Malware and Safe Computing
I’ve been doing freelance computer consulting for the past few months (not money to eat, but money to eat out), and that’s taken a fair bit of time. Here’s something I sent to one of these clients discussing viruses and other malware, and what we do about them:
How do most bugs get into the system? E-mails? If so, it might be a good idea to not allow anyone to open personal E-mails.
The term of art for this type of stuff is “malware”. Typically, you’ll see three types of malware: worms, viruses/trojans and spyware.
Worms infect computers without user intervention: computers that are already infected scan the Internet for vulnerable systems, and infect those, adding to the number of machines that are infected and scanning the Net. These are relatively easy to keep out in your situation, since all we need is one of those $50 firewall/router appliances, and machines in the outside world can’t get at the machines on the inside world, i.e., your office.
Most viruses (in common parlance; they’re more technically trojans) right now propagate by email. Infected computers churn out a lot of email, each carrying the virus. The email is typically targeted to real email addresses, e.g., the names on someone’s contact list in Microsoft Outlook. These emails probably look like they came from someone real, and will ask you to open up a file for review. Opening (and running) this file is typically how the virus program is executed so that the computer becomes infected. We can address this issue by using relatively secure mail programs, running antivirus scanners on the mail program, so the virus emails are flagged and deleted, and by training the user not to open up suspicious looking email (we need to do this because viruses sometimes propagate faster than the antivirus programs update their profile. This window is typically on the order of a few hours, but a fast-moving email virus might be able to slip through. This is rare, though.) The thing to note is that the user generally needs to perform some action to trigger the virus.
Spyware is a sort of nebulous category. They typically don’t propagate themselves, but are meant to direct your browser to specific websites, mainly to drive up referral traffic or advertisement payouts. Generally, the user would have to visit a website, and most likely would have to click on a message in a popup window to activate the spyware, which would then install on the computer and put up annoying popups, change the browser’s home page, and so on. We address this issue by using a safer web browser (Firefox instead of Internet Explorer), using software that blocks pop-ups (so that there’s less of a chance of accidentally triggering the spyware execution; Firefox has a built-in pop-up blocker), running antispyware scanners on the computer, and applying safe web browsing practices on the part of the user, i.e., don’t go to, say, porn sites, stay on mainstream websites like CNN, Google, etc. Also, depending on the firewall, you may be able to configure Internet access so that the office can only get to, say, the corporate web site, CNN, and so on, and can’t get to other places.
These are broad categories. The devil is in the details, of course, and there are occassionally viruses, for example, that may arrive by email and can be triggered merely by reading that email, without clicking on an executable. This usually requires a flaw in Windows or the mail program to happen. Updates for Windows and the various applications are released regularly, and it’s important to keep the machines up-to-date. This is fairly easy to do with WinXP, because, by default, it’s set to download updates from Microsoft’s website whenever a new security fix comes out. (I think AOL recently had an advertising campaign that tried to focus on the dangers of highspeed Internet access compared to slow dial-up access. The campaign exaggerated the dangers of highspeed access (almost all of which are mitigated by simply having a firewall/router in place) without highlighting the main danger of having a slow dial-up connection: when your download speed is so slow, you tend not to bother downloading Windows update files from Microsoft (some of the updates will take more than all night to download), so a lot of dial-up users are running vulnerable machines. Making sure your machine is up-to-date on security fixes is one of the most important ways to keep your computer safe.)
The reason Macs aren’t as vulnerable to these threats is that most of these threats are written so that they only run on Windows computers, as they rely on Windows programming structures. Modern Macs are also internally unix machines, and will tend to have very good internal protection: it’s possible for a virus to infect a Mac user, but that virus won’t be able to take over the computer and propagate itself, which greatly limits the ability of viruses to spread. I don’t believe there’s been a wide-spread Mac virus since OS X came out, and the only ones that people have seen tend more to be laboratory experiments that can’t propagate in the real world.
In a following email:
I think perhaps I’ve overemphasized technical fixes to malware in my previous email. Yes, technical fixes, like antivirus scanners, are necessary, but should not be considered sufficient. “Good computing practices” are probably more important after you put that necessary level of technical fixes in place.
“Good computing practices” boils down to using common sense and to not be overly trusting what comes in from the Internet. The most successful email viruses, for example, are what we’d call “social engineering” viruses. They can’t activate themselves, and so they try to trick the user into doing something that activates the virus. Some of the big viruses have been “I Love You”, which purports to be a note from a secret admirer, and “Nude Anna Kournikova Pics Here!”, which is self-explanatory. What they all have in common is some social hook that gets the user to open the attachment and run the virus; they would be harmless otherwise.
The following snippet of email arguably would be a self-propagating virus:
Hi, here’s a neat trick for your computer. Do the following:
1. Forward this email to all your friends
2. Open up a command prompt and type the following:
a) If you’re using Windows, type “del *.*”
b) If you’re using a Mac, type “rm -rf *”Enjoy!
That email snippet would be a spectacularly unsuccessful virus, though in some sense not too different from the recent “Kama Sutra” virus scare a few weeks ago. (However, my email snippet would probably get through any antivirus scanner on the planet, and would work on Macs.) It’s unsuccessful because the email recipient knows enough not to follow the instructions. “Good computing practices” are just a more refined version of this common sense: if you get unsolicited email that tells you to open this attachment or run this application, don’t.
Note that it won’t matter if you’re banning personal mail or not: say, another client of your software vendor gets infected with one of these viruses, which picks the vendor’s email address to use as the “From:” and picks your email to use as the “To:”, then you’ll get a virus-laden email that looks like business email telling you to do open the attachment and run the program. “Good computing practices” would say that what you should do is following up with the vendor, and not simply run the program. If it’s a legitimate fix for some problem with their program, presumably you’ve been talking to the vendor about the problem already. But this email simply appeared out of the blue, so it probably isn’t legitimate. As said, the technical stuff is necessary and helps a great deal, but at the end of the day you’ll have to apply a mix of common sense and suspicion to what you’re receiving from the Internet. If you do that, you’ll be pretty secure, and anyone who advocates only technical fixes is either fooling themselves or is trying to sell you something.