Computer Security and Anti-Virus Techniques

for Rice University

Introduction
What Are Viruses, Worms, and Trojans?
Is it more dangerous to have an Internet connection?
Safe E-mail Practices
Securing Outlook 98/2000 and Outlook Express
Safe Microsoft Word/Office Practices
Other Ways to Secure Your System
Hoaxes
Forged E-mail Addresses
Anti-virus Software
Malicious Software Documented at Rice
Where to Find More Help
Where to Find Security Patches
More Useful Web Links

Introduction

As computers and their operating systems become more advanced and complicated, they become more susceptible to wrongdoing. Pranksters and "crackers" have learned to exploit errors in operating system and application software in order to manipulate computer systems. This manipulation may take the form of harmless self-propagating software in the form of a "virus" or "worm", or a much more insidious version which can make a nuisance of itself or destroy data. Sometimes, viruses will exploit normal features of a software application or operating system in ways that the original programmers never imagined. In the worst case, crackers will take advantage of poor security to install software which allows them to control the computer remotely. They can see files, monitor the user's typing, and use the computer as a jump off point (or "zombie") for attacking other computers.

We must not believe the many, who say that only free people ought to be educated, but we should rather believe the philosophers who say that only the educated are free.

-Epictetus, "Discourses"

This document explains the various types of dangerous software, and proposes simple techniques you can use to minimize the likelihood that you will be victimized. Most of this document applies to both Mac and Windows/PC users. Differences between the two platforms will be noted.

Throughout this document, you will find illustrated guides to performing tasks on your computer called pictoguides. To open a pictoguide, simply click the miniature thumbnail or the heading at the top of the thumbnail.

What Are Viruses, Worms and Trojans?

Malicious software has developed its own terminology. The news media tend to use the various names for dangerous software interchangably, and even I have been guilty of interchanging them for convenience. But these terms do have specific meanings, and it's important to know the difference in order to assess the potential threat.

Viruses

A virus is a piece of malicious software which is attached to an existing and otherwise normal software application. The virus code is not part of the original application, so we say that the application has been "infected" and has become the "host" for the virus. When the application is started, the virus goes into action and copies itself to other applications. If those applications are opened, the virus runs again, possibly spreading to previously uninfected applications. Once the virus is installed, it may also do things other than simply replicate, such as display messages on screen, damage and destroy files, or even try to damage the computer's hardware. This malcious behavior is called the "payload". The infected applications may also develop problems, such as crashing or other strange behavior.

True viruses are much less common than they used to be, for several reasons. Today, computer users rarely exchange software applications directly, since they can buy applications on CD or download free software from major Internet Web sites. Viruses that infect application files directly are usually detected on these sites and removed before users can copy them.

However, traditional viruses are still a threat if you trade software with friends using any kind of removable media like Zip, writable CD or floppy disks. Traditional viruses are specific to the computer platform for which they are designed; a PC virus cannot affect a Mac, or vice versa.

Macro Viruses

Macro viruses are a special case of viruses. Instead of infecting software program files directly, macro viruses infect Microsoft Office documents and templates. They exist because Microsoft has implemented a complete programming language in their Office applications which allows any document to contain software code. This software code can be saved and it will run again the next time one opens that Office application. Macro viruses are most common in Microsoft Word documents, and there are also many Microsoft Excel macro viruses. Much less common but still a threat are Microsoft Powerpoint and Microsoft Access viruses.

Macro viruses can be extremely dangerous, since the scripting language built-in to Microsoft Office (called "Visual Basic for Applications") gives the virus full control of the computer, including the ability to run arbitrary software, send e-mail, delete files, or activate some other malicious payload. Most macro viruses copy themselves to other Office documents, so if you open an infected Microsoft Word document for example, you may find that all other Word documents which you open will also become infected.

Unlike any other malicious software, macro viruses can cross between Mac and PC. The versions of Microsoft Office applications on these two platforms are very similar, and they use the same programming language.

Viruses get their name from the fact that regular viruses require a software program and macro viruses require a Microsoft Office document. Without these "hosts", the viruses cannot function. Since the host may appear to function as a perfectly normal program or document, one can become infected without even realizing it.

Worms

Worms are malicious software which spreads without any user intervention at all. They take advantage of bugs or errors in the computer's operating system or applications; a true worm does not require that the user commit any specific action in order to propagate itself to other computers.

Fortunately, true worms are very rare on personal computers. The worm requires operating system services which are not very common in desktop operating systems. Worms are a problem for servers, however, which maintain constant network connections and run services which perform periodic communication. One of the earliest and most successful pieces of malware, the Morris Internet Worm, infected UNIX servers across the world in 1988 by exploiting a bug in the way servers exchange e-mail. Rice's own Owlnet servers were infected as well, but the damage was limited because we ran out of disk space!

Rice recently suffered a genuine worm attack in the form of the BleBla worm, which takes advantage of programming flaws in Outlook/Outlook Express.

Trojan Horses

I have never seen such another man as Ulysses. What endurance too, and what courage he displayed within the wooden horse, wherein all the bravest of the Argives were lying in wait to bring death and destruction upon the Trojans.

The Odyssey, translated by Samuel Butler, Project Gutenberg

Trojan horses take their name from the famous Trojan horse of Homer's Odyssey. A computer trojan horse is an apparently normal piece of software which may function as expected, but which may also deliver a malicious payload, such as deleting or modifying files, transmitting keystrokes or files to someone else, or causing other damage.

Unlike a virus-infected application, the trojan horse is designed maliciously from the start to masquerade as a normal document or software application. There is no "infection" process. Trojans don't propagate by adding copies of themselves to existing files. Unlike a worm, the trojan horse software requires the user to open it.

Hybrids

In fact, most dangerous software combines the features of several types. One of the first successful e-mail attacks, the Happy99 Virus, wasn't merely a virus. It combined the features of trojan, a worm and a virus! Happy99 appeared as an e-mail attachment. When opened, it displayed a pleasant fireworks animation, tricking the user into thinking it was a harmless entertainment like a trojan. Then, like a virus, it modified the computer's operating system files and installed software code which would create copies of itself whenever the user sent e-mail. Finally, like a worm, Happy99 propagated to other computers via e-mail.

Malicious Software

Taken as a group, these many types of software are called "malicious software", because they modify your computer's files without asking and attempt to perform some kind of annoying or dangerous activity. In the computer community, the spectrum of malicious software is often called malware.

By understanding the various attack mechanisms which malware will use to get a foothold on your computer system, you can prepare yourself and avoid any costly mistakes.

Summary:

Viruses propagate by infecting applications and operating system software.
Operating system or application software which has been modified by a virus is infected.
Malicious or annoying actions committed by a virus, worm or trojan are the payload.
Macro viruses behave like normal viruses, except they infect Microsoft Office documents.
Worms are designed to propagate automatically and silently, without modifying software or alerting the user.
Trojan Horses are apparently normal pieces of software which are designed to deliver a malicious payload.
Hybrids combine several of these techniques into a single attack.
Malware is malicious computer software that falls into any of these groups.

Is it more dangerous to have an Internet connection?

Since I help many Rice users with their home dial-up connections, I am often asked whether having a connection to the Internet puts the computer at risk for exploitation by malicious software.

Superficially, the answer is yes. Since many modern forms of malware propagate by e-mail, it's easy to blame the Internet for these problems. It's also possible to download malware from the World Wide Web, in the form of a Trojan horse program that looks normal, but installs malicious software.

The fascination resides in the thorough rightness of computers as communications instruments, which implies some revolutions.

"Spacewar: Fanatic Life and Symbolic Death Among the Computer Bums"
by Stewart Brand, Rolling Stone 7 Dec 1977

However, there is nothing fundamentally evil about e-mail. Malware exploits e-mail because e-mail is the most common form of communication available for personal computers. Back in the old days before e-mail, virus writers learned how to infect the "boot sector" on floppy disks, taking advantage of the fact that people used to use floppies to trade software. If a new form of communication becomes popular, you can be sure that malware will follow suit. Already, malware writers are working on ways to trick users of chat software like ICQ, AOL Instant Messenger and mIRC into downloading malware by exploiting the file-transfer capabilities of these tools.

In fact, one might think that the only secure computer system is one that is disconnected from the Internet, in a locked room, with the power turned off. But such a computer is useless; the reason we own computers is to take advantage of the rich communication facilities of the Internet, even if it is more dangerous to be connected. So we'd better get comfortable with the idea of defending ourselves from malicious software.

Electronic "mail" delivery is another exciting prospect of the very near future. Letters, typed or written on special forms like wartime V-mail, will be automatically read and flashed from continent to continent and reproduced at receiving stations within a few minutes of transmission.

Arthur C. Clarke, speech to the American Insitute of Architects, May 1967

Safe E-mail Practices

Fortunately, protecting yourself from e-mail-borne malicious software is easy, once you understand the nature of the threat. All e-mail viruses take advantage of attachments, the special ability of modern e-mail software to include any type of file with an e-mail message. Most e-mail attacks rely on psychological tricks to convince you, the e-mail recipient, to open an attachment which contains malware code.

The solution to this problem is easy, and it can summed up in one simple rule. In fact, you might want to print this and paste it prominently on your keyboard:

The Golden Rule of E-mail Protection

NEVER OPEN AN E-MAIL ATTACHMENT UNLESS YOU HAVE INDEPENDENTLY CONFIRMED ITS CONTENT AND VALIDITY!

Independent confirmation can consist of:

a separate e-mail with a clear description of the file names and contents of the attachments,
a telephone call discussing the attached files,
a face-to-face conversation, or
any other communication independent of the e-mail containing the attachments, which specifies the file names and file contents.

Remember, the e-mail containing the attachment cannot be trusted. If the sender's computer has been infected with malware, it may generate friendly-looking e-mail messages. It might use randomly generated text or subject lines, or it might look at existing e-mail messages on the sender's computer and create a fake message that looks like a reply to one of your messages! So, you must obtain confirmation outside of the e-mail message containing the attachment.

Even before you get independent confirmation, you can identify characteristics of the e-mail which could raise a warning flag. Look at the names of the attachments. If the names end with any of the following three-letter extensions, be suspicious that you received malware.

File Extensions of Evil

.BAS .BAT .CHM .CMD .COM .CRT .DOC .DOT .EXE .HLP .INF .INS .ISP .LNK .MDB .MDW .MST .MTX .PCD .PI .POT .PPA .PPS .PPT .REG .RTF .SCR .SHS .URL .VBS .XLS .XLT .XLW .WSF .WSH

You will note that some of the three-letter file extensions (.DOC, .XLS, .PPT, and .MDB) correspond to Microsoft Word, Excel, PowerPoint and Access respectively. Because of macro viruses, these file types can propagate malicious code. Microsoft Office files are only safe if you have secured your installation of Microsoft Office, see below.

This list is not (and cannot be) exhaustive; it is simply provided as a quick checklist. Do not open unidentified attachments without independent confirmation, even if their three-letter extensions are not on this list.

Macintosh users need to be especially careful -- unlike PC users, Mac files do not require three-letter extensions. So there is no immediate way to identify the file type of an incoming attachment. While there is less documented malware on the Mac platform, don't be fooled into a false sense of security. The Mac is just as capable of propagating malware as its PC counterpart, and the Mac version of Microsoft Office shares the same marginal security. So exercise the same good common sense as you would if using a PC!

Summary:

Always confirm the validity of e-mail attachments with the original sender.
Avoid sending or receiving attached files which can carry viruses.

Securing Outlook 98/2000 and Outlook Express

Microsoft's Outlook line of e-mail software for Windows presents a serious security challenge. These e-mail readers allow scripting commands in e-mail which will activate malware without requiring the user to open an attachment. Simply reading the message will cause the malicious software to run, immediately without prompts or warning.

This concern only applies to the Windows versions of Outlook and Outlook Express. The Mac version of Outlook Express (or the new e-mail product, Entourage) does not suffer from this dangerous flaw, and other mail readers for the PC (Eudora, Netscape) are also unaffected.

To secure your version of Outlook 98/2000 or Outlook Express, first open your Internet Options control panel. Click the Security tab, then the Restricted Sites icon. Click the Default Level button, then slide the security level slider to High. Click the Custom Level button.

In the Security Settings panel, scroll down to Script ActiveX Controls Marked Safe for Scripting, and make sure the Disabled box is checked. If it's not checked, click it once to check it. Scroll down to the Downloads section, and make sure the Disabled box is checked under File download. While you are using this panel, you might want to disable everything else that can be disabled. Then click the OK button to close the Security Settings panel and OK to close the Internet Options panel.

Next, open your copy of Outlook or Outlook Express. Select Tools, Options, and click the Security tab. For Outlook, use the Zone pull-down menu to select Restricted Sites, then click OK. For Outlook Express, click the Restricted Sites checkbox if it is not already checked, then click OK. Complete details are in the following illustrated guide.

Outlook 98/2000/Express:
Turning on Restricted Sites Security Pictoguide

Safe Microsoft Office Practices

Unfortunately, even the safest e-mail practices do not confer total protection. Because many Office macro viruses are subtle, it's possible for someone to be infected without even knowing it. This person may give documents to others and spread the macro virus, even though the documents look perfectly normal.

However, a important steps can reduce your likelihood of being infected.

If you use Office 4.2 (with Word 6) for Windows, Office 95 (with Word 95) for Windows or Office 4.2 (with Word 6) for the Mac, you can install the Microsoft Virus Protection Macro. See Where to find security patches below for more information. This protection mechanism is not very effective, however. It only protects against early, basic macro viruses.

If you use Office 97 for Windows, you can turn on Macro Virus Protection. The macro virus protection feature causes Office applications to prompt you before opening a document with macros. In every case, you should choose to disable macros unless you know that the macros are not malware. For complete protection, you will need to turn on macro virus protection in each Office application that you use. In each application, open the Tools menu, select Options. Click the General tab, and make sure the Macro Virus Protection checkbox is checked. If it's not checked, click it so that it's checked and click OK to close the Options box.

In Office 98 for the Macintosh, you can turn on Macro Virus Protection in a similar way. The results are the same; Office 98 applications will prompt you if you attempt to open a document with macros. Always disable the macros unless you've got a good reason not to. To turn it on, open the Tools menu and select Preferences in any Office application. Make sure the Macro Virus Protection checkbox is checked. If it's not checked, click it once to check it and click OK to close the Preferences box. You'll need to do this for each Office 98 application for complete protection.

Windows Office 97: Turn On Macro Virus Protection Pictoguide

Turn on Macro Virus Protection in Word 97 (part of Office 97) under Windows

Mac: Turn On Macro Virus Protection Pictoguide

Turn on Macro Virus Protection in Word 98 (part of Mac Office 98) on the Macintosh

Office 2000 for Windows uses a slightly different technique. Instead of a simple checkbox, Office 2000 offers several levels of protection. For the best protection, you'll want to choose the highest setting. In any Office 2000 application, select Tools, Macros, Security. Click the Security Level tab, and make sure the High checkbox is checked. If it's not checked, click it to check it.

Windows Office 2000: Set Macro Security to High Pictoguide

Set Macro Virus Security to High in Word 2000 (part of Office 2000) under Windows

You can also reduce your likelihood of infecting others, if you happen to get infected. Because Microsoft Word macro viruses can only exist in standard documents and document templates, you can prevent the spread of infection by sending RTF ("Rich Text Format") files to your correspondents. RTF files contain all the images and formatting of your original Word document, but they cannot contain macro viruses. RTF files are more compatible, and can be opened by all versions of Microsoft Word and many other word processors without special converters.

To save documents as RTF files in Microsoft Word 2000, simply select Save As... from Word's File menu. There's a pull down menu with different file formats. Select Rich Text Format (*.rtf) from the list and save your document as you normally would. You might even want to save all your documents as RTF, to avoid the slightest likelihood of virus infection and improve compatibility with other users. To save all future documents in RTF format, use Tools, Options and click the Save tab. Select Rich Text Format (*.rtf) from the Save Word files as: menu.

Summary:

Secure your Microsoft Office installation by turning on macro virus protection.
When exchanging Microsoft Word files with others, always save in Rich Text Format (RTF), and ask others to do the same before sending files to you.

Other Ways to Secure Your System

Aside from being careful with e-mail and securing Microsoft Office, there are a few other things you can do to protect yourself. Here is a checklist.

Don't use file and print sharing unless you must

A few types of malware spread by taking advantage of the file sharing capability of Windows 95/98. Often, we need to look at files which have been shared by others, or print to printers attached to other people's computers. This carries some risk, since it's possible that others have been less vigilant about viruses than you are, and they may have infected their own files. Copying and executing a program or Office document from their shared volumes could lead to infection.

If you share your own files or printers, you need to be especially careful. If you allow others to write to your hard disk, it's possible that they could introduce virus-infected documents or software without you realizing it. In addition, a few types of malware spread by taking advantage of the file sharing capability of Windows 95/98. If you are sharing your hard disk with write access enabled, you could become a victim. Although no viruses use this method of transmission on the Macintosh, there is no technical reason that it can't happen.

If you don't need to share your files, it's best to turn this service off entirely.

Under Windows 95/98, click on Start -> Settings -> Control Panel. Double click on the Network control panel. Click the File and Print Sharing button. Uncheck the two boxes.

On the Mac (MacOS 8.0 or later), open Control Panels -> File Sharing from the Apple menu. If the two buttons on this page are labelled Stop, then click them to stop file sharing. On older versions of the MacOS, the procedure is the same but you will need to open the Sharing Setup panel instead of the File Sharing panel.

Windows 95/98: Turn Off File Sharing Pictoguide

MacOS 8.0 or higher: Turn Off File Sharing Pictoguide

If you do use file sharing, use good passwords

If you must use file sharing, always require passwords from those who might connect to your system. Never ever allow write access to your computer without a password!

Under Windows 95/98, right-click the shared volume and select Properties. Click the Sharing tab. If possible, specify an access type of Read-Only, and make sure you have a password. If you must use Full Access or Both, make absolutely certain that you have a long password that is not easy to guess.

On the Mac, you need to secure your system with an Owner name and password. Open the Apple menu, Control Panels, File Sharing. Make sure you have both an Owner name and Owner password entered in the appropriate boxes. The Owner password should be long and hard to guess.

Windows 95/98: Requiring a Password for File Sharing Pictoguide

Mac: Setting the Owner name and Owner password Pictoguide

Don't allow Windows to open .VBS or .WSF files

Visual Basic Scripting (.VBS or .WSF) files are one of the most common ways that malware spreads. Most installations of Windows 95 and all installations of Windows 98 include Visual Basic Scripting. Almost no commercial or free software uses or requires Visual Basic Scripting, so it's easy and safe to turn it off.

Double-click the My Computer icon. Select View..., Folder Options. Click the File Types tab. Scroll down to the entry labelled VBScript File. Click it to highlight it and click the Edit... button. In the Edit File Type window, click to highlight the Edit entry in the list and click the Set Default button. The Edit entry will turn bold, indicating that editing is now the default action for these files. Repeat this process for the Windows Script File type.

Windows 95/98: Disabling Visual Basic Script and Windows Scripting Pictoguide

Beware software of unknown origin

When you download a piece of software from an Internet web site or install it from a CD-ROM, you are placing trust in the person or corporation that wrote that software that it is not malicious. However, even legitimate software may be wrapped with a modified installer that infects your computer with malicious software, essentially turning legitimate software into a trojan horse.

To avoid this threat, make sure you know your software sources. When downloading or installing software:

Go to the original web site. Always download software directly from the company that makes the software, or from a reputable software distribution site. For example, if you need a copy of RealPlayer to play some audio or video, go directly to Real Networks' web site to download the software -- don't just click the "Download Realplayer" button on some web page of unknown origin.
Use commercially produced installation CDs. Aside from the issues of software piracy, CD duplicates can contain intentional or unintentional malware. Even a friend that you trust could unintentionally infect you by making an infected copy of an installation CD.
Check the software with an anti-virus package, if you have one. Even reputable companies sometimes get caught distributing viruses with their software.

Hoaxes

Hoaxes have developed hand-in-hand with malware. Hoaxes consist of notifications, usually via e-mail, which issue some dire warning about potential viruses, application bugs, or operating system problems. To give you an idea of what a hoax is, consider the following message:

Subject: Wobbler Virus

WARNING: If you receive an e-mail with a file called California, do not open the file. The file contains the WOBBLER virus. This information was announced yesterday morning from IBM; AOL states that this is a very dangerous virus, much worse than "Melissa", and that there is NO remedy for it at this time.

Some very sick individual has succeeded in using the reformat function from Norton Utilities causing it to completely erase all documents on the hard drive. It has been designed to work with Netscape Navigator and Microsoft Internet Explorer. It destroys Macintosh and IBM compatible computers. This is a new, very malicious virus and not many people know about it. Pass this warning along to EVERYONE in your address book ASAP so that this threat may be stopped.

Mary Landesman, About: Antivirus

Hoaxes are usually easy to identify, if you know what to look for.

Hoaxes have been forwarded many times. If the message headers indicate that the message has gone through many hands, it's probably a hoax. On the other land, legitimate virus notifications here at Rice will be sent to the ALLDEPTS mailing list, and forwarded to faculty and staff by departmental secretaries.
Hoaxes name a lot of names. In an effort to sound authoritative, hoax messages will usually name impressive-sounding corporations, goverment agencies or individuals. In the example above, the hoax author mentions a half dozen corporations and commercial products. This is a strong indicator that the message is a fake; a real warning from an IT professional will only include relevant information.
Hoaxes never have references. A legitimate virus warning will always refer you to a Web page where you can get more information. Hoaxes never do, because there is no more information.
Hoaxes never have dates. When a real IT professional sends out a message about a virus, he or she will include an action date and a time period during which users should be concerned. Since the hoaxsters want their message to propagate for as long as possible, they never include dates.
Hoaxes never have remedies. Hoaxes are always hopeless; the hoaxster wants you to think that the problem is so serious that there is no hope of recovery. Of course, if there were hope of recovery, the hoaxster would have to refer you to information about recovery... but they can't, because it's all lies.
Hoaxes always ask you to forward the e-mail. If you don't forward the e-mail to everyone you know, then the hoax never propagates. So hoax messages will always encourage you to forward the e-mail. Real messages from IT professionals will never ask you to forward the message willy-nilly.

... ignorance itself, without malice, is able to make a man both to believe lies and tell them, and sometimes also to invent them.

Leviathan, Thomas Hobbes
infidels.org

What do you do when you receive a hoax? Simple. Just delete it. If it really makes you uncomfortable, or if it contains harassing or threatening statements targeted at you, please feel free to contact IT staff for more information or the Rice Campus Police if the threats are specific and immediate. See below for where to find more help, and links to hoax information sites.

Forged E-mail Addresses

Recently many members of the Rice community have received e-mail complaints alleging that they have a virus, or that they sent e-mail to an invalid address that they have never heard of. Most of these complaints result from viruses or commercial e-mail spammers that forge the return address on their outgoing mail. The forged addresses point to individuals that are completely unrelated to the virus-infected computer system; they are innocent third parties.

When the recipient of a virus-infected e-mail responds to the forged address, the holder of that address is understandably concerned. Not only did the innocent party not send a virus to the recipient -- but they didn't send any mail at all! Confusion and frustration result, since neither the recipient of the original mail nor the falsely accused third party know where the mail actually came from.

If you receive a complaint that you sent out a virus, or an error message that indicates a failed e-mail delivery to an address you've never heard of, don't panic!. In most cases, these warnings are the result of a forged return address.

Anti-virus Software

Rice University now licenses the Network Associate's McAfee suite of antivirus software. McAfee's Mac and PC products are licensed for installation on all Rice systems. Rice faculty, staff and students may also install the products on home PCs or Macs of their choice. The license extends only to those computers which are personally owned by Rice faculty, staff and students.

To download McAfee products now, visit software.is.rice.edu. For additional useful information on McAfee products, including links to the latest updated virus signatures, visit the Rice Antivirus Quick Links page.

Malicious Software Documented at Rice

Unfortunately, malware has visited Rice a few times. Here are a few cases that you might want to read about.

Additional virus warnings will be added to this list when necessary.

Where to Find More Help

If you think your computer has a virus, or if you have questions about viruses or how to prevent them, contact one of these support sources:

All faculty, staff and students may submit a request for help via the Problem web interface or send e-mail to problem@rice.edu. IT is committed to processing such requests quickly and efficiently.
All faculty, staff and students may visit or call the Consulting Center, which is staffed during business hours and some after hours to answer your computing questions.
Faculty, staff and graduate students may contact their Divisional Computing Team.
Undergrads may contact their College Computing Associate.