From: cquirke@iafrica.com
Newsgroups: comp.virus
Subject: Safe Computing Primer
Date: 26 Jun 1999 04:41:34 -0000
Administrivia
Yeah, you can recycle this, but it would be a courtesy to acknowledge
Chris Quirke (cquirke@iafrica.com) as the source ;-)
Safe Computing Primer
~~~~~~~~~~~~~~~~~~~~~
Although most people think about viruses, the full picture is a bit
wider, as viruses are not the only problem. ANY code or file from
outside the system is a potential threat:
1) Sent deliberately by one who means you ill
2) Sent accidentally (i.e. by computer, not user)
3) Assumed safe, but harbors dangerous content
4) Intended safe, but programming bugs cause danger
5) Intended safe, but incompatible with system
Basic principle of safe computing:
"Nothing runs on this system unless I choose to run it"
Corollary:
"I will assess and decide on all content before running it"
[What Runs?]
In the old days, only "programs", i.e. files with names ending in
.bat, .com or .exe, could be a problem.
But this has changed:
1) MS Word will automatically run macros in documents
2) MS Word will do that no matter the extension, even .txt
3) Web browsers and e-mail programs may run code within HTML
So my current advice is to treat *any* file as a potential problem, no
matter what it is called. Even .txt, .rtf and .htm files may be a
risk, thanks to "active content" in HTML web pages and e-mail and
Word's stupidity regarding macros.
And it's not only files that run; web pages that you visit on the
Internet may contain malicious or buggy active content, and some
e-mail programs can be tricked into running raw code hidden within
hyperlinks in the message itself.
[How Does it Get In?]
There are various entries to the system:
1) Booting off diskette drive (set boot order C: before A:)
2) Running or "opening" files off diskette or CD
3) Auto-running computer CDs (disable)
4) Visiting web sites on the Internet
5) Reading e-mail in an insecure e-mail program
6) Running or "opening" files received as e-mail attachments
7) Running software that auto-installs stuff from the Internet
8) Being on-line when someone else hacks in over the Internet
9) Allowing access to the PC keyboard, or access via modem "data calls"
Of these, the BIGGIE is (6). FWIW, my standard setup practice
protects against (1,3,4,5,9) by setting up the system and its software
to minimise risk - but (2,6) are up to the user.
[What is Malware?]
Malicious wares are files, code or content that act in an unexpected
or undesirable manner; includes trojans, viruses and worms.
[What is a Virus?]
A virus is code that causes itself to be reproduced, infecting other
disks or files and so causing it to spread. Because Word auto-runs
macros, it is possible to write viruses that infect Word documents;
indeed, these are now the world's most common viruses.
Viruses may attempt to do no harm, but cause problems as a side effect
of bad coding or compatibility issues. OTOH many (if not most)
viruses will carry a payload that causes damage, timed to be executed
after a certain number of days or events, or on a certain date (e.g.
the original CIH hatched on 26 April).
[What is a Worm?]
A worm is code that causes itself to spread over a network, infecting
other systems. Typically it will do so by mailing itself to other
addresses (e.g. Melissa) or by attaching itself to all messages you
send (e.g. Happy99). Because the worm sends itself automatically to
addresses taken from the victim's address book or mail, knowing the
sender of a message is not enough reason to trust it.
The distinction between worm (e.g. Happy99) and virus (e.g. CAP) is
blurred by malware such as Zipped_Files and Melissa. These arrive as
trojans or viruses, may spread as viruses, but also send themselves
off directly as worms do.
[What is a Trojan?]
A trojan is a program or file that appears to be desirable, useful or
interesting, but harbours malicious code. "Joke" programs sent via
e-mail, pirate software downloaded from "warez" sites, and even web
pages themselves can be trojans.
Unlike worms and viruses, trojans do not have to infect other
networks, systems, disks or files to spread.
[What are Attachments?]
One can send arbitrary files along with an e-mail message as
enclosures or attachments.
Those files can be anything; trojans, trojan web pages, virus infected
documents and other files. This is THE most common form of malware
spread, and clueless users are not only falling victim to this but are
causing the problem by allowing their systems to spread this to other
users. It will only be a matter of time before we read about a
'net-rage incident where some user who refuses to clean up their
system gets whacked by someone else who has lost data as a result of
something they sent.
[What is Active Content?]
Active content includes Java, JavaScript and VBScript. These are
programming or scripting languages; code written in them is sent from
a web site to the computer that visits the site, and runs on that
computer, without the user's knowledge or consent. This is clearly
beyond the bounds of safe computing practice!
Because active content can go anywhere HTML can go, and because many
e-mail programs send mail in HTML form, even the e-mail message itself
can be dangerous.
[What is a Payload?]
The payload is what the malware does that is offensive! Includes:
1) Privacy; passwords, credit card numbers etc. sent over Internet
2) Impersonation; sending messages as if from yourself
3) Damage; deleting and trashing your data and system files
4) Hardware damage; reprogramming the BIOS so system cannot boot
5) Denial of service; interferes with system functionality
By the way, (3) and (4) are non-trivial. Corrupted data cannot always
be recovered, no matter how many hours of labour you are prepared to
pay for, and a corrupted BIOS can require replacement of the
motherboard or the entire system (proprietary PCs and laptops).
[What's Wrong With Microsoft?]
Part of the reason Microsoft products are targeted is because they are
so commonly used, and because Microsoft is unpopular with some users
for various reasons. But a large part of the problem is the nature of
Microsoft's products themselves.
MS Word is a great word processor, but has the cluelessness to not
only automatically run macros (i.e. programs) of a certain name within
any document, but to do so even when the file has a non-Word file
extension such as .txt (plain text), .rtf (Rich Text Format, which is
an open standard and should have no macros) or .htm (HTML, the stuff
of which web pages are made).
This is nasty, because people will typically use .txt, .rtf and .htm
in an attempt to send data in a safe way that can be read in any
program - so these should NEVER contain Word macros anyway!
MS PowerPoint and Excel also autorun macros within their files.
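As an added illustration (not part of the original post): since Word
decides how to open a file from its contents and not its name, a check
worth making on anything that arrives as .txt, .rtf or .htm is to look
at the leading bytes yourself. The C below, with function names of its
own invention, classifies a buffer by signature (the OLE2 compound
document header used by Word 97, Excel 97 and PowerPoint 97 binary
files, the "{\rtf" prefix, an HTML tag, or printable plain text) and
flags a text-looking name whose bytes are really an OLE2 container.
The sample buffers in main() are constructed for the example.

```c
/* Added example: classify a file by its leading bytes, not its name.
 * Not code from the page; function names are the example's own. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum ftype { FT_UNKNOWN, FT_PLAIN_TEXT, FT_RTF, FT_HTML, FT_OLE2 };

/* Signature of an OLE2 compound document, the container of Word 97,
 * Excel 97 and PowerPoint 97 binary files (and so of their macros). */
static const unsigned char OLE2_SIG[8] =
    { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 };

/* Case-insensitive prefix test: does buf[0..len) start with pfx? */
static int starts_ci(const unsigned char *buf, size_t len, const char *pfx)
{
    size_t n = strlen(pfx), i;
    if (len < n) return 0;
    for (i = 0; i < n; i++)
        if (tolower(buf[i]) != tolower((unsigned char)pfx[i])) return 0;
    return 1;
}

/* Case-insensitive whole-string equality. */
static int ci_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Classify by content only; the file name is never consulted. */
enum ftype sniff_type(const unsigned char *buf, size_t len)
{
    size_t i;
    if (len >= sizeof OLE2_SIG && memcmp(buf, OLE2_SIG, sizeof OLE2_SIG) == 0)
        return FT_OLE2;
    if (starts_ci(buf, len, "{\\rtf"))
        return FT_RTF;
    for (i = 0; i < len && isspace(buf[i]); i++)
        ;                                   /* skip leading whitespace */
    if (starts_ci(buf + i, len - i, "<html") ||
        starts_ci(buf + i, len - i, "<!doctype"))
        return FT_HTML;
    for (i = 0; i < len; i++)               /* plain text: printable 7-bit */
        if (buf[i] >= 0x80 || (!isprint(buf[i]) && !isspace(buf[i])))
            return FT_UNKNOWN;
    return len ? FT_PLAIN_TEXT : FT_UNKNOWN;
}

/* Does the name end in an extension people treat as "safe" text? */
static int claims_text_ext(const char *name)
{
    static const char *exts[] = { ".txt", ".rtf", ".htm", ".html" };
    const char *dot = strrchr(name, '.');
    size_t k;
    if (!dot) return 0;
    for (k = 0; k < sizeof exts / sizeof exts[0]; k++)
        if (ci_eq(dot, exts[k])) return 1;
    return 0;
}

/* 1 when the name claims a text format but the bytes are an OLE2
 * container: the disguised Word document the text warns about, which
 * Word will still open and run macros from. */
int extension_lies(const char *name, const unsigned char *buf, size_t len)
{
    return claims_text_ext(name) && sniff_type(buf, len) == FT_OLE2;
}

int main(void)
{
    /* constructed samples: an OLE2 header with padding, and real text */
    unsigned char fake_txt[16] =
        { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1, 0, 0, 0, 0, 0, 0, 0, 0 };
    const unsigned char real_txt[] = "Meeting notes, 26 June.\n";
    printf("notes.txt with OLE2 inside: lies=%d\n",
           extension_lies("notes.txt", fake_txt, sizeof fake_txt));
    printf("notes.txt with real text:   lies=%d\n",
           extension_lies("notes.txt", real_txt, sizeof real_txt - 1));
    return 0;
}
```

A matching signature only tells you which container you have, not
whether it carries anything hostile: RTF can embed objects and HTML can
carry scripts, so this is a pre-check before the virus scanner, not a
replacement for it.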
MS Outlook (nicknamed 'Outbreak') has several fatal flaws:
1) Outlook Express is part of the browser, thus accessible to web sites
2) Reads HTML mail and executes active content in it
3) Has "unchecked buffer" vulnerabilities
4) Stores attached files within mailboxes
5) Creates and jumps into these files when these are "opened"
6) May be controlled via Word macros as well as active content
Item (3) is interesting. If one creates a very long hyperlink (those
blue things that run attached files or whisk you off to a web site
when clicked) and places raw code in the end of it, one can cause the
program to crash or run that code as if it was part of the program -
and raw code can do anything; infect files, trash data, whatever
software can do.
Most programs will check that external data (such as a link) is not
too long to fit in the program's buffer before copying it in. Alas,
not MS - even their heavy-duty NT Server has situations where
unchecked buffer overruns can be exploited.
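To make the "unchecked buffer" point concrete, here is an added
example in C (not code from the post, and not Outlook's actual code:
the link-copying routine and its 64-byte buffer are invented for the
illustration). The first function copies a link into a fixed stack
buffer with no length check, which is the defect described above; the
second refuses anything that will not fit before copying a single
byte. The sample link in main() is constructed.

```c
/* Added example: an unchecked copy of the kind the text describes,
 * beside a bounded copy that checks the length first. Hypothetical
 * link handling; not code from any real mail program. */
#include <stdio.h>
#include <string.h>

#define LINK_BUF 64   /* fixed-size buffer, as in the text */

/* Vulnerable: copies the whole link without checking that it fits.
 * A link longer than LINK_BUF-1 bytes runs past the end of 'buf' on
 * the stack and overwrites whatever lies beyond it (saved registers,
 * the return address) - the "run that code as if it was part of the
 * program" outcome the text warns about. Never feed this untrusted
 * input; main() only calls it with a link that fits. */
void copy_link_unchecked(const char *link)
{
    char buf[LINK_BUF];
    strcpy(buf, link);            /* no length check at all */
    printf("unchecked: %s\n", buf);
}

/* Hardened: measure first, refuse anything that will not fit, then
 * copy with an explicit size including the terminating NUL.
 * Returns 1 on success, 0 if the link was rejected. */
int copy_link_checked(const char *link, char *out, size_t outlen)
{
    size_t n = strlen(link);
    if (outlen == 0) return 0;
    if (n >= outlen) {
        /* too long: reject outright rather than truncate silently,
         * so the caller can treat the message as hostile */
        out[0] = '\0';
        return 0;
    }
    memcpy(out, link, n + 1);
    return 1;
}

/* Build a link of 'len' bytes and report whether the checked copy
 * accepts it into a LINK_BUF-sized buffer (1 = accepted). */
int link_accepted(size_t len)
{
    char link[4096];
    char out[LINK_BUF];
    if (len >= sizeof link) len = sizeof link - 1;
    memset(link, 'A', len);
    link[len] = '\0';
    return copy_link_checked(link, out, sizeof out);
}

int main(void)
{
    char out[LINK_BUF];
    const char *ok = "http://example.invalid/page.htm";   /* constructed */
    copy_link_unchecked(ok);                /* short, so no overrun here */
    printf("checked, short link: %d\n", copy_link_checked(ok, out, sizeof out));
    printf("checked, 200-byte link accepted? %d\n", link_accepted(200));
    return 0;
}
```

The hardened version rejects rather than truncates: a link that is
too long is itself a signal, and silently cutting it off hides the
attempt from the user.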
[Safe Computing]
How to be safe?
1) Choose your software carefully.
Where e-mail is concerned, I stick to Eudora 3.0 as it is not
vulnerable to buffer overruns, does not execute active content in HTML
mail, and (the biggie) it creates incoming attached files as files as
these are downloaded.
That means you can simply virus check one (known) directory to scan
all files downloaded to date - whereas in (say) Outbreak, you have to
NOT double-click the link ("bang; you're dead" if you do) but save as
a file instead. Then, remember where you saved it and what it was
called, then go out of Outbreak to (say) Explorer to find the file and
scan it. And repeat all that all over again for each file you
receive. Or rely on a resident scanner, if you like.
It also means that if you receive a trojan and want to delete all
occurrences of it, you can simply do a Find for that file and you will
find them all. Whereas with Outbreak, the file will be hidden within
the mail box where Find can't find it and the virus scanner can't scan
it. Even if you delete the message, it will still be in the "Trash"
unless you delete it there as well.
2) Set up the system for safety.
- Set boot order to C: before A:
- Disable auto-running of computer CDs
- Disable or prompt on active content in web browsers
- Use fake e-mail settings in web browsers
- Make it easy to virus check attachments, diskettes and files
- Don't use known-dangerous software, e.g. browser e-mail apps
- Set dangerous applications for safety, e.g. Word and browsers
Even if your system builder does that, installing an ISP's software
will most likely have breached this protection. You may have
re-enabled auto-running of CDs, your newly-installed web browser will
have valid e-mail settings that facilitate malicious auto-sending of
malware, and it is probably set to run all forms of active content
without your knowledge or consent.
You should consider re-instating protection against active content (in
MSIE, that's Tools, Options, Security tab, Custom, set everything
except download and drag-n-drop to Prompt or Disable), and the use of
a safer e-mail application.
3) Think before you click
Don't even *consider* "opening" an attachment unless:
- It is from someone you know, *and*
- The message makes MEANINGFUL reference to all files, *and*
- All files pass virus check with up-to-date virus checker
"Here are the files you requested" is NOT a meaningful reference to
attached files; several trojans and worms use similar generic phrasing
when sending themselves to addresses stolen from your own "address
book" (Melissa with Outlook 97) or incoming and queued-outgoing
messages (Zipped_Files trojan/worm).
Don't send attachments unless you need to, and if you do, describe
every file you send in a meaningful way. Don't presume the trust of
strangers by sending them unsolicited attachments, especially "joke"
files received from other strangers.
Don't allow active content to run unless you trust the site and the
site needs it to do something important and useful to you (e.g. a
banking site or a sign-up server).
Don't "open" files off a diskette without virus checking first, and
I'd extend that advice even to computer CDs.
Virus check any files you download off the web before using them.
4) Be realistic about your virus scanner
A scanner is only as good as its signature files, so update these
regularly - preferably every month. A scanner that does not offer
free updates is not worth the cost of the disks it came on.
A possible exception to this rule is heuristic protectors that do not
depend on signature pattern matching. Evaluate claims made for such
products with care, and consider a conventional product as a backstop.
A scanner will know many viruses and worms, but cannot know every
trojan, and will miss the very latest worms and viruses that send
themselves automatically from users' e-mail programs.
So, check everything external before use, but if the file is dubious
in origin and unsolicited (see "Think before you click") just don't
"open" it at all. After all, you don't feel obliged to read every
junk mail stuffed into your letterbox; why should you open every
potential parcel-bomb thrown through the window?