C/IL 102   Computing & Information Literacy
Notes about computer Malware

Acknowledgement: Much of the material in this document is based upon the Wikipedia entry on Malware and several entries reachable therefrom.

Malware

Malware (which is a contraction for "malicious software") is "software designed to infiltrate or damage a computer system without the owner's informed consent".

This covers a variety of hostile, intrusive, and/or annoying categories of software that are commonly referred to as viruses, worms, trojan horses, rootkits, spyware, adware, and ransomware.

The earliest examples of malware (which go back to at least 1988 and the infamous Internet Worm) were simply experiments or pranks (some instigated by teenagers wanting to prove themselves to be computer "whizzes") that were meant to be, at worst, annoying, rather than to cause any serious damage.

More recently, however, the typical motives for purveyors of malware are either purely malicious or to make (or steal) money.

Among the destructive actions that malware can take is to delete or corrupt data that resides on a storage device (e.g., hard disk).

Another use of malware is to turn a computer into a zombie, meaning one whose processing and/or storage capabilities are being used (surreptitiously) by an unauthorized party to perform unauthorized actions. Examples of how zombies are used include

The category of malware known as spyware (also called privacy-invasive software) monitors the computer user, keeping track of things such as which web sites the user visits or even recording every keystroke the user makes, and possibly sending (some of) this information back to the source.

Why? So that the unscrupulous people behind the spyware can mine the data to obtain credit card numbers or user id's and passwords that allow access to web sites where private information (such as bank account records) could be found or where they could commit theft. Or, somewhat less malevolently, to collect data about the user's preferences (in terms of consumer products) either for marketing purposes or to make personalized pop-up advertisements appear as the user is working.

Ransomware is a class of malware that restricts access to the computer that it infects, demanding a ransom be paid in order for the restrictions to be removed.

Viruses and worms are the best-known types of malware, and what distinguishes them from the others is that they are able to self-replicate.

A computer virus is a small piece of (executable) software that gets "attached" to ("embedded within" is probably more accurate) another (typically, legitimate) program. (A program that has a virus embedded within it is said to be infected.)

When an infected program is executed, the embedded virus (which itself gets executed) searches for one or more other programs (typically on the same storage device as the infected program) to infect, and does so. In this way, each time an infected program is executed, the virus spreads to one or more others (on the same computer system).

A virus can spread from one machine to another if an infected program is downloaded from a web page or is e-mailed from one computer to another (and later executed). A clever way in which a virus can spread itself via e-mail is to form an innocuous e-mail message that includes as an attachment a copy of the virus itself (or some program infected with it) and then to send that e-mail message to one or more of the e-mail addresses that appears in the user's e-mail address book. Any recipient who, while reading her e-mail, allows the attachment to execute ends up with an infected computer!

Indeed, this ploy was especially effective in spreading viruses to machines running older Microsoft operating systems (e.g., Windows 95) because the standard e-mail program would open an attachment immediately rather than waiting for the user to do so explicitly (by clicking on it). If the attachment was an executable file containing a virus, this would cause the machine to become infected. This is a classic example of a security hole.

If viruses did nothing other than to spread from program to program, they would be doing little more harm than to waste storage space and processing time. But a virus usually also carries a payload, which is executable code that performs some other (usually malicious, or at least annoying) actions (such as deleting or corrupting data on a storage device, or displaying some kind of goofy message on the user's screen). Often, a virus is designed so that its payload lies dormant until some event triggers it. An example of a trigger is the arrival of a particular calendar date. Or the trigger could be based upon how many times the virus had been replicated, so that, for example, the 20th time it happens, the payload would be executed. If no trigger occurs for days or weeks after an infection, and hence the virus causes no visible "symptoms" during that period of time, it may be very difficult to determine its source.

A worm is much like a virus (indeed, for the purposes of this course it is not essential that you really appreciate the distinction), but it is more aggressive in terms of how it spreads: it actively transmits itself over a network in order to infect other computers on that network. (It, too, typically carries a payload.) It is able to spread by exploiting security holes that exist in operating systems and/or programs.

The existence of such security holes explains why it is a good idea to keep up-to-date with respect to Microsoft's Windows Updates. These updates are software patches that, at least in part, are for the purpose of plugging newly-discovered security holes.

A somewhat related topic is spam, which is unwanted e-mail, typically either for the purposes of advertising (e.g., penis-enlargement products have recently become all the rage) or phishing. In phishing, you get an e-mail that, seemingly, is from some reputable outfit, such as amazon.com, ebay, paypal, a bank, or a credit card company. It might tell you something to the effect that there have been attempts to break into your account, and that, as a result, some of your account's privileges have been suspended. It asks you to click on a link to get to the web site, where you can log in and straighten things out. But the web site to which the link takes you is phony (even though it may look legitimate) and it asks you to enter your user id and password (or credit card number). By doing so, you will have given this valuable data to unscrupulous people who may decide to use it to rip you off or "steal your identity".
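The phishing pattern just described (a message that claims to come from a reputable company, but whose link leads somewhere else) can be checked mechanically before anyone clicks. The following is an added example, written for these notes and not taken from any product or from the original text; it assumes the e-mail body is available as HTML, and it uses a deliberately crude notion of "domain" (the last two labels of the host name) rather than a proper public-suffix list. The sample message, the sender domain and the addresses in it are all constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation (assumption: no public-suffix list): keep the last two labels,
    so 'www.paypal.com' -> 'paypal.com' and 'paypal.com.evil.example' -> 'evil.example'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html, claimed_sender_domain):
    """Return [(href, visible_text, [reasons])] for links that do not match the claimed sender.

    Two checks: (1) the link's host is not under the sender's domain, and
    (2) the visible text looks like a URL but names a different host than the href.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable_domain(host) != claimed_sender_domain.lower():
            reasons.append(f"link goes to {host}, not {claimed_sender_domain}")
        shown = None
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"text shows {shown} but the link points at {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message imitating the e-mail described in the notes. The host
# names use the reserved .example domain and a documentation IP address (RFC 5737).
SAMPLE_EMAIL = (
    "<p>We detected suspicious sign-in attempts on your account. Please "
    '<a href="http://paypal.com.account-verify.example/login">log in</a> to restore access, '
    'or visit <a href="http://198.51.100.7/p/">www.paypal.com</a>.</p>'
    '<p><a href="https://www.paypal.com/help">Help centre</a></p>'
)

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "paypal.com"):
        print(f"[{text}] -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Running the block flags the first two links (the "log in" link goes to `account-verify.example`, and the second shows `www.paypal.com` as text while pointing at a bare IP address) and leaves the genuine help-centre link alone. The same idea, comparing the visible link with where it really goes, is what you do by hand when you hover over a link before clicking it.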

How does your computer get infected?

Infection occurs when a program executes and literally infects one or more of the programs already residing on the hard drive (or other storage device) by attaching a virus to them. From where would such a program come?

Two common sources are e-mail attachments and web pages. An e-mail attachment can be any kind of file, including one that contains a program (i.e., executable code). If it happens to be an infected program, and it is executed, it could infect others. Hence, be very wary about double-clicking on an e-mail attachment from an untrusted source, especially if it is indicated that the attachment is a file whose name ends with .exe, .com, or .vbs (as these are common suffixes of files containing programs). And keep in mind that even "trusted sources" should not be trusted too highly, for at least two reasons. One is that an e-mail that says it's from a particular source may actually be from someone else. (This is called address spoofing.) Another reason is that, as explained above, some viruses spread themselves by sending copies of themselves via e-mail attachments in messages sent to addresses in the infected computer's e-mail address book. Hence, if your friend's computer gets infected, the virus may send a copy of itself to you without your friend having any idea that it happened (even though the e-mail's return address is your friend's address).
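The suffix check the notes recommend doing by eye is easy to automate, and automating it shows the one wrinkle a reader should know about: a file name can carry more than one suffix, and only the last one decides what the operating system will run. The following is an added example written for these notes, not code from the original text or from any mail program; the list of executable suffixes extends the three named above with a few other Windows program types and is an assumption, not an exhaustive list.

```python
import posixpath

# The three suffixes named in the notes plus some other common Windows program-file
# suffixes. Assumption: illustrative list, not a complete one.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".vbs", ".scr", ".bat", ".cmd", ".pif", ".js"}


def risky_attachment(filename):
    """Classify an attachment name. Returns (is_risky, reason).

    Only the final suffix matters to the operating system, so "invoice.pdf.exe"
    is a program even though the name makes it look like a PDF document.
    Comparison is case-insensitive because Windows does not distinguish
    "Setup.EXE" from "setup.exe".
    """
    name = posixpath.basename(filename.strip())   # drop any path, trailing spaces
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] == "":
        return False, "no suffix"
    last = "." + parts[-1]
    if last in EXECUTABLE_SUFFIXES:
        if len(parts) > 2 and parts[-2]:
            return True, f"executable suffix {last} hidden behind .{parts[-2]}"
        return True, f"executable suffix {last}"
    return False, f"suffix {last} not in executable list"


# Constructed attachment names for the demonstration.
SAMPLE_ATTACHMENTS = [
    "holiday_photo.jpg",
    "Setup.EXE",
    "invoice.pdf.exe",
    "notes.vbs ",
    "README",
]

if __name__ == "__main__":
    for attachment in SAMPLE_ATTACHMENTS:
        risky, reason = risky_attachment(attachment)
        print(f"{attachment!r:22} {'RISKY' if risky else 'ok   '} {reason}")
```

Note that a clean verdict from this check means only that the name does not look like a program; it says nothing about the file's contents, which is why the notes still tell you to be wary of any attachment you were not expecting.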

Similarly, if you are browsing a web page and a pop-up window appears, be careful about clicking on any links/buttons there, as doing so may result in your machine becoming infected.

What can you do to combat malware?

Be careful what you click on, as pointed out above! Also, keep up-to-date anti-virus software running on your machine, as well as anti-spyware software. (Some anti-virus software includes protection against spyware, too.)

Unfortunately, detecting viruses is difficult, and even the best anti-virus software cannot detect all viruses. (In fact, it's theoretically impossible to do so!) It's important to keep anti-virus software up-to-date because such software typically works, at least in part, by scanning for known viruses, and new viruses appear often.
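To make concrete what "scanning for known viruses" means and why the signature database has to be kept current, here is an added example built for these notes; it is not code from any anti-virus product and the "files", "viruses" and signatures in it are all made-up byte strings. A signature database here holds two kinds of entries: the hash of a whole known-bad file, and a byte pattern that is shared by a family of infected files. The example shows that a hash only matches the exact file it was taken from, that a pattern also catches a slightly different copy, and that a family the database has never seen goes undetected until an update adds its signature.

```python
import hashlib

# Constructed sample "files" (byte strings made up for this example, not real programs
# or real malware). "MZ" is simply the first two bytes of a Windows executable.
SAMPLES = {
    "calc.exe":        b"MZ\x90\x00harmless calculator code\x00",
    "game.exe":        b"MZ\x90\x00game code\x00SAMPLE-VIRUS-A payload\x00",
    "game_v2.exe":     b"MZ\x90\x00game code v2\x00SAMPLE-VIRUS-A payload\x00",
    "screensaver.exe": b"MZ\x90\x00screensaver\x00SAMPLE-VIRUS-B payload\x00",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Version 1 of the made-up signature database: one whole-file hash (taken from game.exe)
# and one byte pattern for the same family. Family "B" is not known to it yet.
SIGNATURES_V1 = {
    "hashes":   {sha256(SAMPLES["game.exe"]): "Sample.A"},
    "patterns": {b"SAMPLE-VIRUS-A": "Sample.A"},
}


def scan(data, db):
    """Return (family, method) if a signature in db matches, otherwise None.

    The hash lookup is exact and cheap; the pattern search is a substring search
    over the whole file, which is what lets it match a modified copy.
    """
    digest = sha256(data)
    if digest in db["hashes"]:
        return db["hashes"][digest], "hash"
    for pattern, family in db["patterns"].items():
        if pattern in data:
            return family, "pattern"
    return None


def scan_all(samples, db):
    """Scan every sample file and map its name to the scan result."""
    return {name: scan(data, db) for name, data in samples.items()}


def updated(db, new_patterns):
    """Simulate an anti-virus update: a new database with extra patterns added."""
    return {
        "hashes": dict(db["hashes"]),
        "patterns": {**db["patterns"], **new_patterns},
    }


# The "update" that teaches the scanner about family B.
SIGNATURES_V2 = updated(SIGNATURES_V1, {b"SAMPLE-VIRUS-B": "Sample.B"})

if __name__ == "__main__":
    for label, db in (("database v1", SIGNATURES_V1), ("database v2", SIGNATURES_V2)):
        print(label)
        for name, verdict in scan_all(SAMPLES, db).items():
            print(f"  {name:16} {verdict if verdict else 'clean (no known signature)'}")
```

With database v1, `game.exe` is caught by its hash, `game_v2.exe` only by the pattern, and `screensaver.exe` is reported clean even though it is infected; only after the update does family B get detected. That gap between a new virus appearing and its signature being distributed is exactly the window that keeping the software up to date is meant to shorten, and it is also why no signature scanner can ever claim to catch everything.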

Another software tool for protecting yourself is the firewall, which is a program that monitors and filters the flow of data between computer networks. For the user of a PC or laptop computer, the purpose of a firewall is to prevent Internet intruders from gaining access to the user's data and programs.

The web site OnGuardOnline.gov has some good advice about how to secure your computer.