Cozahost Newsletter Archive


Cozahost newsletter - 28 June 2005
Hi!

"Malware"  - the bane of all computer users on the internet.  Find out what it is, how it works and how to protect yourself.

Please forward this newsletter to friends or colleagues who might like to read it.
 

..:: In This Issue ::..

Hello
Malware and how it works
Your smile for the day
About Cozahost
Subscribe to this newsletter

Previous issues...

..::  Hello :-)

 
Have you ever been caught?  I mean by a hidden speed camera, or by Mom - with your entire arm in the cookie jar?  How about being the victim of a practical joke?  It sucks, doesn't it?

A particularly funny practical joke (for everyone but the victim of course) was when the tribe surreptitiously packed two large stones in the backpack of a friend of mine. 

At the time they were walking the Otter hiking trail.  My friend found the first (smaller) stone very quickly when he realized that his backpack was a lot heavier than he remembered from the previous day of grueling walking. 

Few things are so rewarding as foiling a practical joke where you were the intended victim:  By all accounts my friend made quite a ceremony of removing the offending stone (ie weight) from his backpack, grinning from ear to ear and all the while loudly admonishing the rest of the tribe not to insult his intelligence. 

Of course the first stone was the decoy. 

The second one was well hidden at the bottom of his pack and he unknowingly carried that one for the rest of the day...sweating up and down several hills for six long hours.

This happened about 10 years ago.  He still has to hear about it at just about every braai.  His grandchildren will probably be told the story too.  He still gets angry about it.  The tribe still teases him when he does.

My best practical joke was when I sabotaged my brother's cool drink with dishwashing liquid.  After my covert commando raid on the refrigerator, I warned him that he had better have eyes in the back of his head, because my cousin was out to get him.  Of course I was not obvious about it - just a few small hints to point his suspicions at the correct party when he partook of the beverage.  At the same time, I polished my cousin's bicycle rims with oil (to disable the brakes) and, very carefully, planted a few hints to point the evidence at my brother.

My brother did eventually take his cool drink and had a fit of coughing and involuntary bubble blowing - much to the amusement of my cousin, who almost wet himself laughing.  I just shook my head sagely and with a little smile looked at my brother and shrugged.  The hook was set.  I could see him calculating the angles to get back at my cousin.  This was much more fun than watching TV.  When my cousin eventually recovered from his hysterical laughing fit, I asked him to go and get us all a cool drink at the nearby shop - knowing full well that he would take his bike...

He almost made it out of our driveway, but, to turn left, he had to use the brakes...which did not work thanks to the oil on the rims.  He crashed spectacularly into the sidewalk.  My brother screamed with laughter.  I just shook my head and shrugged at my cousin.  The second fish took the hook.  The game was on.

For the next several weeks, they retaliated, launched pre-emptive strikes and pulled just about every conceivable practical joke on one another.  Every time I thought that the dust was about to settle, I'd stoke the fire with a bit of sugar in a bed, dog poo in a shoe, Eno in a cup of coffee or itching powder on the toilet paper.  The war lasted for months - and they never suspected me - the third force.  It was a thing of beauty.

These practical jokes were harmless for the most part, but, as Leon Schuster said: "A joke is a joke, but you don't open an umbrella in someone's nether regions."  Installing a virus or a worm on someone's computer definitely falls into the umbrella category.  Your PC will be carrying several large stones for the rest of time and you will never know it.  Decidedly un-funny.

In this issue we are going to talk about "malware" - the nasty programs designed to cripple your computer and make your life very miserable indeed.  Understand how they work and avoid the open umbrella inserted in your...uhm...nether regions.
   

..::  In the news
 
IBM built a computer to emulate the human brain:
A huge new supercomputer allows scientists to model the human brain.  Is this the beginning of understanding the human condition, or the dawn of true machine intelligence?

40 million credit card numbers stolen:
A hacker gained access to some 40 million credit card numbers due to inadequate security measures at a major payment gateway provider.  The sad thing is the gateway provider should not have kept records of the credit card transactions in the first place.
   
 

..:: Malware and how it works

 
To avoid being the butt of a very, very bad joke, you need to understand viruses and worms (collectively called "malware"), so here is an overview to give you the heads-up you need to protect yourself:

Malware - a brief background

"Malware" is a generic term derived from "mal" (ie maladjusted, malfunction) and "ware" (ie software and hardware).  Malware is software designed to make your life unpleasant.

Malware can be classified into three broad categories: worms, viruses and Trojans.  (Recently the malware family gained a new member - "spyware".  Spyware is software that is installed on your computer without your knowledge in order to steal information.  The data stolen can include important documents, your passwords, banking details and so on.)

We use the "worm", "virus" and "Trojan" classifications to describe the method used by the malware to spread itself and remain hidden:

  • Worms - spread copies of themselves as stand-alone programs.
  • Viruses - embed themselves in another program just like a real virus will manipulate the genetic structure of a host cell to implant a copy of itself.
  • Trojans - pretend to be something else like a useful program or even a computer game.  The name comes from the fabled Trojan horse used by the Greek and Spartan warriors to gain entry to the city of Troy.

It is important to note that viruses and worms are capable of spreading copies of themselves while Trojans rely on people to send them to friends and co-workers.

Malware spreads very quickly - at a rate of about 175 000 computers per day.  The programs have no regard for your nationality, social standing, race, gender or religion.  Everybody on the internet is attacked with the same vigor and efficiency.  Unless you take the necessary precautions, your computer WILL be infected by malware - that's a fact.

In perspective

There is a lot of media attention and sometimes a little hysteria about malware.  Things are made worse by journalists writing about the software when they have no clue about the technical details involved.  These articles often convey a vague sense of impending doom and seem to credit malware with almost supernatural powers.

The fact is that malware programs are computer programs.  They are normal, mundane programs like Excel, Outlook or Word - written by normal programmers - albeit with a severely challenged sense of right and wrong.  If these guys were walking the Otter trail, they'd just as soon smash your head in with a stone as hide one in your backpack.

Hundreds of new malware programs are written every month and thousands of computers are infected by them every day.  In 99% of the cases malware are allowed to spread only because computer users do not take simple and basic precautions to protect themselves.

Understanding how malware works is your most important defense against becoming an (unhappy) statistic.

The basics

A computer executes software.  Software is a set of instructions (commands) that tells the computer (its processor chip) to perform functions - like mathematical calculations, reading from or writing to the hard disk, or displaying something on the screen.

Programs are stored on the computer's hard disk so that, when the computer is started, they can be loaded from the hard disk into the computer's short-term memory (RAM), where they are read and executed by the processor.

Your operating system (eg Windows or Linux) is the first program loaded when you start your computer.

Once the operating system is loaded, the computer is ready to execute more programs and to use its peripherals (eg modem, mouse or keyboard).

To make life easier for users, most operating systems incorporate the concept of file extensions.  A file extension is the final bit after the "." in a file name; for instance vacation.jpg or calc.exe.  The operating system understands the extension to mean that the file holds data of a certain type.  In this case vacation.jpg indicates to the operating system that the file is a graphics file in the JPEG format.  The second file is a program, because the file name ends in ".exe".

When you double click on a file name, the operating system will check its list of file associations to decide how to load the file.  In the case of a .jpg file the operating system will load a graphics viewer, and in the case of a .exe file the operating system will execute the program.

The important thing (in terms of malware) is that your computer can only execute (ie run) programs - not data files.  A graphics file (.jpg) for instance, contains only data required to display an image.  The program responsible for painting the picture on your screen will read the data and show the picture.  The .jpg file does not normally contain instructions to the computer, and even if it did, the program responsible for drawing the picture would not know how to execute the commands.

There are some exceptions to this rule:  Some programs can understand instructions inside a data file and will execute these instructions when the file is opened.  A good example is MS Word.  With MS Word you can create "macros" that are stored inside a .doc file - typically to do things like sorting lists, asking for user input in a form and so on.  These "macros" are special programming instructions that are understood by MS Word.  The same thing holds true for MS Excel and a few others.

The original principle that your computer can only execute (run) programs is still true, because even though the .doc file contains programming instructions, these commands are executed by MS Word and not by the operating system itself.  In most cases you can (and should) configure these programs not to run macros without your permission.

As discussed earlier, the operating system can only execute program files.  These files must follow a very specific format that tells the operating system how to execute them - for instance how much memory (RAM) they require, where the processor should start executing and so on.  Malware are computer programs.  In order for them to work, they must be executed by the operating system.

The challenge to the malware programmer is therefore to devise a way to fool you or your operating system into executing (running) his program.  Since most sane people will not purposefully execute malware on their computers, the author of the program must rely on tricks to con you into running it.  This includes sending you the program as an email file attachment...with some story to motivate you to run it.

An effective way to fool people is to send them a program that pretends to be something else (trojan) - for instance: you visit a site where you can download a free copy of MS Word.  When you execute the program, it runs exactly like MS Word and you think you just scored the bargain of the month; but what you do not know is that the first part of the real MS Word was moved and replaced with a few instructions to install a virus on your computer. 

As soon as the malware is loaded by the computer, it will take several measures to stay invisible: it will not show anywhere on your computer screen - it might even manipulate the operating system into believing it is an important driver or program.

Once installed on your computer the malware will try to spread itself: either by emailing itself or by launching direct attacks to other computers on the same network (internet). 

Writing a program to automatically spread itself by email is very easy.  The fourteen year old next door can probably write it with a few hours of training.  Hiding where the emails came from (ie a bogus "from address") takes just one line of programming code...ie 5 seconds to program.

A more complicated (and much more difficult to defend against) method of spreading is by using network based attacks.  These viruses scan the network and look for computers that do not have the latest operating system security fixes, or computers without firewalls.  When one finds such a vulnerable computer, it opens a network connection to that machine and sends a special series of commands that manipulate a security weakness in a program running on the target machine - enabling the virus to send a copy of itself to the remote machine and run itself there.

Once on the second machine, the virus starts the same process again.  We now have two virus infected computers searching for more victims.  Then four...then sixteen...then two hundred fifty six...then sixty five thousand...all within a matter of a few minutes.

After malware has installed itself on your computer it can:

  • Act as a spam sending email server
  • Steal your information and documents
  • Corrupt (break) your operating system
  • Destroy your data

Virus scanners

A virus scanner is a program designed to look for the "fingerprints" of known malware.  In a sense, it acts like a security guard checking all visitors against its list of known offenders...or suspicious behavior.

Unless a program has the equivalent of a burning fuse in its pants, the virus scanner will not detect it - unless of course it is a previous (k-n-o-w-n) offender.  To make matters worse, malware can (just like human criminals) disguise itself: a computer program's "fingerprint" is calculated using a mathematical formula.  In essence, the formula takes all the instructions in the program and calculates a very short "summary".  If one or two lines of programming code are changed, the summary is different and the fingerprint no longer matches.

Malware programmers might be nasty but they are not stupid.  They know how virus scanners work.  It is a relatively simple process to change a few things in their program to generate a new fingerprint and fool the scanners...or even better, to program their malware to automatically change themselves to avoid detection.

The virus scanners are now required to scan for hundreds of thousands of new virus signatures - and hundreds of new viruses created every day.  And you, as the virus scanner user, have to update your program several times a day to protect against the new threats.

Given this impossible mission...how effective can the protection provided by a virus scanner be?  Answer: not very.  At best a virus scanner will only protect you against "old" viruses - and only after they caused significant damage on the internet.

The one thing virus scanners are very good at is protecting you against most (about 80%) of the known malware on the internet - and that is why you should use one.  The important thing to remember though is that they do not and cannot give you 100% protection...in fact, your computer remains vulnerable to the most dangerous malware on the internet - the new exploits.
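To make the fingerprint argument above concrete, here is an added example (written for this archive, not code from the newsletter or from any real scanner) of the two kinds of signature a scanner keeps: a whole-file digest and a short byte pattern. The "program" is a constructed byte string of pretend instructions, and the signature names are made up.

```python
import hashlib
from typing import Optional

# Constructed stand-in for a "known offender": a few pretend instructions as bytes.
# It is not a real program, just something with a fingerprint and a recognisable fragment.
KNOWN_OFFENDER = b"MZ\n" b"mov counter, 1\n" b"call send_copy_by_email\n" b"jmp start\n"


def fingerprint(program: bytes) -> str:
    """The 'very short summary' of all the instructions: here a SHA-256 digest of the file."""
    return hashlib.sha256(program).hexdigest()


# Two kinds of signature a scanner can keep.  The whole-file fingerprint is exact but brittle;
# the byte pattern survives edits elsewhere in the file but must be chosen by an analyst.
FINGERPRINT_DB = {fingerprint(KNOWN_OFFENDER): "Example.Worm.A (constructed)"}
PATTERN_DB = {b"call send_copy_by_email": "Example.Worm.gen (constructed)"}


def scan_by_fingerprint(program: bytes) -> Optional[str]:
    return FINGERPRINT_DB.get(fingerprint(program))


def scan_by_pattern(program: bytes) -> Optional[str]:
    for pattern, name in PATTERN_DB.items():
        if pattern in program:
            return name
    return None


def scan(program: bytes) -> Optional[str]:
    """What a scanner reports: None means 'not a known offender', not 'clean'."""
    return scan_by_fingerprint(program) or scan_by_pattern(program)


def change_one_line(program: bytes) -> bytes:
    """The trivial edit from the text: one instruction altered, behaviour unchanged."""
    return program.replace(b"mov counter, 1", b"mov counter, 2", 1)


def rename_routine(program: bytes) -> bytes:
    """A second edit that also touches the fragment the pattern signature relies on,
    which is why the signature database has to be updated so often."""
    return program.replace(b"send_copy_by_email", b"post_message", 1)


def demo() -> dict:
    """Scan the original and some variants with both methods; returns the verdict table."""
    variants = {
        "original": KNOWN_OFFENDER,
        "one line changed": change_one_line(KNOWN_OFFENDER),
        "routine renamed": rename_routine(change_one_line(KNOWN_OFFENDER)),
        "unrelated program": b"MZ\nmov x, 3\nret\n",
    }
    return {
        label: (scan_by_fingerprint(prog), scan_by_pattern(prog))
        for label, prog in variants.items()
    }


if __name__ == "__main__":
    for label, (by_hash, by_pattern) in demo().items():
        print(f"{label:18s} fingerprint={by_hash!s:30s} pattern={by_pattern}")
```

The one-line change defeats the digest but not the pattern; once the recognisable fragment changes as well, neither signature fires and only a database update (or a non-signature defence such as a firewall) helps.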

Operating system and network exploits

"Exploit?"  A term used to describe the technique of exploiting a weakness in the network, your operating system or a program to force it to do something bad. 

When programmers first developed software, they designed it to work under specific conditions - for instance, Excel was designed to execute complex formulas immediately when you loaded a spreadsheet.  Using a macro programming language, you could build a spreadsheet that will load information from a central database, do a few calculations, create an output report and email that report to management - and save yourself an hour's work every day.

The malware programmers use the same technology to create or delete files on your hard disk and to email your sensitive data to the mafia...ie they found an exploit (the macro programming language) in Excel.  One of the very first successful computer worms was the Melissa worm.  This malware program used the macro language in MS Word to spread itself with speed and agility never before seen in computer networks. 

Since then Microsoft learned that the macro language can be used by malware programmers to do nasty things to your computer and they fixed MS Word to make it much more difficult to exploit that particular weakness.  The same thing holds true for all the software on your computer - and more importantly for your operating system, ie the heart and mind of your machine.

The initial exploits were quite simple and just about any programmer with bad intentions could exploit the operating system (and some software).  Today it is significantly more difficult to do, because most software vendors stay on a constant lookout for ways their software can be abused to damage your computer.  When an exploit is identified by the vendor (or by thousands of independent researchers), the software is "patched" (updated) to remove that vulnerability.  If you are still running old ("un-patched") versions of your software then you are a very juicy, very soft and soon to be abused target.

Your first and most important defense against malware is therefore to ensure that all known exploits in your operating system (and software) are patched so that they cannot be used by malware programmers against you.  To do this, you must regularly visit http://windowsupdate.microsoft.com to update your copy of Windows, or even better, switch on automatic updates so that your operating system is automatically patched as exploits are detected and fixed.

Microsoft has long been criticized for not doing enough to protect their clients against malware.  The Windows operating system was infamously insecure when compared to the older operating systems like Unix (and Linux to some extent). 

Since then Microsoft has made huge improvements in the security of their operating systems and most significantly by producing service pack 2 for Windows XP.  We covered the advantages of Windows XP service pack 2 in this newsletter a while back, but suffice it to say that any internet user using older versions of XP on the internet is in serious need of psychiatric help...

Firewalls

A firewall gets its name from the metal sheet that separates a car's passenger cabin from the engine compartment.  You know: the thing you kick against when you are in the passenger seat and your wife barrels down on a red traffic light at twice the speed of sound.

The original role of the firewall was to protect the passengers in a car from a fire in the engine compartment, although I must say that its dual purpose as a ghost-braking system is less than effective.

In concept a firewall on a computer has much the same purpose.  The firewall isolates your computer from the more than 65000 "doors" the network (internet) creates into your machine.  Each and every one of these doors ("ports") can be used by malware to do nasty things to your computer.

A bit of background:  The internet works on a protocol (set of rules) called TCP/IP.  When your computer connects to the internet, programs "listen" on specific ports: for instance, your email software will listen on ports 110 and 25 for receiving and sending email.  The average computer needs about 12 ports to be open for internet access.  The problem is that Windows opens a whole range of other ports for file sharing, printer sharing and so on.  Since these ports are open, malware can send information to them to exploit programs or even the operating system itself.

Computer firewalls act like locks on these ports by blocking all the unnecessary ports and by alerting you when software tries to access them.  Just the act of closing most ports on your computer is a significant security improvement because it reduces the "attack footprint" (the number of possible exploits a hacker / malware can use to attack your computer).

One of the ways malware spreads is by "pinging" machines on the network at random.  Every computer on the internet has a network address that looks something like this: 196.25.1.1.  Malware will try to spread itself by "pinging" all network addresses between 196.25.1.1 and 196.25.1.255.  (A "ping" is like shouting "are you there?" and waiting for a reply.)  Every computer that answers the ping is then inspected to check for open ports, ie the malware will try to connect to ports 1 through 65000 on the target...or it will look for one specific port where it knows there is a vulnerability.

A firewall protects you by not answering these pings...in other words the malware does not know your computer is at that address and it is therefore much more difficult to attack your machine - once again reducing the attack footprint.  In addition to this, a firewall will warn you when a remote program (malware) tries to talk through one of the network ports - providing another warning that something is afoot.

In time your firewall will "learn" (by asking you) about safe and unsafe computers and programs on the network and can thereby automatically protect you against malware...simply because the firewall will not allow your computer to "talk to strangers".

Even if your computer is infected by malware already, a firewall is helpful because a) it will alert you about the malware trying to spread itself or contact its master, and b) the malware is crippled because it cannot talk to anything on the internet.

Windows XP with service pack 2 includes a firewall.  Alternate (free) firewall software can be downloaded here...

From this information you can clearly see that it is more important (effective) to have a firewall on your computer than virus scanning software...but having both installed is even better.
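The firewall behaviour described above (default-deny inbound, no answer to pings, a warning when an unknown program tries to talk out, and "learning" by asking you) as an added example written for this archive; it is a small model, not the Windows firewall or any real product, and the port, program names and addresses in the sample traffic are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    """One network event as the firewall sees it (constructed model, not a real packet)."""
    direction: str        # "in" from the internet, or "out" from a local program
    proto: str            # "tcp", "udp" or "icmp"
    port: Optional[int]   # destination port for tcp/udp, None for icmp (ping)
    remote: str           # the other computer's address
    program: str          # local program that owns the connection


@dataclass
class HostFirewall:
    """Default-deny inbound, silent to pings, and asks before a new program talks out."""
    open_ports: Set[int]                              # the few "doors" this machine really needs
    trusted_programs: Set[str] = field(default_factory=set)
    answer_ping: bool = False
    alerts: List[str] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """Return 'allow', 'drop' or 'ask', recording an alert where a firewall should warn you."""
        if pkt.proto == "icmp" and pkt.direction == "in":
            # Not answering "are you there?" keeps this address off the scanner's list.
            return "allow" if self.answer_ping else "drop"
        if pkt.direction == "in":
            if pkt.port in self.open_ports:
                return "allow"
            # Every other door stays locked; note the attempt, it is a sign something is afoot.
            self.alerts.append(f"blocked inbound {pkt.proto}/{pkt.port} from {pkt.remote}")
            return "drop"
        # Outbound: a program the user has not approved is held until they decide.
        if pkt.program in self.trusted_programs:
            return "allow"
        self.alerts.append(f"{pkt.program} wants to reach {pkt.remote}:{pkt.port}; asking user")
        return "ask"

    def learn(self, program: str, allowed: bool) -> None:
        """The firewall 'learns' (by asking you) which local programs may use the network."""
        if allowed:
            self.trusted_programs.add(program)
        else:
            self.trusted_programs.discard(program)


# Constructed traffic sample: a neighbouring address probing us (ping, then the file-sharing
# port Windows opens), a visitor to a service we run on purpose, our mail client sending mail,
# and an unknown program trying to send mail directly, as a spam-sending infection would.
TRAFFIC = [
    Packet("in", "icmp", None, "196.25.1.7", "os"),
    Packet("in", "tcp", 445, "196.25.1.7", "file sharing"),
    Packet("in", "tcp", 80, "196.25.1.9", "webserver.exe"),
    Packet("out", "tcp", 25, "203.0.113.25", "mailclient.exe"),
    Packet("out", "tcp", 25, "203.0.113.9", "unknown.exe"),
]


def run_sample() -> tuple:
    """Assumed policy: port 80 is deliberately served, the mail client is already trusted."""
    fw = HostFirewall(open_ports={80}, trusted_programs={"mailclient.exe"})
    verdicts = [fw.evaluate(p) for p in TRAFFIC]
    return verdicts, fw.alerts


if __name__ == "__main__":
    verdicts, alerts = run_sample()
    for pkt, verdict in zip(TRAFFIC, verdicts):
        print(f"{verdict:5s} {pkt}")
    print("alerts:", *alerts, sep="\n  ")
```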

Meatware

The most important security tool in your arsenal is meatware.

The thing between the chair and the computer.  The orb on your shoulders.  Your head.

Your brain runs on two things: glucose and information.

You know that malware consists of computer programs relying on you to execute them, or on you leaving holes in your computer so that they can exploit software running on your machine.  You also know that there are a LOT of bad programmers out there writing hundreds of malware programs per day with the sole objective of making your life miserable.

In this edition of the newsletter you learnt that email purporting to be from Thabo Mbeki is not. 

Emails containing attachments with file types other than the data formats you trust (.jpg, .doc, .gif, etc) are 99.9% of the time malware.  (Programs, ie malware, will always have one of the following file extensions: .EXE, .COM, .VBS, .PIF, .HTA or .CMD - so do not run them on your computer if you received them via email or in a zip file sent by email.)
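The file-extension rule above, together with the earlier point that the operating system decides what to do with a file from the final part of its name, as an added example written for this archive (not code from the newsletter or from any mail product). It checks an attachment's final extension against the program extensions listed, and also reads the file's leading bytes, so a program renamed to look like a picture is still caught; the sample attachments are constructed header bytes, not real files.

```python
import os

# Extensions the newsletter lists for program files: never run these if they arrived by email.
PROGRAM_EXTENSIONS = {".exe", ".com", ".vbs", ".pif", ".hta", ".cmd"}

# Data formats the newsletter treats as trustworthy, with the content each name promises.
EXPECTED_CONTENT = {".jpg": "jpeg image", ".gif": "gif image", ".doc": "ms office document"}

# Leading bytes that reveal a file's real format regardless of its name: "MZ" for DOS/Windows
# executables, FF D8 FF for JPEG, GIF87a/GIF89a, and the OLE2 header used by .doc files.
# These are the standard published signatures; the table itself is constructed for this example.
MAGIC = {
    b"MZ": "program (DOS/Windows executable)",
    b"\xff\xd8\xff": "jpeg image",
    b"GIF87a": "gif image",
    b"GIF89a": "gif image",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ms office document",
}


def extension(name: str) -> str:
    """The final '.xxx' part of a file name, lower-cased, or '' if there is none.
    'vacation.jpg.exe' therefore yields '.exe': the OS only looks at the last extension."""
    return os.path.splitext(name)[1].lower()


def identify_content(data: bytes) -> str:
    """Classify a file by its leading bytes instead of trusting its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(name: str, data: bytes) -> tuple:
    """Return (verdict, reason): 'block' for program files, 'allow' for a data file whose
    name and content agree, 'review' for anything the two checks cannot vouch for."""
    ext = extension(name)
    content = identify_content(data)
    if ext in PROGRAM_EXTENSIONS:
        return "block", f"program extension {ext}"
    if content.startswith("program"):
        # A data extension hiding executable bytes: a double-click would not run it, but
        # nothing good arrives this way, so treat it as the program it really is.
        return "block", f"content is a {content} although the name ends in '{ext}'"
    if ext in EXPECTED_CONTENT:
        if content == EXPECTED_CONTENT[ext]:
            # .doc files can still carry macros; keep Word set to ask before running them.
            return "allow", f"{content} with matching extension {ext}"
        return "review", f"name claims {ext} but content looks like {content}"
    return "review", f"unfamiliar extension '{ext}' with {content} content"


# Constructed sample attachments (a few header bytes each, not real files).
SAMPLES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "vacation.jpg.exe": b"MZ\x90\x00\x03\x00",
    "holiday.jpg": b"MZ\x90\x00\x03\x00",  # a program renamed to look like a picture
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00",
    "notes.txt": b"Hello from the cousin",
}


def assess_all(samples: dict = SAMPLES) -> dict:
    """Verdict for every sample attachment, keyed by file name."""
    return {name: assess_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18s} -> {assess_attachment(name, data)}")
```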

Install a firewall and virus scanner on your computer and keep them (and your operating system) up to date and configured correctly; and, above all, use your meatware to avoid becoming a sad statistic...not to mention an umbrella casualty.

As they say in the movies: be safe out there...
  

..:: About us


At Cozahost we help small companies and professionals tame the internet so that they can concentrate on making money.  We take care of the technical stuff so that they can take care of business.  Here are some of our products and services:
 

  • About us - Background information on Cozahost: who we are and what we aim to do.
  • Contact us - We would love to hear from you on any issue related to your internet business or this newsletter.
  • Your own internet domain name - Find out what it is, how it works, what it costs and how to get one.
  • Internet connections - Modem dialup for R 49.00 Ex VAT per month.  ISDN for R 78.00 Ex VAT and ADSL for R 229.00 Ex VAT.  Are you paying more?
  • Your web site - Come see what we can do for you.
  • Fax to email service - Receive your faxes privately, hassle free and anywhere in the world for a few cents a day.

..:: Aircraft maintenance

 
After every flight, Qantas pilots fill out a form, called a "gripe sheet," which tells mechanics about problems with the aircraft. The mechanics correct the problems, document their repairs on the form, and then pilots review the gripe sheets before the next flight.

Never let it be said that ground crews lack a sense of humor. Here are some actual maintenance complaints submitted by Qantas' pilots (marked with a P) and the solutions recorded (marked with an S) by maintenance engineers.

Qantas is the only major airline that has never had an accident.

P: Left inside main tire almost needs replacement.
S: Almost replaced left inside main tire.

P: Something loose in cockpit.
S: Something tightened in cockpit.

P: Dead bugs on windshield.
S: Live bugs on back-order.

P: Evidence of leak on right main landing gear.
S: Evidence removed.

P: DME volume unbelievably loud.
S: DME volume set to more believable level.

P: Suspected crack in windshield.
S: Suspect you're right.

P: Number 3 engine missing.
S: Engine found on right wing after brief search.

P: Aircraft handles funny.
S: Aircraft warned to straighten up, fly right, and be serious.

P: Target radar hums.
S: Reprogrammed target radar with lyrics.

P: Mouse in cockpit.
S: Cat installed.

P: Noise coming from under instrument panel. Sounds like a midget pounding on something with a hammer.
S: Took hammer away from midget.
   

..:: Subscribe
 
If you like this newsletter, please do us a favor and ask your friends to subscribe here: http://www.cozahost.com/news/

The Cozahost newsletter is available as an RSS feed: http://news.cozahost.com/newsfeed.xml
 

..::Goodbye! :-)


Thanks for reading this newsletter and we hope you enjoyed it!  Please contact us if you have comments, suggestions or questions - we would love to hear from you!
 

(c) Cozahost 2005, All rights reserved.

