Dealing with spyware and viruses

From Ganfyd

Criminal activity using Internet access to other people's computers has increased in recent years and has been vertically and horizontally integrated, following sound business and software design practices on the part of the criminals. "Malware" from this source, and also from arguably non-criminal sources has increased greatly, almost all of it targeted on Windows users.

So the problem with a computer that is running slowly or crashing often could well be a number of things, including old or damaged hardware, or - more often these days - unwanted and dangerous software ("malware") running on your computer.

There are several healthcare analogies. Prevention is better than cure. Environment can be important, with exposure being a risk/benefit balance. Host factors can make infections harder to establish. Treatment is not risk free.

  • Internet connecting software such as browsers and email clients and human nature are exploited to get most spyware or viruses on to your computer
  • Out of date software and operating systems are easier to exploit (exceptions of course exist). Update regularly, remembering to back up first
  • Internet Explorer, Outlook and Outlook Express appear to have a higher absolute risk and potentially a higher relative risk than alternatives presently
  • Microsoft Windows systems require a functioning
  • Given risks of zero day exploits, updates making systems unusable and hardware failure consider having a clone


Microsoft Windows

One of the biggest considerations is the program you use to browse the web or read your email, as these interact with a dangerous world. Unless you are confident enough that you don't need to be reading this, you are advised to strongly consider not using Internet Explorer, Outlook or Outlook Express as your first-line programs for the web and email. Faults in these programs tend to be exploited rapidly, and appear to have a higher absolute risk than other software. Alternatives are Firefox, Chrome, Edge and Thunderbird. This advice may not be relevant to computers owned by others, which can need Microsoft-sourced software for corporate reasons. On such a computer that you cannot administer yourself, it may be consistent with your corporate IT policy to run Firefox and Thunderbird from a pendrive (http://www.portableapps.com). Please take care on this point, as corporate IT policies in health-related fields could well ban attaching hardware or using software not approved by the organisation. Trojans and viruses have been introduced into systems from USB sticks, and it is fairly easy for a skilled systems administrator to identify retrospectively the footprints of actions that contravene an organisation's IT policy.

Consider quarantine. Virus checkers may take a week or more to update to the latest risks, so for risky downloads you may wish to quarantine the file for a good few days and run a manual scan on it, after updating your virus checker database, before executing it.
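A small quarantine helper illustrating the practice above, added here as an example and not part of the original page: it moves a download into a holding directory, strips execute permission, records a hash, and refuses release until a hold period (assumed here to be five days) has elapsed and the file is unchanged. The scan itself is left to whatever virus checker you run once its database is updated.

```python
# Added example (not from the Ganfyd page): minimal download quarantine.
# Assumes a local quarantine directory; HOLD_DAYS is an assumed value.
import hashlib
import shutil
import time
from pathlib import Path

HOLD_DAYS = 5  # "a good few days"; assumption, adjust to taste


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(download: Path, qdir: Path, now: float = None) -> Path:
    """Move a fresh download into qdir, drop execute bits, record hash and time."""
    now = time.time() if now is None else now
    qdir.mkdir(parents=True, exist_ok=True)
    held = qdir / download.name
    shutil.move(str(download), str(held))
    held.chmod(0o600)  # owner read/write only: no execute bit, no other users
    meta = qdir / (download.name + ".meta")
    meta.write_text(f"{sha256_of(held)} {now:.0f}\n")
    return held


def release_allowed(held: Path, now: float = None,
                    hold_days: int = HOLD_DAYS) -> tuple:
    """(ok, reason): ok only if the hold has elapsed and the file is unchanged."""
    now = time.time() if now is None else now
    meta = held.with_name(held.name + ".meta")
    if not meta.exists():
        return False, "no quarantine record"
    recorded_hash, recorded_time = meta.read_text().split()
    if sha256_of(held) != recorded_hash:
        return False, "file changed while in quarantine"
    if now - float(recorded_time) < hold_days * 86400:
        return False, "hold period not yet elapsed"
    return True, "hold elapsed; scan with updated definitions before executing"
```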

Apart from that, you should have certain programs on your computer to keep it running healthily. The most important ones fall into one of the following three groups:

Prevention

Ensure security updates are applied, especially for software such as your operating system, email client and browser that interact electronically with the wider world. While what are termed "zero day" exploits do exist, every bit helps. Indeed security updates can be considered essential on Windows, the Apple Mac and Linux/Unix, with multiple examples of major security compromise due to exploitation of known bugs. All these operating systems have had major flaws addressed in the last few years, but more are sure to exist. Some operating systems are much more secure out of the box than others. Most modern operating systems are reasonably secure on standalone boxes (computers isolated from electronic input), but of course if access is allowed, the security can be broken. Encryption of the entire file system can help prevent some sorts of unwanted access.

Antivirus Software

This is absolutely essential for computers running Microsoft Windows or MS-DOS operating systems, but might be considered irrelevant for those running Unix or Linux, including the Apple Mac, unless they are mail-servers for other machines using Windows. However, please see below. Anti-virus software may be out of date at start-up. Commercial anti-virus software competes with free equivalents which most users describe as being just as good, or sometimes even better. It is important also to be aware that there are a significant number of Trojans which masquerade as anti-virus or anti-spyware software.

Of course, don't forget the open-source antivirus (now available for Windows) ClamAV.

There are some issues with Antivirus Software such as the potentially disastrous false detection of key files.

Firewall

The concept of a "firewall" is that of perimeter defence. The idea is that a good perimeter defence prevents external attacks and guards against unauthorised removal of data from inside the perimeter to the outer world. Obviously, if your attacker (e.g. a Trojan) is already within the perimeter, this will be substantially less effective. A firewall is pretty well essential for any computer going on the internet. It prevents people and programs on the internet from having free access to your computer whenever you have your modem plugged in. This is because, in effect, the network is a specialised hardware bus (port) connecting the components of your computer with other hardware components on an attacker's computer. Sniffer packets to identify computers with open ports are being sprayed out at random, nowadays usually from other compromised computers. Until quite recently, Microsoft Windows was lacking in a firewall. This has had to be addressed. Smoothwall is another option for those who require additional security for a home network. Smoothwall is a customised distribution of Linux specifically designed for securing a private network. IP Cop is a related project, which has some advantages over Smoothwall, at the cost of being more tricky to set up. Either of them can be run on a low-specification PC, typically one which has been retired from the desktop.

There are some issues with Firewalls.

Spyware Protection

Spyware protectors usually protect against a miscellaneous group of malware, and can be very important for the security of your computer. However, take care, as some have proved to be malware, and Windows 10 and standard anti-virus packages can be as effective as some of them.

Curing an infection

This may be trivial, as you may be lucky with your antiviral software or anti-spam software. It often is not, and the options include:

  1. Testing the market, as some software will be better than others in clearing up the computer. May work.
  2. Going back to a restore point before the infection was established. Will not work with root kits unless you choose the ultimate restore point...
  3. Reinstall operating system
    • Best if done on a completely new disk with old disk stored away until safe to access (never safe if you boot from old disk, as this will tend to transfer infections to new disk)
    • Access safely proven non-infected data from your old disk
      • Linux generally recommended for this step via either new install or a CD-bootable install
    • Best if you move to a non-windows OS at same time (consider dual boot)
    • A Windows reinstall prior to Vista might best be done disconnected from the internet until you need to connect, although a router only allowing connection to Microsoft update (set up from say another box) is a reasonable option.
  4. Buying a new computer and transferring proven non-infected data from old

Safe data

If the virus infection has been quite malignant, much of the information on your old disk is suspect. This can include basic files used in initial booting, which may refer to files totally hidden from operating system view (root kit), or files activated as part of the boot process that now carry a payload that reinfects. Any Windows application may now be suspect (eg *.exe, *.pif, *.ws, *.bat and *.dll files), as may script program files (eg *.vb, *.js, *.jar), Windows Office files (eg *.doc) through macros (script programs included in the file), and even, rarely, certain image files (eg *.jpg) and document files (eg *.pdf).

In general it is possible to convert much data from, say, Windows Office binary files to a text-based format (care with *.rtf, as it may not be truly converted) without macros. Such conversion is possibly safest done for free using LibreOffice or OpenOffice (OOo) in Linux, although LibreOffice/OOo on Windows will do the job; it most certainly must not be done by reading the original Windows binary file using a Microsoft Office application.

Some generalisations on likely infection risk of files

  • If you downloaded and executed an application that you should not have (after disregarding any computer generated warnings) the infection might be very deep with keyboard readers, root kits and self regenerating infections being all too common
  • Standard Windows programs and file formats increase infection risk as they are common, well understood and tend to obscure the infection in non text based formats
  • Text based file formats can transfer infection. Some of the safety is the assumption that you can inspect them yourself. XML formats (such as HTML) used for macros and scripts need to be inspected before you transfer them in from an infected system.
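A triage routine for files recovered from a suspect disk, added here as an example and not part of the original page. It sorts files into the classes the page describes (executables and scripts to leave behind, Office documents to convert first, text and markup to inspect by eye) using the page's extension lists; the check for a `vbaProject.bin` entry inside an Office 2007+ zip container, and the mismatch test for a `.docx` that is not actually a zip, are added details, and the extra extensions beyond the page's list are assumptions.

```python
# Added example (not from the Ganfyd page): triage recovered files by risk.
# Extension lists start from the page; entries marked "added" are assumptions.
import zipfile
from pathlib import Path

EXECUTABLE = {".exe", ".pif", ".ws", ".bat", ".dll",   # from the page
              ".com", ".scr"}                           # added
SCRIPT = {".vb", ".js", ".jar",                         # from the page
          ".vbs", ".ps1", ".wsf"}                       # added
LEGACY_OFFICE = {".doc", ".xls", ".ppt", ".rtf"}        # binary/RTF: convert first
OOXML = {".docx", ".xlsx", ".pptx", ".docm", ".xlsm", ".pptm"}  # zip containers
MARKUP = {".html", ".htm", ".xml", ".svg"}              # may carry scripts
TEXT = {".txt", ".csv", ".md"}                          # still inspect by eye


def ooxml_has_macro(path: Path) -> bool:
    """Office 2007+ files are zips; a VBA project is stored as vbaProject.bin."""
    with zipfile.ZipFile(path) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def triage(path: Path) -> str:
    """Return a short verdict for one file recovered from the old disk."""
    ext = path.suffix.lower()
    if ext in EXECUTABLE:
        return "do-not-transfer: executable"
    if ext in SCRIPT:
        return "do-not-transfer: script"
    if ext in LEGACY_OFFICE:
        return "convert-first: legacy office format, macros not inspectable here"
    if ext in OOXML:
        if not zipfile.is_zipfile(path):
            return "suspect: extension does not match content"
        if ooxml_has_macro(path):
            return "do-not-transfer: office document with embedded macro"
        return "convert-first: office document without macro"
    if ext in MARKUP:
        return "inspect: markup may carry scripts"
    if ext in TEXT:
        return "inspect: plain text"
    return "unknown: treat as suspect"
```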


Unix and Unix-like operating systems

The Unix operating system was designed from the start, like main-frame computer operating systems and unlike Microsoft MS-DOS and Windows, as a multi-user operating system. With the expectation of multiple users on a single computer the necessity of protecting each user against accidental or deliberate effects of another user's actions required and resulted in an operating system designed from the outset to be secure.

The result is that the systems based on Unix or a recreation of Unix including BSD, Linux and the BSD/Darwin underpinnings of OS/X are intrinsically much less prone to exploitation. This does not rule out mistakes and idiocy, but does mean bigger mistakes and greater foolishness are required to let the enemy in, and once in the ability to cause harm is more limited.

Apple Macintosh OS/X

"Huh? Why are you here? You don't need this stuff." Although this has historically been the case, this has a lot to do with criminals preferring the "low hanging fruit". As Macs increased in popularity, their known vulnerabilities also increased. Macs definitely have had some significant vulnerabilities and trojans exist out there to exploit them. They are less secure than some iOS devices due to mainly hardware constraints.

GNU/Linux or *BSD

You already know you don't need this stuff. Well, increasingly this is not the case. Historically, this is partly due to criminals preferring the easier targets but also because of good security design out of the box. Increasingly now you need applications such as AppArmor, and to use distributions that allow you to sandbox the user who accesses email and the internet. However, not all distributions maintain this security, as has been found with Android. No system can be 100% secure against hacking, however well designed. Servers tend to be more targeted, as they declare themselves to the net. For a review of Linux and Unix exploits see Radatti PV. Computer Viruses In Unix Networks.

But... In case you're paranoid (or running a mailserver), there are antivirus options available for Linux, including Panda Freeware and ClamAV. Sophos antivirus is an excellent commercial product.

Firmware

Unhappily, it is also possible to exploit firmware. Some such exploits will be impossible to protect against, as they bypass OS protections, and they can be problematical in parallel virtual environments where a more easily exploitable OS sits next to an OS that is hard to exploit: the first OS can give access to the firmware faults and, through them, to the host OS controlling the virtual OS. The microcode of some modern processors is very complex and so hard to debug, but more problematical is that firmware often uses stripped down and easily outdated versions of Unix/Linux.

Hoaxes

There are many stories circulating on the internet about computer viruses and other risks. Many of these are hoaxes. Bandwidth is wasted if these stories are forwarded to others.

If you receive a scary message about computer viruses it's a good idea to check whether it's a hoax, and the following web sites are good places to start: