Keywords: computer virus, worm, Trojan horse, malware, computer security, computer privacy, Internet
Working in a networked information environment brings new opportunities for getting and sharing information. Regrettably, these benefits of the Internet are challenged by parties who interfere with it for their own profit or malevolent motives. Your networked computer can be infected by viruses, worms, or Trojan horses, or infiltrated by spyware, adware, or pop-ups. Unless you are aware of the dangers and take precautionary steps, your PC is susceptible to being compromised and your privacy invaded. This column will highlight some of the dangers and offer basic steps for securing your computer and protecting your privacy.
Just what are these nefarious creatures and attacks that encroach on the security of our computer, affect its operation, or challenge our privacy? The following definitions are from the anti-virus software company Symantec (http://securityresponse.symantec.com/avcenter/expanded_threats/).
Viruses, Worms and Trojan Horses:
A virus is a program or code that replicates; that is, infects another program, boot sector, partition sector, or document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many do a large amount of damage as well.
A worm is a program that makes copies of itself; for example, from one disk drive to another, or by copying itself using email or another transport mechanism. The worm may do damage and compromise the security of the computer. It may arrive in the form of a joke program or software of some sort.
A Trojan Horse is a program that neither replicates nor copies itself, but causes damage or compromises the security of the computer. Typically, an individual emails a Trojan Horse to you, it does not email itself, and it may arrive in the form of a joke program or software of some sort.
Expanded threats exist outside of commonly known definitions of viruses, worms, and Trojan horses that may provide unauthorized access, threats to system or data security, and other types of threats or nuisances. Expanded threats may be unknowingly downloaded from Web sites, email messages, or instant messengers. They can also be installed as a by-product of accepting the End User License Agreement from another software program related to or linked in some way to the expanded threat.
Adware: Programs that secretly gather personal information through the Internet and relay it back to another computer, generally for advertising purposes. This is often accomplished by tracking information related to Internet browser usage or habits. Adware can be downloaded from Web sites (typically in shareware or freeware), email messages, and instant messengers. A user may unknowingly trigger adware by accepting an End User License Agreement from a software program linked to the adware.
Spyware: Stand-alone programs that can secretly monitor system activity. These may detect passwords or other confidential information and transmit them to another computer. Spyware can be downloaded from Web sites (typically in shareware or freeware), email messages, and instant messengers. A user may unknowingly trigger spyware by accepting an End User License Agreement from a software program linked to the spyware.
Securing Your PC
Swartz (2004) reported that 1,000 viruses were identified in May of this year, eclipsing the number in December 2001. Reportedly, 90,800 viruses are loose on the Internet, an increase of 11% from one year ago. Some viruses leave security holes in the PCs that they strike, enabling hackers to remotely use them for sending spam and for phishing scams (more on phishing below).
Melissa, first spotted on March 26, 1999, was one of the first major viruses that attacked corporate and government networks—infecting 1 million computers in North America. It was spread when computer users clicked on an e-mail attachment that initiated a Microsoft Word macro virus. This caused the infected computer to send copies of the virus to 50 addresses taken from a user's e-mail address book.
Computer virus activity in 2003 shut down ATMs, infected airline and train reservation and signaling systems, affected emergency phone and hospital systems, and reached at least one nuclear power plant (Delio, 2003). Some of the most serious attacks included:
- Slammer (released January 25): scanned all 4 billion public IP addresses on the Internet in less than 15 minutes and infected tens of thousands of vulnerable servers.
- Blaster (detected August 11): infected computers were alerted to the presence of Blaster with a message that the PC would be restarting in 60 seconds. Users had to attempt to download security updates during that interval. The vulnerability it exploited had been known for almost a month before the worm appeared. Infection spread to at least eight million machines.
- Sobig.F (detected August 18, 2003): infected a large number of computers and secretly used them for relaying spam.
The MyDoom e-mail worm was released on January 26, 2004, and was judged to be the fastest spreading e-mail worm ever. In addition to attacking computers, the worm enabled the remote uploading of malicious files to those computers. This included software that was used to forward spam e-mails. It also created a mass-mailing of itself, further slowing down Internet traffic and clogging corporate e-mail servers. On February 5, McCandless in the Guardian (London) gave this report: "... after eight hours, MyDoom spiked. Millions of copies poured across the internet and all hell broke loose. Email servers around the world buckled. By the time it reached its peak last Tuesday week, one in 12 emails in the world was MyDoom-generated. This tiny sliver of code had wiped out the records of August's Sobig and the legendary Lovebug worm of 1999 to become the fastest-spreading virus of all time."
In May 2004, the Sasser computer worm hit. Among the victims were Germany's Deutsche Post, Britain's coastguard stations, and investment bank Goldman Sachs. By May 8, 2004, German police had arrested Sven Jaschan, an 18-year-old suspected of creating Sasser. It is expected the worm will infect millions of machines before computer users download antivirus patches to end its run. F-Secure, an anti-virus software company, advises that network worms have peak activity and then fade away, but will not disappear completely for years.
Worms exploit known holes in Windows or Office, allowing code to be run on that computer by a remote attacker. This is what occurred with the Blaster and Sasser worms. Often there are patches available to close these holes and to prevent the worm from lodging itself in the computer, but all too often the patches have not been downloaded and installed by users. An all too familiar pattern has been the announcement by a vendor of a hole in its software and a slow response by users to install the available patch. This has allowed virus writers time to capitalize on the vulnerability of the PCs. Virus writers are moving more quickly to take advantage of announced vulnerabilities. Slammer was released six months after the announcement of the software hole and infected 90% of vulnerable computers within ten minutes. Blaster was released in just three weeks following an announcement of a software hole. Both individuals and organizations are slow to patch their systems.
The cost of these attacks is huge. Hobson (2004) gave cost estimates of at least $525 million for the Blaster worm and of $500 million to more than one billion dollars for Sobig.F. New breeds of worms appearing in the spring of 2004 did not require a user to open an e-mail attachment for the PC to become infected. With both the Bagle and Sasser worms, a PC not current with its operating system patches could become infected automatically when a user clicked on an e-mail message.
Any device connected to the Internet is a potential target for attacks, including spam. This includes instant messaging services, peer-to-peer networks, handheld devices, and smart cellphones (those that are e-mail and Web-capable). It is suggested that airborne worms will spread among mobile phones and that infection will occur from simple proximity. Wireless users are already advised to take extra precautions to protect their systems. These security issues will grow as Internet connectivity becomes more ubiquitous.
Microsoft and PC Manufacturers Respond
Critics speak of the heightened danger posed by the current monoculture of personal computing, where 94% of all PCs are running Windows. Bill Gates reported in March 2004 on the increased security efforts by Microsoft. These include setting a monthly release schedule of new updates, providing more information for computer users, and offering cash rewards for information leading to the arrest and conviction of those responsible for viruses and worms. As he said, "Technology has come an incredibly long way in the past two decades, and it is far too important to let a few criminals stop the rest of us from enjoying its amazing benefits."
PC makers are also increasing their commitment to the security effort (Kessler, 2004). Dell, for example, reports that virus-related issues comprise more than 20% of support calls, jumping 200% to 300% with a serious virus strike. To deal with this growing problem, Dell announced it would provide more education for users and work with vendors to lower the cost of security software that is preinstalled on its PCs.
Protect your PC
If you are on the Internet, you must take steps to ensure that your PC is secure. It is no longer sufficient to avoid opening suspicious e-mail attachments. The computer industry and its experts agree the following steps are needed to make certain your PC is protected. These steps will not only protect your own computer, but also help ensure that your computer cannot be used to launch an attack against others.
- Use a firewall (at least the one provided by Windows).
- Get security updates from Microsoft regularly.
- Use antivirus software and keep it up-to-date.
- Run antispam and anti-spyware software.
Firewalls are software designed to protect from attacks from the outside and prevent rogue programs from sending data out. A firewall should be in place for every computer connected to the Internet. They are of two types, providing differing lines of defense. External firewalls are found in routers and some cable or DSL modems and are the first defense against incoming attacks. A software firewall running on the PC can provide additional protection against viruses, Trojan horses, and spyware. Commercial software packages are available. Users with Windows XP can take advantage of what Microsoft calls the "Internet Connection Firewall" which is included in the XP software. Directions on turning this functionality on are available at: www.microsoft.com/athome/security/protect/windowsxp/firewall.aspx.
Microsoft announces vulnerabilities in its software (Microsoft Windows, Internet Explorer, or Outlook Express) and provides software updates or patches on its Web site to fix the problem. It is important that you monitor these advisories. A PC user with Microsoft Windows should go to http://windowsupdate.microsoft.com/, where Microsoft will initiate a scan of the PC for critical Microsoft security vulnerabilities and advise what patches should be downloaded. There is no charge for these security patches. Windows users with recent versions of Windows can use the built-in Windows Update feature found at the top of the "Start" menu, which updates automatically while you are connected to the Internet.
Many computers come with an anti-virus package, but typically the service has to be activated before it will begin scanning incoming e-mail and files. A free, introductory period may be offered followed by an annual subscription to the service. These software packages can also be purchased in computer stores or online. Anti-virus software vendors are constantly monitoring the appearance of new threats and updating their software to protect against new attacks. Therefore, it is necessary that you update your anti-virus software regularly, which can be done using the software’s auto-update feature. Popular products are from F-Secure (www.f-secure.com/), McAfee (www.mcafee.com/us/), Norton/Symantec (www.symantec.com/) and Trend Micro (www.trendmicro.com/).
Anti-virus software companies maintain pages highlighting the latest threats, as well as those previously identified. These can provide valuable and timely information about a virus, how it acts, and what can be done if attacked. These sites include:
- F-Secure: www.f-secure.com/v-descs/
- McAfee: AVERT Alerts at http://vil.nai.com/vil/content/alert.htm
- Symantec: www.symantec.com/avcenter/
Several sites are good for verifying if an e-mail is or is not a hoax about a supposed virus. There is at least one known case of what was first a hoax later being used to transmit a destructive Trojan horse. So even with a presumed hoax, be vigilant. Before passing on news of a supposed virus, check one of these hoax pages:
- F-Secure: www.f-secure.com/news/hoax.htm
- Hoaxbusters: http://hoaxbusters.ciac.org/
- McAfee: http://vil.mcafee.com/hoax.asp
- Symantec: www.symantec.com/avcenter/hoax.html
- Urban Legends and Folklore—Computer Virus Hoaxes: http://urbanlegends.about.com/cs/virushoaxes/
Computer users are advised to select "strong" passwords. Such passwords are devised using upper and lowercase letters, numbers, and at least one special character. Do not use names, dates, or dictionary words. Microsoft offers advice on creating passwords at: www.microsoft.com/athome/security/privacy/password.mspx.
Backing Up Important Data
If your PC is attacked, files may be irretrievable. Regularly backing up critical data provides insurance against such a loss. Microsoft offers suggestions at: www.microsoft.com/athome/security/update/backup.mspx.
As e-mail increasingly becomes an ever more important means of communication for commerce and personal needs alike, the challenges to it are becoming more serious. The problems are not just annoyances, but involve fraud and increasingly sophisticated virus and worm attacks. There is some evidence that virus writers, spammers, and con artists are joining ranks.
Brightmail, a firm specializing in anti-spam and anti-fraud software, reports that of the more than 104 billion e-mail messages it filtered in June 2004, 65% were identified as spam. This was up from 49% in June 2003 (www.brightmail.com/spamstats.html). Also in June 2004, Brightmail reported filtering over 3.52 billion fraudulent e-mails (www.brightmail.com/brc_fraud-stats.html).
Although viruses and other attacks can be spread by means other than opening an e-mail attachment, PC users must continue to regard attachments as a potential threat. In short, do not open an e-mail attachment unless you know what it is, even when the sender appears to be someone you know and trust.
On December 16, 2003, President Bush signed a federal anti-spam law which has had little effect on the largest spammers, many of whom operate outside the U.S. and are able to cover their tracks and maintain anonymity. In June 2004, Nucleus Research reported that the number of spam messages received by the average employee increased to 7,500, up from 3,500 in 2003. For businesses, this meant a loss in productivity per year per employee of 3.2 percent, up from 1.4 percent in 2003. Companies using spam filters reported they were able to filter out only 20% of the incoming spam.
Some spam reduction tips are:
- Never respond to a spam message. This includes links provided to get off of the sender’s mailing list. For spammers, this simply confirms that the e-mail address is active.
- Don’t buy anything from a spam e-mail message. This will place you on more spam mailing lists.
- Don’t forward chain messages by e-mail. These messages may be hoaxes or the delivery system for a virus. There are reports of spammers using chain letters to harvest e-mail addresses. Hoaxbusters (http://hoaxbusters.ciac.org/HBHoaxInfo.html#whattodo) gives good tips for identifying chain letters and laying out the dangers they present.
- Protect your e-mail address. Spammers use robots to harvest e-mail addresses from Web sites, so keep that in mind if you are posting your e-mail address on your personal Web page. Another strategy is to use multiple e-mail addresses. One might be for your more public activity—shopping, discussion lists. The other might be kept for personal communication.
Also, the Federal Trade Commission (FTC) maintains a database of samples of deceptive spam that have been forwarded by computer users. The FTC receives about 300,000 of these messages each day. This information is used to build cases against spammers who send deceptive messages, including pyramid schemes, money-making chain letters, and credit card scams. You can contribute to this database by sending any unwanted or deceptive spam to firstname.lastname@example.org. The message you forward must include the complete email header. If you have been a victim of a scam, report that information to the FTC at www.ftc.gov.
An e-mail message can disguise who actually sent the message. Viruses can harvest e-mail addresses from an infected hard drive and then use one of those addresses as the supposed "sender" of future e-mails serving as the virus’ vector. Spammers use forging techniques as well. Those who receive these messages can all too easily believe that it is someone known to them who has been responsible for sending a virus or for creating the e-mail bounce and rejection notices that come from all over.
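The forged "sender" described above is why the FTC asks for the complete e-mail header: the visible From: line is whatever the sender typed, while the Return-Path: and the Received: lines added by your own mail servers record where the message actually came from. The following Python is an added example, not part of the original column; the message it inspects is constructed, and the hostnames and addresses in it are placeholders.

```python
"""Sender-consistency check for a raw e-mail, as an added illustration."""
import email
import re
from email.utils import parseaddr

# Constructed sample message (not from the page). The From: line claims a
# colleague, but the envelope sender and the earliest Received: hop do not
# match that claim, which is the pattern a forged "sender" leaves behind.
RAW_MESSAGE = """\
Received: from mx.example-library.org (mx.example-library.org [192.0.2.10])
\tby mail.example-library.org with ESMTP; Mon, 18 Oct 2004 09:12:01 -0400
Received: from unknown (HELO colleague-pc) (203.0.113.77)
\tby mx.example-library.org with SMTP; Mon, 18 Oct 2004 09:11:58 -0400
Return-Path: <bounce@mailer.example.net>
From: "A. Colleague" <colleague@example-library.org>
To: you@example-library.org
Subject: Re: your document

Please see the attached file.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rpartition("@")[2].lower()


def analyze_sender(raw: str) -> dict:
    """Compare the visible From: header with the envelope sender and the
    earliest Received: hop; return the extracted fields plus warnings."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = domain_of(from_addr)
    warnings = []

    if return_path and domain_of(return_path) != from_domain:
        warnings.append(
            f"envelope sender {return_path} is not in {from_domain}")

    # Each relay prepends its own Received: line, so the last one is the
    # earliest hop we can see. Only the lines added by your own mail servers
    # are trustworthy; anything below them could have been written by the
    # sender, so treat this as a hint, not proof.
    received = msg.get_all("Received") or []
    first_hop_ip = ""
    if received:
        earliest = received[-1]
        host_match = re.match(r"from\s+(\S+)", earliest)
        host = host_match.group(1).lower() if host_match else ""
        ip_match = IPV4.search(earliest)
        first_hop_ip = ip_match.group(1) if ip_match else ""
        if not (host == from_domain or host.endswith("." + from_domain)):
            warnings.append(
                f"message entered from {host or '?'} ({first_hop_ip or '?'}), "
                f"not from a {from_domain} host")

    return {"from_addr": from_addr, "return_path": return_path,
            "first_hop_ip": first_hop_ip, "warnings": warnings}


if __name__ == "__main__":
    for line in analyze_sender(RAW_MESSAGE)["warnings"]:
        print("WARNING:", line)
```

Run on the sample it reports two warnings: the bounce address belongs to another domain, and the message entered the local mail system from an unnamed host rather than from the colleague's domain.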
Spoofing is e-mail that pretends to come from legitimate and trusted sources, but really uses fake Web pages and offers false messages or press releases. Phishing (that is, to "fish" for information from victims) is the practice of tricking computer users to give out sensitive information, such as credit card numbers or passwords. These messages appear to come from a legitimate bank or e-commerce site and use their company logos and Web links. A successful phishing attack often results in identity theft of the victim.
Malware—malicious software that disrupts a computer’s operation—includes both adware and spyware. If you have been surfing the Internet, it is very likely your computer has unsolicited software on it. Signs that this is the case are a continual stream of pop-up ads and poor system performance. Adware monitors your surfing and shopping habits to create a profile for sending you targeted, pop-up ads. It can also create desktop shortcuts to gambling or pornographic Web sites or hijack your browser’s homepage. One free product to detect and remove these "data-miners" is Ad-Aware (www.lavasoft.de). This popular software checks your system for adware, reports its findings, allows you to choose those you wish to fix, and then acts on those. Doing this cleanup can also have the effect of improving the performance of your PC.
Spyware is more dangerous because it tracks your activities, collecting personal information. This can include logging your keystrokes, recording which Web sites you visit or even making note of usernames and passwords. Spyware enters your PC when you download a program with a spyware program piggybacking on it. The download acceptance agreement that you clicked on prior to the download may in fact have included an agreement clause for the spyware. So it is important that you read any statement completely before agreeing to the download.
It is good practice to use a spyware detector and eradicator. One notable product is Spybot—S&D (www.safer-networking.org/en/index.html), which received the PC World Class Award 2004 for being the Best Anti-Spyware Scanner. Similar to Ad-Aware, it will scan your system for spyware, which you can then elect to have removed. Another spyware tool is provided by Spychecker (www.spychecker.com). This site allows you to type in the name of a downloaded program to determine if spyware is present in that program.
Because Internet Explorer is the most widely used Web browser, advertisers, spammers, and con artists have worked to use it to shower you with pop-up ads, hijack your home page, install adware or spyware, and steal data.
- Encryption: If you are using an older version of a browser, it may not provide 128-bit encryption, which is the highest level available to secure Internet transactions. If this is the case, you should upgrade to a newer version. You can check your Internet Explorer version by clicking on Help/About Internet Explorer. "Cipher strength" indicates the level of encryption provided.
- Secure Web sites: When security is important for an online transaction (such as banking or purchasing an item), check to see that you are connected to a secure Web site. The Web address should start with https:// (the "s" indicates secure), and a small padlock should be visible in the bottom of your browser.
- Browser Security Levels: Internet Explorer has settings that allow you to select security levels. A useful description of these is available at: www.learnthat.com/courses/computer/windowsxp/iesecurity/. An alternative approach is to switch to browsers that are not susceptible to these problems. This includes Mozilla (available at www.mozilla.org) or Opera (available at www.opera.com).
- Cookies: Cookies are small text files that Web sites place on your hard drive to track and record your activities on their site. While this sounds ominous, not all cookies are bad, as they can carry information that saves you time when you revisit a site and can personalize your visit. First-party cookies are those created by sites you visit directly and are of the type that can save you time on your next visit. Third-party cookies, however, are created by advertisers for sites other than the one you visit. Some sites provide a compact privacy statement that describes the purpose of their cookies, how they are used, and how long they will remain on your PC. Internet Explorer allows you to customize how you want cookies handled. To see your choices in Internet Explorer, go to Tools/Internet Options/Privacy. The default setting is "medium." Choosing a "medium high" setting provides a compromise between protecting your privacy and still having the convenience of customizing your visit to select sites.
Pop-ups are ads that appear uninvited on your browser, often with flashing and obnoxious messages. Google offers a Tool Bar, which among its several useful features is a "Pop Up Blocker." The Google Tool Bar can be downloaded for free. It installs as a separate bar on your browser and prevents new windows from opening automatically when you visit a Web site. For sites where you do wish to see the pop-ups, you can allow that by adding the site to the "white list." The blocker indicates when it is intercepting an incoming ad, as well as displaying a count of the number of pop-ups blocked since the last Toolbar installation. To take a look, go to Google (www.google.com) and click on "more>>" above the input box. You will find the Tool Bar under "Google Tools." Both the Mozilla and Opera browsers also have an option to enable a pop-up killer.
In this information-intensive world, computer viruses are here to stay. Health professionals should see the analogy to public health. Individual behavior with respect to protecting your own computer directly impacts others in the Internet community. To be a responsible computer user means following good computer health practice. I like this message from PC Update Online (www.melbpc.org.au/pcupdate/2205/2205article4.htm):
Safe Computing - Like Safe Sex
When applying these lessons to computer usage, we need to remember:
Article published October 22, 2004