VIRUSES, WORMS, AND TROJAN HORSES

 

Quicklinks:

Updating the operating system and patching your machine

Installing and updating virus control software

Installing the XP firewall

 

(SPECIAL NOTE: To do any of the procedures above you will need to have administrative privileges on the box. At home you have this. At work, you may not. Before trying any of this at work, check with your system administrator to see if you have been assigned the necessary permissions on your machine. If not, you will need to have the system administrator do this for you, and some of it you will not need to have done because of the way the VUMC network is administered. Also, to do the Office patches and updates, you will need a copy of CD 1 from the Office application.)

 

Over the past several years we have been hit with an onslaught of infections that potentially put our computers, computer software, and data files at risk. Most individuals have no idea how to protect their computers and data from these events. The following series of webpages will educate you on what you need to do at home, and perhaps at work to reduce your exposure to these problems and minimize their effects.

 

First let me start by saying there is no way to create a 100% risk-free environment. Short of unplugging your machine from the wall and never turning it on, you are always going to be at risk of contracting one of these nasty “bugs”. However, there are a number of things you can and should do to minimize your risk of infection, and you need to remember that failure to protect your machine puts other people’s machines and the entire Internet at risk. It is therefore imperative that you do all of the things outlined in the following webpages.

 

Security is a three step process:

 

First, you must make sure your machine is patched with the latest operating system and software updates. I have my computers set to automatically download patches and update my operating system on a regular basis. I also manually check about once a week to make sure the updater is working properly.

 

Second, you must install a virus control program on your computer AND REGULARLY (AT LEAST WEEKLY) UPDATE THE VIRUS DEFINITION PATTERNS AND RUN THE VIRUS CONTROL PROGRAM AFTER THE PATTERNS HAVE BEEN UPDATED. Most people make the mistake of never updating their virus definition patterns. In that case the virus control program is useless; you might as well never run it. By default, most virus control programs create a shield around your computer that checks all incoming files, including email attachments, as they are downloaded. This active type of checking only works if the patterns are regularly updated. I have McAfee 4.5.1 installed on my machine and I update my virus patterns at least once a week, more frequently in the event of an outbreak.

 

Third, you should put a firewall around your computer. This helps prevent the stealthiest infections from finding and infecting your machine. This firewall could be a personal firewall like XP Firewall or ZoneAlarm, or it could be a router installed in your home (such as a Linksys) configured, by default, to hide your computer from the outside world. I have XP firewall enabled at home AND I have a router. It would be rather difficult for an outside machine to find my home machine. This provides me with a significant, yet not perfect, level of protection.

 

There are three types of infections that you need to worry about: viruses, worms, and trojan horses.

 

Viruses: Viruses are usually transmitted as email attachments. You get an email that looks like it is from a colleague or friend, and you open it. Attached to the message is a file that your friend is asking you to open and look at. You click on the attachment. BOOM, you are infected! It is NOT the email message that infected you; rather, it is the click on the attachment that did it. Several years ago I had a dean at another school who received 15 email messages from the Provost’s office. All were infected and he suspected it. Yet he clicked on the attachment on the 15th copy. He thought after 15, the Provost was serious. He couldn’t understand how he got infected. Unlike bacterial infections, you ARE infected the first time you click on the infected attachment, no exceptions.

 

There are several ways to protect yourself from these types of viruses. First, never click on an attachment you aren’t expecting, EVEN IF IT IS FROM A FRIEND OR COLLEAGUE. I have heard people say that they don’t open attachments from people they don’t know. Well, that is good as far as it goes. BUT YOU ARE FAR MORE LIKELY TO GET AN INFECTED ATTACHMENT FROM SOMEONE YOU DO KNOW THAN FROM SOMEONE YOU DON’T KNOW. Why? Two reasons. First, you probably get a lot more email from people you know. Second, you are more likely to appear as an entry in the address book of people you know, and that is where the virus gets its “hit” list.

 

Once your machine is infected, the virus looks in your address book and at any other email addresses it can find on your machine (such as email addresses in cached webpages you recently visited), replicates itself, and sends out the email with the infected attachment to all of those addresses. If you had never opened the attachment, you would not be sending the infection to your friends.

 

Second, look carefully at the email message and the subject line. If the email is very generic, as if it could have been written by a machine, or includes grammatical mistakes that indicate it may not have been written by a native English speaker, be VERY VERY suspicious. Do not open the attachment just yet; wait. Wait several hours and see if you get any more that are just like it from others. If you get several that are close (these things are known to morph a bit), you know it is a virus. In that case throw the email and attachment away without opening the attachment. Several years ago, on Valentine’s Day, I got a love letter from one of the Provost’s secretaries at another school. I knew her professionally, but the love letter was completely out of character. Rather than open the attachment I decided to wait, figuring if she loved me now, she would still love me in 4 hours. I checked my email 4 hours later. By then I had received over 100 copies of the same message from across the entire campus. I knew I wasn’t that loved. It was clearly a virus.

 

Viruses are getting more clever. It used to be that you could look at the FROM address and determine whose machine is infected. Not anymore. Now these viruses grab one of the addresses in the infected machine’s address book and place THAT address in the FROM line. This address spoofing makes it very difficult to determine where the email is coming from. It is tempting to write back to the person in the FROM line and report to them that they have an infection, but most likely they are an innocent bystander whose identity has been stolen.

 

Now let’s look at a specific example, the Bagle virus (there are various incarnations of this virus, but the basic identifiers that demonstrate the email is really a fake occur in one form or another in all of the variations). This is one that fools many people, but if you look at it carefully, you won’t be one of the suckers taken in by it (it really is a pretty bad attempt)...

 

From: staff@Vanderbilt.Edu [mailto:staff@Vanderbilt.Edu]

Sent: Wednesday, March 03, 2004 12:46 AM

To: Gordon, Jeff S

Subject: Notify about using the e-mail account.

 

Dear user of  Vanderbilt.Edu  gateway e-mail server,

 

Our antivirus  software has  detected a large ammount  of  viruses  outgoing from your email account, you may use our  free anti-virus  tool to  clean up your  computer software.

 

For details see the attached file.

 

For security purposes the attached  file is password protected. Password  is "70086".

 

Kind  regards,

The Vanderbilt.Edu team

 

This email also had an attachment to it called: moreinfo.zip

 

Let’s dissect the email. First, it is from staff@vanderbilt.edu. That is not a standard Vanderbilt address. Obviously a forged return address is a great clue. Then, rather than using my name, they sent it to: “Dear user of Vanderbilt.edu gateway email server”. That is just ridiculous. If it were real they wouldn’t have said Dear anybody; they just would have gone into the message body. This is a dead giveaway that it isn’t written by a competent native English speaker. But there is more: the word “amount” is misspelled with two copies of the letter m. Again we see evidence of poor English. Then, they have multiple paragraphs with just a single sentence in each; more poor English. They end the document with the words “Kind regards”. Nobody writes this way. That is how you end a business letter, not an email describing a problem. Finally they sign it “the Vanderbilt.Edu team”. They did this because this is the only way they could customize it to Vanderbilt. However, this isn’t how the email group signs its messages. Have you ever heard anybody call the email group “the Vanderbilt.edu team”? Again, a careful reading shows just how ridiculous this thing is.

 

They include a password protected attachment and then include the password in the body of the message. How stupid is that? If the file is that important, why would they include the password in the body of the message for anyone to read? Finally, no self-respecting support group, whether at Vanderbilt, Microsoft, McAfee or wherever, EVER sends an update or patch as an email attachment. It NEVER happens. NEVER. So you can see, this is a very poor fake email. If the email is fake, the attachment has to be a virus. Therefore, even without virus control this one was EASY to spot. Now I anticipate that as websites like this get around, the virus writers will become cleverer about the emails they send out. That is no problem. Be suspicious of all email attachments from everyone. If you aren’t sure, ask your email system administrator if the email is legitimate. And remember, patches, fixes, and updates are never sent by reputable support people as email attachments. You are always directed to websites to download and install the update.
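The mechanical clues from the dissection above (generic salutation, archive attachment, attachment password quoted in the body, a “security tool” delivered as an attachment, an impersonal “the <domain> team” signature) can be checked automatically. The following is an added example, not code from the original page: it runs those checks over a constructed message modelled on the quoted Bagle notice (real headers and payload are not reproduced); the poor-English cues remain a human judgement.

```python
import re
from email import message_from_string

# Constructed sample modelled on the Bagle notice quoted above; the real
# headers are not reproduced and the zip payload is a placeholder.
SUSPECT_MAIL = """\
From: staff@Vanderbilt.Edu
Subject: Notify about using the e-mail account.
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user of Vanderbilt.Edu gateway e-mail server,
Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software. For details see the attached file.
For security purposes the attached file is password protected. Password is "70086".

The Vanderbilt.Edu team
--b1
Content-Type: application/zip; name="moreinfo.zip"
Content-Disposition: attachment; filename="moreinfo.zip"

UEsDBAo=
--b1--
"""

RISKY_EXT = re.compile(r"\.(zip|exe|scr|pif|com|bat)$", re.I)

def indicators(raw):
    """Return the fake-notice indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")
    names = [p.get_filename() or "" for p in msg.walk()
             if p.get_content_disposition() == "attachment"]
    found = []
    if re.search(r"^dear (user|customer|member)\b", body, re.I | re.M):
        found.append("generic salutation")            # no real name used
    if any(RISKY_EXT.search(n) for n in names):
        found.append("archive or executable attachment")
    if re.search(r"password\s+is\s*[\"']?\w+", body, re.I):
        found.append("attachment password given in body")
    if names and re.search(r"anti-?virus tool|patch|update", body, re.I):
        found.append("security fix delivered as attachment")
    if re.search(r"^the \S+ team\s*$", body, re.I | re.M):
        found.append("impersonal 'the <domain> team' signature")
    return found
```

Any one hit is worth a pause; the sample trips all five, while an ordinary note from a colleague trips none.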

 

One last thing: there was a recently identified bug in Internet Explorer that allows a disreputable email to fake a web address. This problem has been partially fixed in a recent update of Internet Explorer, so make sure you have the latest patches on that. (And no, I am not going to send you the latest patch in an email. Go to: http://windowsupdate.microsoft.com and run the scan tool.) Furthermore, when in doubt, rather than clicking on the hyperlink in an email or copying and pasting the address into the browser, retype the entire hyperlink address in the address line of your browser. That will guarantee you are going to the address you specify. Just make sure the address is a real address. But when in doubt, just don’t go there.

 

NEW NOTE as of 11-09-04: There are new viruses that can take advantage of the Internet Explorer bug described above to transmit their payload by tricking you into going to a website, by clicking a weblink to a site containing the virus. Again, reading the email causes no problems, BUT when you go to the website by clicking on the weblink, the payload for the virus is then transmitted to your computer.

 

Here is an example of just such a message that came in an email to me:

 

Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days. To see details please click this link. DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received. Thank you for using PayPal.

Notice that there is a link they want you to click. Now I have redirected that link in this example to bring up the perfectly safe Vanderbilt homepage. But the REAL message sent you to a webpage that installed the virus on your machine. There are, however, a few giveaways that indicate that this message is a fraud. First, why would anybody congratulate you for charging your credit card? That makes no sense. Second, they mention your item but never mention what the item is. Third, the sentence “This email is being sent by an automated message system and the reply will not be received” is very awkward English. If you know how all this stuff works you can also look at the full message headers of the email and see that it never really came from PayPal. But the problem is that this message is very tempting. If you haven’t charged anything you are curious to see what you did charge. Do yourself a favor and wait. Check your credit card statements and dispute any charge that comes through. 999 times out of 1000 there isn’t a charge. The message is just a trick to get you to go to a website that will infect your machine.

 

There are two ways to protect your machine from viruses. First, use common sense and be suspicious of unexpected email attachments, even from friends. Second, install and regularly update a virus control program like McAfee and make sure it is running.

 

Worms: Worms are nasty little bugs that infect your machine regardless of what you are doing. Unlike viruses, which require you to affirmatively click on an attachment, worms are stealthy and find security holes in your machine through which they launch an attack without the user taking any action. Once your machine has been successfully compromised, it is turned into a zombie and starts its own round of attacks, looking for any unprotected machines it can find, anywhere on the Internet. You will notice that your machine behaves slowly, not just when searching the net but in launching and running applications like Word. This is because most of your machine’s resources are being used to launch an attack. If your machine is still extremely sluggish after rebooting, there is a good possibility it has been compromised.

 

There are three ways to protect your machine. First, make sure it has the current operating system patches installed. Second, install and keep current a virus control program like McAfee. Third, and most importantly, install a personal firewall around your computer to make it invisible to these worm attacks.

 

Trojan Horses: A trojan horse is a computer program, usually downloaded from the Internet, that purports to be innocuous but can create a problem on your machine. Like viruses, these have to be affirmatively installed on your system. Oftentimes these are transmitted as innocuous-looking links through Instant Messenger systems like AIM or file sharing programs like Kazaa. They have no other way of propagating themselves. In January 2004 a file was transmitted that looked like a link in AIM. If you went to the link, it asked you to download a small file to see a game called Osama Bin Laden. Of course, this piqued everyone’s curiosity. So people downloaded and installed the small game. What they didn’t know is that the game also took control of their buddy list and sent the link out via AOL Instant Messenger to all of the buddies on their list. Since their buddies thought it was coming from a friend, they too clicked on it, downloaded and installed the game which, in turn, repeated the process to all of the friends on their buddy lists.

 

Trojan horses are hard to protect against. Common sense is the best and only real protection. Don’t load programs when you aren’t certain who the developer is. Be suspicious. Virus control programs generally cannot protect you, since YOU affirmatively downloaded and installed the game. The antivirus program has no way of knowing you didn’t really want that game installed, so it lets you do it. (However, as the game becomes known to the antivirus developers, they may include a trap for it in subsequent pattern updates.) Likewise, neither patches nor firewalls can protect you, since they too cannot interpret your intent.

 

Now that you know what these nasty critters do, go back to the top of this document and click on the quick links to learn the specific steps to protect your machine.