Digital Fever: Malware misunderstandings

1-29-09

by Mike Kroll


In my computer business today the single biggest problem I address for my customers is the removal of malicious software, or malware. Most of the customers who bring in their computers for this service believe that what they are suffering from are computer viruses, but in nearly all cases this just isn't accurate. The vast majority of malware-infected computers I service today suffer from spyware, not viruses, and my customers are always amazed when I tell them that computer viruses are a very small problem today. Not only is spyware a much, much more common problem, it is also much more difficult to correct. Additionally, there is no antivirus or anti-spyware program that I am familiar with that can truly clean a spyware-infected computer completely by itself.

The good news is that the drastic decrease in the number and volume of viruses that a typical computer user can come across means antivirus software, and the attendant performance hit imposed by it, is much less important now than one or two years ago. Like vendors of office software before them, nearly all of the commercial antivirus software vendors have gotten caught up in a feature war. Nearly all the vendors now sell “computer security” software rather than antivirus software, and their packaging boasts a long list of features as the products themselves have become humongous, resource-consuming beasts that inflict huge performance penalties upon their users.

Merely installing most commercial “computer security” software today will noticeably slow down your computer. This performance hit is only magnified when such software is installed on a Windows Vista machine already struggling under the weight of that bloated beast of an operating system. To make matters worse, the decline in viruses coupled with the questionable usefulness of many of the additional “features” means that users are paying a very high price indeed for a security gain that is marginal at best. If a computer user exercises good judgement and avoids the most common exposures there is really little need for antivirus software on most computers today. Alas, bad judgement and a lack of common sense is exactly why the spyware industry is thriving today.

It is worth noting that malware is a problem almost exclusively on computers running some version of Microsoft Windows. While it is possible to create viruses or spyware to run on other computers, like Apple or Linux, this seldom occurs, and the reason is not solely due to the greater market share of Windows machines. Mostly this is due to the relative ease of infecting a Windows computer because of design and architectural weaknesses across the entire Windows family. I have often told my customers that if one were teaching a computer science class on how to design an operating system, one could use the various versions of Windows to demonstrate the wrong approach to just about every design decision.

Not only is Windows inherently insecure through design flaws, it employs “features” that actually make it easy for relatively unsophisticated people to do harm. It is the “features” designed into Microsoft's Internet Explorer and Outlook that make these two products security nightmares. Features like a powerful ActiveX scripting language that enables a website designer to do all kinds of nasty things to Internet Explorer users who merely browse the site in question. Features that offer wonderful capabilities to corporate IT departments seeking enhanced, long-distance, hands-off opportunities to maintain corporate PCs with minimal direct human intervention. The problem is that these powerful features are available to every web designer, including those with far less benign intentions.

The first and simplest thing you can do to reduce your exposure to malicious software is to immediately cease using any version of Microsoft's Internet Explorer and Outlook products (the Live Mail in Vista is really no more secure than Outlook, just a much bigger application). There are plenty of very capable and much safer replacement products available free on the Internet. I strongly suggest replacing Internet Explorer with Mozilla Firefox and Outlook Express with Mozilla Thunderbird (www.Mozilla.com). Both are not only more secure but also expand significantly on the Microsoft feature set. These are just my two favorite options; another I should mention is the Opera web browser (www.Opera.com). Each of these replacements is not only free and feature-packed but abounds in safe and useful add-ons that can be easily installed directly from the programs themselves. And all three programs are available for Mac and Linux users as well.

The most important points you should take away from this column are (1) that spyware, not viruses, is the real threat today and (2) since nearly all spyware infections are self-inflicted, there is really no software that can either protect you from infection or totally clean that infection once it is in place.

While viruses could be major nuisances, few caused anywhere near the headaches of spyware, and by comparison infections were rare. By and large, viruses were the products of computer geeks proving to their geeky friends just how “clever” they were. In most cases no one really gained monetarily from viruses, excepting the antivirus software industry (which did quite well, thank you). Spyware is a different story, and its very origins can be traced to making money on the Internet. Where it is now well understood that selling advertising space on the Internet offers most web sites limited profit potential, there is much higher profit in helping companies better target Internet users who may be interested in their products.

Spyware is really an elaborate data-mining operation whereby someone seeks to learn as much about you as possible so they can sell that information to Internet marketers. When you receive a spam message that closely targets your interests, hobbies or lifestyle you are many times more likely to open and perhaps respond to that message. Ditto for popup ads, or even regularly displayed ads on a website that has been specifically designed to offer a customized experience to each user based on that user's spyware-deduced preferences. Spyware is big and sophisticated because the people behind it can make big bucks doing it, and in most cases it is perfectly legal.

To be successful a spyware entrepreneur doesn't need your credit card or social security number – all they need is to learn all about you and your habits. In today's world monitoring personal computer usage is a great tool to accomplish this task. It is such an opportunity that there are literally thousands of spyware operations trying to do just that, and each one seeks to place its monitoring software on every possible computer. As that installed spyware works it uses your computer's resources for tasks that do not benefit you but do slow down your computer. The greater the number of installed spyware tools, the slower and slower your computer gets. By the time most people get fed up and bring their computer into my shop for cleaning they have at least dozens of spyware applications in operation on their machine, sometimes well over a hundred resource-consuming spyware applications.

A spyware application doesn't want you to know it is there, and it wants to run constantly so it can learn as much as possible. Therefore most spyware applications are designed to begin as you boot your computer and run in the background the entire time the computer is in operation. Thus the proliferation of spyware contributes to the gradual lengthening of the time it takes your computer to boot up. They store their information discreetly somewhere on your hard disk and wait for a good opportunity to transmit it across your Internet connection back to their home server. The now common always-on high-speed Internet connections most of us enjoy today have been a boon to spyware shops. The two things that spyware authors don't want to see happen are for you to discover and stop their data collection effort.
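Because the programs described above register themselves to start at boot, the first thing a careful user can do is look at exactly what Windows launches at logon. The following PowerShell script is an added example, not code from the column, that lists the standard autostart registry keys and startup folders and flags any entry whose program lives outside the usual Program Files or Windows directories for review first. It assumes it is run in PowerShell on a Windows machine with no extra modules installed; the "outside the usual directories" heuristic is a starting point for manual inspection, not proof that an entry is spyware.

```powershell
# Added example (not part of the original column): enumerate the common
# Windows autostart locations so background programs that launch at boot
# can be reviewed by hand. Assumes PowerShell on Windows, no add-on modules.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties PowerShell attaches to every registry item; they are not autostart values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$entries = @(foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Command  = [string]$p.Value
            }
        }
    }
})

# Anything placed in the per-user or all-users Startup folder also runs at logon.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

$entries += @(foreach ($dir in $startupDirs) {
    if ($dir -and (Test-Path $dir)) {
        Get-ChildItem -Path $dir -File | ForEach-Object {
            [pscustomobject]@{
                Location = $dir
                Name     = $_.Name
                Command  = $_.FullName
            }
        }
    }
})

# Heuristic only: programs launched from outside Program Files / Windows are
# the first ones to look at, because that is where unexpected background
# software most often lives. Legitimate tools can land there too.
$report = $entries | ForEach-Object {
    $outsideSystemDirs = $_.Command -notmatch '(?i)\\(Program Files( \(x86\))?|Windows)\\'
    $_ | Add-Member -NotePropertyName ReviewFirst -NotePropertyValue $outsideSystemDirs -PassThru
}

$report | Sort-Object ReviewFirst -Descending | Format-Table Location, Name, Command, ReviewFirst -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable, and compare the list against what you knowingly installed; entries you do not recognize are the ones worth investigating before anything is deleted.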

Unlike viruses of the past, which depended upon haphazard dispersal and really didn't take a systematic approach to dissemination, spyware authors are business people seeking a consistent and wide-ranging infection pattern. They want to maximize the number of computers they infect, and they want to keep their monitoring software operating for as long as possible and whenever the computer is powered up. For this reason they have turned to clever social engineering to get their victims to download and install their software, by including it as part of free, apparently useful programs that appeal to the computer user.

For example, nearly all of the free screen savers or weather monitoring programs now available on the Internet are conduits for spyware. Ditto for lots of free utilities, games, music and video files. When you download and install a spyware-infected program such as these you are doing the heavy lifting for the spyware authors without realizing it. Most of the so-called “Internet security” software suites will gleefully permit you to install these infected applications and, once installed, frequently do nothing to alert you to the problem, much less remove it.

Many websites use the security holes built into Internet Explorer to unleash spyware onto your system while you visit. The most common offenders are gambling sites, adult sites, on-line gaming sites, software-music-video piracy sites and even many children's game sites. You need only visit the site to get infected if you use Internet Explorer, whereas the competing Firefox and Opera are immune from most of these attacks and frequently will even warn you that the site in question is dangerous.

Another common route for spyware infections is the many peer-to-peer file sharing networks. When you install the software for Bearshare or Limewire or the like you are creating a ready-made infection route to your computer. The files shared in this manner do not come from carefully monitored and policed corporate web servers. Instead you are downloading files from other people's home computers and should have absolutely no expectation of the quality or security of the files garnered in this manner. To the extent that the computer you are downloading from has itself downloaded numerous infected files, it is very likely that many of the users it serves will likewise become infected. You can consider this as akin to a digital form of promiscuity where malware plays the role of the STD.

What makes this behavior even worse is that many peer-to-peer users stream these files onto their computer as live feeds of music or video, which maximizes the risk and can circumvent most anti-spyware or antivirus software monitoring your computer. If you must use a peer-to-peer file sharing service I strongly recommend that you never stream audio or video and that you never play any downloaded audio or video file before running a thorough scan with your security software. Any file that is identified as infected by such a scan should be deleted. Do not simply “repair” or quarantine the infected file – GET RID OF IT IMMEDIATELY.

If you believe your computer is infected with spyware you are probably correct. Most of the Windows computers that are brought into my shop for any reason have at least some spyware, and some are so bogged down that they are painful to use. I do not recommend purchasing most of the commercial anti-spyware programs, as they are really limited in what they can do despite their advertising. Most of the commercial antivirus software packages now claim to protect you from spyware as well, with varying degrees of accuracy. The simple fact is that most serious spyware cannot be removed by any software package alone. In most cases you only develop a false sense of security while the infection remains.

Removing spyware infections really requires a knowledgeable person who is able to manually hunt down and eradicate the infection. This doesn't necessarily have to be a professional like myself, but it is not a task for the novice or faint of heart. Oftentimes key program files or libraries used by Windows itself, or by some other commonly used software program, are changed or replaced with infected versions. These files must not only be deleted but must be replaced by the correct, uninfected version of the file in question. Sometimes merely deleting the infected file is not possible or will render the computer non-bootable. Caution is the watchword here. In a properly designed operating system critical OS files and libraries are protected from such shenanigans, but by design Microsoft encourages it in all versions of Windows.

It is possible to operate a Windows computer relatively malware-free, but it takes constant vigilance and the willingness to avoid the most common forms of exposure. In contrast, Mac and Linux users are free to use their computers with far less fear or trepidation. Perhaps someday Microsoft will learn... when pigs with lipstick fly!

Mike Kroll operates his shop, Dr. Mike Computer Therapist, in downtown Galesburg. He can be reached by e-mail at Dr.Mike@Bizconnect.net, or you can visit with him at the shop.