Time and again the media report stolen credit card data, emptied online accounts and various other threats from the Internet. Perhaps you yourself have already suffered such a disaster. For the best possible protection, it helps to be aware of these risks and to have sound background knowledge, so that you can choose from the protective measures available.
It is difficult to conceive of a world around us where there are no computers. All areas of our day-to-day life make use of computers. For this reason, cyber security affects all of us, even if not everybody is aware of it. The concept of cyber security encompasses the protection of personal information as well as the avoidance, detection and reaction to attacks on this information.
There is a wide range of possible risks: malware that can irretrievably delete your entire system; targeted intrusions into computer systems, in which your data is manipulated and your PC is illegally used to attack other systems; and the theft of your personal data, with all the damage that follows. Although there is no such thing as 100% protection, a few small protective measures bring you close to that ideal and markedly reduce the risk.
First of all, we want to try to identify risks and clarify the associated background terminology.
Hackers / Attackers
This term refers to uninvited guests who have no business being on your computer system. They use security loopholes and weak points, and exploit the illegally taken-over computer system for their own purposes.
Malware
The term malware encompasses all software that carries out undesired functions on the PC concerned without the user being aware of it. The generic term malware is roughly subdivided into the following sub-categories:
Trojan horses
Trojan horses - often incorrectly referred to as Trojans - differ from worms and viruses in that they do not replicate themselves. Following the example of its historical namesake, the name Trojan horse refers to a program that pretends to perform a particular function desired by the user. In addition, however, a Trojan horse also contains a hidden program component which opens a backdoor into the affected computer and can thereby allow almost full access to the affected system without the user noticing.
Trojans' methods of concealing themselves are almost unlimited. They can hide in command-line tools used by UNIX system administrators, such as passwd, ps or netstat (simple rootkits), or turn up as "Remote Access Trojans" (known as RATs or also backdoors). These insidious programs are also sent as screen savers or games via e-mail. Running the program once is enough for the malware to infect the system.
Worms
Unlike viruses, a worm does not attach itself to executable files. It spreads by transferring itself to other PCs via networks or other computer connections.
Several ports on randomly selected network computers are scanned and, if an attack is possible, weak points in the protocols or their implementations (e.g. in IIS) are used to spread the worm. Infamous representatives of this type include "Lovsan/Blaster" and "CodeRed".
Sasser exploits a buffer overflow error in the "Local Security Authority Subsystem Service" (LSASS) and infects computers while they are connected to the Internet.
Email worms
When spread via email, the worm can use the email programs available on the PC (e.g. Outlook, Outlook Express) or it may bring its own SMTP mail engine with it. Aside from the resulting network traffic and the increased use of system resources, worms may carry other harmful payloads. Notable email worms include "Beagle" and "Sober".
P2P worms
P2P worms copy themselves into the shared folders of P2P file-sharing services such as "Emule", "Kazaa" etc. There they wait for potential victims, using enticing file names taken from current software or celebrity names.
Instant Messaging Worms
IM worms use chat programs to spread themselves. They do not rely only on file transfer functions; even more frequently they send a link to a harmful website. Many IM worms are even able to chat with their would-be victims.
Viruses
Viruses also aim to reproduce themselves and spread to other computers. To do so, they attach themselves to other files or embed themselves in the boot sector of data carriers. They are often smuggled onto the PC undetected on removable media (e.g. diskettes), via networks (including peer-to-peer), by email or via the Internet.
Viruses can attach themselves to many different parts of the operating system and can function using the widest range of different channels. They can be divided into the following categories:
Boot sector viruses
Boot sector or MBR viruses (= master boot record viruses) position themselves at the front of the actual boot sector of data media, thus ensuring that the virus code is read first and then the original boot sector, when the computer boots from this medium. This enables the virus to embed itself in the system undetected and then it also runs when the hard disk boots up. Often the virus code remains in memory after it has infected the system. These viruses are known as memory-resident. The virus is then passed on by formatting diskettes, thus enabling it to spread to other computers. However, boot sector viruses are not just activated during formatting processes. A virus can be transferred from an infected diskette via the DOS "DIR" command. Depending on the malware routine, boot sector viruses can range from merely being a nuisance to being extremely dangerous. The oldest and most widespread virus of this type is called "Form".
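As an added example that is not part of the original article, here is a Python check of the kind a defender would run against a saved 512-byte MBR image: it validates the 0x55AA boot signature, decodes the partition table, and compares the boot code against a fingerprint recorded while the disk was known to be clean, which is how a boot sector virus that has placed its own code ahead of the original loader shows up. The sample images, the placeholder boot code and the partition values are constructed for the example.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # boot code occupies bytes 0..445
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # stored at bytes 510..511

def parse_mbr(image):
    """Split a 512-byte MBR image into its boot code and the used partition entries."""
    if len(image) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if image[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing")
    boot_code = image[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", image, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return boot_code, partitions

def boot_code_fingerprint(image):
    """SHA-256 of the boot code only, so legitimate partition edits do not change it."""
    return hashlib.sha256(parse_mbr(image)[0]).hexdigest()

def boot_code_unchanged(image, trusted_fingerprint):
    """Integrity check against a fingerprint recorded while the disk was known clean."""
    return boot_code_fingerprint(image) == trusted_fingerprint

def make_sample_mbr(boot_code):
    """Constructed sample image: padded boot code, one bootable FAT16 partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 204737)  # constructed values
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed placeholder boot code (a few typical loader bytes), not a real loader.
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TRUSTED = boot_code_fingerprint(CLEAN_MBR)
# Constructed tampered image: the first instruction now jumps elsewhere, the footprint
# of a boot sector virus that has placed its own code ahead of the original loader.
TAMPERED_MBR = b"\xeb\x40" + CLEAN_MBR[2:]

if __name__ == "__main__":
    print("clean image intact:", boot_code_unchanged(CLEAN_MBR, TRUSTED))
    print("tampered image intact:", boot_code_unchanged(TAMPERED_MBR, TRUSTED))
```

The partition table of the tampered image still parses identically, which is why the check must fingerprint the boot code rather than rely on the disk still booting normally.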
File viruses
Many viruses take the opportunity to hide themselves in executable files. This is achieved either by deleting or overwriting the host file, or by the virus attaching itself to the file. In the latter case the executable code in the file remains functional. When the executable file is run, the virus code, mostly written in assembly language, runs first and then the original program starts (if it has not been deleted).
Multipartite viruses
This type of virus is particularly dangerous because its representatives infect not only executable files, but also the boot sector (or partition table).
Companion viruses
Under DOS, a COM file is executed in preference to an EXE file of the same name when only the bare name is typed. A companion virus therefore needs only to place a COM file of its own next to a legitimate EXE file for its code to run first. In the era when computers were frequently or exclusively operated via command-line instructions, this was an effective mechanism for running harmful code on a computer undetected.
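An added example, not from the original article: a small Python heuristic that lists directory entries sharing a base name across DOS executable extensions, which is exactly the situation a companion virus creates. It assumes the DOS search order COM, EXE, BAT (the article mentions only COM before EXE); the sample listing is constructed.

```python
import os
from collections import defaultdict

# DOS search order for a bare command name: the first match wins. The article
# covers COM before EXE; BAT coming last is an assumption from command.com behaviour.
PRECEDENCE = {".com": 0, ".exe": 1, ".bat": 2}

def find_companion_candidates(filenames):
    """Group names by base name (case-insensitive, as DOS is) and return every base
    that exists under more than one executable extension. Each value lists the
    files in DOS precedence order, so names[0] is what actually runs."""
    groups = defaultdict(list)
    for name in filenames:
        base, ext = os.path.splitext(name)
        if ext.lower() in PRECEDENCE:
            groups[base.lower()].append(name)
    flagged = {}
    for base, names in groups.items():
        if len(names) > 1:
            flagged[base] = sorted(names, key=lambda n: PRECEDENCE[os.path.splitext(n)[1].lower()])
    return flagged

def scan_directory(path):
    """Run the heuristic over a real directory listing."""
    return find_companion_candidates(os.listdir(path))

# Constructed sample listing: EDIT.EXE has gained a shadowing EDIT.COM, and
# xcopy.exe shadows an XCOPY.BAT; FORMAT.COM and README.TXT are harmless.
SAMPLE_LISTING = ["EDIT.EXE", "EDIT.COM", "FORMAT.COM", "README.TXT", "xcopy.exe", "XCOPY.BAT"]

if __name__ == "__main__":
    for base, names in find_companion_candidates(SAMPLE_LISTING).items():
        print(f"{base}: {names[0]} runs first and shadows {', '.join(names[1:])}")
```

Same-name pairs can be legitimate, so the output is a review list rather than a verdict; the file that runs first is the one worth inspecting.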
Macro viruses
Macro viruses also attach themselves to files. However, they are not executable in themselves. Furthermore, macro viruses are not written in assembly language but in a macro language such as Visual Basic. To run, the viruses require a macro language interpreter, as found in Word, Excel, Access and PowerPoint. Otherwise, macro viruses operate in the same way as file viruses. They can also disguise themselves and, in addition, contaminate the boot sector or create companion viruses.
Stealth viruses and rootkits
Stealth viruses (also known as cloaking viruses) have special protective mechanisms to evade detection by virus scanners. To do so, they take control of various system functions. Once this state has been established, these viruses can no longer be detected during normal access to files or system areas. They present the virus scanner with an uninfected image of an infected file, or they make the file invisible to the anti-virus software. The cloaking mechanisms of stealth viruses only take effect after the virus has become resident in memory.
Polymorphic viruses
Polymorphic viruses contain mechanisms to change their appearance with each infection. To enable this, parts of the virus are encrypted. The encryption routine integrated in the virus generates new code for each copy and sometimes even new encryption routines. Command sequences that are not required to operate the virus can also be substituted or randomly rearranged. In this way, billions of variants of a virus can easily be created. To reliably detect and remove encrypted and polymorphic viruses, classic virus signatures are often not enough; in most cases, special programs must be written. The effort required for analysis and for preparing suitable countermeasures can be extremely high. Thus, when it comes to viruses, polymorphic viruses may truly be regarded as belonging to the premier league.
Intended viruses
The term "intended virus" refers to a partially defective virus which initially infects a file but is then unable to replicate itself further.
Email viruses
Email viruses belong to the so-called "blended threat" category. Malware of this kind combines the properties of Trojans, worms and viruses. When the BubbleBoy virus appeared on the scene, it became common knowledge that a virus could be smuggled onto a PC via the preview function of an HTML mail. The dangerous virus code hides itself in HTML emails and exploits a security loophole in Microsoft Internet Explorer. The threat posed by these "combination viruses" should not be underestimated.