Spyware, Malware, and Viruses

Anthony Bosnak

Department of Computer Science & Software Engineering

University of Wisconsin – Platteville

bosnaka@uwplatt.edu

Abstract

Internet security has become a prominent topic as more and more of daily life relies on the Internet. Security practitioners struggle every day with malicious code that can be encountered almost anywhere online. This paper describes some of the most common kinds of malicious code, explains how antivirus programs detect them, and concludes with some current issues and threats in the cyber world.



Introduction

The Internet can be a dangerous place. Everyone who uses it shares information with users they do not personally know on the World Wide Web. Malware is dangerous if users do not learn to protect themselves from people who intend to take information from right under their noses. The Office of Management and Budget reported 12,986 cyber incidents in federal United States agencies in 2007, an increase over the prior year [1]. This paper describes the different types of malware and how they get onto a computer. It also explains how antivirus programs work and the future threats the world faces in cyberspace.



Definition of Malware

Most people who experience problems with a computer say they have a virus. That may be true, but a virus is only one subgroup of the larger category of malware. Malware is short for "malicious software": any kind of unwanted software that is installed without the user's consent [2]. This includes viruses, worms, Trojan horses, bombs, spyware, adware, and many more.



Viruses

A computer virus infects a carrier (a program or document on the computer) and then relies on that carrier being used to spread the virus further. A computer virus is a program that can replicate itself and spread from one computer to another [3]. There are several strategies a virus can use to infect a computer. With direct infection, the virus infects other files only when the user opens the specific infected program, document, or file; if the user never opens the source, the virus does not spread. Fast infection is when the virus infects every file that is accessed by the infected program. Slow infection is when the virus infects only files that are newly created or modified anyway. This is a good way to fool an antivirus program, because the changes blend in with the user's normal renaming and editing of files, so an integrity checker sees nothing unusual. Sparse infection infects only occasionally, for example every nth file or at random; this slows the spread but makes the virus harder to notice. Finally, another common strategy is RAM-resident (memory-resident) infection: the virus buries itself in the computer's random access memory and then, each time the user runs a program or inserts a flash drive or CD, it infects that program or medium.



Bombs

ANSI-Bombs

Computer bombs go back to the text-based MS-DOS days. ANSI bombs were a comical malware going around at the time. They abused ANSI.SYS, the device driver that interprets escape sequences to display colors and graphics on the console. One feature of ANSI.SYS is keyboard macros, and the bomb misused them by remapping common keys the user would press. For example, a bomb could remap the 'e' key to delete a file every time the key is pressed. The writer could compose the escape sequences in any text editor, and the bomb was typically hidden in a text or batch file that, when displayed or run in MS-DOS with ANSI.SYS loaded, silently applied the remapping. An example of this code is:



ESC[99;"format c:";13p

ESC[67;"format c:";13p

These sequences remap c (ASCII 99) and C (ASCII 67) so that each press sends "format c:" followed by a carriage return (code 13), which tries to reformat the hard drive. The only snag for the attacker is that the computer asks, "Do you really want to reformat drive C: (Y/N)?" and most users press N or n for No. So the hacker also remaps the N and n keys:

ESC[110;121;13p

ESC[78;89;13p

Now when the user presses n (ASCII 110) the keyboard actually sends y (121), and N (78) sends Y (89), each followed by a carriage return, so the confirmation prompt is answered for them.



Figure 1: Code Example for ANSI Bomb [4]
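The defensive counterpart to Figure 1, as an added example written for this page and not taken from the paper or from [4], is a scanner that finds ANSI.SYS key reassignments in a text file before it is displayed. Colour and cursor sequences end in letters such as 'm' or 'H'; only a sequence ending in 'p' redefines a key, and its parameters are ASCII codes or quoted strings separated by semicolons. The sample "BBS welcome screen", the list of destructive command words, and the function names are all constructed for the example.

```python
import re

ESC = "\x1b"  # the escape character ANSI.SYS looks for

# ANSI.SYS keyboard reassignment:  ESC [ p1 ; p2 ; ... p
# p1 is the key being redefined; the remaining parameters are what the key
# will send.  Each parameter is a decimal ASCII code or a "quoted string".
_REMAP_RE = re.compile(r'\x1b\[\s*((?:\d+|"[^"]*")(?:\s*;\s*(?:\d+|"[^"]*"))*)\s*p')
_PARAM_RE = re.compile(r'\d+|"[^"]*"')

# Words that turn a key remap from a prank into data loss (constructed list).
DESTRUCTIVE = ("format", "del ", "deltree", "erase")


def build_remap(key, replacement, press_enter=True):
    """Construct the sequence an attacker would embed for one key.

    A trailing carriage return (13) makes DOS run the injected text as soon
    as the key is pressed, exactly as in the paper's example.
    """
    params = [str(ord(key)), '"%s"' % replacement]
    if press_enter:
        params.append("13")
    return ESC + "[" + ";".join(params) + "p"


def _decode(param):
    """Turn one parameter back into the text it would inject."""
    if param.startswith('"'):
        return param[1:-1]
    return chr(int(param))


def find_key_remaps(text):
    """Return (key, injected_text) for every key reassignment in `text`."""
    hits = []
    for match in _REMAP_RE.finditer(text):
        params = _PARAM_RE.findall(match.group(1))
        if len(params) < 2:      # ESC[<code>p alone restores the key
            continue
        key = _decode(params[0])
        injected = "".join(_decode(p) for p in params[1:])
        hits.append((key, injected))
    return hits


def destructive_remaps(text):
    """Subset of remaps whose injected text contains a destructive command."""
    return [(key, injected) for key, injected in find_key_remaps(text)
            if any(word in injected.lower() for word in DESTRUCTIVE)]


# Constructed sample: a welcome screen mixing a harmless colour sequence with
# the four remaps from Figure 1.
SAMPLE = (
    "Welcome!\n"
    + ESC + "[1;31m" + "*** NEWS ***" + ESC + "[0m\n"
    + build_remap("c", "format c:")
    + build_remap("C", "format c:")
    + ESC + "[110;121;13p"      # n -> y + Enter
    + ESC + "[78;89;13p"        # N -> Y + Enter
)

if __name__ == "__main__":
    for key, injected in find_key_remaps(SAMPLE):
        print("key %r now sends %r" % (key, injected))
```

Run against a file, the scanner reports every key that would be redefined and the text it would inject; the colour banner produces no hit because it does not end in 'p'. Stripping or refusing to display any file that contains a remap is the practical mitigation, since a user has no way to see the sequence once ANSI.SYS has consumed it.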

Logic Bombs

A logic bomb is program code designed to execute, or "explode", when a certain condition is met. It may be planted on a computer and timed to go off after a set period has elapsed or when some program fails to execute. The bomb waits for its trigger event before it detonates. Once it goes off it might print messages to the user, or corrupt, delete, or change data [5]. The most common setting for this type of malware is the financial and business world. IT staff call it the "disgruntled employee syndrome" because it is usually planted by an insider who targets specific networks or computers, which makes it hard for an outsider to implement this trigger-based malware [6].



Trojans

A Trojan horse is simply a program designed to look like a useful, legitimate file. Once the program is installed and opened it steals information or deletes data. What is unique about a Trojan horse compared to other types of malware is that it usually only runs once and is then done [4]. A Trojan horse is very reliant on the user: if the user never downloads or opens the file, it never becomes a threat. A Trojan horse can also create a back door inside the computer that lets the hacker reach it again over the network. This is the most common outcome today, and it allows hackers to chain compromised machines together into what are called "zombie computers." They use these zombie computers to send spam email, launch denial-of-service attacks, spread viruses, or steal the user's personal information. Another common way of distributing a Trojan horse is by infecting a server that hosts a website, so that every user who visits the site is infected. This is harder to do, since compromising the right server and then the right visiting computer is a matter of chance [4].



Worms

The terms worm and virus are commonly used interchangeably by the media, but a worm is more dangerous than a virus. While a virus is usually spread by user action, a worm is self-propagating: it does not need anything to start itself up. A worm is designed to replicate itself and spread through the user's network. There are several ways a worm can reach a user's computer over the Internet, such as through email or through open network ports.

Email Worms

An email worm sends a copy of itself, as an attachment, to every contact in the user's address book. Most people will open email from users they know and open the attachment, which repeats the whole process again [4].



Internet Worms

An Internet worm is designed to be inconspicuous so the user is unaware it is trying to compromise their computer. The worm scans for open network ports that expose a service it can use to copy itself onto the computer. Once inside, the worm then scans the Internet for more computers to infect [4].
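The scanning behaviour described above is also what gives an Internet worm away on the network. The following detector, an added example written for this page and not from the paper, reads a constructed connection log and flags any source that reaches many distinct hosts on the same port within a short window with mostly failed connections, which is the fan-out pattern of a worm probing for a vulnerable service. The log format, the addresses, the window length and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log: "timestamp src_ip dst_ip dst_port outcome".
# 10.0.0.7 behaves like a scanning worm (many targets on port 445, mostly
# refused); 10.0.0.3 is an ordinary client talking to two web servers.
SAMPLE_LOG = """\
2011-10-30T10:00:01 10.0.0.3 10.0.0.50 443 SYN_ACK
2011-10-30T10:00:02 10.0.0.3 10.0.0.50 443 SYN_ACK
2011-10-30T10:00:03 10.0.0.7 10.0.0.11 445 RST
2011-10-30T10:00:03 10.0.0.7 10.0.0.12 445 RST
2011-10-30T10:00:03 10.0.0.7 10.0.0.13 445 SYN_ACK
2011-10-30T10:00:04 10.0.0.7 10.0.0.14 445 RST
2011-10-30T10:00:04 10.0.0.7 10.0.0.15 445 RST
2011-10-30T10:00:04 10.0.0.7 10.0.0.16 445 RST
2011-10-30T10:00:05 10.0.0.7 10.0.0.17 445 RST
2011-10-30T10:00:05 10.0.0.7 10.0.0.18 445 RST
2011-10-30T10:00:05 10.0.0.7 10.0.0.19 445 RST
2011-10-30T10:00:06 10.0.0.7 10.0.0.20 445 RST
2011-10-30T10:00:07 10.0.0.7 10.0.0.21 445 RST
2011-10-30T10:00:09 10.0.0.3 10.0.0.51 443 SYN_ACK
2011-10-30T10:05:00 10.0.0.7 10.0.0.22 445 RST
"""


def parse(log):
    """Parse the log into (timestamp, src, dst, port, outcome) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                       src, dst, int(port), outcome))
    return events


def find_scanners(events, window=timedelta(seconds=60),
                  min_targets=8, min_fail_ratio=0.5):
    """Return {(src, port): (distinct_targets, fail_ratio)} for fan-out sources.

    A sliding window is moved over each source/port pair's attempts; the
    pair is reported with the largest target count seen in any window that
    also had a high share of failed (non-SYN_ACK) connections.
    """
    by_key = defaultdict(list)
    for ts, src, dst, port, outcome in sorted(events):
        by_key[(src, port)].append((ts, dst, outcome))

    alerts = {}
    for key, conns in by_key.items():
        start = 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:
                start += 1
            in_window = conns[start:end + 1]
            targets = {dst for _, dst, _ in in_window}
            fails = sum(1 for _, _, outcome in in_window if outcome != "SYN_ACK")
            ratio = fails / len(in_window)
            if len(targets) >= min_targets and ratio >= min_fail_ratio:
                best = alerts.get(key)
                if best is None or len(targets) > best[0]:
                    alerts[key] = (len(targets), round(ratio, 2))
    return alerts


if __name__ == "__main__":
    for (src, port), (targets, ratio) in find_scanners(parse(SAMPLE_LOG)).items():
        print("%s -> %d hosts on port %d, %.0f%% failed" % (src, targets, port, ratio * 100))
```

Requiring both a high fan-out and a high failure ratio is what keeps a busy but legitimate client (a mail relay, a monitoring host) off the list: it talks to many hosts, but its connections succeed. The final 10.0.0.7 entry five minutes later falls outside the window on its own and is correctly not counted.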



Adware and Spyware

Adware is a type of malware that can be harmless or harmful depending on how it is implemented. Its object is to display advertisements in the user's software. The program usually gathers information about what the user does on the World Wide Web and then displays ads that correspond to the gathered information. Spyware, on the other hand, monitors what the user is doing and reports it, and often also displays ads, mostly in pop-up windows. Spyware typically runs in the background and consumes memory and processing time, which can slow other programs down, make them unresponsive, or cause them to crash. Unlike adware, spyware can be very hard to remove because it burrows into critical parts of the operating system [4].



How an Antivirus Program Works

An antivirus program is used to detect malware that is trying to enter the user's system. There are many ways an antivirus program can keep watch: signature-based detection, heuristics, cloud antivirus, a network firewall, or online scanning. Most antivirus programs treat all categories of malware together, which is why security companies package their antivirus software as Internet security suites. These suites aim to protect the computer from everything a user could come across on the Internet [7].



Signature-Based Detection

Signature-based detection is the most common way an antivirus program finds malware on a user's computer. The software keeps a database of virus signatures, which it uses to scan the drives on the computer. When the program finds a matching signature it quarantines the file, and the user can then delete it. A signature-based antivirus program is only effective if it is constantly updated with new signatures; if the database is out of date, a newer virus will go undetected. Even an up-to-date database is not foolproof, since a modified variant can slip past a signature written for the original, but it will protect the user from the viruses that are in circulation at the time [4].
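To make the strengths and the limits of signature matching concrete, here is an added example (written for this page, not code from the paper or from any antivirus product). It scans a constructed set of files against two kinds of signatures, whole-file hashes and byte patterns, using the industry-standard EICAR test string as the "virus". The signature names, the Demo.Dropper pattern and the file paths are constructed for the example.

```python
import hashlib

# The EICAR test file: a harmless 68-byte string that every scanner is
# expected to detect, so it is safe to embed here as sample "malware".
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Signature database, constructed for this example.  Real products ship
# millions of entries and use faster multi-pattern matchers, but the two
# kinds of signature are the same: exact file hashes and byte patterns.
HASH_SIGNATURES = {
    sha256(EICAR): "EICAR-Test-File (exact hash)",
}
PATTERN_SIGNATURES = [
    (b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!", "EICAR-Test-File (pattern)"),
    (b"DEMO-DROPPER-v1", "Demo.Dropper (constructed pattern)"),
]


def scan(data):
    """Return the names of every signature that matches `data`."""
    hits = []
    name = HASH_SIGNATURES.get(sha256(data))
    if name:
        hits.append(name)
    for pattern, name in PATTERN_SIGNATURES:
        if pattern in data:
            hits.append(name)
    return hits


def scan_tree(files):
    """files: {path: bytes}.  Return {path: hits} for the infected entries only."""
    report = {}
    for path, data in files.items():
        hits = scan(data)
        if hits:
            report[path] = hits
    return report


# Constructed "drive": a clean document, the EICAR file, a variant with one
# byte changed (the trailing '*' became '#'), and a variant whose author also
# rewrote the text that the pattern signature keys on.
SAMPLE_FILES = {
    "C:/docs/report.txt": b"Quarterly figures, nothing to see here.",
    "C:/downloads/eicar.com": EICAR,
    "C:/downloads/eicar-mutated.com": EICAR[:-1] + b"#",
    "C:/downloads/eicar-rewritten.com": EICAR.replace(b"ANTIVIRUS", b"ANTI-VIRUS"),
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_FILES).items():
        print(path, "->", ", ".join(hits))
```

The three EICAR variants show the escalation the paragraph describes: the original matches both signatures, the one-byte mutation defeats the hash but not the byte pattern, and the rewritten copy defeats both until the vendor ships a new signature for it. That last case is exactly the window during which a signature-only scanner offers no protection.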



Heuristics

Heuristics is another way of detecting viruses trying to enter the computer. Instead of looking for known signatures, this form of detection monitors files and watches how programs try to modify files in the system. When a program behaves the way a virus would, for example by trying to modify another executable, the antivirus program alerts the user and tries to isolate the source of the problem [4].
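A behavioural heuristic of the kind described above can be sketched as a small scoring engine. The following is an added example written for this page, not the paper's or any vendor's logic: it reads a constructed trace of monitored actions (file writes, registry changes, service stops) and gives each process a score from weighted rules, flagging it when the total passes a threshold. The rules, weights, threshold and the sample processes are all assumptions made for the example.

```python
from collections import defaultdict

# Behaviours the monitor watches for and their weights (constructed values).
RULES = {
    "write_executable":  (3, "modified an existing executable"),
    "self_copy_startup": (4, "placed an executable in a startup folder"),
    "autorun_registry":  (4, "added a Run-key autostart entry"),
    "disable_av":        (5, "stopped a security service"),
    "mass_file_modify":  (3, "rewrote many user documents in one session"),
}
ALERT_THRESHOLD = 6        # total weight at which a process is flagged
MASS_MODIFY_FILES = 5      # distinct documents that count as mass modification

EXECUTABLE_EXT = (".exe", ".dll", ".com", ".scr")
STARTUP_DIRS = ("/start menu/programs/startup/",)
SECURITY_SERVICES = ("defend", "antivirus", "firewall")


def classify(event, docs_touched):
    """Map one monitored action to the rule it triggers, or None."""
    pid, _name, action, target = event
    t = target.lower()
    if action == "service_stop" and any(s in t for s in SECURITY_SERVICES):
        return "disable_av"
    if action == "reg_set" and "/currentversion/run/" in t:
        return "autorun_registry"
    if action == "create" and t.endswith(EXECUTABLE_EXT) and any(d in t for d in STARTUP_DIRS):
        return "self_copy_startup"
    if action == "write" and t.endswith(EXECUTABLE_EXT):
        return "write_executable"
    if action == "write":
        docs_touched[pid].add(t)
        if len(docs_touched[pid]) >= MASS_MODIFY_FILES:
            return "mass_file_modify"
    return None


def score_processes(events):
    """Return {pid: (name, score, flagged, [rules])} for every process seen."""
    triggered = defaultdict(set)
    docs_touched = defaultdict(set)
    names = {}
    for event in events:
        names[event[0]] = event[1]
        rule = classify(event, docs_touched)
        if rule:
            triggered[event[0]].add(rule)   # each rule counts once per process
    results = {}
    for pid, name in names.items():
        rules = sorted(triggered[pid])
        score = sum(RULES[r][0] for r in rules)
        results[pid] = (name, score, score >= ALERT_THRESHOLD, rules)
    return results


def flagged_processes(events):
    """Names of the processes whose score reached the alert threshold."""
    return [name for name, score, flagged, _ in score_processes(events).values() if flagged]


# Constructed trace: (pid, process name, action, target).
SAMPLE_EVENTS = [
    (101, "notepad.exe", "write", "C:/Users/amy/Documents/notes.txt"),
    (101, "notepad.exe", "write", "C:/Users/amy/Documents/notes.txt"),
    (202, "setup_update.exe", "write", "C:/Windows/System32/winlogon.exe"),
    (202, "setup_update.exe", "create", "C:/Users/amy/Start Menu/Programs/Startup/update.exe"),
    (202, "setup_update.exe", "reg_set", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/update"),
    (303, "installer.exe", "write", "C:/Program Files/Tool/tool.exe"),
    (303, "installer.exe", "write", "C:/Program Files/Tool/helper.dll"),
    (404, "photo_viewer.exe", "service_stop", "WinDefend"),
    (404, "photo_viewer.exe", "write", "C:/Users/amy/Documents/a.doc"),
    (404, "photo_viewer.exe", "write", "C:/Users/amy/Documents/b.doc"),
    (404, "photo_viewer.exe", "write", "C:/Users/amy/Documents/c.doc"),
    (404, "photo_viewer.exe", "write", "C:/Users/amy/Documents/d.doc"),
    (404, "photo_viewer.exe", "write", "C:/Users/amy/Documents/e.doc"),
]

if __name__ == "__main__":
    for pid, (name, score, flagged, rules) in score_processes(SAMPLE_EVENTS).items():
        print("%-18s score=%2d %s %s" % (name, score, "ALERT" if flagged else "ok", rules))
```

Counting each rule only once per process is deliberate: installer.exe writes two executables, which is normal for an installer, and stays below the threshold, whereas setup_update.exe combines an executable overwrite with two persistence techniques and photo_viewer.exe stops a security service before rewriting documents. Weighing combinations of behaviours rather than any single action is what lets a heuristic engine catch malware it has no signature for without alerting on every legitimate install.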



Cloud Antivirus

Cloud antivirus is a newer form of antivirus program in which much of the analysis is done from a remote location, such as the vendor's servers, rather than on the user's own computer. This relieves the computer in the user's home: the scan can run constantly because it puts little strain on the local processor. Some users have privacy concerns with scanning this way, because information about the files on the user's hard drive (typically hashes or other fingerprints, and in some cases suspicious files themselves) is sent across the Internet to the vendor's servers. If that data were exposed it could end up in the hands of attackers, so the user must rely entirely on the company's handling of security [8].



Network Firewall

A network firewall is the operating system's way of protecting the user from unknown programs and unsolicited connections. Firewalls are technically not antivirus programs at all, since they never tamper with, remove, or identify any malware trying to enter the system. Instead, a firewall monitors the TCP/IP ports that programs try to use and blocks connections that are not permitted by its rules [9].



Our Future Threats

Internet safety is a big issue for everyone. Almost every aspect of life is connected to the Internet in some form. A single attacker who gained access to the high-security organizations, infrastructure, or mainframes that people work hard to protect could cause enormous damage; one click of the mouse could, in the worst case, set off a cyberspace World War III. Recent events have raised security questions about many Internet-connected infrastructures. Is the world really protected from criminals who would try to harm the world we live in?



Threats on Cyberspace

The attacks on Estonia in 2007 were among the first widely noticed and broadcast cyber attacks in the world, partly because Estonia is one of the most wired countries in Europe. The websites of the Estonian parliament, banks, ministries, newspapers, and other organizations were flooded with denial-of-service traffic, leaving much of the general public stranded without web services. The heavy shock was due to the sophistication of the attacks on the government, which led experts to agree that major developments in security for critical infrastructure are needed [10].



Is the United States Under Attack?

Table 1 lists the ten countries whose users were hit hardest by malicious code in Kaspersky Lab's statistics for August 2011, measured as the percentage of users attacked through the web antivirus component. The United States is not in the top ten, but that does not mean the United States is not hit hard by the everyday malware floating around [11].



Table 1: Top 10 Countries with the Highest Percentage of Attacks against User Computers (Web Antivirus), August 2011 [11]

Rank  Country             Users attacked
  1   Russia              35.82%
  2   Oman                32.67%
  3   Armenia             31.16%
  4   Belarus             31.05%
  5   Iraq                30.37%
  6   Azerbaijan          29.97%
  7   Kazakhstan          28.31%
  8   Ukraine             27.57%
  9   Republic of Korea   27.23%
 10   Sudan               26.01%

Current Issues

The Stuxnet worm that hit Iran's nuclear facilities was a big scare for the world. An attacker having control over something so sensitive could cause havoc. If an attacker can get into a secure infrastructure, could he or she launch a nuclear attack without knowing what it would do to the world? Only time will tell whether this could happen in today's society.



Cloud Computing

The cyber world can be a dangerous place nowadays because of the recent increase in cloud computing. With cloud computing, everything is done over Internet protocols, and the user has to trust that those protocols and the provider are secure. Who is to say someone could not intercept the stream when files, data, or anything else are transferred over the network? Hackers have been an issue since the invention of the Internet. Only time will tell whether they will play a big part in deciding what is to come. If people do not realize how much of a threat malicious code can be, the Internet will soon become such an insecure place that no one will rely on it as much as society does now.



Protection Needed

Everyone asks how he or she can be protected from the malicious code they may come in contact with on the Internet. One simple solution is to install an Internet security package and keep it as up to date as possible. Users have to remember that these packages only protect them from known malicious code; new malware will most likely go undetected by the package, so this should not be the only method a user relies on [4].



The Operating System’s Security

Another way to protect yourself is to keep your operating system up to date. Microsoft Windows is one of the most widely attacked operating systems on the market, in part because it is one of the most widely used. Microsoft tries to keep up with the security patches it releases, but just like antivirus vendors it cannot fix a new vulnerability until it has been discovered and reported to the company.



Become An Informed User!

Another way users can protect themselves from malicious code is to be aware of what they are doing on the Internet. The user should stay away from pop-up ads, spam email, and other suspicious links. As long as the user stays involved and up to date with current trends on the Internet, the user should be a little better protected on the World Wide Web.



Conclusion

The Internet can be a scary place for users who do not take the time to protect themselves. There will always be someone out there trying to deceive people into thinking the World Wide Web is a safe place, and there will always be malicious code looking for someone or something to take control of if it is not properly secured. Malware is continually being created in one form or another and will always be on the Internet causing havoc to unprotected users.







References

[1] Fowler, Daniel. (2008). Importance of Cybersecurity Increases as Attacks Get More Dangerous. In Richard Joseph Stein (Ed.), Internet Safety (pp. 5-7). New York, NY: H.W. Wilson Company.

[2] What is Malware? (n.d.). In Microsoft Safety & Security Center. Retrieved from http://www.microsoft.com/security/resources/malware-whatis.aspx

[3] Computer Virus. (n.d.). Retrieved October 30, 2011 from Wikipedia: http://www.en.wikipedia.org/wiki/Computer_virus

[4] Wang, Wallace. (2006). Steal This Computer Book 4.0: What They Won't Tell You About the Internet. San Francisco, CA: No Starch Press.

[5] Logic Bomb (slag code). (2002). Retrieved October 30, 2011 from http://searchsecurity.techtarget.com/definition/logic-bomb

[6] Layton, Julia. (n.d.). How Does a Logic Bomb Work? Retrieved from http://www.computer.howstuffworks.com/logic-bomb.htm

[7] Viega, John. (2009). The Myths of Security: What the Computer Security Industry Doesn't Want You to Know. Sebastopol, CA: O'Reilly Media, Inc.

[8] Panda Cloud Antivirus. (n.d.). Retrieved October 29, 2011 from Wikipedia: http://www.en.wikipedia.org/wiki/Panda_Cloud_Antivirus

[9] Firewall: Frequently Asked Questions. (2011). Retrieved October 28, 2011 from http://www.windows.microsoft.com/en-us/windows7/Firewall-frequently-asked-questions

[10] Newly Nasty. (2007). In Richard Joseph Stein (Ed.), Internet Safety (pp. 8-10). New York, NY: H.W. Wilson Company.

[11] Monthly Malware Statistics: August 2011. (2011). Retrieved October 30, 2011 from Kaspersky Lab: http://www.securelist.com/en/analysis/204792190/Monthly_Malware_Statistics_August_2011
