Saturday, October 4, 2008

How Malware Spreads on Windows

By Raine on Thursday, 02 October 2008

Once they've infected a system, viruses and the like can be very difficult to remove. For that reason, your best defence against them is to prevent them from infecting your computer in the first place.

The most useful tool you can use to keep malware off your computer is your cerebral cortex. Just as malware is written to exploit vulnerabilities in computer systems, the distribution of malware exploits the stupidity of users.

Malware is typically spread in the following ways:

Email attachments

One of the most common ways viruses make their way into computers is through spam. Attachments are embedded in these junk email messages and sent by the millions to every email address in existence, for unsuspecting recipients to click, open, and execute. But how can people be that dumb, you may ask?

Well, consider the filename of a typical Trojan horse:
kittens playing with yarn.jpg .scr

Since Windows has its filename extensions hidden by default, this is how the file looks to most Vista users:
kittens playing with yarn.jpg

In other words, most people wouldn't recognize that this is an .scr (screensaver) file and not a photo of kittens. (The long space in the filename ensures that it won't be easy to spot, even if extensions are visible.)

And since many spam filters and antivirus programs block .exe files, but not .scr files - which just happen to be renamed .exe files - this innocuous-looking file is more than likely to spawn a nasty virus on someone's computer with nothing more than an innocent double-click.
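As an added example (not code from the article), here is a small Python checker that does what the text asks the reader's eyes to do: it reconstructs what Explorer would display with extensions hidden, and flags a final executable extension, a decoy content extension in front of it, or the whitespace padding that pushes the real extension out of view. The extension lists and the sample names are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Extensions Windows runs directly (assumption: representative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "msi"}
# Extensions a recipient reads as harmless content; the decoy in "photo.jpg .scr".
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "pdf", "doc", "xls"}

# stem, then optional whitespace padding, then the final (real) extension
_NAME_RE = re.compile(r"^(?P<stem>.*?)(?P<pad>\s*)\.(?P<ext>[A-Za-z0-9]{1,5})$")


@dataclass
class Verdict:
    filename: str
    shown_as: str           # what Explorer shows with extensions hidden (padding is invisible)
    real_ext: str
    executable: bool        # the real extension is one Windows will run
    double_extension: bool  # a decoy content extension sits before the real one
    padded: bool            # whitespace pushes the real extension out of view

    @property
    def suspicious(self) -> bool:
        return self.executable or self.double_extension or self.padded


def analyze_attachment(filename: str) -> Verdict:
    m = _NAME_RE.match(filename)
    if not m:  # no extension at all: nothing is hidden
        return Verdict(filename, filename, "", False, False, False)
    stem, pad, ext = m.group("stem"), m.group("pad"), m.group("ext").lower()
    decoy = stem.rsplit(".", 1)[1].lower() if "." in stem else ""
    return Verdict(filename, stem, "." + ext, ext in EXECUTABLE_EXTS,
                   decoy in DECOY_EXTS, len(pad) > 0)


def triage(filenames):
    """Return the names a mail gateway or a cautious user should treat as suspect."""
    return [f for f in filenames if analyze_attachment(f).suspicious]


# Constructed sample attachment names (not from the article).
SAMPLE = ["kittens playing with yarn.jpg                  .scr", "invoice.pdf.exe",
          "holiday.JPG", "notes.txt", "setup.exe", "README"]

if __name__ == "__main__":
    for name in SAMPLE:
        v = analyze_attachment(name)
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} {name!r} -> shown as "
              f"{v.shown_as!r}, really {v.real_ext or '(none)'}")
```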

So, how do you protect yourself from these? First, don't open email attachments you weren't expecting, and manually scan everything else with an up-to-date virus scanner. Next, employ a good, passive spam filter, and ask your ISP to filter out viruses on the server side.

Where do these email attachments come from, you may ask? As part of their objective to duplicate and distribute themselves, many viruses hijack your email program and use it to send infected files to everyone in your address book. In nearly all cases, these viruses are designed to work with the email software most people have on their systems, namely Microsoft Outlook and Windows Mail (formerly Outlook Express).

If you want to significantly reduce your computer's susceptibility to this type of attack, you'd be wise to use any other email software, such as Mozilla Thunderbird (http://www.mozilla.com), or stick with web-based email like Gmail (http://www.gmail.com) or Windows Live Mail (http://mail.live.com).

Infected files

Viruses don't just invade your computer and wreak havoc, they replicate themselves and bury copies of themselves in other files. This means that once your computer has been infected, the virus is likely sitting dormant in any of the applications and even personal documents stored on your hard disk. This not only means that you may be spreading the virus each time you email documents to others, but that others may be unwittingly sharing viruses with you.

One of the most common types of viruses involves macros, small scripts (programming code) embedded in documents. By some estimates, roughly three out of every four viruses are actually macros written for Microsoft Word or Excel. These macros are executed automatically when the documents that contain them are opened, at which point they attach themselves to the global template so that they can infect every document you subsequently open and save. Both Word and Excel have security features that restrict macro execution, but these measures are clumsy and most people disable them so they can work on the rest of their documents. In other words, don't rely on the virus protection built into Microsoft Office to eliminate the threat of these types of viruses.

Peer-to-peer (P2P) file sharing

Napster started the P2P file-sharing craze years ago, but modern file sharing goes far beyond the trading of harmless music files. It’s estimated that some 40% of the files available on these P2P networks contain viruses, Trojan horses, and other unwelcome guests, but even these aren't necessarily the biggest cause of concern.

To facilitate the exchange of files, these P2P programs open network ports and create gaping holes in your computer's firewall, any of which can be exploited by a variety of worms and intruders. And since people typically leave these programs running all the time (whether they intend to or not), these security holes are constantly open for business.

But wait...there's more! If the constant threat of viruses and Trojan horses isn't enough, many P2P programs themselves come with a broad assortment of spyware and adware, intentionally installed on your system along with the applications themselves. Kazaa, one of the most popular file-sharing clients, is also the biggest perpetrator of this, and the likely culprit if your system has become infected with spyware. (Note that other products like Morpheus, BearShare, iMesh, and Limewire do this, too, just in case you were thinking there was a completely "safe" alternative.)

Web sites

It may sound like the rantings of a conspiracy theorist, but even the act of visiting some web sites can infect your PC with spyware and adware. It's not that this happens invisibly; rather, many people just don't recognize the red flags even when they're staring them in the face. Specifically, these are the "add-ins" employed by some web sites that provide custom cursors, interactive menus, or other eye candy.

While loading a web page, you may see a message asking if it's OK to install some ActiveX gadget "necessary" to view the page (e.g., Comet Cursor); here, the answer is simple: no.

Just as many viruses are written to exploit Microsoft Outlook, most spyware and adware targets Microsoft Internet Explorer. By switching to a browser like Firefox, you can eliminate the threat posed by many of these nasty programs.

Network and Internet connections

Finally, your network connection (both to your LAN and to the Internet) can serve as a conduit for a worm, the special kind of virus that doesn't need your help to infect your system. Obviously, the most effective way to protect your system is to unplug it from the network, but a slightly more realistic solution is to use a firewall. Vista comes with a built-in firewall, although a router provides much better protection.
