Malware Viruses Worms Trojan Horses Spyware What They

  • Slides: 25
Download presentation
Malware: Viruses, Worms, Trojan Horses, & Spyware What They Are & How to Deal

Malware: Viruses, Worms, Trojan Horses, & Spyware What They Are & How to Deal with Them Jay Stamps, jstamps@stanford. edu, 723 -0018 ITSS Help Desk Level 1 Training, November 18, 2004

Course Objectives u Understand what malware is, where it comes from, and what it

Course Objectives u Understand what malware is, where it comes from, and what it does u Diagnose compromised or infected computers based on reported symptoms u Basic troubleshooting techniques for possibly compromised computers u Research & diagnostic tools u Prevention: Worth a pound of cure!

It’s Been a Rough Few Years for Windows PCs…

It’s Been a Rough Few Years for Windows PCs…

Sorry… u But that was the last picture you’re going to see in this

Sorry… u But that was the last picture you’re going to see in this presentation! u The good news is that your instructor loves questions, and you’re cordially invited to interrupt him at any time, or save your questions for later u It’s a cliché, but there are no “dumb questions”: The point is to learn u And if I don’t have a good answer, I’ll suggest that you make finding one part of your homework assignment!

What’s “Malware”? u Shortened u u So form of “malicious software” But it’s not

What’s “Malware”? u Shortened u u So form of “malicious software” But it’s not always really malicious “malware” is a general term for: Computer and macro viruses of any kind u Internet and mass-mailing worms u Trojan horses, backdoors and rootkits u Other computer exploits, bots, zombies u Spyware, adware, and other software installed on a computer without the user’s knowledge or informed consent u And then there are the “hoax viruses”… u

Why Use the Word “Virus”? u The analogy with biological viruses Computer viruses exist

Why Use the Word “Virus”? u The analogy with biological viruses Computer viruses exist to self-replicate u They can often adapt (mutate) to survive u They might or might not harm the host u They “infect” by inserting themselves into a “healthy” system (be it a computer program or living organism) u u The u That’s why we’re talking about “malware” u But u term “virus” is heavily overused when someone’s PC is misbehaving… They call 5 -HELP and say, “I’ve got a virus!”

Are Only PCs Affected? u The answer is “No” u Are Macintoshes immune? The

Are Only PCs Affected? u The answer is “No” u Are Macintoshes immune? The answer is “yes and no” - sort of… u The first virus in 1982 infected Apple IIs u A great deal of malware - some of it not so malicious - existed for Mac OS “Classic” u Are there any Mac OS X malware programs? Well, not in the wild, not yet… u u What u about Unix and Linux OSes? Lots of malware is in circulation for these platforms - lots!

Why Does Malware Exist? u When “viruses” first became common… And “normal people” began

Why Does Malware Exist? u When “viruses” first became common… And “normal people” began to use personal computers… u If a “virus” struck, they were confused, alarmed, felt violated… u They’d ask, “Where do these things come from? ” and “How did I get infected? ” u u Often they’d feel embarrassed, like they’d picked up an STD in a reckless moment… u When told, “People deliberately create viruses, ” they’d properly ask, “Why? ” u What do you think? Why does malware exist? (Possible homework assignment!)

Brief History of Malware u “Viruses” appeared in early 1980 s Very soon after

Brief History of Malware u “Viruses” appeared in early 1980 s Very soon after first personal computers u They spread by floppy disks, later via “bootleg” & other software on “BBSes” u They often weren’t meant to be destructive u u Internet u “worms” arrived in late 1980 s “There may be a virus loose on the internet. ” - Andy Sudduth of Harvard University, 34 minutes past midnight, November 3, 1988

Brief History Continued u First mass-mailing worm came in 1999 Usually called the “Melissa

Brief History Continued u First mass-mailing worm came in 1999 Usually called the “Melissa virus” u It was also a “macro virus” u Infected file had to be opened in MS Word u u Spyware hits the scene around 2000 “Adware” claims to be legitimate, legal u “Browser hijacking” is common symptom u u Other exploits, trojans, backdoors… Have been around for a long time u Hackers target entities for malicious attack, or may want “free” computing resources u

We’ll Stick to MS Windows u The majority of computer users at Stanford have

We’ll Stick to MS Windows u The majority of computer users at Stanford have Microsoft Windows PCs u The majority of malware “in the wild” today attacks only Windows PCs u Malware is very platform-dependent u Microsoft has only recently made computer security a priority u In the past… MS tended to “enable everything by default” u Network-connected “services” running on a computer are an open invitation to hackers u

Why So Much Malware? u Is malware becoming more common? u Yes!!! It is!!!

Why So Much Malware? u Is malware becoming more common? u Yes!!! It is!!! (and harder to fight off) u Why might that be? u The Internet! Plus all the high-powered PCs in homes & offices connected to it u Why does that make a difference? u As with biological viruses, lots of people (or computers) are rubbing up against each other in a common space; and computers (like people) don’t always cover their mouths when they sneeze…

“Help! I’ve Got a Virus!” u. A u lot of people self-diagnose (wrongly) “Doc,

“Help! I’ve Got a Virus!” u. A u lot of people self-diagnose (wrongly) “Doc, I think I’ve got the flu. ” “How much did you drink last night? ” “Uh, three six packs. I think. I don’t really remember…” u Only a few years ago… Most folks who thought their PC had a viral infection were wrong! u When PCs behaved strangely, usually there was a problem with the OS or an application that was not at all virus-related u u Today that’s still true, but…

Today That’s True, But… u Malware is more common, while OSes and applications are

Today That’s True, But… u Malware is more common, while OSes and applications are both more featureladen and (often) more robust More features mean more potential vulnerabilities for hackers to exploit u Greater robustness means strange behavior is somewhat likelier to be caused by malware u u Plus more people use protective software Few people these days are unaware of the necessity of running antivirus software u Some people even use it correctly! u

You Answer a Call to 5 -HELP u And u the caller begins to

You Answer a Call to 5 -HELP u And u the caller begins to explain… “I think my PC has a virus” u Maybe it does, and maybe it doesn’t u We’ll look at diagnostic approaches presently u “I got an email from the Security Office…” u Get the details, but… u A referral to the Level 2 Help Desk, or local or contract support is probably the right move u If Networking or the Security Office has noticed a problem, the computer is almost certainly hacked u If the caller has self-diagnosed, or if you suspect malware is involved, you ask…

The Usual Questions 1 u If a caller’s PC might have an infection, or

The Usual Questions 1 u If a caller’s PC might have an infection, or otherwise be compromised: Ask what version of Windows they’re using u Ask them if they’re keeping it patched u Ask them if they’re using antivirus software, and if it’s up-to-date u For Windows 2000 & XP, ask them if they have good passwords for all user accounts u Ask them if they use a firewall u u The caller may not know the answers to some of these questions, of course…

The Usual Questions 2 u So you may need to guide the caller to

The Usual Questions 2 u So you may need to guide the caller to learn the answers to these questions To check if Windows is properly updated, have the caller visit: u http: //windowsupdate. microsoft. com u Launch Symantec Anti. Virus to check the date of the virus definitions file u To check password strength, use the Stanford Security Self-Help tool u Windows XP has a built-in firewall, as do many broadband routers u

The Answers u If a user can’t access the network, that problem is likely

The Answers u If a user can’t access the network, that problem is likely not caused by malware u If a user can’t run, install or update SAV or other security software, that’s a clue that the PC has been infected by a worm u If Windows isn’t patched, and/or AV software is out of date, and/or user accounts have weak passwords, the PC is definitely vulnerable to compromise u If the web browser (especially IE) goes to unexpected sites, suspect spyware

More Symptoms u We’ve just looked at a couple of common symptoms of malware

More Symptoms u We’ve just looked at a couple of common symptoms of malware u Here are some other possible signs: Sluggishness u One or more unexpected restarts u Frequent system crashes u Constant hard disk activity u Generalized “strange behavior” u u Hackers try to hide their presence: If they’re good, they will succeed u Worms and some viruses do likewise

Steps to Recovery u Most symptoms of malware also have other, more mundane causes

Steps to Recovery u Most symptoms of malware also have other, more mundane causes u If there’s any reason to suspect the presence of malware on a user’s PC, update virus definitions, disconnect the network cable, and run a full antivirus scan of all hard drives u Install and run Spy. Sweeper u And always, always teach computer users how to protect themselves from malware! Prevention is key!

Mass-Mailing Worms u Mass-mailing worms are one of the most common vectors for malware

Mass-Mailing Worms u Mass-mailing worms are one of the most common vectors for malware u Most people know not to open “suspicious” email attachments u But the worm writers are getting a lot craftier, and the attachments often look less “suspicious” these days u Many people are still confused by sender address “spoofing” u Mass-mailing worms mail themselves out using randomly chosen sender addresses

I Got a “Suspicious” Email u. A caller might say: I got a strange

I Got a “Suspicious” Email u. A caller might say: I got a strange email message from my bank (or a bank I don’t even use), etc. u I got a message from my “system administrator” telling me to do something u I got a message from a friend telling me there’s some file I’m supposed to delete u u Such messages are usually “phishing” attacks, or “hoax viruses” u Delete the email message; don’t do what it says; never give out private information

Top 6 PC Security Must-Dos u Patch Windows automatically New patches 2 nd Tuesday

Top 6 PC Security Must-Dos u Patch Windows automatically New patches 2 nd Tuesday of each month u Use Big. Fix & Windows Automatic Updates u u Use strong passwords (even better, pass phrases) for all user accounts u Use a firewall, such as Windows XP’s built-in software firewall u Use and properly maintain good antivirus software u Don’t open suspicious email attachments u Disable Windows File & Printer Sharing

Tools for Prevention u Essential Stanford Software http: //ess. stanford. edu u Symantec Anti.

Tools for Prevention u Essential Stanford Software http: //ess. stanford. edu u Symantec Anti. Virus u Big. Fix client u Spy. Sweeper u Security Self-Help Tool u Use the Firefox web browser (not IE) u u Stanford u Secure Computing web site http: //securecomputing. stanford. edu u Microsoft u Baseline Security Analyzer http: //support. microsoft. com/kb/320454

Questions? Research Tools u If you’ve been saving up questions, now’s your chance! u

Questions? Research Tools u If you’ve been saving up questions, now’s your chance! u Tools for research & troubleshooting: u u u http: //support. microsoft. com/kb/129972 http: //www. google. com http: //www. sarc. com http: //www. mcafeesecurity. com/us/security/home. asp http: //housecall. trendmicro. com/ http: //en. wikipedia. org/wiki/Computer_virus http: //www. spywareinfo. com/ http: //support. microsoft. com http: //www. microsoft. com/technet http: //www. cert. org/ http: //www. cisecurity. org/