Malware: Viruses, Worms, Trojan Horses, & Spyware
What They Are & How to Deal with Them
Jay Stamps, jstamps@stanford.edu, 723-0018
ITSS Help Desk Level 1 Training, November 18, 2004

Course Objectives
- Understand what malware is, where it comes from, and what it does
- Diagnose compromised or infected computers based on reported symptoms
- Basic troubleshooting techniques for possibly compromised computers
- Research & diagnostic tools
- Prevention: Worth a pound of cure!

It’s Been a Rough Few Years for Windows PCs…

Sorry…
- But that was the last picture you’re going to see in this presentation!
- The good news is that your instructor loves questions, and you’re cordially invited to interrupt him at any time, or save your questions for later
- It’s a cliché, but there are no “dumb questions”: The point is to learn
- And if I don’t have a good answer, I’ll suggest that you make finding one part of your homework assignment!

What’s “Malware”?
- Shortened form of “malicious software”
- But it’s not always really malicious
- So “malware” is a general term for:
  - Computer and macro viruses of any kind
  - Internet and mass-mailing worms
  - Trojan horses, backdoors and rootkits
  - Other computer exploits, bots, zombies
  - Spyware, adware, and other software installed on a computer without the user’s knowledge or informed consent
- And then there are the “hoax viruses”…

Why Use the Word “Virus”?
- The analogy with biological viruses
  - Computer viruses exist to self-replicate
  - They can often adapt (mutate) to survive
  - They might or might not harm the host
  - They “infect” by inserting themselves into a “healthy” system (be it a computer program or living organism)
- The term “virus” is heavily overused
  - That’s why we’re talking about “malware”
  - But when someone’s PC is misbehaving… They call 5-HELP and say, “I’ve got a virus!”

Are Only PCs Affected?
- The answer is “No”
- Are Macintoshes immune?
  - The answer is “yes and no” - sort of…
  - The first virus in 1982 infected Apple IIs
  - A great deal of malware - some of it not so malicious - existed for Mac OS “Classic”
  - Are there any Mac OS X malware programs? Well, not in the wild, not yet…
- What about Unix and Linux OSes?
  - Lots of malware is in circulation for these platforms - lots!

Why Does Malware Exist?
- When “viruses” first became common… And “normal people” began to use personal computers…
  - If a “virus” struck, they were confused, alarmed, felt violated…
  - They’d ask, “Where do these things come from?” and “How did I get infected?”
  - Often they’d feel embarrassed, like they’d picked up an STD in a reckless moment…
  - When told, “People deliberately create viruses,” they’d properly ask, “Why?”
- What do you think? Why does malware exist? (Possible homework assignment!)

Brief History of Malware
- “Viruses” appeared in early 1980s
  - Very soon after first personal computers
  - They spread by floppy disks, later via “bootleg” & other software on “BBSes”
  - They often weren’t meant to be destructive
- Internet “worms” arrived in late 1980s
  - “There may be a virus loose on the internet.” - Andy Sudduth of Harvard University, 34 minutes past midnight, November 3, 1988

Brief History Continued
- First mass-mailing worm came in 1999
  - Usually called the “Melissa virus”
  - It was also a “macro virus”
  - Infected file had to be opened in MS Word
- Spyware hits the scene around 2000
  - “Adware” claims to be legitimate, legal
  - “Browser hijacking” is a common symptom
- Other exploits, trojans, backdoors…
  - Have been around for a long time
  - Hackers target entities for malicious attack, or may want “free” computing resources

We’ll Stick to MS Windows
- The majority of computer users at Stanford have Microsoft Windows PCs
- The majority of malware “in the wild” today attacks only Windows PCs
  - Malware is very platform-dependent
- Microsoft has only recently made computer security a priority
  - In the past… MS tended to “enable everything by default”
  - Network-connected “services” running on a computer are an open invitation to hackers

Why So Much Malware?
- Is malware becoming more common?
  - Yes!!! It is!!! (and harder to fight off)
- Why might that be?
  - The Internet!
  - Plus all the high-powered PCs in homes & offices connected to it
- Why does that make a difference?
  - As with biological viruses, lots of people (or computers) are rubbing up against each other in a common space; and computers (like people) don’t always cover their mouths when they sneeze…

“Help! I’ve Got a Virus!”
- A lot of people self-diagnose (wrongly)
  - “Doc, I think I’ve got the flu.”
  - “How much did you drink last night?”
  - “Uh, three six packs. I think. I don’t really remember…”
- Only a few years ago…
  - Most folks who thought their PC had a viral infection were wrong!
  - When PCs behaved strangely, usually there was a problem with the OS or an application that was not at all virus-related
- Today that’s still true, but…

Today That’s True, But…
- Malware is more common, while OSes and applications are both more feature-laden and (often) more robust
  - More features mean more potential vulnerabilities for hackers to exploit
  - Greater robustness means strange behavior is somewhat likelier to be caused by malware
- Plus more people use protective software
  - Few people these days are unaware of the necessity of running antivirus software
  - Some people even use it correctly!

You Answer a Call to 5-HELP
- And the caller begins to explain…
- “I think my PC has a virus”
  - Maybe it does, and maybe it doesn’t
  - We’ll look at diagnostic approaches presently
- “I got an email from the Security Office…”
  - Get the details, but… A referral to the Level 2 Help Desk, or local or contract support, is probably the right move
  - If Networking or the Security Office has noticed a problem, the computer is almost certainly hacked
- If the caller has self-diagnosed, or if you suspect malware is involved, you ask…

The Usual Questions 1
- If a caller’s PC might have an infection, or otherwise be compromised:
  - Ask what version of Windows they’re using
  - Ask them if they’re keeping it patched
  - Ask them if they’re using antivirus software, and if it’s up-to-date
  - For Windows 2000 & XP, ask them if they have good passwords for all user accounts
  - Ask them if they use a firewall
- The caller may not know the answers to some of these questions, of course…

The Usual Questions 2
- So you may need to guide the caller to learn the answers to these questions
  - To check if Windows is properly updated, have the caller visit: http://windowsupdate.microsoft.com
  - Launch Symantec AntiVirus to check the date of the virus definitions file
  - To check password strength, use the Stanford Security Self-Help tool
  - Windows XP has a built-in firewall, as do many broadband routers

The Answers
- If a user can’t access the network, that problem is likely not caused by malware
- If a user can’t run, install or update SAV or other security software, that’s a clue that the PC has been infected by a worm
- If Windows isn’t patched, and/or AV software is out of date, and/or user accounts have weak passwords, the PC is definitely vulnerable to compromise
- If the web browser (especially IE) goes to unexpected sites, suspect spyware

More Symptoms
- We’ve just looked at a couple of common symptoms of malware
- Here are some other possible signs:
  - Sluggishness
  - One or more unexpected restarts
  - Frequent system crashes
  - Constant hard disk activity
  - Generalized “strange behavior”
- Hackers try to hide their presence: If they’re good, they will succeed
- Worms and some viruses do likewise

Steps to Recovery
- Most symptoms of malware also have other, more mundane causes
- If there’s any reason to suspect the presence of malware on a user’s PC, update virus definitions, disconnect the network cable, and run a full antivirus scan of all hard drives
- Install and run SpySweeper
- And always, always teach computer users how to protect themselves from malware! Prevention is key!

Mass-Mailing Worms
- Mass-mailing worms are one of the most common vectors for malware
- Most people know not to open “suspicious” email attachments
  - But the worm writers are getting a lot craftier, and the attachments often look less “suspicious” these days
- Many people are still confused by sender address “spoofing”
  - Mass-mailing worms mail themselves out using randomly chosen sender addresses

I Got a “Suspicious” Email
- A caller might say:
  - I got a strange email message from my bank (or a bank I don’t even use), etc.
  - I got a message from my “system administrator” telling me to do something
  - I got a message from a friend telling me there’s some file I’m supposed to delete
- Such messages are usually “phishing” attacks, or “hoax viruses”
- Delete the email message; don’t do what it says; never give out private information

Top 6 PC Security Must-Dos
- Patch Windows automatically
  - New patches 2nd Tuesday of each month
  - Use BigFix & Windows Automatic Updates
- Use strong passwords (even better, pass phrases) for all user accounts
- Use a firewall, such as Windows XP’s built-in software firewall
- Use and properly maintain good antivirus software
- Don’t open suspicious email attachments
- Disable Windows File & Printer Sharing

Tools for Prevention
- Essential Stanford Software: http://ess.stanford.edu
  - Symantec AntiVirus
  - BigFix client
  - SpySweeper
  - Security Self-Help Tool
- Use the Firefox web browser (not IE)
- Stanford Secure Computing web site: http://securecomputing.stanford.edu
- Microsoft Baseline Security Analyzer: http://support.microsoft.com/kb/320454

Questions?
- If you’ve been saving up questions, now’s your chance!

Research Tools
- Tools for research & troubleshooting:
  - http://support.microsoft.com/kb/129972
  - http://www.google.com
  - http://www.sarc.com
  - http://www.mcafeesecurity.com/us/security/home.asp
  - http://housecall.trendmicro.com/
  - http://en.wikipedia.org/wiki/Computer_virus
  - http://www.spywareinfo.com/
  - http://support.microsoft.com
  - http://www.microsoft.com/technet
  - http://www.cert.org/
  - http://www.cisecurity.org/
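The following PowerShell script is an added example, not part of the original ITSS deck, that turns the "Usual Questions" and the "Top 6 PC Security Must-Dos" into a read-only posture check a help desk could run on a caller's machine: Windows version, time since the last hotfix, the Automatic Updates service, antivirus signature age, firewall state, inbound File and Printer Sharing rules, and the local minimum password length. It assumes a current Windows 10/11 client with Windows Defender and the built-in NetSecurity module (the Windows 2000/XP machines the deck addresses had none of these cmdlets), assumes English `net accounts` output, and the thresholds (45 days since the last hotfix, 7-day signature age, 12-character minimum password length) are illustrative assumptions, not Stanford policy.

```powershell
# Added example (not from the ITSS deck): read-only security posture check
# for the items help-desk staff are told to ask about.
# Assumptions: Windows 10/11, Windows Defender, NetSecurity module present,
# English-language `net accounts` output; all thresholds are illustrative.

$report = [ordered]@{}

# 1. Windows version ("Ask what version of Windows they're using")
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report['OS'] = "$($os.Caption) build $($os.BuildNumber)"

# 2. Patch status ("Ask them if they're keeping it patched")
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    $report['LastHotfix'] = "$($latest.HotFixID) installed $age day(s) ago"
    $report['PatchingOK'] = ($age -le 45)   # assumed: roughly one Patch Tuesday cycle
} else {
    $report['LastHotfix'] = 'none recorded'
    $report['PatchingOK'] = $false
}
# Windows Automatic Updates runs as the wuauserv service
$report['AutoUpdateService'] = (Get-Service -Name wuauserv).StartType

# 3. Antivirus ("check the date of the virus definitions file")
$mp = Get-MpComputerStatus
$report['AVRealTime']         = $mp.RealTimeProtectionEnabled
$report['AVSignatureAgeDays'] = $mp.AntivirusSignatureAge
$report['AVOK'] = $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 7)  # assumed threshold

# 4. Firewall ("Ask them if they use a firewall"): every profile should be on
$offProfiles = @(Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' } |
    ForEach-Object { $_.Name })
$report['FirewallProfilesOff'] = if ($offProfiles) { $offProfiles -join ', ' } else { 'none' }
$report['FirewallOK'] = ($offProfiles.Count -eq 0)

# 5. File & Printer Sharing ("Disable Windows File & Printer Sharing"):
#    count enabled inbound rules in the sharing rule group
$sharingRules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
$report['SharingInboundRulesEnabled'] = $sharingRules.Count
$report['SharingOK'] = ($sharingRules.Count -eq 0)

# 6. Local password policy ("strong passwords ... for all user accounts")
#    `net accounts` prints the minimum password length; 0 means blank passwords are allowed.
#    Parsing the English label is an assumption; localized Windows prints other text.
$line = net accounts | Select-String -Pattern 'Minimum password length'
$minLen = if ($line) { [int](($line.Line -split ':')[1].Trim()) } else { 0 }
$report['MinPasswordLength'] = $minLen
$report['PasswordPolicyOK'] = ($minLen -ge 12)   # assumed threshold

[pscustomobject]$report | Format-List
```

Run it in an elevated Windows PowerShell session so that the Defender and firewall queries return complete results; every step only reads state, so it is safe to run on a machine that may already be compromised, with the caveat the deck itself makes: a well-hidden rootkit can lie to these same APIs, so a clean report is evidence, not proof.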