Malware: Viruses, Worms, Trojan Horses, & Spyware
What They Are & How to Deal with Them
Jay Stamps, jstamps@stanford.edu, 723-0018
ITSS Help Desk Level 1 Training, November 18, 2004
Course Objectives
• Understand what malware is, where it comes from, and what it does
• Diagnose compromised or infected computers based on reported symptoms
• Basic troubleshooting techniques for possibly compromised computers
• Research & diagnostic tools
• Prevention: Worth a pound of cure!
Sorry…
• But that was the last picture you’re going to see in this presentation!
• The good news is that your instructor loves questions, and you’re cordially invited to interrupt him at any time, or save your questions for later
• It’s a cliché, but there are no “dumb questions”: The point is to learn
• And if I don’t have a good answer, I’ll suggest that you make finding one part of your homework assignment!
What’s “Malware”?
• Shortened form of “malicious software”
  • But it’s not always really malicious
• So “malware” is a general term for:
  • Computer and macro viruses of any kind
  • Internet and mass-mailing worms
  • Trojan horses, backdoors and rootkits
  • Other computer exploits, bots, zombies
  • Spyware, adware, and other software installed on a computer without the user’s knowledge or informed consent
• And then there are the “hoax viruses”…
Why Use the Word “Virus”?
• The analogy with biological viruses
  • Computer viruses exist to self-replicate
  • They can often adapt (mutate) to survive
  • They might or might not harm the host
  • They “infect” by inserting themselves into a “healthy” system (be it a computer program or living organism)
• The term “virus” is heavily overused
  • That’s why we’re talking about “malware”
  • But when someone’s PC is misbehaving…
  • They call 5-HELP and say, “I’ve got a virus!”
Are Only PCs Affected?
• The answer is “No”
• Are Macintoshes immune?
  • The answer is “yes and no” - sort of…
  • The first virus in 1982 infected Apple IIs
  • A great deal of malware - some of it not so malicious - existed for Mac OS “Classic”
  • Are there any Mac OS X malware programs? Well, not in the wild, not yet…
• What about Unix and Linux OSes?
  • Lots of malware is in circulation for these platforms - lots!
Why Does Malware Exist?
• When “viruses” first became common…
  • And “normal people” began to use personal computers…
  • If a “virus” struck, they were confused, alarmed, felt violated…
  • They’d ask, “Where do these things come from?” and “How did I get infected?”
  • Often they’d feel embarrassed, like they’d picked up an STD in a reckless moment…
  • When told, “People deliberately create viruses,” they’d properly ask, “Why?”
• What do you think? Why does malware exist? (Possible homework assignment!)
Brief History of Malware
• “Viruses” appeared in early 1980s
  • Very soon after first personal computers
  • They spread by floppy disks, later via “bootleg” & other software on “BBSes”
  • They often weren’t meant to be destructive
• Internet “worms” arrived in late 1980s
  • “There may be a virus loose on the internet.” - Andy Sudduth of Harvard University, 34 minutes past midnight, November 3, 1988
Brief History Continued
• First mass-mailing worm came in 1999
  • Usually called the “Melissa virus”
  • It was also a “macro virus”
  • Infected file had to be opened in MS Word
• Spyware hits the scene around 2000
  • “Adware” claims to be legitimate, legal
  • “Browser hijacking” is a common symptom
• Other exploits, trojans, backdoors…
  • Have been around for a long time
  • Hackers target entities for malicious attack, or may want “free” computing resources
We’ll Stick to MS Windows
• The majority of computer users at Stanford have Microsoft Windows PCs
• The majority of malware “in the wild” today attacks only Windows PCs
  • Malware is very platform-dependent
• Microsoft has only recently made computer security a priority
  • In the past…
  • MS tended to “enable everything by default”
  • Network-connected “services” running on a computer are an open invitation to hackers
Why So Much Malware?
• Is malware becoming more common?
  • Yes!!! It is!!! (and harder to fight off)
• Why might that be?
  • The Internet! Plus all the high-powered PCs in homes & offices connected to it
• Why does that make a difference?
  • As with biological viruses, lots of people (or computers) are rubbing up against each other in a common space; and computers (like people) don’t always cover their mouths when they sneeze…
“Help! I’ve Got a Virus!”
• A lot of people self-diagnose (wrongly)
  • “Doc, I think I’ve got the flu.” “How much did you drink last night?” “Uh, three six packs. I think. I don’t really remember…”
• Only a few years ago…
  • Most folks who thought their PC had a viral infection were wrong!
  • When PCs behaved strangely, usually there was a problem with the OS or an application that was not at all virus-related
• Today that’s still true, but…
Today That’s True, But…
• Malware is more common, while OSes and applications are both more feature-laden and (often) more robust
  • More features mean more potential vulnerabilities for hackers to exploit
  • Greater robustness means strange behavior is somewhat likelier to be caused by malware
• Plus more people use protective software
  • Few people these days are unaware of the necessity of running antivirus software
  • Some people even use it correctly!
You Answer a Call to 5-HELP
• And the caller begins to explain…
• “I think my PC has a virus”
  • Maybe it does, and maybe it doesn’t
  • We’ll look at diagnostic approaches presently
• “I got an email from the Security Office…”
  • Get the details, but…
  • A referral to the Level 2 Help Desk, or local or contract support is probably the right move
  • If Networking or the Security Office has noticed a problem, the computer is almost certainly hacked
• If the caller has self-diagnosed, or if you suspect malware is involved, you ask…
The Usual Questions 1
• If a caller’s PC might have an infection, or otherwise be compromised:
  • Ask what version of Windows they’re using
  • Ask them if they’re keeping it patched
  • Ask them if they’re using antivirus software, and if it’s up-to-date
  • For Windows 2000 & XP, ask them if they have good passwords for all user accounts
  • Ask them if they use a firewall
• The caller may not know the answers to some of these questions, of course…
The Usual Questions 2
• So you may need to guide the caller to learn the answers to these questions
  • To check if Windows is properly updated, have the caller visit: http://windowsupdate.microsoft.com
  • Launch Symantec AntiVirus to check the date of the virus definitions file
  • To check password strength, use the Stanford Security Self-Help tool
  • Windows XP has a built-in firewall, as do many broadband routers
The Answers
• If a user can’t access the network, that problem is likely not caused by malware
• If a user can’t run, install or update SAV or other security software, that’s a clue that the PC has been infected by a worm
• If Windows isn’t patched, and/or AV software is out of date, and/or user accounts have weak passwords, the PC is definitely vulnerable to compromise
• If the web browser (especially IE) goes to unexpected sites, suspect spyware
More Symptoms
• We’ve just looked at a couple of common symptoms of malware
• Here are some other possible signs:
  • Sluggishness
  • One or more unexpected restarts
  • Frequent system crashes
  • Constant hard disk activity
  • Generalized “strange behavior”
• Hackers try to hide their presence: If they’re good, they will succeed
  • Worms and some viruses do likewise
Steps to Recovery
• Most symptoms of malware also have other, more mundane causes
• If there’s any reason to suspect the presence of malware on a user’s PC, update virus definitions, disconnect the network cable, and run a full antivirus scan of all hard drives
• Install and run SpySweeper
• And always, always teach computer users how to protect themselves from malware! Prevention is key!
Mass-Mailing Worms
• Mass-mailing worms are one of the most common vectors for malware
• Most people know not to open “suspicious” email attachments
  • But the worm writers are getting a lot craftier, and the attachments often look less “suspicious” these days
• Many people are still confused by sender address “spoofing”
  • Mass-mailing worms mail themselves out using randomly chosen sender addresses
I Got a “Suspicious” Email
• A caller might say:
  • I got a strange email message from my bank (or a bank I don’t even use), etc.
  • I got a message from my “system administrator” telling me to do something
  • I got a message from a friend telling me there’s some file I’m supposed to delete
• Such messages are usually “phishing” attacks, or “hoax viruses”
• Delete the email message; don’t do what it says; never give out private information
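A worked check for the two slides above (sender address spoofing by mass-mailing worms, and suspicious attachments), added here as an example rather than anything from the original training deck. The sample message, hostnames and addresses are constructed, and the list of risky attachment extensions is an assumption based on the file types worms of that period commonly used; it compares the claimed From domain against the originating Received hop and lists executable-type attachments.

```python
import email
import os
import re
from email import policy

# Assumed list: attachment types mass-mailing worms of the period commonly used
RISKY_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".cmd", ".com", ".vbs"}

# Constructed sample, not a real capture: From claims example.edu, but the
# earliest Received hop (the last one listed) is an unrelated dial-up host.
WORM_MAIL = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
    by inbox.example.edu with ESMTP; Thu, 18 Nov 2004 10:00:00 -0800
Received: from dsl-pool-12.example.net (unknown [203.0.113.7])
    by mx.example.edu with SMTP; Thu, 18 Nov 2004 09:59:00 -0800
From: "A Friend" <friend@example.edu>
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached file.
--XYZ
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"

MZ-stub-placeholder-not-a-real-payload
--XYZ--
"""

def triage_message(raw):
    """Flag a forged sender domain and risky attachments in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    from_domain = sender.group(1).lower() if sender else ""
    # Each relay prepends its own Received line, so the last one is the
    # originating hop; a worm's forged From header rarely matches that host.
    received = [str(h) for h in (msg.get_all("Received") or [])]
    origin = re.search(r"from\s+(\S+)", received[-1]) if received else None
    origin_host = origin.group(1).lower() if origin else ""
    same_domain = origin_host == from_domain or origin_host.endswith("." + from_domain)
    risky = [
        part.get_filename()
        for part in msg.iter_attachments()
        if os.path.splitext(part.get_filename() or "")[1].lower() in RISKY_EXTENSIONS
    ]
    return {"from_domain": from_domain, "origin_host": origin_host,
            "spoof_suspected": bool(from_domain) and not same_domain,
            "risky_attachments": risky}
```

A mismatch between the From domain and the originating hop is only a hint (legitimate mail sent from a home ISP account looks the same), so treat it as a reason to ask more questions rather than a verdict.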
Top 6 PC Security Must-Dos
• Patch Windows automatically
  • New patches 2nd Tuesday of each month
  • Use BigFix & Windows Automatic Updates
• Use strong passwords (even better, pass phrases) for all user accounts
• Use a firewall, such as Windows XP’s built-in software firewall
• Use and properly maintain good antivirus software
• Don’t open suspicious email attachments
• Disable Windows File & Printer Sharing
Tools for Prevention
• Essential Stanford Software: http://ess.stanford.edu
  • Symantec AntiVirus
  • BigFix client
  • SpySweeper
  • Security Self-Help Tool
• Use the Firefox web browser (not IE)
• Stanford Secure Computing web site: http://securecomputing.stanford.edu
• Microsoft Baseline Security Analyzer: http://support.microsoft.com/kb/320454
Questions? Research Tools
• If you’ve been saving up questions, now’s your chance!
• Tools for research & troubleshooting:
  • http://support.microsoft.com/kb/129972
  • http://www.google.com
  • http://www.sarc.com
  • http://www.mcafeesecurity.com/us/security/home.asp
  • http://housecall.trendmicro.com/
  • http://en.wikipedia.org/wiki/Computer_virus
  • http://www.spywareinfo.com/
  • http://support.microsoft.com
  • http://www.microsoft.com/technet
  • http://www.cert.org/
  • http://www.cisecurity.org/