To understand the phenomenon of computer viruses, trojans, spyware and so on, it is necessary to understand the reasons behind their existence. It is an unfortunate fact of life that some individuals are inclined towards actions which are devious, underhanded, or just plain evil - often for no other reason than empty, unfulfilled lives.
Malicious software is written for many reasons, often twisted and hard to understand, but the mindsets behind it can be broken down into the following broad groups:
Ironically, more than once, a large company has inadvertently released a product that opens up new security risks for everyone. In 2005, Sony BMG Music Entertainment was found to have been including software on its music CDs (in an attempt to enforce copy protection) that infected Windows PCs and left them vulnerable to all kinds of rootkit-based security exploits! Microsoft's Windows Genuine Advantage software, in 2006, was found to be "phoning home" on a daily basis, just like spyware.
A computer virus, just like a biological one, aims to use its host computer to replicate and spread itself to other hosts. These days viruses are normally spread through infected documents, spreadsheets or programs that people willingly open or install (pirate software is often deliberately infected with viruses). How many times have you opened an attachment from a friend without question? Social factors play a huge part in the spread of viruses.
Viral replication behaviour can also be exhibited by spyware and trojans, but the most basic virus is little more than something which replicates itself and carries a payload that could do anything from destroying data on your hard disk to displaying harmless but annoying messages on your screen.
Some viruses remain resident in memory and attempt to infect every file the operating system accesses, so every time you open a document the virus will try to infect that file.
Anti-virus software usually scans every file that you open, and should also spot a virus that is sitting in memory and wipe it out. However, if you don't keep your antivirus software up to date, it may not recognise the virus in memory. This creates a dangerous possibility: the next time you scan your hard disk for viruses (and therefore access every file on your system), the virus will piggyback on the scan and attach itself to every file it can.
Spyware is often installed through web browser plugins (which may be installed without your knowledge, particularly with Internet Explorer). It can also be part of the payload of a virus, dropped onto your system as a result of infection. Again, it can be installed by fooling you into thinking you are installing something useful (like Web Accelerator, or the many other programs advertised as "optimising" your computer).
Spyware is software written to record information about your activities and send it back to a central system. This may be information as innocent as which websites you visit, so that targeted advertising can be served (this is what some web browser toolbar extensions do). However, spyware can also record your online banking sessions and send your confidential data to criminals intending to commit identity fraud.
Trojans are often installed by unsuspecting users as part of pirate software, or other software that looks useful or is offered free. Trojans can be hard to detect because many are hand-coded and don't cause any direct damage, so it can take some time before they get noticed. Often it is only when somebody notices the trojan communicating on the network that it is discovered.
Trojan software generally tries to turn your computer into a zombie participant in a botnet. A zombie is a computer that can be called to action at any time. A botnet is a huge collection of zombie computers all being controlled by someone, somewhere. The diagram below shows the structure of a typical botnet.

Once your computer has been zombified, it may be asked to participate in distributing spam, pirate software, porn, or worse. It may also be included in a denial of service (DoS) attack, in which many hundreds or thousands of zombies are used to access a website or corporate server at once, overloading it and taking it out of service. There have been a number of such attacks in recent years, and the traffic they produce can affect large areas of the internet for several hours, causing serious slowdowns.
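The text above notes that a trojan is often discovered only when someone notices it talking on the network, and that a zombie waits to be called to action by whoever controls the botnet. One cheap signal for that is "beaconing": one machine connecting to the same remote host at a near-constant interval. The script below is an added example, not code from the original article; it reads constructed firewall-style log lines (the timestamps, hosts and addresses are made up) and reports source/destination pairs whose connection intervals are both frequent and suspiciously regular.

```python
"""Flag hosts that 'phone home' at regular intervals.

Added example (not from the original article). Input is a set of constructed
firewall-style log lines of the form 'timestamp src -> dst:port'. For every
source/destination pair we measure how regular the gaps between connections
are; a timer-driven check-in has a very small coefficient of variation
(standard deviation / mean), while ordinary browsing does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines; hosts and addresses are made up for the example.
SAMPLE_LOG = """\
2006-05-01T09:00:00 192.168.1.20 -> 203.0.113.7:6667
2006-05-01T09:01:12 192.168.1.20 -> 198.51.100.3:80
2006-05-01T09:05:00 192.168.1.20 -> 203.0.113.7:6667
2006-05-01T09:07:41 192.168.1.21 -> 198.51.100.3:80
2006-05-01T09:10:01 192.168.1.20 -> 203.0.113.7:6667
2006-05-01T09:15:00 192.168.1.20 -> 203.0.113.7:6667
2006-05-01T09:16:33 192.168.1.21 -> 198.51.100.9:443
2006-05-01T09:19:59 192.168.1.20 -> 203.0.113.7:6667
2006-05-01T09:25:00 192.168.1.20 -> 203.0.113.7:6667
2006-05-01T09:31:08 192.168.1.21 -> 198.51.100.3:80
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from 'ts src -> dst:port' lines."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(conns, min_connections=4, max_jitter=0.1):
    """Return pairs whose inter-connection gaps are regular enough to look timer-driven.

    min_connections: ignore pairs seen fewer times than this (too little data).
    max_jitter: maximum allowed stdev/mean of the gaps; 0.1 means within 10%.
    """
    beacons = []
    for (src, dst), times in conns.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps; no interval to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst,
                            "interval_s": round(avg), "jitter": round(jitter, 3)})
    return beacons


def analyse(text=SAMPLE_LOG):
    """Parse the log text and return the list of suspected beacons."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for b in analyse():
        print(f"{b['src']} connects to {b['dst']} every ~{b['interval_s']}s "
              f"(jitter {b['jitter']})")
```

On the sample data only the 192.168.1.20 to 203.0.113.7:6667 pair is reported (six connections roughly five minutes apart); the browsing traffic from both machines is too sparse and too irregular to qualify. On a real network the thresholds need tuning, because legitimate software such as update checkers also runs on timers, so the output is a list of things to look at, not a verdict.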
It goes without saying that you should run quality antivirus software and, most importantly, keep it up to date. Most antivirus software will protect you against viruses, trojans AND spyware.
If you have a broadband router with NAT enabled (and more than 99.9% of broadband users in the UK do), then personal firewall software is largely redundant for stopping incoming threats. It is more useful for checking what software on your computer is trying to get OUT. If you only run registered software from well-known sources, it is unlikely you will ever need more than the firewall built into Windows.
Don't open attachments from people you don't know or trust. Even when you do trust the sender, NEVER open attachments with filenames ending in .exe, .cmd, .bat, .com or other executable extensions.
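The rule above is easy to state and surprisingly easy to get wrong in code. The helper below is an added example (not from the original article) of how a mail filter or a cautious user's script might enforce it. It covers two tricks that a plain "ends with .exe" check misses: double extensions such as report.pdf.exe, and trailing spaces or dots that Windows silently removes before running the file. The extension list is illustrative, starting from the ones the article names, and is not claimed to be complete.

```python
"""Decide whether an e-mail attachment name should be blocked.

Added example (not from the original article). Starting from the extensions
the article names (.exe .cmd .bat .com) plus a few other common Windows
executable types, classify an attachment name as 'allow' or 'block'.
"""
import unicodedata

# Illustrative, not exhaustive: the article's four plus other types Windows runs.
EXECUTABLE_EXTENSIONS = {
    "exe", "cmd", "bat", "com", "scr", "pif", "vbs", "js", "jse", "wsf",
    "msi", "hta", "lnk",
}


def normalise_filename(name):
    """Return a lower-case name with trailing spaces and dots removed.

    Windows strips trailing spaces/dots when it opens a file, so 'setup.exe. '
    runs as 'setup.exe'. NFKC normalisation folds look-alike characters such as
    fullwidth letters so they cannot hide an extension from the comparison.
    """
    name = unicodedata.normalize("NFKC", name)
    return name.strip().rstrip(" .").lower()


def is_executable_attachment(name):
    """True if the normalised filename's final extension is executable."""
    name = normalise_filename(name)
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS


def has_double_extension(name):
    """True for names like 'report.pdf.exe' that pose as a document."""
    parts = normalise_filename(name).split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS


def classify(name):
    """Return 'allow', 'block: executable' or 'block: disguised executable'."""
    if not is_executable_attachment(name):
        return "allow"
    if has_double_extension(name):
        return "block: disguised executable"
    return "block: executable"


if __name__ == "__main__":
    # Constructed sample attachment names.
    for sample in ["holiday.jpg", "setup.exe", "Invoice.PDF.exe  ", "notes.exe. ", "README"]:
        print(f"{sample!r:22} -> {classify(sample)}")
```

Note that this checks the name only; a file with a harmless-looking extension can still be dangerous if the program that opens it has a vulnerability, which is why the article also insists on up-to-date antivirus software.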
Antivirus software is not guaranteed to get you out of trouble. In many cases it will safely remove the infection, but because many viruses, spyware and trojans alter or damage several (hundred) other files on your computer, it can be impossible to repair the damage.
THE best way to protect yourself is to buy an external hard disk (currently less than £80 on Amazon) and some hard disk imaging software, like Norton Ghost or Acronis True Image. Take a snapshot of your hard disk at least every week, and keep the last two or three weeks of snapshots before removing them. This way, if you find you have fallen prey, you can restore your whole system in minutes instead of having to re-install Windows and all of your software from scratch (which can take hours, and may require sedatives!).
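The weekly-snapshot advice above is a retention policy, and it is worth writing down so it is applied the same way every time. The function below is an added example (not from the original article, and not part of Norton Ghost or Acronis True Image); it assumes a constructed naming scheme in which each image file carries its date, such as system-2006-05-01.img. It picks the images to keep and to delete, never deletes a file it cannot date, and flags the case where the newest image is older than the weekly schedule, since a missed backup is discovered at exactly the wrong moment.

```python
"""Choose which weekly disk images to keep and which to delete.

Added example (not from the original article). Assumes image files are named
with an ISO date somewhere in the name, e.g. 'system-2006-05-01.img' (a
constructed convention). The rotation keeps the newest `keep` images, as the
article suggests keeping the last two or three weeks.
"""
import re
from datetime import date, timedelta

DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")

# Constructed sample directory listing.
SAMPLE_IMAGES = [
    "system-2006-04-10.img",
    "system-2006-04-17.img",
    "system-2006-04-24.img",
    "system-2006-05-01.img",
    "notes.txt",
]


def snapshot_date(name):
    """Return the date embedded in a snapshot filename, or None if there is none."""
    m = DATE_RE.search(name)
    return date(*map(int, m.groups())) if m else None


def plan_rotation(names, keep=3, today=None, max_age_days=7):
    """Return (keep_list, delete_list, stale).

    keep_list:   the `keep` newest dated images plus any undated files.
    delete_list: older dated images that can be removed.
    stale:       True if there is no dated image newer than max_age_days,
                 i.e. the weekly snapshot has been missed.
    Files without a recognisable date are never deleted: removing an image
    you cannot identify is worse than keeping an extra one.
    """
    today = today or date.today()
    dated = [(snapshot_date(n), n) for n in names]
    unknown = [n for d, n in dated if d is None]
    known = sorted(((d, n) for d, n in dated if d is not None), reverse=True)
    keep_list = [n for _, n in known[:keep]] + unknown
    delete_list = [n for _, n in known[keep:]]
    stale = not known or (today - known[0][0]) > timedelta(days=max_age_days)
    return keep_list, delete_list, stale


if __name__ == "__main__":
    keep_list, delete_list, stale = plan_rotation(SAMPLE_IMAGES, keep=3, today=date(2006, 5, 3))
    print("keep:  ", keep_list)
    print("delete:", delete_list)
    print("latest snapshot overdue:", stale)
```

Run against the sample listing on 3 May 2006, the plan keeps the 1 May, 24 April and 17 April images (and leaves notes.txt alone), deletes the 10 April image, and reports that the schedule is not overdue. Run the same listing a month later and the stale flag turns on while the keep and delete lists stay the same.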