Because a macro virus infects files, it is technically a file virus. However, unlike a traditional file virus, it targets data files instead. Macro viruses are becoming increasingly common (one year ago they were about 80% of new viruses created); therefore they still deserve to be treated as a separate category.
What kind of files can spread viruses?
Viruses have the potential to infect any type of executable code, not just the files that are commonly called 'program files'. For example, some viruses infect executable code in the boot sector of floppy disks or in system areas of hard drives. Another type of virus, known as a 'macro' virus, can infect word processing and spreadsheet documents that use macros. And it's possible for HTML documents containing JavaScript or other types of executable code to spread viruses or other malicious code. Since virus code must be executed to have any effect, files that the computer treats as pure data are safe. This includes graphics and sound files such as .gif, .jpg, .mp3, .wav, etc., as well as plain text in .txt files. For example, just viewing picture files won't infect your computer with a virus. The virus code has to be in a form, such as an .exe program file or a Word .doc file, that the computer will actually try to execute.
How do viruses spread?
When you execute program code that's infected by a virus, the virus code will also run and try to infect other programs, either on the same computer or on other
computers connected to it over a network. And the newly infected programs will try to infect yet more programs.
When you share a copy of an infected file with other computer users,
running the file may also infect their computers; and files from those computers may spread the infection to yet more computers.
If your computer is infected with a boot sector virus, the
virus tries to write copies of itself to the system areas of floppy disks and hard disks. Then the infected floppy disks may infect other computers that boot from them, and the virus copy on the hard
disk will try to infect still more floppies.
Some viruses, known as 'multipartite' viruses, can spread both by infecting files and by infecting the boot areas of floppy disks.
What do viruses do to computers?
Viruses are software programs, and they can do the same things as any other programs running on a computer. The actual effect of any particular virus
depends on how it was programmed by the person who wrote the virus.
Some viruses are deliberately designed to damage files or otherwise interfere with your computer's operation, while others
don't do anything but try to spread themselves around. But even the ones that just spread themselves are harmful, since they damage files and may cause other problems in the process of
spreading.
Note: Very few viruses can damage hardware: the CIH virus can damage your CPU, but it cannot burn your hard drive, cause your monitor to explode, etc. Warnings about viruses that will physically destroy your computer are usually hoaxes, not legitimate virus warnings, with the exception of the CIH virus.
What's the story on viruses and E-mail?
You can't get a virus just by reading a plain-text E-mail message or Usenet post. What you have to watch out for are encoded messages containing embedded executable code (e.g., JavaScript in an HTML message) or messages that include an executable file attachment (e.g., an encoded program file or a Word document containing macros).
In order to activate a virus or Trojan horse program,
your computer has to execute some type of code. This could be a program attached to an E-mail, a Word document you downloaded from the Internet, or something received on a floppy disk.
There's no special hazard in files attached to Usenet posts or E-mail messages: they're no more dangerous than any other file.
What can I do to reduce the chance of getting viruses from E-mail?
Treat any file attachments that might contain executable code as carefully as you would any other new files: save the
attachment to disk and then check it with an up-to-date virus scanner before opening the file.
If your E-mail or news software has the ability to automatically execute JavaScript, Word macros,
or other executable code contained in or attached to a message, I strongly recommend that you disable this feature.
My personal feeling is that if an executable file shows up unexpectedly
attached to an E-mail, you should delete it unless you can positively verify what it is, who it came from, and why it was sent to you.
The recent outbreak of the Melissa virus was a vivid
demonstration of the need to be extremely careful when you receive E-mail with attached files or documents. Just because an E-mail appears to come from someone you trust, this does NOT mean the
file is safe or that the supposed sender had anything to do with it.
Some general tips on avoiding virus infections:
1. Install anti-virus software from a well known,
reputable company, UPDATE it regularly, and USE it regularly. New viruses come out every single day; an a-v program that hasn't been updated for several months will not provide much protection
against current viruses.
2. In addition to scanning for viruses on a regular basis, install an 'on access' scanner (included in most good a-v software packages) and configure it to start
automatically each time you boot your system. This will protect your system by checking for viruses each time your computer accesses an executable file.
3. Virus scan any new
programs or other files that may contain executable code before you run or open them, no matter where they come from. There have been cases of commercially distributed floppy disks and CD-ROMs
spreading virus infections.
4. Anti-virus programs aren't very good at detecting Trojan horse programs, so be extremely careful about opening binary files and Word/Excel documents from
unknown or 'dubious' sources. This includes posts in binary newsgroups, downloads from web/ftp sites that aren't well known or don't have a good reputation, and executable files unexpectedly
received as attachments to E-mail or during an on-line chat session.
5. If your E-mail or news software has the ability to automatically execute JavaScript, Word macros, or other
executable code contained in or attached to a message, I strongly recommend that you disable this feature.
6. Be extremely careful about accepting programs or other files during on-line
chat sessions: this seems to be one of the more common means that people wind up with virus or Trojan horse problems. And if any other family members (especially younger ones) use the computer,
make sure they know not to accept any files while using chat.
7. Do regular backups. Some viruses and Trojan horse programs will erase or corrupt files on your hard drive, and a recent
backup may be the only way to recover your data. Ideally, you should back up your entire system on a regular basis. If this isn't practical, at least backup files that you can't afford to lose
or that would be difficult to replace: documents, bookmark files, address books, important E-mail, etc.
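The advice above (save the attachment to disk, never let the mail client run it, and scan it before opening) can be turned into a small triage step. The following is an added example written for this page, not part of the original text: it lists the attachments of a raw message and classifies each by extension and, for Word/Excel files, by a simple heuristic that looks for the Macros/VBA storage names inside an OLE2 compound file. The sample message, the extension lists and the heuristic are all constructed assumptions, not output of any product.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly, and document formats that can hold macros.
# Both lists are constructed for this example, not taken from any product.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".hta"}
MACRO_CAPABLE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # signature of an OLE2 compound file (.doc/.xls)


def looks_like_macro_container(data: bytes) -> bool:
    """Heuristic: an OLE2 file whose directory names include Macros/VBA (stored UTF-16LE)."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(name.encode("utf-16-le") in data for name in ("Macros", "VBA", "_VBA_PROJECT"))


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment; nothing here ever executes or opens it."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in EXECUTABLE_EXTS:
        return "EXECUTABLE"        # delete unless sender, content and purpose are verified
    if looks_like_macro_container(data):
        return "MACRO_FOUND"       # save to disk and scan before opening
    if ext in MACRO_CAPABLE_EXTS:
        return "MACRO_CAPABLE"     # the format can carry macros even if none were spotted
    return "DATA"                  # pure data (.txt, .gif, ...) cannot run code


def triage_message(raw: bytes) -> list:
    """Return [(attachment name, verdict)] for every attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename() or "(unnamed)",
             triage_attachment(part.get_filename() or "", part.get_payload(decode=True)))
            for part in msg.iter_attachments()]


def build_sample() -> bytes:
    """Constructed message with a macro-bearing .doc, an .exe and a harmless .txt."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Here is the document you asked for"
    msg.set_content("Please take a look at the attached files.")
    fake_doc = OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le") + b"\x00" * 24
    msg.add_attachment(fake_doc, maintype="application", subtype="msword", filename="list.doc")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    msg.add_attachment("just some notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in triage_message(build_sample()):
        print(f"{name:12s} {verdict}")
```

The MACRO_FOUND check is a string search, not a parse of the OLE directory, so a real scanner with current signatures still has to run on anything the triage does not mark as DATA.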
Where can I go to find information on how to protect myself against macro viruses?
The following strategies provide a guide to the most effective ways to avoid a macro virus infection. Macro virus control will be discussed in terms of the following objectives:
- Preparation
- Prevention
- Detection
- Containment
- Recovery
Initially, what constitutes a macro virus must be defined. A macro virus is a virus written in one of the many macro languages. It spreads via infected files, which can be documents, spreadsheets, databases or any computer program that employs any of the macro languages.
Preparation:
Preparation strategies involve education, awareness, and the formation of a team for the purpose of creating prevention policies, selecting anti-virus software, and drawing up a fail-safe plan in the event that an unknown macro virus surfaces.
Education:
All staff members should be aware of the macro virus risk. Then, depending on the philosophy of management, the education process should intensify to enable those who need increased knowledge (such as the help desk, system administrators, etc.) to understand and cope with this threat. Educate everyone regarding the importance of using anti-virus software. Continuously update employees with the latest information regarding macro viruses and the latest updates for the anti-virus program.
Awareness:
As a result of a well-planned education program, there will be an increased awareness of ways to avoid infection. Alertness for macro
(viral) type behaviour becomes evident. Promote this by providing incentives to those staff members who identify potential dangers existing in their areas.
Form a Team:
Whether you opt for a team or simply an individual, it is absolutely essential to have a methodology in place prior to a virus crisis. The team then needs to formulate the specifics: designing the policy to work with your AV software; designating the key individuals who will handle a virus incident; instruction, at all levels, in the procedures to follow if a virus is reported (i.e. what the user needs to do, what the system administrator needs to do, who is informed, etc.); and setting up the education process.
Outline a plan for action in the event of a virus epidemic. Think of this as a fire drill. Incorporate a review process to allow these policies to grow and change to fit the company and new technology.
Prevention:
Create Prevention Policies: We suggest the following measures be implemented and, even though they may be inconvenient at times, make a commitment to stick to them.
Daily Backups:
Try a method of rotating tapes so that if a virus is not detected immediately, there is a good copy of the files from before the infection.
Stop the source through policy and by utilizing AV tools. Consider the possibility of infection brought in via disks that travel to and from employees' homes. Is this something you want to disallow? Perhaps you need to ensure that any disk brought into or taken out of the facility is scanned.
Consider the possibility of infection by employees downloading files from unknown sources, including the Internet. Should access
to these be controlled?
Consider the possibility of remote users attaching to the network and causing an infection.
Consider inter-office disk sharing. Do employees hand disks to one another and should this practice be restricted?
Infection can come from files attached to e-mail, and from inadvertent spread via inter-departmental exchanges.
Consider using something such as Word Viewer, which is not capable of running macros, for viewing and printing Word documents. Consider using a format, e.g. .txt or .rtf, that cannot carry macros.
Intentional sabotage: track every incidence of infection to its source and keep real-time virus protection active. Scan for viruses daily and tighten security. Eliminate any apprehension on the part of employees about reporting either real or suspected viruses. Scan, scan and scan. Even software that is purchased and packaged could be infected. Ascertain that your hardware (workstations, memory, processor power, and servers) will adequately support the AV software you have selected. Think about what or where the weakest link in the chain in your company is, and strengthen it.
Alert all necessary personnel to the incident. It is critical to determine if the infection has spread and, if so, just how widespread it actually is.
Recovery:
Run your AV software on the infected system. Disinfect and run it again just to be sure the system is clean. In an emergency, if for some reason the files cannot be disinfected, their content can always be saved in a format that does not carry macros (e.g. .txt format). The infected originals can then be deleted. Restore backups of files if necessary.
JavaScript/ActiveX and cookies: what are they?
Java is a programming language that is translated/compiled into bytecode rather than into processor-specific code; this is why it is so portable and platform independent. The introduction of Java applets has taken the World Wide Web by storm. Information servers can customize the presentation of their content with server-supplied code, which executes inside the Web browser. We examine the Java language and the HotJava, Netscape and Microsoft Internet Explorer browsers, which support it, and find a significant number of flaws which compromise their security. These flaws arise for several reasons, including implementation errors, unintended interactions between browser features, and differences between the Java language and the bytecode format. On a deeper level, these flaws arise because of weaknesses in the design methodology used in Java and browsers.
ActiveX programs, however, unlike Java applets, reside on the user's hard drive. That is, when the browser encounters an ActiveX control that does not reside on the user's system, the browser downloads and saves a copy of each ActiveX control to the user's hard drive. If someone wanted to write an ActiveX control that scans your hard drive and sends him all your personal files, then writes a virus to your boot sector, then shouts obscenities at you, then formats your hard drive, he could. Then he could have it digitally signed and placed on the web. The best part is, he could even register the digital signature under a fake name. Remember, the big premise here is that if you can identify who did damage to you, then no one will write malicious ActiveX controls for fear of getting caught. The fact of the matter is, it's pretty easy to get a digital signature, and it's just as easy to get a digital signature under a fake name as it is to get a signature under your real name. And if he can do it, so could someone from Finland, Cuba, China, wherever. How do you hold someone responsible for uploading a virus to your machine when they live in another country? Even better, who do you prosecute when it turns out the holder of the digital signature doesn't even exist? Many people think that just because they see a little green fakey certificate the control is safe. Don't be fooled.
A cookie is a text file that your browser maintains on your computer's hard drive. The cookies.txt file contains
significant information about the individual using the browser.
RTF (Rich Text Format)
Rich Text Format (RTF) is a specification for encoding formatted text and graphics. The principal benefit of RTF is that it's supported by a number of word processors on a number of different platforms. For instance, if someone uses Word on a PC to create RTF files, he could share them with someone else who uses an entirely different word processor on a Macintosh. All versions of Word dating back to Word 1.0 natively support RTF. Word can open and process RTF documents, and Word documents can be saved in RTF if desired. However, there is a security vulnerability involving the way Word opens such files, and this could allow macros to run without the user's permission.
Until now, an RTF exploitation that does an end run around Microsoft's built-in checks for potentially malicious Word macros has been theoretical. A new Trojan called GOGA was discovered in the wild. This Trojan is invited into unsuspecting users' computers by RTF documents opened in the Word program. Once installed on the PC, Goga collects information about the user's Internet accounts and relays it to a location where the Trojan's creator might receive it.
Microsoft Word can alert users when a document they are about to open contains macros: scripts which automate Word tasks and which also have access to the system resources of the PCs on which they execute. However, the security hole reported not long ago allows a Word template file containing macros to be loaded without such checks if that file is linked to an RTF document. The linked template can even reside on a remote Web site. Once up and running, the macro code in the Word template extracts a binary executable from the original RTF file. That code then searches the infected computer for Internet-account logon and password information, storing it in a text file. Goga then launches a script that posts the contents of the text file in the guest book of a Web site open to the public. Presumably, the hacker who created the program can then retrieve the information from the public site anonymously.
What's a macro?
In general, the term macro refers to a small program that automates commonly performed tasks within an operating system or an application. For instance, all members of the Office family of products support the use of macros. This allows, for instance, companies to develop macros that provide sophisticated productivity tools running within Word, Excel, or other Office applications. Because of the popularity of Office products, many viruses are written as macros and embedded within Office documents. To combat this threat, Office has developed a security model that is designed to ensure that macros can only run when the user wants them to. In this case, however, there is a flaw in the security model, which can occur when opening an RTF document that is linked to a template containing a macro.
What's a template?
A template can be thought of as a skeleton document. For instance, a template for a research paper might define the needed styles, include pre-built headers and footers, and include any required boilerplate text. When a user needs to create a new research paper, she or he could use the template as a foundation upon which to develop her or his actual paper. Examples of templates can be found in the Microsoft Office Template Gallery.
Like other documents, templates can contain macros. When Word is used to open a document that's based on a
template, both the document and the template should be checked for macros. The vulnerability involves a case in which this isn't done correctly.
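The check that the text says Word skipped (looking at the linked template, not just the document) can be done outside Word before the file is opened. The following is an added example written for this page, not code from Microsoft or from any analysis of GOGA: it reads the {\*\template ...} destination of an RTF file, reports whether the template lives on a remote URL, a UNC share or the local disk, and notes any \objdata blob that begins with an MZ header, since the text describes a binary being carried inside the RTF. The two sample documents are constructed; the "normal.dot is the only expected local template" rule is an assumption for the example.

```python
import re

# {\*\template <path>} is the RTF destination that names the document's attached template.
TEMPLATE_RE = re.compile(r"\{\\\*\\template\s*([^{}]*)\}")
# \objdata carries an embedded OLE object as a hex blob; a dropper can hide a binary here.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_template_path(rtf: str):
    """Return the linked template path with RTF escaping undone, or None if there is none."""
    m = TEMPLATE_RE.search(rtf)
    if not m:
        return None
    raw = m.group(1).strip()
    raw = re.sub(r"\\'([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)  # \'hh bytes
    return raw.replace("\\\\", "\\").replace("\\{", "{").replace("\\}", "}")


def classify_template(path):
    """Where would Word fetch this template from?"""
    if path is None:
        return "none"
    p = path.lower()
    if p.startswith(("http://", "https://", "ftp://")):
        return "remote-url"      # template pulled from a Web site, as in the GOGA case
    if p.startswith("\\\\"):
        return "unc-share"       # template on a network share
    return "local"


def embedded_objects(rtf: str):
    """Return [(size_in_bytes, starts_with_MZ)] for every objdata hex blob."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s", "", m.group(1))
        found.append((len(hexdata) // 2, hexdata.lower().startswith("4d5a")))
    return found


def assess_rtf(rtf: str) -> list:
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    path = extract_template_path(rtf)
    kind = classify_template(path)
    findings = []
    if kind in ("remote-url", "unc-share"):
        findings.append(f"template linked from {kind}: {path}")
    elif kind == "local" and not path.lower().endswith("normal.dot"):
        findings.append(f"non-default local template: {path}")  # assumption: only Normal.dot is expected
    for size, is_exe in embedded_objects(rtf):
        if is_exe:
            findings.append(f"embedded object of {size} bytes carries an MZ executable header")
    return findings


# Constructed samples: a normal document and one shaped like the linked-template trick.
BENIGN_RTF = r"{\rtf1\ansi{\*\template C:\\Program Files\\Microsoft Office\\Templates\\Normal.dot}\pard Hello\par}"
SUSPECT_RTF = (r"{\rtf1\ansi{\*\template http://template-host.invalid/quarterly.dot}"
               r"\pard Quarterly numbers\par{\object\objemb{\*\objdata 4d5a9000 03000000}}}")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        print(label, assess_rtf(doc) or ["no findings"])
```

A finding only says the RTF points somewhere worth looking; the linked template itself still has to be fetched and scanned for macros before anyone opens the document in Word.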
What's a cookie?
A cookie on the World Wide Web is a line of text with a server address and an ID number stored on your computer (usually in a file named cookie.txt).
Cookies, on their own, are not harmful. They do not contain any information that you have not voluntarily entered on your own. They are not applications or virus spreaders. They can't, for
instance, be used to search your local hard drive. Furthermore, cookies may only be read by the site that sent them. Cookies may be used to track where you go on a site or to pass information from
one page to the next (so you don't, for example, have to enter your name and address every time you submit a form).
To protect your privacy, be sure to close your browser completely after you have finished conducting business with a Web site that uses cookies. If you are concerned about the potential use of the information gathered from your computer by cookies, you can set your browser to prompt you before it accepts a cookie. Most Internet browsers have settings that let you identify and/or reject cookies.
For additional info refer to this site: http://www.cookiecentral.com/