A client recently asked me, “What’s the difference between ‘malware’ and a ‘virus’? Is ‘spyware’ still a thing? Are these pop-ups a virus, or something else? Was I hacked?!?” As a computer user who could easily remember the earliest days of computer viruses, his confusion was understandable, especially when the media and sometimes even industry pros have a tendency to use those terms interchangeably when they really aren’t. The complexity of today’s malware landscape is complex enough to fill multiple textbooks, but I’ll try to boil it down to the things most professionals should know.
Hacking
The term “hacking” is probably the most mis-appropriated term in use today. Originally, the true purpose of hacking something was to make alterations to how a device (or system) operated in order to achieve results different from the originally intended purpose of the hacked object. This could take just about any form: the brilliant, life-saving hacks used to return the Apollo 13 crew safely to earth in 1961, all the way to subverting computer security systems to paralyze a giant corporation in 2014. The important qualifier in determining if something was “hacked” is identifying actual, human-driven intent. In most cases, malware-compromised systems are the result of an “infection” versus a purposeful hacking.
Malware
The term “malware” is a portmanteau of the two words “malicious software” which, as you might imagine, is used to describe any sort of non-native programming or code loaded into a device that subverts the device’s original purpose, with the result that its activities cause some form of harm (hence the “mal” part). Malware covers a broad range of code including the annoying pop-ups and browser redirects that take control of your internet searches to show you advertising (aka “adware”), to the incredibly disruptive (and effective) malware that encrypts your data and holds it for ransom (aka “ransomware”). “Spyware” still exists – though it has taken a dark turn from it’s original advertising roots of harvesting your demographics to now harvesting your sensitive personal information for the purposes of identity theft.
Viruses
Though a computer “virus” is still considered malware, most malware found today are not considered actual viruses. In keeping with the spirit of its biological predecessor, a true computer virus distinguishes itself by insinuating itself into or altering the host’s code with the express purpose of multiplying and spreading, something that is relatively rare at the moment in most malware, even the ones that spread via email. Though they exhibit virus-like infection patterns, their methods of spreading are more akin to poisoning or parasitic infection.
How it all comes together
It’s important to note that malware is often a primary tool in any computer hacking effort. It can be used to weaken or subvert security systems, usually by installing other programs that facilitate other activities that can range from gathering passwords, data and opening security backdoors to erasing hard drives and crippling critical network infrastructure. Though they find little comfort in it, I tell my clients that most malware infections are akin to getting the flu: it’s highly unlikely someone set out to get you sick. Typically you got it from someone who didn’t even know they were contagious.
However, similar to their biological counterparts, other digital pathogens may take advantage of your computer’s compromised immune system to cause further damage. At best, these malware infections take the form of a symbiotic parasite that may surface relatively innocuous symptoms (pop-ups, Google doesn’t work, etc.), but those redirects can lead you to further infection by more harmful malware. At the extreme, they can lead to the digital equivalent of metastatic cancer, usually with fatal results. Suffice it to say, any form of malware infection should not be tolerated, regardless of the host machine’s primary purpose, and should be taken care of immediately.
It’s a common practice in the technology industry to describe computer viruses and the way they behave using the same terms and concepts as the medical industry, primarily because the reality of how digital viruses work is rather boring and technical. Up until now.
In the “surprising no one” category of research findings, scientist in the UK have built a prototype computer virus called “Chameleon” that spreads via Wi-fi access points, and upon testing it discovered that it exhibited similar characteristics to airborne pathogens, ie. it spread more quickly in densely populated environments. The virus was also designed to keep its actions from interfering with normal device operations and to bypass well-protected devices for easy-to-infect models with weaker security, much in the same way biological viruses operate. It’s not clear whether the virus was designed to behave this way because the scientists knew how effective biological viruses worked and incorporated that into the design, or whether these traits manifested spontaneously from a “traditionally” designed computer virus.
What this means for you:
Don’t panic yet. The “Chameleon” virus was designed and tested in a lab by trained professionals, and never actually unleashed into “the wild”. Oh wait, did that sound like the premise of just about every virus outbreak movie in the history of Hollywood? Seriously, wi-fi viruses have not yet been found in the wild (but they are really close – see last week’s warning about Linksys routers), but you can bet that black-hat forces are hard at work trying to figure out how to attack wi-fi access points, and the first ones to be targeted will be devices used in heavily trafficked venues like airports, restaurants, coffee-shops and malls. Unless you happened to be in the business of designing wi-fi devices, there’s really not much you can do at this point beyond the usual mantra: keep your software and anti-malware up to date, avoid accessing sensitive data on public wi-fi access points, and use strong passwords. Stay vigilant!
It sounds like the title of a wonderfully bad sci-fi B-movie, but it’s actually happened: the Internation Space Station is infected with a computer virus. Not only is it infected, it’s infected with a famous virus, Stuxnet, which was used to cripple (allegedly) Iran’s nuclear weapons program. Originally designed specifically for infecting Iranian nuclear power plant systems, Stuxnet has since “gone rogue” and is now doing its dirty work around the globe. The virus was designed to be spread not only via network connections, but through flash drives and disk drives as well, primarily because many nuclear power plant control systems are too old to be connected to the internet, which is a scary thought on its own. In the case of the ISS, Stuxnet stowed away on a USB thumb drive brought on board by an astronaut.
What this means for you:
As the story above illustrates, humans continue to be the weakest link in the chain of security. You can spend tons of money on securing your technology, but it can all be blown away by a $10 thumb drive and 30 seconds of careless behavior. A big part of security is training your people not only on what NOT to do, but also on how to be vigilant and careful. As a society, we are starting to understand just how pervasive malware has become, but there are still a surprising number of people who continue to be caught off guard and impacted negatively. Given how this paradoxical, and very human behavior isn’t limited to just technology risks (think about drugs, alcohol, tobacco, base jumping, junk food, etc.) it’s no wonder malware has continued to thrive despite its destructive nature.
For many professionals, LinkedIn plays an important role in their ability to network and market themselves to others, but the primary business tool of choice for just about everyone is still email. Realizing this, LinkedIn has created an app (currently only for iOS) that puts a lot more LinkedIn into your email. The app, dubbed “Intro”, is designed to provide you LinkedIn profile information (if it exists) of your recipients while you are writing your email, as well as automatically inserting an “Intro” banner that includes your profile information into every email you send. It’s this latter function that has security analysts up in arms, because in order for Intro to do its thing, it requires the user to switch their email server from the provider to LinkedIn’s own mail servers, which in turn authenticate on the user’s behalf while inserting the Intro snippet into each email as it makes its way through LinkedIn’s service. You read that right: every email you send using Intro goes through LinkedIn’s servers as well.
What this means for you:
For decades now, hackers have used a similar technology process to compromise security systems: the “Man in the Middle” attack basically tricks a computer into sending information to an alternate destination, which then forwards on the information to the intended destination, all the while pretending to be the original sender, with neither endpoint being the wiser. In this manner, the “man” in question is able to collect any information passing between the two points, including passwords and other sensitive information. Obviously, LinkedIn’s Intro app is purposefully inserted into the middle of a user’s email by the user himself, but the principle remains the same, and, at minimum, complicates security. Think of it as an email “love triangle.”
On top of this concern, security analysts have already figured out a way to spoof the information Intro inserts into your emails, essentially “weaponizing” Intro’s banner to carry any sort of payload the hacker would like, including links to hijacked websites. Imagine if you sent your client an email with a compromised LinkedIn Intro banner that led to them getting infected and their information destroyed by a virus. For now, I’d recommend sticking to inserting your own signatures into your email (which can include a link to your LinkedIn profile) and waiting a few months to see if LinkedIn has worked out all the security concerns in their new app.
In August of this year, one of the world’s largest oil producers, Saudi Aramco, was targeted in a cyberattack that crippled tens of thousands of its computers. Despite the apparent success of the attack and the impact this would have had on the company’s operations, oil production did not falter, and the global economy continued its drunken flirtation with failure instead of rushing into an oil-shortage-fueled orgy of self-destruction. Saudi Aramco has not been forthcoming on the details of the attack, or how they managed to survive it relatively unscathed, but in the eyes of security analysts and even our own Secretary of Defense, Leon Panetta, this attack was “probably the most destructive attack that the private sector has seen to date.”
There are conflicting reports about the motivation behind the attack. The hacktivist group “Cutting Sword of Justice” has claimed responsibility, citing the act as a strike at the House of Saud, the ruling body of Saudi Arabia, refuting claims by security analysts who believe the attack to be a state or government-sponsored reprisal for the Stuxnet attacks that crippled the Iranian Nuclear Program. Intended to cripple oil-dependent economies like the US, government-backed cyberattacks on companies like Saudi Aramco can also gain proprietary geological survey data that could be extremely profitable for other, competing state-sponsored oil companies.
What this means for you:
Information is power, and there are very few companies that don’t store their most valuable data on computers and servers that are somehow connected to a network, if not the internet itself. Even if they had the best security known to man, it’s believed that at least one individual inside Saudi Aramco provided the means for attackers to compromise a company that produces 12% of the world’s oil. You should never rely 100% on technology alone for security – humans will always be more fallible than computers. Additionally, it’s important to provide some level of separation in your core business operations so that if a segment of your business is paralyzed, the entire operation doesn’t grind to a halt because the computers are offline getting repaired.
Kaspersky Labs just released their quarterly threat report for Q3 2012, and it’s dry reading for most folks not fascinated by IT security as I am. There are some notable trends that their research has surfaced, and I thought you might find some of these data points interesting:
- You are least likely to be infected by a fellow countryman in the nation of Denmark. (The US is in the lower first quartile, in case you were wondering.)
- Russia has overtaken the US as having the most websites hosting malware software.
- The most commonly found smartphone virus is designed to steal money from you by texting premium-rate numbers without you noticing.
- The most common way to get a virus infection is via drive-by infections, ie. visiting a dodgy website and getting infected when your browser loads pages that have embedded viruses.
- Of the top 10 most commonly found software vulnerabilities, 2 are found in Oracle software (Java), 5 from Adobe (Flash, Shockwave & Acrobat), 2 from Apple (Quicktime and iTunes), and 1 from Winamp.
- Over half of the detected malware infections came from Java vulnerabilities.
- For the first time in many years, Microsoft did not make the Top 10 list of vulnerabilities!
What this means for you:
Keep your software up to date. The java vulnerabilities have been patched, but many people ignore (or aren’t even aware) that Java needs to be kept up to date just like any other software installed on their machine. Keep your browser up to date, and if you have the choice, use the latest version of IE, or even better, Google’s Chrome browser. However, nothing will keep you safe if you don’t have proper malware protection installed, updated and ACTIVE. If you use an Android phone, see my previous article on the dangers of side-loading questionable apps. As of the moment, buying smartphone anti-virus software isn’t at the same state of “must-have” as computers, but we may be fast approaching that point. If you are careful about the apps you install on your phone, you don’t need it…yet.
Security analysts are uncovering a troubling rise in sophistication and cunning in targeted phishing attempts – also known as “spear phishing” – where attackers are actually adapting their tactics to exploit weaknesses revealed in common business worker behavior. Most obvious and easy to exploit is the fact that many businesses “shut down” on Fridays, and most workers, including corporate IT, disengage from the job and stop reading emails. Attackers savvy to this behavior trend send out the usual phishing emails with URL’s that are actually clean at the time of delivery, allowing them to arrive in user inboxes unmolested by corporate malware detection platforms. The attacker bides his time and waits to compromise the websites that were linked in the phishing emails until the last moment, say early Monday morning, hopefully just before users start to read the email that arrived over the weekend. Because the email managed to make it past corporate filters, the user wrongly assumes it’s safe, clicks the URL and his or her computer is then compromised through the usual malware attacks.
What this means for you:
Phishing emails are becoming increasingly harder to distinguish from the real thing, and it takes a trained eye to spot the best fakes. The most common phishing tactics are to email you about the following:
- Your account has been accessed by a third party
- (Bank Name) Internet Banking Customer Service Message
- Security Measures
- Verify your activity
- Account security Notification
When you receive an email like the above, and it appears to have come from a company or institution with which you work, examine the source of the email carefully to make sure the links actually go where they say they go. (See our previous news item Ransomware Targets Skype Users for more tips on how to tell if an email is legitimate or not.) If there’s any doubt at all, don’t use the links provided, but type them in or use a bookmark you created to ensure you are going to the proper website, or call a known, publicly-available phone number for the company to verify the request with a real human.
Image courtesy of David Castillo Dominici / FreeDigitalPhotos.net
Ars Technica is reporting that there was a significant increase in exploitation attacks over the weekend on a previously unknown vulnerability in Microsoft’s Internet Explorer, including the most recent version, IE9. What’s very unusual is that this vulnerability appears to occur in all major versions of Microsoft’s OS, including Windows XP, Vista and 7, and and uses the Adobe Flash Player plugin to gain a foothold on a user’s computer. This exploit has been able to circumvent most commercial anti-virus and anti-malware programs in use currently.
What this means to you:
On an Apple computer like an iMac or MacBook? Nothing you need to worry about – this exploit only affects Windows-based computers.
For all Windows users: Until Microsoft admits to, and then patches this vulnerability (so far they haven’t responded), and until the major anti-malware manufacturers like McAfee, Symantec, etc. can successfully detect and protect against this exploit, using any version of Internet Explorer will come with increased risk, especially if you surf to unknown or undocumented sites (ie. follow a link sent by a friend or co-worker, without knowing whether the link is legitimate). If it’s possible, I would recommend installing and using Google Chrome or Mozilla Firefox, at least until MS can patch this vulnerability.
At minimum:
- Make sure your computer has a working anti-virus program installed, updated and running.
- Avoid browsing websites with which you are unfamiliar.
- Stay alert for unusual behavior on your computer, such as sluggish performance, unusual pop-up windows and inability to surf to websites, specifically anti-virus websites and the alternate browser sites that I linked above.
Keep in mind, if your computer is managed by an IT department, using a browser other than IE may not be allowed, or, if it is allowed, Chrome and/or Firefox may not work with some of your company’s web applications, as many are designed and tested to work with IE only.