Proactive security for IT
 

Self-protection from malware - part I

Introduction

There are several levels where you can set up protection mechanisms in order to minimize the risk of falling victim to malware. Different protection mechanisms are needed depending on which danger situation we are discussing. One useful way to look at the protection situations is like this:

  1. Personal awareness (actions prior to exposure)
  2. Protection by software
  3. Procedures when infected

In this two-part security article we will examine what you as a user can do to protect yourself against malicious software - the personal awareness protection scheme. These are actions that come into effect even before any security software is involved in any protection attempt.

Personal awareness may be the most important protection instrument at your disposal. And it is even free! However, it does require a particular mind-set in order to function properly.

The key can be summarized in these three words:

Use common sense!

In the following we shall examine some of the dangers that you may be exposed to, and how common sense, a few simple procedures, and a critical mind-set, can protect you.

Social engineering

Almost all techniques that are used to try to trick you into performing an action that results in an infection of your computer, boil down to social engineering. A person or persons with criminal intent want to persuade you to do something that has a consequence that you did not expect (or want).

The social engineering schemes vary from the ridiculously simple (sending a message with nothing but a link, hoping that recipients will click the link), to the sophisticated (investigating the recipients before contact and designing specially crafted personal messages) - and everything in between.

Since the different social engineering schemes are so varied, one cannot make a complete list of how they look. The ambition should rather be for each and every one of us to recognize typical patterns, and thus avoid being tricked.

At the end of this article series we will identify some such patterns.

Examples and discussion

Here are some typical scenarios where your increased awareness may protect you from infection attempts.

Links in instant messaging programs

There are a lot of instant messaging (IM) programs in use in the Internet community. These may be used as spreading devices for malware by at least two different techniques:

  1. An IM account is compromised and the person who has taken control over the account uses it to send messages to those who are in the owner’s contact list. These messages can be tailor-made and potentially quite convincing, and are thereby difficult to protect against.

  2. A computer is infected by malware, which sends instant messages - usually links - to persons in the contact list. These messages will often be easy to spot, as they may not resemble the way you normally communicate with the person who sent you the message.

A message of type 2 may look like the one below, received in Windows Live Messenger. Typically the message is in English and consists of a short text with a link. Even more common is a message with a link only. The sender’s status often appears as Away when the message is sent (so the sender cannot be contacted to verify the message’s validity).

As we shall see later, clicking on such a link may turn out to be quite dangerous.


In order to protect yourself against this type of attack, consider the following:

  • Does your friend/colleague usually contact you without any introduction?
  • Does your friend/colleague usually use the language that the message shows?
  • Is the content of the message in line with your friend’s/colleague’s usual behavior?

If the answer is ‘no’ to any of these questions, you should not click on the link.

If you suspect that something smells fishy even if the answer is ‘yes’ to all questions, you might still take the extra precaution and verify with the person at the other end that the message is legitimate. This may take some extra seconds, but may turn out to be a smart use of your time.

Obfuscated links in email messages

One of the most used devices for social engineering is the good old email message.

One of the most famous and successful examples of using email as a social engineering vehicle happened ten years ago, when millions of computer users around the world received an email with the subject ILOVEYOU and a body text with this sentence:

kindly check the attached LOVELETTER coming from me.

The alleged love letter was the attachment LOVE-LETTER-FOR-YOU.TXT.vbs.

Vast numbers of people clicked and were subsequently infected with the Loveletter or I-Love-You malware.

The malware spreaders these days are usually at least a bit more sophisticated. A typical social engineering email nowadays might look like this:


Characteristics are:

  • a friendly subject line,
  • a body text in HTML format aimed to pique the recipient’s interest,
  • a link to a web page - this will often appear to point to a well-known and trusted web site.

Since this email is written in HTML format, the link text that appears in the email body may be completely different from where the link actually leads when you click on it. The real link will be displayed in the email client’s status bar at the bottom of the window when you hover the mouse pointer over the email link. As you can see from the image above, clicking the link does not take you to the www.cool.imagelibraryonline.net.woah-imgs/ address, but rather to the more suspect-looking www.terribly-dangerous-web.com site.

Here is another example of a typical email designed to try to trick the recipient:


This is another social engineering attempt, aimed at users of the social network Facebook. The Facebook community has a huge number of members, so the probability is high that recipients of this email are Facebook members. However, none of the three links in this email (the Sign In button, the http://www.facebook.com/home.php URL and the “here” link) actually links to any Facebook resource.

An important lesson to learn from these examples is that links in messages are dangerous to click on. A more secure way is to copy and paste the displayed address into the browser, or to tediously type it into the browser yourself.
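The mismatch described above (visible link text naming one site while the href points to another, as in the image-library and Facebook emails) can be checked mechanically. The following is an added example, not code from the original article: it parses an HTML body with the Python standard library and flags links whose shown text names a different site than their target, and optionally any link that does not point to the site the message claims to come from. The sample message is constructed, reusing the article's example hostnames.

```python
# Added example (not from the original article): flag HTML e-mail links whose
# visible text advertises one site while the href points somewhere else.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Finds something that looks like a hostname in the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def registrable(host):
    """Crude 'site' name: last two labels (www.facebook.com -> facebook.com)."""
    return ".".join(host.lower().split(".")[-2:])

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, claimed_site=None):
    """Return links whose text names another site than the href, or (when
    claimed_site is given) whose href is not on the site the mail claims."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(1)) != target:
            findings.append({"shown": text, "actual": href, "why": "text/href mismatch"})
        elif claimed_site and target != claimed_site:
            # Button-style links ("Sign In", "here") carry no hostname in their
            # text, so they can only be judged against the claimed sender site.
            findings.append({"shown": text, "actual": href, "why": "not on claimed site"})
    return findings

# Constructed sample resembling the article's Facebook example.
SAMPLE = """<p>Sign in to keep your account:</p>
<a href="http://www.terribly-dangerous-web.com/login">http://www.facebook.com/home.php</a>
<a href="http://www.terribly-dangerous-web.com/x">Sign In</a>
<a href="http://www.facebook.com/help">www.facebook.com</a>"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE, "facebook.com"):
        print(f"{f['why']}: shown {f['shown']!r}, actually {f['actual']}")
```

Without a claimed site only the first link is flagged; with `claimed_site="facebook.com"` the Sign In button is caught as well, which is the check a mail filter or a cautious reader hovering over each link performs.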

Manipulating search engine results

Big media events are loved by cyber criminals. They may be used to trigger social engineering schemes like those shown above, and they can be used in at least one totally different manner.

It is a fact that big media events like the swine flu pandemic, the volcano eruption in Iceland, the football world championship and similar inspire people to use search engines to look for new and updated information about the events.

By registering domain names (Internet names) that are associated with the event in question, and crafting web pages that are specially designed to satisfy search engines’ requirements, malicious web sites/pages may be “seeded” to appear near the top of results from search engines.

The events most suited for search engine manipulation are those that appear suddenly, like disasters. Specially crafted malicious web sites can then be created quickly and do not have to compete with genuine content about the event. Web sites about well-planned events will have had months to grow and will already have obtained good search engine rankings, so they are more difficult to compete with.

Such a malicious web site will unfortunately not offer particularly useful information about the searched-for event - it will rather only attempt to infect the visitor with malicious program code.

You will find more information about manipulating search engines in this security article from last year.

Next part

In the next article in this series we shall examine more closely:

  • infected web sites
  • characteristics of social engineering attempts
  • protection against unknown threats