Understanding Computer Infections

From CastleCopsWiki

Caution The article below is currently in beta and has not been reviewed for factual errors.


Introduction

The first rule of avoiding infection is to prevent malicious code or programs from running on your system. As scary as undetectable rootkits sound, they can't hurt you if the attacker can't find a way to get them to run and install on your system. As such, you should try to understand how such programs get run on your computer, and how to prevent that from happening unless it is what you intended.


Many experts talk about vectors of infection to describe the different ways in which malware can get onto your computer and run: email attachments, ActiveX or Java on web pages, direct downloads via P2P or instant messengers, security exploits, and so on.


However, another way of seeing things is to realize that, in essence, you get infected for one of three reasons: I) you chose to run the infected content (infecting yourself); II) you mis-configured software settings so that they automatically run infected content without your consent; or III) the infected content ran because of a security exploit in a program you were using.

Image:Threeinfectionmethods.png

Three types of infections

Though a lot of people worry about some elite hacker breaking into their systems via a security exploit to install a rootkit (possible but rare; see later), by and large the most common way someone gets infected is that they choose to run the infected content. Whether it's an unexpected email 'joke' attachment, a dubious pirated file from P2P, a crack from a pirate site or some interesting freeware posted on the net, this is how malware gets onto their computer: they choose to download it, and then run it by clicking on the file. This is the first and most obvious way in which you infect yourself.


A more subtle second method of infecting yourself occurs when you give an application permission to run executable content it comes in contact with, but you aren't aware of doing so. By far the most common way this happens is when you choose to allow, in response to a prompt (or by default settings without any prompting), the installation and running of ActiveX content (or the installation of extensions in Mozilla) via your browser, or, to a lesser extent, allow a Java applet to run. These are the so-called drive-by downloads. You should be aware that in most cases this is the same as downloading and running the program on your computer.


Lastly, even if you refrain from running content from dubious sources and set up your software configuration correctly, you can still be infected via exploits of vulnerabilities in your software. The worst vulnerabilities enable attackers to bypass your software settings and run their own malicious code on your computer.


For the first article in this series, we will focus on protecting yourself from programs that you choose to run by clicking on them. In the follow-up article, we will cover typical errors (poor browser settings are the most common cause) that allow executables to run automatically. In the last article of this series we will address code running due to exploitation of security vulnerabilities.

Executable Content

In the sections above we talked about executable content as if it were obvious what counts as executable content and what does not. Some types of files are inherently less dangerous because they are data (such as text files, image files or multimedia files) as opposed to programs, scripts or other executable content that carries out actions instead of just displaying data. For example, everyone probably already knows that files with the extension .exe are executable content and hence dangerous to run, while image files such as .jpg or .png are not executable content and hence generally safe to open.


The first thing to note is that while image files are generally safe, a security vulnerability in the image processing application can cause malicious shellcode to run (a Type III infection in the diagram above). Typically this results in the download and execution of an .exe file of the attacker's choice.


Leaving aside security exploits, which are not very common (we will see how to handle them in the last part of this series), another problem is that there are hundreds of file extensions that are executable, and some file types blur the distinction between executable content and data by combining the two.


Word documents, for example, are not purely data because they can contain embedded macros, which is what makes macro viruses possible. Similarly, if you play media files with Windows Media Player, it can run scripts embedded within the media files (movies/music).


Another problem is that, by default, Windows hides the extension of the file being viewed, so you can't tell whether a file you are examining is a dangerous .exe file or a harmless JPEG. These are called hidden file extensions. This page shows how to make hidden extensions visible. Unfortunately, this doesn't completely deal with the problem: there are super hidden extensions that are still not visible (most critically files with the .shs extension). Making them visible is a tricky business requiring editing of the registry, something I don't recommend unless you know what you are doing.

Showing hidden extensions

Another typical email worm trick is to use double extensions like goodfile.jpg.exe, so don't be fooled into thinking it is an image file! Please refer to [1] and [2] for more information about extensions and executable file types. To further complicate matters, in the case of Word documents, if the extension is unknown, Windows will automatically use the file header information to open the file with Word!
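The hidden-extension and double-extension tricks described above, worked through as an added example (not code from the original article): it mirrors Explorer's display rules to show which name you would actually see, and flags names that are misleading. The extension lists are constructed for the example and are not exhaustive.

```python
# Added example, not from the original article. Extension sets below are
# constructed and deliberately incomplete; they illustrate the rules, not Windows.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi", ".cpl", ".hta",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",   # Windows Script Host types
}
# Marked NeverShowExt in the registry: hidden even when "Hide extensions for
# known file types" is turned off (.shs is the one the article singles out).
SUPER_HIDDEN_EXTENSIONS = {".shs", ".shb", ".pif", ".lnk", ".url"}
DATA_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".mp3", ".avi", ".wmv"}


def split_name(filename):
    """Return (stem, ext) with ext lower-cased, or (filename, '') when there is none."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return filename, ""
    return stem, "." + ext.lower()


def displayed_name(filename, hide_known_extensions=True):
    """The name Explorer would show for this file under the given setting."""
    stem, ext = split_name(filename)
    if ext in SUPER_HIDDEN_EXTENSIONS:
        return stem                      # never shown, whatever the setting
    if hide_known_extensions and ext in (EXECUTABLE_EXTENSIONS | DATA_EXTENSIONS):
        return stem                      # hidden only while the default is on
    return filename


def check_filename(filename):
    """Classify a file by its real name and list the tricks that make it misleading."""
    stem, ext = split_name(filename)
    warnings = []
    if ext in EXECUTABLE_EXTENSIONS or ext in SUPER_HIDDEN_EXTENSIONS:
        verdict = "executable"
    elif ext in DATA_EXTENSIONS:
        verdict = "data"
    else:
        verdict = "unknown"              # per the article: treat as executable
    if ext in SUPER_HIDDEN_EXTENSIONS:
        warnings.append("super hidden extension: never shown by Explorer")
    _, inner_ext = split_name(stem)      # e.g. the .jpg in goodfile.jpg.exe
    if verdict != "data" and inner_ext in DATA_EXTENSIONS:
        warnings.append(f"double extension: looks like {inner_ext} but is {ext or 'extensionless'}")
    return verdict, warnings
```

With the default setting, goodfile.jpg.exe is displayed as goodfile.jpg; notes.txt.shs is displayed as notes.txt even after hidden extensions are turned on.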


Though all this might seem worrying, the best advice I can give you is that if you are not sure whether a certain file is executable content or not, it is best to treat it as if it were!

Though technically scripts are different from compiled programs (scripts are interpreted, not compiled), most of the comments above apply to them. If you do not use scripts (most regular users do not), you can disable Windows Script Host.


Choosing to run a file, or how to reduce the chance of infecting yourself

Choosing to download and then run a program locally on your computer can be a very risky business. Below I set down some steps that might help reduce the risk.


Steps to take before running a program locally

1. The most important rule is never to download and run files from dubious sources. This means pirated software (via P2P, normal download, or whatever other method). If you break this rule, your chances of being infected go up quite a bit.


2. Be wary of freeware products. Always read the EULA (End User License Agreement) carefully; some of these "freeware" products actually come bundled with adware or worse. Javacool's EULAlyzer, which analyzes EULAs for dubious clauses, can help. Research unknown software using Google or Google Groups to see what others think of it. Be careful and don't believe everything you read: some comments are by people who are ignorant, or worse, shills. You can also research the site hosting the download. Study the site for suspicious details by doing a whois lookup; where it is hosted and how long it has been in existence can give you clues. Not technically inclined? Use SiteAdvisor, which does automated analysis of sites and warns you, among other things, of spyware/adware downloads residing on them (see other freeware alternatives). Please note that this does not give you perfect assurance that everything is fine.

Image:Eulalyzer.PNG


3. If you are updating software that you already have, or even downloading some new software that is highly recommended and known to be safe, always ensure that you download from the official source page. For example, if you always download from www.realsoftware.com, do not download it from elsewhere, nor ask someone else to email you the file. If the site posts the hash of the new update, check that the hash is identical (note this may not work if the attacker has gained control of the same server that serves the download). Even more secure would be to verify the file's digital signature, if any (see this or this if the files were digitally signed with GPG or PGP). If you download from a major, well-known download site, check whether the site has a policy of delisting adware products; some big, well-known sites (e.g. www.download.com) actually list adware products!

Here are a couple of download sites that are probably safe: www.majorgeeks.com, http://sourceforge.net and http://snapfiles.com/.
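The hash check from step 3, as an added example that is not part of the original article: it pulls the digest out of whatever format the vendor posts it in, hashes the saved file in chunks, and compares in constant time. As the step notes, this only catches a file altered in transit or on a mirror; if one server hands out both the file and its hash, whoever controls that server can change both.

```python
# Added example, not the article's own code: verify a download against a published hash.
import hashlib
import hmac
import re

# Digest length in hex characters -> hashlib algorithm name
ALGORITHM_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]+$")


def parse_published_hash(text):
    """Extract the digest from text copied off a download page.

    Accepts forms such as 'SHA256: b94d...' or the md5sum style 'b94d...  setup.exe'
    and returns (algorithm, lowercase_hex); raises ValueError if none is found.
    """
    for token in text.replace(":", " ").split():
        if HEX_TOKEN.match(token) and len(token) in ALGORITHM_BY_LENGTH:
            return ALGORITHM_BY_LENGTH[len(token)], token.lower()
    raise ValueError("no MD5/SHA-1/SHA-256/SHA-512 digest found in published text")


def digest_bytes(data, algorithm):
    """Hex digest of an in-memory buffer (used by the test and for small files)."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path, algorithm, chunk_size=1 << 20):
    """Hash a file in chunks so a large installer never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bytes(data, published_text):
    """True only if data hashes to the published digest; compared in constant time."""
    algorithm, expected = parse_published_hash(published_text)
    return hmac.compare_digest(digest_bytes(data, algorithm), expected)


def verify_download(path, published_text):
    """Same check for a file on disk, e.g. the installer you just saved."""
    algorithm, expected = parse_published_hash(published_text)
    return hmac.compare_digest(digest_file(path, algorithm), expected)
```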


4. Always scan downloads with your antivirus and antitrojan programs. Even trusted sites have been known to be compromised. The problem is that antivirus and antitrojan programs are far from foolproof, because their signature databases do not contain every piece of malware in the world. You can reduce this risk by scanning with both your primary and backup antivirus on your computer, or with online scanners as well, to increase coverage. If the files are fairly small, you can even scan them with multiple antivirus engines at once using VirusTotal (accepts files up to 10 MB) or Jotti's malware scan (accepts files up to 15 MB) (see also other alternatives). Please note that even after doing this you are not 100% protected; there is always the rare home-brew malware that is not detected by any antivirus, and in some cases on-demand scans might not be sufficient to detect malware that on-access scanners will catch.


If you are technically skilled you might also run particularly suspicious samples through CWSandbox or Anubis (see alternatives), which will analyze the files and report the changes they make when run. These might include changes to the filesystem, modified registry keys, network communication, etc. Here's a comprehensive list of online scanners maintained on this wiki.


5. Having gone through steps one to four, you should have a sense of how trustworthy the program you intend to run is. If you have a lot of doubts, you might consider not running it at all. If you do decide to run it, you can reduce the risk somewhat with the following steps.


5a. Run as a limited user account. Similar ideas include using DropMyRights or SecureIt (which adds to the context menu the ability to run files with lower privileges). By running programs with restricted privileges you reduce the amount of damage they can cause if they turn out to be dangerous. Please note that even with restricted privileges quite a bit of damage can be done, and much software cannot run without administrative privileges.


5b. Run a sandbox program. The free Sandboxie is a good program to use when testing programs you are not quite sure of. Programs running in the sandbox are restricted in even more ways than under a limited user account, and cannot modify files outside the sandbox. In addition, the file system and registry are virtualized, so you can flush the sandbox away without causing damage to the system. Unfortunately, as above, not all programs will install properly in Sandboxie, particularly those that install drivers. Alternatives include BufferZone or the free Altiris SVS, which is in some ways more flexible than Sandboxie but more difficult to use. Here are lists of free sandboxes and virtualization software maintained on this wiki.


Image:Sandboxie.png



5c. If you truly don't trust the program, or it fails to install using steps 5a and 5b, you might consider testing it first on a spare PC, but that isn't always available. The next best alternative is to run the suspect program in a virtual machine. Virtualization software emulates hardware, allowing you to run one or more (guest) operating systems on top of your normal host operating system. Each guest operating system is isolated from the host, which gives you a lot of security and freedom to test software. In recent months many such packages have become free, or nearly free with reduced features. These include VMware (the VMware Player and Server versions are free) and Microsoft Virtual PC 2007. Please note that for licensing purposes a separate Windows license is needed for each virtual machine. Also be aware that it is not totally unheard of for malware to be VM-aware and refuse to run when it detects that it is in a virtual machine, or worse yet, to behave benignly inside a VM.


5d. Backups. Always back up, so you can revert if the software you installed turns out to be bad. Some free options include installing in 'protected mode' under Returnil Virtual System Personal Edition or Windows SteadyState, which allow everything to be removed on rebooting. Or you can use conventional disk imaging backup software like DriveImage XML.

6. Handling warning prompts from behavior blockers. If you have software that monitors for and warns of malicious behavior (Process Guard, Prevx, WinPatrol, RegDefend, TeaTimer, etc.), you will often get warnings from it during the installation process. Unfortunately, whether to heed such warnings is not an easy matter; it mostly comes down to your judgment, your common sense and your knowledge of computer software. For example, I would be very suspicious of programs that want to install drivers and services unless they are security-related programs or programs of a similar nature. Note that even this isn't a hard and fast rule. Let your experience guide you.

Handling files from email attachments and other sources

Generally, most people download dubious files from two main sources: the World Wide Web via their browser, and email (POP3). Some people also download files via P2P file sharing software and through instant messaging.

In principle, assuming no exploit of the browser, email client, P2P or instant messaging client doing the download, how the file is downloaded makes no difference. The steps above should be taken before you run any executable content.

Email attachments should be treated the same way as any program you download from the web. Much has been said about handling email attachments, but the main thing is to always be careful about attachments from unknown sources. Treat them the same way you would programs downloaded from dubious sources. You can in theory handle them using the steps outlined above for normal downloads (running them in sandboxes, with reduced user rights, with backups, etc.), but the risk is much, much higher. I would say choosing to run email attachments from unknown senders is nearly suicidal and should never be done unless you enjoy playing with malware! For everyone else: do not open and run them even if your antivirus says they are clean. This is because for a new, fast-spreading worm there is a moderate to high chance you might be unfortunate enough to receive it before your antivirus is updated.


Even if the email attachment comes from someone you know, keep your guard up: often the From: field is forged (knowing how to read email headers helps here), or the sender is infected himself. If you are expecting the attachment, then chances are it's legitimate. However, if the body text of the email is short and vague, a one-liner along the lines of "here is the file you requested", you should be very suspicious.

The advice above about file extensions applies here as well.

Conclusion

In the first part of this series, we have shown you various ways to protect yourself by reducing your chances of getting infected in the first place, by making informed choices about the software you choose to install. We have also shown you ways of mitigating the damage, through sandboxing, virtualization or backups, if the software you have chosen to install turns out to be malicious.


In the second part of this series, we will show you how to avoid accidentally picking up unwanted malware due to poor software configuration. Finally, in the last part we will address the question of security exploits and how to protect yourself from them.
