addresses in the Microsoft Outlook e-mail program's address book. This feature allowed the Melissa
virus to propagate faster than any previous virus. The virus arrived at each new victim's computer
disguised as e-mail from someone who they knew, and presumably trusted. (About 11 years earlier,
the Christma Worm automatically sent itself to everyone in a victim's e-mail address book on an IBM
mainframe computer.)

The Melissa virus propagated in two different ways:

    1. On PCs running the Microsoft Outlook 97 or 98 e-mail program, the Melissa virus used the
       Outlook program to send an e-mail containing an attachment, with a filename like
       list.doc. This file contained a Microsoft Word document with a macro, and a copy of the
       Melissa virus was inside the macro.

       When this e-mail was received by someone who had Microsoft Word on his/her computer
       (even if their computer was an Apple Macintosh), and the recipient clicked on the
       attachment, the document would open and the Melissa virus would automatically infect
       Word's normal.dot template file, thus infecting the recipient's computer.

        While Microsoft Outlook was necessary for the automatic sending of infected documents,
        the recipient of such e-mail could be infected even if the recipient used a non-Microsoft e-
        mail program.

    2. Infected Microsoft Word documents could be transmitted by floppy disks, usual e-mail sent
       by victim, etc. When such infected documents were opened in Microsoft Word, the Melissa
       virus would automatically infect Word's normal.dot template file, thus infecting the
       recipient's computer.


Many documents about the Melissa virus claim this virus was "relatively harmless" or "benign". That
claim is not true. There were a number of distinctly different harms caused by Melissa:

        Documents in Microsoft Word format were automatically sent, using Microsoft Outlook, to
        fifty people by the Melissa virus. Such automatic transmission could release confidential
        information from the victim's computer.

        When the day number equals the number of minutes in the current time (e.g., at 11:06 on
        the 6th day of the month), the Melissa virus inserted the following text in whatever
        document was then being edited in Word on the victim's computer:

        Twenty-two points, plus triple-word-score, plus fifty points for
        using all my letters. Game's over. I'm outta here.

        Such an insertion was a deliberate modification of data files on the victim's hard drive, an
        unauthorized tampering with the victim's document files.

        Future victims were most commonly infected by opening an attachment in an e-mail from
        someone who they knew, and presumably trusted. Until the workings of the Melissa virus
        were understood by all the victims, trusted relationships between people could be harmed
        by this unauthorized sending of e-mail.

        As with any rapidly propagating virus or worm, e-mail can be delayed, which sometimes has
        economic consequences (e.g., lost productivity).

        And, as with all viruses and worms, there was the cost of removing the infection and
        restoring the computer to normal.


The fact that the Melissa virus could have been more destructive (e.g., by deleting data files from
the victim's computer) is hardly praise for the author of the Melissa virus.

For more technical details on Melissa, see the CERT advisory and the F-Secure description.

Finally, using an Apple Macintosh gives one immunity from most computer viruses and worms.
However, Apple computer users who also use Microsoft Word 97 or later are vulnerable to the same
macro viruses that plague Word users on Microsoft Windows 95 or later. However, the Melissa virus
cannot automatically transmit itself by e-mail from a computer that uses the Macintosh operating
system.

                                        Melissa Perpetrator
The Melissa virus was written by David Lee Smith and first released on 26 March 1999 as an
attachment to his posting to an alt.sex newsgroup. That posting said the attachment contained a
list of passwords for pornographic websites, but the attachment actually contained his virus. Smith
named his virus "Melissa" after a topless dancer in Florida, who Smith knew.

It is obvious that Smith knew what he was doing was wrong, because he used a stolen AOL account
and password to make the initial release to the alt.sex newsgroup. Before his arrest, Smith
discarded the hard drives that were used to create his virus at his home in New Jersey, then he hid
at his brother's house, where David Lee Smith was arrested.

Smith was arrested on 1 April 1999. The CNN news report shows the police mugshot of Smith, with a
smirking expression. He was charged in federal court with violations of 18 USC § 1030(a)(5)(A) and in
New Jersey state court with violations of NJSA 2C:20-25(a) and 2C:20-26(a).

Smith was fired from his job doing computer programming at AT&T. He subsequently worked as a
computer technician at Rutgers University after his arrest. (Rutgers did not know that Smith had
been arrested for this crime.) Smith voluntarily quit his job at Rutgers six days before he pled guilty.

On 9 Dec 1999, Smith pled guilty in federal court. The plea agreement between prosecutors and
Smith had the following features:

        Smith would cooperate with authorities in thwarting other creators of malicious computer
        programs.
        It would be stipulated that the Melissa virus did "more than eighty million dollars of
        damage". (The actual amount was much, much higher – one estimate was US$ 1100 million.
        However, the stipulation became a "fact" accepted in court for the purposes of determining
        Smith's sentence.)
        Any state and federal prison sentences would run concurrently, and end at the same time.


On 1 May 2002, a judge in federal court imposed the following sentence on Smith:

        20 months in federal prison,
        36 months of "supervised release" (i.e., probation) after his prison term ends, during which
        time he can access the Internet only with the permission of his probation officer,
        fined US$ 5100, and
        ordered to serve 100 hours of "community service" work in the "technological field",
        perhaps giving lectures in schools about the harmfulness of computer viruses.

Apparently, the 29-month interval between Smith's guilty plea and his sentencing (an unusually long
interval) was the result of his cooperation with authorities in investigating other malicious computer
programs. The authorities did not reveal any details of the cooperation, so it is not possible to know
what the government got in exchange for more than halving Smith's prison sentence.

On 3 May 2002, a judge in New Jersey state court imposed the following sentence on Smith:

        the maximum allowable sentence of ten years in state prison. However, because of his plea
        agreement, Smith would serve only the 20 months in federal prison and then be a free man.
        fined US$ 2500.


Some documents in Smith's case have been posted on the Internet:

        Information filed by the U.S. Attorney for the District of New Jersey, charging David Lee
        Smith with violation of 18 USC § 1030(a)(5)(A).

        Letter of 8 Dec 1999 from the U.S. Attorney for New Jersey to the attorney representing
        David Smith, offering a plea agreement.

        DoJ press release about Smith's guilty plea.

        Judgment issued by Judge Greenaway on 1 May 2002.

        U.S. Attorney's 1 May 2002 press release about Smith's sentence. Another copy is at the DoJ
        website.



                                           weak punishment
If one accepts the legal stipulation that the Melissa virus did US$ 8 × 10^7 in damage, and one
considers Smith in prison to lose 16 hours/day of freedom (who cares where he sleeps for
8 hours/day?) for 20 months, then the effective value of Smith's time in prison is US$ 8330/hour.
That is a ridiculously high value for Smith's time.

The prosecutors ignored that Smith's virus fraudulently sent e-mails from each victim's computer to
new victims who were in the previous victim's e-mail address book. The new victims opened the
attachment in e-mail apparently from someone who they knew, and presumably trusted, and were
infected with a copy of Smith's virus. I believe society should express outrage at this kind of fraud.



                          Three worms: CodeRed, Sircam, Nimda
The year 2001 saw the introduction of many serious malicious programs: CodeRed, Sircam, Nimda,
BadTrans.B, and Klez. I treat the first three tersely in the following sections.

                                           CodeRed
The initial CodeRed worm was discovered on 16 July 2001. CodeRed targeted webservers, not
computers of users. This worm was propagated as an http get request, i.e. a request to get a
webpage from a server. If the server was running Microsoft Windows NT 4.0 or Windows 2000
operating systems, a defect in those operating systems allowed the worm to infect that server.

An interesting feature of CodeRed is that it does not reside in any file on the hard disk, but only
exists in semiconductor memory (RAM): this feature allows CodeRed to escape detection by a scan
of the hard disk with anti-virus software. Switching the infected computer off, then on, will remove
the infection, but webservers normally run continually (i.e., 24 hours/day, 7 days/week), unlike
computers in homes and offices that may be rebooted daily.

The CodeRed worm did different things depending on the day of the month. Most versions of
CodeRed used the following schedule:

    1. During the first 19 days of each month, the CodeRed worm sent out many http get
       requests to random IP addresses (i.e., websites and Internet users), seeking webservers to
       infect. This feature of CodeRed is essentially a port probe, looking for webservers running
       Windows NT 4.0 or Windows 2000 operating systems. The large number of bogus requests
       from CodeRed could mimic a denial-of-service attack on a webserver.

    2. During days 20 to 28 of each month, another feature of CodeRed makes a denial-of-service
       attack on the IP address that then corresponded to www.whitehouse.gov. The IP address
       of the U.S. President's website was changed to defeat CodeRed.

    3. After the 28th day of the month, CodeRed goes into a sleep state until the next month,
       although the server is still infected.

    4. Under certain circumstances, one early version of CodeRed running on a webserver that
       uses the English language will intercept requests for a webpage and return its own HTML
       code:

        Welcome to http:// www.worm.com !
        Hacked by Chinese!

        After 10 hours, CodeRed again returns the proper requested webpage. The temporary
        unavailability of some webpages will cause concern to webmasters, then the problem will
        "magically" disappear, frustrating operators of webservers who are trying to find the
        problem.



A CERT advisory showed that CodeRed infected 2.0 × 10^5 computers in just five hours on
19 July 2001, which was a rapid rate of infection and a good example of the geometric series mentioned
earlier in this essay. CERT said that "at least 280000 hosts were compromised in the first wave" of
attacks on 19 July 2001.

                                            CodeRed II

A new version of CodeRed appeared on 4 August 2001, called CodeRed II. The important new
feature of CodeRed II is the installation of a Trojan Horse program, which creates a backdoor into the
infected webserver. After this backdoor is installed, any web surfer can send commands by using any
web browser. Such commands could, for example, delete files from the webserver, or upload new
files to the webserver. The Trojan Horse also disables the system file checker function in Windows,
so that the modified operating system files can not be detected.

Whoever wrote CodeRed II did not like the Chinese, as that variant is designed to propagate faster,
and for a longer time, in webservers that use the Chinese language.

                                      Perpetrator of CodeRed

To the best of my knowledge, the author of the CodeRed worm was never identified, so there can be
no legal consequences for him.



                                             Sircam
The initial Sircam worm was discovered on 17 July 2001, about the same time as CodeRed first
appeared.

The worm arrived at a victim's computer in e-mail with the following text:

         Hi! How are you?
         [second line: one of four choices below]
         See you later. Thanks

There are four different versions of the second line of the e-mail text:

    1.   I send you this file in order to have your advice
    2.   I hope you can help me with this file that I send
    3.   I hope you like the file that I sendo you
    4.   This is the file with the information that you ask for

Clicking on the attached file infects the victim with the Sircam worm.

Note: the text of e-mail containing malicious programs often contains ungrammatical text,
punctuation errors (e.g., the missing periods in Sircam's text), or misspelled words, because the
author is a non-native speaker of English. Such mistakes in English text in an e-mail apparently from
an English-speaking country should alert the reader to the possibility of e-mail from a forged
address.

The Sircam worm inflicts several harms on the victim:

         a 2% chance that the file c:\recycled\sircam.sys will be created, then text is
         repeatedly added to this file until there is no more free space on the C: hard disk drive.

         on computers using the day/month/year date format and when the date is 16 October,
         there is a 5% chance that Sircam will delete all files and delete all directories on the C:
         hard disk drive.

         Sircam automatically sends copies of itself with the victim's e-mail address as the From:
         address. If Sircam can not find the victim's e-mail address, then Sircam will forge a From:
         address from the current username and one of four mail servers (e.g., @prodigy.net.mx).

        The To: addresses are harvested from the Windows Address Book and also from e-mail
        addresses found in the web browser cache files.

        The text of the e-mail was mentioned above.

        The e-mail has one attachment which contains a copy of the Sircam worm followed by the
        contents of a file with file type .doc or .zip from the My Documents folder on the victim's
        computer. This document could contain the victim's confidential information, which is then
        sent to numerous addresses.

        The name of the attachment had a double file extension, which like Melissa and Anna above,
        is symptomatic of a malicious attachment. The filename and left extension of the
        attachment was identical to the copied file from the victim's machine, Sircam then added a
        second file extension: either .com, .bat, .exe, .pif, or .lnk, which made the attachment
        an executable file type.

        Sircam uses its own internal mail program, so that copies of outgoing e-mail do not appear
        in the user's e-mail program's out-box. Thus the user does not know his/her computer is
        mailing copies of the Sircam worm to other people.

        The Sircam worm has a length of 137216 bytes. The additional space required by the
        document from the victim's computer makes the attachment even larger, perhaps more
        than 200000 bytes, which is larger than most webpages and most e-mail messages. This
        large file size helps Sircam clog the Internet.


Several anti-virus websites note that there is a bug in the Sircam worm that makes it "highly
unlikely" that the disk-space-filling and file-deleting will occur. However, the author of Sircam
apparently intended those harms to occur.
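The Sircam indicators listed above (the fixed three-line body with one of four second lines, the document extension followed by an executable one, and the 137216-byte worm length) turned into mail-gateway checks. This is an added example, not code from the essay; the Message fields, function names and sample messages are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Indicators taken from the essay: Sircam appended one of these executable extensions after the
# copied document's own .doc or .zip extension, and the worm body is 137216 bytes long.
EXECUTABLE_EXTENSIONS = {".com", ".bat", ".exe", ".pif", ".lnk"}
DOCUMENT_EXTENSIONS = {".doc", ".zip"}
SIRCAM_WORM_LENGTH = 137216

# The fixed body: first and third lines, with one of four possible second lines.
SIRCAM_FIRST_LINE = "Hi! How are you?"
SIRCAM_LAST_LINE = "See you later. Thanks"
SIRCAM_SECOND_LINES = {
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I sendo you",
    "This is the file with the information that you ask for",
}


@dataclass
class Message:
    """Minimal view of an inbound message; the field names are this example's own."""
    sender: str
    body: str
    attachment_name: str | None = None
    attachment_size: int = 0


def split_extensions(filename: str) -> list[str]:
    """'Report.DOC.PIF' -> ['.doc', '.pif']; a name without a dot gives []."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def has_executable_double_extension(filename: str) -> bool:
    """Sircam's trick: a document extension immediately followed by an executable one."""
    exts = split_extensions(filename)
    return len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and exts[-1] in EXECUTABLE_EXTENSIONS


def _normalize(line: str) -> str:
    """Collapse runs of whitespace so layout differences do not defeat the comparison."""
    return " ".join(line.split())


def matches_sircam_body(body: str) -> bool:
    """True when the non-empty body lines are exactly the three-line Sircam template."""
    lines = [_normalize(l) for l in body.splitlines() if l.strip()]
    return (len(lines) == 3 and lines[0] == SIRCAM_FIRST_LINE
            and lines[1] in SIRCAM_SECOND_LINES and lines[2] == SIRCAM_LAST_LINE)


def sircam_indicators(msg: Message) -> list[str]:
    """Names of the Sircam indicators present in `msg`; an empty list means none were seen."""
    hits = []
    exts = split_extensions(msg.attachment_name or "")
    if msg.attachment_name and has_executable_double_extension(msg.attachment_name):
        hits.append("double-extension-executable")
    if matches_sircam_body(msg.body):
        hits.append("sircam-body-template")
    # Size alone proves nothing; it is only an indicator for an executable attachment at least
    # as large as the worm body, which is what the essay's description implies.
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS and msg.attachment_size >= SIRCAM_WORM_LENGTH:
        hits.append("executable-at-least-worm-size")
    return hits


def sample_messages() -> list[Message]:
    """Constructed test data, not real captured mail."""
    return [
        Message("colleague@example.com",
                "Hi! How are you?\nI hope you like the file that I sendo you\nSee you later. Thanks",
                "budget2001.doc.pif", 200000),
        Message("colleague@example.com",
                "Hi! How are you?\nLunch tomorrow?\nSee you later. Thanks",
                "budget2001.doc", 50000),
        Message("vendor@example.com", "Invoice attached.", "archive.zip.exe", 10000),
    ]


if __name__ == "__main__":
    for msg in sample_messages():
        print(f"{msg.attachment_name!s:24} {sircam_indicators(msg) or 'clean'}")
```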

                                      Perpetrator of SirCam

To the best of my knowledge, the author of the SirCam worm was never identified, so there can be
no legal consequences for him. A copyright notice in the Sircam code says that this worm was made
in Mexico, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 10 May 2002 that a total of 1.0 × 10^6
computers worldwide had been infected with Sircam. The anti-virus software vendors Sophos and
Computer Associates both reported SirCam as the second most prevalent malicious program
infecting computers in the year 2001: SirCam accounted for 20% of the reports to Sophos in 2001.
On 17 May 2002, MessageLabs reported SirCam as the all-time most prevalent malicious program in
e-mail.

                                             Nimda
The Nimda worm was discovered on 18 September 2001 and it spread rapidly on the Internet.

Nimda had two novel features:

    1. Nimda could infect a computer when the user read or previewed an e-mail that contained a
       copy of Nimda. With all previous viruses or worms transmitted by e-mail, the user would
       need to click on an attachment to infect the user's computer.
    2. Nimda could modify webpages on a webserver, so that accessing those webpages could
       download a copy of Nimda to the browser's computer.

These two novel features represented a significant "advance" in ability to harm victims.

The first novel feature of Nimda exploited a defect in Microsoft Internet Explorer 5.01 and 5.5. A
patch that repairs this defect had been available from the Microsoft website since 29 March 2001,
but most computer users do not bother to install the latest updates. Why did a defect in a
web browser cause a vulnerability to worms sent by e-mail? Most modern e-mail is sent in HTML
format, the same format used by webpages, and e-mail software (e.g., Microsoft Outlook) uses
Internet Explorer web browser to display such e-mail. This vulnerability could be avoided by (1)
selecting either Netscape Navigator or Opera as the default browser and (2) using a non-Microsoft e-
mail program, such as Eudora.

The Nimda worm propagates in several different ways:

    1. Like the CodeRed worm, every copy of Nimda generates many random IP addresses to target
       http get requests, i.e. a request to get a webpage from a server. If the server was running
       Microsoft Windows NT 4.0 or Windows 2000 operating systems, a defect in those operating
       systems allowed the worm to infect that server.

        The name of the Nimda worm is a reversal of the computer term admin (administrator),
        which designates a user with the privilege of modifying system files. By exploiting a defect in
        Windows, the Nimda worm is able to act as an administrator.

    2. Once a webserver was infected by Nimda, the worm adds a small amount of Javascript code
       to webpages on that server with the filenames index, default, or readme and the
       extensions .html, .htm, or .asp.

        Nimda also creates a copy of itself in a file, readme.eml, on an infected webserver.

        Depending on the settings on the user's computer regarding Javascript, when the user
        accessed one of these altered webpages, the user's web browser might:
            o automatically download readme.eml and execute the Nimda worm, thus infecting
               the user's computer,
            o display a prompt to ask whether the user wanted to download the file readme.eml,
               or
            o automatically refuse to download the file.
3. Once every ten days, Nimda searches the hard drive of an infected computer to harvest e-
      mail addresses from the following sources:
          o in-boxes for the user's e-mail program (e.g., Microsoft Outlook)
          o *.HTML and *.HTM files in the user's web browser cache (also called the Temporary
              Internet Files folder).

       After harvesting e-mail addresses, Nimda selects one of these addresses as the From:
       address and the remainder as To: addresses, and sends copies of Nimda in an apparently
       blank e-mail.

       Note that the infected computer is not used as the From: address, so there is no easy way
       for the recipient of e-mail to determine whose computer sent the copy of Nimda.

       Nimda (like Sircam) uses its own internal mail program, so that copies of outgoing e-mail do
       not appear in the user's e-mail program's out-box. Thus the user does not know his/her
       computer is mailing copies of the Nimda worm to other people.

       As mentioned above, Nimda can infect the recipient's machine when the recipient either
       reads or previews the e-mail, without needing to click on an attachment.

   4. Nimda adds a copy of itself to the beginning of *.EXE files. Such executable files are
      sometimes transferred to other computers, which will spread the Nimda infection.


On 11 Oct 2001, hundreds of e-mails containing Nimda were sent with forged From: addresses that
appeared to originate from the manager of anti-virus research at F-Secure in Finland. Such forged
source addresses, whether a deliberate act or whether a random occurrence caused by execution of
a malicious program, damages the reputation of innocent people. (I elaborate on this point later in
this essay, in discussing the Klez program.)

For more technical details on Nimda, see the CERT advisory and the F-Secure description.

The Nimda worm has a length of 57344 bytes, which makes it a relatively large file compared to
many webpages and e-mail messages. This large file size helps Nimda clog the Internet.

I noticed CodeRed and Nimda at my professional website, where, up to 10 May 2002, there were
11238 requests for Windows NT operating system files, particularly cmd.exe. (These files do not
exist on the server that hosts my website, as that server runs the Unix operating system.) The
webhosting service that I use reported on 18 Sep 2001 that they were receiving approximately
8000 hits/second requesting cmd.exe. Such a high rate of requests approximates a denial-of-service
attack on a webserver.

                                     Perpetrator of Nimda
To the best of my knowledge, the author of the Nimda worm was never identified, so there can be
no legal consequences for him. The code for the Nimda contains a copyright notice stating that it
originated in communist China, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 14 May 2002 that a total of 1.2 × 106
computers worldwide had been infected with Nimda. The anti-virus software vendor Sophos
reported Nimda as the most prevalent malicious program in the year 2001: Nimda accounted for
27% of the reports to Sophos.


The anti-virus software vendor Trend Micro reported on 16 May 2002 that a total of 2.1 × 105
computers worldwide had been infected with BadTrans.B, which was only about 1/5 the number of
computers that TrendMicro reported as infected with Sircam or Nimda, which also appeared in the
year 2001. However, the anti-virus software vendor Computer Associates reported BadTrans.B as
the most prevalent malicious program in the year 2001. On 2 Dec 2001, MessageLabs filtered
BadTrans.B from one in every 57 e-mails, the second-highest daily infection rate seen by
MessageLabs. On 17 May 2002, MessageLabs reported the BadTrans.B worm was the all-time third-
most-common malicious program in e-mail.



                                               Klez
The original Klez program appeared on 26 October 2001. A number of variants appeared later, of
which the most significant were the E variant that first appeared on 17 January 2002 and the
H variant that first appeared on 17 April 2002. The H variant caused an epidemic from about
20 April 2002 through June 2002, and became the most widespread malicious program in the history
of the Internet.

Klez has properties of both a computer virus and worm, what the Norton Anti-Virus website calls a
"blended threat".

There are a number of varieties of the Klez program and they each do slightly different harms to the
victim's computer. Among these harms are:

        deposit a copy of an ElKern computer virus in the victim's computer. The early versions of
        this virus destroy information in all files on the victim's computer on 13 March and
        13 September of each year.
        the Klez program is released when the victim reads or previews e-mail with Microsoft
        Outlook. The same defect in Microsoft Internet Explorer was exploited earlier by both the
        Nimda and BadTrans worms.
        send copies of the Klez program via e-mail from the victim's computer, as discussed in more
        detail below.
        attempts to disable many common anti-virus programs by modifying the Windows registry
        file.
        on the 6th day of each odd-numbered month, attempts to overwrite many different files on
        the victim's hard drive with a pattern of all zeroes, thus destroying data in those files.
                              Three worms: CodeRed, Sircam, Nimda
The year 2001 saw the introduction of many serious malicious programs: CodeRed, Sircam, Nimda,
BadTrans.B, and Klez. I treat the first three tersely in the following sections.

                                             CodeRed
The initial CodeRed worm was discovered on 16 July 2001. CodeRed targeted webservers, not
computers of users. This worm was propagated as an http get request, i.e. a request to get a
webpage from a server. If the server was running Microsoft Windows NT 4.0 or Windows 2000
operating systems, a defect in those operating systems allowed the worm to infect that server.

An interesting feature of CodeRed is that it does not reside in any file on the hard disk, but only
exists in semiconductor memory (RAM): this feature allows CodeRed to escape detection by a scan
of the hard disk with anti-virus software. Switching the infected computer off, then on, will remove
the infection, but webservers normally run continually (i.e., 24 hours/day, 7 days/week), unlike
computers in homes and offices that may be rebooted daily.

The CodeRed worm did different things depending on the day of the month. Most versions of
CodeRed used the following schedule:

    1. During the first 19 days of each month, the CodeRed worm sent out many http get
       requests to random IP addresses (i.e., websites and Internet users), seeking webservers to
       infect. This feature of CodeRed is essentially a port probe, looking for webservers running
       Windows NT 4.0 or Windows 2000 operating systems. The large number of bogus requests
       from CodeRed could mimic a denial-of-service attack on a webserver.

    2. During days 20 to 28 of each month, another feature of CodeRed makes a denial-of-service
       attack on the IP address that then corresponded to www.whitehouse.gov. The IP address
       of the U.S. President's website was changed to defeat CodeRed.

    3. After the 28th day of the month, CodeRed goes into a sleep state until the next month,
       although the server is still infected.

    4. Under certain circumstances, one early version of CodeRed running on a webserver that
       uses the English language will intercept requests for a webpage and return its own HTML
       code:

        Welcome to http://www.worm.com !
        Hacked by Chinese!

        After 10 hours, CodeRed again returns the proper requested webpage. The temporary
        unavailability of some webpages will cause concern to webmasters, then the problem will
        "magically" disappear, frustrating operators of webservers who are trying to find the
        problem.



A CERT advisory showed that CodeRed infected 2.0 × 10⁵ computers in just five hours on
19 July 2001, which was a rapid rate of infection and a good example of geometric series mentioned
earlier in this essay. CERT said that "at least 280000 hosts were compromised in the first wave" of
attacks on 19 July 2001.

                                             CodeRed II

A new version of CodeRed appeared on 4 August 2001, called CodeRed II. The important new
feature of CodeRed II is the installation of a Trojan Horse program, which creates a backdoor into the
infected webserver. After this backdoor is installed, any web surfer can send commands by using any
web browser. Such commands could, for example, delete files from the webserver, or upload new
files to the webserver. The Trojan Horse also disables the system file checker function in Windows,
so that the modified operating system files can not be detected.

Whoever wrote CodeRed II did not like the Chinese, as that variant is designed to propagate faster,
and for a longer time, in webservers that use the Chinese language.

                                      Perpetrator of CodeRed

To the best of my knowledge, the author of the CodeRed worm was never identified, so there can be
no legal consequences for him.



                                             Sircam
The initial Sircam worm was discovered on 17 July 2001, about the same time as CodeRed first
appeared.

The worm arrived at a victim's computer in e-mail with the following text:

         Hi! How are you?
         [second line: one of four choices below]
         See you later. Thanks

There are four different versions of the second line of the e-mail text:

    1.   I send you this file in order to have your advice
    2.   I hope you can help me with this file that I send
    3.   I hope you like the file that I sendo you
    4.   This is the file with the information that you ask for

Clicking on the attached file infects the victim with the Sircam worm.
Note: the text of e-mail containing malicious programs often contains ungrammatical text,
punctuation errors (e.g., the missing periods in Sircam's text), or misspelled words, because the
author is a non-native speaker of English. Such mistakes in English text in an e-mail apparently from
an English-speaking country should alert the reader to the possibility of e-mail from a forged
address.

The Sircam worm inflicts several harms on the victim:

        a 2% chance that the file c:\recycled\sircam.sys will be created, then text is
        repeatedly added to this file until there is no more free space on the C: hard disk drive.

        on computers using the day/month/year date format and when the date is 16 October,
        there is a 5% chance that Sircam will delete all files and delete all directories on the C:
        hard disk drive.

        Sircam automatically sends copies of itself with the victim's e-mail address as the From:
        address. If Sircam can not find the victim's e-mail address, then Sircam will forge a From:
        address from the current username and one of four mail servers (e.g., @prodigy.net.mx).

        The To: addresses are harvested from the Windows Address Book and also from e-mail
        addresses found in the web browser cache files.

        The text of the e-mail was mentioned above.

        The e-mail has one attachment which contains a copy of the Sircam worm followed by the
        contents of a file with file type .doc or .zip from the My Documents folder on the victim's
        computer. This document could contain the victim's confidential information, which is then
        sent to numerous addresses.

        The name of the attachment had a double file extension, which like Melissa and Anna above,
        is symptomatic of a malicious attachment. The filename and left extension of the
        attachment was identical to the copied file from the victim's machine, Sircam then added a
        second file extension: either .com, .bat, .exe, .pif, or .lnk, which made the attachment
        an executable file type.

        Sircam uses its own internal mail program, so that copies of outgoing e-mail do not appear
        in the user's e-mail program's out-box. Thus the user does not know his/her computer is
        mailing copies of the Sircam worm to other people.

        The Sircam worm has a length of 137216 bytes. The additional space required by the
        document from the victim's computer makes the attachment even larger, perhaps more
        than 200000 bytes, which is larger than most webpages and most e-mail messages. This
        large file size helps Sircam clog the Internet.
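The double-extension attachment names described above (the stolen document's own name and extension, followed by a second, executable extension) are something a mail gateway can check for mechanically. The following is an added example, not code from the essay: it classifies attachment names by their trailing extensions, treating the five executable extensions the essay lists for Sircam as the dangerous set. The list of document extensions and the sample attachment names are constructed assumptions for the example.

```python
# Extensions that, as the essay notes for Sircam, make an attachment an
# executable file type on Windows.
EXECUTABLE_EXTENSIONS = {"com", "bat", "exe", "pif", "lnk"}

# Document-type extensions a recipient expects to see on an attachment.
# This set is an assumption for the example; tune it for your own gateway.
DOCUMENT_EXTENSIONS = {"doc", "xls", "ppt", "zip", "txt", "pdf", "jpg", "gif"}

# Constructed sample attachment names (not taken from any real message).
SAMPLE_ATTACHMENTS = [
    "Budget 2001.doc.pif",
    "family photo.jpg",
    "report.zip.exe",
    "minutes.doc",
    "setup.exe",
    "quarterly.xls.lnk",
]


def classify_attachment(filename):
    """Classify an attachment name by its trailing extension(s).

    Returns one of:
      "double-extension" - <name>.<document ext>.<executable ext>, the Sircam pattern
      "executable"       - a plain executable file type
      "ok"               - anything else
    """
    name = filename.strip().lower()
    parts = name.rsplit(".", 2)
    if (len(parts) == 3
            and parts[1] in DOCUMENT_EXTENSIONS
            and parts[2] in EXECUTABLE_EXTENSIONS):
        return "double-extension"
    if parts[-1] in EXECUTABLE_EXTENSIONS:
        return "executable"
    return "ok"


def flag_attachments(filenames):
    """Return [(filename, verdict)] for every attachment that is not 'ok'."""
    results = []
    for f in filenames:
        verdict = classify_attachment(f)
        if verdict != "ok":
            results.append((f, verdict))
    return results


if __name__ == "__main__":
    for f, verdict in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict:17s} {f}")
```

The check only looks at the name, which is enough to catch the pattern the essay describes; a gateway would normally combine it with a content-type check, since a plain `.exe` attachment is flagged here only as "executable", not as the stronger double-extension signal.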


Several anti-virus websites note that there is a bug in the Sircam worm that makes it "highly
unlikely" that the disk-space-filling and file-deleting will occur. However, the author of Sircam
apparently intended those harms to occur.

                                      Perpetrator of SirCam

To the best of my knowledge, the author of the SirCam worm was never identified, so there can be
no legal consequences for him. A copyright notice in the Sircam code says that this worm was made
in Mexico, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 10 May 2002 that a total of 1.0 × 10⁶
computers worldwide had been infected with Sircam. The anti-virus software vendors Sophos and
Computer Associates both reported SirCam as the second most prevalent malicious program
infecting computers in the year 2001: SirCam accounted for 20% of the reports to Sophos in 2001.
On 17 May 2002, MessageLabs reported SirCam as the all-time most prevalent malicious program in
e-mail.



                                          Nimda
The Nimda worm was discovered on 18 September 2001 and it spread rapidly on the Internet.

Nimda had two novel features:

    1. Nimda could infect a computer when the user read or previewed an e-mail that contained a
       copy of Nimda. With all previous viruses or worms transmitted by e-mail, the user would
       need to click on an attachment to infect the user's computer.
    2. Nimda could modify webpages on a webserver, so that accessing those webpages could
       download a copy of Nimda to the browser's computer.

These two novel features represented a significant "advance" in ability to harm victims.

The first novel feature of Nimda exploited a defect in Microsoft Internet Explorer 5.01 and 5.5. A
patch that repairs this defect had been available from the Microsoft website since 29 March 2001,
but most computer users do not bother to install the latest updates. Why did a defect in a
web browser cause a vulnerability to worms sent by e-mail? Most modern e-mail is sent in HTML
format, the same format used by webpages, and e-mail software (e.g., Microsoft Outlook) uses
Internet Explorer web browser to display such e-mail. This vulnerability could be avoided by (1)
selecting either Netscape Navigator or Opera as the default browser and (2) using a non-Microsoft e-
mail program, such as Eudora.

The Nimda worm propagates in several different ways:

    1. Like the CodeRed worm, every copy of Nimda generates many random IP addresses to target
       http get requests, i.e. a request to get a webpage from a server. If the server was running
       Microsoft Windows NT 4.0 or Windows 2000 operating systems, a defect in those operating
       systems allowed the worm to infect that server.

        The name of the Nimda worm is a reversal of the computer term admin (administrator),
        which designates a user with the privilege of modifying system files. By exploiting a defect in
        Windows, the Nimda worm is able to act as an administrator.

    2. Once a webserver was infected by Nimda, the worm adds a small amount of Javascript code
       to webpages on that server with filenames:
       index, default, or readme
       and extensions:
       .html, .htm, or .asp.

        Nimda also creates a copy of itself in a file, readme.eml, on an infected webserver.

        Depending on the settings on the user's computer regarding Javascript, when the user
        accessed one of these altered webpages, the user's web browser might:
            o automatically download readme.eml and execute the Nimda worm, thus infecting
               the user's computer,
            o display a prompt to ask whether the user wanted to download the file readme.eml,
               or
            o automatically refuse to download the file.

   3. Once every ten days, Nimda searches the hard drive of an infected computer to harvest e-
      mail addresses from the following sources:
          o in-boxes for the user's e-mail program (e.g., Microsoft Outlook)
          o *.HTML and *.HTM files in the user's web browser cache (also called the Temporary
              Internet Files folder).

       After harvesting e-mail addresses, Nimda selects one of these addresses as the From:
       address and the remainder as To: addresses, and sends copies of Nimda in an apparently
       blank e-mail.

       Note that the infected computer is not used as the From: address, so there is no easy way
       for the recipient of e-mail to determine whose computer sent the copy of Nimda.

       Nimda (like Sircam) uses its own internal mail program, so that copies of outgoing e-mail do
       not appear in the user's e-mail program's out-box. Thus the user does not know his/her
       computer is mailing copies of the Nimda worm to other people.

       As mentioned above, Nimda can infect the recipient's machine when the recipient either
       reads or previews the e-mail, without needing to click on an attachment.

   4. Nimda adds a copy of itself to the beginning of *.EXE files. Such executable files are
      sometimes transferred to other computers, which will spread the Nimda infection.


On 11 Oct 2001, hundreds of e-mails containing Nimda were sent with forged From: addresses that
appeared to originate from the manager of anti-virus research at F-Secure in Finland. Such forged
source addresses, whether a deliberate act or whether a random occurrence caused by execution of
a malicious program, damages the reputation of innocent people. (I elaborate on this point later in
this essay, in discussing the Klez program.)

For more technical details on Nimda, see the CERT advisory and the F-Secure description.

The Nimda worm has a length of 57344 bytes, which makes it a relatively large file compared to
many webpages and e-mail messages. This large file size helps Nimda clog the Internet.

I noticed CodeRed and Nimda at my professional website, where, up to 10 May 2002, there were
11238 requests for Windows NT operating system files, particularly cmd.exe. (These files do not
exist on the server that hosts my website, as that server runs the Unix operating system.) The
webhosting service that I use reported on 18 Sep 2001 that they were receiving approximately
8000 hits/second requesting cmd.exe. Such a high rate of requests approximates a denial-of-service
attack on a webserver.
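The requests for cmd.exe that the author counted on his Unix-hosted site are exactly the kind of scanning traffic a web server log can be mined for. The following is an added example, not from the essay: it parses Apache common-log lines, picks out requests for the files the worms asked for, and reports the count per source address and the busiest single second, since the essay's point is that the request rate itself approximates a denial of service. The log lines are constructed for this example; "cmd.exe" is the marker the essay mentions, and "default.ida" is the file CodeRed requested according to the CERT advisory, not the essay.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "common log" format. They are not real
# traffic; the addresses, timestamps and paths are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:10:01:03 +0000] "GET /index.html HTTP/1.0" 200 2326
10.0.0.7 - - [18/Sep/2001:10:01:04 +0000] "GET /scripts/../winnt/system32/cmd.exe HTTP/1.0" 404 209
10.0.0.7 - - [18/Sep/2001:10:01:04 +0000] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 209
10.0.0.9 - - [18/Sep/2001:10:01:05 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
10.0.0.5 - - [18/Sep/2001:10:01:09 +0000] "GET /about.html HTTP/1.0" 200 1184
10.0.0.7 - - [18/Sep/2001:10:01:10 +0000] "GET /_vti_bin/../winnt/system32/cmd.exe HTTP/1.0" 404 209
"""

# One common-log line: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markers of worm scanning traffic. "cmd.exe" is what the essay's server saw;
# "default.ida" is the file CodeRed requested (from the CERT advisory, assumed here).
PROBE_MARKERS = ("cmd.exe", "default.ida")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text):
    """Return the parsed records whose request path contains a probe marker."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(marker in rec["path"].lower() for marker in PROBE_MARKERS):
            hits.append(rec)
    return hits


def probes_by_source(hits):
    """Count probe requests per source IP address."""
    return dict(Counter(h["ip"] for h in hits))


def peak_per_second(hits):
    """Highest number of probe requests logged within any single second."""
    if not hits:
        return 0
    return max(Counter(h["ts"] for h in hits).values())


if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    print(f"{len(hits)} probe requests")
    for ip, n in sorted(probes_by_source(hits).items()):
        print(f"  {ip}: {n}")
    print(f"peak: {peak_per_second(hits)} probes in one second")
```

On a server that does not run Windows, every one of these requests is a 404 for a file that cannot exist, so the count is a clean measure of scanning pressure; on a Windows host the same query is the place to start when checking whether any such request returned 200.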

                                      Perpetrator of Nimda

To the best of my knowledge, the author of the Nimda worm was never identified, so there can be
no legal consequences for him. The code for the Nimda contains a copyright notice stating that it
originated in communist China, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 14 May 2002 that a total of 1.2 × 10⁶
computers worldwide had been infected with Nimda. The anti-virus software vendor Sophos
reported Nimda as the most prevalent malicious program in the year 2001: Nimda accounted for
27% of the reports to Sophos.



                                      BadTrans.B worm
The BadTrans.B worm was discovered on 24 Nov 2001. There was an epidemic from late
November 2001 through early January 2002.

This worm did the following things to a victim's computer:

        installs a Trojan Horse program to record the victim's keystrokes that are typed into any
        window with a title that begins PAS[sword], LOG[on], or four similar words that indicate an
        attempt to logon to some service. This program later e-mailed the collected keystrokes (e.g.,
        including username and password) to an e-mail address specified in the Trojan Horse.

        finds yet unread e-mail in Microsoft Outlook on the victim's machine and replies to those
        unread e-mails with a copy of the BadTrans worm in an attachment to the reply. This novel
        feature of the BadTrans worm increased the chances of propagation, since the recipient was
        expecting a reply from the victim.

        The From: address will be the victim's e-mail address if the worm can find that information
        in the victim's computer, otherwise the From: address will be chosen from a list of
        15 addresses, mostly with female names, contained in the worm. These 15 addresses
        connected to real people, who were selected by the author of the BadTrans worm. One of
        them, Joanna Castillo, posted a webpage about her experience. Also, the now-defunct
        Newsbytes website had an article about the "e-mail hell" experienced by Castillo and
        one other victim of the forged From: addresses.

        Before sending copies with the victim's From: address, the worm adds the underline
        character (i.e., _) to the beginning of that From: e-mail address. Such an additional
        character will prevent warnings from the recipient from reaching the victim. Also, any
        returned copies of the worm (e.g., because the worm replied to spam that had an invalid,
        forged address) will not reach the victim and inform him/her of the unauthorized sending
        from his/her computer.

        Some variants of the BadTrans worm also sent copies of the worm to e-mail addresses found
        in previously read e-mail in the victim's inbox or to addresses contained in files of types
        *.htm, *.html, and *.asp in documents downloaded from the Internet.

        exploits a defect in Microsoft Internet Explorer that allows the worm to be launched without
        the victim opening an attachment. The same defect was exploited earlier by the Nimda
        worm.



                                   BadTrans.B Perpetrator
To the best of my knowledge, the author of the BadTrans worm was never identified, so there can
be no legal consequences for him.

The anti-virus software vendor Trend Micro reported on 16 May 2002 that a total of 2.1 × 10⁵
computers worldwide had been infected with BadTrans.B, which was only about 1/5 the number of
computers that TrendMicro reported as infected with Sircam or Nimda, which also appeared in the
year 2001. However, the anti-virus software vendor Computer Associates reported BadTrans.B as
the most prevalent malicious program in the year 2001. On 2 Dec 2001, MessageLabs filtered
BadTrans.B from one in every 57 e-mails, the second-highest daily infection rate seen by
MessageLabs. On 17 May 2002, MessageLabs reported the BadTrans.B worm was the all-time third-
most-common malicious program in e-mail.



                                                 Klez
The original Klez program appeared on 26 October 2001. A number of variants appeared later, of
which the most significant were the E variant that first appeared on 17 January 2002 and the
H variant that first appeared on 17 April 2002. The H variant caused an epidemic from about
20 April 2002 through June 2002, and became the most widespread malicious program in the history
of the Internet.

Klez has properties of both a computer virus and worm, what the Norton Anti-Virus website calls a
"blended threat".

There are a number of varieties of the Klez program and they each do slightly different harms to the
victim's computer. Among these harms are:

        deposit a copy of an ElKern computer virus in the victim's computer. The early versions of
        this virus destroy information in all files on the victim's computer on 13 March and
        13 September of each year.
        the Klez program is released when the victim reads or previews e-mail with Microsoft
        Outlook. The same defect in Microsoft Internet Explorer was exploited earlier by both the
        Nimda and BadTrans worms.
        send copies of the Klez program via e-mail from the victim's computer, as discussed in more
        detail below.
        attempts to disable many common anti-virus programs by modifying the Windows registry
        file.
        on the 6th day of each odd-numbered month, attempts to overwrite many different files on
        the victim's hard drive with a pattern of all zeroes, thus destroying data in those files.
        randomly selects a file of type .doc, .rtf, .pdf, .jpg, among other possibilities, to
        append to the attachment containing the Klez program, thus possibly sending confidential
        information from the victim to future victims.

This long list of harms shows that the author of Klez had a truly malicious intent.

                                            sending copies

        The Klez program propagated by sending e-mail that contains Klez in an attachment. The
        subject line, body of the e-mail, and name of the attachment were randomly selected from a
        long list of possibilities contained in the Klez program. (This is unlike the Anna worm
        discussed above, where the attachment always had the same name and could be easily
        recognized by someone who had been warned by the news media.)
Vital Information Resource Under Siege (VIRUS)

    •   Moves around in e-mail messages

    •   Usually replicates itself by automatically mailing itself to dozens of people in the victim's
        e-mail address book.

Example: "MELISSA VIRUS"

        Types of virus

            –   File infector virus

                    •    Infects program files

            –   Boot sector virus

                    •    Infects the system area of a disk

            –   Master boot record virus

                     •   Infects disks in the same manner as boot sector viruses. The difference
                         between these two virus types is where the viral code is located.

            –    Multi-partite virus

                     •   Infects both boot records and program files

            –    Macro virus

                     •   Infects data files. Examples: Microsoft Office Word, Excel, PowerPoint and
                         Access files

     Melissa virus 1999

Melissa virus spread in Microsoft Word documents sent via e-mail.

How it works?

    •   Created as a Word document.

    •   Uploaded to an Internet newsgroup.

    •   Anyone who downloaded the document and opened it would trigger the virus.

    •   Sent friendly e-mail messages to the first 50 people in the victim's address book.

    CODE RED WORM

    •   Code Red made huge headlines in 2001.

    •   It slowed down Internet traffic when it began to replicate itself.

    •   Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that did
        not have the security patch installed.

    •   Each time it found an unsecured server, the worm copied itself to that server.

In computer terminology, polymorphic code is code that uses a polymorphic engine to
mutate while keeping the original algorithm intact. That is, the code changes itself each time
it runs, but the function of the code (its semantics) will not change at all. This technique is
sometimes used by computer viruses, shellcodes and computer worms to hide their
presence.[1]

Encryption is the most common method to hide code. With encryption, the main body of the
code (also called its payload) is encrypted and will appear meaningless. For the code to
function as before, a decryption function is added to the code. When the code is executed this
function reads the payload and decrypts it before executing it in turn.
Encryption alone is not polymorphism. To gain polymorphic behavior, the
encryptor/decryptor pair are mutated with each copy of the code. This allows different
versions of some code while all function the same.[2]


Malicious code

Most anti-virus software and intrusion detection systems (IDS) attempt to locate malicious
code by searching through computer files and data packets sent over a computer network. If
the security software finds patterns that correspond to known computer viruses or worms, it
takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for
such software to recognise the offending code because it constantly mutates.

Malicious programmers have sought to protect their encrypted code from this virus-scanning
strategy by rewriting the unencrypted decryption engine (and the resulting encrypted
payload) each time the virus or worm is propagated. Anti-virus software uses sophisticated
pattern analysis to find underlying patterns within the different mutations of the decryption
engine, in hopes of reliably detecting such malware.

Emulation may be used to defeat polymorphic obfuscation by letting the malware demangle
itself in a virtual environment before utilising other methods, such as traditional signature
scanning. Such virtual environment is sometimes called a sandbox. Polymorphism does not
protect the virus against such emulation, if the decrypted payload remains the same regardless
of variation in the decryption algorithm. Metamorphic code techniques may be used to
complicate detection further, as the virus may execute without ever having identifiable code
blocks in memory that remain constant from infection to infection.
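The contrast drawn above between static signature scanning and emulation is easy to see on a toy model. The following is an added example, not from the article or from any real scanner: a harmless marker string stands in for the encrypted body, a one-byte XOR key stands in for the part of the decryptor that changes from copy to copy, and two scanners are compared. The static scanner looks for the signature in the bytes as stored; the "emulated" scanner first runs the decryption step and scans the result. The payload, signature and keys are all constructed for the example.

```python
# Constructed toy "payload": a harmless marker string standing in for the body
# a real polymorphic program would hide. Nothing here executes anything.
PAYLOAD = b"TOY-PAYLOAD: print('hello')"

# The signature a scanner would hold for this payload.
SIGNATURE = b"TOY-PAYLOAD"


def xor_bytes(data, key):
    """Toy encryptor/decryptor: XOR every byte with a one-byte key."""
    return bytes(b ^ key for b in data)


def make_sample(key):
    """Build one 'generation' of the toy.

    The leading byte is the varying decryptor parameter (the key); the rest is
    the payload encrypted under that key. Each key yields different bytes on
    disk while the decrypted payload stays the same, which is the situation
    the article describes for polymorphic code.
    """
    return bytes([key]) + xor_bytes(PAYLOAD, key)


def static_scan(sample, signature=SIGNATURE):
    """Signature matching on the bytes as stored."""
    return signature in sample


def emulated_scan(sample, signature=SIGNATURE):
    """Run the decryption step first (the 'sandbox' approach), then scan."""
    key, body = sample[0], sample[1:]
    return signature in xor_bytes(body, key)


def compare_detection(keys):
    """Count how many generations each scanner catches."""
    samples = [make_sample(k) for k in keys]
    return {
        "distinct_on_disk": len(set(samples)),
        "static_hits": sum(static_scan(s) for s in samples),
        "emulated_hits": sum(emulated_scan(s) for s in samples),
    }


if __name__ == "__main__":
    print(compare_detection([0x5A, 0xA7, 0x13]))
```

The emulated scanner works only because, as the article says, the decrypted payload is the same in every generation; a metamorphic program that rewrote the payload itself would defeat this model too. Note also that a generation with key 0 is stored in the clear and is caught by the static scanner, which is why signature scanning still has value alongside emulation.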

The first known polymorphic virus was written by Mark Washburn. The virus, called 1260,
was written in 1990. A more well-known polymorphic virus was created in 1992 by the
hacker Dark Avenger (a pseudonym) as a means of avoiding pattern recognition from
antivirus software. A common and very virulent polymorphic virus is the file infecter Virut.

In computer terminology, polymorphic code is code that uses a polymorphic engine to
mutate while keeping the original algorithm intact. That is, the code changes itself each time
it runs, but the function of the code (its semantics) will not change at all. This technique is
sometimes used by computer viruses, shellcodes and computer worms to hide their
presence.[1]



Encryption is the most common method to hide code. With encryption, the main body of the
code (also called its payload) is encrypted and will appear meaningless. For the code to
function as before, a decryption function is added to the code. When the code is executed this
function reads the payload and decrypts it before executing it in turn.

Encryption alone is not polymorphism. To gain polymorphic behavior, the
encryptor/decryptor pair is mutated with each copy of the code. This yields many different
versions of the code that all function identically.[2]


                  Understanding encryption and polymorphism


Escalation is a good word to use here.

Virus programmers may encrypt messages so they cannot be easily seen. In the
same way, many viruses contain encrypted code to hide what they do. Before there
were virus scanners, there were programs written to detect possible Trojans. One
such program was written by Andy Hopkins in 1984 and was called CHK4BOMB.
When you used it to check out a program, it would alert you to anything suspicious
in the program, like direct disk writes and formatting, as well as print out any
messages it found. Obviously, a fully encrypted program, even one that did and said
nasty things, would look safe on examination.

Yet encrypted viruses are not completely encrypted. Encrypted code is no longer
executable code--it simply won't run. For an encrypted virus to actually run, it has
to decrypt its code and data. The portion that does this decryption is not encrypted
because it has to run. This portion is referred to as a decryptor.

                           Encryption techniques
Some viruses use very simple encryption techniques such as incrementing, decrementing,
or rotating each byte in the code. They may also negate or logically NOT each byte. Such
encryption does not require an encryption key--an additional value used in encrypting each
byte or word (two bytes). Techniques that use a key include adding, subtracting and
xoring. A key value can also be used in rotating a byte. Additionally, keys themselves come
in three types.

A static key is one that doesn't change as the virus uses it--it is a set value. Viruses
using a static key might add 128 to each byte, rotate each byte 3 places to the right,
or xor each word with 0F8F8h.

A variable key is where the key value varies in some way. This key starts as a static
value and is then modified during the decryption. The key may itself be
incremented, decremented, xored, rotated, etc.

Both static and variable keys produce predictable results. Specifically, the
resulting encrypted code looks the same in every replication of the virus. Therefore,
if you used a simple string scanner with a string from within the encrypted portion
of the virus, you would still detect all its parents and progeny. Such encryption
presents no problem to the antivirus industry. But the third type of key does.

A random key is one that changes from infection to infection. Cascade, for
example, bases its key on the size of the host file--which obviously changes a lot.
Other viruses use a pseudo-random key, such as fetching, storing, and using the
current timer tick count, or the current 100ths of a second value. Any of these
approaches produces a virtually random and unpredictable key.
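To make the three key types concrete, here is an added example (it is not code from the article or from any of the viruses it names) that models each scheme as a byte-wise cipher and measures what a plain string scanner can still match on. The payload text, the stand-in decryptor bytes and the list of host-file sizes are constructed for the demo; the random key follows Cascade's idea of deriving the key from the host size.

```python
# Added example, not code from the original page: the three key types above
# modelled as byte-wise ciphers. Each "infection" is a constant stand-in
# decryptor followed by the encrypted body, so we can measure which part of
# the sample a plain string scanner can still rely on. Payload, stub bytes
# and host sizes are constructed for the demo.

PAYLOAD = b"VIRUS BODY: find a host, append self, test trigger, return to host"
DECRYPTOR_STUB = b"<decryptor>"   # stand-in for the unencrypted decryption routine
HOST_SIZES = [1025, 2345, 4099, 5001, 8207, 12345, 20491, 65533]   # constructed


def ror8(b, n):
    """Rotate an 8-bit value right by n places."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def encrypt_static(body):
    """Static key: a fixed value in every copy (xor with F8h, then ror 3)."""
    return bytes(ror8(b ^ 0xF8, 3) for b in body)


def encrypt_variable(body, start=0x21):
    """Variable key: starts fixed and is incremented after every byte. The
    schedule is identical in every copy, so the ciphertext is too."""
    out, key = bytearray(), start
    for b in body:
        out.append((b + key) & 0xFF)
        key = (key + 1) & 0xFF
    return bytes(out)


def encrypt_random(body, host_size):
    """Random key: taken from something that differs per infection (Cascade
    used the host file size). A size whose low byte is 0 would leave the body
    in clear; a real engine has to guard against that."""
    return bytes(b ^ (host_size & 0xFF) for b in body)


ENCRYPTORS = {"static": lambda size: encrypt_static(PAYLOAD),
              "variable": lambda size: encrypt_variable(PAYLOAD),
              "random": lambda size: encrypt_random(PAYLOAD, size)}


def infect(kind, host_size):
    """One infected image for a host of the given size: stub + encrypted body."""
    return DECRYPTOR_STUB + ENCRYPTORS[kind](host_size)


def distinct_bodies(kind):
    """Number of different encrypted bodies the family shows across hosts."""
    return len({infect(kind, s)[len(DECRYPTOR_STUB):] for s in HOST_SIZES})


def detection_rates(kind, string_len=8):
    """Detection rate over all hosts for a scan string cut from the encrypted
    body of the first sample, and for one cut from the decryptor."""
    samples = [infect(kind, s) for s in HOST_SIZES]
    body_string = samples[0][len(DECRYPTOR_STUB):len(DECRYPTOR_STUB) + string_len]
    decryptor_string = DECRYPTOR_STUB[:string_len]
    hit = lambda pattern: sum(pattern in s for s in samples) / len(samples)
    return hit(body_string), hit(decryptor_string)
```

Calling distinct_bodies and detection_rates for each kind shows the point of the paragraph: static and variable keys give one encrypted body for every host, so a string cut from the body still catches every copy, while the random key gives a different body per host and only a string cut from the decryptor keeps working.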

This causes problems for those who write programs that detect viruses. Since the code
and data in such a virus change radically, string scanning product developers must
choose a string from the only part of the virus that doesn't change--the decryptor.
Early on this led to two major problems in the industry.

The first problem involved false alarms. Early grunt scanners (scanners that
examine an entire file) that used the same string for Cascade would detect each
other as being infected. This problem was solved by encrypting strings.

The second problem involved copyright. Some early product developers claimed
copyright on their scan strings, which, when you think about it, means they were
copyrighting fragments of another programmer's code--the virus programmer's
code. Ross Greenberg, the developer of Flu-Shot and VirexPC, had a request out
for virus strings. As Ross tells it, someone downloaded a bunch of strings, sent
them to him, and he used them. Unfortunately, those strings had been extracted from
McAfee's scanner. McAfee threatened a lawsuit, but never carried out the threat.

Herein lies the problem. What then about a randomly encrypted virus with a short
decryptor? In the Fish virus, for example, there are only 14 usable bytes. So string
scanning products virtually have to use the same pattern, do they not? How then can
one company claim a copyright on a string many others are forced to use also?

Virus Bulletin regularly publishes search strings and the Fish virus byte pattern can
be found in the July, 1991 issue. Here it is reprinted:

E800 005B 81EB A90D B958 0D2E 8037


By the way, I did not ask permission to reprint this. So is my printing this pattern a
violation of VB copyright?

Virus Bulletin itself answers "No" and points out how ludicrous this idea is:

"Some misunderstandings have arisen in the past about the copyright notice which
appears at the foot of each page of the bulletin; does this notification apply equally
to hexadecimal search patterns? The answer, of course, is an emphatic NO - search
patterns are not intellectual property or original material and are beyond copyright.
There have been incidents in the United States of software developers threatening
lawsuits against other software developers on the basis that search patterns have
been 'stolen'.

"The VB Table of Known IBM PC Viruses is designed to be actively used; the
patterns are supplied to help systems engineers with diagnosis but may also be used
in the development of comprehensive scanning software. Use of these patterns is
positively to be encouraged."

But encryption, even random-key encryption with a short decryptor, is truly not a
problem to antivirus developers when it comes to detection. The real problem is
polymorphism.

                                 Polymorphism
Since a string scanner can only detect randomly encrypted viruses by using their
decryptor, what happens if the decryptor itself changes with each infection?

"Scanning can't find all viruses" was reportedly the premise of two virus
researchers in the United States.

According to sources such as Virus Bulletin, in January of 1990 each of these men
sent out a virus to prove their claim. Patrick Toulome sent his Virus-101 to the
developer of a scan product. Mark Washburn sent out his V2P1 or Chameleon
virus. These were the first two polymorphic viruses.

When Toulome's virus went beyond the researcher he sent it to, he didn't appreciate
it. He stopped making viruses. Washburn, on the other hand, made and released
several more--each progressively more polymorphic.

The general meaning of polymorphic is "having many forms" and could thus be
applied to any randomly encrypted virus--since they indeed have many forms.
However, the use of this word in antivirus research and product development, as
well as our use here, is more specific.

A polymorphic virus is a randomly encrypted virus that is also programmed to
randomly vary its decryption routine. Thus the decryptor itself has "many forms"--
is polymorphic.

Before February of 1991 there were several terms used to describe these viruses:
mutating, garbling, self-modifying, variably decrypting, and such. In that month,
however, Fridrik Skulason and Alan Solomon coined "polymorphic" as it is applied
to these viruses. The term caught on quickly.

Now that we've explained the definition and history of the term polymorphic,
we're going to look at what it really means. But be warned. This portion of our
discussion of viruses gets more analytical in nature and thus, necessarily, more
technical.

During 1990 four polymorphic viruses were developed by Dark Avenger, based on
his V800 virus. In an interview with Sarah Gordon, Dark Avenger said "Proud,
Evil, Phoenix are variants of one virus." This may mean that the fourth,
Phoenix.1226, was the first programmed. None of these are in the wild, but we'll
use the 1226 version here as an example of polymorphism.

The decryption routine for Phoenix.1226 is 32 bytes long. Within that 32-byte
routine, 18 bytes are variable. This variation is accomplished in two ways.

First off, two of the bytes can each have one of two values. These bytes represent
two conditional jumps, each of which can be either a jns (jump if not sign) instruction,
with a byte value of 79h, or a jge (jump if greater than or equal) instruction, with a
byte value of 7Dh.

The remainder of the variability is more complex. There are five processor registers
used in the decryptor. The first two used have to be pointer registers since they are
used in indirect memory addressing. This limits the available registers to bx, di, and
si (bp is not used). The other three registers are used for storage and may be
selected from ax, bx, cx, or dx. Also, if bx was used as a pointer then either di or si,
whichever is available, can be used.
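The following is an added example, not the Phoenix code nor any code from the original page: a toy polymorphic engine that mutates a real 16-bit x86 decryptor in the way just described (pointer register chosen from si, di or bx; the byte operation used; the loop form; junk padding), together with the emulation-based detection mentioned earlier on the page, which lets each sample decrypt itself in a sandbox before the plaintext is scanned. Phoenix's own jns/jge choice is not reproduced; the loop form is varied instead. The payload text, the mutation menu, the signature lengths and the assumption that the image is loaded at offset 0 are all mine. Incidentally, the 80 37 that ends the Fish pattern quoted above is the same `xor byte [bx],imm8` encoding this generator emits for the bx/xor choice.

```python
# Added example, not code from the original page: a toy polymorphic engine in
# the spirit of the Phoenix decryptor above, plus the emulation-based detection
# described earlier on the page. The decryptor is genuine 16-bit x86 code; the
# payload text, the mutation menu and the scanner signatures are constructed.
import random

PAYLOAD = b"VIRUS BODY: infect a host, test the trigger, return to host entry"
PAYLOAD_SIG = PAYLOAD[:16]   # what a scanner keys on once it can see plaintext

# 'mov r16,imm16' opcode, rm field for '80 /r byte [reg],imm8', 'inc r16' opcode
PTR_REGS = {"si": (0xBE, 4, 0x46), "di": (0xBF, 5, 0x47), "bx": (0xBB, 7, 0x43)}
OPS = {"add": 0, "sub": 5, "xor": 6}   # /r sub-opcode inside the 80h group


def build_decryptor(reg, op, key, use_loop, nops, body_len, body_off):
    """mov reg,body_off ; mov cx,body_len ; nop*nops ;
    L: op byte [reg],key ; inc reg ; loop L   (or: dec cx ; jnz L)"""
    mov, rm, inc = PTR_REGS[reg]
    code = bytearray([mov]) + body_off.to_bytes(2, "little")
    code += b"\xB9" + body_len.to_bytes(2, "little")      # mov cx, imm16
    code += b"\x90" * nops                                  # junk padding
    code += bytes([0x80, (OPS[op] << 3) | rm, key, inc])   # op byte [reg],key ; inc reg
    code += b"\xE2\xFA" if use_loop else b"\x49\x75\xF9"   # loop L (-6) | dec cx ; jnz L (-7)
    return bytes(code)


def encrypt_body(op, key, body):
    """Inverse of the decryptor's operation, so running the decryptor restores plaintext."""
    if op == "xor":
        return bytes(b ^ key for b in body)
    delta = -key if op == "add" else key
    return bytes((b + delta) & 0xFF for b in body)


def make_sample(rng):
    """One mutation as (decryptor, image); the image is assumed loaded at offset 0."""
    reg, op = rng.choice(sorted(PTR_REGS)), rng.choice(sorted(OPS))
    key, use_loop, nops = rng.randrange(1, 256), rng.random() < 0.5, rng.randrange(3)
    dec_len = 10 + nops + (2 if use_loop else 3)
    dec = build_decryptor(reg, op, key, use_loop, nops, len(PAYLOAD), dec_len)
    return dec, dec + encrypt_body(op, key, PAYLOAD)


def emulate(image, max_steps=100_000):
    """Minimal 8086 emulator for just the instructions the engine emits. Runs until
    execution reaches a byte the code itself modified (the decrypted body)."""
    mem, written = bytearray(image), bytearray(len(image))
    regs, zf, ip = {"si": 0, "di": 0, "bx": 0, "cx": 0}, False, 0
    by_mov = {0xBE: "si", 0xBF: "di", 0xBB: "bx", 0xB9: "cx"}
    by_inc = {0x46: "si", 0x47: "di", 0x43: "bx"}
    by_rm = {4: "si", 5: "di", 7: "bx"}
    rel8 = lambda b: b - 256 if b >= 128 else b
    for _ in range(max_steps):
        if written[ip]:
            return bytes(mem)
        op = mem[ip]
        if op in by_mov:                       # mov r16, imm16
            regs[by_mov[op]] = int.from_bytes(mem[ip + 1:ip + 3], "little")
            ip += 3
        elif op == 0x90:                       # nop
            ip += 1
        elif op == 0x80:                       # add/sub/xor byte [reg], imm8
            modrm, imm = mem[ip + 1], mem[ip + 2]
            addr, sub = regs[by_rm[modrm & 7]], (modrm >> 3) & 7
            mem[addr] = {0: mem[addr] + imm, 5: mem[addr] - imm, 6: mem[addr] ^ imm}[sub] & 0xFF
            written[addr] = 1
            ip += 3
        elif op in by_inc:                     # inc r16 (ZF set on wrap to 0)
            regs[by_inc[op]] = (regs[by_inc[op]] + 1) & 0xFFFF
            zf = regs[by_inc[op]] == 0
            ip += 1
        elif op == 0x49:                       # dec cx
            regs["cx"] = (regs["cx"] - 1) & 0xFFFF
            zf = regs["cx"] == 0
            ip += 1
        elif op == 0xE2:                       # loop rel8
            regs["cx"] = (regs["cx"] - 1) & 0xFFFF
            ip += 2 + (rel8(mem[ip + 1]) if regs["cx"] else 0)
        elif op == 0x75:                       # jnz rel8
            ip += 2 + (0 if zf else rel8(mem[ip + 1]))
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {ip}")
    raise RuntimeError("decryptor did not terminate")


def roundtrip(seed):
    """True if the emulator restores the payload for the sample built from seed."""
    dec, img = make_sample(random.Random(seed))
    return emulate(img)[len(dec):] == PAYLOAD


def experiment(n=200, seed=1):
    """Generate n mutations; compare a 12-byte string cut from the first sample's
    decryptor against emulation followed by a plaintext scan.
    Returns (distinct decryptors, string-scanner hits, emulator hits)."""
    rng = random.Random(seed)
    samples = [make_sample(rng) for _ in range(n)]
    dec_sig = samples[0][0][:12]
    distinct = len({dec for dec, _ in samples})
    string_hits = sum(dec_sig in img for _, img in samples)
    emu_hits = sum(PAYLOAD_SIG in emulate(img) for _, img in samples)
    return distinct, string_hits, emu_hits
```

experiment() returns (distinct decryptors, string-scanner hits, emulator hits) over 200 mutations: nearly every sample carries a different decryptor, a 12-byte string cut from one decryptor matches almost nothing else, and emulation recovers the payload in every case. That is the whole point of the preceding paragraphs: once the decryptor itself varies, the string scanner has nothing constant left to search for, and the defender has to run the code rather than pattern-match it.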
Pseudocode for a simple prepending virus with an infection marker (the classic sketch
from Fred Cohen's 1984 paper on computer viruses):

    program V :=
    {goto main;
        1234567;

        subroutine infect-executable :=
            {loop:
                file := get-random-executable-file;
                if (first-line-of-file = 1234567)
                    then goto loop
                    else prepend V to file;}

        subroutine do-damage :=
            {whatever damage is to be done}

        subroutine trigger-pulled :=
            {return true if some condition holds}

    main: main-program :=
            {infect-executable;
            if trigger-pulled then do-damage;
            goto next;}

    next:
    }

The marker 1234567 that stops V from infecting a file twice is exactly the kind of
constant a string scanner can search for; removing such constants is what the
encryption and polymorphism discussed above are designed to do.

How can I prevent malware from entering my PC?
It is important not to open emails from senders you don't know. Many such emails have
enticing subject lines like "You have won a lottery" or "Happy birthday, I have a present for you"
and so on. Never open the attachments that come with such emails; doing so is a common way to
install a virus or a worm on your PC. As a rule, you should never open an attachment that has
been sent to you by someone you don't know.

Install anti-virus software on your PC and keep it updated. This will protect your computer
against known viruses and other malware threats.

You can also install a firewall, which watches the network connections coming into and going out
of your computer. Try to avoid suspicious websites, and if you accidentally enter one which seems
strange, leave it immediately. If pop-up windows alert you or ask you to agree to anything,
immediately close them and never click on any button inside them.

What is a firewall?
A device or piece of software designed to stop unauthorised people from reaching your
computer over the internet. A firewall controls the network traffic that goes in and out of
your computer: connections that its rules do not allow are blocked. It does not inspect files for
malware; that is the job of anti-virus software, which is why the two are used together.

What is spyware?
It is a program that can be secretly attached to files you download from the internet. As soon as it is
downloaded it installs itself on your PC without your knowledge and starts to monitor your internet
activity. The monitored information is then transmitted to a third party, in most cases to companies
interested in building a profile of you, who then use it to send you advertising or other unwanted
data.

M

  • 1.
    As the Internetbecomes more and more integrated into everyday lives, we must learn how to defend ourselves against new types of online attacks. While viruses remain a threat, today's hackers commonly use vicious multi-layered attacks, such as a worm in a chat message that displays a link to a Web page infected with a Trojan horse. “Worms” have been found that tunnel though programs, uncovering new vulnerabilities and reporting them back to hackers. The hackers then quickly assemble malware (malicious software) from pre-made components, exploiting the vulnerability before the majority of people can download a fix. Below you will find the best tips that you can employ to protect yourself against these emerging sophisticated, multi-faceted threats. What Can Malware Do to My PC? Malware opens up backdoors on infected systems, giving hackers direct access to the hijacked PC. In this scenario, a hacker can use the infected PC to upload personal information to a remote system, or to turn the PC into a remotely controlled 'bot used in criminal activity. Hackers are designing their attacks to target specific high-value victims instead of simply launching mass-mailing worms and viruses. These programs are being created specifically for data theft. What About P2P? Peer-to-peer (P2P) networking has become a launching pad for viruses. Attackers incorporate spyware, viruses, Trojan horses, and worms into their free downloads. One of the most dangerous features of many P2P programs is the “browse host” feature that allows others to directly connect to your computer and browse through file shares. P2P can accidentally give access to logins, user IDs and passwords; Quicken files and credit reports; personal information such as letters, chat logs, cookies, and emails; and medical records you accidentally house in accessible folders on your PC. 
As with email and instant messages, viruses in P2P files are capable of weaving their way through as many users as they can, stealing information and delivering it to cybercriminals who forge identities and commit fraud. Best Tips to Defend Against Viruses and Worms. You must safeguard your PC. Following these basic rules will help you protect you and your family whenever you go online. 1. Protect your computer with strong security software and keep it updated. McAfee Total Protection for Small Business provides proven PC protection from Trojans, hackers, and spyware. Its integrated anti-virus, anti-spyware, firewall, anti-spam, anti-phishing, and backup technologies work together to combat today's advanced multi-faceted attacks. It scans disks, email attachments, files downloaded from the Web, and documents generated by word processing and spreadsheet programs. 2. Use a security-conscious Internet service provider (ISP) that implements strong anti-spam and anti-phishing procedures. 3. Enable automatic Windows® updates or download Microsoft® updates regularly to keep your operating system patched against known vulnerabilities. Install patches from other software
  • 2.
    manufacturers as soonas they are distributed. A fully patched computer behind a firewall is the best defense against Trojan and spyware installation. 4. Use caution when opening attachments. Configure your anti-virus software to automatically scan all email and instant message attachments. Make sure your email program doesn't automatically open attachments or automatically render graphics, and ensure that the preview pane is turned off. Never open unsolicited emails, or attachments that you're not expecting—even from people you know. 5. Be careful when engaging in peer-to-peer (P2P) file-sharing. Trojans hide within file-sharing programs waiting to be downloaded. Use the same precautions when downloading shared files that you do for email and instant messaging. Avoid downloading files with the extensions .exe, .scr, .lnk, .bat, .vbs, .dll, .bin, and cmd. 6. Use security precautions for your PDA, cell phone, and Wi-Fi devices. Viruses and Trojans arrive as an email/IM attachment, are downloaded from the Internet, or are uploaded along with other data from a desktop. Cell phone viruses and mobile phishing attacks are in the beginning stages, but will become more common as more people access mobile multimedia services and Internet content directly from their phones. Always use a PIN code on your cell phone, and never install or download mobile software from an unknown source. 7. Configure your instant messaging application correctly. Make sure it does not open automatically when you fire up your computer. 8. Beware of spam-based phishing schemes. Don't click on links in emails or IM. 9. Back up your files regularly and store the backups somewhere besides your PC. If you fall victim to a virus attack, you can recover photos, music, movies, and personal information like tax returns and bank statements. 10. Stay aware of current virus news by checking sites like McAfee® Avert® Threat Center. 2. 3. 4. 5. 
top-10 worst ISPs in this category—consider this when making your choice. 6. Enable automatic Windows updates, or download Microsoft updates regularly, to keep your operating system patched against known vulnerabilities. Install patches from other software manufacturers as soon as they are distributed. A fully patched computer behind a firewall is the best defense against Trojan and spyware installation. 7. Use great caution when opening attachments. Configure your anti-virus software to automatically scan all email and instant message attachments. Make sure your email program doesn’t automatically open attachments or automatically render graphics, and ensure that the preview pane is turned off. Never open unsolicited emails, or attachments that you’re not expecting—even from people you know. 8. Be careful when using P2P file sharing. Trojans hide within file-sharing programs waiting to be downloaded. Use the same precautions when downloading shared files that you do for email and instant messaging. Avoid downloading files with the extensions .exe, .scr, .lnk, .bat, .vbs, .dll, .bin, and .cmd. 9. Use security precautions for your PDA, cell phone, and Wi-Fi devices. Viruses and Trojans arrive as an email/IM attachment, are downloaded from the Internet, or are uploaded along with other data from a desktop. Cell phone viruses and mobile phishing attacks are in the beginning stages, but will become more common as more people access mobile multimedia services and Internet content directly from their phones. Mobile Anti-Virus software for a selected devices is available for free with some McAfee PC products. Always use a PIN code on your cell phone and never install or download mobile software from a un-trusted source.
  • 3.
    10. Configure yourinstant messaging application correctly. Make sure it does not open automatically when you fire up your computer. 11. Beware of spam-based phishing schemes. Don’t click on links in emails or IM. 12. Back up your files regularly and store the backups somewhere besides your PC. If you fall victim to a virus attack, you can recover photos, music, movies, and personal information like tax returns and bank statements. 13. Stay aware of current virus news by checking sites like McAfee Labs Threat Center. Back to top Bookmark & Share Favoritesemail Blinklist del.icio.us Digg Furl Google Facebook MySpace Yahoo Buzz Live More Advice on this Topic 8 Tips on How to Protect Yourself Online 13 Ways to Protect Your System Anti-virus Tips Tips for a More Secure Internet Experience How to Protect Your Computer Against Virus and Worm Attacks Hardware vs. Software Firewalls Passphrases Find a term you don’t recognize? Look up definitions in our Glossary. Free Security Newsletter Sign Up for Security News and Special Offers: Email Addre The Ultimate Security: McAfee Total Protection Ultimate. The most effective protection against virus, online and network threats. $89.99$59.99Save $30 PC Infected? Get Expert Help Now!
  • 4.
    McAfee Virus RemovalService Connect to one of our security experts by phone. Have your PC fixed remotely – while you watch! $89.95 Available daily, 24x7. A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless. A typical effect is the undesired insertion of some comic text at certain points when writing a line. A macro virus is often spread as an e-mail virus. A well-known example in March, 1999 was the Melissa virus virus. Melissa is a fast-spreading macro virus that is distributed as an e-mail attachment that, when opened, disables a number of safeguards in Word 97 or Word 2000, and, if the user has the Microsoft Outlook e-mail program, causes the virus to be resent to the first 50 people in each of the user's address books. While it does not destroy files or other resources, Melissa has the potential to disable corporate and other mail servers as the ripple of e-mail distribution becomes a much larger wave. On Friday, March 26, 1999, Melissa caused the Microsoft Corporation to shut down incoming e-mail. Intel and other companies also reported being affected. The U. S. Department of Defense-funded Computer Emergency Response Team (CERT) issued a warning about the virus and developed a fix. How Melissa Works Melissa arrives in an attachment to an e-mail note with the subject line "Important Message from ]the name of someone[," and body text that reads "Here is that document you asked for...don't Learn More Security Resources Malware, Viruses, Trojans and Spyware show anyone else ;-)". The attachment is often named LIST.DOC. If the recipient clicks on or otherwise opens the attachment, the infecting file is read to computer storage. 
The file itself originated in an Internet alt.sex newsgroup and contains a list of passwords for various Web sites that require memberships. The file also contains a Visual Basic script that copies the virus-infected file into the normal.dot template file used by Word for custom settings and default macros. It also creates this entry in the Windows registry:
  • 5.
    What is IdentityTheft? Identity theft, also known as ID theft is a crime in which a criminal obtains key pieces of personal information, such as Social Security or driver's license numbers, in order to pose as someone else. The information can be used to obtain credit, merchandise, and services using the victims‘ name. Identity theft can also provide a thief with false credentials for immigration or other applications. One of the biggest problems with identity theft is that very often the crimes committed by the identity theft expert are often attributed to the victim. Buy it Now There are two main types of identity theft – account takeover and true name theft. Account takeover identity theft refers to the type of situation where an imposter uses the stolen personal information to gain access to the person‘s existing accounts. Often the identity thief will use the stolen identity to acquire even more credit products by changing your address so that you never see the credit card bills that the thief runs up. True name identity theft means that the thief uses personal information to open new accounts. The thief might open a new credit card account, establish cellular phone service, or open a new checking account in order to obtain blank checks. The Internet has made it easier for an identity thief to use the information they've stolen because transactions can be made without any real verification of someone‘s identity. All a thief really needs today is a series of correct numbers to complete the crime. Companies like LifeLock can monitor if a thief has gotten access to and used any of your personal information." trojan In the IT world, a Trojan horse is used to enter a victim‘s computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing great damage to the victim. 
A Trojan can be a hidden program that runs on your computer without your knowledge, or it can be ‗wrapped‘ into a legitimate program meaning that this program may therefore have hidden functions that you are not aware of. How a Trojan works Trojans typically consist of two parts, a client part and a server part. When a victim (unknowingly) runs a Trojan server on his machine, the attacker then uses the client part of that Trojan to connect to the server module and start using the Trojan. The protocol usually used for communications is TCP, but some Trojans' functions use other protocols, such as UDP, as well. When a Trojan server runs on a victim‘s computer, it (usually) tries to hide somewhere on the computer; it then starts listening for incoming connections from the attacker on one or more ports, and attempts to modify the registry and/or use some other auto-starting method. It is necessary for the attacker to know the victim‘s IP address to connect to his/her machine. Many Trojans include the ability to mail the victim‘s IP and/or message the attacker via ICQ or IRC. This system is used when the victim has a dynamic IP, that is, every time he connects to the Internet, he is assigned a different IP (most dial-up users have this). ADSL users have
  • 6.
    static IPs, meaningthat in this case, the infected IP is always known to the attacker; this makes it considerably easier for an attacker to connect to your machine. Most Trojans use an auto-starting method that allows them to restart and grant an attacker access to your machine even when you shut down your computer. Trojan writers are constantly on the hunt for new auto-starting methods and other such tricks, making it hard to keep up with their new discoveries in this area. As a rule, attackers start by ―joining‖ the Trojan to some executable file that you use very often, such as explorer.exe, and then proceed to use known methods to modify system files or the Windows Registry. For an in-depth look at the different types of Trojans, why they pose a danger to corporate networks, and how to protect your network against them, please click here. Get the latest SPAM news at AllSpammedUp.com! Trojan Horse Attacks If you were referred here, you may have been "hacked" by a Trojan horse attack. It's crucial that you read this page and fix yourself immediately. Failure to do so could result in being disconnected from the IRC network, letting strangers access your private files, or worst yet, allowing your computer to be hijacked and used in criminal attacks on others. by Joseph Lo aka Jolo, with much help from countless others This page is part of IRChelp.org's security section at http://www.irchelp.org/irchelp/security/ updated Feb 5, 2006 Contents: I. What is a Trojan horse? II. How did I get infected? III. How do I avoid getting infected in the future? IV. How do I get rid of trojans?!? Appendices I. What is a Trojan horse? Trojan horse attacks pose one of the most serious threats to computer security. If you were referred here, you may have not only been attacked but may also be attacking others unknowingly. This page will teach you how to avoid falling prey to them, and how to repair the damage if you already did. 
According to legend, the Greeks won the Trojan war by hiding in a huge, hollow wooden horse to sneak into the fortified city of Troy. In today's computer world, a Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign". For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to
  • 7.
commit illegal denial of service attacks like those that have virtually crippled the DALnet IRC network for months on end. The following general information applies to all operating systems, but by far most of the damage is done to/with Windows users due to its vast popularity and many weaknesses. (Note: Many people use terms like Trojan horse, virus, worm, hacking and cracking all interchangeably, but they really don't mean the same thing. If you're curious, here's a quick primer defining and distinguishing them. Let's just say that once you are "infected", trojans are just as dangerous as viruses and can spread to hurt others just as easily!)

II. How did I get infected?

Trojans are executable programs, which means that when you open the file, it will perform some action(s). In Windows, executable programs have file extensions like "exe", "vbs", "com", "bat", etc. Some actual trojan filenames include "dmsetup.exe" and "LOVE-LETTER-FOR-YOU.TXT.vbs" (when there are multiple extensions, only the last one counts, so be sure to unhide your extensions so that you see it). More information on risky file extensions may be found in this Microsoft document.

Trojans can be spread in the guise of literally ANYTHING people find desirable, such as a free game, movie, song, etc. Victims typically downloaded the trojan from a WWW or FTP archive, got it via peer-to-peer file exchange using IRC/instant messaging/Kazaa etc., or just carelessly opened some email attachment. Trojans usually do their damage silently. The first sign of trouble is often when others tell you that you are attacking them or trying to infect them!

III. How do I avoid getting infected in the future?

You must be certain of BOTH the source AND content of each file you download! In other words, you need to be sure that you trust not only the person or file server that gave you the file, but also the contents of the file itself. Here are some practical tips to avoid getting infected (again). For more general security information, please see our main security help page.

1. NEVER download blindly from people or sites which you aren't 100% sure about. In other words, as the old saying goes, don't accept candy from strangers. If you do a lot of file downloading, it's often just a matter of time before you fall victim to a trojan.

2. Even if the file comes from a friend, you still must be sure what the file is before opening it, because many trojans will automatically try to spread themselves to friends in an email address book or on an IRC channel. There is seldom reason for a friend to send you a file that you didn't ask for. When in doubt, ask them first, and scan the attachment with a fully updated anti-virus program.

3. Beware of hidden file extensions! Windows by default hides the last extension of a file, so that innocuous-looking "susie.jpg" might really be "susie.jpg.exe" - an executable trojan! To reduce the chances of being tricked, unhide those pesky extensions.

4. NEVER use features in your programs that automatically get or preview files. Those features may seem convenient, but they let anybody send you anything, which is extremely reckless. For example, never turn on "auto DCC get" in mIRC; instead, ALWAYS screen every single file you get manually. Likewise, disable the preview mode in Outlook and other email programs.

5. Never blindly type commands that others tell you to type, or go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts (not even popular ones). If you do so, you are potentially trusting a stranger with control over your computer, which can lead to trojan infection or other serious harm.

6. Don't be lulled into a false sense of security just because you run anti-virus programs. Those do not protect perfectly against many viruses and trojans, even when fully up to date. Anti-virus programs should not be your front line of security; instead they serve as a backup in case something sneaks onto your computer.

7. Finally, don't download an executable program just to "check it out" - if it's a trojan, the first time you run it, you're already infected!

IV. How do I get rid of trojans?!?

Here are your many options; none of them are perfect. I strongly suggest you read through all of them before rushing out and trying to run some program blindly. Remember - that's how you got in this trouble in the first place. Good luck!

1. Clean Re-installation: Although arduous, this will always be the only sure way to eradicate a trojan or virus. Back up your entire hard disk, reformat the disk, re-install the operating system and all your applications from original CDs, and finally, if you're certain they are not infected, restore your user files from the backup. If you are not up to the task, you can pay for a professional repair service to do it.

2. Anti-Virus Software: Some of these can handle most of the well known trojans, but none are perfect, no matter what their advertising claims. You absolutely MUST make sure you have the very latest update files for your programs, or else they will miss the latest trojans.
Compared to traditional viruses, today's trojans evolve much quicker and come in many seemingly innocuous forms, so anti-virus software is always going to be playing catch up. Also, if they fail to find every trojan, anti-virus software can give you a false sense of security, such that you go about your business not realizing that you are still dangerously compromised. There are many products to choose from, but the following are generally effective: AVP, PC-cillin, and McAfee VirusScan. All are available for immediate downloading, typically with a 30 day free trial. For a more complete review of all major anti-virus programs, including specific configuration suggestions for each, see the HackFix Project's anti-virus software page [all are ext. links]. When you are done, make sure you've updated Windows with all security patches [ext. link].

3. Anti-Trojan Programs: These programs are the most effective against trojan horse attacks, because they specialize in trojans instead of general viruses. A popular choice is The Cleaner, $30 commercial software with a 30 day free trial. To use it effectively, you must follow hackfix.org's configuration suggestions [ext. link]. When you are done, make sure you've updated Windows with all security patches [ext. link], then change all your passwords because they may have been seen by every "hacker" in the world.

4. IRC Help Channels: If you're the type that needs some hand-holding, you can find trojan/virus removal help on IRC itself, such as EFnet #dmsetup or DALnet #NoHack. These experts will try to figure out which trojan(s) you have and offer you advice on how to fix it. The previous directions were in fact adapted from advice given by EFnet #dmsetup. (See our networks page if you need help connecting to those networks.)

Appendices: These files were referred to in the text above, and provide additional information.
IRChelp.org Security Page
Hacker / Cracker / Trojan / Virus? - A Primer on Terminology
How to unhide Windows file extensions

Why Use A Rootkit?

A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system without the computer system user knowing about it. This means that the owner of the rootkit is capable of executing files and changing system configurations on the target machine, as well as accessing log files or monitoring activity to covertly spy on the user's computer usage.

Is A Rootkit Malware?

That may be debatable. There are legitimate uses for rootkits by law enforcement, or even by parents or employers wishing to retain remote command and control and/or the ability to monitor activity on their employees' / children's computer systems. Products such as eBlaster or Spector Pro are essentially rootkits which allow for such monitoring. However, most of the media attention given to rootkits is aimed at malicious or illegal rootkits used by attackers or spies to infiltrate and monitor systems. But, while a rootkit might somehow be installed on a system through the use of a virus or Trojan of some sort, the rootkit itself is not really malware.

Detecting A Rootkit

Detecting a rootkit on your system is easier said than done. Currently, there is no off-the-shelf product to magically find and remove all of the rootkits of the world like there is for viruses or spyware. There are various ways to scan memory or file system areas, or look for hooks into the system from rootkits, but not many of them are automated tools, and those that are often focus on detecting and removing a specific rootkit. Another method is just to look for bizarre or strange behavior on the computer system.
If there are suspicious things going on, you might be compromised by a rootkit. Of course, you might also just need to clean up your system using tips from a book like Degunking Windows. In the end, many security experts suggest a complete rebuild of a system compromised by a rootkit or suspected of being compromised by a rootkit. The reason is, even if you detect files or processes associated with the rootkit, it is difficult to be 100% sure that you have in fact removed every piece of the rootkit. Peace of mind can be found by completely erasing the system and starting over.
Protecting Yourself From Rootkits

As mentioned above regarding detecting rootkits, there is no packaged application to guard against rootkits. It was also mentioned above that rootkits, while they may be used for malicious purposes at times, are not necessarily malware. Many malicious rootkits manage to infiltrate computer systems and install themselves by propagating with a malware threat such as a virus. You can safeguard your system from rootkits by ensuring it is kept patched against known vulnerabilities, that antivirus software is updated and running, and that you don't accept files from or open email file attachments from unknown sources. You should also be careful when installing software and read carefully before agreeing to EULAs (end user license agreements), because some may state overtly that a rootkit of some sort will be installed.

So what does a Rootkit do?

What it does do is provide access to all your folders – both private data and system files – to a remote user who, through administrative powers, can do whatever he wants with your computer. Needless to say, every user should be aware of the threat they pose. Rootkits generally go much deeper than the average virus. They may even infect your BIOS – the part of your computer that's independent of the Operating System – making them harder to remove. And they may not even be Windows-specific; even Linux or Apple machines could be affected. In fact, the first rootkit ever written was for Unix!
Image by Fristle

Is this a new phenomenon?

No, not at all. The earliest known rootkit is in fact two decades old. However, now that every home and every work desk has a computer that is connected to the internet, the possibilities for using the full potential of a rootkit are only just being realized. Possibly the most famous case so far was in 2005, when CDs sold by Sony BMG installed rootkits without user permission that allowed any user logged in at the computer to access the administrator mode. The purpose of that rootkit was to enforce copy protection (called "Digital Rights Management" or DRM) on the CDs, but it compromised the computer it was installed on. This process could easily be hijacked for malicious purposes.

What makes it different from a virus?

Most often, rootkits are used to control and not to destroy. Of course, this control could be used to delete data files, but it can also be used for more nefarious purposes. More importantly, rootkits run at the same privilege levels as most antivirus programs. This makes them that much harder to remove, as the computer cannot decide which program has a greater authority to shut down the other.
So how might I get infected with a rootkit?

As mentioned above, a rootkit may piggyback along with software that you thought you trusted. When you give this software permission to install on your computer, it also inserts a process that waits silently in the background for a command. And, since to give permission you need administrative access, this means that your rootkit is already in a sensitive location on the computer.

Another way to get infected is by standard viral infection techniques – either through shared disks and drives or with infected web content. This infection may not easily get spotted because of the silent nature of rootkits.

There have also been cases where rootkits came pre-installed on purchased computers. The intentions behind such software may be good – for example, anti-theft identification or remote diagnosis – but it has been shown that the mere presence of such a path to the system itself is a vulnerability.

So, that was about what exactly a rootkit is and how it creeps into a computer. In my next article I'll discuss how to defend your computer from rootkits – from protection to cleaning up.

What is the difference between viruses, worms, and Trojans?

What is a virus?

A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:

It must execute itself. It often places its own code in the path of execution of another program.
It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file.

Viruses can infect desktop computers and network servers alike. Some viruses are programmed to damage the computer by damaging programs,
deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

Five recognized types of viruses

File infector viruses
File infector viruses infect program files. These viruses normally infect executable code, such as .com and .exe files. They can infect other files when an infected program is run from floppy, hard drive, or from the network. Many of these viruses are memory resident. After memory becomes infected, any noninfected executable that runs becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.

Boot sector viruses
Boot sector viruses infect the system area of a disk; that is, the boot record on floppy disks and hard disks. All floppy disks and hard disks (including disks containing only data) contain a small program in the boot record that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and activate when the user attempts to start up from the infected disk. These viruses are always memory resident in nature. Most were written for DOS, but all PCs, regardless of the operating system, are potential targets of this type of virus. All that is required to become infected is to attempt to start up your computer with an infected floppy disk. Thereafter, while the virus remains in memory, all floppy disks that are not write protected will become infected when the floppy disk is accessed. Examples of boot sector viruses are Form, Disk Killer, Michelangelo, and Stoned.

Master boot record viruses
Master boot record viruses are memory-resident viruses that infect disks in the same manner as boot sector viruses. The difference between these two virus types is where the viral code is located. Master boot record infectors normally save a legitimate copy of the master boot record in a different location. Windows NT computers that become infected by either boot sector viruses or master boot record viruses will not boot. This is due to the difference in how the operating system accesses its boot information, as compared to Windows 98/Me. If your Windows NT system is formatted with FAT partitions you can usually remove the virus by booting to DOS and using antivirus software. If the boot partition is NTFS, the system must be recovered by using the three Windows NT Setup disks. Examples of master boot record infectors are NYB, AntiExe, and Unashamed.

Multipartite viruses
Multipartite (also known as polypartite) viruses infect both boot records and program files. These are particularly difficult to repair. If the boot area is cleaned, but the files are not, the boot area will be reinfected. The same holds true for cleaning infected files. If the virus is not removed from the boot area, any files that you have cleaned will be reinfected. Examples of multipartite viruses include One_Half, Emperor, Anthrax and Tequila.

Macro viruses
These types of viruses infect data files. They are the most common and have cost corporations the most money and time trying to repair. With the advent of Visual Basic in Microsoft's Office 97, a macro virus can be written that not only infects data files, but also can infect other files as well. Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files. Newer strains are now turning up in other programs as well. All of these viruses use another program's internal programming language, which was created to allow users to automate certain tasks within that program. Because of the ease with which these viruses can be created, there are now thousands of them in circulation. Examples of macro viruses include W97M.Melissa, WM.NiceDay and W97M.Groov.

What is a Trojan horse?

Trojan horses are impostors—files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that when triggered causes loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet. Trojan.Vundo is a Trojan horse.
What is a worm?

Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. W32.Mydoom.AX@mm is an example of a worm.

What is a virus hoax?

Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. Following are some of the common phrases that are used in these hoaxes:

If you receive an email titled [email virus hoax name here], do not open it! Delete it immediately!
It contains the [hoax name] virus.
It will delete everything on your hard drive and [extreme and improbable danger specified here].
This virus was announced today by [reputable organization name here].
Forward this warning to everyone you know!

Most virus hoax warnings do not deviate far from this pattern. If you are unsure if a virus warning is legitimate or a hoax, additional information is available at the Symantec Security Response online database.

What is not a virus?

Because of the publicity that viruses have received, it is easy to blame any computer problem on a virus. The following are not likely to be caused by a virus or other malicious code:

Hardware problems: No viruses can physically damage computer hardware, such as chips, boards, and monitors.

The computer beeps at startup with no screen display: This is usually caused by a hardware problem during the boot process. Consult your computer documentation for the meaning of the beep codes.

The computer does not register 640 KB of conventional memory: This can be a sign of a virus, but it is not conclusive. Some hardware drivers, such as those for the monitor or SCSI card, can use some of this memory. Consult with your computer manufacturer or hardware vendor to determine if this is the case.

You have two antivirus programs installed and one of them reports a virus: This might be a virus, but it can also be caused by one antivirus program detecting the other program's signatures in memory. For additional information, see Should you run more than one antivirus program at the same time?

Microsoft Word warns you that a document contains a macro: This does not mean that the macro is a virus.

You cannot open a particular document: This is not necessarily an indication of a virus. Try opening another document or a backup of the document in question. If other documents open correctly, the document may be damaged.

The label on a hard drive has changed: Every disk is allowed to have a label. You can assign a label to a disk by using the DOS Label command or from within Windows.

When you run ScanDisk, Norton AntiVirus Auto-Protect reports virus-like activity: For instructions on what to do, read Alert: "Virus Like Activity detected. The application . . . is attempting to write to the file . . . What would you like to do?"

Additional information

For the most up-to-date information on viruses, go to the Symantec Security Response online database. To submit a file or disk that you suspect is infected with a virus, please read one of the following documents:
Submitting a file to Symantec Security Response over the Internet or on a floppy disk
Submitting a file to Symantec Security Response using Scan and Deliver

What is safe computing?

With all the hype, it is easy to believe that viruses lurk in every file, every email, every Web site. However, a few basic precautions can minimize your risk of infection. Practice safe computing and encourage everyone you know to do so as well.

General precautions

Do not leave a floppy disk in the floppy disk drive when you shut down or restart the computer.
Write-protect your floppy disks after you have finished writing to them.
Be suspicious of email attachments from unknown sources.
Verify that attachments have been sent by the author of the email. Newer viruses can send email messages that appear to be from people you know.
Do not set your email program to "auto-run" attachments.
Obtain all Microsoft security updates.
Back up your data frequently. Keep the write-protected media in a safe place, preferably in a different location than your computer.

Specific to Norton AntiVirus

Make sure that you have the most recent virus definitions. We recommend that you run LiveUpdate at least once per week. Symantec Security Response updates virus definitions in response to new virus threats. For additional information, please see How to Run LiveUpdate.
Make sure that you have set Norton AntiVirus to scan floppy disks on access and at shutdown. Please see your User's Guide for information on how to do this in your version of Norton AntiVirus.
Always keep Norton AntiVirus Auto-Protect running. Symantec Security Response now strongly recommends that you have Norton AntiVirus set to scan all files, not just program files.
Scan all new software before you install it. Because boot sector viruses spread by floppy disks and bootable CDs, every floppy disk and CD should be scanned for viruses. Shrink-wrapped software, demo disks from suppliers, and trial software are not exempt from this rule. Viruses have been found even on retail software.
Scan all media that someone else has given you.
Use caution when opening email attachments. Email attachments are a major source of virus infections. Microsoft Office attachments for Word, Excel, and Access can be infected by macro viruses. Other attachments can contain file infector viruses. Norton AntiVirus Auto-Protect will scan these attachments for viruses as you open or detach them. We recommend that you enable email scanning, which will scan email attachments before the email message is sent to your email program.

Nine ways how hackers propagate malware (1 of 2)
Mar 24th, 2009 by carrumba

Malware propagation is one of the most fascinating parts of the attacker's activities and is attracting, besides the anger of the affected people, the most attention. It is the part where all the magic of infection and intrusion happens, where attackers release the malicious software to the wild and try to infect new victim systems as quickly or as targeted as possible; their victims are left wondering how the heck that could have happened. The goal of this article is to give you an overview of how and where attackers release malware. It will show you the common infection points where people first come into contact with malware and what action the software has to execute to initiate the infection process.

Method 1 : Sending the Trojan horse as email attachment

One of the oldest but still very effective ways people get infected is via email, by opening an attached file. Email is the most used way people communicate over the Internet. Almost everyone owns an email address and is using it regularly. It is easy to use, and it's accessible from everywhere where you have Internet access. Today, most email services are free too. As already mentioned, sending malware as an email attachment was already a propagation method in the early days. The attacker prepared the Trojan horse, sent it to all the recipients on his list and waited until the infected systems connected back. Simple and straightforward. The only thing the recipient (the victim) had to do was to double-click the attachment to initiate the infection process. Back in the days anti virus software was not as widespread as
it is nowadays, and people were not that cautious and sensitised to this kind of threat. Many email users were only a double-click away from the infection. Today, as AV software is installed on virtually every computer and people are aware of the threat, that way of propagation still works surprisingly well. But things have turned out slightly more difficult. AV software doesn't accept *.exe, *.com, *.bat or *.pif files anymore, and it also checks archives like *.zip or *.rar files for executable files. If they contain files with suspicious file name extensions it raises a warning and interrupts the execution. But because there is still a big mass of potential victims among the email users that are obstinately ignoring any kind of warnings, the infection rate is still high, and for an attacker this archaic means is still promising and valuable.

Method 2 : Infection via browser bugs

The browser is doubtlessly the most used application on a computer. We use it to surf the Internet, to check our mails of course, to chat, and many programs people had once installed locally on the computer are now loaded into the browser and ready to use, as for example text processing programs or spreadsheets. Browsers have a big importance, and over the years their functionality and extensions grew and changed their usage enormously. With this quick development and the possibility to install plugins, the attack surface grew as well. Code reviews were conducted more often, and not only on the browsers but also on the plugins, which revealed many critical and also not so critical bugs. These circumstances also attracted the attackers' attention and allowed them new ways to spread their malware. By leading a victim to a site that contains malicious HTML, scripting or plugin code, an attacker can force the victim's browser to execute hidden actions, force it to download and install the damage routine of the Trojan horse and infect the system that way. This is much more convenient than the variant with the infected attachment. An email containing a simple link to a homepage doesn't seem suspicious, and additionally it is a one-click infection (instead of a double-click).

Method 3 : Removable data storage devices

There was once a time where the classic computer virus propagation happened by sharing infected floppy discs and executing program files. To share and to execute was simply the only method. Even if floppy disks are not in use as data storage devices anymore (maybe you're still using one as a boot device), the method itself is still in use. In the meantime CD-ROMs and USB memory sticks replaced the floppy discs almost completely, and Microsoft introduced the Autorun feature that executes commands automatically when a newly connected data storage device is connected. This combination of removable storage devices and autoexecution revived the ancient propagation method, and USB memory sticks and CD-ROMs/DVDs served, besides being data storage media, also as hosts to infect computers with malware. Here is an example of how the file autorun.inf has to look:
[autorun]
open=installMegapanzer.exe
icon=myIcon.ico

This way of malware propagation was used a lot in the past, and Microsoft and also other installed 3rd party software will trigger an alert if a data storage device is using the autorun feature. So this method is not that reliable anymore and has its restrictions. Additionally, and worth mentioning: a Trojan horse itself can, once running on a victim's system, infect other writable USB data storage devices and so propagate in the old known manner, as it happened with the floppy disks. Ancient but proven.

Method 4 : File sharing networks

Another common way to propagate malware is using the different internet based filesharing networks like Bittorrent, Emule, Limewire etc. An attacker tries to get hold of a new release of a popular software and injects his malicious code into the genuine software packet. After the initial infection the attacker offers the infected file to other users for download. There are two advantages coming with this method:

If a victim downloads the infected file he's "expecting" an executable file and doesn't become suspicious just because of its file extension. He "will" execute it after downloading.
Once the file is downloaded by the first victim, the availability of the file has doubled. Two people now offer the infected file for download.

What the attacker has to do is only to make sure he is using a popular software, and the propagation will advance at a fast pace.

What's coming up in the second article

The goal of the first part was to describe the methods how attackers propagate their malware by distributing it in an active way, by sending "something" to the victims expecting they execute an action with this "something". These ways are well known to all of us because the media permanently informs about the threats we are exposed to and the latest incidents that happened, and is giving us the relevant background information.
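As an added example (not code from the IRChelp FAQ, the carrumba post or any other source quoted here), the following Python implements the two defensive checks these passages point at: judging a file by the extension Windows actually acts on, which tip 3 (hidden extensions) and Method 1 (AV screening of *.exe/*.com/*.bat/*.pif attachments) both rely on, and scanning an autorun.inf like the one shown under Method 3 for keys that launch a program. The extension lists, the sample autorun.inf and the added shell\open\command key are assumptions constructed for the example; the file names in the sample are the ones the text uses.

```python
"""Added example: not code from any source quoted on this page.

Two defensive checks drawn from the text:
  * Tip 3 / Method 1: Windows hides the last extension of a known type, so
    "susie.jpg.exe" is shown as "susie.jpg", yet only that last extension
    decides what runs. classify_filename() reports the extension Windows
    acts on and flags a decoy extension in front of it.
  * Method 3: an autorun.inf whose open= or shellexecute= key (or a
    shell\\<verb>\\command key) names a program asks Windows to start it when
    the medium is inserted. inspect_autorun() lists such directives.
The extension sets and SAMPLE_AUTORUN are constructed for this example.
"""
import re
from dataclasses import dataclass

# Types the text names (exe, vbs, com, bat, pif) plus other directly
# executable or script types. Constructed list, not exhaustive.
RISKY_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "msi", "hta", "lnk", "reg",
}
# Harmless-looking types that a double-extension name imitates.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf",
                    "mp3", "avi", "zip"}
# autorun.inf keys that make Windows launch a program.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


@dataclass
class FileVerdict:
    name: str
    shown_as: str        # what Explorer displays with extensions hidden
    true_extension: str  # the extension Windows actually acts on
    executable: bool
    disguised: bool      # executable hiding behind a decoy extension


def classify_filename(name: str) -> FileVerdict:
    """Judge a file name by its real (last) extension, as Windows does."""
    if "." not in name:
        return FileVerdict(name, name, "", False, False)
    stem, _, ext = name.rpartition(".")
    ext = ext.lower()
    executable = ext in RISKY_EXTENSIONS
    # What Explorer shows may itself end in an extension: the decoy.
    inner = stem.rstrip().rpartition(".")[2].lower() if "." in stem else ""
    # Simplification: Explorer hides only registered extensions, and every
    # type in the sets above is registered on a standard Windows install.
    return FileVerdict(name, stem, ext, executable,
                       executable and inner in DECOY_EXTENSIONS)


def _program_of(command: str) -> str:
    """First token of a command line, honouring quotes, without its path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split()[0] if command else ""
    return program.replace("\\", "/").rsplit("/", 1)[-1]


def inspect_autorun(text: str) -> list:
    """Return (key, value, FileVerdict) for each directive in the [autorun]
    section that asks Windows to run a program."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            findings.append((key, value, classify_filename(_program_of(value))))
    return findings


# Constructed sample: the autorun.inf shown in the text plus one extra launch
# key naming the disguised file from the IRChelp FAQ above.
SAMPLE_AUTORUN = """\
[autorun]
open=installMegapanzer.exe
icon=myIcon.ico
shell\\open\\command="LOVE-LETTER-FOR-YOU.TXT.vbs" /s
"""

if __name__ == "__main__":
    for fname in ("susie.jpg", "susie.jpg.exe", "LOVE-LETTER-FOR-YOU.TXT.vbs"):
        v = classify_filename(fname)
        print(f"{fname}: shown as {v.shown_as!r}, runs as .{v.true_extension or '-'}, "
              f"executable={v.executable}, disguised={v.disguised}")
    for key, value, v in inspect_autorun(SAMPLE_AUTORUN):
        print(f"autorun {key}={value} launches {v.name} (disguised={v.disguised})")
```

Run against the [autorun] file above, the scan reports the open= target as executable and the added shell\open\command target as a disguised .vbs script, which is exactly the distinction Explorer's hidden extensions take away from the user.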
In the next article I will give you an understanding of how to inject the malware in a victim's browsing session by taking over and controlling his data stream. More subliminal, more state

Data-stealing malware is a web threat that divests victims of personal and proprietary information with the purpose of monetizing stolen data through direct use or underground distribution. Content security threats that fall under this umbrella include keyloggers, screen scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in file download or direct installation, as most hybrid attacks do, files that act as agents to proxy information will fall into the data-stealing malware category.

Characteristics of data-stealing malware

Does not leave traces of the event:
  The malware is typically stored in a cache that is routinely flushed.
  The malware may be installed via a drive-by-download process.
  The website hosting the malware, as well as the malware itself, is generally temporary or rogue.

Frequently changes and extends its functions:
  It is difficult for antivirus software to detect final payload attributes due to the combination(s) of malware components.
  The malware uses multiple file encryption levels.

Thwarts Intrusion Detection Systems (IDS) after successful installation:
  There are no perceivable network anomalies.
  The malware hides in web traffic.
  The malware is stealthier in terms of traffic and resource use.

Thwarts disk encryption:
  Data is stolen during decryption and display.
  The malware can record keystrokes, passwords, and screenshots.

Thwarts Data Loss Prevention (DLP):
  Leakage protection hinges on metadata tagging; not everything is tagged.
  Miscreants can use encryption to port data.

Examples of data-stealing malware

Bancos, an info stealer that waits for the user to access banking websites, then spoofs pages of the bank website to steal sensitive information.
Gator, spyware that covertly monitors web-surfing habits, uploads data to a server for analysis, then serves targeted pop-up ads.
LegMir, spyware that steals personal information such as account names and passwords related to online games.
Qhost, a Trojan that modifies the Hosts file to point to a different DNS server when banking sites are accessed, then opens a spoofed login page to steal login credentials for those financial institutions.

Data-stealing malware incidents

Albert Gonzalez (not to be confused with the U.S. Attorney General Alberto Gonzalez) is accused of masterminding a ring to use malware to steal and sell more than 170 million credit card numbers in 2006 and 2007—the largest computer fraud in history. Among the firms targeted were BJ's Wholesale Club, TJX, DSW Shoes, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21.[19]

A Trojan horse program stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc's job search service.
The data was used by cybercriminals to craft phishing emails targeted at Monster.com users to plant additional malware on users’ PCs.[20] Customers of Hannaford Bros. Co., a supermarket chain based in Maine, were victims of a data security breach involving the potential compromise of 4.2 million debit and credit cards. The company was hit by several class-action law suits.[21] The Torpig Trojan has compromised and stolen login credentials from approximately 250,000 online bank accounts as well as a similar number of credit and debit cards. Other
information such as email, and FTP accounts from numerous websites, have also been compromised and stolen.

The trends appear quite similar to the month prior: the most popular encyclopedia entry is still Bancos, and we still have several Vundo pages in the list. We covered Vundo last month, so I'll go into a little more detail about the Bancos trojan.

Bancos is a password stealing trojan that originally targeted Brazilian on-line banking users. It's a relatively old and diverse family: we've been detecting it for several years now and have seen thousands of unique samples. We first added it to MSRT in September 2006. We've seen Bancos distributed via virtually all the usual propagation vectors: spam emails, browser exploits, p2p, irc, disguised as other software, dropped by other malware, just to name a few.

Bancos exhibits a wide variety of behaviors; however, essentially all variants attempt to steal banking or financial passwords using one (or several) common techniques. Some examples of these techniques include redirecting users to fake pages, monitoring keystrokes, interfering with browsers, searching for cached passwords, etc. After it has started, Bancos typically will search the system for cached passwords and then remain memory resident waiting for a browser window with a title that it's been instructed to look for. If a victim visits a page with a page title that the trojan is looking for, it will typically either capture data or present the user with a false version of the page enabling it to capture the victim's credentials. Once found, credentials are transmitted back to the distributor (often via email or ftp). We've seen quite a few samples using mail servers belonging to large web-mail providers to send the stolen credentials, often to yet another web-based e-mail account.

The bottom line is: change your passwords regularly, particularly after finding (and removing) any malware running on your system.
Even if the threat is removed, your passwords may have already been leaked. :(

Characteristics

Malware is multi-functional and modular: there are many kinds of malware that can be used together or separately to achieve a malicious actor's goal. New features and additional capabilities are easily added to malware to alter and "improve" its functionality and impact.12 Malware can insert itself into a system, compromise the system, and then download additional malware from the Internet that provides increased functionality. Malware can be used to control an entire host13 or network, it can bypass security measures such as firewalls and anti-virus software, and it can use encryption to avoid detection or conceal its means of operation.

Malware is available and user-friendly: malware is available online at a nominal cost, thus making it possible for almost anyone to acquire. There is even a robust underground market for its sale and purchase. Furthermore, malware is user-friendly and provides attackers with a capability to launch sophisticated attacks beyond their skill level.

Malware is part of a broader cyber attack system: malware is being used both as a primary form of cyber attack and to support other forms of malicious activity and cybercrime such as spam and phishing. Conversely, spam and phishing can be used to further distribute malware.

How does malware work

Malware is able to compromise information systems due to a combination of factors that include insecure operating system design and related software vulnerabilities. Malware works by running or installing itself on an information system manually or automatically.17 Software may contain vulnerabilities, or "holes" in its fabric caused by faulty coding.
Software may also be improperly configured, have functionality turned off, be used in a manner not compatible with suggested uses, or be improperly configured with other software. Many types of malware such as viruses or trojans require some level of user interaction to initiate the infection process, such as clicking on a web link in an e-mail, opening an executable file attached to an e-mail or visiting a website where malware is hosted. Once security has been breached by the initial infection, some forms of malware automatically install additional functionality such as spyware (e.g. a keylogger), a backdoor, a rootkit or any other type of malware, known as the payload.18

Social engineering,19 in the form of e-mail messages that are intriguing or appear to be from legitimate organisations, is often used to convince users to click on a malicious link or download malware. For example, users may think they have received a notice from their bank, or a virus warning from the system administrator, when they have actually received a mass-mailing worm. Other examples include e-mail messages claiming to be an e-card from an unspecified friend to persuade users to open the attached "card" and download the malware.

Malware can also be downloaded from web pages unintentionally by users. A recent study by Google that examined several billion URLs and included an in-depth analysis of 4.5 million found that, of that sample, 700 000 seemed malicious and that 450 000 were capable of launching malicious downloads.20 Another report found that only about one in five websites analysed were malicious by design. This has led to the conclusion that about 80% of all web-based malware is being hosted on innocent but compromised websites unbeknownst to their owners.21
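Qhost, in the list of data-stealing malware above, works by rewriting the Hosts file so that a bank's name resolves to an address the attacker chooses, and Bancos variants likewise redirect users to fake pages. One defender-side integrity check for that technique, added here as an example (it is not from the page or from any vendor tool; the watched domains, the sample Hosts content and the 192.0.2.0/24 documentation addresses are all constructed):

```python
"""Added example: flag Hosts-file entries that pin sensitive domains to an
unexpected address, the tampering technique attributed to Qhost above.
Everything here is constructed for illustration; nothing is taken from a
real infection or vendor tool."""
import ipaddress
import platform
from typing import Dict, List, Tuple

# Constructed watch list: names a user would not expect to see hard-wired in
# Hosts (banking sites and a hypothetical software-update host).
WATCHED_SUFFIXES = ("examplebank.test", "mybank.test", "windowsupdate.test")

# Addresses that are normal for local names such as "localhost".
LOCAL_OK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample Hosts content, with one redirect and one sinkhole entry.
SAMPLE_HOSTS = """# Constructed sample, not a real Hosts file
127.0.0.1   localhost
::1         localhost
192.0.2.44  www.examplebank.test examplebank.test   # constructed tampered entry
0.0.0.0     update.windowsupdate.test
10.0.0.5    intranet.corp.test
"""


def hosts_path() -> str:
    """Location of the Hosts file on the current platform."""
    if platform.system() == "Windows":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, [hostnames]) for each effective line.

    Blank lines and comments are skipped, inline comments are stripped and
    lines whose first field is not a valid IP address are ignored."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        names = [h.lower().rstrip(".") for h in fields[1:]]
        entries.append((no, fields[0], names))
    return entries


def is_watched(host: str) -> bool:
    """True when host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_suspicious(text: str) -> List[Dict[str, object]]:
    """Report watched names that Hosts overrides.

    A remote address means traffic for the name is silently redirected (the
    Qhost pattern); a local/unspecified address means the real site is
    blocked, which malware uses to stop security updates."""
    findings = []
    for no, ip, names in parse_hosts(text):
        for host in names:
            if not is_watched(host):
                continue
            if ip in LOCAL_OK:
                reason = "watched domain sinkholed locally (blocks the real site)"
            else:
                reason = "watched domain pinned to remote address"
            findings.append({"line": no, "host": host, "ip": ip, "reason": reason})
    return findings


if __name__ == "__main__":
    try:
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError:
        content = SAMPLE_HOSTS  # fall back to the constructed sample
    for f in find_suspicious(content):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

On a real machine the watch list should hold the organisation's own banking, update and security-vendor domains; the check is read-only and reports, it does not change the file.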
Stealing information

Over the past five years, information theft, and in particular online identity (ID) theft,50 has been an increasing concern to business, governments, and individuals. Although malware does not always play a direct role,51 ID theft directly using malware has become increasingly common with the rise of backdoor trojans and other stealthy programmes that hide on a computer system and capture information covertly.

As illustrated in Figure 1, online ID theft attacks using malware can be complex and can use multiple Internet servers to distribute spam and malware, compromise users' information systems, and then log the stolen data to another website controlled by the attacker or send it to the attacker's e-mail account. Generally, the attacker operates under multiple domain names and multiple IP addresses for each domain name and rapidly rotates them over the life of the attack (for example see botnet hosted malware sites #1 and #2 in Figure 1).52 The use of multiple domain names and multiple hosts or bots (and their associated IP addresses) is designed to increase the time available for capturing the sensitive information and reduce the effectiveness of efforts by affected organisations (such as banks), CSIRTs and ISPs to shut down fraudulent sites.

Under the domain name system (DNS) attackers are able to quickly and easily change their DNS tables53 to reassign new IP addresses to fraudulent web and logging sites operating under a particular domain.54 The effect is that as one IP address is closed down, it is trivial for the site to remain active under another IP address in the attacker's DNS table. For example, in a recent case IP addresses operating under a single domain name changed on an automated basis every 30 minutes, and newer DNS services have made it possible to reduce this time to five minutes or less. Attackers may use legitimate existing domains to host their attacks, or register specially created fraudulent domains. The only viable mitigation response to the latter situation is to seek deregistration of the domain.55

50 See DSTI/CP(2007)3/FINAL where Identity Theft is defined as the unlawful transfer, possession, or misuse of personal information with the intent to commit, or in connection with, a fraud or other crime.
51 Identity theft attacks most often use social engineering techniques to convince the user to disclose information to what they assume is a trusted source. This technique, known as phishing, does not directly rely on the use of malware to work. It uses deceptive or "spoofed" e-mails and fraudulent websites impersonating brand names of banks, e-retailers and credit card companies to deceive Internet users into revealing personal information. However, as many phishing attacks are launched from spam emails sent from botnets, malware is indirectly involved as it is used to create botnets which are in turn used to send the spam e-mail used in phishing attacks. Malware would be directly implicated when the spam e-mails contained embedded malware or a link to a website where malware would be automatically downloaded.
52 This is a technique known as "fast flux".
53 A DNS table provides a record of domain names and matching IP addresses.
54 See Annex B for a discussion on attacks using the DNS and attacks against the DNS.
55 AusCERT (2006) p. 19-20.

DSTI/ICCP/REG(2007)5/FINAL 19
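The rotation described above (addresses under one domain name changing every 30 minutes, or five minutes or less, the "fast flux" of footnote 52) can be surfaced on the defender's side by scoring resolver answers over time. The following is an added example, not from the OECD report or AusCERT; it assumes a monitor that logs each DNS answer with its TTL, and the domains, addresses (203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and thresholds are constructed:

```python
"""Added example: score DNS answer churn per domain, the rotating-IP behaviour
the report calls "fast flux" (addresses under one name changing every 30 or
even 5 minutes). Not from the report; thresholds and observations are
constructed, using the 203.0.113.0/24 and 198.51.100.0/24 documentation
ranges."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Observation:
    """One resolver answer for a domain, as a monitor would log it."""
    ts: int            # seconds since epoch (constructed)
    domain: str
    answers: Set[str]  # A records returned
    ttl: int           # TTL of the answer in seconds


@dataclass
class FluxReport:
    domain: str
    distinct_ips: int
    rotations: int            # answers that differ from the previous observation
    rotations_per_hour: float
    min_ttl: int
    flagged: bool


# Heuristic thresholds (constructed, tune for the environment): a name whose
# answer set changes at least hourly across several addresses with a short TTL
# matches the rotation the report describes. Legitimate CDNs can look similar,
# so treat a flag as a triage signal, not proof.
MIN_DISTINCT_IPS = 4
MIN_ROTATIONS_PER_HOUR = 1.0
MAX_TTL_SECONDS = 1800


def analyse(observations: List[Observation]) -> Dict[str, FluxReport]:
    """Group observations by domain and score each one."""
    by_domain: Dict[str, List[Observation]] = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)

    reports = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda o: o.ts)
        seen: Set[str] = set()
        rotations = 0
        prev = None
        for o in rows:
            seen |= o.answers
            if prev is not None and o.answers != prev:
                rotations += 1
            prev = o.answers
        span = rows[-1].ts - rows[0].ts
        per_hour = rotations / (span / 3600) if span > 0 else 0.0
        min_ttl = min(o.ttl for o in rows)
        flagged = (len(seen) >= MIN_DISTINCT_IPS
                   and per_hour >= MIN_ROTATIONS_PER_HOUR
                   and min_ttl <= MAX_TTL_SECONDS)
        reports[domain] = FluxReport(domain, len(seen), rotations, per_hour, min_ttl, flagged)
    return reports


def constructed_sample() -> List[Observation]:
    """Seven polls 30 minutes apart for two constructed domains."""
    base = 1_700_000_000
    rows = []
    for i in range(7):
        # Rotating name: a new single address each poll, TTL five minutes.
        rows.append(Observation(base + i * 1800, "login.examplebank-secure.test",
                                {f"203.0.113.{10 + i}"}, 300))
        # Stable name: the same two addresses every poll, TTL one hour.
        rows.append(Observation(base + i * 1800, "www.example-cdn.test",
                                {"198.51.100.7", "198.51.100.8"}, 3600))
    return rows


if __name__ == "__main__":
    for rep in analyse(constructed_sample()).values():
        print(rep)
```

A flagged domain is a candidate for the deregistration or blocking response the report describes, after a CDN allow-list has been checked.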
Figure 1. Online ID theft attack system involving malware56
[Diagram not reproduced; labels recovered from it: "Captures information exchanged, including for Internet banking, e-tax, e-health, etc." and "Spam email is sent to ..."]
56 AusCERT (2006) at 7.

Origin of malware attack

Malware is now spread around the world and rankings60 tend to show that a whole host of countries across the developed and the developing world are home to online criminals using malware. Although attacks originating from one country may have local targets, the predominant trend is attacks that originate internationally relative to their targets. In addition, geography may play a role depending on the end goal of the attacker. For example, broadband Internet speeds differ from country to country.
If an attacker wishes to maximise network damage, he/she may use compromised computers located in countries where broadband is prevalent. If the goal is to degrade service or steal information over time, the attacker may use compromised computers from a variety of geographical locations. Geographical distribution allows for increased anonymity of attacks and impedes identification, investigation and prosecution of attackers.

95 See "Malware: Why should we be concerned?" for a discussion of the impacts from malware.

Basic economic rationale for malware

E-mail is not at an economic equilibrium between the sender and the recipient because it costs virtually nothing to send. All the costs of dealing with spam and malware are passed on to the Internet provider and the "unwilling" recipients, who are charged for protective measures, bandwidth and other connection costs, on top of the costs of repairing the computer or having lost money to scams. At the same time, criminals minimise their costs to the extreme: they pay no tax, escape the cost of running a genuine business, and pay commission only to others in criminal circles worldwide and at a comparatively low price.

The cost to malicious actors continues to decrease as freely available email storage space increases. Further, the use of botnets makes it easier and even cheaper to send malware through email. Today's criminals often have access to cheap techniques for harvesting email addresses as well as easy access to malware and outsourced spamming services. Anti-detection techniques are constantly evolving to make it cheaper to operate, and malicious actors can easily switch ISPs if their activity is detected and their service terminated. Both the malware itself and the compromised computers being used to further launch malware attacks are a low cost, readily available and easily renewable resource.
High speed Internet connections and increased bandwidth allow for the mass creation of compromised information systems that comprise a self-sustaining attack system as illustrated by Figure 7. Furthermore, malicious actors can replace compromised information systems that have been disconnected or cleaned, and they can expand the number of compromised information systems as the demand for resources (namely malware and compromised information systems) for committing cybercrime also grows.
Figure 7. Self-sustaining attack system using malware

Note: this figure shows how malware is used to create a self-sustaining resource of compromised computers that serve as the backbone of malicious online activity and cybercrime. Information systems connected to the Internet can become infected with malware. Those information systems are then used to scan and compromise other information systems.

MALWARE: WHY SHOULD WE BE CONCERNED?

The growth of malware, and the increasingly inventive ways in which it is being used to steal personal data, conduct espionage, harm government and business operations, or deny user access to information and services, is a potentially serious threat to the Internet economy, to the ability to further e-government for citizen services, to individuals' online social activities, and to national security.

Malware-enabling factors

The capabilities of malware make it a prevalent "cybercriminal tool". However, broader economic and social factors may contribute to its increased occurrence and the robust state of the malware economy. The following describes some of those factors which, while they bring important benefits to society, also facilitate the existence and promulgation of malware.

Broadband Internet and its users

In 2005, the International Telecommunication Union estimated 216 708 600 "fixed" broadband Internet subscribers in the world.98 Furthermore, it is generally agreed that there are an average of 1 000 000 000 Internet users in the world today. As the number of subscribers and users increases, so does the number of available targets for malware. The increased prevalence of high speed Internet and the availability of broadband wireless connections make it easy for malicious actors to successfully carry out attacks as they can compromise computers at faster rates, use the bandwidth to send massive amounts of spam and conduct DDoS attacks.
Furthermore, these "always on" connections allow malicious actors to be mobile and to attack from any location including public places such as Internet cafes, libraries, coffee shops or even from a PDA or mobile phone device.99 Operating from public places allows attackers to conduct their activities anonymously, thus making it difficult to detect and trace their activities. It is important to note that while broadband technologies are an enabling factor, it is the behaviours associated with these technologies that are problematic. For example, people often fail to adopt appropriate security measures when using broadband technologies and therefore leave their connection open without the appropriate security software installed.100

98 International Telecommunications Union (ITU) (2007) p. 23.
99 McAfee Inc. (2007) p. 02 and 10.
100 This could be the case for any Internet connection, broadband or otherwise.
101 OECD (2005) E-7.

Ever more services available on line

Most governments, consumers and businesses depend on the Internet to conduct their daily business. In 2004, the OECD found that, in most OECD countries, over 90% of businesses with 250 or more employees had access to the Internet. Firms with 50 to 249 employees also had very high rates of access.101 Home users rely on the Internet for their day to day activities including shopping, banking or simply exchanging information and conducting e-government and e-commerce transactions. As the amount of these services continues to increase, so does the likely community of users accessing these services on line.
This in turn increases the available targets for attack or exploitation, which provides further incentive for criminals to conduct malicious activity.

Operating system and software vulnerabilities

The more vulnerable the technology, the more likely it is to be exploitable through malware. For example, the security firm Symantec102 reported a 12% increase in the number of known vulnerabilities from the first half of 2006 (January – June 2006) to the second half (June – December 2006), which they largely attribute to the continued growth of vulnerabilities in web applications. Microsoft also reported an increase of nearly 2 000 disclosed vulnerabilities from 2005 to 2006.103 The increase in vulnerabilities corresponds to an increase in incidents. Microsoft reported an increase in the number of machines disinfected by its Malicious Software Removal Tool from less than 4 million at the beginning of 2005 to more than 10 million at the end of 2006.104

It is important to note that the absence of known reported vulnerabilities in a software product does not necessarily make that product more secure than one that has known reported vulnerabilities – it may simply be that similar effort has not been expended to find them. In addition, tools that find and exploit vulnerabilities are improving; companies are doing more reporting of vulnerabilities and more people or "researchers" than ever are probing software to find vulnerabilities. Finally, the greater complexity of software - more interconnecting functions that need to work with an ever growing universe of other software - further increases the potential for vulnerabilities.

102 Symantec (2007) p. 38.
103 Microsoft (2006b) p. 8.
104 Microsoft (2006b) p. 20-21.
105 OECD (2007c) p. 33-34.
106 Brendler, Beau (2007) p. 4.
107 European Commission Eurobarometer (2007) p. 89.
Easy to target average Internet user

As the reliance of home users and small to medium sized enterprises (SMEs) on the Internet increases, so do the malware threats they face. Consumers and business are increasingly exposed to a new range of complex, targeted attacks that use malware to steal their personal and financial information. Many Internet users are not adequately informed about how they can securely manage their information systems. This lack of awareness and subsequent action or inaction contributes to the increasing prevalence of malware. Most malware requires some form of user action or acceptance to propagate.

Recent surveys from various organisations show that while more users are taking measures to protect their information systems, a large percentage of the population lacks basic protective measures. For example, a 2005 report commissioned by the Australian Government, Trust and Growth in the Online Environment, found that only one in seven computers in Australia use a firewall and about one in three use up-to-date virus protection software.105 Furthermore, it is estimated that 59 million users in the US have spyware or other types of malware on their computers.106 The European Commission's Eurobarometer E-communications Household survey107 observed an increase in consumer concerns about spam and viruses in 2006. For some EU Member States, up to 45% of
consumers had experienced significant problems. In 40% of the cases, the computer performance decreased significantly; in 27% of the cases a breakdown was observed. In the same survey, 19% of consumers had no protection system at all on their computers. Other data also suggests that home users are the most targeted of all the sectors,108 accounting for 93% of all targeted attacks,109 thus highlighting that weak user security is one important enabler of malware.

125 Denning, Dorothy (2000).
126 Poulsen, Kevin (2003).
127 United States Nuclear Regulatory Commission (2003).
128 United States District Court Northern District Of Illinois Eastern Division (2007).
129 A recent OECD Report, The Development of Policies to Protect the Critical Information Infrastructure, highlights this point. See DSTI/ICCP/REG(2007)20/FINAL.
130 U.S.-Canada Power System Outage Task Force Final Report p. 131.
131 Greene, Tim (2007).
132 OECD (2007c) p. 7.

Challenges to fighting malware

Protecting against, detecting and responding to malware has become increasingly complex as malware and the underlying criminal activity which it supports are rapidly evolving and taking advantage of the global nature of the Internet. Many organisations and individuals do not have the resources, skills or expertise to prevent and/or respond effectively to malware attacks and the associated secondary crimes which flow from those attacks such as identity theft, fraud and DDoS. In addition, the scope of one organisation's control to combat the problem of malware is limited. Many security companies report an inability to keep up with the overwhelming amounts of malware despite committing significant resources to analysis.
One vendor dedicates 50 engineers to analysing new malware samples and finding ways to block them, but notes that this is almost an impossible task, with about 200 new samples per day and growing.131 Another company reported it receives an average of 15 000 files – and as many as 70 000 – per day from their product users as well as CSIRTs and others in the security community.132 When samples and files are received, security companies undertake a process to
determine if the file is indeed malicious. This is done by gathering data from other vendors, conducting automated analysis, or by conducting manual analysis when other methods fail to determine the malicious nature of the code. One vendor estimated that each iteration of this cycle takes about 40 minutes and that they release an average of 10 updates per day.133 Furthermore, there are many security vendors who all have different insights into the malware problem.

Most security technologies such as anti-virus or anti-spyware products are signature-based, meaning they can only detect those pieces of malware for which an identifier, known as a "signature", already exists and has been deployed. There is always a time lag between when new malware is released by attackers into the "wild", when it is discovered, when anti-virus vendors develop their signatures, and when those signatures are updated onto users' and organisations' information systems. Attackers actively seek to exploit this period of heightened vulnerability. It is widely accepted that signature based solutions such as anti-virus programs are largely insufficient to combat today's complex and prevalent malware. For example, one analysis134 that explores antivirus detection rates for 17 different anti-virus vendors reveals that, on average, only about 48.16% of malware was detected. Circumstantial evidence such as this indicates that attackers are actively testing new malware creations against popular anti-virus programs to ensure they stay undetected.

133 OECD (2007c) p. 7.
134 Information provided to the OECD by CERT.br, the national CSIRT for Brazil.
135 One website provides a survey of cybercrime legislation that documented 77 countries with some existing cybercrime law. See http://www.cybercrimelaw.net/index.html.
136 United States Department of Justice Computer Crime & Intellectual Property Section.
137 Greene, Tim (2007a).
In addition, malicious actors exploit the distributed and global nature of the Internet as well as the complications of law and jurisdiction bound by traditional physical boundaries to diminish the risks of being identified and prosecuted. For example, a large portion of data trapped by attackers using keyloggers is transmitted internationally to countries where laws against cybercrime are nascent, non-existent or not easily enforceable. Although countries across the globe have recognised the seriousness of cybercrime and many have taken legislative action to help reprimand criminals, not all have legal frameworks that support the prosecution of cyber criminals.135 The problem however is even more complicated as information may be compromised in one country by a criminal acting from another country through servers located in a third country, all together further complicating the problem.

Law enforcement agencies throughout the world have made efforts to prosecute cyber criminals. For example, the Computer Crime and Intellectual Property Section of the US Department of Justice has reported the prosecution of 118 computer crime cases from 1998 – 2006.136 Although global statistics on arrests are hard to determine, one company estimated worldwide arrests at 100 in 2004, several hundred in 2005 and then 100 again in 2006.137 While these cases did not necessarily involve malware, they help illustrate the activities of the law enforcement community. It is important to note that the individuals prosecuted are usually responsible for multiple attacks. These figures are low considering the prevalence of online incidents and crime. They highlight the complex challenges faced by law enforcement in investigating cybercrime. Furthermore, the volatile nature of electronic evidence and the frequent lack of logged information can often mean that evidence is destroyed by the time law enforcement officers can get the necessary warrants to recover equipment.
The bureaucracy of law enforcement provides good checks and balances, but is often too slow to cope with the speed of electronic crime. Additionally, incident responders often do not understand the needs of law enforcement and accidentally destroy electronic evidence.

Today, the benefits of malware seem to be greater for attackers than the risks of undertaking the criminal activity. Cyberspace offers criminals a large number of potential targets and ways to derive income from online victims. It also provides an abundant supply of computing resources that can be harnessed to facilitate this criminal activity. Both the malware and compromised information systems being used to launch the attacks have a low cost, are readily available and frequently updated. High speed Internet connections and increased bandwidth allow for the mass compromise of information systems that renew and expand the self-sustaining attack system. By contrast, communities engaged in fighting malware face numerous challenges that they cannot always address effectively.
MALWARE: WHAT TO DO?

Many would agree that the damage caused by malware is significant and needs to be reduced, although its economic and social impacts may be hard to quantify. That said, several factors should be considered in assessing what action to take, and by whom, against malware. These include: the roles and responsibilities of the various participants,138 the incentives under which they operate as market players, as well as the activities already undertaken by those communities more specifically involved in fighting malware.

138 According to the 2002 OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, "participants" refers to governments, businesses, other organisations and individual users who develop, own, provide, manage, service and use information systems and networks.

Roles of individual, business and government participants - Highlights

Malware affects individuals, business and government in different ways. All those participants can play a role in preventing, detecting, and responding to malware with varying levels of competence, resources, roles and responsibilities, as called for in the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (the "OECD Security Guidelines"). Better understanding the roles and responsibilities of the various participants in relation to malware is important to assessing how to enhance the fight against malware. Among the various participants, those concerned by malware are:

- Users (home users, small and medium-sized enterprises (SMEs), and public and private sector organisations) whose data and information systems are potential targets and who have different levels of competence to protect them.
- Software vendors, who have a role in developing trustworthy, reliable, safe and secure software.
- Anti-virus vendors, who have a role in providing security solutions to users (such as updating anti-virus software with the latest information on malware).
- Internet Service Providers (ISPs), who have a role in managing the networks to which the aforementioned groups connect for access to the Internet.
- Domain name registrars and regulators, who determine if a domain is allowed to be registered and potentially have the power to deregister a domain that is used to commit fraud or other criminal activity, including, for example, the distribution of malware.
- CSIRTs, frequently the national or leading ones (often government), which have a role, for example, in detecting, responding to and recovering from security incidents and issuing security bulletins about the latest computer network threats or vulnerabilities associated with malware attacks; or in co-ordinating nationally and internationally the resolution of computer network attacks affecting their constituency or emanating from their constituency.
- Law enforcement entities, which have a mandate to investigate and prosecute cybercrime.
- Government agencies, which have a role in managing risks to the security of government information systems and the critical information infrastructure.
- Governments and inter-governmental organisations, which have a role in developing national and international policies and legal instruments to enhance prevention, detection and response to malware proliferation and its related crimes.
Malware attack trends

The dynamic nature of malware keeps most security experts constantly on the lookout for new types of malware and new vectors for attack. Due to the complex technical nature of malware, it is helpful to examine overall attack trends to better understand how attacks using malware are evolving. As mentioned previously, the use of malware is becoming more sophisticated and targeted. Attackers are using increasingly deceptive social engineering techniques to entice users to seemingly legitimate web pages that are actually infected and/or compromised with malware. Figure 2 illustrates the types of attack that seem to be on the increase, those that are falling out of favour, and those for which the trend remains unclear or unchanged.

ANNEX D - EXAMPLES OF MALWARE PROPAGATION VECTORS

E-mail: Malware can be "mass mailed" by sending out a large number of e-mail messages with malware attached or embedded. There are numerous examples of successful malware propagated through mass-mailers, largely due to the ability of malicious actors to use social engineering to spread malware rapidly across the globe.

Web: Attackers are increasingly using websites to distribute malware to potential victims. This relies on spam e-mail to direct users to a website where the attacker has installed malware capable of compromising a computer simply by allowing a browser connection to the website. If the website is a legitimate and popular site, users will go there of their own accord, allowing their computers to potentially become infected/compromised without the need for spam e-mail to direct them there. There are two methods of infection via the web: compromise an existing website to host malware; or set up a dedicated site to host malware on a domain specially registered for that purpose.

Instant messengers: Malware can propagate via instant messaging services on the Internet by sending copies of itself through the file transfer feature common to most instant messenger programmes. Instant messages could also contain web links that direct the user to another site hosting downloadable malware. Once a user clicks on a link displayed in an instant messenger dialog box, a copy of the malware is automatically downloaded and executed on the affected system.

Removable media: If malware is installed on removable media, such as a USB stick or CD-ROM, it can infect and/or propagate by automatically executing as soon as the media is connected to another computer.

Network-shared file systems: A network share is a remotely accessible digital file storage facility on a computer network. A network share can become a security liability for all network users when access to the shared files is gained by malicious actors or malware, or when the network file sharing facility included within the operating system of a user's computer has been otherwise compromised.

P2P programmes: Some malware propagates by copying itself into folders it assumes to be shared (such as those with "share" in the folder name), or for which it activates sharing, and uses an inconspicuous or invisible file name (usually posing as legitimate software, or as an archived image).

Internet Relay Chat (IRC): IRC is a form of Internet chat specifically designed for group communications in many topical "channels," all of which are continuously and anonymously available from any location on the Internet. Many "bot masters" (as the malefactors who operate networks of malware-infected/compromised machines are often called; see the chapter "The Malware Internet: Botnets") use IRC as the central command and control (C&C) communications channel for co-ordinating and directing the actions of the bot-infected/compromised information systems in their "botnet."

Bluetooth: Bluetooth is a wireless networking protocol that allows devices like mobile phones, printers, digital cameras, video game consoles, laptops and PCs to connect at very short distances, using unlicensed radio spectrum. Because the security mechanisms implemented in Bluetooth devices tend to be trivially bypassed, such devices are vulnerable to malware through attack techniques which have been called "bluejacking" or "bluesnarfing." A Bluetooth device is most vulnerable to this type of attack when a user's connection is set to "discoverable", which allows it to be found by other nearby Bluetooth devices.
What is Spam?

Spam in a general sense is any email you don't want to receive. There are many types of email that you may not want, e.g. advertisements, newsletters, or questionnaires; however, these emails are not what the computer community refers to as spam. What the computer community is most concerned with is illegal email spam. My definition of illegal email spam is: attempts to deceive by falsification of seller identity or email address, and use of other trickery (defrauding), in the hope of gaining monetary advantage (stealing) from the email recipient and other parties.

The Federal Trade Commission's definition of spam: "Not all UCE is fraudulent, but fraud operators - often among the first to exploit any technological innovation - have seized on the Internet's capacity to reach literally millions of consumers quickly and at a low cost through UCE. In fact, UCE has become the fraud artist's calling card on the Internet. Much of the spam in the Commission's database contains false information about the sender, misleading subject lines, and extravagant earnings or performance claims about goods and services. These types of claims are the stock in trade of fraudulent schemes." From Prepared Statement Of The Federal Trade Commission On "Unsolicited Commercial email", November 3, 1999.

How does a spammer get your email address?

There are many ways a spammer can obtain your email address.
a. You can disclose it yourself by posting your email address on auctions, bulletin boards, advertising, or email locators.
b. Businesses might sell your email address or other personal information to a spammer (however, legitimate businesses do not do this).
c. Spammers can use software programs to collect email addresses from web sites, or they can use random number generators to send spam out randomly.

What is a hacker?

A hacker is an individual that attempts to take control over someone else's computer by using viruses, worms, and other types of Internet attacks. One of their favorite "tricks" is to use hacked computers to bring down a large web site by overloading the targeted site with millions of transmissions in a "denial of service" (DoS) attack. While hackers were glorified in the early days of the Internet as people standing up for their rights against big corporations and the Government, hacking is now the hobby of criminals and thieves. Hackers prey on all citizens of the Internet and they are extremely dangerous to individuals, corporations, and governments.

How does a hacker find your computer?

Most hack attempts against personal computers result from viruses and worms running from an infected PC. It is not very difficult for the creator of the hacking program to predetermine the Internet addresses that his program will attack. There are also amateur hackers who use software programs to randomly check for online computers to attack.

What makes Spamming or Hacking Illegal?

The U.S. Congress outlawed certain types of spam with the CAN-SPAM Act of 2003. The law, which became effective January 1, 2004, covers email whose primary purpose is advertising or promoting a commercial product or service, including content on a Web site. However, a "transactional or relationship message" – email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act. The Federal Trade Commission (FTC), the nation's consumer protection agency, is authorized to enforce the CAN-SPAM Act. CAN-SPAM also gives the Department of Justice (DOJ) the authority to enforce its criminal sanctions. Other federal and state agencies can enforce the law against organizations under their jurisdiction, and companies that provide Internet access may sue violators as well. All 50 states have also passed anti-spam laws that have various penalties for illegal spammers and hackers. If you don't live in a state with a strong anti-spam law, you are still protected from fraudulent schemes, illegal pornography, and other illegal acts by various state and federal laws. In addition, if a spammer or hacker causes harm to a Government computer they are subject to the penalties of USC Title 18, Part I, Chapter 47, Sec. 1030 - Fraud and related activity in connection with computers.

Now that we have a definition of illegal spam and hacking, let's move on to the practical matter of defending your computer against spammers and hackers.

Avoiding Spam

1. One of the easiest things you can do to avoid spam is to never give out your real email address. Your real email address should only be used with trusted friends and coworkers. For all other types of email, and for situations that require an email address from you, you should set up and use a junk email account. A junk email account is usually obtained from a free web based email provider like Hotmail or our InfoHQ.com free email. A junk email account is used for all types of correspondence when the end-user can not be trusted with your real email address. So use your junk email account for entering contests, shopping, registering on web sites, etc. When your junk email address becomes so full of spam that you get tired of managing it, you delete it and get a new email account. Spam problem solved: you start spam free with a new email address.

2. Don't open junk email. The safest thing to do with junk email is to delete it. Bad things can happen by opening junk email, such as the impossible-to-close window scam, resetting of your homepage to the spam site, and loading of unwanted or hostile programs. Note: Some experts are now claiming that you should not have your email "preview pane" open, as hostile programs could be started just by the act of the email being previewed. I have never seen a program load from the preview pane; however, it is a good practice to close the preview pane when dealing with suspicious email.

What is a firewall?

A firewall is essentially a filter. It is either a software program or a hardware device used in computer systems to prohibit forbidden information from passing through, while allowing approved information. The communication which the firewall prevents from passing through could be hackers trying to gain access to your personal information stored on your computer.

How do firewalls work?

The firewall inspects all the information which is passed over the system and determines whether or not it is a threat, based upon a variety of factors. It then stops all potential threats from passing through. The criteria which a firewall uses to determine whether or not information is a threat are carefully determined.
Do I need a firewall on my personal computer?

Firewalls are important for anyone with online security concerns. Firewalls can be used by businesses, known as a corporate firewall, or by individuals, known as a personal firewall. It has long been known that firewalls are a necessity for businesses to protect their networks; however, the demand for personal firewalls has increased dramatically.

Hardware & Software Firewall

There are two types of firewalls: the Hardware Firewall and the Software Firewall. A Software Firewall is a software program and a Hardware Firewall is a piece of hardware. Both have the same objective of filtering communications over a system. Systems can use a Hardware Firewall, a Software Firewall, or a combination of both.

Code red

This essay contains a description of several famous malicious computer programs (e.g., computer viruses and worms) that caused extensive harm, and it reviews the legal consequences of each incident, including the nonexistent or lenient punishment of the program's author. It is not my intention to provide information on threats by current malicious programs: this essay is only a historical document. (You can find information on current threats at websites operated by vendors of anti-virus software.) There are three reasons to understand past malicious programs:
- Learning how past incidents caused damage may help you protect your computer from future damage. I say may, because new types of threats are continually emerging.
- Because the law reacts to past events, learning about past harmful incidents shows us how the law should be corrected to respond appropriately to the new crimes of writing and distributing malicious computer programs.

In May 2002, the Norton Anti-Virus software for Windows operating systems detected about 61000 malicious programs. Astoundingly, there have been criminal prosecutions and convictions of the author(s) of only five malicious programs, all of which are described below:
1. the Morris worm released in 1988,
2. the author and distributors of the MBDF virus,
3. the author of the Pathogen virus,
4. the author of the Melissa virus, and
5. the author of the Anna worm.

I hope that when people read this essay and become aware of both the malicious design and great harm caused by computer viruses and worms, readers will urge their legislators:
F. to enact criminal statutes against authors of computer viruses and worms, with punishment to reflect the damage done by those authors, and
G. to allocate more money to the police for finding and arresting the authors of malicious computer programs.

I have not cited a source for each fact mentioned in this essay, because most of these facts have been reported at many different sources, and are well known to computer experts who are familiar with viruses and worms. (I do cite a source for facts that are either not well known or controversial.) Further, this essay is not a formal scholarly document, with numerous citations, but only an informative review intended for attorneys, legislators, the general public, students, businessmen, etc. Some general sources are mentioned later.

Author did not know ....

The most common excuse made by criminal defense attorneys who represent authors of computer worms and viruses is that their client did not know how rapidly the worm or virus would spread. Because this excuse occurs in several of the cases presented below, let's discuss it at the beginning. Such an excuse might be plausible to someone who had no understanding of the Internet and computer programming. However, it is ridiculous to suggest that a computer programmer who creates a worm is unaware that it will spread rapidly. Students who major in computer science, mathematics, physics, or engineering learn in mathematics classes about geometric series. There is a good reason why mathematics classes are required for science and engineering students: mathematics is really useful for predicting results of experiments that one should not perform. A good example of a geometric series is the propagation of a computer worm. Consider the following hypothetical example in which each victim's computer provides the addresses of four new victims, and the worm requires one hour to be received by the next wave of victims, to search the next victim's computer and find four new addresses, then to be sent to the four new victims:

time in hours    number of new victims
1                4
2                16
3                64
4                256
5                1024
6                4096
7                16384
8                65536
9                262144
10               1048576

In this hypothetical example, at 24 hours there would be approximately 10^14 new victims, which is a ridiculous extrapolation, because there are only about 10^9 people on the planet earth. But this example clearly shows the rapid growth of a geometric series and why authors of worms should not be surprised when their worm rapidly gets out of control. Seen in this context, the criminal defense attorney's statement that his/her client "did not know ...." is not plausible. Actually, the defense attorney's statement is ludicrous. Even if one ignores the rapid growth of a geometric series, the historical examples of the rapid propagation of the Christma Worm in Dec 1987 and the Morris Worm in Nov 1988 show what happens when worms are released into computer networks. There is absolutely no need for another "experiment" of this kind, as we already know what will happen. (I put "experiment" in quotation marks, because the design and release of a computer virus or worm is a crime, not a legitimate scientific experiment.) Other examples of specious defenses for writing or releasing malicious programs are contained in my essay on Computer Crime.

The Melissa virus was released on 26 March 1999 and was designed to infect macros in word-processing documents used by the Microsoft Word 97 and Word 2000 programs. Macro viruses were not new; they had been known since 1995. The innovative feature of the Melissa virus was that it propagated by e-mailing itself to the first fifty addresses in the Microsoft Outlook e-mail program's address book. This feature allowed the Melissa virus to propagate faster than any previous virus. The virus arrived at each new victim's computer disguised as e-mail from someone who they knew, and presumedly trusted. (About 11 years earlier, the Christma Worm automatically sent itself to everyone in a victim's e-mail address book on an IBM mainframe computer.) The Melissa virus propagated in two different ways:

1. On PCs running the Microsoft Outlook 97 or 98 e-mail program, the Melissa virus used the Outlook program to send an e-mail containing an attachment, with a filename like list.doc. This file contained a Microsoft Word document with a macro, and a copy of the Melissa virus was inside the macro.
When this e-mail was received by someone who had Microsoft Word on his/her computer (even if their computer was an Apple Macintosh), and the recipient clicked on the attachment, the document would open and the Melissa virus would automatically infect Word's normal.dot template file, thus infecting the recipient's computer. While Microsoft Outlook was necessary for the automatic sending of infected documents, the recipient of such e-mail could be infected even if the recipient used a non-Microsoft e-mail program.

2. Infected Microsoft Word documents could be transmitted by floppy disks, usual e-mail sent by the victim, etc. When such infected documents were opened in Microsoft Word, the Melissa virus would automatically infect Word's normal.dot template file, thus infecting the recipient's computer.

Many documents about the Melissa virus claim this virus was "relatively harmless" or "benign". That claim is not true. There were a number of distinctly different harms caused by Melissa:
- Documents in Microsoft Word format were automatically sent, using Microsoft Outlook, to fifty people by the Melissa virus. Such automatic transmission could release confidential information from the victim's computer.
- When the day number equals the number of minutes in the current time (e.g., at 11:06 on the 6th day of the month), the Melissa virus inserted the following text in whatever document was then being edited in Word on the victim's computer: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." Such an insertion was a deliberate modification of data files on the victim's hard drive, an unauthorized tampering with the victim's document files.
- Future victims were most commonly infected by opening an attachment in an e-mail from someone who they knew, and presumedly trusted. Until the workings of the Melissa virus were understood by all the victims, trusted relationships between people could be harmed by this unauthorized sending of e-mail.
- As with any rapidly propagating virus or worm, e-mail can be delayed, which sometimes has economic consequences (e.g., lost productivity).
- And, as with all viruses and worms, there was the cost of removing the infection and restoring the computer to normal.

The fact that the Melissa virus could have been more destructive (e.g., by deleting data files from the victim's computer) is hardly praise for the author of the Melissa virus. For more technical details on Melissa, see the CERT advisory and the F-Secure description.
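The geometric series in the table above, and the reason the 24-hour extrapolation is "ridiculous", can be made concrete with a short simulation. This is an added example, not part of the original essay: it reproduces the essay's hypothetical (four addresses per victim, one hour per wave, about 10^9 hosts) and adds a bounded variant in which the addresses a victim finds are random hosts in a finite population, so later waves increasingly hit machines that are already infected; the fan-out of 50 is only an assumed comparison loosely modelled on Melissa's first-fifty-addresses behaviour.

```python
"""Worm spread as a geometric series, with and without a finite population.

Added example, not part of the original essay. The fan-out of 4, the one
hour per wave and the 10**9 population are the essay's own hypothetical
figures; fan-out 50 is an assumed comparison (Melissa's fifty addresses).
"""
import math


def new_victims_unbounded(fanout: int, hours: int) -> list:
    """Fresh victims in each hour 1..hours when every address found is a
    new, uninfected host: the essay's table, 4, 16, 64, ... (fanout ** hour)."""
    return [fanout ** h for h in range(1, hours + 1)]


def new_victims_bounded(fanout: int, hours: int, population: int) -> list:
    """Expected fresh victims per hour when each victim sends to `fanout`
    addresses chosen at random from `population` hosts and each host sends
    exactly once, one hour after it was infected (the essay's timing).

    With c contacts landing on random hosts, a given host is missed by all c
    with probability (1 - 1/N)**c ~ exp(-c/N), so the expected number of
    fresh victims is (uninfected hosts) * (1 - exp(-c/N)). -expm1(-x) is
    1 - exp(-x) computed without cancellation when x is tiny.
    """
    infected = 1          # the original release
    senders = 1           # hosts that send during the coming hour
    per_hour = []
    for _ in range(hours):
        contacts = senders * fanout
        uninfected = population - infected
        fresh = int(round(uninfected * -math.expm1(-contacts / population)))
        fresh = min(fresh, uninfected)
        per_hour.append(fresh)
        infected += fresh
        senders = fresh   # only this hour's new victims send next hour
    return per_hour


def hours_to_reach(fanout: int, population: int, fraction: float = 0.5,
                   max_hours: int = 48):
    """First hour at which the cumulative infected count (including the
    original release) reaches `fraction` of the population, or None."""
    infected = 1
    for hour, fresh in enumerate(
            new_victims_bounded(fanout, max_hours, population), 1):
        infected += fresh
        if infected >= fraction * population:
            return hour
    return None


def propagation_table(fanout: int = 4, hours: int = 24,
                      population: int = 10 ** 9) -> str:
    """Side-by-side table of the essay's series and the bounded model."""
    rows = ["hour  unbounded new victims  bounded new victims"]
    pairs = zip(new_victims_unbounded(fanout, hours),
                new_victims_bounded(fanout, hours, population))
    for h, (u, b) in enumerate(pairs, 1):
        rows.append(f"{h:>4}  {u:>22,}  {b:>19,}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(propagation_table())
    print("half the planet, fan-out 4:", hours_to_reach(4, 10 ** 9), "hours")
    print("half the planet, fan-out 50:", hours_to_reach(50, 10 ** 9), "hours")
```

In the bounded model the per-hour counts match the essay's table for the first hours and then flatten once most contacts hit already-infected hosts, which is the point the essay makes: the series explodes long before the population runs out.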
Finally, using an Apple Macintosh gives one immunity from most computer viruses and worms. However, Apple computer users who also use Microsoft Word 97 or later are vulnerable to the same macro viruses that plague Word users on Microsoft Windows 95 or later. However, the Melissa virus can not automatically transmit itself by e-mail from a computer that uses the Macintosh operating system.

Melissa Perpetrator

The Melissa virus was written by David Lee Smith and first released on 26 March 1999 as an attachment to his posting to an alt.sex newsgroup. That posting said the attachment contained a list of passwords for pornographic websites, but the attachment actually contained his virus. Smith named his virus "Melissa" after a topless dancer in Florida, who Smith knew. It is obvious that Smith knew what he was doing was wrong, because he used a stolen AOL account and password to make the initial release to the alt.sex newsgroup. Before his arrest, Smith discarded the hard drives that were used to create his virus at his home in New Jersey, then he hid at his brother's house, where David Lee Smith was arrested. Smith was arrested on 1 April 1999. The CNN news report shows the police mugshot of Smith, with a smirking expression. He was charged in federal court with violations of 18 USC § 1030(a)(5)(A) and in New Jersey state court with violations of NJSA 2C:20-25(a) and 2C:20-26(a). Smith was fired from his job doing computer programming at AT&T. He subsequently worked as a computer technician at Rutgers University after his arrest. (Rutgers did not know that Smith had been arrested for this crime.) Smith voluntarily quit his job at Rutgers six days before he pled guilty.

On 9 Dec 1999, Smith pled guilty in federal court. The plea agreement between prosecutors and Smith had the following features:
- Smith would cooperate with authorities in thwarting other creators of malicious computer programs.
- It would be stipulated that the Melissa virus did "more than eighty million dollars of damage". (The actual amount was much, much higher – one estimate was US$ 1100 million. However, the stipulation became a "fact" accepted in court for the purposes of determining Smith's sentence.)
- Any state and federal prison sentences would run concurrently, and end at the same time.

On 1 May 2002, a judge in federal court imposed the following sentence on Smith:
- 20 months in federal prison,
- 36 months of "supervised release" (i.e., probation) after his prison term ends, during which time he can access the Internet only with the permission of his probation officer,
- a fine of US$ 5100, and
- 100 hours of "community service" work in the "technological field", perhaps giving lectures in schools about the harmfulness of computer viruses.
Apparently, the 29-month interval between Smith's guilty plea and his sentencing (an unusually long interval) was the result of his cooperation with authorities in investigating other malicious computer programs. The authorities did not reveal any details of the cooperation, so it is not possible to know what the government got in exchange for more than halving Smith's prison sentence.

On 3 May 2002, a judge in New Jersey state court imposed the following sentence on Smith:
- the maximum allowable sentence of ten years in state prison. However, because of his plea agreement, Smith would serve only the 20 months in federal prison and then be a free man.
- a fine of US$ 2500.

Some documents in Smith's case have been posted on the Internet:
- Information filed by the U.S. Attorney for the District of New Jersey, charging David Lee Smith with violation of 18 USC § 1030(a)(5)(A).
- Letter of 8 Dec 1999 from the U.S. Attorney for New Jersey to the attorney representing David Smith, offering a plea agreement.
- DoJ press release about Smith's guilty plea.
- Judgment issued by Judge Greenaway on 1 May 2002.
- U.S. Attorney's 1 May 2002 press release about Smith's sentence. Another copy is at the DoJ website.

weak punishment

If one accepts the legal stipulation that the Melissa virus did US$ 8 × 10^7 in damage, and one considers Smith in prison to lose 16 hours/day of freedom (who cares where he sleeps for 8 hours/day?) for 20 months, then the effective value of Smith's time in prison is US$ 8330/hour. That is a ridiculously high value for Smith's time. The prosecutors ignored that Smith's virus fraudulently sent e-mails from each victim's computer to new victims who were in the previous victim's e-mail address book. The new victims opened the attachment in e-mail apparently from someone who they knew, and presumedly trusted, and were infected with a copy of Smith's virus. I believe society should express outrage at this kind of fraud.
Three worms: CodeRed, Sircam, Nimda

The year 2001 saw the introduction of many serious malicious programs: CodeRed, Sircam, Nimda, BadTrans.B, and Klez. I treat the first three tersely in the following sections.

CodeRed

The initial CodeRed worm was discovered on 16 July 2001. CodeRed targeted webservers, not computers of users. This worm was propagated as an http get request, i.e. a request to get a webpage from a server. If the server was running the Microsoft Windows NT 4.0 or Windows 2000 operating systems, a defect in those operating systems allowed the worm to infect that server. An interesting feature of CodeRed is that it does not reside in any file on the hard disk, but only exists in semiconductor memory (RAM): this feature allows CodeRed to escape detection by a scan of the hard disk with anti-virus software. Switching the infected computer off, then on, will remove the infection, but webservers normally run continually (i.e., 24 hours/day, 7 days/week), unlike computers in homes and offices that may be rebooted daily.

The CodeRed worm did different things depending on the day of the month. Most versions of CodeRed used the following schedule:
1. During the first 19 days of each month, the CodeRed worm sent out many http get requests to random IP addresses (i.e., websites and Internet users), seeking webservers to infect. This feature of CodeRed is essentially a port probe, looking for webservers running Windows NT 4.0 or Windows 2000 operating systems. The large number of bogus requests from CodeRed could mimic a denial-of-service attack on a webserver.
2. During days 20 to 28 of each month, another feature of CodeRed makes a denial-of-service attack on the IP address that then corresponded to www.whitehouse.gov. The IP address of the U.S. President's website was changed to defeat CodeRed.
3. After the 28th day of the month, CodeRed goes into a sleep state until the next month, although the server is still infected.
4. Under certain circumstances, one early version of CodeRed running on a webserver that uses the English language will intercept requests for a webpage and return its own HTML code: "Welcome to http://www.worm.com ! Hacked by Chinese!" After 10 hours, CodeRed again returns the proper requested webpage.
The temporary unavailability of some webpages will cause concern to webmasters, then the problem will "magically" disappear, frustrating operators of webservers who are trying to find the problem. A CERT advisory showed that CodeRed infected 2.0 × 10^5 computers in just five hours on 19 July 2001, which was a rapid rate of infection and a good example of the geometric series mentioned earlier in this essay. CERT said that "at least 280000 hosts were compromised in the first wave" of attacks on 19 July 2001.

CodeRed II

A new version of CodeRed appeared on 4 August 2001, called CodeRed II. The important new feature of CodeRed II is the installation of a Trojan Horse program, which creates a backdoor into the infected webserver. After this backdoor is installed, any web surfer can send commands by using any web browser. Such commands could, for example, delete files from the webserver, or upload new files to the webserver. The Trojan Horse also disables the system file checker function in Windows, so that the modified operating system files can not be detected. Whoever wrote CodeRed II did not like the Chinese, as that variant is designed to propagate faster, and for a longer time, in webservers that use the Chinese language.

Perpetrator of CodeRed

To the best of my knowledge, the author of the CodeRed worm was never identified, so there can be no legal consequences for him.

Sircam

The initial Sircam worm was discovered on 17 July 2001, about the same time as CodeRed first appeared. The worm arrived at a victim's computer in e-mail with the following text:

Hi! How are you?
[second line: one of four choices below]
See you later. Thanks

There are four different versions of the second line of the e-mail text:
1. I send you this file in order to have your advice
2. I hope you can help me with this file that I send
3. I hope you like the file that I sendo you
4. This is the file with the information that you ask for

Clicking on the attached file infects the victim with the Sircam worm.

Note: the text of e-mail containing malicious programs often contains ungrammatical text, punctuation errors (e.g., the missing periods in Sircam's text), or misspelled words, because the author is a non-native speaker of English. Such mistakes in English text in an e-mail apparently from an English-speaking country should alert the reader to the possibility of e-mail from a forged address.

The Sircam worm inflicts several harms on the victim:
- a 2% chance that the file c:\recycled\sircam.sys will be created, then text is repeatedly added to this file until there is no more free space on the C: hard disk drive.
- on computers using the day/month/year date format and when the date is 16 October, there is a 5% chance that Sircam will delete all files and delete all directories on the C: hard disk drive.
- Sircam automatically sends copies of itself with the victim's e-mail address as the From: address. If Sircam can not find the victim's e-mail address, then Sircam will forge a From:
  • 47.
    address from thecurrent username and one of four mail servers (e.g., @prodigy.net.mx). The To: addresses are harvested from the Windows Address Book and also from e-mail addresses found in the web browser cache files. The text of the e-mail was mentioned above. The e-mail has one attachment which contains a copy of the Sircam worm followed by the contents of a file with file type .doc or .zip from the My Documents folder on the victim's computer. This document could contain the victim's confidential information, which is then sent to numerous addresses. The name of the attachment had a double file extension, which like Melissa and Anna above, is symptomatic of a malicious attachment. The filename and left extension of the attachment was identical to the copied file from the victim's machine, Sircam then added a second file extension: either .com, .bat, .exe, .pif, or .lnk, which made the attachment an executable file type. Sircam uses its own internal mail program, so that copies of outgoing e-mail do not appear in the user's e-mail program's out-box. Thus the user does not know his/her computer is mailing copies of the Sircam worm to other people. The Sircam worm has a length of 137216 bytes. The additional space required by the document from the victim's computer makes the attachment even larger, perhaps more than 200000 bytes, which is larger than most webpages and most e-mail messages. This large file size helps Sircam clog the Internet. Several anti-virus websites note that there is a bug in the Sircam worm that makes it "highly unlikely" that the disk-space-filling and file-deleting will occur. However, the author of Sircam apparently intended those harms to occur. Perpetrator of SirCam To the best of my knowledge, the author of the SirCam worm was never identified, so there can be no legal consequences for him. A copyright notice in the Sircam code says that this worm was made in Mexico, but I have seen no confirmation that this statement is correct. 
The anti-virus software vendor Trend Micro reported on 10 May 2002 that a total of 1.0 × 106 computers worldwide had been infected with Sircam. The anti-virus software vendors Sophos and Computer Associates both reported SirCam as the second most prevalent malicious program infecting computers in the year 2001: SirCam accounted for 20% of the reports to Sophos in 2001. On 17 May 2002, MessageLabs reported SirCam as the all-time most prevalent malicious program in e-mail.
  • 48.
    Nimda The Nimda wormwas discovered on 18 September 2001 and it spread rapidly on the Internet. Nimda had two novel features: 1. Nimda could infect a computer when the user read or previewed an e-mail that contained a copy of Nimda. With all previous viruses or worms transmitted by e-mail, the user would need to click on an attachment to infect the user's computer. 2. Nimda could modify webpages on a webserver, so that accessing those webpages could download a copy of Nimda to the browser's computer. These two novel features represented a significant "advance" in ability to harm victims. The first novel feature of Nimda exploited a defect in Microsoft Internet Explorer 5.01 and 5.5. A patch that repairs this defect had been available from the Microsoft website since 29 March 2001, but most computer users do not bother to install the latest updates. Why did a defect in a web browser cause a vulnerability to worms sent by e-mail? Most modern e-mail is sent in HTML format, the same format used by webpages, and e-mail software (e.g., Microsoft Outlook) uses Internet Explorer web browser to display such e-mail. This vulnerability could be avoided by (1) selecting either Netscape Navigator or Opera as the default browser and (2) using a non-Microsoft e- mail program, such as Eudora. The Nimda worm propagates in several different ways: 1. Like the CodeRed worm, every copy of Nimda generates many random IP addresses to target http get requests, i.e. a request to get a webpage from a server. If the server was running Microsoft Windows NT 4.0 or Windows 2000 operating systems, a defect in those operating systems allowed the worm to infect that server. The name of the Nimda worm is a reversal of the computer term admin (administrator), which designates a user with the privilege of modifying system files. By exploiting a defect in Windows, the Nimda worm is able to act as an administrator. 2. 
Once a webserver was infected by Nimda, the worm adds a small amount of Javascript code to webpages on that server with filenames: index, default, or readme and extensions: .html, .htm, or .asp. Nimda also creates a copy of itself in a file, readme.eml, on an infected webserver. Depending on the settings on the user's computer regarding Javascript, when the user accessed one of these altered webpages, the user's web browser might: o automatically download readme.eml and execute the Nimda worm, thus infecting the user's computer, o display a prompt to ask whether the user wanted to download the file readme.eml, or o automatically refuse to download the file.
  • 49.
    3. Once everyten days, Nimda searches the hard drive of an infected computer to harvest e- mail addresses from the following sources: o in-boxes for the user's e-mail program (e.g., Microsoft Outlook) o *.HTML and *.HTM files in the user's web browser cache (also called the Temporary Internet Files folder). After harvesting e-mail addresses, Nimda selects one of these addresses as the From: address and the remainder as To: addresses, and sends copies of Nimda in an apparently blank e-mail. Note that the infected computer is not used as the From: address, so there is no easy way for the recipient of e-mail to determine whose computer sent the copy of Nimda. Nimda (like Sircam) uses its own internal mail program, so that copies of outgoing e-mail do not appear in the user's e-mail program's out-box. Thus the user does not know his/her computer is mailing copies of the Nimda worm to other people. As mentioned above, Nimda can infect the recipient's machine when the recipient either reads or previews the e-mail, without needing to click on an attachment. 4. Nimda adds a copy of itself to the beginning of *.EXE files. Such executable files are sometimes transferred to other computers, which will spread the Nimda infection. On 11 Oct 2001, hundreds of e-mails containing Nimda were sent with forged From: addresses that appeared to originate from the manager of anti-virus research at F-Secure in Finland. Such forged source addresses, whether a deliberate act or whether a random occurrence caused by execution of a malicious program, damages the reputation of innocent people. (I elaborate on this point later in this essay, in discussing the Klez program.) For more technical details on Nimda, see the CERT advisory and the F-Secure description. The Nimda worm has a length of 57344 bytes, which makes it a relatively large file compared to many webpages and e-mail messages. This large file size helps Nimda clog the Internet. 
I noticed CodeRed and Nimda at my professional website, where, up to 10 May 2002, there were 11238 requests for Windows NT operating system files, particularly cmd.exe. (These files do not exist on the server that hosts my website, as that server runs the Unix operating system.) The webhosting service that I use reported on 18 Sep 2001 that they were receiving approximately 8000 hits/second requesting cmd.exe. Such a high rate of requests approximates a denial-of-service attack on a webserver. Perpetrator of Nimda
  • 50.
    To the bestof my knowledge, the author of the Nimda worm was never identified, so there can be no legal consequences for him. The code for the Nimda contains a copyright notice stating that it originated in communist China, but I have seen no confirmation that this statement is correct. The anti-virus software vendor Trend Micro reported on 14 May 2002 that a total of 1.2 × 106 computers worldwide had been infected with Nimda. The anti-virus software vendor Sophos reported Nimda as the most prevalent malicious program in the year 2001: Nimda accounted for 27% of the reports to Sophos. The anti-virus software vendor Trend Micro reported on 16 May 2002 that a total of 2.1 × 105 computers worldwide had been infected with BadTrans.B, which was only about 1/5 the number of computers that TrendMicro reported as infected with Sircam or Nimda, which also appeared in the year 2001. However, the anti-virus software vendor Computer Associates reported BadTrans.B as the most prevalent malicious program in the year 2001. On 2 Dec 2001, MessageLabs filtered BadTrans.B from one in every 57 e-mails, the second-highest daily infection rate seen by MessageLabs. On 17 May 2002, MessageLabs reported the BadTrans.B worm was the all-time third- most-common malicious program in e-mail. Klez The original Klez program appeared on 26 October 2001. A number of variants appeared later, of which the most significant were the E variant that first appeared on 17 January 2002 and the H variant that first appeared on 17 April 2002. The H variant caused an epidemic from about 20 April 2002 through June 2002, and became the most widespread malicious program in the history of the Internet. Klez has properties of both a computer virus and worm, what the Norton Anti-Virus website calls a "blended threat". There are a number of varieties of the Klez program and they each do slightly different harms to the victim's computer. 
Among these harms are: deposit a copy of an ElKern computer virus in the victim's computer. The early versions of this virus destroy information in all files on the victim's computer on 13 March and 13 September of each year. the Klez program is released when the victim reads or previews e-mail with Microsoft Outlook. The same defect in Microsoft Internet Explorer was exploited earlier by both the Nimda and BadTrans worms. send copies of the Klez program via e-mail from the victim's computer, as discussed in more detail below. attempts to disable many common anti-virus programs by modifying the Windows registry file. on the 6th day of each odd-numbered month, attempts to overwrite many different files on the victim's hard drive with a pattern of all zeroes, thus destroying data in those files.
  • 51.
Three worms: CodeRed, Sircam, Nimda

The year 2001 saw the introduction of many serious malicious programs: CodeRed, Sircam, Nimda, BadTrans.B, and Klez. I treat the first three tersely in the following sections.

CodeRed

The initial CodeRed worm was discovered on 16 July 2001. CodeRed targeted webservers, not computers of users. This worm was propagated as an http get request, i.e., a request to get a webpage from a server. If the server was running Microsoft Windows NT 4.0 or Windows 2000 operating systems, a defect in those operating systems allowed the worm to infect that server.

An interesting feature of CodeRed is that it does not reside in any file on the hard disk, but only exists in semiconductor memory (RAM): this feature allows CodeRed to escape detection by a scan of the hard disk with anti-virus software. Switching the infected computer off, then on, will remove the infection, but webservers normally run continually (i.e., 24 hours/day, 7 days/week), unlike computers in homes and offices that may be rebooted daily.

The CodeRed worm did different things depending on the day of the month. Most versions of CodeRed used the following schedule:

1. During the first 19 days of each month, the CodeRed worm sent out many http get requests to random IP addresses (i.e., websites and Internet users), seeking webservers to infect. This feature of CodeRed is essentially a port probe, looking for webservers running Windows NT 4.0 or Windows 2000 operating systems. The large number of bogus requests from CodeRed could mimic a denial-of-service attack on a webserver.
2. During days 20 to 28 of each month, another feature of CodeRed makes a denial-of-service attack on the IP address that then corresponded to www.whitehouse.gov. The IP address of the U.S. President's website was changed to defeat CodeRed.
3. After the 28th day of the month, CodeRed goes into a sleep state until the next month, although the server is still infected.
4. Under certain circumstances, one early version of CodeRed running on a webserver that uses the English language will intercept requests for a webpage and return its own HTML code:

   Welcome to http://www.worm.com ! Hacked by Chinese!

   After 10 hours, CodeRed again returns the proper requested webpage. The temporary unavailability of some webpages will cause concern to webmasters, then the problem will "magically" disappear, frustrating operators of webservers who are trying to find the problem.

A CERT advisory showed that CodeRed infected 2.0 × 10^5 computers in just five hours on 19 July 2001, which was a rapid rate of infection and a good example of the geometric series mentioned earlier in this essay. CERT said that "at least 280000 hosts were compromised in the first wave" of attacks on 19 July 2001.

CodeRed II

A new version of CodeRed appeared on 4 August 2001, called CodeRed II. The important new feature of CodeRed II is the installation of a Trojan Horse program, which creates a backdoor into the infected webserver. After this backdoor is installed, any web surfer can send commands by using any web browser. Such commands could, for example, delete files from the webserver, or upload new files to the webserver. The Trojan Horse also disables the system file checker function in Windows, so that the modified operating system files can not be detected. Whoever wrote CodeRed II did not like the Chinese, as that variant is designed to propagate faster, and for a longer time, in webservers that use the Chinese language.

Perpetrator of CodeRed

To the best of my knowledge, the author of the CodeRed worm was never identified, so there can be no legal consequences for him.

Sircam

The initial Sircam worm was discovered on 17 July 2001, about the same time as CodeRed first appeared. The worm arrived at a victim's computer in e-mail with the following text:

   Hi! How are you?
   [second line: one of four choices below]
   See you later. Thanks

There are four different versions of the second line of the e-mail text:

1. I send you this file in order to have your advice
2. I hope you can help me with this file that I send
3. I hope you like the file that I sendo you
4. This is the file with the information that you ask for

Clicking on the attached file infects the victim with the Sircam worm.

Note: the text of e-mail containing malicious programs often contains ungrammatical text, punctuation errors (e.g., the missing periods in Sircam's text), or misspelled words, because the author is a non-native speaker of English. Such mistakes in English text in an e-mail apparently from an English-speaking country should alert the reader to the possibility of e-mail from a forged address.

The Sircam worm inflicts several harms on the victim:
• a 2% chance that the file c:\recycled\sircam.sys will be created, then text is repeatedly added to this file until there is no more free space on the C: hard disk drive.
• on computers using the day/month/year date format and when the date is 16 October, there is a 5% chance that Sircam will delete all files and delete all directories on the C: hard disk drive.
• Sircam automatically sends copies of itself with the victim's e-mail address as the From: address. If Sircam can not find the victim's e-mail address, then Sircam will forge a From: address from the current username and one of four mail servers (e.g., @prodigy.net.mx). The To: addresses are harvested from the Windows Address Book and also from e-mail addresses found in the web browser cache files. The text of the e-mail was mentioned above.

The e-mail has one attachment which contains a copy of the Sircam worm followed by the contents of a file with file type .doc or .zip from the My Documents folder on the victim's computer. This document could contain the victim's confidential information, which is then sent to numerous addresses.

The name of the attachment had a double file extension, which, like Melissa and Anna above, is symptomatic of a malicious attachment. The filename and left extension of the attachment were identical to the copied file from the victim's machine; Sircam then added a second file extension: either .com, .bat, .exe, .pif, or .lnk, which made the attachment an executable file type.

Sircam uses its own internal mail program, so that copies of outgoing e-mail do not appear in the user's e-mail program's out-box. Thus the user does not know his/her computer is mailing copies of the Sircam worm to other people.

The Sircam worm has a length of 137216 bytes. The additional space required by the document from the victim's computer makes the attachment even larger, perhaps more than 200000 bytes, which is larger than most webpages and most e-mail messages. This large file size helps Sircam clog the Internet.

Several anti-virus websites note that there is a bug in the Sircam worm that makes it "highly unlikely" that the disk-space-filling and file-deleting will occur. However, the author of Sircam apparently intended those harms to occur.

Perpetrator of SirCam

To the best of my knowledge, the author of the SirCam worm was never identified, so there can be no legal consequences for him. A copyright notice in the Sircam code says that this worm was made in Mexico, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 10 May 2002 that a total of 1.0 × 10^6 computers worldwide had been infected with Sircam. The anti-virus software vendors Sophos and Computer Associates both reported SirCam as the second most prevalent malicious program infecting computers in the year 2001: SirCam accounted for 20% of the reports to Sophos in 2001. On 17 May 2002, MessageLabs reported SirCam as the all-time most prevalent malicious program in e-mail.

Nimda

The Nimda worm was discovered on 18 September 2001 and it spread rapidly on the Internet. Nimda had two novel features:

1. Nimda could infect a computer when the user read or previewed an e-mail that contained a copy of Nimda. With all previous viruses or worms transmitted by e-mail, the user would need to click on an attachment to infect the user's computer.
2. Nimda could modify webpages on a webserver, so that accessing those webpages could download a copy of Nimda to the browser's computer.

These two novel features represented a significant "advance" in ability to harm victims.

The first novel feature of Nimda exploited a defect in Microsoft Internet Explorer 5.01 and 5.5. A patch that repairs this defect had been available from the Microsoft website since 29 March 2001, but most computer users do not bother to install the latest updates. Why did a defect in a web browser cause a vulnerability to worms sent by e-mail? Most modern e-mail is sent in HTML format, the same format used by webpages, and e-mail software (e.g., Microsoft Outlook) uses the Internet Explorer web browser to display such e-mail. This vulnerability could be avoided by (1) selecting either Netscape Navigator or Opera as the default browser and (2) using a non-Microsoft e-mail program, such as Eudora.

The Nimda worm propagates in several different ways:

1. Like the CodeRed worm, every copy of Nimda generates many random IP addresses to target http get requests, i.e., a request to get a webpage from a server. If the server was running Microsoft Windows NT 4.0 or Windows 2000 operating systems, a defect in those operating systems allowed the worm to infect that server. The name of the Nimda worm is a reversal of the computer term admin (administrator), which designates a user with the privilege of modifying system files. By exploiting a defect in Windows, the Nimda worm is able to act as an administrator.
2. Once a webserver was infected by Nimda, the worm adds a small amount of Javascript code to webpages on that server with filenames index, default, or readme and extensions .html, .htm, or .asp. Nimda also creates a copy of itself in a file, readme.eml, on an infected webserver. Depending on the settings on the user's computer regarding Javascript, when the user accessed one of these altered webpages, the user's web browser might:
   o automatically download readme.eml and execute the Nimda worm, thus infecting the user's computer,
   o display a prompt to ask whether the user wanted to download the file readme.eml, or
   o automatically refuse to download the file.
3. Once every ten days, Nimda searches the hard drive of an infected computer to harvest e-mail addresses from the following sources:
   o in-boxes for the user's e-mail program (e.g., Microsoft Outlook)
   o *.HTML and *.HTM files in the user's web browser cache (also called the Temporary Internet Files folder).
   After harvesting e-mail addresses, Nimda selects one of these addresses as the From: address and the remainder as To: addresses, and sends copies of Nimda in an apparently blank e-mail. Note that the infected computer is not used as the From: address, so there is no easy way for the recipient of e-mail to determine whose computer sent the copy of Nimda. Nimda (like Sircam) uses its own internal mail program, so that copies of outgoing e-mail do not appear in the user's e-mail program's out-box. Thus the user does not know his/her computer is mailing copies of the Nimda worm to other people. As mentioned above, Nimda can infect the recipient's machine when the recipient either reads or previews the e-mail, without needing to click on an attachment.
4. Nimda adds a copy of itself to the beginning of *.EXE files. Such executable files are sometimes transferred to other computers, which will spread the Nimda infection.

On 11 Oct 2001, hundreds of e-mails containing Nimda were sent with forged From: addresses that appeared to originate from the manager of anti-virus research at F-Secure in Finland. Such forged source addresses, whether a deliberate act or a random occurrence caused by execution of a malicious program, damage the reputation of innocent people. (I elaborate on this point later in this essay, in discussing the Klez program.) For more technical details on Nimda, see the CERT advisory and the F-Secure description.
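The http get probing described above shows up in any webserver's access log, and on a non-Windows server every such request fails because the requested Windows file does not exist. The scanner below is an added example, not code from the essay: it counts requests for cmd.exe per source address and per second, so that a burst approaching denial-of-service rates stands out. The log lines are constructed (Apache common format) and the flood threshold is an assumption.

```python
"""Spot CodeRed/Nimda-style probes in a web-server access log.

Added example, not code from the essay. Infected hosts send http get
requests to random IP addresses; a Unix server sees them as requests for
Windows files such as cmd.exe that it cannot serve. The log lines are
constructed and the flood threshold is an assumption.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# File names the essay associates with the probes; a Unix webserver never has them.
PROBE_MARKERS = ("cmd.exe",)

# Constructed sample log (documentation IP ranges, no real hosts).
SAMPLE_LOG = """\
198.51.100.7 - - [18/Sep/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 5120
203.0.113.9 - - [18/Sep/2001:10:00:01 +0000] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 210
203.0.113.9 - - [18/Sep/2001:10:00:01 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 210
192.0.2.44 - - [18/Sep/2001:10:00:01 +0000] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 210
198.51.100.7 - - [18/Sep/2001:10:00:02 +0000] "GET /essay.html HTTP/1.0" 200 40960
this line is deliberately malformed and must be skipped
192.0.2.44 - - [18/Sep/2001:10:00:02 +0000] "GET /winnt/system32/CMD.EXE HTTP/1.0" 404 210
"""


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Timestamp without the zone, e.g. '18/Sep/2001:10:00:01', is a one-second bucket.
    rec["second"] = rec["ts"].split()[0]
    return rec


def is_probe(rec):
    """True when the requested path names a file only a Windows server would have."""
    path = rec["path"].lower()
    return any(marker in path for marker in PROBE_MARKERS)


def scan_log(lines, flood_threshold=5):
    """Summarise probe traffic: who sent it, how bursty it was, and whether
    every probe failed (this server has no such file, so a 200 would be wrong)."""
    probes = [r for r in map(parse_line, lines) if r is not None and is_probe(r)]
    per_source = Counter(r["ip"] for r in probes)
    per_second = Counter(r["second"] for r in probes)
    peak_second, peak = max(per_second.items(), key=lambda kv: kv[1],
                            default=(None, 0))
    return {
        "probe_count": len(probes),
        "sources": dict(per_source),
        "peak_second": peak_second,
        "peak_per_second": peak,
        "flood": peak >= flood_threshold,
        "all_failed": all(r["status"] != 200 for r in probes),
    }


if __name__ == "__main__":
    for key, value in scan_log(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```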
The Nimda worm has a length of 57344 bytes, which makes it a relatively large file compared to many webpages and e-mail messages. This large file size helps Nimda clog the Internet.

I noticed CodeRed and Nimda at my professional website, where, up to 10 May 2002, there were 11238 requests for Windows NT operating system files, particularly cmd.exe. (These files do not exist on the server that hosts my website, as that server runs the Unix operating system.) The webhosting service that I use reported on 18 Sep 2001 that they were receiving approximately 8000 hits/second requesting cmd.exe. Such a high rate of requests approximates a denial-of-service attack on a webserver.

Perpetrator of Nimda

To the best of my knowledge, the author of the Nimda worm was never identified, so there can be no legal consequences for him. The code for Nimda contains a copyright notice stating that it originated in communist China, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 14 May 2002 that a total of 1.2 × 10^6 computers worldwide had been infected with Nimda. The anti-virus software vendor Sophos reported Nimda as the most prevalent malicious program in the year 2001: Nimda accounted for 27% of the reports to Sophos.

BadTrans.B worm

The BadTrans.B worm was discovered on 24 Nov 2001. There was an epidemic from late November 2001 through early January 2002. This worm did the following things to a victim's computer:

• installs a Trojan Horse program to record the victim's keystrokes that are typed into any window with a title that begins PAS[sword], LOG[on], or four similar words that indicate an attempt to logon to some service. This program later e-mailed the collected keystrokes (e.g., including username and password) to an e-mail address specified in the Trojan Horse.
• finds yet unread e-mail in Microsoft Outlook on the victim's machine and replies to those unread e-mails with a copy of the BadTrans worm in an attachment to the reply. This novel feature of the BadTrans worm increased the chances of propagation, since the recipient was expecting a reply from the victim. The From: address will be the victim's e-mail address if the worm can find that information in the victim's computer; otherwise the From: address will be chosen from a list of 15 addresses, mostly with female names, contained in the worm. These 15 addresses connected to real people, who were selected by the author of the BadTrans worm. One of them, Joanna Castillo, posted a webpage about her experience. Also, the now-defunct Newsbytes website had an article about the "e-mail hell" experienced by Castillo and one other victim of the forged From: addresses. Before sending copies with the victim's From: address, the worm adds the underline character (i.e., _) to the beginning of that From: e-mail address. Such an additional character will prevent warnings from the recipient from reaching the victim. Also, any returned copies of the worm (e.g., because the worm replied to spam that had an invalid, forged address) will not reach the victim and inform him/her of the unauthorized sending from his/her computer. Some variants of the BadTrans worm also sent copies of the worm to e-mail addresses found in previously read e-mail in the victim's inbox or to addresses contained in files of types *.htm, *.html, and *.asp in documents downloaded from the Internet.
• exploits a defect in Microsoft Internet Explorer that allows the worm to be launched without the victim opening an attachment. The same defect was exploited earlier by the Nimda worm.

BadTrans.B Perpetrator

To the best of my knowledge, the author of the BadTrans worm was never identified, so there can be no legal consequences for him.

The anti-virus software vendor Trend Micro reported on 16 May 2002 that a total of 2.1 × 10^5 computers worldwide had been infected with BadTrans.B, which was only about 1/5 the number of computers that Trend Micro reported as infected with Sircam or Nimda, which also appeared in the year 2001. However, the anti-virus software vendor Computer Associates reported BadTrans.B as the most prevalent malicious program in the year 2001. On 2 Dec 2001, MessageLabs filtered BadTrans.B from one in every 57 e-mails, the second-highest daily infection rate seen by MessageLabs. On 17 May 2002, MessageLabs reported the BadTrans.B worm was the all-time third-most-common malicious program in e-mail.

Klez

The original Klez program appeared on 26 October 2001. A number of variants appeared later, of which the most significant were the E variant that first appeared on 17 January 2002 and the H variant that first appeared on 17 April 2002. The H variant caused an epidemic from about 20 April 2002 through June 2002, and became the most widespread malicious program in the history of the Internet. Klez has properties of both a computer virus and a worm, what the Norton Anti-Virus website calls a "blended threat". There are a number of varieties of the Klez program and they each do slightly different harms to the victim's computer. Among these harms are:

• deposit a copy of an ElKern computer virus in the victim's computer. The early versions of this virus destroy information in all files on the victim's computer on 13 March and 13 September of each year.
• the Klez program is released when the victim reads or previews e-mail with Microsoft Outlook. The same defect in Microsoft Internet Explorer was exploited earlier by both the Nimda and BadTrans worms.
• send copies of the Klez program via e-mail from the victim's computer, as discussed in more detail below.
• attempts to disable many common anti-virus programs by modifying the Windows registry file.
• on the 6th day of each odd-numbered month, attempts to overwrite many different files on the victim's hard drive with a pattern of all zeroes, thus destroying data in those files.
• randomly selects a file of type .doc, .rtf, .pdf, .jpg, among other possibilities, to append to the attachment containing the Klez program, thus possibly sending confidential information from the victim to future victims.

This long list of harms shows that the author of Klez had a truly malicious intent.

Sending copies

The Klez program propagated by sending e-mail that contains Klez in an attachment. The subject line, body of the e-mail, and name of the attachment were randomly selected from a long list of possibilities contained in the Klez program. (This is unlike the Anna worm discussed above, where the attachment always had the same name and could be easily recognized by someone who had been warned by the news media.)

Vital information resource under siege.
• Moves around in e-mail messages.
• Usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.
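The e-mail-borne worms above leave tells that a mail gateway can check before a user clicks: Sircam's attachment names carry a double extension whose final part is .com, .bat, .exe, .pif or .lnk, and BadTrans.B prefixes the forged From: address with an underscore. The triage function below is an added example, not code from the essay; the messages it inspects are constructed, and the quarantine rule (any finding quarantines) is an assumption.

```python
"""Triage incoming e-mail for the worm tells described in the essay.

Added example, not code from the essay. Two signals are checked: an
attachment whose name ends in a double extension with an executable final
type (Sircam), and a From: address whose local part starts with an
underscore (BadTrans.B). Sample messages are constructed here.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Sircam appended to make the attachment executable (from the essay).
EXECUTABLE_EXTS = {".com", ".bat", ".exe", ".pif", ".lnk"}


def check_filename(filename):
    """Findings for one attachment name: double extension or bare executable."""
    findings = []
    if not filename:
        return findings
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return findings                       # no extension at all
    last = "." + parts[-1]
    if last in EXECUTABLE_EXTS:
        if len(parts) >= 3:
            findings.append(
                f"double extension .{parts[-2]}{last} hides executable: {filename}")
        else:
            findings.append(f"executable attachment: {filename}")
    return findings


def check_from(header_value):
    """Flag the BadTrans.B underscore prefix on the From: local part."""
    _name, addr = parseaddr(str(header_value or ""))
    local = addr.split("@")[0]
    if local.startswith("_"):
        return [f"From: local part begins with underscore (BadTrans.B style): {addr}"]
    return []


def triage(raw):
    """Parse a raw RFC 822 message and return findings plus a quarantine decision."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = check_from(msg["From"])
    for part in msg.iter_attachments():
        findings.extend(check_filename(part.get_filename()))
    return {
        "subject": str(msg["Subject"]),
        "findings": findings,
        "quarantine": bool(findings),        # assumption: any finding quarantines
    }


def build_sample(from_addr, filename):
    """Constructed test message; the body text is the one the essay quotes."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Hi! How are you?"
    msg.set_content("I send you this file in order to have your advice")
    msg.add_attachment(b"constructed, inert attachment bytes",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for sender, name in [("_alice@example.com", "expenses.doc.pif"),
                         ("alice@example.com", "notes.doc")]:
        print(name, "->", triage(build_sample(sender, name)))
```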
Example: MELISSA VIRUS
Types of virus
  – File infector virus • infects program files
  – Boot sector virus • infects the system area of a disk
  – Master boot record virus
  • 59.
    • infects disks in the same manner as boot sector viruses. The difference between these two virus types is where the viral code is located.
  – Multi-partite virus • infects both boot records and program files
  – Macro virus • infects data files. Examples: Microsoft Office Word, Excel, PowerPoint and Access files
Melissa virus
1999: the Melissa virus spread in Microsoft Word documents sent via e-mail.
How it works?
  • Created the virus as a Word document
  • Uploaded it to an Internet newsgroup
  • Anyone who downloaded the document and opened it would trigger the virus.
  • Sent friendly e-mail messages to the first 50 people in the person's address book.
CODE RED WORM
  • Code Red made huge headlines in 2001.
  • It slowed down Internet traffic when it began to replicate itself.
  • Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that did not have the security patch installed. Each time it found an unsecured server, the worm copied itself to that server.
In computer terminology, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact. That is, the code changes itself each time it runs, but the function of the code (its semantics) will not change at all. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.[1] Encryption is the most common method to hide code. With encryption, the main body of the code (also called its payload) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is executed this function reads the payload and decrypts it before executing it in turn.
  • 60.
    Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair are mutated with each copy of the code. This allows different versions of some code while all function the same.[2]
Malicious code
Most anti-virus software and intrusion detection systems (IDS) attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to recognise the offending code because it constantly mutates. Malicious programmers have sought to protect their encrypted code from this virus-scanning strategy by rewriting the unencrypted decryption engine (and the resulting encrypted payload) each time the virus or worm is propagated. Anti-virus software uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in hopes of reliably detecting such malware. Emulation may be used to defeat polymorphic obfuscation by letting the malware demangle itself in a virtual environment before utilising other methods, such as traditional signature scanning. Such a virtual environment is sometimes called a sandbox. Polymorphism does not protect the virus against such emulation if the decrypted payload remains the same regardless of variation in the decryption algorithm. Metamorphic code techniques may be used to complicate detection further, as the virus may execute without ever having identifiable code blocks in memory that remain constant from infection to infection. The first known polymorphic virus was written by Mark Washburn. The virus, called 1260, was written in 1990. A more well-known polymorphic virus was created in 1992 by the hacker Dark Avenger (a pseudonym) as a means of avoiding pattern recognition from antivirus software.
A common and very virulent polymorphic virus is the file infecter Virut.
  • 61.
    Understanding encryption and polymorphism
Escalation is a good word to use here. Virus programmers may encrypt messages so they cannot be easily seen. In the same way, many viruses contain encrypted code to hide what they do. Before there were virus scanners, there were programs written to detect possible Trojans. One such program was written by Andy Hopkins in 1984 and was called CHK4BOMB. When you used it to check out a program, it would alert you to anything suspicious in the program, like direct disk writes and formatting, as well as print out any messages it found. Obviously, a fully encrypted program, even one that did and said
  • 62.
    nasty things, would look safe on examination. Yet encrypted viruses are not completely encrypted. Encrypted code is no longer executable code; it simply won't run. For an encrypted virus to actually run, it has to decrypt its code and data. The portion that does this decryption is not encrypted because it has to run. This portion is referred to as a decryptor.
Encryption techniques
Some viruses use very simple encryption techniques such as incrementing, decrementing, or rotating each byte in the code. They may also negate or logically NOT each byte. Such encryption does not require an encryption key, that is, an additional value used in encrypting each byte or word (two bytes). Techniques that use a key include adding, subtracting and XORing. A key value can also be used in rotating a byte. Additionally, keys themselves come in three types. A static key is one that doesn't change as the virus uses it; it is a set value. Viruses using a static key might add 128 to each byte, rotate each byte 3 places to the right, or XOR each word with 0F8F8h. A variable key is one whose value varies in some way. This key starts as a static value and is then modified during the decryption. The key may itself be incremented, decremented, XORed, rotated, etc. Both static and variable keys produce predictable results. Specifically, the resulting encrypted code looks the same in every replication of the virus. Therefore, if you used a simple string scanner with a string from within the encrypted portion of the virus, you would still detect all its parents and progeny. Such encryption presents no problem to the antivirus industry. But the third type of key does. A random key is one that changes from infection to infection. Cascade, for example, bases its key on the size of the host file, which obviously changes a lot. Other viruses use a pseudo-random key, such as fetching, storing, and using the current timer tick count, or the current 100ths-of-a-second value.
Any of these approaches produces a virtually random and unpredictable key. This causes problems for those who write programs that detect viruses. Since the code and data in such a virus change radically, string-scanning product developers must choose a string from the only part of the virus that doesn't change: the decryptor. Early on this led to two major problems in the industry. The first problem involved false alarms. Early grunt scanners (scanners that examine an entire file) that used the same string for Cascade would detect each other as being infected. This problem was solved by encrypting the strings. The second problem involved copyright. Some early product developers claimed copyright on their scan strings, which, when you think about it, means they were copyrighting fragments of another programmer's code: the virus programmer's code. Ross Greenburg, the developer of Flu-Shot and VirexPC, had a request out
  • 63.
    for virus strings. As Ross tells it, someone downloaded a bunch of strings, sent them to him, and he used them. Unfortunately, those strings had been extracted from McAfee's scanner. McAfee threatened a lawsuit, but never carried out the threat. Herein lies the problem. What then about a randomly encrypted virus with a short decryptor? In the Fish virus, for example, there are only 14 usable bytes. So string scanning products virtually have to use the same pattern, do they not? How then can one company claim a copyright on a string many others are forced to use also? Virus Bulletin regularly publishes search strings, and the Fish virus byte pattern can be found in the July 1991 issue. Here it is reprinted:
E800 005B 81EB A90D B958 0D2E 8037
By the way, I did not ask permission to reprint this. So is my printing this pattern a violation of VB copyright? Virus Bulletin itself answers "No" and points out how ludicrous this idea is: "Some misunderstandings have arisen in the past about the copyright notice which appears at the foot of each page of the bulletin; does this notification apply equally to hexadecimal search patterns? The answer, of course, is an emphatic NO - search patterns are not intellectual property or original material and are beyond copyright. There have been incidents in the United States of software developers threatening lawsuits against other software developers on the basis that search patterns have been 'stolen'.
"The VB Table of Known IBM PC Viruses is designed to be actively used; the patterns are supplied to help systems engineers with diagnosis but may also be used in the development of comprehensive scanning software. Use of these patterns is positively to be encouraged."
But encryption, even random-key encryption, and short decryptors are truly not a problem to antivirus developers when it comes to detection. The real problem is polymorphism.
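The three key types above (static, variable, random) and the Fish search string, as an added example that is not part of the slides: a toy string scanner and a brute-force key recovery ("X-raying") run over constructed samples. It assumes a constructed payload signature and body, reuses the slide's Fish pattern as a stand-in for the constant decryptor, and only models one-byte xor/add/rotate keys.

```python
"""Added example (not from the slides): a toy string scanner and an 'X-ray' key
brute-forcer over constructed samples, showing why a static key leaves the encrypted
body scannable, why a random key forces scanning on the decryptor, and why a
constant decrypted payload is still recoverable. All data here is constructed."""

# Virus Bulletin style search pattern for Fish, as quoted on the slide.
FISH_PATTERN = "E800 005B 81EB A90D B958 0D2E 8037"
# Constructed stand-in for a byte string that is constant in the decrypted body.
PAYLOAD_SIG = b"PAYLOAD-SIG-CONSTRUCTED"
BODY = b"constructed body: " + PAYLOAD_SIG + b" :end"


def parse_search_string(pattern: str) -> bytes:
    """Turn a 'E800 005B ...' hex search string into raw bytes."""
    return bytes.fromhex(pattern.replace(" ", ""))


# Stand-in for the decryptor: the one part of each replica that never changes.
DECRYPTOR_STUB = parse_search_string(FISH_PATTERN)


def transform(data: bytes, method: str, key: int, decrypt: bool) -> bytes:
    """Byte-wise xor / add / rotate with a one-byte key, as named on the slide."""
    if method == "xor":  # xor is its own inverse
        return bytes(b ^ key for b in data)
    if method == "add":  # decrypt by subtracting the key
        k = -key if decrypt else key
        return bytes((b + k) & 0xFF for b in data)
    if method == "rol":  # decrypt by rotating back the other way
        k = (8 - key) % 8 if decrypt else key % 8
        return bytes(((b << k) | (b >> (8 - k))) & 0xFF for b in data)
    raise ValueError(method)


def build_sample(method: str, key: int) -> bytes:
    """Constructed replica: constant decryptor followed by the encrypted body."""
    return DECRYPTOR_STUB + transform(BODY, method, key, decrypt=False)


def bodies_identical(method: str, key1: int, key2: int) -> bool:
    """Do two replicas built with these keys carry the same encrypted body?
    True for a static key (same value every time), False once the key varies."""
    n = len(DECRYPTOR_STUB)
    return build_sample(method, key1)[n:] == build_sample(method, key2)[n:]


def string_scan(sample: bytes, sig: bytes) -> bool:
    """Plain string scanner: is the literal byte string present?"""
    return sig in sample


def xray_scan(sample: bytes, sig: bytes):
    """Try every (method, key) the decryptor could use and return the pair that
    exposes sig, or None: a random key only hides a payload that stays constant."""
    for method in ("xor", "add", "rol"):
        for key in (range(1, 8) if method == "rol" else range(1, 256)):
            if sig in transform(sample, method, key, decrypt=True):
                return method, key
    return None
```

With a random xor key the literal payload string is absent from every replica while the decryptor pattern still matches, and xray_scan still recovers the key.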
Polymorphism
Since a string scanner can only detect randomly encrypted viruses by using their decryptor, what happens if the decryptor itself changes with each infection? "Scanning can't find all viruses" was reportedly the premise of two virus researchers in the United States. According to sources such as Virus Bulletin, in January of 1990 each of these men sent out a virus to prove their claim. Patrick Toulome sent his Virus-101 to the developer of a scan product. Mark Washburn sent out his V2P1 or Chameleon virus. These were the first two polymorphic viruses.
  • 64.
    When Toulome's virus went beyond the researcher he sent it to, he didn't appreciate it. He stopped making viruses. Washburn, on the other hand, made and released several more, each progressively more polymorphic. The general meaning of polymorphic is "having many forms" and could thus be applied to any randomly encrypted virus, since they indeed have many forms. However, the use of this word in antivirus research and product development, as well as our use here, is more specific. A polymorphic virus is a randomly encrypted virus that is also programmed to randomly vary its decryption routine. Thus the decryptor itself has "many forms"; it is polymorphic. Before February of 1991 there were several terms used to describe these viruses: mutating, garbling, self-modifying, variably decrypting, and such. In that month, however, Fridrik Skulason and Alan Solomon coined "polymorphic" as it is applied to these viruses. The term caught on quickly. Now that we've explained the definition and history of the term polymorphic, we're going to look at what it really means. But be warned. This portion of our discussion of viruses gets more analytical in nature and thus, necessarily, more technical. During 1990 four polymorphic viruses were developed by Dark Avenger, based on his V800 virus. In an interview with Sarah Gordon, Dark Avenger said "Proud, Evil, Phoenix, are variants of one virus." This may mean that the fourth, Phoenix.1226, was the first programmed. None of these are in the wild, but we'll use the 1226 version here as an example of polymorphism. The decryption routine for Phoenix.1226 is 32 bytes long. Within that 32-byte routine, 18 bytes are variable. This variation is accomplished in two ways. First, two of the bytes can each have one of two values; these bytes represent two conditional jumps, each of which can be either a jns (jump if not sign) instruction, with a byte value of 79h, or a jge (jump if greater than or equal) instruction, with a byte value of 7Dh.
The remainder of the variability is more complex. There are five processor registers used in the decryptor. The first two used have to be pointer registers since they are used in indirect memory addressing. This limits the available registers to bx, di, and si (bp is not used). The other three registers are used for storage and may be selected from ax, bx, cx, or dx. Also, if bx was used as a pointer, then either di or si, whichever is available, can be used.
    program V :=
    {goto main;
    1234567;
    subroutine infect-executable :=
  • 65.
    {loop: file := get-random-executable-file;
     if (first-line-of-file = 1234567)
       then goto loop
       else prepend V to file;}
    subroutine do-damage :=
    {whatever damage is to be done}
    subroutine trigger-pulled :=
    {return true if some condition holds}
    main: main-program :=
    {infect-executable;
     if trigger-pulled then do-damage;
     goto next;}
    next:
How can I prevent malware from entering my PC?
It is important not to open any e-mails which come from senders you don't know. Many of those e-mails have luring titles like "You have won a lottery" or "Happy birthday, I have a present for you" and so on. Never open any attachments coming with such e-mails, as it is likely that in such cases you will install a virus or a worm on your PC. As a rule, you should never open an attachment that has been sent to you by someone you don't know. Install anti-virus software on your PC. This will protect your computer against viruses and other malware threats. You can also install a firewall, which will keep watch on all files that go in and out of your computer. Try to avoid suspicious websites, and if you accidentally enter one which seems strange, leave it immediately. If pop-up windows alert you or ask you to agree to anything, immediately close them and never click on any button inside them.
What is a firewall?
A device or software designed to prevent or stop unauthorised people from accessing your computer via the internet without permission. A firewall controls all the files that go in and out of your computer. If there is a suspicious file, it will take care of it for you and keep your computer safe.
What is spyware?
It is a program that can be secretly attached to files you download from the internet. As soon as it is
  • 66.
    downloaded, it installs itself on your PC without your knowledge and starts to monitor your internet activity. The monitored information is then transmitted to a third party, in most cases to companies which are interested in creating your personal profile. Later on, it will start sending you advertising or other data.