A quick & dirty guide to malware (part 2: viruses)

A dialogue screen shown by Virus:W32/Duts.A

This is the second posting in a three-part series covering common threats a user may encounter.

This series serves as a rough and ready guide, highlighting key features and trends relevant to most users.

The One That Left

Last week I spoke of Trojans, Viruses and Worms as The Big Three. I lied a bit, though. Viruses – as a distinct malware type – probably shouldn’t be on that list any more.

Viruses have always loomed large in users’ minds as the poster child of malicious programs – heck, we even call it the anti-virus industry. In the last 10 years or so however, the number of virus infections has nosedived; our Labs, which once dealt with viruses routinely, now sees a proper virus infection about once or twice a month. Today when people talk of ‘viruses’, more often than not what they’re describing is technically a trojan or a worm, and they’re using the term in a general, ‘any malware will do’ kind of way.

That’s not to say viruses are extinct; we still receive a small, if persistent, number of queries about viruses. This may be because many businesses, households and users (both in developed countries and in recently connected developing ones) still use old, out-dated, unpatched machines or programs, or haven’t yet developed a security-conscious habits.

Whatever the case, virus infections will probably still cling on to life for a weary day after, so let’s take a look at them.

Highlights of a virus

Definition of a virus given by Merriam-Webster online dictionary

The Merriam-Webster online dictionary’s bare-bones definition of a computer virus touches on important elements most users should know, so I’ll just elaborate a bit more on some key concepts:

“usually hidden within another seemingly innocuous program”

Last week I compared a virus to a parasite, because not only does it ‘hide’ in another program, but also depends on its host to function. For the virus to run, the unsuspecting user must actively launch the infected program, which in turn launches the virus.

For this reason, virus writers usually create viruses that infect executable files (especially popular programs such as word processors or media files), which have a higher chance of being run; programs with files that get passed around a lot are extra attractive, since they can affect even more potential victims.

A good example is the Microsoft Office suite which, with their huge community of business and personal users, used to be a popular target for macro viruses. We still see queries related to this virus type, though thankfully far less than previously.

“Produces copies of itself and inserts them into other programs”

If you think of the common cold virus spreading from one person to another, you’ll have a pretty good idea of why this behavior can be so damaging. When a infected file is executed, it searches for and infects new files; if the newly infected files are launched, they find and infect new files in turn, like some evil Multi-Level Marketing operation. At worst, this pattern can lead to every targeted file on the system being infected.

“Usually performs a malicious action”

The damage a virus can do by replicating and infecting new files is bad enough; its payload, a completely separate set of nasty actions, can be worse. The range of actions a virus can take is huge – connecting to a remote site, changing the desktop wallpaper, displaying silly notification messages, deleting data files…it really just depends on the virus author’s imagination and programming skills.

If you’re lucky, they’re not that good and you get failed viruses like Virus:W32/Stardust; if they’re good, then you get really nasty beasts like Virus:W32/Virut or Virus:W32/Sality.AA (one of the few viruses we still find regularly active).

Appending, prepending, cavity…who cares?

A dialogue screen shown by Virus:W32/ZMK

With thousands of unique viruses out in the wild, antivirus companies find it necessary to divide them into sub-types. Unlike trojans though, viruses don’t fall into neat categories reflecting their actions; instead, they naturally fall into groupings based on technical differences in the way they infect a file – which is  basically gobbledeegook to a user not interested in detailed analysis.

Gnerally, viruses can be divided into two groups – system infectors and file infectors. The majority of viruses are the latter and infect programs or data files. System infectors on the other hand write their malicious code to specific, critical sections of the hard disk containing the operating system, so that while the OS is running its normal routines, it’s also unintentionally executing the virus code.

Fortunately, for most users a virus’s classification is largely academic. For better or for worse, the sheer variety of possible effects each unique virus can have on a file or system makes it more practical to take each virus on a case by case basis.

Back to what’s important – why should the user  care?

So let’s go back to the original question that sparked off this series: do you really need to know if it’s a virus – as opposed to, say, a trojan or worm – infecting your computer?

Well, it helps to know because the two malware types tend affect your data and computer in different ways. As a (very) general rule, trojan infections is more about data theft and loss of control over the computer; virus infections tend to result in software disruptions or damage.

Trojans may copy and steal your data, but they don’t usually destroy the data file itself; they may stop programs from running but they don’t destroy the program. A virus on the other hand, insert its own code into a program or data file, and depending on how it does so, may either leave the host completely unharmed and functional, slightly disrupted, or completely non-functional.

Another difference between trojans and viruses that really affects the user involves disinfection. For one thing, a trojan is usually a single, discrete program – getting rid of it tends to be fairly simple, a matter of removing the malicious file and its residuals (registry keys, processes, icons, etc). Removing the trojan also generally doesn’t affect the integrity of other files on the computer.

Viruses are far more nebulous by design – they can be present in multiple files, in different locations. Identifying a virus-infected file may require scanning the entire computer to be sure every affected file is caught. Removing malicious code from an infected file or – if it can’t be saved, deleting the infected file entirely – can also be problematic if the damaged data is important or the program is a critical system component.

And this doesn’t even take into account the virus’s payload, which can produce a whole other set of worries.

If you’re still interested

Still, there is a ray of hope. If current malware trends persist, we may soon see adware or backdoors promoted to being the newest member of The Big Three, and viruses – as a distinct malware type – can finally be relegated to joining 3½” floppy disks in Computer Hell.

In the meantime, here’s some links to other, more in-depth resources on viruses:

Or partially available on Google Books:

  • “Elements of Computer Security” by David Salomon
  • “Cybercrimes: A Multidisciplinary Analysis” by Sumit Ghosh

Next

Coming soon – Worms!

More posts from this topic

yahoo

What You Need to Know About the Yahoo Hack

Reports that half a billion Yahoo accounts were hacked in 2014 "by a state-sponsored actor" were confirmed today by the tech giant. This hack of "names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions" is the largest in the company's history and one of the most consequential breaches of all time. Our security advisor Sean Sullivan told CNN what Yahoo users need to know right now: [youtube https://www.youtube.com/watch?v=kO-70yKF4bE] He also gave a longer interview to Data Breach Today about the wider implications of the hack. The most important takeaway from this attack is you should always use an extra layer of protection -- in this case Yahoo's two-factor authentication on all your accounts -- and never reuse any important password. Even though Yahoo's passwords stored your passwords with encryption, it's still possible for criminals to get access to them, especially if they are weak. A former Yahoo employee told Reuters that the answers to security questions were deliberately left unencrypted to help catch fake accounts more easily because fake accounts that used the same answers over and over. Sean always uses nonsense answers for so-called security questions so they aren't guessable by anyone who knows him or follows him on social media. He recommends you do the same. So what should you do now? Sean recommends you "walk, not run" to your Yahoo account to disable your security questions and change your password -- and change them on any other site where you've used them to something unique. Make sure you create non-human passwords -- not patterns like yahoo1985. Make them long and difficult to remember. If they're between 20 and 32 characters, they are nearly uncrackable, as our senior researcher Jarno Niemelä recommends. And to deal with all that complexity, use a password manager like our F-Secure KEY, which is free on one device. You can also store your nonsense answers to your security questions in there. Then turn on two-factor authentication, if you haven't already. If you're wondering who might have carried out such a massive attack, Sean does have a hypothesis. [Image by Christian Barmala | Flickr]

September 23, 2016
BY 
android_wi-fi

How to Create a Portable Hotspot on Android with VPN on

Many Android users (myself included) have long found it annoying that creating a working portable hotspot is not possible while using a VPN on the device that shares the connection.  From the user interface to the lines of code that power the app behind it, a driving principle of designing Freedome has always been to make the kind of VPN that only makes your online experience better, without hindering it in any way. Tethering with VPN is now possible This is why we are extremely happy - both personally and for our users - to announce that our new Android release (out now on Google Play) makes it possible to have Freedome turned on while sharing your connection with other devices. We are also the first (as far as we know) major VPN provider to make this happen. Instructions on setting up a portable hotspot The new update automatically allows you to create a portable hotspot with Freedome VPN, so the instructions are fairly simple. Download Freedome VPN on your Android Turn on the portable hotspot feature from your Android settings Keeping it simple, as usual! A note on privacy It’s worth noting for the sake of your privacy that the tethered device’s traffic will NOT go through the VPN tunnel of the device sharing the connection. As Freedome lead Android developer Antti Eskola (who, by the way, you can thank for making this feature a reality) says: “Android does not allow tethered devices access to the VPN tunnel. This is a deliberate choice forced by Android for security reasons. For instance, when using VPN to access your employer’s network, they might not want your friends and family there. Also a VPN tunnel shared with others wouldn’t really be a private network anymore” In other words, remember to use Freedome on laptops and any other devices you connect to your own hotspots with. If you have any questions, drop us a line on Twitter. Enjoy!

September 23, 2016
BY 
webcam

QUICK TIP: Change the Default Passwords on Your Webcams and Baby Monitors

If you don't want to read the manual for the new Wi-Fi-connected device you just installed in your home, do yourself a favor and at least check how to change the default password. A new report finds that more than 100,000 devices in the United Kingdom alone could be possibly be accessed by peeping strangers. How is this possible? "Two words," explains F-Secure security advisor Sean Sullivan. "Default settings." Most consumers don't seem to imagine that their baby monitor, web cam of Wi-Fi router might be targeted by a hacker. "That’s called security through obscurity and it just does not work," Sean explains. "There are 'deep-web' search engines --such as Shodan -- that routinely scan for devices on the Internet. And just about anybody can find interesting things there that shouldn’t be publicly accessible but are." Often all online intruders need to do is type in the password that the manufacture sent the device out with. "You need to change the webcam’s password to something complex and unique," he says. "Don’t worry about having to type it all the time, you’ll probably only need to configure the associated mobile app once. And then the app will remember the password for you." This one simple step will greatly reduce your risk of having your devices hacked. Still many of us won't do it. The time to get rid of this terrible habit of leaving default passwords untouched is now, before our homes become so overrun by Wi-Fi-connected devices that hackers begin to devote serious resources to this sort of intrusion and possibly find some convenient way to monetize it. So don't let your fear of not being able to remember the passwords for all these devices become the weak link in your security. "Once you’ve set your secure password, store it someplace safe for future use," Sean says. He suggests a using a password safe like F-Secure KEY or a piece of paper in a secure location in your home. Just don't store it anywhere in sight of a webcam that still is using its default password. [Image by DAVID BURILLO | Flickr]

September 22, 2016