
Computer "Malware": Worms, Trojans, Back Doors and Viruses
Over the last several years, the term "malware" has come to be used
to describe various kinds of malicious software written and engineered to compromise
personal computers in a variety of ways. The four main categories of malware
are:
- Viruses
- Worms
- "Trojans"
- "Back Doors"
Hackers are becoming more and more sophisticated and adept at coming up with
exploits that combine two or more of these categories to produce programs that
threaten networked computers on multiple levels. Here are brief descriptions
of each category:
Viruses
In their simplest form, viruses are individual programs that, when placed on
a target computer in such a way that they are subsequently executed (thus "infecting"
the computer), can produce results ranging from the innocuous placement of a
"test" file to complete deletion of data and reformatting the hard
drive. Not all viruses are malicious - some are written by "white hat"
programmers as tests to help discover vulnerabilities and remove or strengthen
them. There are many "families" of viruses with variations or strains
that have been around for many years, and new viruses appear almost daily. To
combat viruses, it is essential to install anti-virus software and update it
frequently. For more information on anti-virus efforts at Penn, visit www.upenn.edu/computing/virus
Worms
Technically speaking, worms are programs whose sole purpose is to replicate
and spread themselves to other computers. Some programmers write them with no
other purpose or intent than to see how far they will spread, and in many cases
there is no actual payload or threat from a worm. However, in recent years,
worms have been used as the vehicle by which viruses are primarily spread. Commonly,
once a computer has been infected by a virus/worm (usually by opening an infected
e-mail attachment), the virus component will set up and begin running an SMTP
mail server, and the worm component will begin to replicate the virus/worm and
e-mail it to addresses found in the computer's e-mail address book (this most
frequently occurs with computers using Microsoft Outlook), with the "From:"
header also taken from the address book.
"Trojans"
...as in "Trojan Horse", these are programs that are designed and
written to look like normal, useful programs, but contain hidden code that can
perform a wide variety of compromises up to and including granting a remote
user complete control of the compromised computer. For example, the Trojan may
be a version of a common command-line utility, such as 'ls' in Unix, with the
same file name and which performs all the normal command functions in addition
to other functions known only to the attacker.
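The trojaned 'ls' described above keeps its file name, and an attacker can also preserve its size and modification date, so the reliable check is a cryptographic digest of each system utility recorded from a known-good install and kept off the machine. The following is an added example, not part of the original article: a minimal baseline-and-verify integrity check of the kind that catches a replaced utility. The directory contents and file names are constructed for the demonstration and do not come from any real system.

```python
"""Added example (not from the original article): a minimal file-integrity
baseline, the kind of check that detects a trojaned system utility such as a
replaced 'ls'. File names and the temporary directory below are constructed
for the demo and are not taken from any real system.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record the digest of every regular file under root, keyed by relative path.
    In practice the baseline is taken from a known-good install and stored
    off-host (for example on read-only media), so an intruder cannot rewrite it."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = sha256_of(full)
    return baseline


def verify(baseline, root):
    """Compare the current tree against the baseline.
    Returns a dict with sorted 'modified', 'missing' and 'added' lists."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: snapshot a fake 'bin' directory, then replace
    'ls' with different contents under the same name and drop an extra file,
    which is the pattern a trojaned utility leaves behind."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("ls", b"original ls binary"), ("cat", b"original cat binary")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = build_baseline(root)

        # Same file name, different contents: only the digest reveals the swap.
        with open(os.path.join(root, "ls"), "wb") as fh:
            fh.write(b"ls that also does something only the attacker knows about")
        with open(os.path.join(root, ".hidden"), "wb") as fh:
            fh.write(b"extra file that was not in the baseline")
        return verify(baseline, root)


if __name__ == "__main__":
    print(demo())
```

Running the block reports 'ls' as modified and '.hidden' as added while 'cat' passes. The check is only as trustworthy as the baseline: if the hash list lives on the same disk as the utilities, a Trojan that replaces 'ls' can replace the list too, which is why the verification should run from trusted media against a copy kept elsewhere.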
"Back Doors"
In traditional computer programming parlance, a "back door" is an
entry point into a program that the programmer leaves himself in order to gain
quick access without having to go through all the normal, built-in security
checks. In theory, the back doors are taken out of the final release of the
software, but history has shown that often they are not. In the current network
climate, though, a back door is generally considered to be a program that has
been placed on a computer (usually surreptitiously) that allows a remote user
to gain and maintain complete administrative control over the computer - almost
always without the knowledge of the computer's owner or primary user. The most
famous and widespread examples of back door programs over the years have been
SubSeven and Back Orifice, but there are many, many others, and new ones appear
regularly. There are several ways that back doors can be placed on a computer
(though this can never be a truly complete list):
- Opening an infected e-mail attachment (they are often combined with viruses
and worms)
- Exploiting a computer left vulnerable by a previous, existing virus infection
- Clicking on a URL to a malicious website that surreptitiously downloads
the back door to the computer
- Exploiting a vulnerable, unpatched software application or operating system
service (this is what happened with the famous Code Red exploits)
- Leaving the computer unattended and unsecured (no password-protected screen
saver), so that the back door can be loaded directly from floppy disk, "thumb drive", CD-ROM, etc.
- Active FTP server on the computer (especially one that allows "anonymous"
sessions)
For best protection against malware (as against many other threats), be sure
to install, use and update anti-virus software, keep operating system patches
and service packs up to date, and never open an e-mail attachment unless absolutely
sure it is harmless.
For a computer that has been corrupted or compromised by one or more of the
above types of malware, the remedy depends almost exclusively on the nature
of the specific virus, worm, Trojan and/or Back Door (it is possible to have
"all in one"). In some cases, vendors such as Symantec, McAfee and
eEye make available software "tools" that can effectively remove the
exploit and repair the damage.
However, in many cases, the exploit has either installed
and activated a back door or other program that permits remote administrative
access, or has left the computer vulnerable and open to placement of such a
program. In any case where a computer has been exposed to a possible administrative,
"root-level" compromise, Penn Information Security requires that the
computer be disconnected from the network, all hard drives be reformatted, the
operating system be re-installed from original media and all current patches
and service packs be applied before the computer can be re-attached to the network.
Once the possibility of a back door exists, it is not possible to be certain
that multiple additional back doors have not also been installed, and there
is virtually no possibility that all can be found and removed.
For a more detailed explanation of why this is an industry-recommended remedy
for compromised computers, please read Help: I Got Hacked! Now What Do
I Do? on Microsoft's website at:
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
Last updated: Friday, July 13, 2007