Safe Computing - The Risks

Although most people think about viruses, the full picture is a bit wider as viruses are not the only problem. Any code or file from outside the system is a potential threat:

  1. Sent deliberately by one who means you ill 
  2. Sent accidentally (i.e. by computer, not user)
  3. Assumed safe, but harbors dangerous content
  4. Intended safe, but programming bugs cause danger
  5. Intended safe, but incompatible with system

Basic principle of safe computing:

"Nothing runs on this system unless I choose to run it"

Corollary:

"I will assess and decide on all content before running it"

What runs?

In the old days, only "programs", i.e. files with names ending in .bat, .com or .exe could be a problem. But this has changed:

  1. MS Word will automatically run macros in documents
  2. MS Word will do that no matter the extension, even .txt
  3. Web browsers and e-mail programs may run code within HTML
  4. Windows Scripting Host will run a variety of file extensions
  5. Other non-obvious/hidden extensions can carry code; .pif, .shs etc.

So my current advice is to treat any file as a potential problem, no matter what it is called. Even .txt, .rtf and .htm files may be a risk, thanks to "active content" in HTML web pages and e-mail and Word's inanity regarding macros.

It's not only files that run; web pages that you visit on the Internet may contain malicious or buggy active content, scripts can be embedded within HTML formatted email message bodies, and some email programs can be tricked into running raw code hidden within hyperlinks within the message itself.

How does it get in?

There are various entries to the system:

  1. Booting off diskette drive (set boot order C: before A:)
  2. Running or "opening" files off diskette or CD
  3. Auto-running computer CDs (disable)
  4. Visiting web sites on the Internet
  5. Reading e-mail in an insecure e-mail program
  6. Running or "opening" files received as e-mail attachments
  7. Running software that auto-installs stuff from the Internet
  8. Being on-line when someone else hacks in over the Internet
  9. Allowing access to the PC keyboard, or access via modem "data calls"

The big one is (6). Good build practice protects against (1, 3, 4, 5, 9) by setting up the PC and its software to minimize risk - but (2, 6) are up to you.

What is malware?

Malicious wares are files, code or content that act in an unexpected or undesirable manner; includes trojans, viruses and worms - and yes, some commercial software. There's more on how these work.

What is a virus?

A virus is code that causes itself to be reproduced, infecting other disks or files and so causing it to spread. Because Word auto-runs macros, it is possible to write viruses that infect Word documents; indeed, these may now (mid-2000) be the world's most common viruses. However, expect active content in HTML e-mail to become as common.

Viruses may attempt to do no harm, but cause problems as a side effect of bad coding or compatibility issues. On the other hand, many (if not most) viruses will carry a payload that causes damage, timed to be executed after a certain number of days or events, or on a certain date (e.g. the original CIH hatched on 26 April).

What is a worm?

A worm is code that causes itself to spread over a network, infecting other systems. Typically it will do so by mailing itself to other addresses (e.g. Melissa) or by attaching itself to all messages you send (e.g. Happy99). Because it automates the send to addresses derived from your address book or mail, it is not enough to know the sender of a message to trust it.

The distinction between worm (e.g. Happy99) and virus (e.g. CAP) is blurred by malware such as Zipped_Files and Melissa. These arrive as trojans or viruses, may spread as viruses, but also send themselves off directly as worms do.

What is a trojan?

A trojan is a program or file that appears to be desirable, useful or interesting, but harbors malicious code. "Joke" programs sent as e-mail, pirate software downloaded from "warez" sites, and even web pages and HTML e-mail "text" can be trojans. Unlike worms and viruses, a pure trojan does not have to infect other networks, systems, disks or files to spread. However, many automate their spread as worms.

What is a RAT?

A Remote Access Trojan is a program that effectively acts as a "virtual keyboard" on the system, allowing hackers to access your computer over the Internet. Files can be downloaded and read, uploaded to your system, or deleted and arbitrary programs can be run on the system as well. As there is a live human at the other end, with a high degree of access to the PC, the behavior of a RAT is unbounded by the code itself. In particular, passwords and credit card numbers may be stolen and used.

What are attachments?

Arbitrary files can be sent along with e-mail messages as enclosures or attachments.

Such files can be anything; trojans, trojan web pages, virus infected documents and other files. This is the most common form of malware spread, and clueless users are not only falling victim to this but are causing the problem by allowing their systems to spread this to other users. Please do not be part of this problem!

What is active content?

Active content includes Java, JavaScript and VBScript. These are programming or scripting languages that are sent from a website to the computer that visits the site, and run on that computer, without the user's knowledge or consent. This is clearly beyond the bounds of safe computing practice!

Because active content can go anywhere HTML can go, and because many e-mail programs send mail in HTML form, even the e-mail message itself can be dangerous.

What is a payload?

The payload is what the malware does that is offensive! This includes:

  1. Privacy; passwords, credit card numbers etc. sent over Internet
  2. Impersonation; sending messages as if from yourself
  3. Damage; deleting and trashing your data and system files
  4. Hardware damage; reprogramming the BIOS so system cannot boot
  5. Denial of service; interferes with system functionality

By the way, (3) and (4) are non-trivial. Corrupted data cannot always be recovered, no matter how many hours of labor you are prepared to pay for, and a corrupted BIOS can require replacement of the motherboard or the entire system ("name" PCs and laptops).

What's wrong with Microsoft?

Part of the reason Microsoft products are targeted is because they are so commonly used, and because Microsoft is unpopular with some users for various reasons. But a large part of the problem is the nature of Microsoft's products themselves.

MS Word will not only automatically run macros (i.e. programs) of a certain name within any document, but will do so even when the file has a non-Word file extension such as .txt (plain text), .rtf (Rich Text Format, which is an open standard and should have no macros) or .htm (HTML, the stuff of which web pages are made).

This is nasty, because people will typically use .txt, .rtf and .htm in an attempt to send data in a safe way that can be read in any program - so these should never contain Word macros anyway! There is another flaw, that if a file recognized as being associated with Word is right-clicked and the Print option is used (intuitively, this would appear to be safe practice), the macro warning is bypassed and macros run.

MS PowerPoint and Excel also autorun macros within their files, and hybrid malware was beginning to appear when this document was written, which can hop from one Office application to another or attack the system via active content scripting or dropped program code files. Active content can re-attack the system via "Active Desktop" and "View as Web Page".

MS Outlook (nicknamed 'Outbreak') has several fatal flaws:

  1. Reads HTML mail and executes active content in it
  2. Has "unchecked buffer" vulnerabilities
  3. Stores attached files within mailboxes
  4. Creates and jumps into these files when these are "opened"
  5. May be controlled via Word macros as well as active content
  6. Uses IE's usually-broken HTML rendering engine

Item (2) is interesting. If one creates a very long hyperlink (those blue things that run attached files or whisk you off to a web site when clicked) and places raw code at the end of it, one can cause the program to crash or run that code as if it was part of the program. That raw code can do anything; infect files, trash data, whatever software can do. Most programs will check that external data (such as a link) is not too long to fit in the program's buffer before copying it in. Alas, not MS - even their heavy-duty NT Server has situations where unchecked buffer overruns can be exploited.

One of the worst bugs allows arbitrary files to be embedded in HTML (email "messages", web pages) in such a way that they are automatically "opened" even if you don't click anything. You simply have to fix this!


Safe Computing - The Response

How to be safe?

Choose your software carefully.

Where e-mail is concerned, I used to stick to Eudora 3.06 as it is not vulnerable to buffer overruns, does not execute active content in HTML mail, and (the biggie) it creates incoming attached files as files as these are downloaded. I now (end 2000) use Eudora 5.02, which requires some options settings to wall out a few risks (e.g. don't use Microsoft's HTML viewer) but thereafter is as safe as Eudora 3.xx, though prettier.

That means you can simply virus check one (known) directory to scan all files downloaded to date - whereas in (say) Outbreak, you have to not double-click the link ("bang; you're dead" if you do) but save as a file instead. Then, remember where you saved it and what it was called, then go out of Outbreak to (say) Explorer to find the file and scan it. And repeat all that all over again for each file you receive.

It also means that if you receive a trojan and want to delete all occurrences of it, you can simply do a Find for that file and you will find them all. Whereas with Outbreak, the file will be hidden within the mail box where Find can't find it and the virus scanner can't scan it. Even if you delete the message, it will still be in the "Trash" unless you delete it there as well.
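The two points above, that a file name says nothing about what a file really is, and that attachments kept in one known directory can all be checked in one pass, can be combined into a content check. The following is an added example, not code from the original page: it names each file's real format from its leading bytes (OLE2 Office document, MZ executable, RTF, HTML with script or object tags) and flags files whose name claims a "safe" text-like extension; the sample attachments are constructed in a temporary directory and contain no real malware.

```python
import os
import tempfile

# Magic bytes of formats that may carry macros or native code, checked against
# the name the file arrived with (Word opens an OLE2 document as a document
# even when it is called .txt or .rtf). The "MZ" check is a simple prefix test.
SIGNATURES = (
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-office-document"),  # Word/Excel/PowerPoint binary
    (b"MZ", "dos-windows-executable"),                              # .exe/.com/.pif/.scr style image
    (b"{\\rtf", "rtf"),
)
ACTIVE_HTML = (b"<script", b"<object", b"<embed", b"<applet")   # tags that mean "active content"
TEXT_LIKE = {".txt", ".rtf", ".htm", ".html"}                    # names people assume are harmless


def classify(data: bytes) -> str:
    """Name the real format from content alone, ignoring the file name."""
    head = data[:1024]
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            return name
    low = head.lower()
    if any(tag in low for tag in ACTIVE_HTML):
        return "html-active"
    if b"<html" in low or b"<body" in low:
        return "html"
    return "text"


def assess(filename: str, data: bytes) -> list:
    """Return reasons to refuse the file; an empty list means no mismatch was found."""
    ext = os.path.splitext(filename)[1].lower()
    kind = classify(data)
    reasons = []
    if ext in TEXT_LIKE and kind in ("ole2-office-document", "dos-windows-executable"):
        reasons.append(f"{ext} name but content is {kind}")
    if kind == "html-active":
        reasons.append("HTML carries active content (script/object/embed/applet)")
    return reasons


def scan_directory(path: str) -> dict:
    """Assess every file in one known attachment directory (the Eudora case above)."""
    verdicts = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                verdicts[name] = assess(name, fh.read(1024))
    return verdicts


def demo() -> dict:
    """Constructed sample attachments (hypothetical names, harmless bytes) in a temp dir."""
    samples = {
        "notes.txt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,  # OLE2 header, named .txt
        "readme.txt": b"Plain text, nothing to run here.\n",
        "invoice.htm": b"<html><body><script>x = 1;</script></body></html>",
        "report.rtf": b"{\\rtf1\\ansi Hello}",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        return scan_directory(d)
```

Running demo() flags notes.txt and invoice.htm and passes readme.txt and report.rtf; point scan_directory() at the real attachment directory to check everything received so far in one go.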

Set up the system for safety.

My build practice does that, but by installing an ISP's software CD, you will most likely breach this protection. This may have re-enabled auto-running of CDs, your newly-installed web browser will have valid e-mail settings that facilitate malicious auto-sending of malware, and it is probably set to run all forms of active content without your knowledge or consent.

You should consider re-instating protection against active content (Tools, Options, Security tab, Custom, set everything except download and drag-n-drop to Prompt or Disable), and the use of a safer e-mail application.

Think before you click

Don't even consider "opening" an attachment unless:

"Here are the files you requested" is not a meaningful reference to attached files; several trojans and worms use similar generic phrasing when sending themselves to addresses stolen from your own "address book" (Melissa with Outlook) or incoming messages (Zipped_Files trojan).

Don't send attachments unless you need to, and if you do, describe every file you send in a meaningful way. Don't presume the trust of strangers by sending them unsolicited attachments, especially "joke" files received from other strangers.

Don't allow active content to run unless you trust the site and the site needs it to do something important and useful to you (e.g. a banking site or a sign-up server).

Don't "open" files off a diskette without virus checking first, and I'd extend that advice even to computer CDs.

Do virus check any files you download off the web before using them.

Be realistic about your virus scanner

A scanner is only as good as its signature files, so update these regularly - preferably every month at least. For example, F-Prot uses files from www.complex.is, and these are updated several times a month.

However, in an age of easy-to-use scripting and macro languages that comprise editable source code others can modify, you can expect script kiddies to spawn new variants at a prodigious rate. With online web pages that can be updated (or hacked) every few hours, and CD-ROM disks that contain a million e-mail addresses for sale, the risk of encountering new malware unknown to your scanner is non-trivial.

So, check everything external before use, but if the file is of dubious origin and/or unsolicited (see "Think before you click") just don't "open" it at all.

After all, you don't feel obliged to read every junk mail stuffed into your letterbox; why should you open every potential parcel-bomb thrown through the window?


(C) Chris Quirke, all rights reserved
