Digital Fever: Malware misunderstandings
1-29-09
by Mike Kroll
In my computer business today the single biggest problem I address for my customers is the removal of malicious software, or malware. Most of the customers who bring in their computers for this service believe that what they are suffering from are computer viruses, but in nearly all cases this just isn't accurate. The vast majority of malware-infected computers I service today suffer from spyware, not viruses, and my customers are always amazed when I tell them that computer viruses are a very small problem today.
Not only is spyware a much, much more common problem, it is also much more difficult to correct. Additionally, there is no antivirus or anti-spyware program that I am familiar with that can truly clean a spyware-infected computer completely by itself.
The good news is that the drastic decrease in the number and volume of viruses that a typical computer user can come across means antivirus software, and the attending performance hit imposed by it, is much less important now than one or two years ago. Like vendors of office software before them, nearly all of the commercial antivirus software vendors have gotten caught up in a feature war. Nearly all the vendors now sell “computer security” software rather than antivirus software, and their packaging boasts a long list of features as the products themselves have become humongous resource-consuming beasts that inflict huge performance penalties upon their users.
Merely installing most commercial “computer security” software today will noticeably slow down your computer. This performance hit is only magnified when such software is installed on a Windows Vista machine already struggling under the weight of that bloated beast of an operating system. To make matters worse, the decline in viruses coupled with the questionable usefulness of many of the additional “features” means that users are paying a very high price indeed for a security gain that is marginal at best. If a computer user exercises good judgement and avoids the most common exposures there is really little need for antivirus software on most computers today. Alas, bad judgement and lack of common sense is exactly why the spyware industry is thriving today.
It is worth noting that malware is a problem almost exclusively on computers running some version of Microsoft Windows. While it is possible to create viruses or spyware to run on other computers, like Apple or Linux, this seldom occurs, and the reason is not solely the greater market share of Windows machines. Mostly it is due to the relative ease of infecting a Windows computer, thanks to design and architectural weaknesses across the entire Windows family. I have often told my customers that if one were teaching a computer science class on how to design an operating system, one could use the various versions of Windows to demonstrate the wrong approach to just about every design decision.
Not only is Windows inherently insecure because of design flaws, it employs “features” that actually make it easy for relatively unsophisticated people to do harm. It is the “features” designed into Microsoft's Internet Explorer and Outlook that make these two products security nightmares: features like a powerful ActiveX scripting capability that enables a website designer to do all kinds of nasty things to Internet Explorer users who merely browse the site in question, and features that offer wonderful capabilities to corporate IT departments seeking enhanced, long-distance, hands-off opportunities to maintain corporate PCs with minimal direct human intervention. The problem is that these powerful features are available to every web designer, including those with far less benign intentions.
The first and simplest thing you can do to reduce your exposure to malicious software is to immediately cease using any version of Microsoft's Internet Explorer and Outlook products (the Live Mail in Vista is really no more secure than Outlook, but a much bigger application). There are plenty of very capable and much safer replacement products available free on the Internet. I strongly suggest replacing Internet Explorer with Mozilla Firefox and Outlook Express with Mozilla Thunderbird (www.Mozilla.com). Both are not only more secure but also expand significantly on the Microsoft feature set. These are just my two favorite options; another I should mention is the Opera web browser (www.Opera.com). Each of these replacements is not only free and feature-packed, but they abound in safe and useful add-ons that can be easily installed directly from the programs themselves. And all three programs are available for Mac and Linux users as well.
The most important points you should take away from this column are (1) that spyware, not viruses, is the real threat today and (2) since nearly all spyware infections are self-inflicted, there is really no software that can either protect you from infection or totally clean that infection once it is in place.
While viruses could be major nuisances, few caused anywhere near the headaches of spyware, and by comparison infections were rare. By and large viruses were the products of computer geeks proving to their geeky friends just how “clever” they were. In most cases no one really gained monetarily from viruses, excepting the antivirus software industry (which did quite well, thank you). Spyware is a different story, and its very origins can be traced to making money on the Internet. While it is now well understood that selling advertising space on the Internet offers most web sites limited profit potential, there is much higher profit in helping companies better target Internet users who may be interested in their products.
Spyware is really an elaborate data-mining operation whereby someone seeks to learn as much about you as possible so they can sell that information to Internet marketers. When you receive a spam message that closely targets your interests, hobbies or lifestyle, you are many times more likely to open and perhaps respond to that message. Ditto for popup ads, or even regularly displayed ads on a website that has been specifically designed to offer a customized experience to each user based on that user's spyware-deduced preferences. Spyware is big and sophisticated because the people behind it can make big bucks doing it, and in most cases it is perfectly legal.
To be successful a spyware entrepreneur doesn't need your credit card or social security number – all they need is to learn all about you and your habits. In today's world monitoring personal computer usage is a great tool to accomplish this task. It is such an opportunity that there are literally thousands of spyware operations trying to do just that, and each one seeks to place its monitoring software on every possible computer. As that installed spyware works, it uses your computer resources for tasks that do not benefit you but slow down your computer. The greater the number of installed spyware tools, the slower and slower your computer gets. By the time most people get fed up and bring their computer into my shop for cleaning they have at least dozens of spyware applications in operation on their machine, sometimes well over a hundred resource-consuming spyware applications.
A spyware application doesn't want you to know it is there, and it wants to run constantly so it can learn as much as possible. Therefore most spyware applications are designed to begin as you boot your computer and run in the background the entire time the computer is in operation. Thus the proliferation of spyware contributes to the gradual lengthening of the time it takes your computer to boot up. They store their information discreetly somewhere on your hard disk and wait for a good opportunity to transmit it across your Internet connection back to their home server. The now-common always-on high-speed Internet connections most of us enjoy today have been a boon to spyware shops. The two things spyware authors don't want to see happen are for you to discover and stop their data collection effort.
Unlike viruses of the past, which depended upon haphazard dispersal and really didn't take a systematic approach to dissemination, spyware authors are business people seeking a consistent and wide-ranging infection pattern. They want to maximize the number of computers they infect, and they want to keep their monitoring software operating for as long as possible and whenever the computer is powered up. For this reason they have turned to clever social engineering to get their victims to download and install their software, by including it as part of free, apparently useful programs that appeal to the computer user.
For example, nearly all of the free screen savers or weather monitoring programs now available on the Internet are conduits for spyware. Ditto for lots of free utilities, games, music and video files. When you download and install a spyware-infected program such as these, you are doing the heavy lifting for the spyware authors without realizing it. Most of the so-called “Internet security” software suites will gleefully permit you to install these infected applications and, once they are installed, frequently do nothing to alert you to the problem, much less remove it.
Many websites use the security holes built into Internet Explorer to unleash spyware onto your system while you visit. The most common offenders are gambling sites, adult sites, on-line gaming sites, software-music-video piracy sites and even many children's game sites. You need only visit the site to get infected if you use Internet Explorer, while competitors Firefox and Opera are immune from most of these attacks and frequently will even warn you that the site in question is dangerous.
Another common route for spyware infections is the many and various peer-to-peer file sharing sites. When you install the software for Bearshare or Limewire or the like, you are creating a ready-made infection route to your computer. The files shared in this manner do not come from carefully monitored and policed corporate web servers. Instead you are downloading files from other people's home computers and should have absolutely no expectation of the quality or security of the files garnered in this manner. To the extent that the computer you are downloading from has itself downloaded numerous infected files, it is very likely that many of the users it serves will likewise become infected. You can consider this akin to a digital form of promiscuity where malware plays the role of an STD.
What makes this behavior even worse is that many peer-to-peer users stream these files onto their computer as live feeds of music or video, which maximizes the risk and can circumvent most anti-spyware or antivirus software monitoring your computer. If you must use a peer-to-peer file sharing service, I strongly recommend that you never stream audio or video and that you never play any downloaded audio or video file before running a thorough scan with your security software. Any file that is identified as infected by such a scan should be deleted. Do not simply “repair” or quarantine the infected file – GET RID OF IT IMMEDIATELY.
If you believe your computer is infected with spyware, you are probably correct. Most of the Windows computers that are brought into my shop for any reason have at least some spyware, and some are so bogged down that they are painful to use. I do not recommend purchasing most of the commercial anti-spyware programs, as they are really limited in what they can do despite their advertising. Most of the commercial antivirus software packages now claim to protect you from spyware as well, with various degrees of accuracy. The simple fact is that most serious spyware cannot be removed by any software package alone. In most cases you only develop a false sense of security while the infection remains.
Removing spyware infections really requires a knowledgeable person who is able to manually hunt down and eradicate the infection. This doesn't necessarily have to be a professional like myself, but it is not a task for the novice or faint of heart. Oftentimes key program files or libraries used by Windows itself or some other commonly used software program are changed or replaced with infected versions. These files must not only be deleted, they must be replaced by the correct uninfected version of the file in question. Sometimes merely deleting the infected file is not possible or will render the computer non-bootable. Caution is the watchword here. In a properly designed operating system critical OS files and libraries are protected from such shenanigans, but by design Microsoft encourages it in all versions of Windows.
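The column describes two things a knowledgeable person hunts for by hand: programs that register themselves to start at boot, and binaries that have been swapped for tampered versions. The script below is an added example, not from the column or from any product it names, that automates the first pass of that hunt on Windows: it lists the classic autostart entries (the Run/RunOnce registry keys and the Startup folders), resolves each to the executable it launches, and reports the ones whose file carries no valid Authenticode signature. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session; the locations checked and the "unsigned means suspicious" heuristic are the author's assumptions, and services, scheduled tasks and browser add-ons are deliberately left out to keep the example short.

```powershell
# Added example: inventory common autostart locations and flag targets that are
# not validly signed. Assumes an elevated PowerShell session on Windows.
# Covers only Run/RunOnce keys and Startup folders (assumption: these are the
# simplest "start at boot" hooks the column describes); services, scheduled
# tasks and browser helper objects are out of scope here.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Get-AutostartEntries {
    # Registry Run/RunOnce values: each value name is an entry, its data a command line.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            [PSCustomObject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Startup folders: every file (shortcut or executable) in them runs at logon.
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            [PSCustomObject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Resolve-CommandPath {
    param([string]$Command)
    # Pull the executable path out of a command line. Quoted paths are taken
    # whole; unquoted ones are cut at the first space, so an unquoted path
    # containing spaces will be reported as FileNotFound and deserves a manual look.
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # Follow .lnk shortcuts (typical in Startup folders) to the real target.
    if ($exe -like '*.lnk' -and (Test-Path $exe)) {
        $shell = New-Object -ComObject WScript.Shell
        $exe = $shell.CreateShortcut($exe).TargetPath
    }
    return $exe
}

Get-AutostartEntries | ForEach-Object {
    $path = Resolve-CommandPath $_.Command
    $status = if ($path -and (Test-Path $path)) {
        (Get-AuthenticodeSignature -FilePath $path).Status   # Valid, NotSigned, HashMismatch, ...
    } else {
        'FileNotFound'
    }
    [PSCustomObject]@{
        Source    = $_.Source
        Name      = $_.Name
        Target    = $path
        Signature = $status
    }
} | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Everything that survives the final filter is a starting point for the manual work the column describes, not a verdict: plenty of legitimate small utilities ship unsigned, and a HashMismatch on a file that should be signed is the case that matches the "replaced with an infected version" scenario above and warrants restoring the file from known-good media before it is deleted.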
It is possible to operate a Windows computer relatively malware-free, but it takes constant vigilance and the willingness to avoid the most common forms of exposure. In contrast, Mac and Linux users are free to use their computers with far less fear or trepidation. Perhaps someday Microsoft will learn... when pigs with lipstick fly!
Mike Kroll operates his shop, Dr. Mike Computer Therapist, in downtown Galesburg. He can be reached by e-mail at Dr.Mike@Bizconnect.net or you can visit with him at the shop.