Protecting Your Computer From Viruses and Trojans v1.0
By Rich Christie <rrchristie@clarityconnect.com>
Introduction
After being hit by quite a few viruses myself and a bombardment of
trojan horses on The Internet, I decided that a paper like this must be
written. A paper directed at the general user. Not a paper "..for Dummies"
or "An Idiot's Guide to..", but rather a paper designed to bring this information
to the masses in a simple, non-technical and no-nonsense approach.
Trojan Horses
Trojan horses, or simply trojans, are programs that you think do one
thing, and they might actually perform that function, but they also do
something additional that you aren't aware of. For example, someone could
write a program and disguise it as a game, and in fact it is a game. However,
while you were playing the game, your files would be uploaded to The Internet.
Windows-based trojans are getting more and more common, especially the 'remote administration tools' using a client/server architecture. That may sound fancy, but it really isn't. Let's look at it by using a very popular example. Netbus is a trojan just as I described, and here is how it works:
Someone with intentions to use this program would download the client and the server programs, as they work together. He would then give out the server to whomever he wishes to do this to. This 'server' would go on the victim's computer, perhaps disguised as something else, and it gives the person who wishes to gain access to the system a way of doing so. The application must be executed in order for it to work. Then, the cyberpunk will use the 'client' to access the system of the victim; that is, the client will interact with the server, and the victim doesn't know what is happening. Let's look at a case scenario to give you a better understanding of how this works:
John Doe acquires Netbus, and sends the server (by default it is called patch.exe) to Jane Doe. He decides he will be tricky and pretend it is a picture of himself, and renames it to picture.exe. He knows that Jane Doe is not familiar with file extensions, and she will not know that .exe indicates that it is an executable file and in fact not a picture. He sends it to her through ICQ, telling her it is his picture. She accepts it and opens it, which activates the server. John Doe obtains her IP address (an easy thing to do, especially with ICQ) and types it into his Netbus client. Now, he can do a variety of things to her including, but not limited to:
Open/Close her CD-ROM
Swap her mouse buttons (left button begins to act like the right button,
and vice versa)
Run programs
Send messages to her screen
Capture and retrieve a screen shot of her screen
Play sounds
Record sounds (if her mic is on, it will pick up sounds in the room)
See what windows she has open (as well as close any of them)
Exit Windows
Move her mouse (that is kind of a funny one if done with class..)
See what she is typing (can be dangerous if you type in a password
or confidential information)
Send her to any URL
Read, Delete, and Download her files from any of her drives. He can
even upload files to her system.
That is not everything either; there are many other features not listed, and if John Doe was creative enough, he could really do a lot. Basically, the person in John Doe's position has complete control over the 'infected' system.
The sad but true aspect of this is that it is extremely common. I'd estimate that an average of 3-5 people a week try and send this to me through ICQ. Obviously, I know how to handle it but what about those people that do not? Most people I know are not even aware of this, let alone how to handle it.
Luckily, there is some hope. There is software available to help combat against this and there is a growing trend of informed users, which this paper hopes to increase. Follow these simple tips and you should be safe:
Don't accept executable files, and if for some reason one gets onto your system, do not execute it. (I've seen people try to be clever by putting it in a zip file.) This especially holds true for people you don't even know. I've seen countless attempts to send me this trojan by Random Chat users on ICQ who send me a message out of nowhere saying "WOULD YOU LIKE A PIC?" or "WOULD YOU LIKE A GAME?", or something similar. Be extremely wary of these, er..people. Remember that even though the default name for the Netbus server is patch.exe, it could be renamed to anything with a .exe at the end of it. And Netbus is not the only trojan, as I'll get into later.
Get Netbuster (or any one of the other anti-Netbus applications, but I suggest Netbuster because I've personally used it and it has proven faithful). Netbuster is an application that, in layman's terms, gets the person trying the Netbus attack on you "by the balls". It runs quietly in the background, and requires no attention from you after you set it up (which is very simple). First, it alerts you that someone has connected by playing a .wav sound, and a box pops up. It logs the attacker's IP address, which is vital in tracing them (we'll get to that). Along with the IP address, it also records the time, date, and what they were trying to do (for example, if they tried to disable some keys on your keyboard, it would tell you so). All the while, they would actually think they were connected. They will go on freely doing everything as they wish, not knowing they aren't really doing anything and are being logged. If you want, Netbuster will even give you the choice of sending THEM a message, which can be quite handy. I always like to scare them a little (use your imagination). Netbuster has many other features, so I suggest you download it as well as read more about Netbus at the Netbus Homepage: http://www.netbus.com.
Once you get their IP, you can easily trace them (unless they are really slick, which, if they are trying this attack, chances are they are not). You may not know how, but it is quite easy. Their IP address is similar to a unique ID, but most IPs are dynamic, meaning they change every time you connect. But if you can get this IP, you'll have an idea of where they are coming from. The IP will be in what is known as dotted quad notation, and look like this: 127.0.0.1. It won't be (or shouldn't be!) that address, as that is the network loopback address, but it will be similar in style, perhaps something like 209.150.250.64 or whatever. You or someone more familiar with this can then run this IP through the Domain Name System (DNS). It should give you a host name, like ppp-0069.lame.attacker.com or something similar. You then do a WHOIS on attacker.com, and you will find information on who that domain is registered to, the location, and who to contact with any problems. You then send them an e-mail with your complaint about the user trying this on you (especially if it was intended to be malicious, such as 'Exit Windows') and send them a copy of your proof (that log with their IP in it, etc.).
The tools to perform these operations are freely available in programs such as Netlab (as well as many others). You can find them on most any download site in the Networking section (try http://www.download.com).
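As an added illustration of the tracing steps above (this is example code, not part of the original paper or any of the tools it names), here is a small Python helper that takes a constructed connection log, throws out addresses that could never belong to an outside attacker (loopback, private ranges, malformed values), picks the domain to WHOIS from a reverse-DNS name, and groups the dated evidence per IP for the complaint e-mail. The log layout is assumed; the page does not show Netbuster's real format.

```python
import ipaddress
import socket

# Constructed sample log (the real Netbuster log format is not shown on the
# page; this layout is assumed): "<date> <time> <ip> <what they tried>"
SAMPLE_LOG = """\
1998-11-02 21:14:05 209.150.250.64 disable keys
1998-11-02 21:14:09 209.150.250.64 exit windows
1998-11-02 21:20:33 127.0.0.1 open cd-rom
1998-11-03 08:02:17 192.168.1.7 send message
"""

def parse_log(text):
    """Split each log line into (date, time, ip, action); skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            events.append(tuple(parts))
    return events

def is_traceable(ip):
    """Only a public address can point at an outside attacker. Loopback
    (127.0.0.1), private (192.168.x.x) and malformed values are rejected."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def whois_target(hostname):
    """From a reverse-DNS name such as ppp-0069.lame.attacker.com, take the
    last two labels (attacker.com) as the domain to look up with WHOIS."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname

def reverse_lookup(ip):
    """PTR lookup via the system resolver; None when offline or unresolvable."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def build_report(text):
    """Group the traceable events by attacker IP: one complaint per IP, each
    carrying the dated evidence lines the WHOIS contact will want to see."""
    report = {}
    for date, time, ip, action in parse_log(text):
        if is_traceable(ip):
            report.setdefault(ip, []).append(f"{date} {time}: {action}")
    return report
```

Run `build_report(SAMPLE_LOG)` to see the evidence grouped per public IP, then `reverse_lookup()` and `whois_target()` on each IP when you are online.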
This all may seem a bit much for something like this, but if they were intending to do harm to your system, that is bad enough, but what about everyone else they try it on? You could stop others from getting their computer damaged. If you have any more questions or problems on Netbus, e-mail me or send me a message via ICQ (5807288).
I've personally done this method many times, and it seems to have worked quite well. I've gotten messages back from the contacts I got through the WHOIS search stating that they were sorry, it would not happen again, et cetera.
As stated before, Netbus is far from the only trojan. Netbus is often called a rip-off of Back Orifice. Back Orifice (BO) is a program that does the same thing, and was developed by the Cult of the Dead Cow. However, since it takes much more knowledge and you can't be quite the dunce that Netbus allows you to be, it is a little less common.
Not all trojans are 'remote administration' type or 'client/server' type either. I've seen trojans that claim to be games, word processors, system utilities, etc. Any program could contain a trojan, which is why downloading is very risky (see below for downloading and virus information). Ideally, speaking from an anti-trojan perspective, you would never download anything and always purchase software on disks from reputable vendors, but that is certainly not always the case.
If more than one person uses your system, make sure that everyone who
does use it is aware of these dangers. It may not be a bad idea to have
everyone that uses your system read this or a similar file (though I am
a bit partial to this one..).
Viruses / Virii
A virus does not always have to be malicious; some of them are humorous
and designed as a practical joke. Some you may never even notice you have.
However, most do cause some degree of harm. A virus is often defined as
a program that can infect other programs by modifying them to include a,
possibly evolved, version of itself. In simple terms, it is a computer program
that is "smart" enough to replicate itself, which is what classifies it as a
virus. Just like the flu bug spreads from person to person, replicating
itself, a computer virus spreads itself from computer to computer.
There are thousands and thousands of them, and there are many types. There are file infectors and then there are boot infectors. They are just what they sound like; a file infector would infect files while a boot infector would infect the boot sector of a disk (floppy disk or hard drive).
Every virus has at least two parts. There is the activation and the outcome, think of it as a cause and effect relationship. The 'cause' triggers the activation of the virus by whichever means it was coded to, and the 'effect' is what the virus actually does. For example, if a particular virus is coded to activate at 5:00pm and at that time delete all text files on your system, the cause would be 5:00pm and the effect would be the virus deleting your text files.
Stealth viruses are a type of virus that tries to be sneaky and undetectable by anti-virus software. One of the things most anti-virus scanners look for is a change in the size of programs (remember that they need to replicate themselves to be considered a virus), so the stealth-type virus will try to hide by infecting a program without changing its size, while some will disable virus scanners. A polymorphic virus is also pretty sneaky, as it will produce varied copies of itself, in the hope that anti-virus scanners will not be able to detect each copy.
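To show why the size check mentioned above is not enough on its own, here is an added example (not from the original paper or any scanner it names) of a small file-integrity baseline in Python that records both the size and a SHA-256 hash of each file, so a modification that keeps the size unchanged is still caught. The directory, file names and byte contents in demo() are constructed for the illustration.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Size and SHA-256 of a file; a same-size patch still changes the hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()

def baseline(directory):
    """Record (size, hash) for every file under directory, keyed by path."""
    result = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            result[os.path.relpath(full, directory)] = fingerprint(full)
    return result

def compare(old, new):
    """Report changes; 'same-size-modified' is what a size-only check misses."""
    findings = {}
    for rel, (size, digest) in new.items():
        if rel not in old:
            findings[rel] = "new"
        elif old[rel][0] != size:
            findings[rel] = "size-changed"
        elif old[rel][1] != digest:
            findings[rel] = "same-size-modified"
    for rel in old:
        if rel not in new:
            findings[rel] = "missing"
    return findings

def demo():
    """Constructed scenario: one file patched in place, one file grown."""
    d = tempfile.mkdtemp()
    for name in ("game.exe", "editor.exe"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"MZ" + b"\x90" * 30)      # 32 constructed bytes each
    before = baseline(d)
    with open(os.path.join(d, "game.exe"), "r+b") as f:
        f.seek(10)
        f.write(b"\xcc" * 4)      # overwrite 4 bytes; size stays 32
    with open(os.path.join(d, "editor.exe"), "ab") as f:
        f.write(b"X" * 100)       # append; size becomes 132
    return compare(before, baseline(d))
```

Take a baseline of your program directories while the system is known clean and rerun compare() periodically; any 'same-size-modified' result is exactly the case a size-only scanner would not flag.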
As a general rule of thumb, keep in mind that only 10% of the viruses cause 95% of the infections, meaning that a small number of widespread viruses account for most infections. This is quite obvious, since a virus is easily able to spread itself from system to system, often untraced. A virus is able to spread through floppy disks, downloaded programs from The Internet, e-mail attachments, and basically any way that a file is able to get onto your system. Keep in mind these tips:
Get a good virus scanner. Some of the more popular are McAfee, Dr. Solomon's,
F-Prot, among others. A virus scanner is no good if you don't keep it updated
often. Be sure to keep it updated no less than once a month. To some, that
may seem a bit extreme but to download a small update that probably won't
take longer than 5 minutes could save you a lot of aggravation.
No one is immune from viruses. DOS, Windows, Mac, and even Linux
have viruses. However, they are not usually (?) interchangeable; that is,
a Mac virus won't harm a DOS machine. A DOS virus will affect Windows since
Windows runs on DOS, but a Windows-only virus will not affect a DOS-only
machine, etc.
For more information on this topic, consult the following sources:
http://www.datafellows.com/
http://www.symantec.com/avcenter/
http://www.avpve.com/
http://www.commandcom.com/html/virus/virus.html
http://www.kumite.com/myths/
Conclusion
I hope this paper was informative to you, and I hope that I can stop
at least one person from getting infected. If you have any further questions,
comments, suggestions or wish to contact me for any reason, please do so.