Computer viruses are among the best-known problems affecting online users. The dangers of computer viruses have gotten a lot of attention (not always accurately) from newspapers and radio and TV news. The good news is that they're easily controlled. The bad news is that, despite that, far too many people fail to take simple precautions, and so viruses, old and new, continue to spread.
Some History
Computer viruses have been present for at least twenty years. Early viruses were identified as early as 1981, spreading on Apple II floppy diskettes. By 1986, viruses were spreading to the now-popular IBM-PC type of personal computer, the ancestor of most of today's computers.
Most of these early viruses were so-called boot sector viruses. These were actually relatively difficult to catch. They spread via floppy diskettes, but even if you used an infected diskette, your computer would only be infected if the disk was in the drive when the computer booted. When it tried (and usually failed) to boot from the floppy diskette, the computer read the floppy's boot sector, which contained the virus code; the virus then copied itself to the hard drive's boot sector. From then on, if an uninfected floppy diskette was in the drive when the computer was rebooted, the virus would spread to that diskette's boot sector, potentially infecting other computers.
Often, infected computers would display a message near the start of boot: “Your computer is stoned. Legalize Marijuana” read the message on computers infected with the Stoned virus. Along with the boot message, these viruses could cause various types of damage or reduce computer performance.
By the late 1980s, file infectors were also becoming common: viruses that modified a standard program file, such as the main DOS file Command.com, and were loaded into memory whenever the infected file was run.
In 1988 a related type of infection, an Internet worm, got a lot of publicity when a grad student's ‘experiment’ got out of hand, replicating itself much more quickly than he had anticipated. It quickly spread to a large percentage of the computers connected to this early Internet, clogging the Net with its attempts to spread itself.
In 1992, a virus, Michelangelo, got quite a lot of press, with the prediction that it would cause massive damage on the painter's birthday. Actually, its effects were quite limited, especially compared to the hype.
By the mid-1990s, a new type of virus became prevalent. Macro viruses were written in the macro languages included with popular applications, most often Microsoft Word. Attached to a specific document, the macro ran when that document was loaded and infected the program's macro library, from which it attached itself to all documents subsequently opened with that copy of the application. Besides spreading themselves, macro viruses could also be programmed to damage files on the host computer.
1998 saw remote-control Trojans come to wide attention, starting with Back Orifice (a pun on Microsoft's BackOffice product). These programs are installed by innocent users who think they are legitimate programs, and they may in fact have legitimate functions. But they enable outsiders to take control of the infected computer. 1999's Melissa combined a Word macro virus with a mass-mailer: it used Outlook to send itself by email to people listed in the address book. Sending copies of itself through Outlook and Outlook Express has become the most common way for a virus infection to spread in the early part of the new decade.
Viruses have been found for Internet-enabled phones, for Palm PDAs, and on most computer platforms, but the most common targets, by far, are Windows-powered computers, particularly via the Outlook and Outlook Express email programs. Trojans are often spread among users of instant messaging software (ICQ, AOL Instant Messenger, MSN Messenger, etc.) and on peer-to-peer file-sharing networks.
Gaining in popularity in 2002/03 have been worms infecting Web servers and SQL database servers. While these don't infect individual users, they can have the effect of slowing or shutting down whole sections of the Internet, indirectly affecting millions of users. Sadly, in most cases these could have been prevented if network system administrators had made sure they were up to date on patching their servers' operating systems and server software. In August 2003, the Blaster worm infected many ordinary users, and a relative shut down Air Canada's reservations system. Again, users who had bothered to get Microsoft's mid-July critical update were safe from this infection.
Also in August 2003, the Sobig virus apparently was designed to allow infected computers to be used to help distribute spam.
(More detail on the history of viruses can be found at http://www.cknow.com/vtutor/vthistory.htm which was the source for this discussion. The New York Times, in February 2004, ran a piece called The Virus Underground looking at some of the people who actually create computer viruses and worms: http://www.nytimes.com/2004/02/08/magazine/08WORMS.html (free registration required).)
And definitions…
According to well-known anti-virus software producer McAfee:
* What is a Virus? A virus is a manmade program or piece of code that causes an unexpected, usually negative, event. Viruses are often disguised games or images with clever marketing titles such as “Me, nude.”
* What is a Worm? Computer worms are viruses that reside in the active memory of a computer and duplicate themselves. They may send copies of themselves to other computers, such as through email or Internet Relay Chat (IRC).
* What is a Trojan Horse? A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive. Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses.
(http://www.mcafee.com/anti-virus/default.asp)
PC Magazine (July 2004) talked to a 16-year-old Dutch virus writer; read the article (http://www.pcmag.com/article2/0,1759,1612207,00.asp) to find out why he does it.
What to
do (or what not to do)…
Boot sector, file infector, Word macro viruses, and other early types are still in the wild and may be encountered from time to time. But by far the most prevalent infectors are spread as e-mail attachments. If you want to avoid getting infected, the answer is simple: don't open email attachments. Receiving an infected attachment does not, by itself, infect your computer; your computer is only infected when you double-click on the attachment, running it. (The Bagle variants described under ‘New and dangerous’ below are the exception: they can infect when the message itself is viewed.)
One way to avoid infected attachments is to not be connected to the Internet. But that's too drastic a step for most of us. Instead, a little common sense and self-discipline goes a long way. Don't open attachments, even if they appear to be from someone you know. Ever. (Note that you can still get infected from file or boot-sector viruses on floppy diskettes.)
Unless the attachment meets the following criteria:
* It's from someone you know, and
* You were expecting to receive it, or
* You've written the sender and confirmed that they intended to send it to you
Even then, you may want to be suspicious if, for instance:
* The attachment is a program file (file extension ending in EXE, BAT, PIF, or COM)
* The attachment is a screen saver (file extension ending in SCR)
* The attachment has two file extensions, with the first one appearing to be a document like a JPG (image) and the last one a program or screen saver. Windows hides the extension of known file types by default, so a file named something like photo.jpg.exe is displayed as photo.jpg, which is exactly why virus writers use this trick.
When in doubt, rather than opening the attachment, be suspicious.
In order to be properly suspicious, you need to have done a few things:
* Have your email program put any attached files some place where you can easily see them. I use the computer Desktop for that.
* Make sure that you've set your computer to always display file extensions. This is not the Windows default (unfortunately). See the previous part of this tutorial if you don't know how to do that.
* Be disciplined. On my desktop, there's a cute green heart-shaped icon labeled ‘friends.scr’ that came in an email message addressed to me from someone named friendshipforu. The message subject said “Best Friends !!” Could something that friendly be nasty? You bet!
* When in doubt, check. Go to Google.com and type (for example) ‘friends.scr’ in the search field. Very quickly, I discovered that this was a well-known attachment of the W32/Yaha.B virus.
* Even if you don't find anything about that particular attachment, be suspicious. It may be a new virus, too new to have made it into Google. Or it may be an old virus with a new name. If it seems suspicious, treat it as guilty until proven innocent.
Don't trust your friends if messages bearing attachments appear without warning, no matter how close a friend or how cute the letter or attachment. Some viruses send themselves to names appearing in infected computers' address books but use From: addresses like ‘friendshipforu’; others steal names and addresses from the address books and paste them into the From: field as well as the To: field. So strangers can be getting virus-bearing messages that appear to have been sent by you, or even by me! That doesn't make it so: the From: line is whatever the sending program chose to put there.
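The attachment criteria above, the ‘be suspicious if’ rules, and the warning about forged From: lines can be written down as one small triage routine. The following is an added example for this tutorial, not code from the original page or from any antivirus vendor; the extension tables, the stand-in list of ‘known file types’ (real Windows consults its registry for that), and the sample inbox are all constructed for illustration.

```python
# Attachment triage from this tutorial's checklist (added example; not code
# from the original page). The extension tables and the sample messages below
# are constructed for illustration, and the 'known type' table is an
# assumption standing in for Windows' real file-type registry.
import os

# Types that Windows runs as a program when double-clicked. The tutorial
# names EXE, BAT, PIF, COM; CMD and VBS behave the same way (assumption:
# your mail client does not already block them).
PROGRAM_EXTS = {"exe", "bat", "pif", "com", "cmd", "vbs"}
SCREENSAVER_EXTS = {"scr"}
RUNNABLE_EXTS = PROGRAM_EXTS | SCREENSAVER_EXTS
# Extensions an attacker puts *before* the real one to make a program look
# like a picture or document ('me.jpg.exe').
DOCUMENT_LIKE_EXTS = {"jpg", "jpeg", "gif", "bmp", "png", "txt", "doc", "pdf", "htm", "html"}
# Stand-in for "known file types" (Explorer hides the extension of these by
# default). Real Windows uses the registry; this table is an assumption.
KNOWN_EXTS = RUNNABLE_EXTS | DOCUMENT_LIKE_EXTS


def split_extensions(filename):
    """'friends.JPG.scr' -> ('friends', ['jpg', 'scr']); 'notes' -> ('notes', [])."""
    parts = os.path.basename(filename).split(".")
    return parts[0], [p.lower() for p in parts[1:]]


def explorer_display_name(filename, hide_known_ext=True):
    """What Windows Explorer shows with 'Hide extensions for known file types'
    on (the default the tutorial tells you to turn off): the last extension
    disappears if it is a known type, so 'friends.jpg.scr' reads 'friends.jpg'."""
    parts = os.path.basename(filename).split(".")
    if hide_known_ext and len(parts) > 1 and parts[-1].lower() in KNOWN_EXTS:
        return ".".join(parts[:-1])
    return filename


def attachment_warnings(filename):
    """The tutorial's 'even then, be suspicious if...' rules for one filename.
    Returns the reasons that fired; an empty list means no rule matched."""
    reasons = []
    _, exts = split_extensions(filename)
    if not exts:
        return reasons
    last = exts[-1]
    if last in PROGRAM_EXTS:
        reasons.append(f"program file (.{last})")
    if last in SCREENSAVER_EXTS:
        reasons.append("screen saver (.scr)")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_LIKE_EXTS and last in RUNNABLE_EXTS:
        reasons.append(f"double extension: looks like .{exts[-2]} but runs as .{last}")
    if last in RUNNABLE_EXTS:
        shown = explorer_display_name(filename)
        if shown != filename:
            reasons.append(f"with extensions hidden Explorer shows it as '{shown}'")
    return reasons


def should_open(filename, sender_known, expected, confirmed_with_sender):
    """The tutorial's decision rule: open only if it is from someone you know
    AND (you were expecting it OR you wrote the sender and confirmed it), AND
    none of the filename rules fire. 'sender_known' must mean more than a
    familiar From: line, which mass-mailers forge from stolen address books."""
    if not sender_known:
        return False, ["sender unknown"]
    if not (expected or confirmed_with_sender):
        return False, ["not expected and not confirmed with the sender"]
    reasons = attachment_warnings(filename)
    return not reasons, reasons


# Constructed sample inbox: (attachment, sender known?, expected?, confirmed?).
SAMPLE_INBOX = [
    ("friends.scr", False, False, False),      # the 'Best Friends !!' message
    ("holiday.jpg.exe", True, False, False),   # double extension, unannounced
    ("minutes.doc", True, True, False),        # expected document from a colleague
    ("Q3-report.pdf", True, False, True),      # confirmed by phone first
    ("patch.exe", True, False, False),         # 'security fix' nobody asked for
]


def triage(inbox=SAMPLE_INBOX):
    """Run the decision rule over an inbox; returns {filename: (open?, reasons)}."""
    return {name: should_open(name, known, exp, conf) for name, known, exp, conf in inbox}


if __name__ == "__main__":
    for name, (ok, why) in triage().items():
        verdict = "OPEN" if ok else "DO NOT OPEN"
        print(f"{name:18} {verdict:12} {'; '.join(why)}")
```

Run with no arguments it prints a verdict per sample message. Note that `friends.scr` is refused before its name is even examined, because the sender is unknown, and that `holiday.jpg.exe` would have appeared as `holiday.jpg` in Explorer under the default ‘hide extensions’ setting (the registry value `HideFileExt` under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`; 0 means always show extensions).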
Hoaxes
Another variation on viruses is the virus hoax email message. Here, people receive a warning about a new virus, usually from someone they know, and are urged to spread the word to everyone they know. Often, the message claims that the warning originated with Microsoft, IBM, NASA, or some other well-known organization.
For example, I received the following warning from a colleague (note the all-caps):
PLEASE, SEND THIS INFORMATION TO EVERY PERSON IN YOUR ADDRESS BOOK. IF YOU RECEIVE AN E-MAIL THAT READS "UPGRADE INTERNET2" DO NOT OPEN IT, AS IT CONTAINS AN EXECUTABLE NAMED "PERRIN.EXE." IT WILL ERASE ALL THE DATA IN YOUR HARD DRIVE AND IT WILL STAY IN MEMORY.... THIS INFORMATION WAS PUBLISHED YESTERDAY IN THE CNN WEB SITE.... CHECK THE LIST BELOW, SENT BY IBM, WITH THE NAMES OF SOME E-MAILS THAT, IF RECEIVED, SHOULD NOT BE OPENED AND MUST BE DELETED IMMEDIATELY, BECAUSE THEY CONTAIN ATTACHED VIRUSES…
Almost always, these warnings are untrue. Because they tend to spread out of control, they duplicate like a virus, taking up the time and energy of thousands or millions of users. Rest assured: Microsoft (et al.) do not spread warnings about security problems via email, and do not encourage end users to tell everyone they know.
Some hoaxes have been more dangerous. At least one spread the word that if users found a certain file on their system, it meant they were infected and they should delete that file. Too bad that file was a normally installed part of Windows, and deleting it caused problems.
A number of online sites keep track of virus hoaxes. If you receive a warning about a virus, check with one of these first. Some examples include:
* Symantec: http://www.symantec.com/avcenter/hoax.html
* McAfee: http://vil.mcafee.com/hoax.asp
* Hoaxbusters: http://hoaxbusters.ciac.org/
* VMyths: http://www.vmyths.com/
Check out any claims before spreading a virus warning further.
More dangerous hoaxes are email messages bearing attachments that claim to be legitimate security patches coming from Microsoft or other sources. For example, September 2003 saw the W32.Swen virus, transmitted along with a very well-designed message that appeared to be from Microsoft, bearing what it claimed was an important security fix. Microsoft does not send patches to end users as email attachments; rather than fixing a security problem, the attachment infected the user's computer and hijacked Outlook or Outlook Express to spread itself further.
Antivirus
software
Despite my earlier suggestion that you can avoid infection by being self-disciplined about opening file attachments, every one of us should (in addition to being careful) run an up-to-date antivirus program. Even if you are responsible and don't open email attachments, you may still become infected with a virus:
* You may run into one of the older virus types on a floppy diskette or in a Word document or some other way
* Some other user may be sitting at your computer and may, without thinking, open an email attachment
* A new and ‘improved’ virus may start to spread that (for example) runs a destructive Java applet from the HTML embedded in an email message, without ever appearing as a downloaded file. Or something.
Antivirus software is always being updated to recognize new viruses. As a result, it is important to keep whatever software you are using up to date. Most modern AV software can be set to download new virus definitions on a regular basis. Weekly is the minimum worth considering; with an always-on Internet connection, set the software to check for new definitions daily, since new viruses appear faster than once a week.
Even so, don't count on any AV software to be 100% effective. The software companies are always responding to new viruses, which means that a new virus has to appear in the wild first, infecting someone, before the AV software will become aware of it. In the interval, one of the computers that receives the new virus variety may be yours. I've twice received suspicious-looking attachments that weren't picked up by my AV software, even when I manually went and downloaded the program's latest virus definitions. Because I didn't trust the attachments, I avoided opening them and sent them (with explanation) to my AV software provider… in each case, later that day, they were identified as new viruses.
The best defense is a combination of an up-to-date AV program, common sense, and paranoia.
There are a number of good commercial AV programs. The most common were reviewed in the April 22, 2003 issue of PC Magazine; their review can be found online at: http://www.pcmag.com/article2/0,4149,989867,00.asp.
Their editors' choice was awarded to Symantec's Norton AntiVirus 2003. They concluded: “Norton AntiVirus 2003 gets our top rating for delivering both excellent protection and foolproof ease of use. It has the best interface of all the products, it scans all files by default, and its mail protection scans the contents of ZIP files before they're sent from your PC. NAV also has a stellar lifetime record on independent certification tests. As for the rest, PC-cillin 2003's built-in firewall and free phone support are appealing. McAfee VirusScan Home Edition 7.0 offers admirable fine-grain controls, but it requires too much knowledge on the part of inexperienced users when a virus is encountered. For power users, speed mavens, and those who want exact control over antivirus software settings: NOD32 is your baby. It had less than half the impact on system performance of the next-fastest personal AV product, and it lets you choose details such as the level of heuristics to use.”
However, the latest versions of NAV now charge an annual renewal fee to continue automatically getting virus definitions (I believe you can manually download new virus definitions without paying the renewal fee), and the company is reported to be implementing ‘digital-rights management’ to ensure that a single purchased copy is only installed on a single computer. All within their rights, of course, but driving up the costs for home users.
Other well-known commercial AV packages include McAfee VirusScan, Panda, and PC-cillin. Also worth considering are free virus programs. A list of free AV programs is posted at: http://www.thefreesite.com/Free_Software/Anti_virus_freeware/.
The cash-strapped Vancouver School Board, for example, recently replaced McAfee on thousands of school office, classroom, and computer lab systems with the free version of AVG Antivirus (http://free.grisoft.com/freeweb.php). I'm particularly partial to the free Avast Antivirus (http://www.avast.com/eng/down_home.html). I've started using this one on my systems, and it seems to be working well. Particularly nice is the way that it quietly updates itself in the background. (Note: when using Avast, you need to right-click on the program's window to access the options... remember, when in doubt, right-click!)
You can find reviews and links to ten free antivirus programs at: http://www.freeanti-virussoftware.net/
If you don't have AV software currently installed and are afraid that you might be infected with a virus, several of the AV vendors offer free online virus-scanning services, letting you check your computer right now for any of thousands of possible viruses. Don't be in a rush: a full scan of your system will take a while.
Some other online virus scanning sites (thanks to Charles Scaglione for these):
TrendMicro: http://housecall.antivirus.com
F-Secure: http://support.f-secure.com/enu/home/ols.shtml
McAfee: http://www.mcafee.com/myapps/mfs/default.asp
BitDefender: http://www.bitdefender.com/scan/license.php
Note that all of these require ActiveX controls and work best (or perhaps only) when run from Internet Explorer.
If you are pretty sure you are infected with a particular virus variant, Symantec at: http://securityresponse.symantec.com/avcenter/tools.list.html offers automated removal tools, along with instructions for manual removal of a large number of viruses.
PC Magazine (November 8, 2005) reviewed three free antivirus programs: Avast, AVG, and AntiVir PE. Check their detailed reviews at: http://www.pcmag.com/article2/0,1895,1865516,00.asp
Check
your options
No matter what AV software you choose to use, pay attention to its various options. The default settings may not reflect the way you want the program to run. You might want to adjust the frequency with which the program checks for updated virus definitions, or change the day of the week or time of day when it checks. You may want it to run completely unattended in the background, or you may want to know what it wants to download and install onto your system.
You may want to change the default behaviour if it discovers a virus. Should it delete the offending file? Try to repair it? (They rarely succeed.) Quarantine it? Should it inform you or do it quietly behind the scenes? How often should you schedule scans of your entire system (and at what times of day or night)? Should the program scan all files? Inside compressed Zip files? Just the most commonly infected types of files?
Can you use the program to make boot floppies (usually you'll need more than one) enabling you to run the AV software without booting from a possibly-infected hard drive? If so, do so: make the floppy disk set and store it in a safe place.
Become familiar with the AV software you choose.
The other
option
The vast bulk of viruses target, first, systems running Microsoft Windows and, second, the Microsoft Outlook and/or Outlook Express email software. Most of what's left consists of older viruses attacking Microsoft Word or Excel. It's not that virus authors are necessarily anti-Microsoft; that's simply where most of the potential victims are.
Moreover, Microsoft has made it easy for virus writers. For example, when Microsoft made Visual Basic for Applications a common macro language across its various Office applications, it gave virus writers a programming tool with immense power and few built-in limitations. Most users don't use macros, but Office's programmers wanted to empower and make things easier for those few users (typically in large corporations) who did extend the Office programs in that way. The result, however, was that millions of other users were put at risk from macro viruses.
Limiting exposure to those particular products, then, also limits (though doesn't completely eliminate) the risk of virus infection. Consider replacing Outlook Express with Eudora Mail, Netscape Mail, Mozilla Thunderbird or some other email program. Consider replacing Microsoft Office with Corel WordPerfect, Lotus SmartSuite, or the free open source OpenOffice. Consider replacing Windows with the Mac operating system (and hardware) or Linux (which can run on your existing PC hardware). While there are viruses for these systems, they are far fewer in number and frequency. For instance, Norton AntiVirus for Windows currently claims to detect some 63,000 different virus variants. I can't find a similar number for Norton AntiVirus for Mac, but the number of native viruses for the Macintosh platform is probably in the few dozens. Even Microsoft Outlook Express for Mac isn't susceptible to Windows Outlook Express viruses.
This is not necessarily an extremist point of view. For instance, in September 2001, a ZDNet columnist suggested: Ban Outlook Now (http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2814683,00.html)
New and dangerous (March 2004):
Hot off the presses... three new variants of the Bagle virus (P, Q, and R) are reported not to use attachments, but to be able to infect a computer when the message itself is viewed. When the message is viewed, its HTML content fetches the infection-bearing program over a port opened on another, already-infected computer (sort of like peer-to-peer file sharing). Infected computers can be controlled remotely from other computers. Some of the message titles used by this virus appear to be security warnings, and it may come with apparent FROM: addresses making it look like it's from network or ISP administrators.
The general warnings about not opening suspicious-looking file attachments now need to be taken a step further; users should not even view email messages from strangers, even those claiming to be from corporate network administrators. It's not clear to me at this time whether viewing messages in email preview panes is enough to trigger the virus; to be on the safe side, I recommend turning off this feature (turned on by default in most email and webmail software). (Turning off the preview pane will also help control spam, since a message that is never displayed can't load the remote images spammers use to confirm that an address is live.)
The future:
In March 2006, C/Net's Robert Vamosi suggested that we'll be seeing far fewer large-scale virus attacks but a greater number of virus variants, fine-tuned for specific purposes (http://reviews.cnet.com/4520-3513_7-6462429-1.html?tag=nl.e501). He relates these to an increase in so-called ‘crimeware’, including identity theft and the creation of networks of ‘bots’ for extortion related to denial-of-service attacks on corporate networks. He also suggests that this flood of virtually individualized viruses may become more difficult for traditional antivirus applications to handle.
Homework
* Make sure your system is set up to display file extensions for all files
* Make sure you know where email file attachments are being saved on your system
* Go to one of the listed websites offering information on virus hoaxes and check for ‘perrin.exe’
* Go to Symantec's online virus check and let it scan your system
* (If it finds you are infected, clean the infection using one of Symantec's automated tools or manual instructions)
* If you have an AV program installed, make sure the virus definitions are up to date and look over the program's options.
* If you don't currently have an AV program installed, download and install the free AVG or Avast Antivirus. Make sure its virus definitions are up to date. Look over the program's options.
* Make a set of boot floppies with your AV program.
* Think about whether you could replace any Microsoft products with more secure alternatives