Malware: Viruses, Worms, Trojan Horses, & Spyware
What They Are & How to Deal with Them
Jay Stamps, jstamps@stanford.edu, 723-0018
ITSS Help Desk Level 1 Training, November 18, 2004
Course Objectives
- Understand what malware is, where it comes from, and what it does
- Diagnose compromised or infected computers based on reported symptoms
- Basic troubleshooting techniques for possibly compromised computers
- Research & diagnostic tools
- Prevention: Worth a pound of cure!

It’s Been a Rough Few Years for Windows PCs…
- Sorry… but that was the last picture you’re going to see in this presentation!
- The good news is that your instructor loves questions, and you’re cordially invited to interrupt him at any time, or save your questions for later
- It’s a cliché, but there are no “dumb questions”: the point is to learn
- And if I don’t have a good answer, I’ll suggest that you make finding one part of your homework assignment!

What’s “Malware”?
- Shortened form of “malicious software”
  - But it’s not always really malicious
- So “malware” is a general term for:
  - Computer and macro viruses of any kind
  - Internet and mass-mailing worms
  - Trojan horses, backdoors and rootkits
  - Other computer exploits, bots, zombies
  - Spyware, adware, and other software installed on a computer without the user’s knowledge or informed consent
  - And then there are the “hoax viruses”…

Why Use the Word “Virus”?
- The analogy with biological viruses
  - Computer viruses exist to self-replicate
  - They can often adapt (mutate) to survive
  - They might or might not harm the host
  - They “infect” by inserting themselves into a “healthy” system (be it a computer program or living organism)
- The term “virus” is heavily overused
  - That’s why we’re talking about “malware”
- But when someone’s PC is misbehaving…
  - They call 5-HELP and say, “I’ve got a virus!”
Are Only PCs Affected?
- The answer is “No”
- Are Macintoshes immune?
  - The answer is “yes and no” - sort of…
  - The first virus in 1982 infected Apple IIs
  - A great deal of malware - some of it not so malicious - existed for Mac OS “Classic”
  - Are there any Mac OS X malware programs? Well, not in the wild, not yet…
- What about Unix and Linux OSes?
  - Lots of malware is in circulation for these platforms - lots!
Why Does Malware Exist?
- When “viruses” first became common…
  - And “normal people” began to use personal computers…
  - If a “virus” struck, they were confused, alarmed, felt violated…
  - They’d ask, “Where do these things come from?” and “How did I get infected?”
  - Often they’d feel embarrassed, like they’d picked up an STD in a reckless moment…
- When told, “People deliberately create viruses,” they’d properly ask, “Why?”
- What do you think? Why does malware exist? (Possible homework assignment!)
Brief History of Malware
- “Viruses” appeared in early 1980s
  - Very soon after first personal computers
  - They spread by floppy disks, later via “bootleg” & other software on “BBSes”
  - They often weren’t meant to be destructive
- Internet “worms” arrived in late 1980s
  - “There may be a virus loose on the internet.” - Andy Sudduth of Harvard University, 34 minutes past midnight, November 3, 1988
Brief History Continued
- First mass-mailing worm came in 1999
  - Usually called the “Melissa virus”
  - It was also a “macro virus”
  - Infected file had to be opened in MS Word
- Spyware hits the scene around 2000
  - “Adware” claims to be legitimate, legal
  - “Browser hijacking” is a common symptom
- Other exploits, trojans, backdoors…
  - Have been around for a long time
  - Hackers target entities for malicious attack, or may want “free” computing resources

We’ll Stick to MS Windows
- The majority of computer users at Stanford have Microsoft Windows PCs
- The majority of malware “in the wild” today attacks only Windows PCs
  - Malware is very platform-dependent
- Microsoft has only recently made computer security a priority
  - In the past… MS tended to “enable everything by default”
  - Network-connected “services” running on a computer are an open invitation to hackers

Why So Much Malware?
- Is malware becoming more common?
  - Yes!!! It is!!! (and harder to fight off)
- Why might that be?
  - The Internet! Plus all the high-powered PCs in homes & offices connected to it
- Why does that make a difference?
  - As with biological viruses, lots of people (or computers) are rubbing up against each other in a common space; and computers (like people) don’t always cover their mouths when they sneeze…

“Help! I’ve Got a Virus!”
- A lot of people self-diagnose (wrongly)
  - “Doc, I think I’ve got the flu.” “How much did you drink last night?” “Uh, three six packs. I think. I don’t really remember…”
- Only a few years ago…
  - Most folks who thought their PC had a viral infection were wrong!
  - When PCs behaved strangely, usually there was a problem with the OS or an application that was not at all virus-related
- Today that’s still true, but…
Today That’s True, But…
- Malware is more common, while OSes and applications are both more feature-laden and (often) more robust
  - More features mean more potential vulnerabilities for hackers to exploit
  - Greater robustness means strange behavior is somewhat likelier to be caused by malware
- Plus more people use protective software
  - Few people these days are unaware of the necessity of running antivirus software
  - Some people even use it correctly!

You Answer a Call to 5-HELP
- And the caller begins to explain…
- “I think my PC has a virus”
  - Maybe it does, and maybe it doesn’t
  - We’ll look at diagnostic approaches presently
- “I got an email from the Security Office…”
  - Get the details, but…
  - A referral to the Level 2 Help Desk, or local or contract support is probably the right move
  - If Networking or the Security Office has noticed a problem, the computer is almost certainly hacked
- If the caller has self-diagnosed, or if you suspect malware is involved, you ask…
The Usual Questions 1
- If a caller’s PC might have an infection, or otherwise be compromised:
  - Ask what version of Windows they’re using
  - Ask them if they’re keeping it patched
  - Ask them if they’re using antivirus software, and if it’s up-to-date
  - For Windows 2000 & XP, ask them if they have good passwords for all user accounts
  - Ask them if they use a firewall
- The caller may not know the answers to some of these questions, of course…
The Usual Questions 2
- So you may need to guide the caller to learn the answers to these questions
  - To check if Windows is properly updated, have the caller visit http://windowsupdate.microsoft.com
  - Launch Symantec AntiVirus to check the date of the virus definitions file
  - To check password strength, use the Stanford Security Self-Help tool
  - Windows XP has a built-in firewall, as do many broadband routers

The Answers
- If a user can’t access the network, that problem is likely not caused by malware
- If a user can’t run, install or update SAV or other security software, that’s a clue that the PC has been infected by a worm
- If Windows isn’t patched, and/or AV software is out of date, and/or user accounts have weak passwords, the PC is definitely vulnerable to compromise
- If the web browser (especially IE) goes to unexpected sites, suspect spyware

More Symptoms
- We’ve just looked at a couple of common symptoms of malware
- Here are some other possible signs:
  - Sluggishness
  - One or more unexpected restarts
  - Frequent system crashes
  - Constant hard disk activity
  - Generalized “strange behavior”
- Hackers try to hide their presence: if they’re good, they will succeed
- Worms and some viruses do likewise

Steps to Recovery
- Most symptoms of malware also have other, more mundane causes
- If there’s any reason to suspect the presence of malware on a user’s PC, update virus definitions, disconnect the network cable, and run a full antivirus scan of all hard drives
- Install and run SpySweeper
- And always, always teach computer users how to protect themselves from malware! Prevention is key!

Mass-Mailing Worms
- Mass-mailing worms are one of the most common vectors for malware
- Most people know not to open “suspicious” email attachments
  - But the worm writers are getting a lot craftier, and the attachments often look less “suspicious” these days
- Many people are still confused by sender address “spoofing”
  - Mass-mailing worms mail themselves out using randomly chosen sender addresses
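Because a worm picks its sender address at random, the From: line tells the help desk nothing; the Received: headers that mail servers add along the way are a better clue. The following is an added example, not part of the original slides: it parses a constructed worm message, compares the From: domain with the host the first mail server saw, and flags attachments that Windows would run as programs.

```python
"""Why the From: line of a worm's message proves nothing (added example).
The sample message is constructed; the hosts and addresses are not real."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a random, plausible From: address, but the mail server recorded the real origin.
SAMPLE_WORM_MAIL = """\
Received: from infected-laptop.example.net (203.0.113.7)
\tby mail.example.edu with SMTP; Thu, 18 Nov 2004 09:12:33 -0800
From: "Help Desk" <helpdesk@example.edu>
To: user@example.edu
Subject: Your account
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"

AAAA
--XYZ--
"""

# Extensions Windows runs as programs when double-clicked (a short, partial list).
RISKY_EXTENSIONS = (".exe", ".pif", ".scr", ".bat", ".com", ".vbs")


def origin_host(msg):
    """Host named in the bottom-most Received: header: each server prepends its
    own line, so the last one listed is the first server the message reached."""
    received = msg.get_all("Received") or [""]
    words = received[-1].split()  # "from <host> (...) by <host> ..."
    return words[1] if len(words) > 1 and words[0].lower() == "from" else None


def analyze(raw):
    """Return the suspicious findings a help desk would want to hear about."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    origin = (origin_host(msg) or "").lower()
    findings = []
    if from_domain and origin and not origin.endswith(from_domain):
        findings.append(f"sender domain {from_domain} does not match origin {origin}")
    for part in msg.walk():  # every MIME part, including attachments
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append("executable attachment: " + name)
    return findings
```

Real Received: chains can be longer and forged by the sender too, so treat the bottom-most line as a hint rather than proof.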
I Got a “Suspicious” Email
- A caller might say:
  - I got a strange email message from my bank (or a bank I don’t even use), etc.
  - I got a message from my “system administrator” telling me to do something
  - I got a message from a friend telling me there’s some file I’m supposed to delete
- Such messages are usually “phishing” attacks, or “hoax viruses”
  - Delete the email message; don’t do what it says; never give out private information
Top 6 PC Security Must-Dos
- Patch Windows automatically
  - New patches 2nd Tuesday of each month
  - Use BigFix & Windows Automatic Updates
- Use strong passwords (even better, pass phrases) for all user accounts
- Use a firewall, such as Windows XP’s built-in software firewall
- Use and properly maintain good antivirus software
- Don’t open suspicious email attachments
- Disable Windows File & Printer Sharing

Tools for Prevention
- Essential Stanford Software: http://ess.stanford.edu
  - Symantec AntiVirus
  - BigFix client
  - SpySweeper
  - Security Self-Help Tool
  - Use the Firefox web browser (not IE)
- Stanford Secure Computing web site: http://securecomputing.stanford.edu
- Microsoft Baseline Security Analyzer: http://support.microsoft.com/kb/320454
Questions? Research Tools
- If you’ve been saving up questions, now’s your chance!
- Tools for research & troubleshooting:
  - http://support.microsoft.com/kb/129972
  - http://www.google.com
  - http://www.sarc.com
  - http://www.mcafeesecurity.com/us/security/home.asp
  - http://housecall.trendmicro.com/
  - http://en.wikipedia.org/wiki/Computer_virus
  - http://www.spywareinfo.com/
  - http://support.microsoft.com
  - http://www.microsoft.com/technet
  - http://www.cert.org/
  - http://www.cisecurity.org/