Do you REALLY need to know the difference between malware types?

Explaining Malware Types is Hard To Do

One of the stranger perils of being a technical writer involves being ambushed at odd moments by people demanding on-the-spot explanations of complex technical concepts.  I was out on the town one night and somehow found myself having to explain to a not-too-tech-savvy friend how to differentiate between a virus, a trojan and a worm.

After patiently listening to a lengthy, rambling answer, my friend thought it over for a minute and then asked, “So, why should I care? Why is this important to me? Do I really need to know the difference between different types of malwares?

My automatic reaction was to say, “Of course you need to!” – but to my surprise,  I couldn’t coherently express why I felt that way (though to be fair,  I was having trouble thinking clearly about anything that night).

Thinking it over in the sober light of day,  I realized that he’d actually asked a pretty good question. For most computer users, the difference between malware types is academic and irrelevant – at least,  right up until their computer gets infected. If everything’s working just fine, why in the world should they be able to distinguish between an exploit and a backdoor?

A Technical Person’s Answer

To get a expert’s opinion on this,  I relayed my friend’s question to an Analyst in our Response Lab. His reply was (and I’m paraphrasing here):

“Yes,  so that if anything happens, you’d know how the computer got infected, how to deal with the infection, and how to prevent it from spreading.”

Now, that’s the condensed version of a technical person’s answer. The real answer was actually a long, in-depth and detailed explanation covering how certain malware types had specific behaviors and particular vectors for distribution, as well as recommendations for dealing with particular types of infection.

And that there was the problem in a nutshell – it’s a lot of information to absorb. It was a thorough answer, but not an easy one to communicate to people with little interest in technicalities.  Some parts of the explanation also assumed more computer knowledge than most users would probably have or want.

Having said that, I thought the condensed version of our Analyst’s answer seemed like a helpful, ‘user-friendly’ answer. It summarizes all the main points effectively, puts it in a context most users would understand  and – this is important – it isn’t long-winded. I’ll come back to this again a little later.

Why A User Doesn’t Need To Know Malware Types

Trying to find a simple, all-encompassing answer to my friend’s question made me wonder if he really had a point and that users didn’t really need to know something as technical as malware types. So I decided to turn the question around and ask:

“Are there any cases in which ‘the average user’ doesn’t need to know the difference between malware types?”

The following four scenarios were the only ones I could think of where knowing malware types wouldn’t be helpful (if you can think of others, feel free to leave a comment). Of course,  I included some reasons why I think knowing malware types would be helpful even in these situations.

  1. I don’t do anything that might harm my computer.

    If you can honestly claim this, you’re probably what I’d call an Exemplary User: someone who diligently updates the operating system and programs, never installs programs or uses removable media without thoroughly vetting it first, doesn’t download from untrusted sources and basically, just does computer security right.

    An Exemplary User can laugh with scorn at looming malware outbreaks.  If this describes you, great! You can stop reading now. (Heck, you probably know the malware types already, anyway).

    Since the vast majority of users will never qualify for Exemplary Userhood however (myself included), the second best scenario is:

  2. MY computer can’t be infected.

    No, I’m not starting a PC versus Mac debate. What I mean is that even if malware does get onto your computer, it needs to find a suitable environment before it can have an effect. A Linux virus that somehow manages to get onto a Windows machine usually can’t do anything except blush sheepishly. Ditto for a backdoor that uses HTTP to connect to a remote site but ends up on a standalone computer without Internet acess.

    If your computer happens to be set up so that the majority of malware doesn’t target it or affect it (now you can start the PC/Mac debate), then our query becomes moot. Again, congratulations!

    Of course, most people have very little choice in the kind of operating system or programs they have on their computer, particularly business users. Even home users usually have to consider familiarity and affordability over specifically tailoring their computer to be malware resistant. To fix that, most users use antivirus protection. Which leads to reason 3:

  3. Why worry? My antivirus will remove it.

    Actually, since I work for a computer security company, I’d reeeaaally like it if more people could claim this. And hey – shameless plug – our Internet Security is doing pretty well in independent tests!

    Unfortunately, this solution isn’t 100% bulletproof, especially if you’re not an Exemplary User or are just plain unlucky.  Sometimes, the antivirus doesn’t catch the malware. Or it makes an error and the wrong file get fingered, causing all sorts of mayhem. Worse still, the antivirus turns out to be rogueware.

    In other words, the program you’re depending on to sort out all the problems….doesn’t. What then? Ah, then we move on to reason 4:

  4. Not my department. (IT/Tech Support/the computer guy) will just clean out any infection for me.

    OK, so the person fixing an infected computer should be the one with the technical knowledge, true. That person may not be the user, true. If you have someone dependable, willing and trustworthy, who can fix anything that goes wrong…can I have their number? Such a person is a godsend. Treasure him/her.

    Still, even if you’re that lucky, it’s often a great help to the actual technician if the user can pinpoint the probable cause. Knowing what type of dastardly program is screwing around with the computer gives the technician a good place to start investigating, and maybe also some idea of how to fix it.

    Or, to use an analogy, it’s the difference between driving to a workshop and telling the mechanic, “My car’s making a funny sound”, and saying, “The fan belt’s busted.”‘

And the Conclusion Is…

If you’re not in one of the 4 ‘Ideal Situations’ listed above, then it would probably be helpful for you to know the different kinds of malicious programs that can damage your computer, because…well, refer to condensed Analyst’s answer above.

Realistically though, learning about malware types, even superficially, requires investing time and energy that not every user can spare – which is why technical writers (ahem) have to find ways of communicating these concepts in ways that are interesting and easily accessible for everyone. Which brings us back to the condensed Analyst’s answer. It’s short, to the point and gives just enough information without being overwhelming. And if more information is asked for, well that’s the time to start going in-depth.

Personally, I like it – but since my part of my work deals with malware types anyway, I freely admit to being biased about this. So really, the best people to evaluate how useful that answer is – You, dear reader. So how about it? Do you think the condensed Analyst’s answer is a helpful, informative reply?

——

Oh and since we’re on the topic, here are the Types F-Secure uses to classify the samples – the good, the bad and the merely suspicious. You can also find plenty of other sites with excellent information on this topic – for example, HowStuffWorks.com has great articles explaining how trojans, viruses and worms work.

More posts from this topic

Windows 10, Windows privacy and security, Windows 10 new features

5 things you need to know to feel secure on Windows 10

New versions of windows used to be like an international holiday. PC users around the world celebrated by sharing what they liked -- much of Windows 7 --- and hated -- all of Windows 8 and Vista -- about the latest version of the world's most popular operating system. In this way, Windows 10 is the end of an era. This is the "final version" of the OS. After you step up to this version, there will be continual updates but no new version to upgrade to. It's the birth of "Windows as a service," according to Verge. So if you're taking free upgrade to the new version, here are 5 things you need to know as you get used to the Windows that could be with you for the rest of your life. 1.Our Chief Research Office Mikko Hypponen noted Windows 10 still hides double extensions by default. “Consider a file named doubleclick.pdf.bat. If ‘hide extensions’ is enabled, then this will be shown in File Explorer as ‘doubleclick.pdf’. You, the user, might go ahead and double-click on it, because it’s just a PDF, right?” F-Secure Security Advisor Tom Gaffney told Infosecurity Magazine. “In truth, it’s a batch file, and whatever commands it contains will run when you double-click on it.” Keep this in mind when you do -- or DON'T -- click on unknown files. 2. You could end up sharing your Wi-Fi connection with all your contacts. There's some debate about whether or not Windows 10's Wi-Fi Sense shares your Wi-Fi connection with social media contacts by default, as Windows Phone has for a while now. ZDNet's Ed Bott says no, noting that "you have to very consciously enable sharing for a network. It's not something you'll do by accident." Security expert Brian Krebs is more skeptical, given how we're "conditioned to click 'yes' to these prompts." "In theory, someone who wanted access to your small biz network could befriend an employee or two, and drive into the office car park to be in range, and then gain access to the wireless network," The Register's Simon Rockman wrote. "Some basic protections, specifically ones that safeguard against people sharing their passwords, should prevent this." Gaffney notes that Wi-Fi Sense is “open to accidental and deliberate misuse.” So what to do? Krebs recommends the following: Prior to upgrade to Windows 10, change your Wi-Fi network name/SSID to something that includes the terms “_nomap_optout”. [This is Windows opt-out for Wi-Fi Sense]. After the upgrade is complete, change the privacy settings in Windows to disable Wi-Fi Sense sharing. 3. There are some privacy issues you should know about. Basically "whatever happens, Microsoft knows what you're doing," The Next Web's Mic Wright noted. Microsoft, according to its terms and conditions, can gather data “from you and your devices, including for example ‘app use data for apps that run on Windows’ and ‘data about the networks you connect to.'” And they can also disclose it to third parties as they feel like it. You should check your privacy settings and you can stop advertisers from know exactly who you are. Want a deep dive into the privacy issues? Visit Extreme Tech. 4. The new Action Center could be useful but it could get annoying. This notification center makes Windows feel more like an iPhone -- because isn't the point of everything digital to eventually merge into the same thing? BGR's Zach Epstein wrote "one location for all of your notifications is a welcome change." But it can get overwhelming. "In Windows 10, you can adjust notifications settings by clicking the notifications icon in the system tray," he wrote. "The click All settings, followed by System and then Notifications & actions." 5. Yes, F-Secure SAFE, Internet Security and Anti-Virus are all Windows 10 ready. [Image by Brett Morrison | Flickr]

July 30, 2015
BY 
Android

Android’s Stagefright bug – phone vendors taken with their pants down

You have all heard the classic mantra of computer security: use common sense, patch your system and install antivirus. That is still excellent advice, but the world is changing. We used to repeat that mantra over and over to the end users. Now we are entering a new era where we have to stress the importance of updates to manufacturers. We did recently write about how Chrysler reacted fairly quickly to stop Jeeps from being controlled remotely. They made a new firmware version for the vehicles, but didn’t have a good channel to distribute the update. Stagefright on Android demonstrates a similar problem, but potentially far more widespread. Let’s first take a look at Stagefright. What is it really? Stagefright is the name of a module deep inside the Android system. This module is responsible for interpreting video files and playing them on the device. The Stagefright bug is a vulnerability that allows and attacker to take over the system with specially crafted video content. Stagefright is used to automatically create previews of content received through many channels. This is what makes the Stagefright bug really bad. Anyone who can send you a message containing video can potentially break into your Android device without any actions from you. You can use common sense and not open fishy mail attachments, but that doesn’t work here. Stagefright takes a look at inbound content automatically in many cases so common sense won't help. Even worse. There’s not much we can do about it, except wait for a patch from the operator or phone vendor. And many users will be waiting in vain. This is because of how the Android system is developed and licensed. Google is maintaining the core Linux-based system and releasing it under an open license. Phone vendors are using Android, but often not as it comes straight from Google. They try to differentiate and modifies Android to their liking. Google reacted quickly and made a fix for the Stagefright bug. This fix will be distributed to their own Nexus-smartphones soon. But it may not be that simple for the other vendors. They need to verify that the patch is compatible with their customizations, and releasing it to their customers may be a lengthy process. If they even want to patch handsets. Some vendors seems to see products in the cheap smartphone segment as disposable goods. They are not supposed to be long-lived and post-sale maintenance is just a cost. Providing updates and patches would just postpone replacement of the phone, and that’s not in the vendor’s interest. This attitude explains why several Android vendors have very poor processes and systems for sending out updates. Many phones will never be patched. Let’s put this into perspective. Android is the most widespread operating system on this planet. 48 % of the devices shipped in 2014 were Androids (Gartner). And that includes both phones, tablets, laptops and desktop computers. There’s over 1 billion active Android devices (Google’s device activation data). Most of them are vulnerable to Stagefright and many of them will never receive a patch. This is big! Let’s however keep in mind that there is no widespread malware utilizing this vulnerability at the time of writing. But all the ingredients needed to make a massive and harmful worm outbreak are there. Also remember that the bug has existed in Android for over five years, but not been publically known until now. It is perfectly possible that intelligence agencies are utilizing it silently for their own purposes. But can we do anything to protect us? That’s the hard question. This is not intended to be a comprehensive guide, but it is however possible to give some simple advice. You can stop worrying if you have a really old device with an Android version lower than 2.2. It’s not vulnerable. Google Nexus devices will be patched soon. A patch has also been released for devices with the CyanogenMod system. The privacy-optimized BlackPhone is naturally a fast-mover in cases like this. Other devices? It’s probably best to just google for “Stagefright” and the model or vendor name of your device. Look for two things. Information about if and when your device will receive an update and for instructions about how to tweak settings to mitigate the threat. Here’s an example.   Safe surfing, Micke Image by Rob Bulmahn under CC BY 2.0

July 30, 2015
BY 
browser security, business security, banking trojan

The Devil’s in… the browser

This is the fourth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. It was only just past 1 pm, but Magda was already exhausted. She had recently fired her assistant, so she was now having to personally handle all of the work at her law office. With the aching pain in her head and monstrous hunger mounting in her stomach, Magda thought it was time for a break. She sat at her desk with a salad she had bought earlier that morning and decided she’d watch a short online video her friends had recently told her about. She typed the title in the browser and clicked on a link that took her to the site. A message popped up that the recording couldn’t be played because of a missing plugin. Magda didn’t have much of an idea what the “plugin” was, which wasn’t surprising considering that her computer knowledge was basic at best – she knew enough to use one at work, but that was pretty much all. It was the recently sacked assistant, supported by an outsourced IT firm, who took care of all things related to computers and software. A post-it stuck to Magda’s desk had been unsuccessfully begging her to install an antivirus program. “What was this about?”, Magda tried to remember. At moments like this, she regretted letting the girl go. After some time, she recalled that her assistant had mentioned something about a monthly subscription plan for some antivirus software to protect the computers, tablets and mobile phones. This solution, flexible and affordable for small businesses like Magda’s firm, had also been also recommended by the outsourced IT provider. Despite a nagging feeling that something wasn’t right, she clicked “install”. After a few seconds, the video actually played. Magda was very proud of herself: she had made the plugin thing work! A few days later, she logged into her internet banking system to pay her firm’s bills. As she looked at the balance of the account, she couldn’t believe her eyes. The money was gone! The transaction history showed transfers to accounts that were completely unknown to her. She couldn’t understand how somebody was able to break in and steal her money. The bank login page was encrypted, and besides that, she was the only person who knew the login credentials... At the bank she learnt that they had recorded a user login and transfer orders. Everything had been according to protocol, so the bank had no reason to be suspicious. The bank’s security manager suggested to Magda that she may have been the victim of a hacker’s attack. The IT firm confirmed this suspicion after inspecting Magda’s computer. Experts discovered that the plugin Magda had downloaded to watch the video online was actually malware that stole the login credentials of email accounts, social networking sites and online banking services. Magda immediately changed her passwords and decided to secure them better. She finally had good antivirus software installed, which is now protecting all of the data stored on her computer. She recalled that her bank had long been advising to do that, but she had disregarded their advice. If only she hadn’t... Her omission cost her a lot of money. She was happy, though, that money was all she lost. She didn’t even want to imagine what might have happened if any of her case or clients information had been compromised. That would have been the end of her legal career. "If you have to use dangerous plugins like Java to do banking, you can enable those in one browser and use it only for the banking stuff," F-Secure Director of Security Response Antti Tikkanen explains.​ To get an inside look at business security, be sure to follow our Business Insider blog.

July 28, 2015