Saturday, 21 March 2015

The Big Virus Guide

Virus Guide

Knowing your enemy is half of the fight

As the internet changes, both in terms of the technology that underpins it and the way in which we use it, so too does the type of viral threat we can expect to encounter. The 'mischief' viruses of the past gave way to commercially motivated adware and spyware, and so too have these been succeeded by ransomware and scareware - programs that rely on social engineering to survive instead of semi-legitimate business.

The sheer number of threats out there means that making sense of them all can be confusing. What's the difference between a virus and worm? What does adware do that scareware doesn't? And how do you even end up infected with these different types of malware?


To answer these questions (and hopefully a lot more!), we've put together this guide to the various types of malware you might encounter. As well as explaining what those threats do and where they might come from, we'll also look at what they might look like in the near future - and most importantly, how you can protect yourself against them.

The Past: Viruses, Worms And Trojans


A computer virus is any self-replicating program designed to either damage or impede a system or network, though in some cases this is only by leeching resources rather than by actively attacking it. The worst examples can wreak havoc on a computer by deleting data, preventing access to your files and even rewriting parts of your operating system entirely.

The word 'virus' is often used as a generic term to encompass any malware, including worms and trojans, but it often specifically refers to programs that attach themselves to executable files so they can spread and replicate in a covert manner. Unlike trojans, which don't self-replicate, viruses carry a 'payload' - damaging behaviour that activates under certain conditions, such as on a specific date or if a certain program is run.

Strictly speaking, a worm is a piece of self-replicating code that doesn't require a host program to become active like a virus does. It propagates through unplugged security holes in operating systems and software, and while they're often harmless to individual PCs, they do their damage on a macro level by clogging up networks and servers with massive amounts of unwanted traffic. Worms don't usually carry a payload, but they do actively copy themselves to as many places as possible.

Today, most worms spread themselves using email or social media, contacting the people in your address book or friends list to spread themselves further - something that's both inconvenient and embarrassing for the original sender. While Facebook, Tumblr and Twitter have become much better at preventing social media worms (which use scripts to repost themselves to a user's feed), the likelihood of this style of attack becoming prominent remains high as long as social media remain popular.

Finally, a trojan is a program that can be hidden in another executable, though unlike viruses, they are not usually self-replicating and tend to be attached to another program deliberately by a malicious user. When a trojan is executed, it delivers its payload, which is usually an attempt to open a 'backdoor' to your PC, allowing hackers unauthorised access to your personal files. Trojans typically stay hidden because they cause no direct damage to your system; as long as they're installed, the backdoor remains open, so they don't want to make it clear that they're there at all.

The difference between these different types of malware is subtle and largely academic in a world where the primary types of threat come in a more sophisticated forms. One quality that viruses, trojans and worms all share is that they tend to be quite simple, small and parasitic - something that isn't true of most modern malware, not least because the goal of most modern malware isn't to attack and destroy a system, but to harness its resources and steal the information on it.

You can only be infected with a virus, worm or trojan by executing an infected piece of software or using an infected piece of media. Floppy disks used to be the prime suspects, but these days anything from a USB memory key to a rewritable DVD could harbour one. The most likely suspect, though, is your e-mail. When you get a piece of e-mail spam that isn't trying to sell you something, it's a safe bet there's a virus of some kind attached in the hope that you'll carelessly run it. For this reason, many mail clients block attachments of certain kinds altogether.

The best way to stop viruses is by installing an anti-virus program; it'll not only remove existing infections, but can actively prevent known viruses from installing themselves. You can get hold of many different anti-virus applications free, so there really isn't any excuse for not having one. If you're still stuck, then the popular choice remains AVG Free (available at free.avg.com), which will provide plenty of protection, as well as constant virus updates to ward off the newest infections.

Despite their best efforts, antivirus programs can't always be fully up to date and comprehensive, if only because new viruses have to appear in the wild before they can be analysed and fixed. Users must be constantly vigilant about not running programs from unreliable sources, whether it's an executable attached to a piece of spam, a piece of pirated software or a seemingly harmless joke application. To do so risks infection, and the damage to your system could be immediate.

Malware


Although any malicious software can be called malware, the term usually refers to a set of specifically malicious programs; spyware, adware and ransomware. Like the mutant offspring of simple viruses, malware programs are designed to install themselves on your system and stay there. They don't usually try to replicate themselves across to other systems, but they are likely to replicate themselves on your system so they can easily restore their infection if one copy gets removed.

Spyware refers to any program that tracks your online activity as an ostensibly secondary function. Examples may include a search engine toolbar which, while purporting to give you quicker access to a search engine, is actually more interested in which pages you visit and how long you spend on them. This information is used to build up an advertising profile, which can be sold on so advertisers know which sites to target and what type of adverts to serve on them, based on a range of profiles. Most spyware is easy to uninstall, but since you don't often realise it exists, the privacy implications are potentially huge.

Adware (a blending of the words 'advert' and 'software') goes a step further and may actively alter the functionality of some applications - typically your browser or messenger program - so it serves extra adverts or redirects internet traffic to sites other than the ones you intended to visit. This is done to generate revenue for its creators and can be as simple as embedding its own adverts into a page that would normally show someone else's or as devious as redirecting your Google searches through the creator's own affiliate program. Certain adware will even prevent you from searching for fixes, intentionally blocking access to anti-malware websites. Where spyware attempts to stay hidden (and indeed, sometimes tries to be actively useful in some way, if only as a secondary effect), adware tries to make sure you don't notice it and think that the adverts are coming from somewhere else.

Ransomware is the worst of the bunch, a type of malware that quite literally holds your system to ransom. Adware and spyware might be on the fringes of legality, but at least they're harvesting data that has actual value to someone. Ransomware simply demands that you pay up, locking your system until you do. The more insidious examples of ransomware will go so far as to encrypt your hard drive and force you to pay for access to your own files, which will otherwise become inaccessible forever.

At best, you lose the money you've paid them, and the software gives you control of your system back long enough for you to remove it. At worst, your credit card details are stolen, and the software remains in place, demanding ever more money. Some ransomware may be 'scareware', which lies about the nature of the payment, perhaps by claiming you have to pay a spot-fine for illegal activity or that your system has been infected and you should 'subscribe' to protection, but which doesn't actually do anything to back up those claims (hence scareware - it scares you into paying).

It goes without saying that you should never make a payment through a ransomware program. Instead, strong anti-malware protection and backup policies are the best defence against it.

Although many forms of malware are installed semi-legitimately (either by asking the user to do it under false pretences or by bundling themselves up with legitimate software by paуing the developers a fee), some programs dispense with the formalities entirely. These 'drive-by' installations are performed automatically and without permission through exploits and security flaws on your machine. While it could be argued that some types of adware and spyware don't harm a system too badly, the real concern is that these programs open up security flaws on your system and leave you further vulnerable to attack.

Indeed, if left unchecked, more and more adware will build up on your system, slowing it down substantially. Eventually, things will become so clogged up that a complete reformat and reinstall becomes your best option. Malware is one of the most common threats to modern PC, probably because it works so well: most users are simply not savvy enough to get rid of it on their own means. To remove malware manually you have to be familiar with registry editing, background services and file systems on a level that's simply beyond most users.

Many programs exist that can remove malware for you, but prevention is always better than cure. To minimise the risk, make sure you have the latest security updates to your operating system installed and, similarly, make sure you don't agree to install software unless you're certain that it's legitimate. If you're invited to install a program while visiting a website, there's a strong chance that it'll be nothing but thinly disguised malware. To avoid participating in your own infection, make sure you read all dialogue boxes properly and always click 'cancel' if it's something you don't want or don't understand!

Rootkits


A rootkit is a type of spyware that allows unauthorised users to act as the administrator (or 'root' user) for a system, without even the need to crack the password for it. Once installed, rootkits open a backdoor that can allow any user full control over the target PC, to the extent that you can't really see the infection from within an infected PC; it allows modification of behaviour on a level between the operating system and hardware, as opposed to between the operating system and user like regular forms of malware.

The most common rootkits are used by other malware programs to hide their existence from antispyware scanners, preventing their own removal. By exploiting the rootkit, a spyware program can use the administrator-level access it grants to prevent anti-spyware scans from detecting their own registry keys or active processes. Their popularity has waned of late due to an aggressive campaign against them, but a few years ago rootkits were everywhere, and there's no guarantee that modern systems are completely immune to them.

Rootkits can be installed by just about any method, though perhaps the most famous example is the Sony-BMG copyright-enforcement rootkit, which was designed to prevent computers from copying the contents of music CDs but in doing so opened up a backdoor that compromised any PC with the rootkit installed. The worst part of the whole affair was that the program could be installed simply by putting the CD in the drive, if autorun was enabled (which it inevitably was on systems of the era).

While there are some examples of legitimate rootkits to be found in hardware emulation and security software, the majority are used to exploit a PC illegally. Frustratingly, the very nature of rootkits means that you often can't stop them after installation, if at all. They hide beneath the normal level of detection and can be all but impossible to remove without using software designed for the task.

The Future of Viruses


Virtually as long as there have been computers, there have been programs written that, in one way or another, are intended to have a malicious impact on a computer system. The big question isn't 'Will there still be malware in the future?' It's 'What will malware be like in the future?'

Although much effort has been put into eradicating malicious software in its entirety, the war to keep computers safe and secure will always be an ongoing concern. As the continued computerisation of society affects everything from TVs to traffic control, the opportunities for malicious software to cause damage continues to grow. As recently as a few years ago, the idea that your computer would be able to spontaneously bombard you with adverts based on your hourly behaviour sounded like a nightmare scenario, and yet it is instead a harsh reality for millions of computer users logging into their computers each day. In retrospect, the opportunistic floppy-bound viruses of the 80s and 90s look almost quaint by comparison!

The next obvious step for malware is to migrate away from traditional PCs. The number of smartphones, tablets and ereaders has exploded, and it's a logical expectation that malware will eventually make the leap to such devices in earnest, bringing with them the same kind of irritants and inconveniences as you already regularly encounter on your home PC. The good news is that the systems have been so tightly engineered that it's hard to infect modern mobile devices, but there's sure to come a day when a security flaw or leaked credentials leaves millions of systems vulnerable.

Of course, while developers can plug security holes, there's no stopping users from doing what they want, which is why social engineering is becoming more prevalent. The first ever mobile virus, the Cabir worm, required users to manually accept the transfer of the worm onto their phones, but even that didn't stop it from actually getting out. Users happily accepted a Bluetooth application transfer from a completely unknown source, then ran the software. It's therefore likely that the malware of the future will require users to actually be complicit in their own infection, adding insult to injury!

An infected mobile device brings with it obvious new avenues to exploit. Gone are such rudimentary tactics as serving adverts and tracking web pages; modern mobiles track everything from where you visit to when you sleep to how many times your heart beats a minute - data that any sufficiently maniacal advertiser would salivate over. Direct theft is also easier, thanks to NFC and wallet-based payment systems. It's not beyond the realm of possibility that malware in the future could use your mobile phone to try to make payments without your authorisation.

In the worse cases, your mobile might even become complicit in a real-world theft. It would only take a rudimentary amount of access to make a smartphone alert a third party when you've left the GPS location it understands to be your home, informing them that the building might therefore be unoccupied and vulnerable. Not a happy idea.

As well as looking at what tomorrow’s malware will do, we should also look at where it's likely to come from. As depressing as it might be to think about, malware does not simply spring forth into existence - someone, somewhere, has had to sit down and actually write the code.

In the past, virus writers traditionally operated in the Western, developed world. For the first 15 years, malware was mostly written by 'hobbyist' programmers in Europe, the US and Australia. Such crime was mostly disorganised and untargeted, but as computer systems became more and more interlinked because of the internet, the creation of 'criminal' software slowly became more and more targeted, and better organised for maximum ruthlessness. The hobbyists were turning professional.

Over the last few years, more and more malware has started coming from countries that were part of the Soviet Union - Russia, Latvia, Kazakhstan and Ukraine. Other developing economies with large numbers of skilled computer workers but not enough job opportunities in the IT sector, such as Brazil and China, already see potential workers taking up cybercrime to make a living. After all, such a lifestyle often presents a lucrative and relatively easy way to make money; the world is up for grabs, and the crime is difficult to combat over international boundaries. Today, the countries that originate most malware are Russia, China and South America - all of which have developing economies of growing size, complexity and importance.

In early 2008, computer security company F-Secure released a report that showed a growing level of e-crime coming from countries such as Central America, India and Africa. The trend continues today, and it's likely that crime in these three areas will continue to rise until they are definitively producing the next wave of malware. Attacks are likely to become more sophisticated as broadband reaches these areas (allowing high-speed links to any computer on the planet) but, as with current crime hotspots, the lack of a significant job market capitalising on the infrastructure diverts skilled computer users towards criminal activity.

These trends don't indicate that malware will stop coming out of the Western world, however. The overall volume may be reduced, but just as software engineering becomes more complicated in Western economies, so the development of malware will follow suit. The open-source movement has been around for long enough to become cemented in the ideologies of technically skilled programmers, and that means that 'open-source malware' - already in existence - may not be far away from becoming a much more serious problem.

As you may have guessed, the future of malware is rife with conflicting possibilities and probabilities. It's easy to see the general trends of malware - where it's coming from and what it'll do - but as with any attempt at futurist predictions, it's hard to see whether there's a game-changing development lurking around the corner.

One thing is certain, though: as long as there are computers and software, there will be people attempting to abuse them for their own purposes, and that means malware will be a part of all our lives. Sadly, there's no happy ending here - just a constant threat that simply isn't going to go away any time soon.