M

As the Internet becomes more and more integrated into everyday lives, we must learn how to
defend ourselves against new types of online attacks.

While viruses remain a threat, today's hackers commonly use vicious multi-layered attacks, such as a
worm in a chat message that displays a link to a Web page infected with a Trojan horse. “Worms”
have been found that tunnel though programs, uncovering new vulnerabilities and reporting them
back to hackers. The hackers then quickly assemble malware (malicious software) from pre-made
components, exploiting the vulnerability before the majority of people can download a fix.

Below you will find the best tips that you can employ to protect yourself against these emerging
sophisticated, multi-faceted threats.

What Can Malware Do to My PC?
Malware opens up backdoors on infected systems, giving hackers direct access to the hijacked PC. In
this scenario, a hacker can use the infected PC to upload personal information to a remote system,
or to turn the PC into a remotely controlled 'bot used in criminal activity.

Hackers are designing their attacks to target specific high-value victims instead of simply launching
mass-mailing worms and viruses. These programs are being created specifically for data theft.

What About P2P?
Peer-to-peer (P2P) networking has become a launching pad for viruses. Attackers incorporate
spyware, viruses, Trojan horses, and worms into their free downloads. One of the most dangerous
features of many P2P programs is the “browse host” feature that allows others to directly connect to
your computer and browse through file shares.

P2P can accidentally give access to logins, user IDs and passwords; Quicken files and credit reports;
personal information such as letters, chat logs, cookies, and emails; and medical records you
accidentally house in accessible folders on your PC. As with email and instant messages, viruses in
P2P files are capable of weaving their way through as many users as they can, stealing information
and delivering it to cybercriminals who forge identities and commit fraud.

Best Tips to Defend Against Viruses and Worms.
You must safeguard your PC. Following these basic rules will help you protect you and your family
whenever you go online.

1. Protect your computer with strong security software and keep it updated. McAfee Total
Protection for Small Business provides proven PC protection from Trojans, hackers, and
spyware. Its integrated anti-virus, anti-spyware, firewall, anti-spam, anti-phishing, and
backup technologies work together to combat today's advanced multi-faceted attacks. It
scans disks, email attachments, files downloaded from the Web, and documents generated
by word processing and spreadsheet programs.
2. Use a security-conscious Internet service provider (ISP) that implements strong anti-spam
and anti-phishing procedures.
3. Enable automatic Windows® updates or download Microsoft® updates regularly to keep your
operating system patched against known vulnerabilities. Install patches from other software

manufacturers as soon as they are distributed. A fully patched computer behind a firewall is
the best defense against Trojan and spyware installation.
4. Use caution when opening attachments. Configure your anti-virus software to automatically
scan all email and instant message attachments. Make sure your email program doesn't
automatically open attachments or automatically render graphics, and ensure that the
preview pane is turned off. Never open unsolicited emails, or attachments that you're not
expecting—even from people you know.
5. Be careful when engaging in peer-to-peer (P2P) file-sharing. Trojans hide within file-sharing
programs waiting to be downloaded. Use the same precautions when downloading shared
files that you do for email and instant messaging. Avoid downloading files with the
extensions .exe, .scr, .lnk, .bat, .vbs, .dll, .bin, and cmd.
6. Use security precautions for your PDA, cell phone, and Wi-Fi devices. Viruses and Trojans
arrive as an email/IM attachment, are downloaded from the Internet, or are uploaded along
with other data from a desktop. Cell phone viruses and mobile phishing attacks are in the
beginning stages, but will become more common as more people access mobile multimedia
services and Internet content directly from their phones. Always use a PIN code on your cell
phone, and never install or download mobile software from an unknown source.
7. Configure your instant messaging application correctly. Make sure it does not open
automatically when you fire up your computer.
8. Beware of spam-based phishing schemes. Don't click on links in emails or IM.
9. Back up your files regularly and store the backups somewhere besides your PC. If you fall
victim to a virus attack, you can recover photos, music, movies, and personal information
like tax returns and bank statements.
10. Stay aware of current virus news by checking sites like McAfee® Avert® Threat Center.

2.
3.
4.
5. top-10 worst ISPs in this category—consider this when making your choice.
6. Enable automatic Windows updates, or download Microsoft updates regularly, to keep your
operating system patched against known vulnerabilities. Install patches from other software
manufacturers as soon as they are distributed. A fully patched computer behind a firewall is
the best defense against Trojan and spyware installation.
7. Use great caution when opening attachments. Configure your anti-virus software to
automatically scan all email and instant message attachments. Make sure your email
program doesn’t automatically open attachments or automatically render graphics, and
ensure that the preview pane is turned off. Never open unsolicited emails, or attachments
that you’re not expecting—even from people you know.
8. Be careful when using P2P file sharing. Trojans hide within file-sharing programs waiting to
be downloaded. Use the same precautions when downloading shared files that you do for
email and instant messaging. Avoid downloading files with the extensions .exe, .scr, .lnk,
.bat, .vbs, .dll, .bin, and .cmd.
9. Use security precautions for your PDA, cell phone, and Wi-Fi devices. Viruses and Trojans
arrive as an email/IM attachment, are downloaded from the Internet, or are uploaded along
with other data from a desktop. Cell phone viruses and mobile phishing attacks are in the
beginning stages, but will become more common as more people access mobile multimedia
services and Internet content directly from their phones. Mobile Anti-Virus software for a
selected devices is available for free with some McAfee PC products. Always use a PIN code
on your cell phone and never install or download mobile software from a un-trusted source.

10. Configure your instant messaging application correctly. Make sure it does not open
automatically when you fire up your computer.
11. Beware of spam-based phishing schemes. Don’t click on links in emails or IM.
12. Back up your files regularly and store the backups somewhere besides your PC. If you fall
victim to a virus attack, you can recover photos, music, movies, and personal information
like tax returns and bank statements.
13. Stay aware of current virus news by checking sites like McAfee Labs Threat Center.

Back to top

Bookmark & Share
Favoritesemail Blinklist del.icio.us Digg Furl Google Facebook MySpace Yahoo Buzz Live

More Advice on this Topic

8 Tips on How to Protect Yourself Online
13 Ways to Protect Your System
Anti-virus Tips
Tips for a More Secure Internet Experience
How to Protect Your Computer Against Virus and Worm Attacks
Hardware vs. Software Firewalls
Passphrases

Find a term you don’t recognize? Look up definitions in our Glossary.

Free Security Newsletter Sign Up for Security News and Special Offers:

Email Addre

The Ultimate Security:

McAfee Total Protection

Ultimate. The most effective protection against virus, online and network threats.

$89.99$59.99Save $30

PC Infected? Get Expert Help Now!

McAfee Virus Removal Service

Connect to one of our security experts by phone. Have your PC fixed remotely – while you
watch!

$89.95

Available daily, 24x7.

A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a
sequence of actions to be performed automatically when the application is started or something else
triggers it. Macro viruses tend to be surprising but relatively harmless. A typical effect is the
undesired insertion of some comic text at certain points when writing a line. A macro virus is often
spread as an e-mail virus. A well-known example in March, 1999 was the Melissa virus virus.

Melissa is a fast-spreading macro virus that is distributed as an e-mail attachment that, when
opened, disables a number of safeguards in Word 97 or Word 2000, and, if the user has the
Microsoft Outlook e-mail program, causes the virus to be resent to the first 50 people in each
of the user's address books. While it does not destroy files or other resources, Melissa has the
potential to disable corporate and other mail servers as the ripple of e-mail distribution
becomes a much larger wave. On Friday, March 26, 1999, Melissa caused the Microsoft
Corporation to shut down incoming e-mail. Intel and other companies also reported being
affected. The U. S. Department of Defense-funded Computer Emergency Response Team
(CERT) issued a warning about the virus and developed a fix.

How Melissa Works

Melissa arrives in an attachment to an e-mail note with the subject line "Important Message
from ]the name of someone[," and body text that reads "Here is that document you asked
for...don't

Learn More

Security Resources
Malware, Viruses, Trojans and Spyware

show anyone else ;-)". The attachment is often named LIST.DOC. If the recipient clicks on or
otherwise opens the attachment, the infecting file is read to computer storage. The file itself
originated in an Internet alt.sex newsgroup and contains a list of passwords for various Web
sites that require memberships. The file also contains a Visual Basic script that copies the
virus-infected file into the normal.dot template file used by Word for custom settings and
default macros. It also creates this entry in the Windows registry:

What is Identity Theft?

Identity theft, also known as ID theft is a crime in which a criminal obtains key pieces of
personal information, such as Social Security or driver's license numbers, in order to pose as
someone else. The information can be used to obtain credit, merchandise, and services using
the victims‘ name. Identity theft can also provide a thief with false credentials for
immigration or other applications. One of the biggest problems with identity theft is that very
often the crimes committed by the identity theft expert are often
attributed to the victim.
Buy it Now
There are two main types of identity theft – account takeover and true
name theft. Account takeover identity theft refers to the type of
situation where an imposter uses the stolen personal information to
gain access to the person‘s existing accounts. Often the identity thief
will use the stolen identity to acquire even more credit products by
changing your address so that you never see the credit card bills that
the thief runs up.

True name identity theft means that the thief uses personal
information to open new accounts. The thief might open a new credit
card account, establish cellular phone service, or open a new
checking account in order to obtain blank checks. The Internet has made it easier for an
identity thief to use the information they've stolen because transactions can be made without
any real verification of someone‘s identity. All a thief really needs today is a series of correct
numbers to complete the crime. Companies like LifeLock can monitor if a thief has gotten
access to and used any of your personal information."

trojan

In the IT world, a Trojan horse is used to enter a victim‘s computer undetected, granting the
attacker unrestricted access to the data stored on that computer and causing great damage to
the victim. A Trojan can be a hidden program that runs on your computer without your
knowledge, or it can be ‗wrapped‘ into a legitimate program meaning that this program may
therefore have hidden functions that you are not aware of.

How a Trojan works
Trojans typically consist of two parts, a client part and a server part. When a victim
(unknowingly) runs a Trojan server on his machine, the attacker then uses the client part of
that Trojan to connect to the server module and start using the Trojan. The protocol usually
used for communications is TCP, but some Trojans' functions use other protocols, such as
UDP, as well. When a Trojan server runs on a victim‘s computer, it (usually) tries to hide
somewhere on the computer; it then starts listening for incoming connections from the
attacker on one or more ports, and attempts to modify the registry and/or use some other
auto-starting method.

It is necessary for the attacker to know the victim‘s IP address to connect to his/her machine.
Many Trojans include the ability to mail the victim‘s IP and/or message the attacker via ICQ
or IRC. This system is used when the victim has a dynamic IP, that is, every time he connects
to the Internet, he is assigned a different IP (most dial-up users have this). ADSL users have

static IPs, meaning that in this case, the infected IP is always known to the attacker; this
makes it considerably easier for an attacker to connect to your machine.

Most Trojans use an auto-starting method that allows them to restart and grant an attacker
access to your machine even when you shut down your computer. Trojan writers are
constantly on the hunt for new auto-starting methods and other such tricks, making it hard to
keep up with their new discoveries in this area. As a rule, attackers start by ―joining‖ the
Trojan to some executable file that you use very often, such as explorer.exe, and then proceed
to use known methods to modify system files or the Windows Registry.

For an in-depth look at the different types of Trojans, why they pose a danger to corporate
networks, and how to protect your network against them, please click here.

Get the latest SPAM news at AllSpammedUp.com!

Trojan Horse Attacks

If you were referred here, you may have been "hacked" by a Trojan horse attack. It's crucial
that you read this page and fix yourself immediately. Failure to do so could result in being
disconnected from the IRC network, letting strangers access your private files, or worst yet,
allowing your computer to be hijacked and used in criminal attacks on others.

by Joseph Lo aka Jolo, with much help from countless others
This page is part of IRChelp.org's security section at http://www.irchelp.org/irchelp/security/
updated Feb 5, 2006

Contents:

I. What is a Trojan horse?
II. How did I get infected?
III. How do I avoid getting infected in the future?
IV. How do I get rid of trojans?!?
Appendices

I. What is a Trojan horse?

Trojan horse attacks pose one of the most serious threats to computer security. If you were
referred here, you may have not only been attacked but may also be attacking others
unknowingly. This page will teach you how to avoid falling prey to them, and how to repair
the damage if you already did. According to legend, the Greeks won the Trojan war by hiding
in a huge, hollow wooden horse to sneak into the fortified city of Troy. In today's computer
world, a Trojan horse is defined as a "malicious, security-breaking program that is disguised
as something benign". For example, you download what appears to be a movie or music file,
but when you click on it, you unleash a dangerous program that erases your disk, sends your
credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to

commit illegal denial of service attacks like those that have virtually crippled the DALnet
IRC network for months on end.

The following general information applies to all operating systems, but by far most of the
damage is done to/with Windows users due to its vast popularity and many weaknesses.

(Note: Many people use terms like Trojan horse, virus, worm, hacking and cracking all
interchangeably, but they really don't mean the same thing. If you're curious, here's a quick
primer defining and distinguishing them. Let's just say that once you are "infected", trojans
are just as dangerous as viruses and can spread to hurt others just as easily!)

II. How did I get infected?

Trojans are executable programs, which means that when you open the file, it will perform
some action(s). In Windows, executable programs have file extensions like "exe", "vbs",
"com", "bat", etc. Some actual trojan filenames include: "dmsetup.exe" and "LOVE-
LETTER-FOR-YOU.TXT.vbs" (when there are multiple extensions, only the last one counts,
be sure to unhide your extensions so that you see it). More information on risky file
extensions may be found at this Microsoft document.

Trojans can be spread in the guise of literally ANYTHING people find desirable, such as a
free game, movie, song, etc. Victims typically downloaded the trojan from a WWW or FTP
archive, got it via peer-to-peer file exchange using IRC/instant messaging/Kazaa etc., or just
carelessly opened some email attachment. Trojans usually do their damage silently. The first
sign of trouble is often when others tell you that you are attacking them or trying to infect
them!

III. How do I avoid getting infected in the future?

You must be certain of BOTH the source AND content of each file you download! In
other words, you need to be sure that you trust not only the person or file server that gave you
the file, but also the contents of the file itself.

Here are some practical tips to avoid getting infected (again). For more general security
information, please see our main security help page.

1. NEVER download blindly from people or sites which you aren't 100% sure about. In other
words, as the old saying goes, don't accept candy from strangers. If you do a lot of file
downloading, it's often just a matter of time before you fall victim to a trojan.
2. Even if the file comes from a friend, you still must be sure what the file is before opening
it, because many trojans will automatically try to spread themselves to friends in an email
address book or on an IRC channel. There is seldom reason for a friend to send you a file that
you didn't ask for. When in doubt, ask them first, and scan the attachment with a fully
updated anti-virus program.
3. Beware of hidden file extensions! Windows by default hides the last extension of a file, so
that innocuous-looking "susie.jpg" might really be "susie.jpg.exe" - an executable trojan! To
reduce the chances of being tricked, unhide those pesky extensions.
4. NEVER use features in your programs that automatically get or preview files. Those
features may seem convenient, but they let anybody send you anything which is extremely
reckless. For example, never turn on "auto DCC get" in mIRC, instead ALWAYS screen every

single file you get manually. Likewise, disable the preview mode in Outlook and other email
programs.
5. Never blindly type commands that others tell you to type, or go to web addresses
mentioned by strangers, or run pre-fabricated programs or scripts (not even popular ones).
If you do so, you are potentially trusting a stranger with control over your computer, which
can lead to trojan infection or other serious harm.
6. Don't be lulled into a false sense of security just because you run anti-virus programs.
Those do not protect perfectly against many viruses and trojans, even when fully up to date.
Anti-virus programs should not be your front line of security, but instead they serve as a
backup in case something sneaks onto your computer.
7. Finally, don't download an executable program just to "check it out" - if it's a trojan, the first
time you run it, you're already infected!

IV. How do I get rid of trojans?!?

Here are your many options, none of them are perfect. I strongly suggest you read through all
of them before rushing out and trying to run some program blindly. Remember - that's how
you got in this trouble in the first place. Good luck!

1. Clean Re-installation: Although arduous, this will always be the only sure way to
eradicate a trojan or virus. Back up your entire hard disk, reformat the disk, re-install
the operating system and all your applications from original CDs, and finally, if you're
certain they are not infected, restore your user files from the backup. If you are not up
to the task, you can pay for a professional repair service to do it.
2. Anti-Virus Software: Some of these can handle most of the well known trojans, but
none are perfect, no matter what their advertising claims. You absolutely MUST make
sure you have the very latest update files for your programs, or else they will miss the
latest trojans. Compared to traditional viruses, today's trojans evolve much quicker
and come in many seemingly innocuous forms, so anti-virus software is always going
to be playing catch up. Also, if they fail to find every trojan, anti-virus software can
give you a false sense of security, such that you go about your business not realizing
that you are still dangerously compromised. There are many products to choose from,
but the following are generally effective: AVP, PC-cillin, and McAfee VirusScan. All
are available for immediate downloading typically with a 30 day free trial. For a more
complete review of all major anti-virus programs, including specific configuration
suggestions for each, see the HackFix Project's anti-virus software page [all are ext.
links]. When you are done, make sure you've updated Windows with all security
patches [ext. link].
3. Anti-Trojan Programs: These programs are the most effective against trojan horse
attacks, because they specialize in trojans instead of general viruses. A popular choice
is The Cleaner, $30 commercial software with a 30 day free trial. To use it effectively,
you must follow hackfix.org's configuration suggestions [ext. link]. When you are
done, make sure you've updated Windows with all security patches [ext. link], then
change all your passwords because they may have been seen by every "hacker" in the
world.
4. IRC Help Channels: If you're the type that needs some hand-holding, you can find
trojan/virus removal help on IRC itself, such as EFnet #dmsetup or DALnet
#NoHack. These experts will try to figure out which trojan(s) you have and offer you
advice on how to fix it. The previous directions were in fact adapted from advice

given by EFnet #dmsetup. (See our networks page if you need help connecting to
those networks.)

Appendices:

These files were referred to in the text above, and provide additional information.

IRChelp.org Security Page
Hacker / Cracker / Trojan / Virus? - A Primer on Terminology
How to unhide Windows file extensions

Why Use A Rootkit?
A rootkit allows someone, either legitimate or malicious, to maintain command and control over a
computer system, without the the computer system user knowing about it. This means that the
owner of the rootkit is capable of executing files and changing system configurations on the target
machine, as well as accessing log files or monitoring activity to covertly spy on the user's computer
usage.

Is A Rootkit Malware?
That may be debatable. There are legitimate uses for rootkits by law enforcement or even by
parents or employers wishing to retain remote command and control and/or the ability to monitor
activity on their employee's / children's computer systems. Products such as eBlaster or Spector Pro
are essentially rootkits which allow for such monitoring.

However, most of the media attention given to rootkits is aimed at malicious or illegal
rootkits used by attackers or spies to infiltrate and monitor systems. But, while a rootkit
might somehow be installed on a system through the use of a virus or Trojan of some sort, the
rootkit itself is not really malware.

Detecting A Rootkit
Detecting a rootkit on your system is easier said than done. Currently, there is no off-the-shelf
product to magically find and remove all of the rootkits of the world like there is for viruses or
spyware.

There are various ways to scan memory or file system areas, or look for hooks into the
system from rootkits, but not many of them are automated tools, and those that are often
focus on detecting and removing a specific rootkit. Another method is just to look for bizarre
or strange behavior on the computer system. If there are suspicious things going on, you
might be compromised by a rootkit. Of course, you might also just need to clean up your
system using tips from a book like Degunking Windows.

In the end, many security experts suggest a complete rebuild of a system compromised by a
rootkit or suspected of being compromised by a rootkit. The reason is, even if you detect files
or processes associated with the rootkit, it is difficult to be 100% sure that you have in fact
removed every piece of the rootkit. Peace of mind can be found by completely erasing the
system and starting over.

Protecting Yourself From Rootkits
As mentioned above regarding detecting rootkits, there is no packaged application to guard against
rootkits. It was also mentioned above that rootkits, while they may be used for malicious purposes
at times, are not necessarily malware.

Many malicious rootkits manage to infiltrate computer systems and install themselves by
propagating with a malware threat such as a virus. You can safeguard your system from
rootkits by ensuring it is kept patched against known vulnerabilities, that antivirus software is
updated and running, and that you don't accept files from or open email file attachments from
unknown sources. You should also be careful when installing software and read carefully
before agreeing to EULA's (end user license agreements), because some may state overtly
that a rootkit of some sort will be installed.

[ go back | search | help | send email ]

So what does a Rookit do?

What it does do, is provide access to all your folders – both private data and system files – to
a remote user who, through administrative powers, can do whatever he wants with your
computer. Needless to say, every user should be aware of the threat they pose.

Rootkits generally go much deeper than the average virus. They may even infect your BIOS –
the part of your computer that‘s independent of the Operating System – making them harder
to remove. And they may not even be Windows-specific, even Linux or Apple machines
could be affected. In fact, the first rootkit ever written was for Unix!

Image by Fristle

Is this a new phenomenon?

No, not at all. The earliest known rootkit is in fact two decades old. However, now that every
home and every work desk has a computer that is connected to the internet, the possibilities
for using the full potential of a rootkit is only just being realized.

Possibly the most famous case so far was in 2005, when CDs sold by Sony BMG installed
rootkits without user permission that allowed any user logged in at the computer to access the
administrator mode. The purpose of that rootkit was to enforce copy protection (called
―Digital Rights Management‖ or DRM) on the CDs, but it compromised the computer it was
installed on. This process could easily be hijacked for malicious purposes.

What makes it different from a virus?

Most often, rootkits are used to control and not to destroy. Of course, this control could be
used to delete data files, but it can also be used for more nefarious purposes.

More importantly, rootkits run at the same privilege levels as most antivirus programs. This
makes them that much harder to remove as the computer cannot decide on which program
has a greater authority to shut down the other.

So how I might get infected with a rootkit?

As mentioned above, a rootkit may piggyback along with software that you thought you
trusted. When you give this software permission to install on your computer, it also inserts a
process that waits silently in the background for a command. And, since to give permission
you need administrative access, this means that your rootkit is already in a sensitive location
on the computer.

Another way to get infected is by standard viral infection techniques – either through shared
disks and drives with infected web content. This infection may not easily get spotted because
of the silent nature of rootkits.

There have also been cases where rootkits came pre-installed on purchased computers. The
intentions behind such software may be good – for example, anti-theft identification or
remote diagnosis – but it has been shown that the mere presence of such a path to the system
itself is a vulnerability.

So, that was about what exactly is a rootkit and how does it creep in to computer. In my next
article I‘ll discuss how to defend your computer from rootkits – from protection to
cleaning up.

Previous post: 3 Useful Chrome Extensions to Capture Screenshot of a Webpage

Next post: Windows 7 Problem Steps Recorder Makes Troubleshooting Windows Errors
Easier

5 Cool Latest Posts
o How to Create a Picture Password in Windows 8
o How to Add Computer Icon to Windows 8 Start Menu, Desktop & Windows Explorer
o 4 Useful Tools to Delete Locked Files In Windows
o How to Open Word, Excel (.doc, .docx, xlsx etc) Files Without MS Office Installed
o How to Personalize the New Windows 8 Charm Bar
D AILY ILY EMAIL UP DAT ES:

What is the difference between viruses, worms, and Trojans?
What is a virus?

A computer virus is a small program written to alter the way a computer operates, without
the permission or knowledge of the user. A virus must meet two criteria:

It must execute itself. It often places its own code in the path of execution of
another program.
It must replicate itself. For example, it may replace other executable files with a
copy of the virus infected file. Viruses can infect desktop computers and network
servers alike.

Some viruses are programmed to damage the computer by damaging programs,

deleting files, or reformatting the hard disk. Others are not designed to do any
damage, but simply to replicate themselves and make their presence known by
presenting text, video, and audio messages. Even these benign viruses can create
problems for the computer user. They typically take up computer memory used by
legitimate programs. As a result, they often cause erratic behavior and can result in
system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to
system crashes and data loss.

Five recognized types of viruses

File infector viruses File infector viruses infect program files. These viruses normally infect executable code, such as .com and .exe
files. The can infect other files when an infected program is run from floppy, hard drive, or from the network.
Many of these viruses are memory resident. After memory becomes infected, any noninfected executable
that runs becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.

Boot sector viruses Boot sector viruses infect the system area of a disk; that is, the boot record on floppy disks and hard disks. All
floppy disks and hard disks (including disks containing only data) contain a small program in the boot record
that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and
activate when the user attempts to start up from the infected disk. These viruses are always memory resident
in nature. Most were written for DOS, but, all PCs, regardless of the operating system, are potential targets of
this type of virus. All that is required to become infected is to attempt to start up your computer with an
infected floppy disk Thereafter, while the virus remains in memory, all floppy disks that are not write
protected will become infected when the floppy disk is accessed. Examples of boot sector viruses are Form,
Disk Killer, Michelangelo, and Stoned.

Master boot record Master boot record viruses are memory-resident viruses that infect disks in the same manner as boot sector
viruses viruses. The difference between these two virus types is where the viral code is located. Master boot record
infectors normally save a legitimate copy of the master boot record in an different location. Windows NT
computers that become infected by either boot sector viruses or master boot sector viruses will not boot.
This is due to the difference in how the operating system accesses its boot information, as compared to
Windows 98/Me. If your Windows NT systems is formatted with FAT partitions you can usually remove the
virus by booting to DOS and using antivirus software. If the boot partition is NTFS, the system must be
recovered by using the three Windows NT Setup disks. Examples of master boot record infectors are NYB,
AntiExe, and Unashamed.

Multipartite viruses Multipartite (also known as polypartite) viruses infect both boot records and program files. These are
particularly difficult to repair. If the boot area is cleaned, but the files are not, the boot area will be
reinfected. The same holds true for cleaning infected files. If the virus is not removed from the boot area, any
files that you have cleaned will be reinfected. Examples of multipartite viruses include One_Half, Emperor,
Anthrax and Tequilla.

Macro viruses These types of viruses infect data files. They are the most common and have cost corporations the most
money and time trying to repair. With the advent of Visual Basic in Microsoft's Office 97, a macro virus can be
written that not only infects data files, but also can infect other files as well. Macro viruses infect Microsoft
Office Word, Excel, PowerPoint and Access files. Newer strains are now turning up in other programs as well.
All of these viruses use another program's internal programming language, which was created to allow users
to automate certain tasks within that program. Because of the ease with which these viruses can be created,
there are now thousands of them in circulation. Examples of macro viruses include W97M.Melissa,
WM.NiceDay and W97M.Groov.

What is a Trojan horse?

Trojan horses are impostors—files that claim to be something desirable but, in fact,
are malicious. A very important distinction between Trojan horse programs and true
viruses is that they do not replicate themselves. Trojan horses contain malicious code
that when triggered cause loss, or even theft, of data. For a Trojan horse to spread,
you must invite these programs onto your computers; for example, by opening an
email attachment or downloading and running a file from the Internet. Trojan.Vundo
is a Trojan horse.

What is a worm?

Worms are programs that replicate themselves from system to system without the use
of a host file. This is in contrast to viruses, which requires the spreading of an
infected host file. Although worms generally exist inside of other files, often Word or
Excel documents, there is a difference between how worms and viruses use the host
file. Usually the worm will release a document that already has the "worm" macro
inside the document. The entire document will travel from computer to computer, so
the entire document should be considered the worm W32.Mydoom.AX@mm is an
example of a worm
What is a virus hoax?

Virus hoaxes are messages, almost always sent by email, that amount to little more
than chain letters. Following are some of the common phrases that are used in these
hoaxes:

If you receive an email titled [email virus hoax name here], do not open it!
Delete it immediately!
It contains the [hoax name] virus.
It will delete everything on your hard drive and [extreme and improbable danger
specified here].
This virus was announced today by [reputable organization name here].
Forward this warning to everyone you know!

Most virus hoax warnings do not deviate far from this pattern. If you are unsure if a
virus warning is legitimate or a hoax, additional information is available at the
Symantec Security Response online database.
What is not a virus?

Because of the publicity that viruses have received, it is easy to blame any computer
problem on a virus. The following are not likely to be caused by a virus or other
malicious code:

Hardware problems No viruses can physically damage computer hardware, such as chips, boards, and monitors.

The computer beeps at startup with no This is usually caused by a hardware problem during the boot process. Consult your computer
screen display documentation for the meaning of the beep codes.

The computer does not register 640 KB This can be a sign of a virus, but it is not conclusive. Some hardware drivers such as those for
of conventional memory the monitor or SCSI card can use some of this memory. Consult with your computer
manufacturer or hardware vendor to determine if this is the case.

You have two antivirus programs This might be a virus, but it can also be caused by one antivirus program detect the other
installed and one of them reports a program's signatures in memory. For additional information, see Should you run more than one
virus antivirus program at the same time?

Microsoft Word warns you that a This does not mean that the macro is a virus.
document contains a macro

You cannot open a particular document This is not necessarily an indication of a virus. Try opening another document or a backup of the
document in question. If other documents open correctly, the document may be damaged.

The label on a hard drive has changed Every disk is allowed to have a label. You can assign a label to a disk by using the DOS Label
command of from within Windows.

When you run ScanDisk, Norton For instructions on what to do, read Alert: "Virus Like Activity detected. The application . . . is
AntiVirus Auto-Protect reports virus-like attempting to write to the file . . . What would you like to do?
activity

Additional information

For the most up-to-date information on viruses, go to the Symantec Security
Response online database.

To submit a file or disk that you suspect is infected with a virus, please read one of
the following documents:

Submitting a file to Symantec Security Response over the Internet or on a floppy
disk
Submitting a file to Symantec Security Response using Scan and Deliver

What is safe computing?

With all the hype, it is easy to believe that viruses lurk in every file, every email,
every Web site. However, a few basic precautions can minimize your risk of
infection. Practice safe computing and encourage everyone you know to do so as
well.

General precautions

Do not leave a floppy disk in the floppy disk drive when you shut down or restart
the computer.
Write-protect your floppy disks after you have finished writing to them.
Be suspicious of email attachments from unknown sources.
Verify that attachments have been sent by the author of the email. Newer viruses
can send email messages that appear to be from people you know.
Do not set your email program to "auto-run" attachments.
Obtain all Microsoft security updates.
Back up your data frequently. Keep the write-protected media in a safe place—
preferably in a different location than your computer.

Specific to Norton AntiVirus

Make sure that you have the most recent virus definitions. We recommend that
you run LiveUpdate at least once per week. Symantec Security Response updates
virus definitions in response to new virus threats. For additional information,
please see How to Run LiveUpdate.
Make sure that you have set Norton AntiVirus to scan floppy disks on access and at
shutdown. Please see your User's Guide for information on how to do this in your
version of Norton AntiVirus.
Always keep Norton AntiVirus Auto-Protect running. Symantec Security Response
now strongly recommends that you have Norton AntiVirus set to scan all files, not
just program files.

Scan all new software before you install it. Because boot sector viruses spread by
floppy disks and bootable CDs, every floppy disk and CD should be scanned for
viruses. Shrink-wrapped software, demo disks from suppliers, and trial software
are not exempt from this rule. Viruses have been found even on retail software.
Scan all media that someone else has given you.
Use caution when opening email attachments. Email attachments are a major
source of virus infections. Microsoft Office attachments for Word, Excel, and
Access can be infected by Macro viruses. Other attachments can contain file
infector viruses. Norton AntiVirus Auto-Protect will scan these attachments for
viruses as you open or detach them. We recommend that you enable email
scanning, which will scan email attachments before the email message is sent to
your email program.

« Source : Stopping Anti Virus/Desktop Firewall processes and services

Source : Binder stub »

Nine ways how hackers propagate malware (1 of 2)

Mar 24th, 2009 by carrumba

Malware propagation is one of the most fascinating parts of the attackers activities and is
attracting, besides the anger of the affected people, the most attention. It is the part where all
the magic of infection and intrusion happens, where attackers release the malicious software
to the wild and try to infect new victim systems as quickly or as targeted as possible; their
victims are left wondering how the heck that could have happened.

The goal of this article is to give you an overview how and where attackers release malware.
It will show you an overview about the common infection points where people get in first
contact with malware and what action the software has to execute to initiate the infection
process.

Method 1 : Sending the Trojan horse as email attachment

One of the oldest but still very effective ways people get infected is via email, by opening an
attached file. Email is the most used way people communicate over the Internet. Almost
everyone owns an email address and is using it regularly. It is easy to use, it‘s accessible from
everywhere where you have Internet access. Today, most email services are for free too.

As already mentioned sending malware as an email attachment was already a propagation
method in the early days. The attacker prepared the Trojan horse, sent it to all the recipients
on his list and waited until the infected systems connected back. Simple and straightforward.
The only thing the recipient (the victim) had to do was to double-click the attachment to
initiate the infection process. Back in the days anti virus software was not that wide spread as

it is nowadays, the people were not that cautious and sensitised to this kind of threat. Many
email users were only a double-click away from the infection.
Today as AV software is installed on virtually every computer and people are aware of the
threat, that way of propagation still works surprisingly well. But things turn out slightly more
difficult. An AV software doesn‘t accept *.exe *.com *.bat or *.pif files anymore and it also
checks archives like *.zip or *.rar files for executable files. If they contain files with
suspicious file name extensions it rises a warning and interrupts the execution. But because
there is still a big mass of potential victims among the email users that are obstinately
ignoring any kind of warnings the infection rate is still high and for an attacker this archaic
means is still promising and valuable.

Method 2 : Infection via browser bugs

The browser is doubtlessly the most used application on a computer. We use it to surf the
Internet, to check our mails of course, to chat and many programs people had once installed
locally on the computer is now loaded into the browser and ready to use, as for example text
processing programs or spreadsheets. Browsers have a big importance and over the years
their functionality and extensions grew and changed its usage enormously. With its quick
development and the possibility to install plugins also the attack vector grew. Code reviews
were conducted more often and not only on the browsers but also on the plugins what
revealed many critical and also not so critical bugs. These circumstances also attracted the
attackers attention and allowed them new ways to spread their malware. By leading a victim
to a site that contains malicious HTML, scripting or plugin code an attacker can force the
victims browser to execute hidden actions, force it to download and install the damage
routine of the Trojan horse and to infect the system that way.
This is much more convenient than the variant with the infected attachment. An email
containing a simple link to a homepage doesn‘t seem suspicious and additionally it is a one-
click-infection (instead of a double-click).

Method 3 : Removable data storage devices

There was once a time where the classic computer viruses propagation happened by sharing
infected floppy discs and executing program files. To share and to execute was simply the
only method. Even if floppy disks are not in use as data storage device anymore (maybe
you‘re still using it as boot device) the method itself is still in use. In the meantime CD-
ROMs and USB memory sticks replaced the floppy discs almost completely and Microsoft
introduced the Autorun feature that executes commands automatically when a newly
connected data storage device is connected. This combination of removable storage devices
and autoexecution revived the ancient propagation method and the USB memory sticks and
CD-ROMs/DVDs served beside being data storage medium also as host to infect computers
with malware.

Here is an example how the file autorun.inf has to look like :

[autorun]
open=installMegapanzer.exe
icon=myIcon.ico

This way of malware propagation was used a lot in the past and Microsoft and also other
installed 3rd party software will trigger an alert if a data storage device is using the autorun
feature. So this method is not that reliable anymore and has its restrictions.

Additionally and worth mentioning: A Trojan horse itself can, once running on a victims
system, infect other writable USB data storage devices and so propagate in the old known
manner as it happened with the floppy disks. Ancient but proven.

Method 4 : File sharing networks

Another common way to propagate malware is using the different internet based filesharing
networks like Bittorrent, Emule, Limewire etc. An attacker tries to get hold of a new release
of a popular software and injects his malicious code into the genuine software packet. After
the initial infection the attacker offers the infected file to other users for download.
There are two advantages coming with this method:

If a victim downloads the infected file he’s “expecting” an executable file and doesn’t
become suspicious just because of its file extension. He “will” execute it after downloading.
Once the file is downloaded by the first victim the availability of the file doubled. Two
people offer the infected file now for download. What the attacker has to do is only to make
sure he is using a popular software and the propagation will advance in a fast pace.

What’s coming up in the second article

The goal of the first part was to describe the methods how attackers propagate their malware
by distributing it in an active way, by sending ―something‖ to the victims expecting they have
execute an action with this ―something‖. These ways are well known to all of us because the
media permanently informs about the threats we are exposed to, the latest incidents that
happend and is giving us the relevant background information. In the next article I will give
you an understanding of how to inject the malware in a victims browsing session by taking
over and controlling his data stream. More subliminal, more state

Data-stealing malware is a web threat that divest victims of personal and proprietary
information with the purpose of monetizing stolen data through direct use or underground
distribution. Content security threats that fall under this umbrella include keyloggers, screen
scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such as
spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in file
download or direct installation, as most hybrid attacks do, files that act as agents to proxy
information will fall into the data-stealing malware category.

[edit] Characteristics of data-stealing malware

Does not leave traces of the event

The malware is typically stored in a cache that is routinely flushed
The malware may be installed via a drive-by-download process
The website hosting the malware as well as the malware is generally temporary or rogue

Frequently changes and extends its functions

It is difficult for antivirus software to detect final payload attributes due to the
combination(s) of malware components
The malware uses multiple file encryption levels

Thwarts Intrusion Detection Systems (IDS) after successful installation

There are no perceivable network anomalies
The malware hides in web traffic
The malware is stealthier in terms of traffic and resource use

Thwarts disk encryption

Data is stolen during decryption and display
The malware can record keystrokes, passwords, and screenshots

Thwarts Data Loss Prevention (DLP)

Leakage protection hinges on metadata tagging, not everything is tagged
Miscreants can use encryption to port data

[edit] Examples of data-stealing malware

Bancos, an info stealer that waits for the user to access banking websites then spoofs pages
of the bank website to steal sensitive information.
Gator, spyware that covertly monitors web-surfing habits, uploads data to a server for
analysis then serves targeted pop-up ads.
LegMir, spyware that steals personal information such as account names and passwords
related to online games.
Qhost, a Trojan that modifies the Hosts file to point to a different DNS server when banking
sites are accessed then opens a spoofed login page to steal login credentials for those
financial institutions.

[edit] Data-stealing malware incidents

Albert Gonzalez (not to be confused with the U.S. Attorney General Alberto Gonzalez) is
accused of masterminding a ring to use malware to steal and sell more than 170 million
credit card numbers in 2006 and 2007—the largest computer fraud in history. Among the
firms targeted were BJ's Wholesale Club, TJX, DSW Shoes, OfficeMax, Barnes & Noble,
Boston Market, Sports Authority and Forever 21.[19]
A Trojan horse program stole more than 1.6 million records belonging to several hundred
thousand people from Monster Worldwide Inc’s job search service. The data was used by
cybercriminals to craft phishing emails targeted at Monster.com users to plant additional
malware on users’ PCs.[20]
Customers of Hannaford Bros. Co., a supermarket chain based in Maine, were victims of a
data security breach involving the potential compromise of 4.2 million debit and credit
cards. The company was hit by several class-action law suits.[21]
The Torpig Trojan has compromised and stolen login credentials from approximately
250,000 online bank accounts as well as a similar number of credit and debit cards. Other

information such as email, and FTP accounts from numerous websites, have also been
compromised and stolen.
The trends appear quite similar to the month prior: the most popular encyclopedia
entry is still Bancos, and we still have several Vundo pages in the list. We covered
Vundo last month, so I'll go into a little more detail about the Bancos trojan.
Bancos is a password stealing trojan that originally targeted Brazilian on-line banking
users. It's a relatively old and diverse family- we've been detecting it for several years
now and have seen thousands of unique samples. We first added it to MSRT in
September 2006. We've seen Bancos distributed via virtually all the usual propagation
vectors: spam emails, browser exploits, p2p, irc, disguised as other software, dropped
by other malware, just to name a few.
Bancos exhibits a wide variety of behaviors- however essentially all variants attempt
to steal banking or financial passwords using one (or several) common techniques.
Some examples of these techniques include redirecting users to fake pages,
monitoring keystrokes, interfering with browsers, searching for cached passwords,
etc.
After it has started, Bancos typically will search the system for cached passwords and
then remain memory resident waiting for a browser window with a title that it's been
instructed to look for. If a victim visits a page with a page title that the trojan is
looking for, it will typically either capture data or present the user with a false version
of the page enabling it to capture the victims credentials.
Once found, credentials are transmitted back to the distributor (often via email or ftp).
We've seen quite a few samples using mail servers belonging to large web-mail
providers being used to send the stolen credentials, often to yet another web-based e-
mail account.
The bottom line is: change your passwords regularly. Particularly after finding (and
removing) any malware running on your system. Even if the threat is removed, your
passwords may have already been leaked. :(
The trends appear quite similar to the month prior: the most popular encyclopedia
entry is still Bancos, and we still have several Vundo pages in the list. We covered
Vundo last month, so I'll go into a little more detail about the Bancos trojan.
Bancos is a password stealing trojan that originally targeted Brazilian on-line banking
users. It's a relatively old and diverse family- we've been detecting it for several years
now and have seen thousands of unique samples. We first added it to MSRT in
September 2006. We've seen Bancos distributed via virtually all the usual propagation
vectors: spam emails, browser exploits, p2p, irc, disguised as other software, dropped
by other malware, just to name a few.
Bancos exhibits a wide variety of behaviors- however essentially all variants attempt
to steal banking or financial passwords using one (or several) common techniques.
Some examples of these techniques include redirecting users to fake pages,
monitoring keystrokes, interfering with browsers, searching for cached passwords,
etc.
After it has started, Bancos typically will search the system for cached passwords and
then remain memory resident waiting for a browser window with a title that it's been
instructed to look for. If a victim visits a page with a page title that the trojan is
looking for, it will typically either capture data or present the user with a false version
of the page enabling it to capture the victims credentials.
Once found, credentials are transmitted back to the distributor (often via email or ftp).
We've seen quite a few samples using mail servers belonging to large web-mail

providers being used to send the stolen credentials, often to yet another web-based e-
mail account.
The bottom line is: change your passwords regularly. Particularly after finding (and
removing) any malware running on your system. Even if the threat is removed, your
passwords may have already been leaked. :(

Characterstics

Malware is multi-functional and modular: there are many kinds of malware that can be used together
or separately to achieve a malicious actor‟ s goal. New features and additional capabilities are easily
added to malware to alter and ―improve‖ its functionality and impact.12 Malware can insert itself into a
system, compromise the system, and then download additional malware from the Internet that
provides increased functionality. Malware can be used to control an entire host13 or network, it can
bypass security measures such as firewalls and anti-virus software, and it can use encryption to avoid
detection or conceal its means of operation.

Malware is available and user-friendly: malware is available online at a nominal cost thus making it
possible for almost anyone to acquire. There is even a robust underground market for its sale and
purchase. Furthermore, malware is user-friendly and provides attackers with a capability to launch
sophisticated attacks beyond their skill level.

Malware is part of a broader cyber attack system: malware is being used both as a primary form of
cyber attack and to support other forms of malicious activity and cybercrime such as spam and
phishing. Conversely, spam and phishing can be used to further distribute malware

How does malware work

Malware is able to compromise information systems due to a combination of factors that include
insecure operating system design and related software vulnerabilities. Malware works by running or
installing itself on an information system manually or automatically.17 Software may contain
vulnerabilities, or "holes" in its fabric caused by faulty coding. Software may also be improperly
configured, have functionality turned off, be used in a manner not compatible with suggested uses or
improperly configured with other software.

Many types of malware such as viruses or trojans require some level of user interaction to initiate the
infection process such as clicking on a web link in an e-mail, opening an executable file attached to an
e-mail or visiting a website where malware is hosted. Once security has been breached by the initial
infection, some forms of malware automatically install additional functionality such as spyware (e.g.
keylogger), backdoor, rootkit or any other type of malware, known as the payload.18

Social engineering,19 in the form of e-mail messages that are intriguing or appear to be from legitimate
organisations, is often used to convince users to click on a malicious link or download malware. For
example, users may think they have received a notice from their bank, or a virus warning from the
system administrator, when they have actually received a mass-mailing worm. Other examples
include e-mail messages claiming to be an e-card from an unspecified friend to persuade users to open
the attached ―card‖ and download the malware. Malware can also be downloaded from web pages
unintentionally by users. A recent study by Google that examined several billion URLs and included
an in-depth analysis of 4.5 million found that, of that sample, 700 000 seemed malicious and that 450
000 were capable of launching malicious downloads.20 Another report found that only about one in
five websites analysed were malicious by design. This has led to the conclusion that about 80% of all
web-based malware is being hosted on innocent but compromised websites unbeknownst to their
owners.21

Stealing information
Over the past five years, information theft, and in particular online identity (ID) theft,50 has been an
increasing concern to business, governments, and individuals. Although malware does not always
play a direct role,51 ID theft directly using malware has become increasingly common with the rise of
backdoor trojans and other stealthy programmes that hide on a computer system and capture
information covertly.
50 See DSTI/CP(2007)3/FINAL where Identity Theft is defined as the unlawful transfer, possession, or misuse of personal information with the intent to commit, or in
connection with, a fraud or other crime. 51 Identity
theft attacks most often use social engineering techniques to convince the
user to necessarily disclose information to what they assume is a trusted source. This technique, known as
Phishing, does not directly rely on the use of malware to work. It uses deceptive or ―spoofed‖ e-mails and
fraudulent websites impersonating brand names of banks, e-retailers and credit card companies to deceive
Internet users into revealing personal information. However, as many phishing attacks are launched from spam
emails sent from botnets, malware is indirectly involved as it is used to create botnets which are in turn used to
send the spam e–mail used in phishing attacks. Malware would be directly implicated when the spam e–mails
contained embedded malware or a link to a website where malware would be automatically downloaded. 52 This
is a technique known as ―fast flux‖. 53 A DNS table provides a record of domain names and matching IP
addresses. 54 See Annex B for a discussion on attacks using the DNS and attacks against the DNS. 55 AusCERT
(2006) p.19-20.
As illustrated in Figure 1, online ID theft attacks using malware can be complex and can use multiple
Internet servers to distribute spam and malware, compromise users‟ information systems, and then
log the stolen data to another website controlled by the attacker or send it to the attacker‟ s e–mail
account. Generally, the attacker operates under multiple domain names and multiple IP addresses for
each domain name and rapidly rotates them over the life of the attack (for example see botnet hosted
malware sites #1 and #2 in Figure 1).52 The use of multiple domain names and multiple hosts or bots
(and their associated IP addresses) is designed to increase the time available for capturing the
sensitive information and reduce the effectiveness of efforts by affected organisations (such as banks),
CSIRTs and ISPs to shut down fraudulent sites. Under the domain name system (DNS) attackers are
able to quickly and easily change their DNS tables53 to reassign a new IP addresses to fraudulent web
and logging sites operating under a particular domain.54 The effect is that as one IP address is closed
down, it is trivial for the site to remain active under another IP address in the attacker‟ s DNS table.
For example, in a recent case IP addresses operating under a single domain name changed on an
automated basis every 30 minutes and newer DNS services have made it possible to reduce this time
to five minutes or less. Attackers may use legitimate existing domains to host their attacks, or register
specially created fraudulent domains. The only viable mitigation response to the latter situation is

Figure 1. Online ID theft attack system involving malware56
Stealing information
Over the past five years, information theft, and in particular online identity (ID) theft,50 has been an
increasing concern to business, governments, and individuals. Although malware does not always
play a direct role,51 ID theft directly using malware has become increasingly common with the rise of
backdoor trojans and other stealthy programmes that hide on a computer system and capture
information covertly.
50 See DSTI/CP(2007)3/FINAL where Identity Theft is defined as the unlawful transfer, possession, or misuse of personal information with the intent to commit, or in
connection with, a fraud or other crime. 51 Identity
theft attacks most often use social engineering techniques to convince the
user to necessarily disclose information to what they assume is a trusted source. This technique, known as
Phishing, does not directly rely on the use of malware to work. It uses deceptive or ―spoofed‖ e-mails and
fraudulent websites impersonating brand names of banks, e-retailers and credit card companies to deceive
addresses. 54 See Annex B for a discussion on attacks using the DNS and attacks against the DNS. 55 AusCERT
(2006) p.19-20.
As illustrated in Figure 1, online ID theft attacks using malware can be complex and can use multiple
Internet servers to distribute spam and malware, compromise users‟ information systems, and then
log the stolen data to another website controlled by the attacker or send it to the attacker‟ s e–mail
account. Generally, the attacker operates under multiple domain names and multiple IP addresses for
each domain name and rapidly rotates them over the life of the attack (for example see botnet hosted
malware sites #1 and #2 in Figure 1).52 The use of multiple domain names and multiple hosts or bots
(and their associated IP addresses) is designed to increase the time available for capturing the
sensitive information and reduce the effectiveness of efforts by affected organisations (such as banks),
CSIRTs and ISPs to shut down fraudulent sites. Under the domain name system (DNS) attackers are
able to quickly and easily change their DNS tables53 to reassign a new IP addresses to fraudulent web
and logging sites operating under a particular domain.54 The effect is that as one IP address is closed
down, it is trivial for the site to remain active under another IP address in the attacker‟ s DNS table.
For example, in a recent case IP addresses operating under a single domain name changed on an
automated basis every 30 minutes and newer DNS services have made it possible to reduce this time
to five minutes or less. Attackers may use legitimate existing domains to host their attacks, or register
specially created fraudulent domains. The only viable mitigation response to the latter situation is to
seek deregistration of the domain.55 DSTI/ICCP/REG(2007)5/FINAL 19

Figure 1. Online ID theft attack system involving malware56
56 AusCERT (2006) at 7.
6
Captures information exchanged, including for Internet banking, e-tax, e-health, etc.
Spam email is sent to
See DSTI/CP(2007)3/FINAL where Identity Theft is defined as the unlawful transfer,
possession, or misuse of personal information with the intent to commit, or in connection
with, a fraud or other crime. 51 Identity theft attacks most often use social engineering techniques to
convince the user to necessarily disclose information to what they assume is a trusted source. This technique,
known as Phishing, does not directly rely on the use of malware to work. It uses deceptive or ―spoofed‖ e-mails
and fraudulent websites impersonating brand names of banks, e-retailers and credit card companies to deceive
addresses. 54 See Annex B for a discussion on attacks using the DNS and attacks against the DNS

Origin of malware attack

Malware is now spread around the world and rankings60 tend to show that a whole host of countries
across the developed and the developing world are home to online criminals using malware. Although
attacks originating from one country may have local targets, the predominant trend is attacks that
originate internationally relative to their targets. In addition, geography may play a role depending on
the end goal of the attacker. For example, broadband Internet speeds differ from country to country. If
an attacker wishes to maximise network damage, he/she may use compromised computers located in
countries where broadband is prevalent. If the goal is to degrade service or steal information over
time, the attacker may use compromised computers from a variety of geographical locations.
Geographical distribution allows for increased anonymity of attacks and impedes identification,
investigation and prosecution of attackers

95 See ―Malware: Why should we be concerned?‖ for a discussion of the impacts from malware
Basic economic rationale for malware
E-mail is not at an economic equilibrium between the sender and the recipient because it costs
virtually nothing to send. All the costs of dealing with spam and malware are passed on to the Internet
provider and the ―unwilling‖ recipients, who are charged for protective measures, bandwidth and
other connection costs, on top of the costs of repairing the computer or having lost money to scams.
At the same time, criminals minimise their costs to the extreme: they pay no tax, escape the cost of
running a genuine business, and pay commission only to others in criminal circles worldwide and at a
comparatively low price. The cost to malicious actors continues to decrease as freely available email
storage space increases. Further, the use of botnets makes it easier and even cheaper to send malware
through email. Today‟ s criminals often have access to cheap techniques for harvesting email
addresses as well as easy access to malware and outsourced spamming services. Anti detection
techniques are constantly evolving to make it cheaper to operate, and malicious actors can easily
switch ISPs if their activity is detected and their service terminated. Both the malware itself and the
compromised computers being used to further launch malware attacks are a low cost, readily available
and easily renewable resource. High speed Internet connections and increased bandwidth allow for the
mass creation of compromised information systems that comprise a self sustaining attack system as
illustrated by Figure 7. Furthermore, malicious actors can replace compromised information systems
that have been disconnected or cleaned, and they can expand the number of compromised information
systems as the demand for resources (namely malware and compromised information systems) for
committing cybercrime also grows. DSTI/ICCP/REG(2007)5/FINAL 34

Figure 7. Self sustaining attack system using malware
Note: this figure shows how malware is used to create a self sustaining resource of compromised computers that
serve as the backbone of malicious online activity and cybercrime. Information systems connected to the Internet
can become infected with malware. Those information systems are then used to scan and compromise other
information systems.

MALWARE: WHY SHOULD WE BE CONCERNED?
The growth of malware, and the increasingly inventive ways in which it is being used to steal personal
data, conduct espionage, harm government and business operations, or deny user access to
information and services, is a potentially serious threat to the Internet economy, to the ability to
further e-government for citizen services, to individual‟ s online social activities, and to national
security.
Malware-enabling factors
The capabilities of malware make it a prevalent ―cybercriminal tool‖. However, broader economic
and social factors may contribute to its increased occurrences and the robust state of the malware
economy. The following describes some of those factors which, while they bring important benefits to
society, also facilitate the existence and promulgation of malware.
Broadband Internet and its users
In 2005, the International Telecommunication Union estimated 216 708 600 ―fixed‖ broadband
Internet subscribers in the world.98 Furthermore, it is generally agreed that there are an average of 1
000 000 000 Internet users in the world today. As the number of subscribers and users increases, so
does the number of available targets for malware. The increased prevalence of high speed Internet and
the availability of broadband wireless connections make it easy for malicious actors to successfully
carry out attacks as they can compromise computers at faster rates, use the bandwidth to send massive
amounts of spam and conduct DDoS attacks. Furthermore, these ―always on‖ connections allow
malicious actors to be mobile and to attack from any location including public places such as Internet
cafes, libraries, coffee shops or even from a PDA or mobile phone device.99 Operating from public
places allows attackers to conduct their activities anonymously thus making it difficult to detect and
trace their activities.
98 International
Telecommunications Union (ITU) (2007) p. 23. 99 McAfee Inc. (2007) p. 02 and 10. 100 This
could be the case for any Internet connection, broadband or otherwise. 101 OECD (2005) E-7.
It is important to note that while broadband technologies are an enabling factor, it is the behaviours
associated with these technologies that are problematic. For example, people often fail to adopt
appropriate security measures when using broadband technologies and therefore leave their
connection open without the appropriate security software installed.100
Ever more services available on line
Most governments, consumers and businesses depend on the Internet to conduct their daily business.
In 2004, the OECD found that, in most OECD countries, over 90% of businesses with 250 or more
employees had access to the Internet. Firms with 50 to 249 employees also had very high rates of
access.101 Home users rely on the Internet for their day to day activities including shopping, banking
or simply exchanging information and conducting e-government and e-commerce transactions. As the
amount of these services continues to increase, so does the likely community of users accessing these
services on line. DSTI/ICCP/REG(2007)5/FINAL 37

This in turn increases the available targets for attack or exploitation which provides further incentive
for criminals to conduct malicious activity.
Operating system and software vulnerabilities
The more vulnerable the technology, the more likely it is to be exploitable through malware. For
example, the security firm Symantec102 reported a 12% increase in the number of known
vulnerabilities from the first half of 2006 (January – June 2006) to the second half (June – December
2006) which they largely attribute to the continued growth of vulnerabilities in web applications.
Microsoft also reported an increase of nearly 2 000 disclosed vulnerabilities from 2005 to 2006.103 The
increase in vulnerabilities corresponds to an increase in incidents. Microsoft reported an increase in
the number of machines disinfected by its Malicious Software Removal Tool from less than 4 million
at the beginning of 2005 to more than 10 million at the end of 2006.104 It is important to note that the
absence of known reported vulnerabilities in a software product does not necessarily make that
product more secure than one that has known reported vulnerabilities – it may simply be that similar
effort has not been expended to find them. In addition, tools that find and exploit vulnerabilities are
improving; companies are doing more reporting of vulnerabilities and more people or ―researchers‖
than ever are probing software to find vulnerabilities. Finally, the greater complexity of software -
more interconnecting functions that need to work with an ever growing universe of other software -
further increases the potential for vulnerabilities.
102 Symantec (2007) p. 38. 103 Microsoft (2006b) p. 8. 104 Microsoft (2006b) p. 20-21. 105 OECD (2007c) p. 33 –
34. 106 Brendler, Beau (2007) p. 4. 107 European Commission Eurobarometer (2007) p.89 .
Easy to target average Internet user
As the reliance of home users and small to medium sized enterprises (SMEs) on the Internet increases,
so do the malware threats they face. Consumers and business are increasingly exposed to a new range
of complex, targeted attacks that use malware to steal their personal and financial information.
Many Internet users are not adequately informed about how they can securely manage their
information systems. This lack of awareness and subsequent action or inaction contributes to the
increasing prevalence of malware. Most malware requires some form of user action or acceptance to
propagate. Recent surveys from various organisations show that while more users are taking measures
to protect their information systems, a large percentage of the population lacks basic protective
measures. For example, a 2005 report commissioned by the Australian Government, Trust and
Growth in the Online Environment, found that only one in seven computers in Australia use a firewall
and about one in three use up-to-date virus protection software.105 Furthermore, it is estimated that 59
million users in the US have spyware or other types of malware on their computers.106
The European Commission's Eurobarometer E-communications Household survey107 observed an
increase in consumer concerns about spam and viruses in 2006. For some EU Member States, up to
45% of DSTI/ICCP/REG(2007)5/FINAL 38

consumers had experienced significant problems. In 40% of the cases, the computer performance
decreased significantly, in 27% of the cases a breakdown was observed. In the same survey, 19% of
consumers had no protection system at all on their computers. Other data also suggests that home
users are the most targeted of all the sectors108 accounting for 93% of all targeted attacks109and thus
highlighting that weak user security is one important enabler of malware.

125 Denning, Dorothy (2000). 126 Poulsen, Kevin (2003). 127 United States Nuclear Regulatory Commission
(2003). 128 United States District Court Northern District Of Illinois Eastern Division (2007). 129 A recent OECD
Report: The Development of Policies to Protect the Critical Information Infrastructure highlights this point. See
DSTI/ICCP/REG(2007)20/FINAL. 130 U.S.-Canada Power System Outage Task Force Final Report p. 131. 131
Greene, Tim (2007). 132 OECD (2007c) pg. 7.
Challenges to fighting malware
Protecting against, detecting and responding to malware has become increasingly complex as malware
and the underlying criminal activity which it supports are rapidly evolving and taking advantage of
the global nature of the Internet. Many organisations and individuals do not have the resources, skills
or expertise to prevent and/or respond effectively to malware attacks and the associated secondary
crimes which flow from those attacks such as identity theft, fraud and DDoS. In addition, the scope of
one organisation‟ s control to combat the problem of malware is limited.
Many security companies report an inability to keep up with the overwhelming amounts of malware
despite committing significant resources to analysis. One vendor dedicates 50 engineers to analysing
new malware samples and finding ways to block them, but notes that this is almost an impossible task,
with about 200 new samples per day and growing.131 Another company reported it receives an average
of 15 000 files – and as many as 70 000 – per day from their product users as well as CSIRTs and
others in the security community.132 When samples and files are received, security companies
undertake a process to DSTI/ICCP/REG(2007)5/FINAL 44

determine if the file is indeed malicious. This is done by gathering data from other vendors,
conducting automated analysis, or by conducting manual analysis when other methods fail to
determine the malicious nature of the code. One vendor estimated that each iteration of this cycle
takes about 40 minutes and that they release an average of 10 updates per day.133 Furthermore, there
are many security vendors who all have different insights into the malware problem.
133 OECD (2007c) pg. 7. 134 Information provided to the OECD by CERT.br, the national CSIRT for Brazil.
135 One website provides a survey of cybercrime legislation that documented 77 countries with some existing cybercrime law. See
http://www.cybercrimelaw.net/index.html. 136 United States Department of Justice Computer Crime &
Intellectual Property Section. 137 Green, Tim(2007a).
Most security technologies such as anti-virus or anti-spyware products are signature–based meaning
they can only detect those pieces of malware for which an identifier, known as a ―signature‖ already
exists and have been deployed. There is always a time lag between when new malware is released by
attackers into the ―wild‖, when it is discovered, when anti-virus vendors develop their signatures, and
when those signatures are dated onto users and organisations‟ information systems. Attackers
actively seek to exploit this period of heightened vulnerability. It is widely accepted that signature
based solutions such as anti-virus programs are largely insufficient to combat today‟ s complex and
prevalent malware. For example, one analysis134 that explores antivirus detection rates for 17 different
anti-virus vendors reveals that, on average, only about 48.16% of malware was detected.
Circumstantial evidence such as this indicates that attackers are actively testing new malware
creations against popular anti-virus programs to ensure they stay undetected.
In addition, malicious actors exploit the distributed and global nature of the Internet as well as the
complications of law and jurisdiction bound by traditional physical boundaries to diminish the risks of
being identified and prosecuted. For example, a large portion of data trapped by attackers using
keyloggers is transmitted internationally to countries where laws against cybercrime are nascent, non-
existent or not easily enforceable. Although countries across the globe have recognised the
seriousness of cybercrime and many have taken legislative action to help reprimand criminals, not all
have legal frameworks that support the prosecution of cyber criminals.135 The problem however is
even more complicated as information may be compromised in one country by a criminal acting from
another country through servers located in a third country, all together further complicating the
problem.
Law enforcement agencies throughout the world have made efforts to prosecute cyber criminals. For
example, the Computer Crime and Intellectual Property Section of the US Department of Justice has
reported the prosecution of 118 computer crime cases from 1998 – 2006.136 Although global statistics
on arrests are hard to determine, one company estimated worldwide arrests at 100 in 2004, several
hundred in 2005 and then 100 again in 2006.137 While these cases did not necessarily involve
malware, they help illustrate the activities of the law enforcement community. It is important to note
that the individuals prosecuted are usually responsible for multiple attacks. These figures are low
considering the prevalence of online incidents and crime. They highlight the complex challenges
faced by law enforcement in investigating cybercrime.
Furthermore, the volatile nature of electronic evidence and the frequent lack of logged information
can often mean that evidence is destroyed by the time law enforcement officers can get the necessary
warrants to recover equipment. The bureaucracy of law enforcement provides good checks and
balances, DSTI/ICCP/REG(2007)5/FINAL 45

but is often too slow to cope with the speed of electronic crime. Additionally, incident responders
often do not understand the needs of law enforcement and accidently destroy electronic evidence.
Today, the benefits of malware seem to be greater for attackers than the risks of undertaking the
criminal activity. Cyberspace offers criminals a large number of potential targets and ways to derive
income from online victims. It also provides an abundant supply of computing resources that can be
harnessed to facilitate this criminal activity. Both the malware and compromised information systems
being used to launch the attacks have a low cost, are readily available and frequently updated. High
speed Internet connections and increased bandwidth allow for the mass compromise of information
systems that renew and expand the self sustaining attack system. By contrast, communities engaged in
fighting malware face numerous challenges that they cannot always address effectively.
DSTI/ICCP/REG(2007)5/FINAL 46

MALWARE: WHAT TO DO?
Many would agree that the damage caused by malware is significant and needs to be reduced although
its economic and social impacts may be hard to quantify. That said, several factors should be
considered in assessing what action to take, and by whom, against malware. These include: the roles
and responsibilities of the various participants,138 the incentives under which they operate as market
players as well as the activities already undertaken by those communities more specifically involved
in fighting malware.
138 According to the 2002 OECD Guidelines for the Security of Information Systems and Networks: Towards a
Culture of Security, ―participants‖ refers to governments, businesses, other organisations and individual users
who develop, own, provide, manage, service and use information systems and networks.
Roles of individual, business and government participants - Highlights
Malware affects individuals, business and government in different ways. All those participants can
play a role in preventing, detecting, and responding to malware with varying levels of competence,
resource, roles and responsibilities, as called for in the OECD Guidelines for the Security of
Information Systems and Networks: Towards a Culture of Security (the ―OECD Security
Guidelines‖). Better understanding the roles and responsibilities of the various participants in relation
to malware is important to assessing how to enhance the fight against malware. Among the various
participants, those concerned by malware are:

 Users (home users, sm and medium–sized enterprises (SMEs), public and private sector
all
organisations) whose data and information systems are potential targets and who have different levels
of competence to protect them.

 Software vendors,who have a role in developing trustworthy, reliable, safe and secure software.

 Anti virus vendors, who have a role in providing security solutions to users (such as updating anti-
-
virus software with the latest information on malware).

 Internet Service Providers (ISPs), who have a role in managing the networks to which the
aforementioned groups connect for access to the Internet;.

 Domain name registrars and regulators, who determine if a domain is allowed to be registered and
potentially have the power to deregister a domain that is used to commit fraud or other criminal
activity, including, for example, the distribution of malware.

 CSIRTs, frequently the national or leading ones (often government), which have a role, for
example, in detecting, responding to and recovering from security incidents and issuing security
bulletins about the latest computer network threats or vulnerabilities associated with malware
DSTI/ICCP/REG(2007)5/FINAL 47

attacks; or in co–ordinating nationally and internationally the resolution of computer network attacks
affecting its constituency or emanating from its constituency.

 Law enforcement entities, which have a mandate to investigate and prosecute cybercrime.

 Government agencies, which have a role to manage risks to the security of government information
systems and the critical information infrastructure.

 Governments and inter -governmental organisations, which have a role in developing national and
international policies and legal instruments to enhance prevention, detection and response to malware
proliferation and its related crimes.

The dynamic nature of malware keeps most security experts constantly on the lookout for new types
of malware and new vectors for attack. Due to the complex technical nature of malware, it is helpful
to examine overall attack trends to better understand how attacks using malware are evolving. As
mentioned previously, the use of malware is becoming more sophisticated and targeted. Attackers are
using increasingly deceptive social engineering techniques to entice users to seemingly legitimate web
pages that are actually infected and/or compromised with malware. Figure 2 illustrates the types of
attack that seem to be on the increase, those that are falling out of favour, and those for which the
trend remains unclear or not changed.
DSTI/ICCP/REG(2007)5/FINAL 89 ANNEX D - EXAMPLES OF MALWARE PROPAGATION
VECTORS

E–mail: Malware can be ―mass mailed‖ by sending out a large number of e–mail messages, with
malware attached or embedded. There are numerous examples of successful malware propagated
through mass-mailers largely due to the ability of malicious actors to use social engineering to spread
malware rapidly across the globe. Web: Attackers are increasingly using websites to distribute
malware to potential victims. This relies on spam e–mail to direct users to a website where the
attacker has installed malware capable of compromising a computer by simply allowing a browser
connection to the website. If the website is a legitimate and popular site, users will go there of their
own accord allowing their computers to potentially become infected/compromised without the need
for spam e–mail to direct them there. There are two methods of infection via the web: compromise
existing web site to host malware; or set up a dedicated site to host malware on a domain specially
registered for that purpose. Instant messengers: Malware can propagate via instant messaging services
on the Internet by sending copies of itself through the file transfer feature common to most instant
messenger programmes. Instant messages could also contain web links that direct the user to another
site hosting downloadable malware. Once a user clicks on a link displayed in an instant messenger
dialog box, a copy of the malware is automatically downloaded and executed on the affected system.
Removable media: If malware is installed on removable media, such as a USB stick or CD-ROM, it
can infect and/or propagate by automatically executing as soon as it is connected to another computer.
Network-shared file systems: A network share is a remotely accessible digital file storage facility on a
computer network. A network share can become a security liability for all network users when access
to the shared files is gained by malicious actors or malware, and the network file sharing facility
included within the operating system of a user‟ s computer has been otherwise compromised. P2P
programmes: Some malware propagates itself by copying itself into folders it assumes to be shared
(such as those with share in its folder name), or for which it activates sharing, and uses an
inconspicuous or invisible file name (usually posing as a legitimate software, or as an archived
image). Internet Relay Chat (IRC): IRC is a form of Internet chat specifically designed for group
communications in many topical ―channels,‖ all of which are continuously and anonymously
available from any location on the Internet. Many ―bot masters‖ (as the malefactors who operate
networks of malware-infected/compromised machines are often called; see the chapter ―The Malware
Internet: Botnets‖) use IRC as the central command and control (C&C) communications channel for
co–ordinating and directing the actions of the bot infected/compromised information systems in their
―botnet.‖ Bluetooth: Bluetooth is a wireless networking protocol that allows devices like mobile
phones, printers, digital cameras, video game consoles, laptops and PCs to connect at very short
distances, using unlicensed radio spectrum. Because the security mechanisms implemented in
Bluetooth devices tend to be trivially bypassed, such devices are vulnerable to malware through attack
techniques which have been called ―bluejacking‖ or ―bluesnarfing.‖ A bluetooth device is most
vulnerable to this type of attack when a user‟ s connection is set to "discoverable" which allows it to
be found by other nearby bluetooth devices.

56 AusCERT (2006) at 7.
6
Captures information exchanged, including for Internet banking, e-tax, e-health, etc.
Spam email is sent to
Malware attack trends

The dynamic nature of malware keeps most security experts constantly on the lookout for new types
of malware and new vectors for attack. Due to the complex technical nature of malware, it is helpful
to examine overall attack trends to better understand how attacks using malware are evolving. As
mentioned previously, the use of malware is becoming more sophisticated and targeted. Attackers are
using increasingly deceptive social engineering techniques to entice users to seemingly legitimate web
pages that are actually infected and/or compromised with malware. Figure 2 illustrates the types of
attack that seem to be on the increase, those that are falling out of favour, and those for which the
trend remains unclear or not changed.

What is Spam?

Spam in a general sense is any email you don't want to receive. There are many types of
email that you may not want e.g. advertisements, newsletters, or questionnaires, however
these emails are not what the computer community refers to as spam. What the computer
community is most concerned with is illegal email spam.
My definition of illegal email spam is -- attempts to deceive by falsification of seller identity
or email address, and use of other trickery (defrauding), in the hope of gaining monetary
advantage (stealing) from the email recipient and other parties.

The Federal Trade Commission's definition of spam, "Not all UCE is fraudulent, but fraud
operators - often among the first to exploit any technological innovation - have seized on the
Internet's capacity to reach literally millions of consumers quickly and at a low cost through
UCE. In fact, UCE has become the fraud artist's calling card on the Internet. Much of the
spam in the Commission's database contains false information about the sender, misleading
subject lines, and extravagant earnings or performance claims about goods and services.
These types of claims are the stock in trade of fraudulent schemes." From Prepared Statement
Of The Federal Trade Commission On "Unsolicited Commercial email", November 3, 1999.

How does a spammer get your email address?

There are many ways a spammer can obtain your email address.

a. You can disclose it yourself by posting your email address on auctions, bulletin boards,
advertising, or email locators.

b. Businesses might sell your email address or other personal information to a spammer
(however, legitimate businesses do not do this.)

c. Spammers can use software programs to collect email addresses from web sites or they can
use random number generators to send spam out randomly.

What is a hacker?

A hacker is an individual that attempts to take control over someone else's computer by using
viruses, worms, and other types of Internet attacks. One of their favorite "tricks", is to use
hacked computers to bring down a large web site by overloading the targeted site with
millions of transmissions in a "denial of service" (DOS) attack.
While hackers were glorified in the early days of the Internet as people standing up for their
rights against big corporations and the Government, hacking is now the hobby of criminals
and thieves. Hackers prey on all citizens of the Internet and they are extremely dangerous to
individuals, corporations, and governments.

How does a hacker find your computer?

Most hack attempts against personal computers result from viruses and worms running from
an infected PC. It is not very difficult for the creator of the hacking program to predetermine
the Internet addresses that his program will attack.
There are also amateur hackers, that use software programs, to randomly check for online
computers to attack.

What makes Spamming or Hacking Illegal?

The U.S. Congress outlawed certain types of spam with the CAN-SPAM Act of 2003. The
law, which became effective January 1, 2004, covers email whose primary purpose is
advertising or promoting a commercial product or service, including content on a Web site.
However a "transactional or relationship message" – email that facilitates an agreed-upon
transaction or updates a customer in an existing business relationship – may not contain false
or misleading routing information, but otherwise is exempt from most provisions of the
CAN-SPAM Act.

The Federal Trade Commission (FTC), the nation's consumer protection agency, is
authorized to enforce the CAN-SPAM Act. CAN-SPAM also gives the Department of Justice
(DOJ) the authority to enforce its criminal sanctions. Other federal and state agencies can
enforce the law against organizations under their jurisdiction, and companies that provide
Internet access may sue violators, as well.

All 50 states have also passed anti-spam laws that have various penalties for illegal spammers
and hackers. If you don't live in a state with a strong anti-spam law, you are still protected
from fraudulent schemes, illegal pornography, and other illegal acts by various state and
federal laws.
In addition, if a spammer or hacker causes harm to a Government computer they are subject

M

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (6)

Ähnlich wie M

Ähnlich wie M (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

M