Saturday, August 7, 2010

Self-protection from malware

Introduction

There are several levels where you can set up protection mechanisms in order to minimize the risk of falling victim to malware. Different protection mechanisms are needed depending on which danger situation we are discussing. One useful way to look at the protection situations is like this:
  1. Personal awareness (actions prior to exposure)
  2. Protection by software
  3. Procedures when infected
In this two-part security article we will examine what you as a user can do to protect yourself against malicious software - the personal awareness protection scheme. These are actions that come into effect even before any security software is involved in any protection attempt.
Personal awareness may be the most important protection instrument at your disposal. And it is even free! However, it does require a particular mind-set in order to function properly.
The key can be summarized in these three words:
Use common sense!
In the following we shall examine some of the dangers that you may be exposed to, and how common sense, a few simple procedures, and a critical mind-set, can protect you.

Social engineering

Almost all techniques that are used to try to trick you into performing an action that results in an infection of your computer, boil down to social engineering. A person or persons with criminal intent want to persuade you to do something that has a consequence that you did not expect (or want).
The social engineering schemes vary from the ridiculously simple (sending a message with nothing but a link, hoping that recipients will click the link), to the sophisticated (investigating the recipients before contact and designing specially crafted personal messages) – and everything in between.
Since the different social engineering schemes are so varied, one cannot make a complete list of how they look. The ambition should rather be for each and every one of us to recognize typical patterns, and thus avoid being tricked.
At the end of this article series we will identify some such patterns.

Examples and discussion

Here are some typical scenarios where your increased awareness may protect you from infection attempts.

Links in instant messaging programs

There are a lot of instant messaging (IM) programs in use in the Internet community. These may be used as spreading devices for malware by at least two different techniques:
  1. An IM account is compromised and the person who has taken control over the account uses this to send messages to those who are in the owner’s contact list. These messages can be tailor-made and potentially quite convincing and thereby difficult to protect against.
     
  2. A computer is infected by malware, which sends instant messages – usually links - to persons in the contact list. These messages will often be easy to spot as they may not be similar to the way you normally communicate with the person who sent you the message.
One message of type 2 may look like the one below, received in Windows Live Messenger. Typically the message is in English and consists of a short text with a link. Even more common is a message containing nothing but a link. The sender’s status often appears as Away when the message is sent (so the sender cannot be contacted to verify that the message is genuine).
As we shall see later, clicking on such a link may turn out to be quite dangerous.
(Image: example Windows Live Messenger message with a short text and a link)
In order to protect yourself against this type of attack, consider the following:
  • Does your friend/colleague usually contact you without any introduction?
  • Does your friend/colleague usually use the language that the message shows?
  • Is the content of the message in line with your friend’s/colleague’s usual behavior?
If the answer is ‘no’ to any of these questions, you should not click on the link.
If you suspect that something smells fishy even if the answer is ‘yes’ to all questions, you might still take the extra precaution and verify with the person at the other end that the message is legitimate. This may take some extra seconds, but may turn out to be a smart use of your time.

Obfuscated links in email messages

One of the most used devices for social engineering is the good old email message.
One of the most famous, and successful examples of using email as a social engineering vehicle, happened ten years ago when millions of computer users around the world received an email with the subject ILOVEYOU and a body text with this sentence:
kindly check the attached LOVELETTER coming from me.
The alleged love letter was the attachment LOVE-LETTER-FOR-YOU.TXT.vbs.
Vast numbers of people clicked and were subsequently infected with the Loveletter or I-Love-You malware.
The malware spreaders these days are usually at least a bit more sophisticated. A typical social engineering email nowadays might look like this:
(Image: example social engineering email with a friendly subject line and an obfuscated link)
Characteristics are:
  • a friendly subject line,
  • a body text in html format aimed to pique the recipient’s interest,
  • a link to a web page – this will often appear to be to a well-known and trusted web site.
Since this email is written in html format, the link text that appears in the email body may be completely different from where the link actually leads when you click on it. The real destination is displayed in the email client’s status bar at the bottom of the window when you hover the mouse pointer over the link. As you can see from the image above, clicking the link does not take you to the www.cool.imagelibraryonline.net.woah-imgs/ address, but rather to the more suspect-looking www.terribly-dangerous-web.com site.
Here is another example of a typical email designed to try to trick the recipient:
(Image: example email imitating a Facebook notification)
Another social engineering attempt, this one aimed at users of the social network Facebook. The Facebook community has a huge number of members, so the probability is high that the recipients of this email are Facebook members. However, none of the three links in this email (the Sign In button, the http://www.facebook.com/home.php URL and the “here” link) actually links to any Facebook resource.
An important lesson to learn from these examples is that links in messages are dangerous to click on. A safer way is to copy and paste the address text into the browser, or to tediously type it in.
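The status-bar check described above can be automated for an HTML message: extract every link, and compare the host the visible text claims with the host the href really points to. The script below is an added example and is not code from the original article; the two sample messages are constructed to mirror the image-library and Facebook emails above (the 203.0.113.5 address is a documentation range chosen for the sample), and the `claimed_site` parameter is an assumption of this example, standing for the site a message pretends to come from.

```python
"""Flag links in an HTML message whose visible text says one thing and whose
href goes somewhere else.  Added example, not code from the original article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that "looks like" a URL or a bare host name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+", re.IGNORECASE)


def host_of(url_or_text):
    """Lower-case host of a URL or bare domain, or None if there is none."""
    s = url_or_text.strip()
    parsed = urlparse(s)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return None                       # mailto:, javascript:, ... carry no web host
    if not parsed.hostname:
        parsed = urlparse("http://" + s)  # bare "www.example.com/x" has no scheme
    host = parsed.hostname
    return host.lower() if host else None


def same_site(host, site):
    """True when host is site itself or a subdomain of it."""
    return host == site or host.endswith("." + site)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, claimed_site=None):
    """Return (visible text, real host, reason) for every link worth distrusting.

    claimed_site (assumed parameter) is the domain the message pretends to come
    from, e.g. "facebook.com"; any link leaving that site is reported too.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        if real is None:
            continue                      # no web destination to compare against
        shown = host_of(text) if URL_LIKE.match(text) else None
        if shown and not (same_site(real, shown) or same_site(shown, real)):
            findings.append((text, real, "visible address differs from real destination"))
        elif claimed_site and not same_site(real, claimed_site):
            findings.append((text, real, "link leaves " + claimed_site))
    return findings


# Constructed samples mirroring the two emails discussed above.
IMAGE_EMAIL = """<p>Look at these great pictures:
<a href="http://www.terribly-dangerous-web.com/pics">www.cool.imagelibraryonline.net.woah-imgs/</a>
or visit <a href="http://www.example.org/">our homepage</a>.</p>"""

FAKE_FACEBOOK = """<p>You have 1 unread message.
<a href="http://203.0.113.5/login.php">Sign In</a></p>
<p>Go to <a href="http://203.0.113.5/home.php">http://www.facebook.com/home.php</a>
or click <a href="http://203.0.113.5/msg">here</a>.</p>"""

if __name__ == "__main__":
    found = suspicious_links(IMAGE_EMAIL) + suspicious_links(FAKE_FACEBOOK, "facebook.com")
    for text, real, why in found:
        print(f"{text!r:45} -> {real}: {why}")
```

The first sample yields one finding (the image-library text really goes to www.terribly-dangerous-web.com); the Facebook sample yields three, because "Sign In" and "here" leave the claimed site and the visible facebook.com URL resolves to a bare IP address. A link whose text and href merely differ by a www. prefix is deliberately not reported.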

Manipulating search engine results

Big media events are loved by cyber criminals. They may be used to trigger social engineering schemes like those shown above, and they can be used in at least one totally different manner.
It is a fact that big media events like the swine flu pandemic, the volcano eruption in Iceland, the world championship in football and similar inspire people to use search engines to search for new and updated information about the events.
By registering domain names (Internet names) that are associated with the event in question, and crafting web pages that are specially designed to satisfy search engines’ requirements, malicious web sites/pages may be “seeded” to appear near the top of results from search engines.
The events most suited for search engine manipulation are those that appear suddenly, like disasters. Specially crafted malicious web sites may then be created quickly and do not have to compete with genuine content about the event. Web sites about well-planned events will have had months to grow and to obtain good search engine rankings, and are more difficult to compete with.
Such a malicious web site will unfortunately not offer particularly useful information about the searched-for event; it will only attempt to infect the visitor with malicious program code.
You will find more information about manipulating search engines in this security article from last year.

Next part

In the next article in this series we shall examine more closely 
  • infected web sites
  • characteristics of social engineering attempts
  • protection against unknown threats

Infected web sites

There are two different types of infected web sites/pages:
  1. Those where the person with malicious intent has set up the web server herself and controls it. This type is normally the easiest one to spot, even though some are quite clever and may replicate legitimate sites in look and feel, and have an address similar to the legitimate site. www.nicefeaturessite.com and www.nicefeatureesite.com look quite similar, but proof-reading will show that an ‘s’ in the former has been substituted by an ‘e’ in the latter.
     
  2. Legitimate sites that have malicious elements. This may be because the site has been compromised and malicious elements have been inserted, or because the administrator of the legitimate web site has been tricked to add for example a malicious advertisement or another type of banner.
Recent studies indicate that most malicious web sites are by far of type 2 above; some studies show more than 90%.
A full examination of the different techniques used for inserting malicious elements into a web site is beyond the scope of this article. An Internet search will reveal lots of interesting information if you want more in-depth details. Suffice it to say in this context that some techniques used are:
  • Cross Site Scripting (XSS),
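The proof-reading the nicefeaturessite.com / nicefeatureesite.com example calls for can be done mechanically by comparing a domain against a short list of names you trust. The script below is an added example, not code from the original article; the trusted list is constructed for illustration, and the small table of look-alike characters (0 for o, 1 for l, rn for m, and so on) is this example's own choice rather than anything the article lists. It goes a little beyond the single substitution in the text: it also catches a trusted name planted in front of an unrelated domain.

```python
"""Classify a domain name against a list of trusted names, catching the
nicefeaturessite.com / nicefeatureesite.com kind of look-alike.
Added example; the trusted list below is constructed for illustration."""

TRUSTED = ("nicefeaturessite.com", "facebook.com", "norman.com")

# Characters and pairs that read alike at a glance (this example's own table).
_CONFUSABLE_CHARS = str.maketrans("01357", "olest")
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def canonical(domain):
    """Lower-case, strip surrounding whitespace, a trailing dot and a leading www."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def normalize(domain):
    """Fold look-alike characters so that faceb00k.com compares equal to facebook.com."""
    d = canonical(domain).translate(_CONFUSABLE_CHARS)
    for pair, repl in _CONFUSABLE_PAIRS:
        d = d.replace(pair, repl)
    return d


def edit_distance(a, b):
    """Levenshtein distance by the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, trusted=TRUSTED, max_distance=2):
    """Return (verdict, matched trusted name or None, detail).

    verdict is "trusted" (the name itself or a genuine subdomain), "lookalike"
    (close to a trusted name, or a trusted name hiding as someone else's
    subdomain) or "unknown" (not near anything on the list).
    """
    raw = canonical(domain)
    norm = normalize(domain)
    closest = None
    for t in trusted:
        t_raw = canonical(t)
        if raw == t_raw or raw.endswith("." + t_raw):
            return ("trusted", t, "exact match or genuine subdomain")
        # facebook.com.evil.net: the trusted name is only a label in front of the real one
        if raw.startswith(t_raw + ".") or ("." + t_raw + ".") in raw:
            return ("lookalike", t, "trusted name used as a subdomain of another site")
        d = edit_distance(norm, normalize(t))
        if closest is None or d < closest[1]:
            closest = (t, d)
    if closest is not None and closest[1] <= max_distance:
        return ("lookalike", closest[0],
                "edit distance %d after folding look-alike characters" % closest[1])
    return ("unknown", None, "no trusted name within edit distance %d" % max_distance)


if __name__ == "__main__":
    for name in ("www.nicefeaturessite.com", "nicefeatureesite.com", "faceb00k.com",
                 "facebook.com.evil.net", "norrnan.com", "example.org"):
        print("%-28s %s" % (name, classify(name)))
```

An "unknown" verdict is not a clean bill of health, only a statement that the name is not near anything on your list; the list therefore has to contain the sites whose look you actually care about.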
  • PDF files that exploit vulnerabilities in this file format,
  • Malicious scripts (Javascripts or Active scripts),
  • Malicious flash elements that exploit vulnerabilities in the flash player,
  • Invisible IFRAMEs that load malicious web elements.

Characteristics of social engineering attempts

It is close to impossible to protect yourself against well-planned, targeted social engineering attempts. However, there are quite a few characteristics of the more mundane type which are useful to remember.
Knowing these may save you from becoming a victim of scams of the kind each and every one of us is likely to be exposed to.
After all, few of us will ever experience a targeted attack directed at one person. Only particularly "interesting" persons merit such exceptional effort on an attacker’s side. Most of us are (unfortunately?) not that interesting.

A typical social engineering attack will often consist of some of the following or similar elements:
  • Phrases that obviously intend to pique your curiosity.
  • A link that turns out to be another one than the one displayed in the message.
  • The displayed link is often to a well-known respectable organization.
  • A message from an acquaintance of yours that is not in his or her usual manner.
  • A message from a completely unknown person.
  • A message from yourself!

Protection against unknown threats

By increasing your awareness the way we have described in this and the previous article, you are better protected against typical, popular and traditional infection attempts.
More important, however, is that as a spin-off from your increased awareness, you are better equipped against infection attempts that use completely new spreading mechanisms. It is a fact that whenever a new “device” is used for malware spreading, our previous, well-learned protection mechanisms tend to be completely forgotten. This issue has been discussed in several of our security articles in recent years; see for example this article from March this year.
By focusing on awareness rather than relying on previous knowledge and protection by software, you are less inclined to be infected.

Useful resources

Useful information about social engineering trends and examples can be found all over the Internet.
Some recommended resources with general information as well as information about the latest threats are:
  • Norman’s Security center: http://www.norman.com/security_center/ (this section of our web site)
  • SANS’ Storm center: http://isc.sans.org/ 
  • Different countries’ CERT (Computer Emergency Response Team) web sites and mailing list. (Use a search engine to find your own local CERT.)
  • Lots of other security organizations’ web sites and independent blogs.