Safe Computing - The Risks
Although most people think about viruses, the full picture is a bit wider as viruses are not the only problem. Any code or file from outside the system is a potential threat:
Basic principle of safe computing:
"Nothing runs on this system unless I choose to run it"
"I will assess and decide on all content before running it"
In the old days, only "programs", i.e. files with names ending in .bat, .com or .exe could be a problem. But this has changed:
So my current advice is to treat any file as a potential problem, no matter what it is called. Even .txt, .rtf and .htm files may be a risk, thanks to "active content" in HTML web pages and e-mail and Word's inanity regarding macros.
It's not only files that run; web pages that you visit on the Internet may contain malicious or buggy active content, scripts can be embedded within HTML-formatted email message bodies, and some email programs can be tricked into running raw code hidden within hyperlinks in the message itself.
How does it get in?
There are various entries to the system:
The big one is (6). Good build practice protects against (1, 3, 4, 5, 9) by setting up the PC and its software to minimize risk - but (2, 6) are up to you.
What is malware?
Malicious wares are files, code or content that act in an unexpected or undesirable manner; this includes trojans, viruses and worms - and yes, some commercial software. There's more on how these work.
What is a virus?
A virus is code that causes itself to be reproduced, infecting other disks or files and so causing it to spread. Because Word auto-runs macros, it is possible to write viruses that infect Word documents; indeed, these may now (mid-2000) be the world's most common viruses. However, expect active content in HTML e-mail to become as common.
Viruses may attempt to do no harm, but cause problems as a side effect of bad coding or compatibility issues. On the other hand, many (if not most) viruses will carry a payload that causes damage, timed to be executed after a certain number of days or events, or on a certain date (e.g. the original CIH hatched on 26 April).
What is a worm?
A worm is code that causes itself to spread over a network, infecting other systems. Typically it will do so by mailing itself to other addresses (e.g. Melissa) or by attaching itself to all messages you send (e.g. Happy99). Because it automates sending to addresses taken from your address book or mail, knowing the sender of a message is not enough to trust it.
The distinction between worm (e.g. Happy99) and virus (e.g. CAP) is blurred by malware such as Zipped_Files and Melissa. These arrive as trojans or viruses, may spread as viruses, but also send themselves off directly as worms do.
What is a trojan?
A trojan is a program or file that appears to be desirable, useful or interesting, but harbors malicious code. "Joke" programs sent as e-mail, pirate software downloaded from "warez" sites, and even web pages and HTML e-mail "text" can be trojans. Unlike worms and viruses, a pure trojan does not have to infect other networks, systems, disks or files to spread. However, many automate their spread as worms.
What is a RAT?
A Remote Access Trojan is a program that effectively acts as a "virtual keyboard" on the system, allowing hackers to access your computer over the Internet. Files can be downloaded and read, uploaded to your system, or deleted, and arbitrary programs can be run on the system as well. As there is a live human at the other end, with a high degree of access to the PC, the behavior of a RAT is unbounded by the code itself. In particular, passwords and credit card numbers may be stolen and used.
What are attachments?
Arbitrary files can be sent along with e-mail messages as enclosures or attachments.
Such files can be anything: trojans, trojan web pages, virus-infected documents and other files. This is the most common form of malware spread, and clueless users are not only falling victim to this but are causing the problem by allowing their systems to spread it to other users. Please do not be part of this problem!
What is active content?
Because active content can go anywhere HTML can go, and because many e-mail programs send mail in HTML form, even the e-mail message itself can be
What is a payload?
The payload is what the malware does that is offensive! Includes:
By the way, (3) and (4) are non-trivial. Corrupted data cannot always be recovered, no matter how many hours' labor you are prepared to pay for, and a corrupted BIOS can require replacement of the motherboard or the entire system ("name" PCs and laptops).
What's wrong with Microsoft?
Part of the reason Microsoft products are targeted is because they are so commonly used, and because Microsoft is unpopular with some users for various reasons. But a large part of the problem is the nature of Microsoft's products themselves.
MS Word will not only automatically run macros (i.e. programs) of a certain name within any document, but will do so even when the file has a non-Word file extension such as .txt (plain text), .rtf (Rich Text Format, which is an open standard and should have no macros) or .htm (HTML, the stuff of which web pages are made).
This is nasty, because people will typically use .txt, .rtf and .htm in an attempt to send data in a safe way that can be read in any program - so these should never contain Word macros anyway! There is another flaw: if a file recognized as being associated with Word is right-clicked and the Print option is used (intuitively, this would appear to be safe practice), the macro warning is bypassed and macros run.
MS PowerPoint and Excel also autorun macros within their files, and hybrid malware was beginning to appear when this document was written, which can hop from one Office application to another or attack the system via active content scripting or dropped program code files. Active content can re-attack the system via "Active Desktop" and "View as Web Page".
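The practical check a defender can make for the extension trap described above, as an added example that is not from this page and not Microsoft's code: compare what the file name claims with what the first bytes of the file say. A binary Word, Excel or PowerPoint document (the kind that can carry macros) always starts with the OLE2 compound-file signature, so a ".txt" or ".rtf" that begins with that signature is an Office document in disguise. The signature is real; the sample headers, file names and function names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Signature at the start of every OLE2 compound file; binary Word, Excel and
 * PowerPoint documents (the kind that can carry macros) begin with it. */
static const unsigned char OLE2_MAGIC[8] = {
    0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1
};

/* Extensions people use when they mean "this is just text, open it anywhere". */
static const char *const PLAIN_EXTS[] = { "txt", "rtf", "htm", "html" };

/* Case-insensitive comparison of two short ASCII strings. */
static int str_ieq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Pointer to the extension after the last '.', or "" if there is none. */
static const char *file_ext(const char *name)
{
    const char *dot = strrchr(name, '.');
    return dot ? dot + 1 : "";
}

/* 1 if the name ends in one of the "plain" extensions, else 0. */
int claims_plain_format(const char *name)
{
    const char *ext = file_ext(name);
    size_t i;
    for (i = 0; i < sizeof PLAIN_EXTS / sizeof PLAIN_EXTS[0]; i++)
        if (str_ieq(ext, PLAIN_EXTS[i]))
            return 1;
    return 0;
}

/* 1 if the first bytes of the content carry the OLE2 signature, else 0. */
int looks_like_ole2(const unsigned char *data, size_t len)
{
    return len >= sizeof OLE2_MAGIC &&
           memcmp(data, OLE2_MAGIC, sizeof OLE2_MAGIC) == 0;
}

/* The check itself: a file that claims a plain format but starts with an
 * OLE2 header is a binary Office document in disguise; Word would open it
 * as one and, as the page describes, run its macros. 1 = flag, 0 = clean. */
int is_disguised_office_file(const char *name, const unsigned char *data, size_t len)
{
    return claims_plain_format(name) && looks_like_ole2(data, len);
}

/* Read the first 8 bytes of a real file and apply the check.
 * Returns 1 (flag), 0 (clean) or -1 (could not open the file). */
int check_file_on_disk(const char *path)
{
    unsigned char head[8];
    size_t n;
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    n = fread(head, 1, sizeof head, f);
    fclose(f);
    return is_disguised_office_file(path, head, n);
}

/* Constructed sample headers for the demonstration (not real documents). */
static const unsigned char SAMPLE_OLE2_HEAD[16] = {
    0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1, 0, 0, 0, 0, 0, 0, 0, 0
};
static const unsigned char SAMPLE_TEXT_HEAD[] = "Meeting notes, Tuesday";
static const unsigned char SAMPLE_RTF_HEAD[]  = "{\\rtf1\\ansi Hello}";

int main(void)
{
    printf("notes.txt  (OLE2 bytes): %d\n",
           is_disguised_office_file("notes.txt", SAMPLE_OLE2_HEAD, sizeof SAMPLE_OLE2_HEAD));
    printf("notes.txt  (text bytes): %d\n",
           is_disguised_office_file("notes.txt", SAMPLE_TEXT_HEAD, sizeof SAMPLE_TEXT_HEAD - 1));
    printf("memo.rtf   (RTF bytes):  %d\n",
           is_disguised_office_file("memo.rtf", SAMPLE_RTF_HEAD, sizeof SAMPLE_RTF_HEAD - 1));
    printf("report.doc (OLE2 bytes): %d\n",
           is_disguised_office_file("report.doc", SAMPLE_OLE2_HEAD, sizeof SAMPLE_OLE2_HEAD));
    return 0;
}
```

The check is deliberately narrow: it flags only the mismatch the page describes (Office binary behind a "safe" extension). An honest .doc is not flagged, because the extension already tells you to treat it as a macro carrier, and a genuine RTF (which begins with `{\rtf`) passes, so the check says nothing about whatever a real RTF may embed. It is a cheap first filter to run over a download or attachment directory, not a substitute for the virus scanner.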
MS Outlook (nicknamed 'Outbreak') has several fatal flaws:
Item (3) is interesting. If one creates a very long hyperlink (those blue things that run attached files or whisk you off to a web site when clicked) and places raw code at the end of it, one can cause the program to crash or run that code as if it were part of the program. That raw code can do anything: infect files, trash data, whatever software can do. Most programs will check that external data (such as a link) is not too long to fit in the program's buffer before copying it in. Alas, not MS - even their heavy-duty NT Server has situations where unchecked buffer overruns can be exploited.
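An added illustration of the check the paragraph above says is missing; this is not the page's code and not Outlook's, just the same copy written without and with a length test. The buffer size, the link values and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Deliberately small so the length check is easy to follow; a mail client's
 * real buffer would be larger, but the logic is the same. */
#define LINK_BUF_SIZE 32

/* The pattern the page describes: external data (a hyperlink taken from a
 * message) copied into a fixed-size buffer with no length check. A link of
 * LINK_BUF_SIZE bytes or more writes past the end of 'dst', which is
 * undefined behaviour; the page's point is that the bytes beyond the end can
 * then be treated as if they were part of the program. Kept only as the
 * "before" half of the comparison, and only ever called with a short link. */
void store_link_unchecked(char *dst, const char *link)
{
    strcpy(dst, link);
}

/* Hardened version: refuse anything that does not fit, terminator included.
 * Returns 0 on success, -1 if the link was rejected. On rejection 'dst' is
 * left as an empty string, so the caller never sees a half-copied value. */
int store_link_checked(char *dst, size_t dst_size, const char *link)
{
    size_t n = strlen(link);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {          /* n == dst_size would leave no room for NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, link, n + 1);     /* n + 1 copies the terminating NUL as well */
    return 0;
}

/* Constructed inputs (not from any real message). */
static const char SHORT_LINK[] = "http://example.invalid/doc";   /* 26 bytes */
#define LONG_LINK_LEN 200                                          /* far over LINK_BUF_SIZE */

static void make_long_link(char *out)
{
    memset(out, 'A', LONG_LINK_LEN);
    out[LONG_LINK_LEN] = '\0';
}

/* Demonstrations that return a result rather than only printing one. */
int demo_short_link_accepted(void)
{
    char buf[LINK_BUF_SIZE];
    return store_link_checked(buf, sizeof buf, SHORT_LINK) == 0 &&
           strcmp(buf, SHORT_LINK) == 0;
}

int demo_long_link_rejected(void)
{
    char buf[LINK_BUF_SIZE];
    char long_link[LONG_LINK_LEN + 1];
    make_long_link(long_link);
    return store_link_checked(buf, sizeof buf, long_link) == -1 && buf[0] == '\0';
}

/* The unchecked copy looks fine on a short link, which is exactly why the
 * bug goes unnoticed until someone sends a long one. */
int demo_unchecked_works_on_short_link(void)
{
    char buf[LINK_BUF_SIZE];
    store_link_unchecked(buf, SHORT_LINK);
    return strcmp(buf, SHORT_LINK) == 0;
}

int main(void)
{
    printf("checked, short link accepted: %d\n", demo_short_link_accepted());
    printf("checked, long link rejected:  %d\n", demo_long_link_rejected());
    printf("unchecked, short link copied: %d\n", demo_unchecked_works_on_short_link());
    return 0;
}
```

The only difference between the two functions is the `n >= dst_size` test before the copy; everything the page describes (crash, or foreign bytes treated as program) follows from leaving it out. Rejecting an overlong link outright, rather than truncating it, is the simpler rule to reason about: a link that does not fit is not a link the program can safely act on.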
One of the worst bugs allows arbitrary files to be embedded in HTML (email "messages", web pages) in such a way that they are automatically "opened" even if you don't click anything. You simply have to fix
Safe Computing - The Response
How to be safe?
Choose your software carefully.
Where e-mail is concerned, I used to stick to Eudora 3.06 as it is not vulnerable to buffer overruns, does not execute active content in HTML mail, and (the biggie) it creates incoming attachments as files as they are downloaded. I now (end 2000) use Eudora 5.02, which requires some options settings to wall out a few risks (e.g. don't use Microsoft's HTML viewer) but thereafter is as safe as Eudora 3.xx, though prettier.
That means you can simply virus check one (known) directory to scan all files downloaded to date - whereas in (say) Outbreak, you have to not double-click the link ("bang; you're dead" if you do) but save as a file instead. Then, remember where you saved it and what it was called, then go out of Outbreak to (say) Explorer to find the file and scan it. And repeat all that all over again for each file you receive.
It also means that if you receive a trojan and want to delete all occurrences of it, you can simply do a Find for that file and you will find them all. Whereas with Outbreak, the file will be hidden within the mail box where Find can't find it and the virus scanner can't scan it. Even if you delete the message, it will still be in the "Trash" unless you delete it there as well.
Set up the system for safety.
My build practice does that, but by installing an ISP's software CD, you will most likely breach this protection. This may have re-enabled auto-running of CDs, your newly-installed web browser will have valid e-mail settings that facilitate malicious auto-sending of malware, and it is probably set to run all forms of active content without your knowledge or consent.
You should consider re-instating protection against active content (Tools, Options, Security tab, Custom, set everything except download and drag-n-drop to Prompt or Disable), and the use of a safer e-mail application.
Think before you click
Don't even consider "opening" an attachment unless:
"Here are the files you requested" is not a meaningful reference to attached files; several trojans and worms use similar generic phrasing when sending themselves to addresses stolen from your own "address book" (Melissa with Outlook) or incoming messages (Zipped_Files trojan).
Don't send attachments unless you need to, and if you do, describe every file you send in a meaningful way. Don't presume the trust of strangers by sending them unsolicited attachments, especially "joke" files received from other strangers.
Don't allow active content to run unless you trust the site and the site needs it to do something important and useful to you (e.g. a banking site or a sign-up server).
Don't "open" files off a diskette without virus checking first, and I'd extend that advice even to computer CDs.
Check any files you download off the web before using them.
Be realistic about your virus scanner
A scanner is only as good as its signature files, so update these regularly - preferably every month at least. For example, F-Prot uses files from www.complex.is, and these are updated several times a month.
However, in an age of easy-to-use scripting and macro languages that comprise editable source code others can modify, you can expect script kiddies to spawn new variants at a prodigious rate. With online web pages that can be updated (or hacked) every few hours, and CD-ROM disks that contain a million e-mail addresses for sale, the risk of encountering new malware unknown to your scanner is non-trivial.
So, check everything external before use, but if the file is of dubious origin and/or unsolicited (see "Think before you click") just don't "open" it at all.
After all, you don't feel obliged to read every junk mail stuffed into your letterbox; why should you open every potential parcel-bomb thrown through the window?
(C) Chris Quirke, all rights reserved