
DRAFT Mar 2001 DRAFT

Computer Security and Anti-Virus Techniques

for Rice University

  1. Introduction
  2. What Are Viruses, Worms, and Trojans?
  3. Is it more dangerous to have an Internet connection?
  4. Safe E-mail Practices
  5. Securing Outlook 98/2000 and Outlook Express
  6. Safe Microsoft Word/Office Practices
  7. Other Ways to Secure Your System
  8. Hoaxes
  9. Forged E-mail Addresses
  10. Anti-virus Software
  11. Malicious Software Documented at Rice
  12. Where to Find More Help
  13. Where to Find Security Patches
  14. More Useful Web Links

Introduction

As computers and their operating systems become more advanced and complicated, they become more susceptible to wrongdoing. Pranksters and "crackers" have learned to exploit errors in operating system and application software in order to manipulate computer systems. This manipulation may take the form of harmless self-propagating software in the form of a "virus" or "worm", or a much more insidious version which can make a nuisance of itself or destroy data. Sometimes, viruses will exploit normal features of a software application or operating system in ways that the original programmers never imagined. In the worst case, crackers will take advantage of poor security to install software which allows them to control the computer remotely. They can see files, monitor the user's typing, and use the computer as a jump off point (or "zombie") for attacking other computers.

We must not believe the many, who say that only free people ought to be educated, but we should rather believe the philosophers who say that only the educated are free.

-Epictetus, "Discourses"

This document explains the various types of dangerous software, and proposes simple techniques you can use to minimize the likelihood that you will be victimized. Most of this document applies to both Mac and Windows/PC users. Differences between the two platforms will be noted.

Throughout this document, you will find illustrated guides to performing tasks on your computer called pictoguides. To open a pictoguide, simply click the miniature thumbnail or the heading at the top of the thumbnail.

What Are Viruses, Worms and Trojans?

Malicious software has developed its own terminology. The news media tend to use the various names for dangerous software interchangeably, and even I have been guilty of interchanging them for convenience. But these terms do have specific meanings, and it's important to know the difference in order to assess the potential threat.

Viruses

A virus is a piece of malicious software which is attached to an existing and otherwise normal software application. The virus code is not part of the original application, so we say that the application has been "infected" and has become the "host" for the virus. When the application is started, the virus goes into action and copies itself to other applications. If those applications are opened, the virus runs again, possibly spreading to previously uninfected applications. Once the virus is installed, it may also do things other than simply replicate, such as display messages on screen, damage and destroy files, or even try to damage the computer's hardware. This malicious behavior is called the "payload". The infected applications may also develop problems, such as crashing or other strange behavior.

True viruses are much less common than they used to be, for several reasons. Today, computer users rarely exchange software applications directly, since they can buy applications on CD or download free software from major Internet Web sites. Viruses that infect application files directly are usually detected on these sites and removed before users can copy them.

However, traditional viruses are still a threat if you trade software with friends using any kind of removable media like Zip, writable CD or floppy disks. Traditional viruses are specific to the computer platform for which they are designed; a PC virus cannot affect a Mac, or vice versa.

Macro Viruses

Macro viruses are a special case of viruses. Instead of infecting software program files directly, macro viruses infect Microsoft Office documents and templates. They exist because Microsoft has implemented a complete programming language in their Office applications which allows any document to contain software code. This code is saved with the document or template, and it runs again the next time that document is opened in the Office application. Macro viruses are most common in Microsoft Word documents, and there are also many Microsoft Excel macro viruses. Much less common but still a threat are Microsoft PowerPoint and Microsoft Access viruses.

Macro viruses can be extremely dangerous, since the scripting language built into Microsoft Office (called "Visual Basic for Applications") gives the virus full control of the computer, including the ability to run arbitrary software, send e-mail, delete files, or activate some other malicious payload. Most macro viruses copy themselves to other Office documents, so if you open an infected Microsoft Word document, for example, you may find that all other Word documents which you open will also become infected.

Unlike any other malicious software, macro viruses can cross between Mac and PC. The versions of Microsoft Office applications on these two platforms are very similar, and they use the same programming language.

Viruses get their name from their need for a host: a regular virus requires a software program, and a macro virus requires a Microsoft Office document. Without these "hosts", the viruses cannot function. Since the host may appear to function as a perfectly normal program or document, one can become infected without even realizing it.

Worms

Worms are malicious software which spreads without any user intervention at all. They take advantage of bugs or errors in the computer's operating system or applications; a true worm does not require that the user commit any specific action in order to propagate itself to other computers.

Fortunately, true worms are very rare on personal computers. The worm requires operating system services which are not very common in desktop operating systems. Worms are a problem for servers, however, which maintain constant network connections and run services which perform periodic communication. One of the earliest and most successful pieces of malware, the Morris Internet Worm, infected UNIX servers across the world in 1988 by exploiting a bug in the way servers exchange e-mail. Rice's own Owlnet servers were infected as well, but the damage was limited because we ran out of disk space!

Rice recently suffered a genuine worm attack in the form of the BleBla worm, which takes advantage of programming flaws in Outlook/Outlook Express.

Trojan Horses

I have never seen such another man as Ulysses. What endurance too, and what courage he displayed within the wooden horse, wherein all the bravest of the Argives were lying in wait to bring death and destruction upon the Trojans.

The Odyssey, translated by Samuel Butler, Project Gutenberg

Trojan horses take their name from the famous Trojan horse of Homer's Odyssey. A computer trojan horse is an apparently normal piece of software which may function as expected, but which may also deliver a malicious payload, such as deleting or modifying files, transmitting keystrokes or files to someone else, or causing other damage.

Unlike a virus-infected application, the trojan horse is designed maliciously from the start to masquerade as a normal document or software application. There is no "infection" process. Trojans don't propagate by adding copies of themselves to existing files. Unlike a worm, the trojan horse software requires the user to open it.

Hybrids

In fact, most dangerous software combines the features of several types. One of the first successful e-mail attacks, the Happy99 Virus, wasn't merely a virus. It combined the features of a trojan, a worm and a virus! Happy99 appeared as an e-mail attachment. When opened, it displayed a pleasant fireworks animation, tricking the user into thinking it was harmless entertainment, just as a trojan does. Then, like a virus, it modified the computer's operating system files and installed software code which would create copies of itself whenever the user sent e-mail. Finally, like a worm, Happy99 propagated to other computers via e-mail.

Malicious Software

Taken as a group, these many types of software are called "malicious software", because they modify your computer's files without asking and attempt to perform some kind of annoying or dangerous activity. In the computer community, the spectrum of malicious software is often called malware.

By understanding the various attack mechanisms which malware will use to get a foothold on your computer system, you can prepare yourself and avoid any costly mistakes.

Summary:

  • Viruses propagate by infecting applications and operating system software.
  • Operating system or application software which has been modified by a virus is infected.
  • Malicious or annoying actions committed by a virus, worm or trojan are the payload.
  • Macro viruses behave like normal viruses, except they infect Microsoft Office documents.
  • Worms are designed to propagate automatically and silently, without modifying software or alerting the user.
  • Trojan Horses are apparently normal pieces of software which are designed to deliver a malicious payload.
  • Hybrids combine several of these techniques into a single attack.
  • Malware is malicious computer software that falls into any of these groups.

Is it more dangerous to have an Internet connection?

Since I help many Rice users with their home dial-up connections, I am often asked whether having a connection to the Internet puts the computer at risk for exploitation by malicious software.

Superficially, the answer is yes. Since many modern forms of malware propagate by e-mail, it's easy to blame the Internet for these problems. It's also possible to download malware from the World Wide Web, in the form of a Trojan horse program that looks normal, but installs malicious software.

The fascination resides in the thorough rightness of computers as communications instruments, which implies some revolutions.

"Spacewar: Fanatic Life and Symbolic Death Among the Computer Bums"
by Stewart Brand, Rolling Stone 7 Dec 1977

However, there is nothing fundamentally evil about e-mail. Malware exploits e-mail because e-mail is the most common form of communication available for personal computers. Back in the old days before e-mail, virus writers learned how to infect the "boot sector" on floppy disks, taking advantage of the fact that people used to use floppies to trade software. If a new form of communication becomes popular, you can be sure that malware will follow suit. Already, malware writers are working on ways to trick users of chat software like ICQ, AOL Instant Messenger and mIRC into downloading malware by exploiting the file-transfer capabilities of these tools.

In fact, one might think that the only secure computer system is one that is disconnected from the Internet, in a locked room, with the power turned off. But such a computer is useless; the reason we own computers is to take advantage of the rich communication facilities of the Internet, even if it is more dangerous to be connected. So we'd better get comfortable with the idea of defending ourselves from malicious software.

Electronic "mail" delivery is another exciting prospect of the very near future. Letters, typed or written on special forms like wartime V-mail, will be automatically read and flashed from continent to continent and reproduced at receiving stations within a few minutes of transmission.

Arthur C. Clarke, speech to the American Institute of Architects, May 1967

Safe E-mail Practices

Fortunately, protecting yourself from e-mail-borne malicious software is easy, once you understand the nature of the threat. All e-mail viruses take advantage of attachments, the special ability of modern e-mail software to include any type of file with an e-mail message. Most e-mail attacks rely on psychological tricks to convince you, the e-mail recipient, to open an attachment which contains malware code.

The solution to this problem is easy, and it can be summed up in one simple rule. In fact, you might want to print this and paste it prominently on your keyboard:

The Golden Rule of E-mail Protection

NEVER OPEN AN E-MAIL ATTACHMENT UNLESS YOU HAVE INDEPENDENTLY CONFIRMED ITS CONTENT AND VALIDITY!

Independent confirmation can consist of:

Remember, the e-mail containing the attachment cannot be trusted. If the sender's computer has been infected with malware, it may generate friendly-looking e-mail messages. It might use randomly generated text or subject lines, or it might look at existing e-mail messages on the sender's computer and create a fake message that looks like a reply to one of your messages! So, you must obtain confirmation outside of the e-mail message containing the attachment.

Even before you get independent confirmation, you can identify characteristics of the e-mail which could raise a warning flag. Look at the names of the attachments. If the names end with any of the following three-letter extensions, be suspicious that you have received malware.

File Extensions of Evil

 .BAS  .BAT  .CHM  .CMD  .COM  .CRT  .DOC  .DOT  .EXE  .HLP  .INF  .INS  .ISP  .LNK  .MDB  .MDW  .MST  .MTX  .PCD  .PI   .POT  .PPA  .PPS  .PPT  .REG  .RTF  .SCR  .SHS  .URL  .VBS  .XLS  .XLT  .XLW  .WSF  .WSH

You will note that some of the three-letter file extensions (.DOC, .XLS, .PPT, and .MDB) correspond to Microsoft Word, Excel, PowerPoint and Access respectively. Because of macro viruses, these file types can propagate malicious code. Microsoft Office files are only safe if you have secured your installation of Microsoft Office, see below.

This list is not (and cannot be) exhaustive; it is simply provided as a quick checklist. Do not open unidentified attachments without independent confirmation, even if their three-letter extensions are not on this list.

Macintosh users need to be especially careful -- unlike PC users, Mac files do not require three-letter extensions. So there is no immediate way to identify the file type of an incoming attachment. While there is less documented malware on the Mac platform, don't be fooled into a false sense of security. The Mac is just as capable of propagating malware as its PC counterpart, and the Mac version of Microsoft Office shares the same marginal security. So exercise the same good common sense as you would if using a PC!
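As an added illustration (not part of the original Rice document), here is a small Python routine that applies the checklist above to attachment names. The extension list is copied from the document (the ".PI" entry is reproduced exactly as the list prints it); the category names and advice text are my own. The routine deliberately treats a name that is not on the list, or that has no extension at all (as is common for Mac files), as "cannot be judged by name" rather than as safe, which is the point the document makes about the list not being exhaustive. The sample file names at the bottom are constructed.

```python
import os

# Copied from the document's "File Extensions of Evil" list, lower-cased for
# comparison. ".pi" is kept exactly as the list prints it.
DANGEROUS_EXTENSIONS = frozenset("""
.bas .bat .chm .cmd .com .crt .doc .dot .exe .hlp .inf .ins .isp .lnk
.mdb .mdw .mst .mtx .pcd .pi .pot .ppa .pps .ppt .reg .rtf .scr .shs
.url .vbs .xls .xlt .xlw .wsf .wsh
""".split())

# The Office document types on that list: the document says these are only
# safe once macro virus protection is turned on in Office.
OFFICE_EXTENSIONS = frozenset({
    ".doc", ".dot", ".xls", ".xlt", ".xlw", ".ppt", ".pps", ".pot", ".ppa",
    ".mdb", ".mdw",
})

# Advice text is mine, paraphrasing the document's guidance for each case.
ADVICE = {
    "listed": "on the checklist: treat as malware until independently confirmed",
    "office": "Office document: may carry a macro virus; confirm it, and open it "
              "only with macro virus protection turned on",
    "no-extension": "no extension (typical for Mac files): type unknown, confirm before opening",
    "unlisted": "not on the checklist, but the list is not exhaustive: still confirm before opening",
}


def classify_attachment(filename: str) -> str:
    """Classify an attachment by its final extension only.

    Returns 'listed', 'office', 'no-extension' or 'unlisted'. Only the last
    extension decides, so 'paper.doc.vbs' is judged as a .vbs file. None of
    the four categories means 'safe'; see ADVICE.
    """
    _, ext = os.path.splitext(filename.strip().lower())
    if not ext:
        return "no-extension"
    if ext in OFFICE_EXTENSIONS:
        return "office"
    if ext in DANGEROUS_EXTENSIONS:
        return "listed"
    return "unlisted"


def triage(filenames):
    """Return (name, category, advice) for each attachment name."""
    rows = []
    for name in filenames:
        category = classify_attachment(name)
        rows.append((name, category, ADVICE[category]))
    return rows


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["Happy99.exe", "thesis.DOC", "photo.jpg", "paper.doc.vbs", "README"]
    for name, category, advice in triage(sample):
        print(f"{name:15} {category:13} {advice}")
```

The routine is a name-based early warning only; the document's Golden Rule still applies to every category, including "unlisted".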

Summary:

  • Always confirm the validity of e-mail attachments with the original sender.
  • Avoid sending or receiving attached files which can carry viruses.

Securing Outlook 98/2000 and Outlook Express

Microsoft's Outlook line of e-mail software for Windows presents a serious security challenge. These e-mail readers allow scripting commands in e-mail which will activate malware without requiring the user to open an attachment. Simply reading the message causes the malicious software to run immediately, without prompts or warnings.

This concern only applies to the Windows versions of Outlook and Outlook Express. The Mac version of Outlook Express (or the new e-mail product, Entourage) does not suffer from this dangerous flaw, and other mail readers for the PC (Eudora, Netscape) are also unaffected.

To secure your version of Outlook 98/2000 or Outlook Express, first open your Internet Options control panel. Click the Security tab, then the Restricted Sites icon. Click the Default Level button, then slide the security level slider to High. Click the Custom Level button.

In the Security Settings panel, scroll down to Script ActiveX Controls Marked Safe for Scripting, and make sure the Disabled box is checked. If it's not checked, click it once to check it. Scroll down to the Downloads section, and make sure the Disabled box is checked under File download. While you are using this panel, you might want to disable everything else that can be disabled. Then click the OK button to close the Security Settings panel and OK to close the Internet Options panel.

Next, open your copy of Outlook or Outlook Express. Select Tools, Options, and click the Security tab. For Outlook, use the Zone pull-down menu to select Restricted Sites, then click OK. For Outlook Express, click the Restricted Sites checkbox if it is not already checked, then click OK. Complete details are in the following illustrated guide.

Outlook 98/2000/Express:
Turning on Restricted Sites Security Pictoguide

Safe Microsoft Office Practices

Unfortunately, even the safest e-mail practices do not confer total protection. Because many Office macro viruses are subtle, it's possible for someone to be infected without even knowing it. This person may give documents to others and spread the macro virus, even though the documents look perfectly normal.

However, a few important steps can reduce your likelihood of being infected.

If you use Office 4.2 (with Word 6) for Windows, Office 95 (with Word 95) for Windows or Office 4.2 (with Word 6) for the Mac, you can install the Microsoft Virus Protection Macro. See Where to find security patches below for more information. This protection mechanism is not very effective, however. It only protects against early, basic macro viruses.

If you use Office 97 for Windows, you can turn on Macro Virus Protection. The macro virus protection feature causes Office applications to prompt you before opening a document with macros. In every case, you should choose to disable macros unless you know that the macros are not malware. For complete protection, you will need to turn on macro virus protection in each Office application that you use. In each application, open the Tools menu, select Options. Click the General tab, and make sure the Macro Virus Protection checkbox is checked. If it's not checked, click it so that it's checked and click OK to close the Options box.

In Office 98 for the Macintosh, you can turn on Macro Virus Protection in a similar way. The results are the same; Office 98 applications will prompt you if you attempt to open a document with macros. Always disable the macros unless you've got a good reason not to. To turn it on, open the Tools menu and select Preferences in any Office application. Make sure the Macro Virus Protection checkbox is checked. If it's not checked, click it once to check it and click OK to close the Preferences box. You'll need to do this for each Office 98 application for complete protection.

Windows Office 97: Turn On Macro Virus Protection Pictoguide

Turn on Macro Virus Protection in Word 97 (part of Office 97) under Windows

Mac: Turn On Macro Virus Protection Pictoguide

Turn on Macro Virus Protection in Word 98 (part of Mac Office 98) on the Macintosh

Office 2000 for Windows uses a slightly different technique. Instead of a simple checkbox, Office 2000 offers several levels of protection. For the best protection, you'll want to choose the highest setting. In any Office 2000 application, select Tools, Macros, Security. Click the Security Level tab, and make sure the High checkbox is checked. If it's not checked, click it to check it.

Windows Office 2000: Set Macro Security to High Pictoguide

Set Macro Virus Security to High in Word 2000 (part of Office 2000) under Windows

You can also reduce your likelihood of infecting others, if you happen to get infected. Because Microsoft Word macro viruses can only exist in standard documents and document templates, you can prevent the spread of infection by sending RTF ("Rich Text Format") files to your correspondents. RTF files contain all the images and formatting of your original Word document, but they cannot contain macro viruses. RTF files are more compatible, and can be opened by all versions of Microsoft Word and many other word processors without special converters.

To save documents as RTF files in Microsoft Word 2000, simply select Save As... from Word's File menu. There's a pull down menu with different file formats. Select Rich Text Format (*.rtf) from the list and save your document as you normally would. You might even want to save all your documents as RTF, to avoid the slightest likelihood of virus infection and improve compatibility with other users. To save all future documents in RTF format, use Tools, Options and click the Save tab. Select Rich Text Format (*.rtf) from the Save Word files as: menu.
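Note that .RTF also appears in the extension checklist earlier in this document: the file name alone does not tell you whether the content is genuine RTF or a binary Word document carrying a different name. The following Python check is an added example, not from the original document or from Microsoft; it inspects the first bytes of the file rather than its name. It assumes the standard file signatures: genuine RTF begins with the text {\rtf, and binary Word 6/95/97/2000 documents (the kind that can carry macros) begin with the 8-byte OLE2 compound-file header D0 CF 11 E0 A1 B1 1A E1. The sample byte strings are constructed.

```python
# Signature of OLE2 compound files, the container used by binary Word,
# Excel and PowerPoint documents (assumption stated in the lead-in).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# A genuine RTF file starts with this control word.
RTF_MAGIC = b"{\\rtf"


def sniff_document(data: bytes) -> str:
    """Classify a file by content: 'rtf', 'binary-office' or 'unknown'."""
    head = data[:8]
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head == OLE2_MAGIC:
        return "binary-office"
    return "unknown"


def is_genuine_rtf(filename: str, data: bytes) -> bool:
    """True only when the name says .rtf AND the content really is RTF.

    A binary Word document renamed to .rtf fails this check, as does a
    genuine RTF body sent under a .doc name (which a correspondent following
    the document's advice would not do).
    """
    return filename.lower().endswith(".rtf") and sniff_document(data) == "rtf"


# Constructed samples: a minimal RTF document, the first 512 bytes of a
# binary Word-style file (header plus padding), and plain text.
GENUINE_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}Hello from Rice.\\par}"
RENAMED_DOC = OLE2_MAGIC + bytes(504)
PLAIN_TEXT = b"Just a note, no formatting."


if __name__ == "__main__":
    for name, data in [("memo.rtf", GENUINE_RTF), ("memo.rtf", RENAMED_DOC), ("memo.rtf", PLAIN_TEXT)]:
        print(f"{name}: content={sniff_document(data):14} genuine_rtf={is_genuine_rtf(name, data)}")
```

Because the check reads only the first eight bytes, it works on an attachment before it is opened in Word; the "binary-office" result is the one that warrants the macro virus precautions described above.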

Summary:

  • Secure your Microsoft Office installation by turning on macro virus protection.
  • When exchanging Microsoft Word files with others, always save in Rich Text Format (RTF), and ask others to do the same before sending files to you.

Other Ways to Secure Your System

Aside from being careful with e-mail and securing Microsoft Office, there are a few other things you can do to protect yourself. Here is a checklist.

Don't use file and print sharing unless you must

A few types of malware spread by taking advantage of the file sharing capability of Windows 95/98. Often, we need to look at files which have been shared by others, or print to printers attached to other people's computers. This carries some risk, since it's possible that others have been less vigilant about viruses than you are, and they may have infected their own files. Copying and executing a program or Office document from their shared volumes could lead to infection.

If you share your own files or printers, you need to be especially careful. If you allow others to write to your hard disk, they could introduce virus-infected documents or software without your realizing it. The malware that spreads through Windows 95/98 file sharing also targets shared disks with write access enabled, so you could become a victim. Although no viruses use this method of transmission on the Macintosh, there is no technical reason that it can't happen.

If you don't need to share your files, it's best to turn this service off entirely.

Under Windows 95/98, click on Start -> Settings -> Control Panel. Double click on the Network control panel. Click the File and Print Sharing button. Uncheck the two boxes.

On the Mac (MacOS 8.0 or later), open Control Panels -> File Sharing from the Apple menu. If the two buttons on this page are labelled Stop, then click them to stop file sharing. On older versions of the MacOS, the procedure is the same but you will need to open the Sharing Setup panel instead of the File Sharing panel.

Windows 95/98: Turn Off File Sharing Pictoguide

MacOS 8.0 or higher: Turn Off File Sharing Pictoguide

If you do use file sharing, use good passwords

If you must use file sharing, always require passwords from those who might connect to your system. Never ever allow write access to your computer without a password!

Under Windows 95/98, right-click the shared volume and select Properties. Click the Sharing tab. If possible, specify an access type of Read-Only, and make sure you have a password. If you must use Full Access or Both, make absolutely certain that you have a long password that is not easy to guess.

On the Mac, you need to secure your system with an Owner name and password. Open the Apple menu, Control Panels, File Sharing. Make sure you have both an Owner name and Owner password entered in the appropriate boxes. The Owner password should be long and hard to guess.

Windows 95/98: Requiring a Password for File Sharing Pictoguide

Mac: Setting the Owner name and Owner password Pictoguide

Don't allow Windows to open .VBS or .WSF files

Visual Basic Scripting (.VBS or .WSF) files are one of the most common ways that malware spreads. Most installations of Windows 95 and all installations of Windows 98 include Visual Basic Scripting. Almost no commercial or free software uses or requires Visual Basic Scripting, so it's easy and safe to turn it off.

Double-click the My Computer icon. Select View..., Folder Options. Click the File Types tab. Scroll down to the entry labelled VBScript File. Click it to highlight it and click the Edit... button. In the Edit File Type window, click to highlight the Edit entry in the list and click the Set Default button. The Edit entry will turn bold, indicating that editing is now the default action for these files. Repeat this process for the Windows Script File type.

Windows 95/98: Disabling Visual Basic Script and Windows Scripting Pictoguide
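The settings this document tells you to change by hand (the two Restricted Sites options in Internet Options, the Office 2000 macro security level, and the default action for .VBS and .WSF files) are all stored in the Windows registry, so whether they actually took effect can be audited from a Regedit export instead of re-opening each dialog. The following Python script is an added example, not part of the original document and not a Microsoft tool. The registry locations and value meanings it relies on are my assumptions, stated in the comments: Zones\4 is the Restricted Sites zone, values 1405 and 1803 are the two options named above with 3 meaning Disable, Office\9.0\Word\Security\Level 3 is High (other Office 2000 applications keep their own Level under their own key), and the default value of HKEY_CLASSES_ROOT\VBSFile\Shell and WSFFile\Shell names the default verb, with an empty value meaning Open. The export text is constructed, with two of the settings deliberately left insecure so the audit has something to report.

```python
import re

# Constructed sample export in the REGEDIT4 format written by Windows 95/98.
# Key paths and value meanings are assumptions (see lead-in), not taken from
# the document. 1803 is left at 0 (Enable) and WSFFile has no default verb,
# so the audit below reports both.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1405"=dword:00000003
"1803"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000003

[HKEY_CLASSES_ROOT\VBSFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\WSFFile\Shell]
@=""
"""

ZONE4 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
WORD_SECURITY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"

# (key, value name, required value, description). "@" is the default value.
CHECKS = [
    (ZONE4, "1405", 3, "Restricted Sites: script ActiveX controls marked safe for scripting is Disabled"),
    (ZONE4, "1803", 3, "Restricted Sites: file download is Disabled"),
    (WORD_SECURITY, "Level", 3, "Word 2000 macro security level is High"),
    (r"HKEY_CLASSES_ROOT\VBSFile\Shell", "@", "Edit", "VBScript files open in an editor by default"),
    (r"HKEY_CLASSES_ROOT\WSFFile\Shell", "@", "Edit", "Windows Script files open in an editor by default"),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')


def parse_reg(text: str) -> dict:
    """Parse a REGEDIT4 / 'Windows Registry Editor' export into {key: {name: value}}.

    Handles dword and string values only; other types are ignored. The
    default value of a key is stored under the name '@'.
    """
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            tree.setdefault(key, {})
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            name, data = m.group(1) or "@", m.group(3)
            if data.startswith("dword:"):
                tree[key][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                tree[key][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return tree


def audit(reg_text: str) -> dict:
    """Return {description: bool}; a missing key or value counts as a failure."""
    tree = parse_reg(reg_text)
    return {desc: tree.get(key, {}).get(name) == want for key, name, want, desc in CHECKS}


def failing(reg_text: str) -> list:
    """Descriptions of the checks that did not pass, sorted for stable output."""
    return sorted(desc for desc, ok in audit(reg_text).items() if not ok)


if __name__ == "__main__":
    for desc, ok in audit(SAMPLE_REG).items():
        print(("OK   " if ok else "FAIL ") + desc)
```

To audit a real machine, export the keys with Regedit (for example `regedit /e zones.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"`), concatenate the exports, and pass the text to `audit`. The script does not check the Outlook "Zone" pull-down itself, since this example makes no assumption about where Outlook stores that choice; confirm it in Tools, Options, Security as described above.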

Beware software of unknown origin

When you download a piece of software from an Internet web site or install it from a CD-ROM, you are trusting that the person or corporation that wrote it did not make it malicious. However, even legitimate software may be wrapped with a modified installer that infects your computer with malicious software, essentially turning legitimate software into a trojan horse.

To avoid this threat, make sure you know your software sources. When downloading or installing software:

Hoaxes

Hoaxes have developed hand-in-hand with malware. Hoaxes consist of notifications, usually via e-mail, which issue some dire warning about potential viruses, application bugs, or operating system problems. To give you an idea of what a hoax is, consider the following message:

Subject: Wobbler Virus

WARNING: If you receive an e-mail with a file called California, do not open the file. The file contains the WOBBLER virus. This information was announced yesterday morning from IBM; AOL states that this is a very dangerous virus, much worse than "Melissa", and that there is NO remedy for it at this time.

Some very sick individual has succeeded in using the reformat function from Norton Utilities causing it to completely erase all documents on the hard drive. It has been designed to work with Netscape Navigator and Microsoft Internet Explorer. It destroys Macintosh and IBM compatible computers. This is a new, very malicious virus and not many people know about it. Pass this warning along to EVERYONE in your address book ASAP so that this threat may be stopped.

Mary Landesman, About: Antivirus

Hoaxes are usually easy to identify, if you know what to look for.

... ignorance itself, without malice, is able to make a man both to believe lies and tell them, and sometimes also to invent them.

Leviathan, Thomas Hobbes (infidels.org)

What do you do when you receive a hoax? Simple. Just delete it. If it really makes you uncomfortable, or if it contains harassing or threatening statements targeted at you, please feel free to contact IT staff for more information or the Rice Campus Police if the threats are specific and immediate. See below for where to find more help, and links to hoax information sites.

Forged E-mail Addresses

vv TOPIC UNDER CONSTRUCTION vv

Recently many members of the Rice community have received e-mail complaints alleging that they have a virus, or that they sent e-mail to an invalid address that they have never heard of. Most of these complaints result from viruses or commercial e-mail spammers that forge the return address on their outgoing mail. The forged addresses point to individuals that are completely unrelated to the virus-infected computer system; they are innocent third parties.

When the recipient of a virus-infected e-mail responds to the forged address, the holder of that address is understandably concerned. Not only did the innocent party not send a virus to the recipient -- but they didn't send any mail at all! Confusion and frustration result, since neither the recipient of the original mail nor the falsely accused third party know where the mail actually came from.

If you receive a complaint that you sent out a virus, or an error message that indicates a failed e-mail delivery to an address you've never heard of, don't panic! In most cases, these warnings are the result of a forged return address.

^^ TOPIC UNDER CONSTRUCTION ^^

Anti-virus Software

Rice University now licenses the Network Associates' McAfee suite of antivirus software. McAfee's Mac and PC products are licensed for installation on all Rice systems. Rice faculty, staff and students may also install the products on home PCs or Macs of their choice. The license extends only to those computers which are personally owned by Rice faculty, staff and students.

To download McAfee products now, visit software.is.rice.edu. For additional useful information on McAfee products, including links to the latest updated virus signatures, visit the Rice Antivirus Quick Links page.

Malicious Software Documented at Rice

Unfortunately, malware has visited Rice a few times. Here are a few cases that you might want to read about.

Additional virus warnings will be added to this list when necessary.

Where to Find More Help

If you think your computer has a virus, or if you have questions about viruses or how to prevent them, contact one of these support sources:

Where to Find Security Patches

Here are some quick links you can use to locate useful security tools and patches.

Security Announcements for All Microsoft Products

http://www.microsoft.com/technet/security/

Windows 95/98/Millennium/2000:

Windows 95: http://www.microsoft.com/windows95/downloads/

Windows 98/Millennium/2000: http://windowsupdate.microsoft.com/

Internet Explorer & Outlook Express: http://www.microsoft.com/windows/ie/download/default.htm

Microsoft Office 2000: http://officeupdate.microsoft.com/

Microsoft Office 97: http://officeupdate.microsoft.com/downloadCatalog/dldWord.asp
--> Click Word 97 Downloads

Microsoft Office 4.2/Word 6 Macro Virus Protection Macro: ftp://ftp.microsoft.com/softlib/mslfiles/wd1215.exe

Macintosh:

Apple MacOS Updates: http://asu.info.apple.com/

Microsoft Office 98 for Mac: http://www.microsoft.com/macoffice/

Internet Explorer/Outlook Express for Mac: http://www.microsoft.com/mac/ie/default.asp

Office 4.2/Word 6 Macro Virus Protection: ftp://ftp.microsoft.com/softlib/mslfiles/mw1222.hqx

More Useful Web Links

Identifying viruses, virus encyclopedias

DataFellows Virus Info Center
Well-researched virus information library from Finland. Best search capability.

Kaspersky Labs Virus List
Large, well-researched virus library with good search facility.

McAfee Virus Library
Good virus info, but a poor search facility.

Symantec Anti-Virus Research Center
Searchable encyclopedia of virus information.

Anti-Virus Articles, Exposing Hoaxes

antivirus.about.com
Feature articles on virus concepts, virus prevention, new virus announcements, hoaxes, etc. Not tied down to an AV software vendor, which is good.

Ten Immutable Laws of Security
Excellent overview of computer security principles from Microsoft engineer Scott Culp, although he makes too many excuses for flawed design of MS products.

DataFellows Hoax Reference
Very complete tracking list of virus hoaxes.

Kaspersky Labs Hoax/Joke List
Article about virus hoaxes.

urbanlegends.about.com
Good coverage of many e-mail hoaxes, including fake virus warnings and chain letters.


Questions about this document or generous material gifts may be directed to Rick Russell, IT Consulting Specialist and all-around Virus Guy.
