Security Corner - 11/17/2004

Spyware, Viruses, and Worms - Oh My!

Long ago (up until about 2002) anyone who had an up to date antivirus program on their computer and was somewhat careful about what attachments that they opened was fairly safe from the various infections that spread around the internet. At that time, viruses were spread mostly by running an infected executable downloaded from the internet or by running an infected attachment received via e-mail. Times have changed.

Now we have worms like Sasser than can infect a machine directly connected to the internet - just by being there. We have software that can install itself onto your machine just from visiting a web site. We also have software that isn't exactly a virus but can still cause your machine to have problems (and is difficult to uninstall) - and antivirus scanners don't detect and remove those programs.

Viruses

Viruses typically require some sort of user intervention to spread - so they attempt to trick the user into running the virus where it will install itself and attempt to replicate.

A well known virus was the Melissa virus (external link) from 1999. This virus was one of the first to be spread via e-mail. It was also one of the first to take advantage of weaknesses in the Microsoft Office suite of programs to replicate itself - if you opened the attachment, you got the virus. It spread by hijacking the users address book and actually sending out e-mails to those people in your address book (saying that the e-mail was from the computer owner) with a copy of the virus as an attachment.

Many viruses still use a similar method to propagate. The Netsky series of viruses (external link) from earlier this year would infect a system, harvest the e-mail addresses from it, and send itself out to your friends and family - but it still depended upon opening the infected attachment.

You can protect yourself from viruses by:

  1. Running an antivirus program. Make sure that the program loads upon system startup and that it is updating its "signature" database regularly (at least once per week). Make sure that it is scanning, at a minimum, incoming e-mail in real time and that it is doing regular full system scans.
  2. Not opening unexpected attachments from known e-mailers or any attachments from unknown e-mailers. Newer versions of Microsoft Outlook and Outlook Express block executable attachments by default.
  3. Check to make sure that the antivirus program's realtime scanner is running and that it's signatures are up to date. I said this twice because it is very important. Some viruses that were in the wild this summer have the ability to kill the realtime scanner! If it is not running (and it should be) - you may already have a virus or worm problem.

Worms

Worms are self replicating network programs that are both newer and older than viruses. Worms were initially created at the Xerox PARC research facility in the late 1970's and early 1980's as network tools. In 1988, the first "destructive" internet worm was unleashed on the internet. A little bit more history about worms can be found here (external link).

Worms today are more malicious and spread just by having an unprotected machine connected to the internet. Last spring the Sasser worm (external link) hit the internet. It infected machines on the internet by connecting to them and taking advantage of an unpatched vulnerability to install itself on that machine and continue replicating itself.

Over the summer of 2004, worm infections continued to rise. Many of the newest worms are being used to create networks of "zombies" - machines that are controlled by the worm writer and can be used to do denial of service attacks or to send spam e-mails. The worms also will slow your machine and your internet connection while attempting to carry out its "task" or while attempting to replicate itself.

You can protect yourself from worms by:

  1. Running an antivirus program. Make sure that the program loads upon system startup and that it is updating its "signature" database regularly (at least once per week). Make sure that it is scanning, at a minimum, incoming e-mail in real time and that it is doing regular full system scans.
  2. Keeping your machine patched and up to date. This is especially important for Microsoft Windows machines. You can go to the Windows Update website to update your operating system. Most versions of Windows also support the automatic downloading of patches - enable this to allow the system to collect patches while you are online and install them at your convenience.
  3. Don't connect your machine directly to the internet! If you are running your machine in a broadband environment (DSL or cable modem) install either a hardware or a software firewall to hide your machine from the internet. Software firewalls can be found at ZoneLabs or Symantec (external links). One word of caution about software firewalls - they can and will slow down your machine a great deal.

    If you are running Windows XP and have downloaded and installed the Service Pack 2, you have a software firewall installed and enabled by default. If you are accessing the internet on a dial-up connection, this firewall should be good enough to keep you somewhat safe.

    For broadband environments, I would recommend running a hardware firewall or "cable/dsl router" to remove your machine one step away from the internet. Linksys makes some nice and inexpensive "routers" - not a true firewall, but good enough to keep the worms out. If you have an old PC laying around, you can build your own firewall using software from Smoothwall.org (external link) for just the cost of a couple of network cards.

    The benefits of running a hardware firewall are that they keep all "bad" traffic (anything that you haven't explicitly allowed) at arms length and away from the working systems. Even if your system is unpatched, a firewall will keep the bad traffic away from it until you can get it patched and up to date.

Spyware

Spyware is a malady mostly confined to Microsoft Windows machines. It is like a virus, but it masquerades as a useful program. The end result, however, is the same - it will slow down your machine, make it do stuff that you don't want it to do, and will cause the user much grief. Spyware programs typically require the user to go through a full installation process (although the installation process can be hidden with the installation process of other software).

Legitimate companies such as Claria (the makers of Gator, DateManager, PrecisionTime and some other "useful" programs) give away free software that is supposed to help the user out. Within the license agreement, the user gives away rights to use his or her machine. These programs will often be bundled with shareware software, music downloading software, or other programs that can be obtained on the internet. Sometimes, the makers of these programs will generate website advertisements that look like a system error message and entice the user to download and install the software.

Spyware typically attempts to track your websurfing habits and will generate pop-up advertisements (even more than what you can get just through normal surfing). These kinds of programs are also not very careful about using machine resources and can lead to an almost unusably slow machine.

Most antivirus scanners do not detect or deal with spyware. Norton Antivirus 2004 and newer seem to do some, but don't do a very good job of it.

You can protect yourself from spyware by:

  1. Look at the system tray on your machine (if you're a Windows user). This is the little area by the clock, typically in the lower right hand corner of the taskbar. Examine what is running there and investigate anything that doesn't look familiar - try to identify things that aren't normally on your machine.
  2. Download, install, and run both AdAware by Lavasoft and Spybot Search and Destroy (external links). The personal edition of AdAware is free as is Spybot. Run both of these programs weekly to remove any accumulated spyware programs and files from your system.
  3. Read dialogue boxes before clicking "yes" or "ok". Some of the spyware programs out there will pop open a dialogue box and install themselves when you click that button. Always read to see what the box is asking before answering it.
  4. Don't download and run music sharing software. Not only do some of these programs contain spyware installations, they open your machine up for an additional avenue for worm infections.

I hope that this lengthy article was at least somewhat helpful. If you have any questions, please e-mail me at security@tsbbank.com and I'll do my best to answer them.

Aaron Boyken
Technology Officer
Titonka Savings Bank
11/17/2004

 

173 Main St N, PO Box 309 • Titonka, IA 50480-0309
Telephone 515-928-2142 • 800-920-2085
Fax 515-928-2042

101 Highway 69 N • Forest City, IA 50436-1616
Telephone 641-585-3247 • Fax 641-585-3907

155 Jackson St, PO Box 7 • Thompson, IA 50478-0007
Telephone 641-584-2275 • 866-984-2275
Fax 641-584-2575

©2001-2007 Titonka Savings Bank
11/19/2004