Malware: Help prevent the Infection
Published: March 22, 2005
By Sandi Hardmeier

In the past, new computer users often felt at a disadvantage from the moment that they turned on their new machines. Although antivirus protection was sometimes pre-installed, it was very often out of date. Anti-spyware software was rarely part of a standard computer package. If they were lucky enough to have XP (Gold or Service Pack 1) the internet connection firewall was often turned off by default.
That being said, things are improving. For example, two of the big computer manufacturers, Dell Computers and HP, offer security software such as McAfee Security Center and Norton Internet Security as part of their computer packages. Microsoft also has a new anti-spyware solution, but I’ll discuss that later in the article. For computers with Windows XP Service Pack 2 (SP2) pre-installed the Windows Firewall should already be enabled.
Protective software – such as firewalls, antivirus, security software, and anti-spyware products – is a must-have on all computer systems, for new users and experienced ones alike. That being said, no protective software is perfect, and I have yet to find any product (or combination of products) that protects everybody from every bad thing that could happen.
Prevention is not only installing protective software. It is also modifying our behavior so that we minimize the risk of exposure, and understanding what to do when we are faced with a risky situation. Knowledge is power and the best defense against bad guys who try to take advantage of the inexperience, trust, and innocence of computer users. Therefore, let’s try and pull all these different threads together, and have a look at the most common ways that the bad guys try to get on to your systems, and what to do when they try.
How Are Computers Infected?
Some ways that computers receive potentially unwanted software via the Internet include:
• Drive-by downloads
• Freeware (bundled software)
• File sharing (P2P)
• Pop-up advertisements
Drive-by Downloads
Some Web sites may try to download and install programs onto your computer. Sometimes this is for a legitimate purpose, but if it is unexpected it should be treated with suspicion: the software the site is trying to install could be malware. Once malware is on a computer it can be very hard to remove, so if you have any doubts at all about what is happening, refuse the install. You can always go back and install the software later once you have had a chance to think and do some research.
We can refuse software installations when the Internet Explorer Security Warning dialogue box appears. Note that this is a screen shot of the Windows XP SP2 version of the dialogue window, and that the "Never install software…" option we see below was added with that update.

This is an example of an ActiveX warning in Windows XP SP2.
Older versions of Windows will produce the dialogue box below:

This is an example of an old style Internet Explorer Security Warning.

Tip: You can sometimes learn more about who is trying to install software on your computer, and what it is that they are trying to install, by clicking on the "Name" and "Publisher" hyperlinks.
My personal opinion is that “Always install software…” should be used with caution. “Ask me every time” is the option that I use most often unless I know that the software in question is something that I would never want to be on my machine or the Web site in question repeatedly offers the same software despite my refusal. In such cases “Never install software…” is very useful, stopping the nagging and preventing any other site from offering the same software in the future.
If "Always install software…" has been chosen, and you later change your mind, the decision can be reversed by deleting the Publisher's Security Certificate from the "Trusted Publishers" list, accessed via Tools, Internet Options, Content Tab, Certificates button.

Publisher Certificates can be managed via the Certificates option.
If "Never install software…" has been chosen, and you later wish to install the software, the setting is easily reversed by using Internet Explorer's Manage Add-ons Wizard. Simply highlight the blocked software, and change the setting from Enable to Disable.

Windows XP SP2 makes it very easy to manage installed or blocked ActiveX Controls or browser extensions.
You will see that I have an entry for IE PLUGIN in my blocked list. IE PLUGIN is a classic example of what can go wrong when we install software from the Internet. A comprehensive explanation of exactly what happened when I installed the software can be found on my Web site.
For more information about the Windows XP SP2 Manage Add-ons Wizard and other new security features I recommend that you review Windows XP Service Pack 2: What's New for Internet Explorer and Outlook Express.
Freeware (bundled software)
Although some software developers write and provide for download software purely for the love of coding, others may decide to earn some money from their efforts (which, of course, they are entitled to do). Some will charge for their software, some will set up a voluntary donation facility, some will earn income from advertisements on their Web site, some will offer two versions of their software, a free (limited) version and a pay-for version with more features, and some will decide to earn an income from adware which they bundle with their product. It is the last group that may cause users to receive software that they might not want to have.
When we come across those who choose the bundled adware path, we have to find out if the adware can be easily removed, how trustworthy and family-friendly its advertisements are, and what sort of an effect it will have on our systems. None of us wants adware that cannot be removed, none of us wants our computers to crash or be slowed down by too many pop-up advertisements, and we may not want to see adult advertisements. Some people download software applications that include bundled adware with the intention of removing the adware and keeping the application. It is important to check the application’s EULA (End User License Agreement) before taking this step. Some EULAs specifically forbid the removal of bundled adware.
We should always research a product before installing it on our computers. Even if a Web page attempts to reassure us that a particular product does not include spyware, or that the software in the bundle is perfectly safe, we must still complete independent checks. Sadly, some vendors use a different definition of “safe” than you and I.
Try using a search engine to look for the name of the product together with the word ”spyware” or ”adware”. Read through the results you receive, but don’t take one person’s word for it. Familiarize yourself with the overall perception as revealed by your search. I know that this seems like a lot of effort but believe me, it’s easier than trying to fix things if you get burned.
There are Internet sites, which I have found very useful, run by anti-spyware and Windows specialists that provide information about spyware and related problems, such as www.spywareinfo.com, www.aumha.org, and www.castlecops.com. Thanks to a lot of testing and experience, advisors in these forums are very experienced in spyware, and know where much of it comes from and how to get rid of it. They are more than happy to assist and advise any person who would like advice about what may or may not be safe to install.
P2P (file sharing)
P2P (Peer to Peer) technology is software that allows computers to connect directly to each other for the purpose of sharing and swapping computer files that have been stored in specific directories. Basically, any file that you put in your shared folder can be seen and downloaded by any other person using the same P2P technology, no matter where they are in the world.
Back in January 2004 a security company called TruSecure reported that out of 4,778 files downloaded over a period of one month using a popular P2P program, 45% were infected with malicious code. The malicious software included viruses, password stealers, spam bots, and software designed to allow the theft of personal data and files.
If you use P2P networks, it is important to install antivirus and anti-spyware software, and check for updates daily. Ensure that you have a firewall installed that provides comprehensive information about what is trying to get in (and out) of your network.
Bear in mind that many P2P programs come bundled with adware, and some of them specifically forbid the removal of that adware in their End User License Agreements (EULAs).
Read Those EULAs
EULA stands for "End User License Agreement." Invariably it is necessary to accept the conditions of the EULA before software will install. Unfortunately, many of us do not read these EULAs. They are long, sometimes difficult to understand, and in small print. Despite these difficulties I advise you to always make the effort, because they can be quite revealing about what the software you are going to install will do. Here are two excerpts from EULAs that I have examined recently:
"As part of the installation process, *** will access your Microsoft Outlook(r) contacts list and send an email to persons on your Contacts listing inviting them to download *** or related products…" (In other words, you are giving permission for the software to link itself to your Contacts list and use your computer to send them spam).
"You also grant **** permission to collect and store information of your internet usage habit, including but not limited to information about every web page you view with the full URL, and the content of web page. You understand and accept that URLs and the content of web pages you view may include your personally identifiable information." (In other words, they know where you are going, and what you are doing and what is on the page you are looking at. Do you feel nervous about using online banking under such circumstances? I do.)
Pop-up Advertisements
If you see a pop-up window that says you may be, or have been, infected with spyware, don't believe it. Sadly there are suppliers that encourage the purchase of their products with fright tactics. If a user believes what is said in the pop-up and downloads the offered “free” version of software, a scan may pretend that malware is present on the computer, and an invitation to pay money for a full version of the product to remove that non-existent malware will appear.
Some pop-up windows will offer to download and install software, and offer a “yes” or “no” button to choose from. Do not click on either button. Instead, use the close button in the top right hand corner of the window or, even better, use the ALT + F4 key combination to close the window. This is because I have seen pop-up windows that will trigger an installation of spyware even if you click on a “no” or “cancel” button; often clicking anywhere on the ad will start the installation. I have also seen a pop-up window where the close button [x] was disabled. The only option was to force a shutdown using Task Manager. My personal opinion is that if the advertised software’s owner is going to make avoidance of their software advertisements difficult, I certainly don’t want their wares anywhere near my machine.
Avoid Web sites that are advertised by, or accessed via, pop-up windows. As an example, recently I tested a pop-up window generated by adware that advertised a casino. This window led me to a site that immediately offered free software, and then generated its own pop-up window for another casino site which offered even more free software. The free software offered by both sites was very hard-to-remove malware.
Avoiding the Scary Stuff
Microsoft has put together a Protect Your PC Web site. The information provided for Windows 95, 98, NT, 2000 and ME is quite comprehensive but I will expand on the information provided about Windows XP.
Windows XP includes a firewall, originally called the Internet Connection Firewall (now called the Windows Firewall). Check to make sure that your computer's firewall is turned on, even if you are running Windows XP SP2.
Windows XP (Gold and Service Pack 1)
1. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
2. Right-click the connection on which you would like to enable ICF, and then click Properties.
3. On the Advanced tab, select “Protect my computer or network.”
Windows XP Service Pack 2
1. Click Start and then click Control Panel.
2. Double-click the Security Center icon.
3. Make sure that the Windows Firewall is turned on (and while you're there turn on Automatic Updates and make sure that virus protection is on).
I do not recommend that Windows XP users depend on just the Windows Firewall. If you have a router with a built in firewall, turn on that firewall (consult your router's documentation for information about how to do this). You may also want to install a third-party firewall on your computer(s) (whether or not they are behind a router firewall, and even if you are running Windows XP SP2) because there are viruses and other hostile software that are network aware – they can spread from one computer to another on a network. If you run firewalls on all computers on your network in addition to a router firewall, the risk of an infection on one computer spreading to other systems is reduced.
Many third-party firewalls can be run at the same time as the Windows firewall without any problems, and it is a good idea to do this, if only because the Windows firewall provides a boot time filter, protecting computers during that short period of time between when the network starts and a third-party firewall fires up.
My network as a whole is currently protected by my router’s firewall, and the individual computers are protected by the Windows Firewall and either Kerio Personal Firewall, Sygate, or ZoneAlarm (the one I choose for each computer depends on the expertise of the primary person using the computer).
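As an added example that is not part of the original article, the two checks the article has you make by hand (that the Windows Firewall is on, and what has accumulated in the Trusted Publishers list that “Always install software…” feeds) can be audited from PowerShell on a current Windows version. The cmdlets and Cert: paths assume Windows 8 / Server 2012 or later, since Windows XP had no PowerShell.

```powershell
# Added example, not from the original article: audits the firewall state and the
# Trusted Publishers certificate store that the article tells readers to check.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and PowerShell 5.1+.

function Get-FirewallProfileAudit {
    # One row per profile (Domain, Private, Public). The article's advice is that the
    # built-in firewall stays on even when a router or third-party firewall is present.
    Get-NetFirewallProfile | ForEach-Object {
        $enabled = ($_.Enabled -eq 'True')   # GpoBoolean: True / False / NotConfigured
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = $enabled
            InboundDefault = $_.DefaultInboundAction
            Finding        = if ($enabled) { '' } else { 'Windows Firewall is off for this profile' }
        }
    }
}

function Get-TrustedPublisherAudit {
    # Every certificate here lets that publisher's signed code install without the
    # ActiveX prompt. Review each entry; an unrecognised one can be removed with
    # Remove-Item on its Cert: path (GUI route: Internet Options > Content > Certificates).
    Get-ChildItem Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Store';   e = { $_.PSParentPath -replace '^.*::' } },
                      Subject,
                      Thumbprint,
                      @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } }
}

$fw = Get-FirewallProfileAudit
$fw | Format-Table -AutoSize
if ($fw | Where-Object { $_.Finding }) {
    Write-Warning 'At least one firewall profile is disabled. Re-enable with: Set-NetFirewallProfile -All -Enabled True'
}
Get-TrustedPublisherAudit | Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine store is readable; an empty Trusted Publishers table is the normal state on a machine where nobody has chosen “Always install software…”.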
Anti-spyware Products
As much as I would like to see specialized anti-spyware software included as standard for all systems, for the time being we sometimes have to find and install this stuff ourselves.
The Spyware Warrior Web site hosts a comparison of anti-spyware products. One of them, Microsoft Windows AntiSpyware (Beta), was recently released by Microsoft. This software proved to be very useful during recent tests against spyware that kept on trying to reinstall after removal. If you are more experienced, and feel confident installing a beta product, you may like to give this a go. Make sure you read all the information before downloading and installing.
I should point out that Microsoft Windows AntiSpyware (Beta) is pre-release (beta) software that is offered to Windows users for feedback and testing purposes. Microsoft does not provide technical support for beta releases, although they have set up a newsgroup forum to help users of the beta get answers to their questions. If you decide to try out Windows AntiSpyware (Beta) and it causes an issue with your system, Microsoft recommends removing it by using Add or Remove Programs through the Control Panel and even using System Restore if the problem persists. As is the case for all betas, if you are not willing to risk problems (up to and including a need to reformat your computer’s hard drive and start afresh) you should not install the software.
The Final Word
Remember, prevention is always better than cure. Be cautious and be careful.
Although there are programmers who code and release software for the love of it, there are those who need (and deserve) to earn an income from their endeavors. That being said, there are many different ways to earn an income from software. Is the free software you have installed worth a blizzard of pop-up advertisements, extra toolbars, or a reduction in privacy or a loss of choice of home page or search engine? Be careful about who you support financially and how you support them. Who we support, and more importantly what we support in terms of income producing behavior, can send a very powerful message. Remember, there are adware companies that have changed the way they do business because of negative feedback.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.