Some History
Computer viruses have been present for at least twenty years. Early viruses were identified as early as 1981, spreading on Apple II floppy diskettes. By 1986, viruses were spreading to the now-popular IBM-PC type of personal computer, the ancestor of most of today’s computers.
Most of these early viruses were so-called boot sector viruses. These were actually relatively difficult to catch. They spread via floppy diskettes, but even if you used an infected diskette, your computer would only be infected if the disk was inserted at the time the computer was booting. When it tried (and usually failed) to boot from the floppy diskette, the computer read the floppy’s boot sector, which contained the virus code, which then spread to the computer hard drive’s boot sector. Then, if an uninfected floppy diskette was in the drive when the computer was rebooted, the virus would spread to that diskette’s boot sector, potentially infecting other computers.
Often, infected computers would display a message near the start of boot: “Your computer is stoned. Legalize Marijuana” read the message on computers infected with the Stoned Virus. Along with the boot message, these viruses could cause various types of damage or reduce computer performance.
By the late 1980s, file infectors were also becoming common: viruses that changed a standard computer program, such as the main DOS file Command.com, and were loaded into memory when the infected file was run.
In 1988 a related type of infection, an Internet worm, got a lot of publicity when a grad student’s ‘experiment’ got out of hand, replicating itself much more quickly than he had anticipated. It quickly spread itself to a large percentage of the computers connected to this early Internet, clogging the Net with its attempts to spread itself. In 1992, a virus, Michelangelo, got quite a lot of press, with the prediction that it would cause massive damage on the painter’s birthday. Actually, its effects were quite limited, especially compared to the hype.
By the mid-1990s, a new type of virus became prevalent. Macro viruses were written in the macro languages included with popular applications—most often Microsoft Word. Attached to a specific document, the macro ran when that document was loaded and infected the program’s macro library, attaching itself to all documents subsequently opened with that copy of the application. Besides spreading themselves, macro viruses could also be programmed to damage files on the host computer.
1998 saw the appearance of Trojans, starting with Back Orifice (a pun on Microsoft’s Back Office application). These programs are installed by innocent users thinking they are legitimate programs—and may have legitimate functions. But they enable outsiders to take control of the infected computer. 1999’s Melissa was a combination of a Word macro virus that also infected Outlook and Outlook Express, sending itself via email to people listed in the address book. Infecting Outlook and Outlook Express has become the most common way for virus infections to spread in the early part of the new decade.
Viruses have been found for Internet-enabled phones, for Palm PDAs, and on most computer platforms, but the most common targets, by far, are Windows-powered computers, particularly via the Outlook and Outlook Express email programs. Trojans are often spread by users of instant messaging software (ICQ, AOL Messenger, MSN Messenger, etc) and among peer-to-peer file-sharing networks.
Gaining in popularity in 2002/03 have been worms infecting Web servers and SQL database servers. While these don’t infect individual users, they can have the effect of slowing or shutting down whole sections of the Internet, indirectly affecting millions of users. Sadly, in most cases, these could have been prevented if network system administrators had made sure they were up-to-date on patching their servers’ operating systems and server software. In August 2003, the Blaster worm infected many ordinary users, and a relative shut down Air Canada's reservations system. Again, users who had bothered to get Microsoft's mid-July critical update were safe from this infection.
Also in August 2003, the Sobig virus apparently was designed to allow infected computers to be used to help distribute spam.
(More detail on the history of viruses can be found at http://www.cknow.com/vtutor/vthistory.htm which was the source for this discussion. The New York Times, in February 2004 ran a piece called The Virus Underground looking at some of the people who actually create computer viruses and worms: http://www.nytimes.com/2004/02/08/magazine/08WORMS.html (free registration required)).
And definitions…
According to well-known anti-virus software producer McAfee:
* What is a Virus?
A virus is a manmade program or piece of code that causes an unexpected, usually negative, event. Viruses are often disguised games or images with clever marketing titles such as “Me, nude.”
* What is a Worm?
Computer Worms are viruses that reside in the active memory of a computer and duplicate themselves. They may send copies of themselves to other computers, such as through email or Internet Relay Chat (IRC).
* What is a Trojan Horse?
A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive.
Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses.
(http://www.mcafee.com/anti-virus/default.asp)
PC Magazine (July 2004) talked to a 16 year old Dutch virus writer; read the article (http://www.pcmag.com/article2/0,1759,1612207,00.asp) to find out why he does it.
What to do (or what not to do)…
Boot sector, file infectors, Word macro viruses, and other early types are still in the wild, and may be encountered from time to time. But by far, the most prevalent type of infector is spread as an e-mail attachment. If you want to avoid getting infected, the answer is simple: don’t open email attachments. Receiving an infected attachment does not, by itself, infect your computer—your computer is only infected when you double-click on the attachment, running it.
One way to avoid infected attachments is to not be connected to the Internet. But that’s too drastic a step for most of us. Instead, a little common-sense and self-discipline goes a long way. Don’t open attachments, even if they appear to be from someone you know. Ever. (Note that you can still get infected from files or boot-sector viruses on floppy diskettes).
Unless the attachment meets the following criteria:
* It’s from someone you know
* You were expecting to receive it, or
* You’ve written the sender and confirmed that they intended to send it to you
Even then, you may want to be suspicious if, for instance:
* The attachment is a program file (file extension ending in EXE, BAT, PIF, or COM)
* The attachment is a screen saver (file extension ending in SCR)
* The attachment has two file extensions, with the first one appearing to be a document like a JPG (image) and the last one a program or screen saver.
When in doubt, rather than opening the attachment, be suspicious.
In order to be properly suspicious, you need to have done a few things:
* Have your email program put any attached files some place where you can easily see them. I use the computer Desktop for that.
* Make sure that you’ve set your computer to always display file extensions. This is not the Windows default (unfortunately). See the previous part of this tutorial if you don’t know how to do that.
* Be disciplined. On my desktop, there’s a cute green heart-shaped icon labeled ‘friends.scr’ that came in an email message addressed to me from someone named friendshipforu. The message subject said “Best Friends !!” Could something that friendly be nasty? You bet!
* When in doubt, check. Go to Google.com and type (for example) ‘friends.scr’ in the search field. Very quickly, I discovered that this was a well-known attachment of the W32/Yaha.B virus.
* Even if you don’t find anything about that particular attachment, be suspicious. It may be a new virus, too new to have made it into Google. Or it may be an old virus with a new name. If it seems suspicious, treat it as guilty until proven innocent.
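The attachment rules above (program and screen-saver extensions, and the double-extension trick) together with the ‘friends.scr’ story can be turned into a small checker. This is an added example and not part of the original tutorial; the set of “document-looking” extensions beyond JPG is my assumption, and the sample names other than friends.scr and perrin.exe are constructed.

```python
"""Attachment-name triage following the tutorial's rules.

Added example, not part of the original tutorial. It flags:
  * program files (extension EXE, BAT, PIF or COM)
  * screen savers (extension SCR)
  * double extensions where a document-looking extension such as JPG
    is followed by a program or screen-saver extension
It also shows what each name looks like under Windows' default
"hide extensions for known file types" setting, which is why the
tutorial tells you to turn that setting off.
"""
from dataclasses import dataclass

PROGRAM_EXTENSIONS = {"exe", "bat", "pif", "com"}
SCREENSAVER_EXTENSIONS = {"scr"}
# Extensions a reader would take for a harmless document or picture.
# The tutorial names JPG; the rest of this set is my assumption.
DOCUMENT_EXTENSIONS = {"jpg", "jpeg", "gif", "bmp", "txt", "pdf"}


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reason: str
    displayed_name: str   # what Windows shows with extensions hidden


def displayed_by_windows(filename: str) -> str:
    """Windows hides only the *last* extension, so 'photo.jpg.exe'
    is shown as 'photo.jpg' and 'friends.scr' as plain 'friends'."""
    return filename.rsplit(".", 1)[0]


def triage(filename: str) -> Verdict:
    """Apply the tutorial's rules to one attachment name."""
    exts = filename.lower().split(".")[1:]        # every extension, lower-cased
    shown = displayed_by_windows(filename)
    if not exts:
        return Verdict(filename, False, "no file extension", shown)
    last = exts[-1]
    runnable = PROGRAM_EXTENSIONS | SCREENSAVER_EXTENSIONS
    # Check the double-extension trick first so it gets the precise reason.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last in runnable:
        return Verdict(filename, True,
                       f"double extension: looks like .{exts[-2]} but runs as .{last}", shown)
    if last in PROGRAM_EXTENSIONS:
        return Verdict(filename, True, f"program file (.{last})", shown)
    if last in SCREENSAVER_EXTENSIONS:
        return Verdict(filename, True, f"screen saver (.{last})", shown)
    return Verdict(filename, False, f"not a program or screen saver (.{last})", shown)


def suspicious_names(filenames):
    """Return just the names to treat as guilty until proven innocent."""
    return [v.filename for v in map(triage, filenames) if v.suspicious]


if __name__ == "__main__":
    # friends.scr and PERRIN.EXE are named in the tutorial; the rest are constructed.
    samples = ["friends.scr", "PERRIN.EXE", "photo.jpg.exe", "minutes.txt", "README"]
    for v in map(triage, samples):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.filename:<15} shown as {v.displayed_name:<12} {flag:<10} {v.reason}")
```

The “shown as” column is the point of the tutorial’s advice to display extensions: with the Windows default, ‘photo.jpg.exe’ and a real ‘photo.jpg’ look identical on the Desktop.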
Don’t trust your friends if messages bearing attachments appear without warning—no matter how close a friend or how cute the letter or attachment. While some viruses send themselves to names appearing in infected computers’ address books with From: addresses like ‘friendshipforu’, others steal names and addresses from the address books and paste them into the From: field as well as the To: field. So strangers can be getting virus-bearing messages that appear to have been sent by you or even from me! That doesn’t make it so.
Hoaxes
Another variation on viruses is the virus hoax email message. Here, people receive a warning about a new virus, usually from someone they know, and are urged to spread the word to everyone they know. Often, the message claims that the warning originated with Microsoft, IBM, NASA, or some other well-known organization.
For example, I received the following warning from a colleague (note the all-caps):
PLEASE, SEND THIS INFORMATION TO EVERY PERSON IN YOUR ADDRESS BOOK. IF YOU RECEIVE AN E-MAIL THAT READS "UPGRADE INTERNET2" DO NOT OPEN IT, AS IT CONTAINS AN EXECUTABLE NAMED "PERRIN.EXE." IT WILL ERASE ALL THE DATA IN YOUR HARD DRIVE AND IT WILL STAY IN MEMORY.... THIS INFORMATION WAS PUBLISHED YESTERDAY IN THE CNN WEB SITE.... CHECK THE LIST BELOW, SENT BY IBM, WITH THE NAMES OF SOME E-MAILS THAT, IF RECEIVED, SHOULD NOT BE OPENED AND MUST BE DELETED IMMEDIATELY, BECAUSE THEY CONTAIN ATTACHED VIRUSES…
Almost always, these warnings are untrue. Because they tend to spread out of control, they duplicate like a virus, taking up the time and energy of thousands or millions of users. Rest assured; Microsoft (et al) do not spread warnings about security problems via email, and do not encourage end-users to tell everyone they know.
Some hoaxes have been more dangerous. At least one spread the word that if a user checked for the existence of a certain file, it meant they were infected, and should delete that file. Too bad that file was a normally installed part of Windows, and deleting it caused problems.
A number of online sites keep track of virus hoaxes. If you receive a warning about a virus, check with one of these first. Some examples include:
* Symantec: http://www.symantec.com/avcenter/hoax.html
* McAfee: http://vil.mcafee.com/hoax.asp
* Hoaxbusters: http://hoaxbusters.ciac.org/
* VMyths: http://www.vmyths.com/
Check out any claims before spreading a virus warning further.
More dangerous hoaxes are email messages bearing attachments that claim to be legitimate security patches coming from Microsoft or other sources. For example, September 2003 saw the W32.Swen virus, transmitted along with a very well-designed message that apparently was from Microsoft, bearing what it claimed was an important security fix. Microsoft does not contact end-users via e-mail; rather than fixing a security problem, the attachment infected the user's computer and hijacked Outlook or Outlook Express email software to spread itself further.
Antivirus software
Despite my earlier suggestion that you can avoid infection by being self-disciplined about opening file attachments, every one of us should (in addition to being careful) run an up-to-date antivirus program. Even if you are responsible and don’t open email attachments, you may still become infected with a virus:
* You may run into one of the older virus types on a floppy diskette or a Word document or some other way
* Some other user may be sitting at your computer and may, without thinking, open an email attachment
* A new and ‘improved’ virus may start to spread that (for example) runs a destructive java applet from html text embedded in an email message, without actually appearing as a downloaded file. Or something.
Antivirus software is always being updated to recognize new viruses. As a result, it is important to keep whatever software you are using up-to-date. Most modern AV software can be set to download new virus definitions on a regular basis. Weekly is probably a good time period to check; some people with an always-on Internet connection may want to set their software to check for new definitions daily.
Even so, don’t count on any AV software to be 100% effective. The software companies are always responding to new viruses, which means that the new virus has to appear in the wild first—infecting someone, before the AV software will become aware of it. In the interval, one of the computers that may receive the new virus variety may be yours. I’ve twice received suspicious-looking attachments that weren’t picked up by my AV software, even when I manually went and downloaded the program’s latest virus definitions. Because I didn’t trust the attachments, I avoided opening them and sent them (with explanation) to my AV software provider… in each case, later that day, they were identified as new viruses.
The best defense is a combination of an up-to-date AV program, common-sense, and paranoia.
There are a number of good commercial AV programs. The most common were reviewed in the April 22, 2003 issue of PC Magazine; their review can be found online at: http://www.pcmag.com/article2/0,4149,989867,00.asp. Their editors’ choice was awarded to Symantec’s Norton AntiVirus 2003. They concluded: “Norton AntiVirus 2003 gets our top rating for delivering both excellent protection and foolproof ease of use. It has the best interface of all the products, it scans all files by default, and its mail protection scans the contents of ZIP files before they're sent from your PC. NAV also has a stellar lifetime record on independent certification tests.
As for the rest, PC-cillin 2003's built-in firewall and free phone support are appealing. McAfee VirusScan Home Edition 7.0 offers admirable fine-grain controls, but it requires too much knowledge on the part of inexperienced users when a virus is encountered. For power users, speed mavens, and those who want exact control over antivirus software settings: NOD32 is your baby. It had less than half the impact on system performance of the next-fastest personal av product, and it lets you choose details such as the level of heuristics to use.”
However, the latest versions of NAV are now charging an annual renewal fee to continue automatically getting virus definitions (I believe you can manually download new virus definitions without paying the renewal fee), and the company is reported to be implementing ‘digital-rights management’ to ensure that a single purchased copy is only installed on a single computer. All within their rights, of course, but driving up the costs for home users.
Other well-known commercial AV packages include McAfee Viruscan, Panda, and PC-Cillin. Also worth considering are free virus programs. A list of free AV programs is posted at: http://www.thefreesite.com/Free_Software/Anti_virus_freeware/. The cash-strapped Vancouver School Board, for example, recently replaced McAfee on thousands of school office, classroom, and computer lab systems with the free version of AVG Antivirus (http://free.grisoft.com/freeweb.php). I'm particularly partial to the free Avast Antivirus (http://www.avast.com/eng/down_home.html). I've started using this one on my systems, and it seems to be working well. Particularly nice is the way that it quietly updates itself in the background. (Note: When using Avast, you need to right-click on the program's window to access the options... remember, when in doubt, right-click!)
You can find reviews and links to ten free antivirus programs at: http://www.freeanti-virussoftware.net/
If you don’t have AV software currently installed and are afraid that you might be infected with a virus, several of the AV vendors offer free online virus-scanning services, letting you check your computer right now, for any of thousands of possible viruses. Don’t be in a rush—a full scan of your system will take a while.
If you are pretty sure you are infected with a particular virus variant, Symantec at: http://securityresponse.symantec.com/avcenter/tools.list.html offers automated removal tools, along with instructions for manual removal of a large number of viruses.
PC Magazine (November 8 2005) reviewed three free antivirus programs: Avast, AVG, and AntiVir PE. Check their detailed reviews at: http://www.pcmag.com/article2/0,1895,1865516,00.asp
Check your options
No matter what AV software you choose to use, pay attention to its various options. The default settings may not reflect the way you want the program to run. You might want to adjust the frequency that the program checks for updated virus definitions, or change the day of the week or time of day when it checks. You may want it to run completely unattended in the background, or you may want to know what wants to download and install onto your system.
You may want to change the default behaviour if it discovers a virus. Should it delete the offending file? Try to repair it? (They rarely succeed) Quarantine it? Should it inform you or do it quietly behind the scenes? How often should you schedule scans of your entire system (and at what times of day or night)? Should the program scan all files? Inside compressed Zip files? Just the most commonly infected types of files?
Can you use the program to make boot floppies (usually you’ll need more than one) enabling you to run the AV software without booting to a possibly-infected hard drive? If so, do so—make the floppy disk set and store them in a safe place.
Become familiar with the AV software you choose.
The other option
The vast bulk of viruses affect firstly systems running Microsoft Windows and secondarily Microsoft Outlook and/or Outlook Express email software. Most of what’s left consists of older viruses attacking Microsoft Word or Excel. It’s not that virus authors are necessarily anti-Microsoft, but that’s where most of the potential victims are. Moreover, Microsoft has made it easy for virus writers. For example, when Microsoft made Visual Basic for Applications a common macro language across its various Office applications, it gave virus writers a programming tool with immense power and few built-in limitations. Most users don’t use macros, but Office’s programmers wanted to empower and make it easier for those few users (typically in large corporations) who did extend the Office programs in that way. The result, however, was that millions of other users were put at risk from macro viruses.
Limiting exposure to those particular products, then, also limits (though doesn’t completely eliminate) the risk of virus infection. Consider replacing Outlook Express with Eudora Mail, Netscape Mail, Mozilla Thunderbird or some other email program. Consider replacing Microsoft Office with Corel WordPerfect, Lotus SmartSuite, or the free open source Open Office. Consider replacing Windows with the Mac operating system (and hardware) or Linux (which can run on your existing PC hardware). While there are viruses for these systems, they are far far fewer in number and frequency. For instance: Norton Antivirus for Windows currently claims to detect some 63,000 different virus variants. I can’t find a similar number for Norton Antivirus for Mac, but the number of native viruses for the Macintosh platform is probably in the few dozens. Even Microsoft Outlook Express for Mac isn’t susceptible to Windows Outlook Express viruses.
This is not necessarily an extremist point of view. For instance, in September 2001, a ZDNet columnist suggested: Ban Outlook Now (http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2814683,00.html)
New and dangerous (March 2004):
Hot off the presses... three new variants of the Bagle virus (P, Q, and R) are reported to not use attachments, but to be able to infect a computer when the message itself is viewed. When the message is viewed, it opens a computer port, automatically downloading the infection-bearing program from another infected computer. (Sort of like peer-to-peer file sharing). Infected computers can be controlled remotely from other computers. Some of the message titles used by this virus appear to be security warnings, and it may come with apparent FROM: addresses making it look like it's from network or ISP administrators.
The general warnings about not opening suspicious-looking file attachments now need to be taken a step further; users should not even view email messages from strangers, even those claiming to be from corporate network administrators. It's not clear to me at this time whether viewing messages in email preview panes is enough to trigger the virus; to be on the safe side, I recommend turning off this feature (turned on by default in most email and webmail software). (Turning off the preview pane will also help control spam).
The future:
In March 2006, CNET's Robert Vamosi suggested that we'll be seeing far fewer large-scale virus attacks but a greater number of virus variants, fine-tuned for specific purposes. (http://reviews.cnet.com/4520-3513_7-6462429-1.html?tag=nl.e501) He relates these to an increase in so-called 'crimeware', including identity theft and the creation of networks of 'bots' for extortion related to denial-of-service attacks on corporate networks. He also suggests that this flood of virtually individualized viruses may become more difficult for traditional antivirus applications to handle.
Homework
* Make sure your system is set up to display file extensions for all files
* Make sure you know where email file attachments are being saved on your system
* Go to one of the listed websites offering information on virus hoaxes and check for ‘perrin.exe’
* Go to Symantec’s online virus check and let it scan your system
* (If it finds you are infected, clean the infection using one of Symantec’s automated tools or manual instructions)
* If you have an AV program installed, make sure the virus definitions are up to date and look over the program’s options.
* If you don’t currently have an AV program installed, download and install the free AVG or Avast Antivirus. Make sure its virus definitions are up to date. Look over the program’s options.
* Make a set of boot floppies with your AV program.
* Think about whether you could replace any Microsoft products with more secure alternatives