Search Favourite Tips

Tuesday, 26 April 2016

Investigation Report: Remove a Computer Virus

How to Remove a Computer Virus


If your computer has been hit with a virus, don't give up. There's still hope!
We all know malware is out there. Malware includes applications that spy on you, corrupt your data, destroy your hard drive or give control of your machine to someone thousands of miles away. No matter what form it takes, it's bad business. And since there are a lot of examples of malware in the wild, it may only be a matter of time before you become the victim of a malware attack.

The most important advice we can give anyone who believes he or she has a computer with malware on it is this: Don't panic. Also, don't assume that you need to wipe your computer clean and start from scratch. Often you can remove malware without having to erase everything else. You may lose some data in the process, but you probably won't lose everything. The exception is malware that has taken full control of the system (a rootkit or bootkit, for example): once you can no longer trust what the operating system reports, the only way to be certain it is gone is to back up your data and reinstall from known-good media.

First you need to determine if your computer has a virus at all. You might suspect your computer of having a virus if it seems to be sluggish. If your Web browser suddenly looks different or automatically goes to a site you don't recognize, that's a good indication that you've got some malware. If your computer is unstable and crashes fairly often, you may have a problem. And if you try to access files but receive a message saying they're corrupted, that's another sign.

If you do think your computer has a virus, you need to run antivirus software to weed it out. Some viruses disable antivirus software -- they're clever that way. If you don't have any antivirus software, now's a good time to purchase or download an application. A few malware variants will try to block you from downloading antivirus software. If that's the case, you may need to download the software on another computer and transfer it on a disc or a flash drive.

Detecting and Removing a Computer Virus:

Antivirus software is practically a requirement for anyone using the Windows operating system. While it's true you can avoid computer viruses if you practice safe habits, the truth is that the people who write computer viruses are always looking for new ways to infect machines. There are several different antivirus programs on the market -- some are free and some you have to purchase. Keep in mind that free versions often lack some of the nicer features you'll find in commercial products.

Let's start with the assumption that you're able to run antivirus software -- we'll look into what to do if this isn't the case a little later. Assuming your antivirus software is up to date, it should detect malware on your machine. Most antivirus programs have an alert page that will list each and every virus or other piece of malware it finds. You should write down the names of each malware application your software discovers.
Many antivirus programs will attempt to remove or isolate malware for you. You may have to select an option and confirm that you want the antivirus software to tackle the malware. For most users, this is the best option -- it can be tricky removing malware on your own.

If the antivirus software says it has removed the malware successfully, you should shut down your computer, reboot and run the antivirus software again. This time, if the software comes back with a clean sweep, you're good to go. If the antivirus software finds different malware, you may need to repeat the previous steps. If it finds the same malware as before, you might have to try something else.

Advanced Computer Virus Removal Tips:

If you can't access your antivirus software or you keep seeing the same malware pop up scan after scan, you may need to try starting your computer in Safe Mode. Many computer viruses add entries to the Windows Registry. The Registry is not a folder but a database of configuration settings that tells the operating system important information about the programs on your computer. Certain keys (the Run and RunOnce keys, for example) list programs to launch every time Windows starts, and that is where malware typically registers itself so it is activated as soon as the operating system loads. Starting your computer in Safe Mode loads only the core elements of the Windows OS and skips those autostart entries, which is why a scan from Safe Mode can remove something a normal scan cannot.

Try running your antivirus software in this mode. If you see new malware pop up, you may have hit upon your solution. Some malware exists only to download other kinds of malware and install them on your machine. If you can remove all of these applications, you'll be in good shape.

If for some reason your antivirus software can't remove the virus on its own, it's time to do a little more research. Remember when we said you should write down the names of all the malware applications that your software discovered? Here's where that comes into play. Look up each of those names in the online threat encyclopedia of the security vendor whose antivirus product reported it. Make sure to use the same firm that produces the antivirus software you're using, because different firms often give the same virus different names, and not all firms will refer to the same virus the same way.

Most Internet security firms will list all the files and Registry entries associated with a particular virus and tell you where you can expect to find them. You may have to do some digging to find each file. Before you delete anything, export a backup of the Registry keys you plan to change (the Export command in Registry Editor, or reg export from a command prompt) so you can restore them if you remove the wrong entry. If you accidentally delete the wrong file or key, you may make it difficult or impossible to run your computer properly.

Delete all the files associated with the malware on your list. Once that's done, you'll need to reboot your computer and run your antivirus software again. Hopefully nothing else will pop up.
You should also change the passwords for your various accounts online. Some malware includes keylogging software that can send your passwords and information to a remote user. Change them from a device you know is clean, not from the machine you are still cleaning up, and enable two-factor authentication where the account offers it. It's better to be safe than sorry.
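The Registry digging described above is easier to do against an export than by clicking through Registry Editor. The following is an added example, not part of the original article: it parses the text that "reg export" produces for the Run keys and flags autostart entries with the tells an analyst looks for first (a program running from a user-writable directory, a script host launching a payload, a core Windows process name pointing outside the Windows directory). The export text is constructed, and the heuristics are illustrative leads, not verdicts.

```python
"""List autostart entries from a 'reg export' of the Run keys and flag the ones
that look like malware persistence. Added example, not part of the original
article; the export text is constructed and the heuristics are illustrative.
"""
# On a real machine, from a command prompt:
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
# reg.exe writes UTF-16LE, so read it with open("run.reg", encoding="utf-16").
import re

# Constructed export: one legitimate per-user app, two suspicious entries,
# and one legitimate machine-wide entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Updater"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\upd.vbs\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="string"

# Paths a normal user can write to: a program autostarting from here was not
# installed by an administrator. AppData\Local itself is excluded because
# per-user installers (OneDrive, browsers) legitimately live there.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
# Script hosts and built-in binaries that malware uses to run a non-executable payload.
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rundll32", "regsvr32", "cmd.exe")
# Names of core Windows processes; a look-alike outside \Windows\ is a classic tell.
SYSTEM_NAMES = ("svchost", "csrss", "lsass", "winlogon", "explorer", "services")


def unescape(s):
    # Undo reg export escaping: \\ becomes \ and \" becomes "
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return (key, value_name, data) for every string value in the export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def suspicious_reasons(name, command):
    """Heuristic reasons an autostart entry deserves a closer look."""
    low = command.lower()
    reasons = []
    if any(p in low for p in USER_WRITABLE):
        reasons.append("runs from a user-writable directory")
    if any(h in low for h in SCRIPT_HOSTS):
        reasons.append("launched through a script host or LOLBin")
    if name.lower() in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append("system-process name outside the Windows directory")
    return reasons


def audit(text):
    """Map value name -> reasons for every flagged entry in the export."""
    flagged = {}
    for _key, name, command in parse_reg_export(text):
        reasons = suspicious_reasons(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for _key, name, command in parse_reg_export(SAMPLE_REG):
        flags = suspicious_reasons(name, command)
        mark = "!! " if flags else "   "
        print(f"{mark}{name:15} {command}" + (f"  <- {'; '.join(flags)}" if flags else ""))
```

Run it against the sample and only "svchost" (a Windows process name living in Temp) and "Updater" (a script host running a .vbs from Roaming) are flagged; OneDrive under AppData\Local is left alone. Export the same keys before deleting any flagged value, as the text above advises, and confirm each hit against the vendor's write-up before acting on it.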

Computer Virus Protection:

There are some simple rules you can follow that will help you avoid computer viruses. Most of these fall under the category of common sense.

Don't open strange e-mail attachments or click on hyperlinks in e-mail. Virus programmers love to trick people into clicking on links that will lead them to malicious software. Let people know that you don't click on hyperlinks in e-mail unless the sender includes a description of the link and what it leads to. If your e-mail client supports autolaunch, turn it off. Otherwise you might automatically activate a computer virus just by opening the e-mail.

The same applies to other messages you might encounter. Hyperlinks in message boards, Facebook messages or instant messages can sometimes lead to malware. Pay attention to the source of the message. Look for any unusual signs like misspellings or odd sentence structure, particularly if the person who sent you the message normally avoids errors. If you do see an odd link, you may want to let the sender know -- he or she might be the victim of a hacked account.

Don't visit questionable Web sites. This includes everything from software, music and video piracy sites to porn pages. Many current Web browsers will alert you if you try to go to a site that is known for hosting malware. Pay attention to these warnings and stay away from those sites.

Pay close attention to any windows that pop up while you surf the Web. If you see a notification claiming that you need to download the latest video driver to watch something, use caution. This is a common tactic used to distribute malware.

Run your antivirus software at least once a week. You should also make sure your antivirus software and OS remain current by downloading updates and patches on a regular basis. Most antivirus software updates at least once a week as security firms add more virus information to their databases.

Avoiding viruses might sound like a lot of work but keep in mind it's easier than fixing a computer that's been hit with a virus.

Investigation Report: Computer Viruses Work

How Computer Viruses Work



Anyone who has ever been through a virus attacking their system knows all too well that it can be incredibly stressful.
Strange as it may sound, the computer virus is something of an Information Age marvel. On one hand, viruses show us how vulnerable we are -- a properly engineered virus can have a devastating effect, disrupting productivity and doing billions of dollars in damages. On the other hand, they show us how sophisticated and interconnected human beings have become.
For example, experts estimate that the Mydoom worm infected approximately a quarter-million computers in a single day in January 2004. Back in March 1999, the Melissa virus was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained. The ILOVEYOU virus in 2000 had a similarly devastating effect. In January 2007, a worm called Storm appeared -- by October, experts believed up to 50 million computers were infected. That's pretty impressive when you consider that many viruses are incredibly simple.

When you listen to the news, you hear about many different forms of electronic infection. The most common are:
  • Viruses: A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
  • E-mail viruses: An e-mail virus travels as an attachment to e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book. Some e-mail viruses don't even require a double-click -- they launch when you view the infected message in the preview pane of your e-mail software [source: Johnson].
  • Trojan horses: A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically.
  • Worms: A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.
In this article, we will discuss viruses -- from "traditional" viruses to e-mail viruses and exploits that could target your mobile phone -- so that you can learn how they work and understand how to protect yourself.

Virus Origins:

Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer like a biological virus passes from person to person.

Unlike a cell, a virus has no way to reproduce by itself. Instead, a biological virus must inject its DNA into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In some cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases, the new virus particles bud off the cell one at a time, and the cell remains alive.

Similar to the way a biological virus must hitch a ride on a cell, a computer virus must piggyback on top of some other program or document in order to launch. Once a computer virus is running, it can infect other programs or documents. Obviously, the analogy between computer and biological viruses stretches things a bit, but there are enough similarities that the name sticks.

People write computer viruses. A person has to write the code, test it to make sure it spreads properly and then release it. A person also designs the virus's attack phase, whether it's a silly message or the destruction of a hard disk. Why do they do it?

There are at least four reasons. The first is the same psychology that drives vandals and arsonists. Why would someone want to break a window on someone's car, paint signs on buildings or burn down a beautiful forest? For some people, that seems to be a thrill. If that sort of person knows computer programming, then he or she may funnel energy into the creation of destructive viruses.

The second reason has to do with the thrill of watching things blow up. Some people have a fascination with things like explosions and car wrecks. When you were growing up, there might have been a kid in your neighborhood who learned how to make gunpowder. And that kid probably built bigger and bigger bombs until he either got bored or did some serious damage to himself. Creating a virus is a little like that -- it creates a virtual bomb inside a computer, and the more computers that get infected, the more "fun" the explosion.

The third reason involves bragging rights. Sort of like Mount Everest -- the mountain is there, so someone is compelled to climb it. If you are a certain type of programmer who sees a security hole that could be exploited, you might simply be compelled to exploit the hole yourself before someone else beats you to it.
And then there's cold, hard cash. Viruses can trick you into buying fake software, steal your personal information and use it to get to your money, or be sold on the digital equivalent of the black market. Powerful viruses are valuable -- and potentially lucrative -- tools.

Of course, most virus creators seem to miss the point that they cause real damage to real people with their creations. Destroying everything on a person's hard disk is real damage. Forcing a large company to waste thousands of hours cleaning up after a virus attack is real damage. Even a silly message is real damage because someone has to waste time getting rid of it. For this reason, the legal system continues to develop more rigorous penalties for people who create viruses.

Virus History:

Ah, the floppy disk: When most people were using these to store and transport computer programs, viruses spread like wildfire.
Traditional computer viruses were first widely seen in the late 1980s, and came about because of several factors. The first factor was the spread of personal computers (PCs). Prior to the 1980s, home computers were nearly non-existent. Real computers were rare, and were locked away for use by "experts." During the '80s, real computers started to spread to businesses and homes because of the popularity of the IBM PC (released in 1981) and the Apple Macintosh (released in 1984). By the late 1980s, PCs were in businesses, homes and college campuses.

The second factor was the use of computer bulletin boards. People could dial up a bulletin board with a modem and download programs of all types. Games were extremely popular, and so were simple word processors, spreadsheets and other productivity software. Bulletin boards led to the precursor of the virus known as the Trojan horse. A Trojan horse masquerades as a program with a cool-sounding name and description, enticing you to download it. When you run the program, however, it does something uncool, like erasing your hard drive. You think you're getting a neat game, but instead, you get a wiped-out system. Trojan horses only hit a small number of people because they're quickly discovered, and word of the danger spreads among users.

The third factor that led to the creation of viruses was the floppy disk. In the 1980s, programs were small, and you could fit the entire operating system, a few programs and some documents onto a floppy disk or two. Many computers did not have hard disks, so when you turned on your machine it would load the operating system and everything else from the floppy disk. Virus authors took advantage of this to create the first self-replicating programs.

Early viruses were pieces of code embedded in a larger, legitimate program, such as a game or word processor. When the user downloads and runs the legitimate program, the virus loads itself into memory -- and looks around to see if it can find any other programs on the disk. If it can find one, it modifies the program to add the virus's code into that program. Then the virus launches the "real program." The user really has no way to know that the virus ever ran. Unfortunately, the virus has now reproduced itself, so two programs are infected. The next time the user launches either of those programs, they infect other programs, and the cycle continues.

If one of the infected programs is given to another person on a floppy disk, or if it is uploaded so other people can download it, then other programs get infected. This is how the virus spreads -- similar to the infection phase of a biological virus. But viruses wouldn't be so violently despised if all they did was replicate themselves. Most viruses also have a destructive attack phase where they do real damage. Some sort of trigger will activate the attack phase, and the virus will then do something -- anything from displaying a silly message on the screen to erasing all of your data. The trigger might be a specific date, a number of times the virus has been replicated or something similar.

In the next section, we will look at how viruses have evolved over the years.

Virus Evolution:

Virus creators have added new tricks to their bag throughout the years. One such trick is the ability to load viruses into memory so they can keep running in the background as long as the computer remains on. This gives viruses a much more effective way to replicate themselves. Another trick is the ability to infect the boot sector on floppy disks and hard disks. The boot sector is a small program that is the first part of the operating system that the computer loads. It contains a tiny program that tells the computer how to load the rest of the operating system. By putting its code in the boot sector, a virus can guarantee it's executed. It can load itself into memory immediately, and run whenever the computer is on. Boot sector viruses can infect the boot sector of any floppy disk inserted in the machine, and in places like college campuses, where lots of people share machines, they can spread like wildfire.

In general, neither executable nor boot sector viruses are very threatening today. The first reason for their decline has been the huge size of today's programs. Most programs you buy today come on compact discs. Commercially distributed compact discs (CDs) cannot be modified, and that makes viral infection of a CD unlikely, unless the manufacturer permits a virus to be burned onto the CD during production. People certainly can't carry applications around on floppy disks like they did in the 1980s, when floppies full of programs were traded like baseball cards. Boot sector viruses have also declined, because operating systems now routinely protect the boot sector.

Infection from boot sector viruses and executable viruses is still possible. Even so, it's a lot less likely than it once was. Call it "shrinking habitat," if you want to use a biological analogy. The environment of floppy disks, small programs and weak operating systems made these viruses possible in the 1980s, but that environmental niche has been largely eliminated by huge executables, unchangeable CDs and better operating system safeguards.

E-mail viruses are probably the most familiar to you. We'll look at those in the next section.

E-mail Viruses:

Virus authors adapted to the changing computing environment by creating the e-mail virus. For example, the Melissa virus in March 1999 was spectacular in its attack. Melissa spread in Microsoft Word documents sent via e-mail, and it worked like this:

Someone created the virus as a Word document and uploaded it to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus. The virus would then send the document (and therefore itself) in an e-mail message to the first 50 people in the person's address book. The e-mail message contained a friendly note that included the person's name, so the recipient would open the document, thinking it was harmless. The virus would then create 50 new messages from the recipient's machine. At that rate, the Melissa virus quickly became the fastest-spreading virus anyone had seen at the time. As mentioned earlier, it forced a number of large companies to shut down their e-mail systems to control the spread.

The ILOVEYOU virus, which appeared on May 4, 2000, was even simpler. It arrived as a Visual Basic Script (.VBS) attachment, named LOVE-LETTER-FOR-YOU.TXT.vbs so that it looked like a harmless text file. People who double-clicked on the attachment launched the code. It then sent copies of itself to everyone in the victim's address book and started corrupting files on the victim's machine. This is as simple as a virus can get. It is really more of a Trojan horse distributed by e-mail than it is a virus.

The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete programming language and it can be used to write programs that do things like modify files and send e-mail messages. It also has a useful but dangerous auto-execute feature. A programmer can insert a program into a document that runs instantly whenever the document is opened. This is how the Melissa virus was programmed. Anyone who opened a document infected with Melissa would immediately activate the virus. It would send the 50 e-mails, and then infect a central file called NORMAL.DOT so that any file saved later would also contain the virus. It created a huge mess.
Microsoft applications have a feature called Macro Virus Protection built into them to prevent this sort of virus. With Macro Virus Protection turned on (the default option is ON), the auto-execute feature is disabled. So, when a document tries to auto-execute viral code, a dialog pops up warning the user. Unfortunately, many people don't know what macros or macro viruses are, and when they see the dialog they ignore it, so the virus runs anyway. Many other people turn off the protection mechanism. Because of this, the Melissa virus spread despite the safeguards in place to prevent it. Current versions of Office go further: macros are disabled by default when a document is opened, and documents downloaded from the Internet or received as attachments open in a read-only Protected View where macros cannot run, so a user has to take deliberate steps to enable them.
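The two things that made Melissa work, an auto-execute procedure name and Outlook automation, are exactly what a macro triage tool looks for. The following is an added example, not part of the original article: given the VBA source of a document (on a real file you would extract it first, for instance with olevba from the oletools package), it reports which auto-execute triggers are present and which tell-tale behaviours appear. The macro text is constructed to show the pattern and is deliberately not working code; the indicator list is illustrative.

```python
"""Triage VBA macro source for the auto-execute + self-mailing pattern.
Added example, not part of the original article. The macro samples below are
constructed; SAMPLE_VBA mimics the shape of a Melissa-style macro without
being runnable malware.
"""
import re

# Constructed: what a Melissa-style macro looks like to a scanner.
SAMPLE_VBA = """
Private Sub Document_Open()
    On Error Resume Next
    Options.VirusProtection = False
    Set ol = CreateObject("Outlook.Application")
    Set ns = ol.GetNameSpace("MAPI")
    For Each lst In ns.AddressLists
        ' build a message to the first 50 entries (omitted)
        msg.Attachments.Add ActiveDocument.FullName
        msg.Send
    Next lst
    ' copy the macro into the Normal template so later documents carry it
    NormalTemplate.Saved = False
End Sub
"""

# Constructed: an ordinary formatting macro with no auto-execute trigger.
BENIGN_VBA = """
Sub FormatTable()
    Selection.Tables(1).Style = "Table Grid"
End Sub
"""

# Procedure names Word/Excel run without being asked.
AUTO_EXEC = ("AutoOpen", "Document_Open", "AutoExec", "AutoClose", "Document_Close",
             "Workbook_Open", "Auto_Open")
# Indicator regex -> what the behaviour means.
INDICATORS = {
    r'CreateObject\s*\(\s*"Outlook\.Application"': "automates Outlook",
    r"\.AddressLists\b": "reads the address book",
    r"\.Send\b": "sends mail",
    r"NormalTemplate\b|Normal\.dot": "touches the Normal template (persistence)",
    r"\bShell\s*\(|WScript\.Shell": "spawns a process",
    r"Options\.VirusProtection|Application\.AutomationSecurity": "tampers with macro security",
}


def strip_comments(src):
    """Drop whole-line ' comments so words in comments do not count as indicators.
    Trailing comments are left alone: a ' may legitimately sit inside a string."""
    return re.sub(r"^\s*'.*$", "", src, flags=re.M)


def triage(src):
    """Return auto-execute triggers, behavioural indicators and a verdict."""
    code = strip_comments(src)
    triggers = [n for n in AUTO_EXEC if re.search(r"\bSub\s+" + n + r"\b", code, re.I)]
    indicators = [why for pat, why in INDICATORS.items() if re.search(pat, code, re.I)]
    # Auto-execution alone is common in legitimate templates; the combination
    # with mailing/persistence/security-tampering behaviour is what matters.
    return {"auto_exec": triggers, "indicators": indicators,
            "risky": bool(triggers) and len(indicators) >= 2}


if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
    print(triage(BENIGN_VBA))
```

The verdict deliberately requires both a trigger and several behaviours: plenty of corporate templates have an AutoOpen that only sets up formatting, and flagging every one of them is how users learn to ignore warnings.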

In the case of the ILOVEYOU virus, the whole thing was human-powered. If a person double-clicked on the program that came as an attachment, then the program ran and did its thing. What fueled this virus was the human willingness to double-click on the executable. The same kinds of exploits have also been passed over instant messaging networks like AIM and Windows Live Messenger. Commandeered accounts will send out links to viruses in instant messages; anyone who clicks the link and installs a Trojan application will have their own account hijacked and unwittingly spam their own friends with the compromising link.

Now that we've covered e-mail viruses, let's take a look at worms.

Worms:

A worm is a computer program that has the ability to copy itself from machine to machine. Worms use up computer processing time and network bandwidth when they replicate, and often carry payloads that do considerable damage. A worm called Code Red made huge headlines in 2001. Experts predicted that this worm could clog the Internet so effectively that things would completely grind to a halt.

A worm usually exploits some sort of security hole in a piece of software or the operating system. For example, the Slammer worm (which caused mayhem in January 2003) exploited a buffer overflow in Microsoft SQL Server 2000's resolution service. The entire worm fit in a single 376-byte UDP packet sent to port 1434, so it needed no connection handshake and spread as fast as infected hosts could emit packets. Wired magazine took a fascinating look inside Slammer's tiny program.

Worms normally move around and infect other machines through computer networks. Using a network, a worm can expand from a single copy incredibly quickly. The Code Red worm replicated itself more than 250,000 times in approximately nine hours on July 19, 2001 [Source: Rhodes].

The Code Red worm slowed down Internet traffic when it began to replicate itself, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers running Microsoft's IIS Web server that did not have the Microsoft security patch installed. Each time it found an unpatched server, the worm copied itself to that server. The new copy then scanned for other servers to infect. Depending on the number of unpatched servers, a worm could conceivably create hundreds of thousands of copies.

The Code Red worm had instructions to do three things:
  • Replicate itself for the first 20 days of each month
  • Replace Web pages on infected servers with a page featuring the message "Hacked by Chinese"
  • Launch a concerted attack on the White House Web site in an attempt to overwhelm it [source: eEyeDigitalSecurity]
Upon successful infection, Code Red would wait for the appointed hour and connect to the www.whitehouse.gov domain. This attack would consist of the infected systems simultaneously sending 100 connections to port 80 of www.whitehouse.gov (198.137.240.91).

The U.S. government changed the IP address of www.whitehouse.gov to circumvent that particular threat from the worm and issued a general warning about the worm, advising users of Windows NT or Windows 2000 Web servers to make sure they installed the security patch.
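Both halves of Code Red's behaviour leave a shape in connection logs: an infected host fans out to many distinct web servers while scanning, and on attack day many infected hosts fan in on one target. The following is an added example, not part of the original article: two detectors over constructed connection records of the form (timestamp in seconds, source IP, destination IP, destination port), as you might extract from firewall or NetFlow logs. The addresses, window sizes and thresholds are illustrative assumptions.

```python
"""Detect worm-style propagation (one source fanning out to many web servers)
and a Code Red-style flood (many hosts converging on one target) in connection
records. Added example, not part of the original article; the records and
thresholds are constructed for illustration.
"""
from collections import defaultdict


def _constructed_flows():
    flows = []
    # Worm-like scanner: 12 distinct web servers probed within 22 seconds.
    for i in range(12):
        flows.append((1000 + 2 * i, "10.0.0.7", f"203.0.113.{i + 1}", 80))
    # Ordinary client: repeated connections to the same three sites over a minute.
    for i in range(15):
        flows.append((1000 + 4 * i, "10.0.0.9", f"198.51.100.{i % 3 + 1}", 80))
    # Flood: 30 different hosts open connections to one target in the same second.
    for i in range(30):
        flows.append((2000, f"192.0.2.{i + 1}", "198.137.240.91", 80))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def _peak_distinct(events, window):
    """Largest number of distinct peers seen in any `window`-second span that
    starts at an event. events: list of (timestamp, peer), any order."""
    events = sorted(events)
    peak = 0
    for i, (t0, _) in enumerate(events):
        peers = set()
        for t, peer in events[i:]:
            if t - t0 > window:
                break
            peers.add(peer)
        peak = max(peak, len(peers))
    return peak


def fan_out(flows, port=80, window=60, threshold=10):
    """Sources reaching >= threshold distinct destinations on `port` within `window` s.
    Scanning worms do this; a browser revisiting a few sites does not."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    peaks = {src: _peak_distinct(ev, window) for src, ev in by_src.items()}
    return {src: n for src, n in peaks.items() if n >= threshold}


def fan_in(flows, port=80, window=1, threshold=25):
    """Destinations contacted by >= threshold distinct sources within `window` s:
    the signature of infected hosts converging on a denial-of-service target."""
    by_dst = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_dst[dst].append((ts, src))
    peaks = {dst: _peak_distinct(ev, window) for dst, ev in by_dst.items()}
    return {dst: n for dst, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    print("scanners:", fan_out(SAMPLE_FLOWS))
    print("flood targets:", fan_in(SAMPLE_FLOWS))
```

On the sample only 10.0.0.7 trips the fan-out rule and only 198.137.240.91 trips the fan-in rule; the ordinary client, which opens just as many connections but to three hosts, is not reported. Counting distinct peers rather than raw connections is the point: volume alone cannot separate a worm from a busy user, but breadth of contact can.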

A worm called Storm, which showed up in 2007, immediately started making a name for itself. Storm used social engineering techniques to trick users into loading the worm on their computers. And boy, was it effective -- experts believe between 1 million and 50 million computers have been infected [source: Schneier]. Anti-virus makers adapted to Storm and learned to detect the virus even as it went through many forms, but it was easily one of the most successful viruses in Internet history and could someday rear its head again. At one point, the Storm worm was believed to be responsible for 20 percent of the Internet's spam mail [source: Kaplan].

When the worm is launched, it opens a back door into the computer, adds the infected machine to a botnet and installs code that hides itself. Storm's botnet was organized as many small peer-to-peer groups rather than one large, centrally controlled network, which made it harder to map and shut down. Experts think the people controlling Storm rent out these micro-botnets to deliver spam or adware, or for denial-of-service attacks on Web sites.

Viruses of all kinds were a major threat in the early years of the Internet's growth. They're still out there, but since the mid-2000s anti-virus software has gotten better and Web browsers and operating systems have become more secure. Will the big threat of the 2010s be levied against smartphones rather than PCs?

Viruses In the 2000s and Beyond:

Anti-virus software is vital to keeping your system free of problems.

New viruses pop up all the time, but it's rare for a worm or other exploit to have the kind of impact that Storm once did. The worst outbreaks struck around the turn of the century and in the early 2000s. Computers were ripe targets: Anti-virus software was expensive and not always reliable, Microsoft's Internet Explorer was ripe for exploitation and PC users were unaware of how easily viruses could spread over the Internet. Viruses haven't had the same kind of impact in recent years for a number of reasons.

People are a bit better educated about viruses. Free anti-virus software is easy to download. Microsoft recommends its own Security Essentials (on Windows 8 and later its successor, Windows Defender, is built in), while companies like AVG and Avast offer their own free alternatives. Computer software, in general, is designed with the Internet in mind and is less susceptible to viruses. Just compare today's Chrome and Firefox browsers to the infamously terrible Internet Explorer 6, which was patched for over a decade after its release in 2001. Viruses are still around, of course -- in 2009, a worm called Downadup infected millions of computers in a matter of days. We're just getting better at handling them.

There are more viruses than ever out there for anti-virus software to keep track of. These programs will automatically update themselves regularly -- often even daily -- to guard against the latest virus mutations on the Internet. Just look at Avast's Virus Update History to see how many Trojans, worms and other nefarious bits of code are added to the database every day.

In a modern era of smartphones and tablets, it's actually easier than ever to browse the Internet without getting a virus. Why? Because viruses are written for specific platforms. A virus intended to exploit something on Windows won't work on Apple's Mac operating system: the two systems use different executable formats and system interfaces, so the code simply does not run. Similarly, mobile operating systems like Android and iOS differ from PC operating systems in the same way. Viruses that would cripple your computer won't run on mobile devices.

But mobile devices aren't completely secure, themselves. There are viruses out there that can extract personal information from Android phones. iOS is a harder target than Android not because its source code is closed but because it only runs apps that Apple has reviewed and signed, whereas Android allows apps to be installed from outside Google's store. Besides, Windows is still a juicier target. While mobile viruses will certainly become more common as smartphone sales increase, as of 2011 they're a very minor concern.

In the next section, we'll look at patching your PC and other things you can do to protect your computer.

How to Protect Your Computer from Viruses:

You can protect yourself against viruses with a few simple steps:

If you're truly worried about traditional (as opposed to e-mail) viruses, you could run an operating system that is targeted less often, such as Linux or, to a lesser extent, Apple's Mac OS X. You rarely hear about viruses on these systems largely because they represent a small part of the desktop market, so far fewer viruses are written for them than for Windows; that is a matter of exposure rather than immunity. Apple's OS X has seen its share, but viruses are still predominantly a Windows problem.

If you're using Windows, or any other heavily targeted operating system, then installing virus protection software is a sensible safeguard. Many anti-virus options are available for free online.

If you simply avoid programs from unknown sources (like the Internet), and instead stick with commercial software purchased on CDs, you eliminate almost all of the risk from traditional viruses.

You should make sure that Macro Virus Protection is enabled in all Microsoft applications, and you should NEVER run macros in a document unless you know what they do. There is seldom a good reason to add macros to a document, so avoiding all macros is a great policy.

You should never double-click on an e-mail attachment that contains an executable. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF), etc., are data files and are far less dangerous, but not harmless: Word and Excel documents can carry the macro viruses described above, and some viruses have spread through malformed .JPG images that exploited bugs in the program displaying them. A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants. Once you run it, you have given it permission to do anything on your machine. Be aware that Windows hides known file extensions by default, so an attachment named photo.jpg.exe is displayed as photo.jpg; turn that option off so you can see what you are really opening. The only defense: Never run executables that arrive via e-mail.

By following these simple steps, you can remain virus-free.

Monday, 18 April 2016

PDF Malware: Pidief

PDF Malware Overview

Introduction to PDF Malware

PDF files are so common today it is hard to imagine (or remember) what life was like without them.  Business proposals, product manuals, legal documents, and online game guides are just a sampling of places we see the Portable Document Format.  The utility of this format comes in its ability to deliver "rich" content to a wide array of end users with little regard to the platform or viewer application.  Since its initial release in 1993 (Adobe Systems, Inc.), this format has risen in popularity to become the de facto standard for information sharing.
The "rich" content elements described by this standard include both static and dynamic elements. Table 1 presents an abbreviated list of common PDF elements. 
Static Elements:
  • Text Blocks & Styles
  • Character Encodings & Font Selection
  • Multimedia Support
Dynamic Elements:
  • Embedded JavaScript & ActionScript Support
  • Dynamic Action Triggers (e.g. "On Open")
  • Retrieve "Live" Data (Network URL Based)
Table 1: Common Static & Dynamic PDF Features
Combined, these elements can deliver a visually appealing, interactive and portable document. While we have all benefited from this feature-rich way of sharing information, it has a darker side: the dynamic PDF capabilities listed above can be, and have been, used to house malicious content. As far back as 2001 (the Peachy worm) cyber criminals have used embedded malicious scripts and other dynamic PDF features to install malware and steal user credentials. While the goals and technical payloads of these PDFs have changed over the years, the pattern for building a malicious PDF remains largely unchanged.

Pattern of PDF Malicious Behavior

Typically, the malicious behavior in PDF malware is contained within one or more embedded scripts. These scripts can be written in any scripting language the PDF format supports, with JavaScript being by far the most popular. In most cases they implement "dropper" functionality, whereby additional OS-based malware is installed on the victim's system. Figure 1 describes a typical PDF malware infection in greater detail.
Figure 1: Pattern for Malicious PDF Execution
1. User opens a malicious PDF (Document loaded into PDF Viewer)
2. An embedded script is set to execute "On Open"
3. Script extracts and decodes embedded malware
-- and / or --
4. Script downloads malware from an internet site
5. New malware is installed on the victim's system
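The pattern above is exactly what keyword triage looks for in a suspicious PDF before any reader opens it. The following Python script is an added example, not part of the original post or of any tool: it scans the raw bytes of a PDF for the dictionary names the pattern relies on (/OpenAction and /AA as triggers, /JS and /JavaScript for the script, /Launch and /URI for OS and network access, /EmbeddedFile and /RichMedia for bundled payloads), undoes the #xx name escaping that PDF syntax permits (so /J#61vaScript is still recognised as /JavaScript), and reports the combinations that matter. The risk weights, the finding labels and the two sample PDFs are the example's own assumptions; both PDFs are constructed inline.

```python
"""Keyword triage for suspicious PDF files.

Added example, not part of the original post. It scans the raw bytes of a
PDF for the dictionary names that the malicious-PDF pattern relies on and
reports which combinations it sees. The weights, finding labels and sample
PDFs are this example's own assumptions.
"""
import re
from collections import Counter

# Names the malicious-PDF pattern depends on, with assumed weights used only
# to rank findings.
RISK_KEYS = {
    "/OpenAction": 2,    # trigger: run an action when the document opens
    "/AA": 2,            # trigger: additional actions (page open, form events)
    "/JS": 3,            # script: inline or referenced JavaScript code
    "/JavaScript": 3,    # script: JavaScript action dictionary
    "/Launch": 4,        # OS access: launch an external program or file
    "/URI": 1,           # network access: open a URL
    "/EmbeddedFile": 2,  # payload: a file attached inside the PDF
    "/RichMedia": 2,     # payload: Flash/ActionScript content
    "/AcroForm": 1,      # form scripts are a common hiding place
}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Decode PDF name escapes so that /J#61vaScript matches /JavaScript.

    The PDF syntax lets any byte in a name be written as #xx; malware authors
    use this to slip past naive keyword scanners.
    """
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_risk_keys(data: bytes) -> Counter:
    """Count each risky name, matching whole names only (/JS but not /JSX)."""
    text = normalise_names(data)
    counts = Counter()
    for key in RISK_KEYS:
        # A name ends at whitespace or a delimiter; the lookahead stops /JS
        # from matching the first three bytes of a longer name.
        pattern = re.escape(key.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, text))
        if hits:
            counts[key] = hits
    return counts


def triage(data: bytes) -> dict:
    """Return the name counts, a weighted score and the findings for one PDF."""
    counts = count_risk_keys(data)
    score = sum(RISK_KEYS[key] * n for key, n in counts.items())
    has_trigger = "/OpenAction" in counts or "/AA" in counts
    has_script = "/JS" in counts or "/JavaScript" in counts
    findings = []
    if has_trigger and has_script:
        findings.append("script wired to an open/page trigger (Figure 1 pattern)")
    if "/Launch" in counts:
        findings.append("/Launch action: can start an OS program")
    if has_script and ("/EmbeddedFile" in counts or "/URI" in counts):
        findings.append("script plus embedded file or URL: dropper pattern")
    if normalise_names(data) != data:
        findings.append("hex-escaped names present: possible keyword evasion")
    return {"counts": dict(counts), "score": score, "findings": findings}


# Constructed sample: a one-page PDF whose /OpenAction runs a JavaScript
# action, with the /JavaScript name hex-escaped to dodge a naive scanner.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert\\('constructed sample'\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same page with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("constructed sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, triage(blob))
```

The script never executes anything in the document, which is the point: triage runs on bytes, before a parser with a history of overflows touches the file. A real deployment would also inflate FlateDecode streams and object streams before scanning, since names inside compressed object streams are invisible to this check.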
Makers of PDF viewers quickly realized these dynamic features needed additional safeguards to ensure they were not used in this malicious fashion. As a result, PDF readers began warning users before actions such as internet access or local filesystem access.
Figure 2: Warning of Potential Malicious Behavior
This posed only a minor challenge to the attacker. To counter it, the attacker would add more social engineering, or make the bait so enticing that the user ignores the warning and dismisses the dialog.
A more sophisticated solution to this attacker's dilemma is to use specially crafted PDF reader exploits. In this scenario the attacker embeds exploit code within the PDF document that is designed to bypass the reader's security controls and execute the malicious content without warning the user.
Buffer Overflow & Heap Spraying
The combination of buffer overflow + heap spraying is the most common exploitation technique used by malicious PDFs. The buffer overflow vulnerability usually lies in one of the PDF reader's parsing engines: a malformed object (a font, an image, a compressed stream) makes the parser write data past the end of a buffer and corrupt memory the attacker can then use to redirect execution. The payload the attacker wants to run is shellcode (a small program written in machine code) that gives the attacker control over the system when executed.
The attacker usually cannot predict exactly where in memory the corrupted control flow will land, so the attacker improves the odds by filling large regions of the heap with copies of the shellcode, each preceded by a long "NOP sled" so that a jump anywhere into the region slides into the payload. Because embedded JavaScript can allocate heap memory at will, it is the usual vehicle for this. The technique of writing shellcode to many heap memory areas is known as heap spraying.
This approach to exploitation has the potential to infect a larger user population but has its limitations. These exploits are specific to a PDF reader and version, and are usually somewhat short-lived (or should be, with a good patch management program).
Figure 3 shows the history of vulnerabilities discovered within the popular Adobe Reader.
Figure 3: A History of Adobe Reader Vulnerabilities (National Vulnerability Database)
Most of the high-severity vulnerabilities in Figure 3 were, or are, candidates for malicious PDFs. Even though any one exploit is short-lived, the escalating rate at which new vulnerabilities appear makes them a considerable issue.

PDF Malware Life-Cycle

To date PDF malware has fallen purely into the Trojan category. As with other Trojans, the good news is that your known-good PDFs will not become "infected" after you open a malicious one: each malicious PDF is custom made and has no capability to reproduce. Once created, these PDFs are delivered mainly as spam e-mail attachments, with web sites hosting them a distant second. In either case social engineering entices the user to open the file and unleash the hidden dynamic content, ranging from messages with poor grammar and spelling to highly sophisticated targeted attacks that have the potential to fool even well-trained users.

Defending Against PDF Malware

A good enterprise defense against PDF malware begins with strong e-mail and web filtering. The goal of this layer is to greatly reduce the volume of malicious PDFs that reach the enterprise's internal systems. The malicious PDFs that make it through the initial filtering layer should be thinned further by layers of IPS, anti-virus scanning and, where possible, sandboxing. The small percentage of PDF malware that reaches the end user is hopefully met by a well-trained, aware user who knows the dangers lurking in suspect PDFs.
One very powerful augmentation to this defensive approach is application control that limits potentially dangerous PDF reader behaviors. Examples include:
  1. Disabling JavaScript support within the PDF reader (in Adobe Reader this is under Edit > Preferences > JavaScript)
  2. Disabling automatic rendering of PDFs in browsers
  3. Blocking the PDF reader from accessing the filesystem and network resources using host IPS, process control or process whitelisting technology
While application controls can be very effective, they may break some desirable user functionality and may prevent the reader from updating itself. Both obstacles can be overcome, but care should be taken when imposing these controls.

Saturday, 16 April 2016

Tips For Defending Against Malware and Trojan Horse Threats

Defending Against Malware and Trojan Horse Threats

Malware (software written to infect private computers and commit crimes such as fraud and identity theft) has become big business in the cyber underworld. As a result, if you use a computer for web surfing, shopping, banking, e-mail, instant messaging and gaming without proper protection, you are putting yourself at high risk of being victimized.
By exploiting vulnerabilities in operating systems and browsers, malware can sneak malicious Trojan horse programs onto unsecured PCs. Unsuspecting and unprotected users can also download Trojans themselves, thinking they are legitimate games, music players, movies or greeting-card files. Trojans can also lurk in files shared between friends, family and coworkers over peer-to-peer file-sharing networks.

Trojans have traditionally hidden in worms and viruses spread by e-mail, but they are increasingly showing up in instant messages and on PDAs and cell phones. Organized crime rings keep devising new ways of delivering Trojans, and consumers must stay informed of the latest tricks. Protection against these multi-faceted attacks requires integrated anti-virus, firewall and anti-spyware technologies. Below are the top 10 things you need to know to protect yourself against malware and Trojan attacks.

What Do Trojans Do?

Trojans corrupt important files and install adware, spyware, keyloggers and screen scrapers that steal personal information and hijack your online experience. They can also redirect you to fake phishing web sites, even when you type a valid web address (URL) into your browser.
Trojans are most dangerous because they can create a back door into your computer that gives malicious hackers direct access to your system. Once installed, a Trojan can hijack your PC and upload usernames, passwords, credit card numbers, social security numbers and bank account numbers to computers of the attacker's choosing for as long as it remains undetected. Hackers use chat rooms and peer-to-peer file-sharing networks to target and hijack unsecured PCs. Once the Trojan opens a back door, the computer joins hordes of other "zombie" computers that the hacker can control remotely. The hacker can launch denial-of-service (DoS) attacks, generate ad traffic, send out infected software to other vulnerable computers and pump out spam.

Cyber gangs even rent networks of these zombie computers (botnets) by the hour to other criminals for extortion and fraud. Users are rarely aware that their machines have been hijacked, since usually the only indicator is slightly slower performance.


A newer trend in malware is extortion. This ransomware is a Trojan that encrypts a PC's files, or threatens to delete them one by one, unless the victim pays up. After the victim pays, typically through a money transfer service, the extortionist is supposed to send a disarming code or decryption application; in practice there is no guarantee the criminal will, which is why an offline backup (step 10 below) is the only dependable way to recover. Hackers also use Trojans to exploit weaknesses in legitimate banking, online bill-pay and e-commerce sites.

How Does My PC Get a Trojan?

Today, Trojans can be spread by browser "drive-bys", where the program is downloaded in the background when you simply surf to a rigged web site. Shellcode runs a Trojan that downloads additional payload code over HTTP: various forms of bots, spyware, back doors and other Trojan programs. Hackers then send phishing e-mails to lure users to web sites where unsuspecting victims are tricked into revealing personal information. Hackers can also exploit security weaknesses on legitimate sites and piggyback their Trojans onto software that trusting consumers download from them.

Top 10 Ways to Defend Against Malware and Trojans

Although hackers never stop developing new tricks to commit fraud and steal identities, consumers can take proactive steps to safeguard their systems. All it takes is a combination of robust security software and a commitment to following basic safety rules.
1. Protect your computer with strong security software and make sure to keep it up to date. McAfee® SecuritySuite provides trusted PC protection from Trojans, hackers, spyware and more. Its integrated anti-virus, anti-spyware, firewall, anti-spam and anti-phishing components work together to combat today's advanced multi-faceted attacks. It scans disks, e-mail attachments, files downloaded from the web, and documents generated by word processing and spreadsheet programs.
2. Use a security-conscious Internet service provider (ISP) that implements strong anti-spam and anti-phishing procedures.
3. Enable automatic Windows® updates, or download Microsoft® updates regularly, to keep your operating system patched against known vulnerabilities. Install patches from other software manufacturers as soon as they are distributed. A fully patched computer behind a firewall is the best defense against Trojan and spyware installation.
4. Use extreme caution when opening attachments. Configure your anti-virus software to scan all e-mail and instant-message attachments automatically. Make sure your e-mail program does not open attachments or render graphics automatically, and turn the preview pane off, so that nothing in a message is processed before you have decided to open it. Refer to your program's safety options or preferences menu for instructions. Never open unsolicited business e-mails, or attachments that you are not expecting, even from people you know.

5. Be careful when engaging in peer-to-peer (P2P) file sharing. Trojans sit within file-sharing programs waiting to be downloaded. Use the same precautions when downloading shared files that you do for e-mail and IM. Avoid downloading files with the extensions .exe, .scr, .lnk, .bat, .vbs, .dll, .bin and .cmd, and be suspicious of any file with a double extension such as "photo.jpg.exe", whose real type is the last one. Anti-virus software and a good firewall help protect your system from malicious files, but they do not catch everything.
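Both the extension advice in this item and the earlier executable-versus-data rule for e-mail attachments rely on reading a file name correctly, which is harder than it looks. The Python classifier below is an added example, not part of the original article or of any product it mentions; the extension lists, the risk tiers and the magic-number table are its own assumptions. It decides on the cleaned name, the whole chain of extensions and the file's first bytes, so it catches double extensions (invoice.pdf.exe), a trailing dot or space that Windows silently drops, a Unicode right-to-left override (U+202E) that makes "photo<U+202E>gpj.exe" display as "photoexe.jpg", legacy and macro-enabled Office formats, and an executable renamed to .jpg. The sample names and byte strings at the bottom are constructed for the demonstration.

```python
"""Attachment risk classifier.

Added example, not part of the original article; the extension lists, the
risk tiers and the magic-number table are this example's own assumptions.
The article's rule (executables are dangerous, data files much less so)
needs four refinements in practice, and this classifier applies all four:
  * double extensions such as invoice.pdf.exe, and a trailing dot or space
    that Windows silently drops ("setup.exe." is really setup.exe);
  * a Unicode right-to-left override (U+202E) in the name, which makes
    "photo<U+202E>gpj.exe" display as "photoexe.jpg";
  * legacy and macro-enabled Office formats, which can carry macros;
  * an executable renamed to .jpg, caught by looking at its first bytes.
"""

EXECUTABLE = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
              "wsf", "wsh", "hta", "msi", "ps1", "lnk", "dll", "bin", "cpl", "jar"}
MACRO_CAPABLE = {"doc", "dot", "xls", "xlt", "ppt", "docm", "dotm", "xlsm", "xltm", "pptm"}
DOCUMENT = {"docx", "xlsx", "pptx", "pdf", "rtf", "txt", "csv", "odt", "ods"}
IMAGE = {"jpg", "jpeg", "gif", "png", "bmp", "tif", "tiff"}
ARCHIVE = {"zip", "rar", "7z", "gz", "tgz", "iso", "img"}
DATA = DOCUMENT | IMAGE

# Bidirectional control characters that change how a name is displayed.
DIRECTION_CONTROLS = {"\u200e", "\u200f", "\u202a", "\u202b", "\u202c", "\u202d",
                      "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}

# (leading bytes, kind): enough to tell an executable from what it claims to be.
MAGIC = [
    (b"MZ", "executable"),          # Windows PE (DOS stub)
    (b"\x7fELF", "executable"),     # ELF binary
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
    (b"\x89PNG", "png"),
    (b"PK\x03\x04", "zip"),         # zip, which is also .docx/.xlsx and .jar
    (b"\xd0\xcf\x11\xe0", "ole"),   # legacy .doc/.xls container
]


def sniff(content: bytes) -> str:
    """Identify content by its leading bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC:
        if content.startswith(magic):
            return kind
    return "unknown"


def split_name(filename: str):
    """Return (cleaned name, lowercase extension list, disguised flag)."""
    disguised = any(ch in DIRECTION_CONTROLS for ch in filename)
    cleaned = "".join(ch for ch in filename if ch not in DIRECTION_CONTROLS)
    cleaned = cleaned.rstrip(". ")  # Windows drops trailing dots and spaces
    parts = cleaned.lower().split(".")
    return cleaned, [p.strip() for p in parts[1:]], disguised


def classify(filename: str, content: bytes = b"") -> dict:
    """Return {'name', 'tier', 'reasons'}; tier is 'allow', 'warn' or 'block'."""
    cleaned, exts, disguised = split_name(filename)
    final = exts[-1] if exts else ""
    reasons = []
    if final in EXECUTABLE:
        tier = "block"
        reasons.append(f"executable extension .{final}")
    elif final in MACRO_CAPABLE:
        tier = "warn"
        reasons.append(f"macro-capable Office format .{final}")
    elif final in ARCHIVE:
        tier = "warn"
        reasons.append(f"archive .{final}: contents not inspected")
    elif final in DATA:
        tier = "allow"
    else:
        tier = "warn"
        reasons.append("unrecognised or missing extension")
    # report.docx.js: an earlier document/image extension is there to mislead.
    if len(exts) > 1 and final not in DATA and any(e in DATA for e in exts[:-1]):
        tier = "block"
        reasons.append("double extension disguises the real type")
    if disguised:
        tier = "block"
        reasons.append("bidirectional control character in file name")
    if content:
        kind = sniff(content)
        if kind == "executable" and final not in EXECUTABLE:
            tier = "block"
            reasons.append(f"content is an executable, not a .{final}")
    return {"name": cleaned, "tier": tier, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples; the byte strings stand in for the files' first bytes.
    samples = [
        ("report.pdf", b"%PDF-1.4"),
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("photo\u202egpj.exe", b"MZ\x90\x00"),
        ("holiday.jpg", b"MZ\x90\x00"),
        ("budget.xlsm", b"PK\x03\x04"),
        ("setup.exe.", b""),
    ]
    for name, blob in samples:
        print(repr(name), classify(name, blob))
```

The tiers are deliberately coarse; the lesson is that the decision is made on the cleaned name, the full chain of extensions and the content, never on whatever the mail client or file manager happens to display.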
6. Download the latest version of your browser to ensure that it is fully updated and uses the latest technologies to identify and filter out phishing sites that can install Trojans.
7. Use security precautions for your PDA, cell phone and Wi-Fi devices. Trojans arrive as e-mail/IM attachments, are downloaded from the Internet, or are uploaded along with other data from a desktop. Cell phone viruses are in their infancy but will become more common as more people buy phones with advanced features. Anti-virus software is available for PDAs and cell phones. McAfee also offers trusted security solutions for Wi-Fi.
8. Configure your instant-messaging application correctly. Make sure it does not open automatically when you start your computer. Turn off your computer and disconnect the DSL or modem line when you are not using it. Beware of spam-based phishing schemes: do not click links in e-mails or IMs.
9. Be certain a web site is legitimate before you go there. Use software that checks this automatically, such as AccountGuard from eBay and ScamBlocker from Earthlink. You can also look up who registered a web address (URL), and when, with a WHOIS search such as http://www.DNSstuff.com; a domain registered days ago that imitates a well-known brand is a warning sign, although a WHOIS record alone never proves a site is legitimate.
10. Back up your files regularly and store the backups somewhere besides your PC, disconnected from it when not in use so that a Trojan cannot reach them too. If you fall victim to a Trojan attack, you can recover your photos, music, movies and personal information such as tax returns and bank statements. McAfee PC Protection Plus provides essential protection from viruses, spyware and hackers along with automatic backups of your hard drive.


© Kuyasa Mahbub