A quick & dirty guide to malware (part 2: viruses)

A dialogue screen shown by Virus:W32/Duts.A

This is the second posting in a three-part series covering common threats a user may encounter.

This series serves as a rough and ready guide, highlighting key features and trends relevant to most users.

The One That Left

Last week I spoke of Trojans, Viruses and Worms as The Big Three. I lied a bit, though. Viruses – as a distinct malware type – probably shouldn’t be on that list any more.

Viruses have always loomed large in users’ minds as the poster child of malicious programs – heck, we even call it the anti-virus industry. In the last 10 years or so however, the number of virus infections has nosedived; our Labs, which once dealt with viruses routinely, now sees a proper virus infection about once or twice a month. Today when people talk of ‘viruses’, more often than not what they’re describing is technically a trojan or a worm, and they’re using the term in a general, ‘any malware will do’ kind of way.

That’s not to say viruses are extinct; we still receive a small, if persistent, number of queries about viruses. This may be because many businesses, households and users (both in developed countries and in recently connected developing ones) still use old, out-dated, unpatched machines or programs, or haven’t yet developed security-conscious habits.

Whatever the case, virus infections will probably cling on to life for a while yet, so let’s take a look at them.

Highlights of a virus

Definition of a virus given by Merriam-Webster online dictionary

The Merriam-Webster online dictionary’s bare-bones definition of a computer virus touches on important elements most users should know, so I’ll just elaborate a bit more on some key concepts:

“usually hidden within another seemingly innocuous program”

Last week I compared a virus to a parasite, because not only does it ‘hide’ in another program, but also depends on its host to function. For the virus to run, the unsuspecting user must actively launch the infected program, which in turn launches the virus.

For this reason, virus writers usually create viruses that infect executable files (especially popular programs such as word processors or media files), which have a higher chance of being run; programs with files that get passed around a lot are extra attractive, since they can affect even more potential victims.

A good example is the Microsoft Office suite which, with its huge community of business and personal users, used to be a popular target for macro viruses. We still see queries related to this virus type, though thankfully far less than previously.

“Produces copies of itself and inserts them into other programs”

If you think of the common cold virus spreading from one person to another, you’ll have a pretty good idea of why this behavior can be so damaging. When an infected file is executed, it searches for and infects new files; if the newly infected files are launched, they find and infect new files in turn, like some evil Multi-Level Marketing operation. At worst, this pattern can lead to every targeted file on the system being infected.

“Usually performs a malicious action”

The damage a virus can do by replicating and infecting new files is bad enough; its payload, a completely separate set of nasty actions, can be worse. The range of actions a virus can take is huge – connecting to a remote site, changing the desktop wallpaper, displaying silly notification messages, deleting data files… it really just depends on the virus author’s imagination and programming skills.

If you’re lucky, they’re not that good and you get failed viruses like Virus:W32/Stardust; if they’re good, then you get really nasty beasts like Virus:W32/Virut or Virus:W32/Sality.AA (one of the few viruses we still find regularly active).

Appending, prepending, cavity…who cares?

A dialogue screen shown by Virus:W32/ZMK

With thousands of unique viruses out in the wild, antivirus companies find it necessary to divide them into sub-types. Unlike trojans though, viruses don’t fall into neat categories reflecting their actions; instead, they naturally fall into groupings based on technical differences in the way they infect a file – which is basically gobbledygook to a user not interested in detailed analysis.

Generally, viruses can be divided into two groups – system infectors and file infectors. The majority of viruses are the latter and infect programs or data files. System infectors on the other hand write their malicious code to specific, critical sections of the hard disk containing the operating system, so that while the OS is running its normal routines, it’s also unintentionally executing the virus code.

Fortunately, for most users a virus’s classification is largely academic. For better or for worse, the sheer variety of possible effects each unique virus can have on a file or system makes it more practical to take each virus on a case by case basis.

Back to what’s important – why should the user care?

So let’s go back to the original question that sparked off this series: do you really need to know if it’s a virus – as opposed to, say, a trojan or worm – infecting your computer?

Well, it helps to know because the two malware types tend to affect your data and computer in different ways. As a (very) general rule, trojan infections are more about data theft and loss of control over the computer; virus infections tend to result in software disruptions or damage.

Trojans may copy and steal your data, but they don’t usually destroy the data file itself; they may stop programs from running but they don’t destroy the program. A virus, on the other hand, inserts its own code into a program or data file, and depending on how it does so, may leave the host completely unharmed and functional, slightly disrupted, or completely non-functional.

Another difference between trojans and viruses that really affects the user involves disinfection. For one thing, a trojan is usually a single, discrete program – getting rid of it tends to be fairly simple, a matter of removing the malicious file and its residuals (registry keys, processes, icons, etc). Removing the trojan also generally doesn’t affect the integrity of other files on the computer.

Viruses are far more nebulous by design – they can be present in multiple files, in different locations. Identifying a virus-infected file may require scanning the entire computer to be sure every affected file is caught. Removing malicious code from an infected file or – if it can’t be saved, deleting the infected file entirely – can also be problematic if the damaged data is important or the program is a critical system component.
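As an added illustration (not code from the original post) of why catching a file infector means checking every file rather than one suspect: a baseline-and-compare integrity check in Python, run over constructed sample files in a temporary directory. The “infection” is only simulated by appending bytes to one file, which is the size-growth symptom an appending infector leaves behind.

```python
import hashlib
import os
import tempfile

# Record (size, sha256) for every file under root, keyed by relative path.
def build_baseline(root):
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            rel = os.path.relpath(path, root)
            baseline[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline

# Compare the current tree against a stored baseline and report files that
# changed, grew (typical of appending/prepending infectors), appeared or vanished.
def find_changes(root, baseline):
    current = build_baseline(root)
    changes = []
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            changes.append((rel, "new file"))
        elif baseline[rel][1] != digest:
            old_size = baseline[rel][0]
            if size > old_size:
                changes.append((rel, "modified, grew by %d bytes" % (size - old_size)))
            else:
                changes.append((rel, "modified"))
    for rel in baseline:
        if rel not in current:
            changes.append((rel, "missing"))
    return sorted(changes)

# Demonstration on constructed sample files; no real program is touched.
def demo():
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("editor.exe", b"MZ-editor-body"), ("player.exe", b"MZ-player-body")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        # Simulate the symptom of an appending infector: 512 extra bytes on one file.
        with open(os.path.join(root, "editor.exe"), "ab") as f:
            f.write(b"X" * 512)
        return find_changes(root, baseline)

if __name__ == "__main__":
    for rel, kind in demo():
        print(rel, kind)
```

Only the file that was tampered with is reported; the untouched program still matches its baseline hash.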

And this doesn’t even take into account the virus’s payload, which can produce a whole other set of worries.

If you’re still interested

Still, there is a ray of hope. If current malware trends persist, we may soon see adware or backdoors promoted to being the newest member of The Big Three, and viruses – as a distinct malware type – can finally be relegated to joining 3½” floppy disks in Computer Hell.

In the meantime, here are some links to other, more in-depth resources on viruses:

Or partially available on Google Books:

  • “Elements of Computer Security” by David Salomon
  • “Cybercrimes: A Multidisciplinary Analysis” by Sumit Ghosh

Next

Coming soon – Worms!
