N-CAP Users Guide. Everything You Need to Know About Using the Internet! How Worms Spread via (and How to Avoid That)

Transcription

1 N-CAP Users Guide Everything You Need to Know About Using the Internet! How Worms Spread via (and How to Avoid That)

2 How Worms Spread via (and How to Avoid That) Definitions of: A Virus: is a software program capable of reproducing itself and usually capable of causing great harm to files or other programs on the same computer; "a true virus cannot spread to another computer without human assistance" A Worm: is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. A Trojan: is a piece of software which appears to perform a certain action but in fact performs another such as a computer virus. Contrary to popular belief, this action, usually encoded in a hidden payload, may or may not be actually malicious, but Trojan horses are notorious today for their use in the installation of backdoor programs. Simply put, a Trojan horse is not a computer virus. Unlike such malware, it does not propagate by self-replication but relies heavily on the exploitation of an end-user (see Social engineering). It is instead a categorical attribute which can encompass many different forms of codes. Therefore, a computer worm or virus may be a Trojan horse.

3 Worms A worm s mission is to replicate and spread itself from one computer infected with the worm to the next, to the next again and so on. What better and easier way can there be to travel from computer to computer than the Internet? What better and easier way to use the Internet for traveling can there be than to hop on an ? Attachments This is why worm usually come as attachments to messages. But how do they go as attachments to messages? They need to find a way to be sent on. Trojan Horses One apparent strategy is to make the recipient send me to their friends. To achieve this, I need to be attractive. There needs to be something in me for the recipient, the best choice probably being fun. Thus I am quickly becoming a Trojan horse -- a malicious program inside a harmlesslooking piece of software. People would open the attachment to have a look, find it amusing and send it on to their friends. This is how a worm can spread and travel with minimal programming effort. Real Worms Of course, such a trojan horse does not spread very fast and probably not very far. It depends on both people opening the attachment and finding it attractive enough to send it to their friends or colleagues. Life as a worm would be much easier if at least the second step could be automated. Fortunately, the first step -- opening the attachment -- is very difficult to automate. This is an important fact and we'll get back to it later.

4 In order for programs to be able to interact, they often offer a so-called API (Application Program Interface). Via such an interface, any program can make a certain software do something. For example, you can make Word open a text document, or a Web browser go to a specific URL, or make an program send a message -- make an program send a message? Isn't that exactly what we need? You bet it is. Via the MAPI (Mail Application Program Interface) -- a Microsoft development -- it is possible to have an program perform a number of tasks. The most important for us worms are the possibility to access the address book, to create messages with attachments and to be able to send them immediately. As a worm we'd choose Microsoft Outlook to perform these tasks. Outlook is usually used in a corporate environment, and bringing corporation's computer down and rendering a company's computing infrastructure -- and thus often the company (showing how dangerously dependent we have become on computers and networks is what we are really after) -- useless is the most fun.

5 How to Avoid Spreading Worms Now that we know what worms do to spread themselves via , the measures we can take to avoid serving as a welcome sender to the worm are apparent. Not Using Specific Software If the worm uses specific software to travel it is unlikely we help spreading the virus if we do not use the software it exploits. As Microsoft Outlook is often used by authors of worms, not using this program is probably useful. In corporate environments, this is often no option, however. And if nobody uses Outlook, worms will certainly find another, popular client to exploit. Roughly the same applies to not using Windows as an operating system. So not using specific software does not look like the best way to avoid worms, but it may still be very useful for some. Not Opening Attachments If worms are generally attachments, they have no chance of doing anything malicious or replicating themselves if they are not executed. The code that may be hidden in attachments gets

6 executed when the attachment is opened. No attachments opened, no worms replicated. It's as easy as that. To not open any attachments of course is no option, so our strategy becomes to not open certain attachments. In former times, when viruses were sent manually, it was good advice not to open anything coming from a stranger. Yet, as today's worms pick their recipients from somebody's address book the senders are likely to be (very well) known. So it's generally a good idea not to open attachments that you did not ask for. If you get something you have never requested (which might happen more often than not), ask! If the sender has not consciously sent you the attachment, it's almost certainly some kind of worm. But even if the sender has sent you the pretty, funny, hilarious, shocking attachment, you're in danger. But you're "merely" in danger of getting your computer infected with a virus, not in danger of falling victim to a worm. Lucky you! Being careful with all kinds of attachments, especially those you never asked for, is, in general, a good strategy to avoid spreading worms.

7 More, Even Better Strategies Making Digital Signatures Mandatory The best strategy against anything trying to spread itself via is to make digital signatures mandatory. Unfortunately, it is also probably the most difficult strategy to realize. A digital signature verifies that something is coming from a certain person and that they sent it consciously, just like an (analog?) signature does. Worms, or any program for that matter, cannot create a digital signature for an . They cannot do it without the user. This is not a theoretical impossibility, but for now it certainly is a practical one. I see danger in programs mimicking the behavior of software like PGP, however. This is the way passwords necessary to create a signature automatically may be "stolen". Still opening s that carry a valid signature only is an almost perfect strategy against worms. It is, unfortunately, not perfect against viruses, as somebody may very well sign a message with an attachment containing a virus (whether they know that or not). Using Anti-Virus Software Not my favorite solution to worms, but still a very useful one is anti-virus software. Installing any good virus-checker and keeping it up to date is a good means of avoiding both infection with viruses or Trojan horses and spreading worms. This is especially true if you are an administrator and know your users are a bit careless (or -- "stressed"; there's nothing wrong with being careless). Since they would not care to update their virus descriptions, you have to do that too, of course. Even if you do not have anti-virus software installed, their Web sites are real mines for virus information. Check them frequently to find out about hoaxes and real threats, and what to do about them -- even if you do not own the specific anti-virus program.