Malware
From HelpDeskWiki
Malware, short for "malicious software", is any software installed on a computer that its owner would not want if they knew it was there, or if they fully understood what it does and what its consequences are. The main types of malware are viruses, spyware, adware, browser hijackers, rogue toolbars, trojan horses, worms, and dialers. Most people, and even journalists, use the term "virus" loosely for almost all forms of malware.
If you are in a corporate environment or a business of larger than trivial size, there will normally be an IT (information technology) person or team that will take care of malware prevention and removal; do NOT attempt to make any significant changes without their approval. Depending upon the environment, you may not even be able to make changes, which is good; if you can't make changes, it's much harder for malware to do anything either.
Unfortunately, incorrect information, legends and myths, hysteria, and outright hoaxes about malware have cost people and companies more time, money, and peace of mind (even mental stability) than all actual malware attacks combined. (In case you or an acquaintance are suffering from virus hysteria, you can get good antidotes here (http://www.tourbus.com/vp101.htm) and here (http://www.vmyths.com/).) Before forwarding any "virus" warning to anyone (especially mailing lists!), first check here (http://www.vmyths.com/), here (http://www.f-secure.com/virus-info/hoax/), here (http://www.scambusters.org/legends.html), and here (http://www.snopes.com/) to make sure you are not wasting other people's time and upsetting them for no reason. (In case you're interested in urban myths and legends, here (http://www.scambusters.org/legends.html) and here (http://urbanlegends.about.com/) are other related sites.) A classic and very common worst case of real damage caused by a hoax is a hospital's switchboard or email address being swamped by thousands of people complaining or asking about a hoax that names the hospital.
Definitions
- A trojan horse is a malicious program that is hidden inside a program that seems innocuous and is often free. The name refers to the Greek legend of the Trojan Horse (http://en.wikipedia.org/wiki/Trojan_horses).
- A virus is a program that attaches itself to another program (its host) so that it runs whenever the host runs. Usually the virus does this by hiding its own code inside the host file. Viruses spread to other computers when their host programs are copied there. There are five (http://www.virus.org/subjectview-2.html) recognized types of computer viruses.
- A worm is a self-contained program that spreads itself to other computers over the network, usually by taking advantage of security holes, and does not need a host program or any action by the user.
- A spyware program is one which, after being installed on a system, collects information about the computer and the user without the knowledge or permission of the user. This information is often then sent to another system. Spyware can be manually installed or can be distributed using worm or virus techniques. Some spyware is installed as part of another program and may be mentioned in the "fine print" of the legal agreement for the main application.
- An adware program is one which displays advertising to the user. Some programs use direct advertising to pay for their development, but in the cases that cause the most problems, the advertising IS the application. Such advertising applications often create problems such as many popups appearing so that the computer is difficult to use, subverting the normal usage of Internet Explorer, or destabilizing the system. Adware, by accessing data across the Internet, also increases the attack surface of the computer. "Legitimate" adware tells the user clearly that the program is supported by advertising and almost always gives the user the option of purchasing a non-adware version. Removal of the ad-displaying portions of an application without removing the entire application may be a violation of the user agreement. "Non-legitimate" adware, the type that makes "adware" a derogatory term, generally pops up the advertising unexpectedly, replaces existing advertising on web pages, often installs without user knowledge or intervention, and is often difficult to remove, among other techniques that are generally considered improper and antisocial.
Some trojan horses, viruses, worms, and spyware provide remote control capabilities, allowing the victim's computer to be actively spied upon or secretly used to attack other computers. This is what is behind many Distributed Denial of Service (DDoS) attacks: thousands of unknowingly compromised computers ("zombies") belonging to ordinary, honest people are directed to access one specific web site or computer at the same time, overloading the system, web site, web host, or even the Internet backbone provider.
At present, antivirus software is used to block, catch, and remove viruses, worms, and sometimes trojan horses, while anti-spyware software is used to block, catch, and remove spyware, adware, and sometimes trojan horses. Trojan horses are still a less common threat, but they can be very difficult to remove, and there are specific anti-trojan horse programs. Much malware nowadays is "blended", so that it uses a variety of methods to spread, and offers a variety of threats. For example, spyware and adware are often installed on a system without the user's knowledge, via security holes.
Malware symptoms
Much malware is poorly written, so it may cause unintended side effects. Sometimes the side effects are worse than the "payload", the intended effects.
Malware can cause corruption of files, sluggishness, unexpected error messages, can send emails out without your knowledge, or even directly attack other computers, among many other things. In some cases, users will not know until someone else tells them, and sometimes even then they will not believe it. In other cases, the system is so glutted with malware that it is unusable, and even highly-experienced techs have difficulty making any headway with cleanup efforts.
Malware blocking and avoidance
Most malware can be avoided by following some common-sense safe computing, safe browsing, and safe email tips, so that you rarely become a target of malware. The three most important common-sense rules, which ensure safe computing perhaps 99% of the time, are the following:
1) Open an email attachment only if you trust the sender, the sender told you in advance that it was coming, and you have first manually updated your antivirus program. (Infected computers of friends attach malware without the friends' knowledge, and new malware spreads so rapidly nowadays that your antivirus program may not know about the threat yet even if you just updated it.)
2) Never install anything when invited or pressured to do so by a popup that appears of its own accord. Press Alt+F4 to get rid of it; the X in the corner of such a popup often does the same as clicking OK! Install only if you were already in the process of installing something you know to be trustworthy and that is what generated the popup. (The only exception is when your browser says it needs a missing element, but even then it's usually best to ask someone first if you're not sure whether the request is legitimate.)
3) Use Firefox (http://www.mozilla.org) or Opera (http://www.opera.com) or another safe browser (not ones based on IE like ?) instead of Internet Explorer. Use Internet Explorer only if you can't avoid it, and only if it has been hardened (http://www.local.nu/HelpDesk/index.php?title=Fixing_Internet_Explorer) against drive-by downloads. The U.S. government's Computer Emergency Readiness Team (US-CERT) has advised against (http://www.eweek.com/article2/0,1759,1617931,00.asp) use of Internet Explorer because of flaws for which no patch was available (http://www.internetnews.com/security/article.php/3374931). And don't use programs like Outlook or Outlook Express at all: they use Internet Explorer's engine to render email, and unpatched versions have run attachments automatically even when you did not open them (http://aroundcny.com/technofile/texts/vir100501.html).
It should be fairly obvious that p*rn and w*rez (names edited to avoid being indexed by search engines) sites are NOT good to visit if you want your system clean, but if you are the type of person to want to visit that type of site, then this warning will do little good.
Unless a computer has no access to the outside world at all, it is impossible to completely avoid contact with malware. Most malware can, however, be blocked, so that it is harder for it to get onto the system, and if it does get onto the system, infection will not occur even though the file(s) containing the malware may still be present. Most malware is blocked by keeping security patches up to date and by configuring programs to do only what you want, and no more: turn off functionality that you don't use, and uninstall any programs that you no longer use.
For more specific details, see the article malware blocking and avoidance.
Malware detection and removal
In case you have an emergency and need help, this (http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction) is a good place to start. The present wiki's Windows cleanup page has a list of more detailed steps to take to clean up a system and hopefully get it running smoothly, including instructions on removing viruses, spyware, and other malware.
There are a large number of programs which detect and remove malware. Note that some of the vendors who claim to offer such solutions, especially for removing spyware and adware, are unscrupulous, claiming to detect problems that don't exist, installing their own malware, or refusing to uninstall without payment. Thus, it is important to check (http://www.spywarewarrior.com/rogue_anti-spyware.htm) that vendors have a good reputation before dealing with them. In the case of spyware and adware removal, it is however much easier to simply avoid all except trustworthy (http://www.spywarewarrior.com/rogue_anti-spyware.htm#trustworthy) antispyware programs.
For most normal users, it is enough to scan and clean the computer with an antivirus program about once a month, with an antispyware program about once a week, and with an antitrojan program if the first two say that they did not succeed in deleting something they discovered (or if the user notices that problems continue to exist despite the first two claiming the computer is clean).
The main reasons most antivirus programs often can't remove trojans and some other malware are that the malware is running (and its files are therefore locked and "protected") and/or that copies of it sit in temp(orary) folders or in System Restore snapshots, which the scanners cannot clean. It's a sign of the lack of professionalism in the whole security industry that most security programs don't tell you what to do when they fail to remove malware. Usually it's enough to empty the temporary folders, turn off System Restore (temporarily), and then run the scanners in safe mode (tap F8 about once a second while the computer restarts).
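The three preparation steps above (empty temporary folders, turn off System Restore, boot into Safe Mode), plus the steps to undo them afterwards, as an added PowerShell example. This is not code from HelpDeskWiki; it assumes Windows Vista or later (which uses bcdedit rather than the F8 key to select Safe Mode), Windows PowerShell 5.1 (where Disable-ComputerRestore and Enable-ComputerRestore are available), and an elevated (Administrator) prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not HelpDeskWiki code. Prepares a Windows PC so that
# anti-malware scanners can actually remove what they find:
#   1) empty the temp folders,
#   2) turn off System Restore temporarily (drops infected snapshots),
#   3) make the next boot a Safe Mode boot, scan, then
#   4) reverse steps 2 and 3 and create a clean restore point.
# Assumes Windows Vista or later and Windows PowerShell 5.1.

function Clear-TempFolders {
    # Malware often unpacks into these folders; emptying them first removes
    # files that a scanner would otherwise skip or fail to delete.
    $folders = @($env:TEMP, "$env:SystemRoot\Temp")
    foreach ($folder in $folders) {
        if (Test-Path $folder) {
            Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue |
                Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
            Write-Host "Emptied $folder"
        }
    }
}

function Disable-RestorePointsTemporarily {
    # Scanners cannot clean inside System Restore snapshots, so an infected
    # snapshot would re-infect the machine on a later restore. Turning restore
    # off discards the snapshots; re-enable it after cleanup.
    Disable-ComputerRestore -Drive "$env:SystemDrive\"
}

function Set-NextBootSafeMode {
    # Equivalent of tapping F8 on older Windows: the next boot enters
    # Safe Mode (minimal), where malware's autostart entries do not run
    # and its files are no longer locked by a running process.
    # The braces must be quoted, or PowerShell treats {current} as a script block.
    bcdedit /set '{current}' safeboot minimal | Out-Null
}

function Clear-SafeModeBoot {
    # Return to normal boot once the scan in Safe Mode is finished.
    bcdedit /deletevalue '{current}' safeboot | Out-Null
}

function Enable-RestorePointsAgain {
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    # Give the now-clean system a known-good restore point.
    Checkpoint-Computer -Description "Post-malware cleanup" -RestorePointType "MODIFY_SETTINGS"
}

# Usage (run each line by hand, from an elevated prompt):
#   Clear-TempFolders; Disable-RestorePointsTemporarily; Set-NextBootSafeMode; Restart-Computer
#   ... log in to Safe Mode and run the antivirus / antispyware scans ...
#   Clear-SafeModeBoot; Enable-RestorePointsAgain; Restart-Computer
```

Leave the scanners themselves to do the scanning; the point of the script is only to get the malware out of its hiding places (temp folders, restore snapshots, a running process) before they run. Do not forget the final step: a machine left with the safeboot value set will keep booting into Safe Mode.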
In highly secure organizations, the treatment for any malware infection is to wipe the hard drive and reinstall everything from scratch. While this has the obvious disadvantage of losing all data since the last backup (if there is one), it has the advantage that the system can be confirmed clean, without any possibility of the system remaining infected by something that looks like a known variant but is actually a new variant with unknown capabilities, or worse yet, still infected by something that is not yet detected by the scanners.
Regular shops and users working on badly infected systems should seriously consider backing up all data, scanning the backed-up data to ensure that it's clean, wiping and reinstalling the hard drive(s), restoring the data, and then reconfiguring for tighter security against malware.
For some manufacturers of anti-spyware/adware programs and issues concerning them, see anti-spyware software.
For some manufacturers of other anti-malware programs (including anti-virus, anti-trojan, and anti-worm programs) and issues concerning them, see anti-virus software.
Offensive material and "warez"
Two categories that are closely related to malware are offensive material (such as pornography) and "warez". Warez is pirated, illegally distributed software; much of it contains viruses and trojan horses. Implementing the steps above and in the malware blocking and avoidance article will stop nearly all accidental exposure to pornography or warez. For more on blocking offensive material, see the Blocking offensive material article.