Malware from the Consumer Jungle

Editor's Notes

• #3: Malware: Software designed to infiltrate or damage a computer system, without the owner's consent and most commonly in the form of a virus, trojan, or spyware. 1-in-3 chance of suffering: Consumers have a 1-in-3 chance of suffering computer damage, financial loss, or both because of a computer virus or spyware that sneaks onto their computer. - 2005 Consumer Reports State of the Net survey of online consumers. In a nationally representative survey of more than 3,200 households with at-home Internet access, Viruses & Spyware Although American consumers invested more than $2.6 billion in protection software over the past two years, they still spent more than $9 billion for computer repairs, parts, and replacement to solve problems caused by viruses and spyware. Those problems were so extensive and so serious that they prompted almost 8 percent of all computer purchases by consumers during 2003 and 2004. - 2005 Consumer Reports State of the Net survey of online consumers. Source: “Net threat rising,” Consumer Reports, September 2005.
• #5: Spam : An unsolicited e-mail sent via bulk e-mail. Spamming is the abuse of any electronic communications medium to send unsolicited messages in bulk. While its definition usually extends to any unsolicited bulk electronic communication, some exclude from the definition of the term "spam" messages considered by the receiver (or even just the sender) to be targeted, non-commercial, or wanted. In the popular eye, the most common form of spam is that delivered in e-mail as a form of commercial advertising. However, over the short history of electronic media, people have spammed for many purposes other than the commercial, and in many media other than e-mail. Spammers have developed a variety of spamming techniques, which vary by media: e-mail spam, instant messaging spam, Usenet newsgroup spam, Web search engines spam, weblogs spam, and mobile phone messaging spam. Spamming is economically viable because advertisers have effectively no operating costs beyond the management of their mailing lists. Because the barrier to entry is so low, the volume of unsolicited mail has produced other costs which are borne by the public (in terms of lost productivity and fraud) and by Internet service providers, which must add extra capacity to cope with the deluge. Spamming is widely reviled, and has been the subject of legislation in a number of jurisdictions. Source: Wikipedia – The Free Encyclopedia, “Spam (electronic),” January 2006.
• #6: The CAN-SPAM Act of 2003 (Public Law No. 108-187, was S.877 of the 108th Congress), signed into law by President Bush on December 16, 2003, establishes the United States' first national standards for the sending of commercial e-mail and requires the Federal Trade Commission (FTC) to enforce its provisions. The acronym CAN-SPAM derives from the bill's full name: Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. Critics of the law's perceived weaknesses sometimes refer to it as You CAN SPAM. It also requires the FTC to promulgate rules to shield consumers from unwanted mobile service commercial messages. CAN-SPAM defines spam as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)." It exempts "transactional or relationship messages." The FTC has yet to clarify what "primary purpose" means; it has already delayed rule-making for this terminology. Previous state laws had used bulk (a number threshold), content (commercial), or unsolicited to define spam. The bill permits e-mail marketers to send unsolicited commercial e-mail as long as it contains all of the following: an opt-out mechanism; a valid subject line and header (routing) information; and the legitimate physical address of the mailer. a label if the content is adult If a user opts out, a sender has ten days to remove the address. The legislation also prohibits the sale or other transfer of an e-mail address after an opt-out request. Use of automated means to register for multiple e-mail accounts from which to send spam compound other violations. It prohibits sending sexually-oriented spam without the label later determined by the FTC of SEXUALLY-EXPLICIT. This label replaced the similar state labeling requirements of ADV:ADLT or ADLT. Labeling regulations for general spam will be commented on by the FTC this summer. CAN-SPAM pre-empts existing state anti-spam laws that do not deal with fraud. It makes it a misdemeanor to send spam with falsified header information. A host of other common spamming practices can make a CAN-SPAM violation an "aggravated offense," including harvesting, dictionary attacks, Internet protocol spoofing, hijacking computers through Trojan horses or worms, or using open mail relays for the purpose of sending spam. Source: Wikipedia – The Free Encyclopedia, “CAN-SPAM Act of 2003,” January 2006.
• #8: Virus: A program that can replicate itself and spreads itself by means of a transferable host. In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. Viruses are one of the several types of malicious software or malware. In a common parlance, the term virus is often extended to refer to worms, trojan horses and other sorts of malware, however, this can confuse computer users, since viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware. This confusion can have serious consequences, because it may lead to a focus on preventing one genre of malware over another, potentially leaving computers vulnerable to future damage. However, a basic rule is that computer viruses cannot directly damage hardware, but only software. A virus is a type of program that can replicate itself by making (possibly modified) copies of itself. The main criterion for classifying a piece of executable code as a virus is that it spreads itself by means of 'hosts'. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on a removable medium. Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with worms . A worm, however, can spread itself to other computers without needing to be transferred as part of a host. Many personal computers are now connected to the Internet and to local-area networks, facilitating their spread. Today's viruses may also take advantage of network services such as the World Wide Web , e-mail , and file sharing systems to spread, blurring the line between viruses and worms. Source: Wikipedia – The Free Encyclopedia, “Computer Virus” January 2006.
• #9: A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an infection, and the infected file (or executable code that is not part of a file) is called a host. The term "virus" was first used in an academic publication by Fred Cohen in his 1984 paper Experiments with Computer Viruses, where he credits Len Adleman with coining it. However, a 1972 science fiction novel by David Gerrold, When H.A.R.L.I.E. Was One, includes a description of a fictional computer program called "VIRUS" that worked just like a virus (and was countered by a program called "ANTIBODY"); and John Brunner's 1975 novel The Shockwave Rider describes programs known as "tapeworms" which spread through a network for deleting data. The term "computer virus" with current usage also appears in the comic book "Uncanny X-Men" No. 158, published in 1982. Therefore, we may conclude that although Cohen's use of "virus" may, perhaps, have been the first "academic" use, the term had been used earlier. The term "virus" is often used in common parlance to describe all kinds of malware (malicious software), including those that are more properly classified as worms or trojans. Most popular anti-virus software packages defend against all of these types of attack. Source: Wikipedia – The Free Encyclopedia, “Computer Virus” January 2006.
• #10: Most malevolent software won't infect your machine unless you open an e-mail attachment. So virus distributors use various tricks, which experts call "social engineering," to con you into clicking. A common way to draw you in is to have the e-mail come from a family member or friend. These illustrations show other basic types of tricks that have been used by well-known viruses and worms. Antidotes were developed for all of them. If you receive messages like these, delete them and run a virus check before doing anything else with the computer. Source: “How to outsmart computer viruses,” Consumer Reports, July 2005.
• #11: Macro : An invisible, embedded program that runs when Microsoft Word opens up a document. Here, the subject line includes the name of the sender, probably someone you know. The message itself tempts you to open the attached Microsoft Word document ("don't show to anyone else"). The attachment is a legitimate Word file--but infected with a macro, an invisible, embedded program that runs when Word opens the document. Source: “How to outsmart computer viruses,” Consumer Reports, July 2005.
• #12: Windows script : A rudimentary computer program that an intruder writes to run on your Windows operating system. If you aren't familiar with the way Windows names files, you can easily mistake the attachment's name, "LOVE-LETTER-FOR-YOU.TXT.vbs," for that of a harmless text file. In fact, the file's "vbs" suffix is the real one, which identifies it as a type of program known as a Windows script--a rudimentary computer program that an intruder writes to run on your Windows operating system. The suffix may be hidden entirely on your computer, thus appearing to be a type of file you'd willingly open, such as a JPEG image, MP3 music, or PDF document. Source: “How to outsmart computer viruses,” Consumer Reports, July 2005.
• #13: This example relies on a message so compelling--an offer to rid your computer of a virus--that it doesn't need to disguise the fact that the attachment is a program. Unfortunately, the program is a worm that sends itself to e-mail addresses it finds on your computer. Source: “How to outsmart computer viruses,” Consumer Reports, July 2005.
• #14: This example uses several tricks. The subject and message suggest that opening the attachment will take you to a web page containing party photos. The attachment's name resembles a web address, but there's no web site involved. This is actually a program that sends itself to your friends and colleagues. This particular intrusion was designed to tie up your e-mail; it could easily have been designed to destroy data. Source: “How to outsmart computer viruses,” Consumer Reports, July 2005.
• #16: Spyware : Malicious software that subverts the computer’s operation for the benefit of a third party. Spyware is a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party. Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, however, spyware is designed to exploit infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites. Source: Wikipedia – The Free Encyclopedia, “Spyware,” January 2006.
• #17: As of 2005, spyware has become one of the pre-eminent security threats for computers running Microsoft Windows operating systems. According to an October 2004 study by America Online and the National Cyber-Security Alliance, 80% of surveyed users had some form of spyware on their computer. Source: Wikipedia – The Free Encyclopedia, “Spyware,” January 2006.
• #19: Phishing: An attempt to fraudulently acquire confidential information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The email appears to come from a legitimate financial institution or business. Many of these schemes contain links to “look-alike” websites that are loaded with actual trademarked images. The websites then instruct consumers to “re-enter,” “verify” or “confirm” their personal information such as Social Security numbers, bank account or credit card numbers. Source: Wikipedia – The Free Encyclopedia, “Phishing,” January 2006.
• #20: The first recorded mention of phishing is on the alt.2600 hacker newsgroup in January 1996, although the term may have appeared even earlier in the printed edition of the hacker newsletter "2600 Magazine". The term phishing was coined by hackers attempting to "fish" for accounts from unsuspecting AOL members; ph is a common hacker replacement for f, and is a nod to an older form of hacking known as "phone phreaking." Source: Wikipedia – The Free Encyclopedia, “Phishing,” January 2006.
• #21: contain links to “look-alike” websites that are loaded with actual trademarked images. The websites then instruct consumers to “re-enter,” “verify” or “confirm” their personal information such as Social Security numbers, bank account or credit card numbers. Source: Wikipedia – The Free Encyclopedia, “Phishing,” January 2006.
• #22: Source: Wikipedia – The Free Encyclopedia, “Phishing,” January 2006.
• #23: Source: Wikipedia – The Free Encyclopedia, “Phishing,” January 2006.
• #24: Source: McAfee White Paper Report, “Understanding Phishing and Pharming,” August 2005.
• #25: Don’t get hooked. Consumers can use these tips to spot suspicious phishing email: Be skeptical of warnings that accounts will be shut down if you “confirm” your billing information. Don’t click on the link – contact the company directly using a legitimate telephone number or website. A legitimate company won’t ask for this information via e-mail anyways. Look at the “address bar” at the top of the browser; it is often a different domain name than the firm being represented.
• #26: Don’t email personal or financial information. Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization’s website, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins “https:” (the “s” stands for “secure”). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
• #27: Forward spam that is phishing for information to [email_address] and to the company, bank, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems. If you believe you’ve been scammed, file your complaint at ftc.gov , and then visit the FTC’s Identity Theft website at www.consumer.gov/idtheft. Victims of phishing can become victims of identity theft. While you can't entirely control whether you will become a victim of identity theft, you can take some steps to minimize your risk. If an identity thief is opening credit accounts in your name, these new accounts are likely to show up on your credit report. You may catch an incident early if you order a free copy of your credit report periodically from any of the three major credit bureaus. See www.annualcreditreport.com for details on ordering a free annual credit report. The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit www.ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad. Source: FTC, January 2006. Contact the legitimate company with information on the phishing scam.
• #29: Pharming : The exploitation of a vulnerability in the hosts’ file or DNS server software that allows a hacker to: acquire the domain name for a site and redirect that website’s traffic to another website for the purpose of gaining access to usernames, passwords, etc. Criminals can fool your computer into visiting websites that you don’t want to. The criminals are fooling your computer, not you. The end result is that you send private information to someone who isn’t legitimate. Pharming is the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the Domain name for a site, and to redirect, for instance, that website's traffic to another web site. DNS servers are the machines responsible for resolving internet names into their real addresses — the "signposts" of the internet. Every host on the Internet has a so-called IP Address which consists of four numbers, each between 0 and 255, which are separated by . (dots), for example "192.0.2.213". These IP Addresses are comparable to the telephone numbers on a telephone system. As it would be very difficult to remember these numbers, websites usually also have a domain name, for example "wikipedia.org". The domain name server acts as a "phone book" to associate the domain name of a website with its IP Address ("resolving the domain name"). If the web site receiving the traffic is a fake web site, such as a copy of a bank's website, it can be used to "phish" or steal a computer user's passwords, PIN number or account number. Source: Wikipedia – The Free Encyclopedia, “Pharming January 2006.
• #30: The use of virus or Trojan to modify the user’s ‘Hosts’ file. This file is left over from the early days of the Internet and is used to relate a web address (URL) to a specific machine address (IP address) and is a simple text file. The Pharming technique modifies this file to include the web address of well known banks and financial institutions with the IP address of the phishing site. So when the user opens the browser and enters the address of the bank, they get sent to the phishing site instead. No clicking on links in e-mails, etc. The second technique is equally sinister and again relies on an obsolete piece of functionality, this time implemented in DNS. DNS replaced the local hosts file as the mechanism for resolving a web address to a specific IP address. When a user enters an address, it is looked up in the DNS server; if that DNS server doesn’t know the IP address, it asks other DNS servers for the address and then gets the result. The problem is that part of the protocol allows extra information to be passed back as well. So the phisher sends and e-mail that contains a link to a website. When the DNS lookup for that address is done, this extra information is included with the URL of the bank, but directed at a phishing site. Source: McAfee White Paper Report, “Understanding Phishing and Pharming,” August 2005.
• #32: Trojan : A malicious program that is disguised as a legitimate program. A Trojan horse program has a useful and desired function, or at least it has the appearance of having such. In most cases the program performs other, undesired functions, but not always. The useful, or seemingly useful, functions serve as camouflage for these undesired functions. The kind of undesired functions are not part of the definition of a Trojan Horse; they can be of any kind, but typically they have malicious intent. In practice, Trojan Horses in the wild often contain spying functions (such as a packet sniffer) or backdoor functions that allow a computer, unbeknownst to the owner, to be remotely controlled from the network, creating a "zombie computer". Because Trojan horses often have these harmful functions, there often arises the misunderstanding that such functions define a Trojan Horse. Packet Sniffer : A software program that can intercept and log traffic passing over a digital network or part of a network. The basic difference from computer viruses is: a Trojan horse is technically a normal computer program and does not possess the means to spread itself. Originally Trojan horses were not designed to spread themselves. They relied on fooling people to allow the program to perform actions that they would otherwise not have voluntarily performed. Trojans of recent times also contain functions and strategies that enable their spreading. This moves them closer to the definition of computer viruses, and it becomes difficult to clearly distinguish such mixed programs between Trojan horses and viruses. Source: Wikipedia – The Free Encyclopedia, “Trojan Horse (computing),” January 2006.
• #33: The term is derived from the classical myth of the Trojan horse. In the siege of Troy, the Greeks left a large wooden horse outside the city. The Trojans were convinced that it was a gift, and moved the horse to a place within the city walls. It turned out that the horse was hollow, containing Greek soldiers who opened the city gates of Troy at night, making it possible for the Greek army to pillage the city. Trojan horse programs work in a similar way: they may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. Often the term is shortened to simply Trojan, even though this turns the adjective into a noun, reversing the myth (Greeks were gaining malicious access, not Trojans). Source: Wikipedia – The Free Encyclopedia, “Trojan Horse (computing),” January 2006.
• #34: Example of a simple Trojan horse A simple example of a Trojan horse would be a program named “FREEMP3.EXE" that is posted on a website with a promise of “free mp3 files"; but, when run, it instead erases all the files on the computer and displays a taunting message. Source: Wikipedia – The Free Encyclopedia, “Trojan Horse (computing),” January 2006.
• #35: Keystroke Logger: Software that captures the user's keystrokes providing a means to obtain passwords or encryption keys. Types of Trojan horses Trojan horses are almost always designed to do various harmful things. Examples are: erasing or overwriting data on a computer corrupting files in a subtle way spreading other malware, such as viruses . In this case the Trojan horse is called a 'dropper'. setting up networks of zombie computers in order to launch DDoS attacks or send spam . spying on the user of a computer and covertly reporting data like browsing habits to other people logging keystrokes to steal information such as passwords and credit card numbers phish for bank or other account details, which can be used for criminal activities. installing a backdoor on a computer system. Source: Wikipedia – The Free Encyclopedia, “Trojan Horse (computing),” January 2006.
• #36: Infected Programs: The majority of trojan horse infections occur because the user was tricked into running an infected program. This is why you're not supposed to open attachments on emails -- the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or worm . The infected program doesn't have to arrive via email, though; it can be sent to you in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk. Furthermore, an infected program could come from someone who sits down at your computer and loads it manually. Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of trojans and other pests, because it contains numerous bugs , some of which improperly handle data (such as HTML or images) by executing it as a legitimate program. Email: Email is vulnerable to many of the same problems that Internet Explorer has. The same vulnerabilities exist since email contains HTML and images just like a web browser. Direct Connection to the Internet: This allows data to be received by a computer without anyone requesting it. A firewall may be used to limit access to the internet from outside criminals. Firewalls are widely used in practice, and they help to mitigate the problem of remote trojan insertion via open ports, but they are not a totally impenetrable solution, either. Source: Wikipedia – The Free Encyclopedia, “Trojan Horse (computing),” January 2006.
• #38: Worm : A self-replicating computer program that is self-contained and does not need to be part of another program to propagate itself. Source: Wikipedia – The Free Encyclopedia, “Computer Worms,” January 2006.
• #39: The name 'worm' was taken from The Shockwave Rider , a 1970s science fiction novel by John Brunner. Researchers writing an early paper on experiments in distributed computing noted the similarities between their software and the program described by Brunner and adopted the name. Source: Wikipedia – The Free Encyclopedia, “Computer Worms,” January 2006.
• #40: Payload : Any action taken by a virus or worm other than merely spreading itself. The term is used for all intended functions, whether they actually work or not. In addition to replication, a worm may be designed to do any number of things, such as delete files on a host system or send documents via email . More recent worms may be multi-headed and carry other executables as a payload . However, even in the absence of such a payload, a worm can wreak havoc just with the network traffic generated by its reproduction. Mydoom , for example, caused a noticeable worldwide Internet slowdown at the peak of its spread. A common payload is for a worm to install a backdoor in the infected computer, as was done by Sobig and Mydoom . These zombie computers are used by spam senders for sending junk email or to cloak their website's address. Spammers are thought to pay for the creation of such worms, and worm writers have been caught selling lists of IP addresses of infected machines. Others try to blackmail companies with threatened DoS attacks. The backdoors can also be exploited by other worms, such as Doomjuice , which spreads using the backdoor opened by Mydoom . Source: Wikipedia – The Free Encyclopedia, “Computer Worms,” January 2006.
• #41: Backdoor : Method of remaining hidden on a computer while bypassing normal authentication and securing remote access to a computer. The main purpose of a backdoor is to allow an illegitimate user to gain control of your computer. At that point, they can do anything they want to with it. Source: Wikipedia – The Free Encyclopedia, “Backdoors,” January 2006.
• #42: Zombie Computer : A computer attached to the Internet that is under remote direction by an illegitimate user. A zombie computer (abbreviated zombie) is a computer attached to the Internet that has been compromised by a cracker, a computer virus, or a trojan horse. Generally a compromised machine is only one of many in a "botnet", and will be used to perform malicious tasks of one sort or another, under remote direction. Most owners of zombie computers would be unaware that their system was being used in this way. Source: Wikipedia – The Free Encyclopedia, “Zombie Computers,” January 2006. The website ordb.org accumulates lists of computers that send out spam. ORDB stands for open relay data base. Go to the website and select “test an open relay”. Enter your computer’s ip address. You can find your computer’s ip address by browsing to Network Neighborhood/Properties.
• #43: Zombies have been used extensively to send e-mail spam; between 50% to 80% of all spam worldwide is now sent by zombie computers. This allows spammers to avoid detection of the source of spam, and presumably reduces their bandwidth costs, since the owners of zombies pay for their computers' use of bandwidth. Source: Wikipedia – The Free Encyclopedia, “Zombie Computers,” January 2006.