Hackers are becoming increasingly sophisticated and adept at creating exploits that combine several categories of malicious software to produce programs that threaten networked computers. Over the last several years, the term "malware" has been used to describe the various kinds of malicious software that hackers engineer to compromise personal computers. For the best protection against malware (and other threats), install and update anti-virus software, keep operating system patches and service packs up to date, and never open an e-mail attachment unless you are absolutely sure it is harmless. The four main categories of malware are viruses, worms, Trojans, and back doors.
Viruses
In their simplest form, viruses are individual programs whose effects range from the innocuous placement of a "test" file to the deletion of data and reformatting of the hard drive. Not all viruses are malicious: some are written by "white hat" programmers as tests to help discover vulnerabilities and remove or strengthen them. There are many "families" of viruses, with variations (or strains) that have been around for many years, and new viruses appear almost daily. To combat viruses, it is essential to install anti-virus software and update it frequently. For more information on anti-virus efforts at Penn, visit https://www.isc.upenn.edu/how-to/antivirus-desktops-and-laptops
Worms
Worms are programs whose sole purpose is to replicate and spread to other computers. Some programmers write worms solely to see how far they spread, and in many cases there is no actual payload or threat. In recent years, however, worms have been used to spread viruses more rapidly. Once a computer has been infected by a virus/worm (usually through an opened, infected e-mail attachment), the virus component begins running its own SMTP mail server, and the worm component replicates the virus and e-mails it to addresses found in the computer's address book with a spoofed "From:" header (this most frequently occurs with computers using Microsoft Outlook).
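The mass-mailing behaviour described above leaves a visible network signature: a single workstation opening outbound SMTP (port 25) connections to many different mail servers instead of handing mail to one relay. The following is an added detection example, not code from the original page; it runs over constructed connection-log lines in an assumed `src=... dst=... dport=...` format and flags hosts with an unusual SMTP fan-out.

```python
import re
from collections import defaultdict

# Constructed sample of outbound-connection log lines (not from the original page):
# time, source host, destination host, destination port.
SAMPLE_LOG = """\
09:00:01 src=10.1.2.50 dst=192.0.2.10 dport=25
09:00:02 src=10.1.2.50 dst=192.0.2.11 dport=25
09:00:02 src=10.1.2.50 dst=198.51.100.7 dport=25
09:00:03 src=10.1.2.50 dst=198.51.100.8 dport=25
09:00:03 src=10.1.2.50 dst=203.0.113.20 dport=25
09:00:04 src=10.1.2.50 dst=203.0.113.21 dport=25
09:00:05 src=10.1.2.51 dst=10.1.0.5 dport=25
09:00:06 src=10.1.2.51 dst=10.1.0.5 dport=25
09:00:07 src=10.1.2.51 dst=192.0.2.10 dport=443
09:00:08 src=10.1.2.52 dst=203.0.113.21 dport=80
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_connections(text):
    """Yield (src, dst, dport) tuples from lines matching the assumed log format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def mass_mailer_suspects(text, threshold=5):
    """Return {src: number of distinct SMTP destinations} for hosts that opened
    outbound port-25 connections to at least `threshold` distinct destinations.

    A workstation normally hands all mail to one relay (10.1.2.51 below); a worm
    running its own SMTP engine connects directly to many recipients' mail
    servers (10.1.2.50), so high port-25 fan-out is the signal to alert on."""
    dests = defaultdict(set)
    for src, dst, dport in parse_connections(text):
        if dport == 25:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, count in sorted(mass_mailer_suspects(SAMPLE_LOG).items()):
        print(f"{host}: outbound SMTP to {count} distinct hosts")
```

Blocking outbound port 25 from workstations at the border, except to the unit's approved mail relay, turns the same observation into a preventive control.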
Trojans
As in "Trojan Horse", these programs are designed to imitate normal, useful programs, but they contain hidden code that can perform a wide variety of compromises, including granting a remote user complete control of the compromised computer. For example, the Trojan may be a version of a common command-line utility, such as 'ls' on Unix, that carries the same file name and performs all the normal functions of the command, in addition to other functions known only to the attacker.
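Because a trojaned utility keeps its name and still does its normal job, neither the file listing nor its behaviour reveals the substitution; only comparing the file against a baseline taken from known-good media does. The following is an added example, not code from the original page: it records SHA-256 hashes of the files in a directory and reports which have changed, using a constructed temporary directory with a replaced 'ls' to stand in for a system binary directory.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(directory):
    """Map each regular file in `directory` to its SHA-256 (take this from known-good media)."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}


def verify(directory, known_good):
    """Compare the directory's current files with a baseline. A trojaned utility
    keeps its name and normal functions, so only a hash mismatch gives it away."""
    current = baseline(directory)
    return {
        "modified": sorted(n for n in known_good if n in current and current[n] != known_good[n]),
        "missing": sorted(n for n in known_good if n not in current),
        "added": sorted(n for n in current if n not in known_good),
    }


def demo():
    """Constructed scenario: baseline two wrapper 'utilities', then replace 'ls'
    with a copy that still runs the real ls but contains lines the original lacked."""
    with tempfile.TemporaryDirectory() as d:
        files = {"ls": b"#!/bin/sh\nexec /bin/ls \"$@\"\n",
                 "cat": b"#!/bin/sh\nexec /bin/cat \"$@\"\n"}
        for name, body in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        known_good = baseline(d)
        with open(os.path.join(d, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\n# extra lines not in the original\nexec /bin/ls \"$@\"\n")
        return verify(d, known_good)
```

On a real system the baseline must come from the vendor's media or package manager, not from the suspect machine, since a compromised host cannot vouch for itself.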
Back Doors
A "back door" is an entry point that a programmer leaves for themselves in order to gain quick access without dealing with the built-in security checks. In theory, back doors are removed from the final release of the software, but history has shown that often they are not. In the current network climate, however, a back door generally means a program that has been placed on a computer (usually discreetly) and allows a remote user to gain and maintain complete administrative control, typically without the knowledge of the computer's primary user. The most infamous examples of back door programs have been SubSeven and Back Orifice, but there are many others, with new ones appearing regularly. There are several ways back doors can be placed on a computer, though no list of them can ever be truly complete:
- Opening an infected e-mail attachment (back doors are often combined with viruses and worms)
- Exploiting a computer left vulnerable by a previous, existing virus
- Following a URL to a malicious website that surreptitiously downloads the back door to the computer
- Exploiting a vulnerable, unpatched software application or operating system service (which happened with the famous Code Red exploits)
- Leaving the computer unattended and unsecured (no password-protected screen saver), so that the back door can be loaded directly from floppy disk, "thumb drive", CD-ROM, etc.
- An active FTP server on the computer (especially one that allows "anonymous" sessions)
Remediation
For a computer that has been corrupted or compromised by malware, the remedy depends almost exclusively on the specific virus or other malware involved. In some cases, vendors such as Symantec, McAfee, and eEye make available software tools that can remove the exploit and repair the damage. In many cases, however, the exploit has installed and activated a back door that permits remote administrative access, leaving the computer vulnerable: once the possibility of a back door exists, it is impossible to be certain that additional back doors have not also been installed. When a computer has been exposed to a possible administrative ("root-level") compromise, Penn Information Security requires that the computer be disconnected from the network, all hard drives reformatted, the operating system re-installed from original media, and all current patches and service packs applied before the computer can be re-attached to the network.
For more information on why this is an industry-recommended remedy for compromised computers, please read "Help: I Got Hacked! Now What Do I Do?" on Microsoft's website at http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
We recommend that Local Support Providers (LSPs) review the options below and use their judgment regarding whether deployment makes sense for their unit. There may be local solutions already in place that fulfill the same roles (e.g. different patch management software). Before making a systemic change to how you manage systems, be sure to consult with IT leadership in your organization.
Prevention
Resources Provided by Penn
- Computing Security Policy: strong passwords, patching, built-in firewalls, A/V
- DNS Blackholing: SafeDNS
- Handheld Devices: Policy on Server-Managed PDAs
- Phishing: archive of messages targeting Penn
- Strategy for Risk Reduction: Security and Privacy Impact Assessment (SPIA)
- Virus, Spyware, Adware Protection: Symantec Endpoint Protection (SEP) on Windows
- Virus Protection: Symantec Endpoint Protection on macOS
- Vulnerability Scanners: Nessus
Other Resources
- Configuration Benchmarks: CIS guidelines
- Finding Sensitive Data: Spirion (formerly Identity Finder) Penn Preferred Pricing and Support
- Patch and Workstation Management: Tivoli Endpoint Manager for Security and Compliance Analytics (SCA) built on BigFix technology (through ISC Support-on-Site Services)
- Windows Security Enforcement:
  - Group Policy to enforce software restrictions
  - User Account Control (UAC), Windows 7 & Vista
  - AppLocker for Windows 7
- Personal Firewalls: Windows and Mac