Malware. Like software, but bad. Malware is like the stuff on Santa’s naughty list. It includes well-known categories like viruses, trojans, worms, and so on. But how do you end up with malware in the first place? There are two primary ways this happens: user action, and security holes. But before we go into how it happens, we first must define what exactly malware is, and at what point you have become infected.
Malware
Like I said, malware is bad software, doing things it shouldn’t be doing. The behavior of malware changes depending on the category, but what all malware shares is that it is malicious, which is basically a fancy word that means it does bad things that harm the user.
Malware, like software, is a program. Programs are instructions computers follow to perform a specific task. While programs are stored in files the same way other things things like pictures are, program files can be run. You can run your browser program, but you cannot run a picture – instead, you run a program that displays the picture file.
The point of infection is this: you ran a program that was malicious. Up until that point, all was well, but the instant you ran the program you become infected. For example, downloading a virus does not run a virus, and therefore does not infect your computer. Running it after downloading it is a different story. It is like the difference between happily ever after and “all my files got encrypted” ever after. This is where the line of infection is.
It isn’t quite as simple as just running a program, though. Programs also run with certain privileges. There is a principle (not the school sort) in computer security known as the principle of least privilege that says things should only have access to things they need, and no more. For example, the average citizen shouldn’t have access to nuclear launch codes, because they don’t need them (“Mom! Cindy isn’t sharing the nukes!”). Meanwhile, somebody who is responsible with this privilege (say, governments that aren’t North Korea) have access.
In computers, there are two general levels programs run at: as a user, and as a superuser. User level only allows the program to access your files and other programs running under your current user. Superuser level lets a program access everything. The name for superuser privileges varies by operating system – Administrator on Windows, root on Linux, and so on. If you run malware as a normal user, it can only damage that user; the rest of the system is untouched. If it runs as superuser, however, there is nothing it cannot do.
In the two ways that follow, the end result is that malware is run at some point.
User Action
This is the big one. By and large, I’d say 95% if not more of malware cases are caused by user action. What this means is, more or less, operator error. These are cases where the user – that means you – took a deliberate action to allow malware to run. These are also the easiest cases to avoid.
Why would users run malware, you say. Well, in some cases, they know they are running a program but the program is not what it claimed to be – the classic trojan horse. In most cases, though, it is something far more basic: people don’t read. Not sure what passes for education these days, but clearly reading isn’t in there.
It isn’t because people cannot read, though. They just chose not to. So when Windows asks them, “Are you sure you want to run totallylegitpictureofcats.jpg.exe?”, they simply click ok without reading it and run malware in the process.
It gets worse. Windows doesn’t ask you if you are sure every time you run a program. That would get pretty tedious because it would occur for every program you run. Instead, it only occurs for programs that run as superuser. This means that not only did you run malware, but you ran malware as the superuser. Now, Windows asks you for permission to run legitimate and malicious programs alike. It is certainly possible that, while the program you ran did run as superuser, it was legitimate. That is, Windows asking you if you are sure isn’t indicating the program is bad – it just means you should be sure it isn’t bad.
Not reading aside, in general there are steps taken before that point where the user gets the program in the first place. Running random attachments in emails was one of the first widespread ways viruses were spread and is still prevalent today. Trojan horses are also fairly common, where the program claims to be one thing but is actually another. Additionally, a decent amount of adware is distributing bundled with legitimate programs, unfortunately. For example, the Java installer from Oracle offers to also install the Ask toolbar for you (how nice of it), where the default is opt-in. This means you have to explicitly uncheck a box to not install it – and again, users do not read things. They zoom right through the installer, and end up with the Ask toolbar. I don’t know anybody that actually uses the Ask toolbar. Even people that google google before googling (you know who you are) don’t use it. Shame on you, Oracle.
Another big source of these is ads. Some website banner ads are legitimate, but a good number of them, especially on file download sites, are fake. I am pretty sure the average file download page has somewhere in the region of 5 download buttons. So people click them, or misclick onto one, and end up downloading who knows what.
Security Holes
Let’s say you have a yard. You, being cranky, don’t like when those kids keep going on your lawn. “Get off my lawn!”, you say. But they come back later, and it is tiring. So you have an idea. Build a fence! And make them pay for it! Wonderful. Now nobody gets in, and you can be cranky elsewhere.
But then something happened. One day, the kids were in your yard again. But the fence is still there, and there aren’t any UFO’s nearby that are vacuuming up cows from the countryside. So how did they get there? As it turns out, your fence has a hole. The fence went all the way around your yard, but a single hole was all it took for the kids to get in again.
Programs, like fences, can have holes. These holes also go by the name vulnerabilities. I will not go into the technical details of why there are holes, just the result. A program with a security hole is like a fence with a hole: stuff can get in. If a malware creator knows a hole exists, they can create or alter malware to “fit” into the hole, infecting the system.
The key distinction here is that these are not caused by the user at all, but rather the existing, legitimate programs they are running. For example, your browser could have a security hole. As it turns out, things of all sizes end up having a lot of security problems over time. For example, old versions of internet explorer had a problem known as drive-by-downloads. By simply visiting a page, a program was downloaded and ran. Instant infection, not quite as good as instant rice.
There are numerous other cases like this. Email clients used to open attachments when an email was viewed. This meant they also ran programs that were email attachments. You can imagine how that went. Similarly, Microsoft Office programs (Word, Excel, and so on) have their own scripting programs called macros. These macros can do many things, and they are a useful feature. The problem is that they always ran when you opened a document with them. This made actions like opening a word document you got from an email potentially risky because it could be running a program. Modern versions of Office disable running macros by default unless you choose to run them.
Security holes can also be found in operating systems. One such hole is a privilege escalation exploit – a security hole where a program running as a normal user manages to run as superuser.
What can you do about security holes? There are two primary actions available to you. First, don’t run programs that are known to have excessive security problems (looking at you, Flash), or know the risk you are taking if you do. This also applies to outdated programs. For example, Microsoft recently dropped support for Windows XP. This means if a security hole is found they aren’t going to fix it anymore.
Second, when updates are available, get them. When a security hole is discovered, an update is made to fix it (known as a patch), and then the update is released. At that point, malware creators know the flaw exists. They can take advantage of this when people do not update their software to patch the hole.
Sandboxing
There is another interesting concept related to security known as sandboxing. What is a sandbox?
It is a box. Of sand. Not that complicated.
But we can note something about sand boxes; the sand is in the box. Mostly. As usual there is a bit of sand outside the edge, and you know that is never going to end up back in the box. But let’s pretend, for the moment, that every single grain of sand is inside the box.
Every time you go to a new web page, your browser is running a program made in javascript from that webpage. What if it is malware? We would have the drive-by-downloads situation all over again. The reason browsing the web is safe is because of sandboxing. Sandboxing, in software terms, means you keep the sand (program) in the box (boundaries defined for the program). For example, javascript programs are only allowed to do certain things, like change how the website looks. They cannot access your local files.
Mobile devices that run apps are another great example. Have you ever heard of somebody saying their phone got a virus? Me neither. And the reason is because apps are sandboxed. When you install applications, they request certain permissions which you grant by choosing to install. They are only allowed to do what you permit them to do.
For example, if an application does not have network permissions, it cannot communicate outside your phone. Similarly, an application without permission to your calling information cannot get your phone number. By limiting what applications are allowed to do, they can be safely run even if we don’t know if they are malicious or not. Applications are also sandboxed individually, so applications cannot affect other applications.
This is very helpful, as it lets us get the benefits of running these programs without the risks.