I have an antivirus product so why do I keep getting infected with viruses and malware?

There is no simple answer to this question.  To answer this question, we must understand the motivation for writing these malicious programs, the types of viruses, who gets targeted and why and finally, what can be done to prevent viruses and malware from entering your computer system and network.

Evolution of the virus

The answer to this question has changed over the years.  In the early days, it was mainly "script kiddies" that were starting out in programming and they decided to use their new-found skills to cause a nuisance and gain notoriety.  The real world parallel that can be drawn to this behaviour is someone spraying graffiti on walls or playing mailbox baseball.  This requires relatively little skill and infection usually requires user interaction.

As time has progressed, the behaviour has changed from being a nuisance to trying to keep itself alive.  In 1998 we saw email servers crippled with the Melissa Virus which took advantage of a bug in Microsoft Word and propagated itself to all of your Outlook address book contacts.  The ILOVEYOU virus was the successor to the virus in 2000 which operated in a similar way.

The next step in the evolution of the virus is the Worm.  This type of virus takes advantage of holes and bugs in Windows to propagate itself on computer networks and the Internet.  In 2001 Code Red worm was the first worm to grab headlines as it slowed computers and networks as it propagated itself.  An infected computer would then try to infect others and on a particular date and time the virus would try to bring the www.whitehouse.gov down by overwhelming it with traffic.  It managed to infect 250,000 computers in 9 hours.  The good thing is that this worm only affects computers before Windows 2000 (i.e. Windows 95 and 98).  You won't notice it these days but, if you set up a scanner on your internet connection you will see this worm is still living and trying to infect your network even to this day.  A virus called Storm, a follow-up to Code Red, reared its head in 2007 infecting between 1 and 50 million computers, where once infected, the computer would silently send spam email.  At one point it was believed to be responsible for 20% of the world's spam.  The main purpose of spam email is for monetary gain from unsuspecting users.

More recently viruses have not had the same impact as they did in the beginning of 2000.  This is due to people being more aware and preventative technology including Windows updates, firewalls, antivirus products and NAT (Network Address Translation) routers.  With the increase of awareness and security measures, the methods of infection have become much more cunning and required much more skill as a malware author.  As documented previously on this blog, Cryptolocker is the newest, most active and most lucrative piece of malware ever created.  Cryptolocker is a form of "Ransomware" that encrypts your critical data and provides you a means to pay for decryption.  A recent calculation shows Cryptolocker has netted its authors a total of $30 million dollars in 100 days.  As this threat has been so successful, many copycat viruses have shown up on the Internet.  So we are now faced with a threat that not only propagates automatically throughout the Internet but it is a program that is specifically designed to extort money from an end a user.

To summarise, we have seen viruses evolve from a simple nuisance through to an extortion tool.  Unfortunately, these attacks never get worse, they only get better.  Malware authors are always on the lookout for ways to gain access to your system.  The more applications you use, the larger the attack surface becomes.

Why do people write viruses?

These days, the motivation is money.  As described above, over the years viruses have evolved from being a mere nuisance for notoriety to an extremely profitable and damaging product.  With a windfall of $30 million in 100 days, is there any wonder why the virus industry is alive and well?

Types of viruses and malware?

When we talk about malware, there are many types of viruses and malware whose purpose can vary.  These also can vary from poorly written applications that tend to slow down or crash your computer to professionally written applications that perform in exactly the way the author intended and can stay hidden on your system for a long time.  There are two major classes of malware, malicious programs, and Ad/Porn/Riskware.  Within these classes are multiple sub-divisions.  With so many types of viruses and malware, finding an infection and eliminating it can be a difficult, especially if it jumps from computer to computer within a network.  The known malware types are documented below:

Malicious programs

Viruses and Worms:

Net-Worm
Email-Worm
Worm
P2P-Worm
IM-Worm
IRC-Worm
Virus

Trojan programs:

Backdoor
Exploit
Rootkit
Trojan
Trojan-ArcBomb
Trojan-Banker
Trojan-Clicker
Trojan-DDoS
Trojan-Downloader
Trojan-Dropper
Trojan-FakeAV
Trojan-GameThief
Trojan-IM
Trojan-Malifinder
Trojan-Notifier
Trojan-PSW
Trojan-Proxy
Trojan-Ransom
Trojan-SMS
Trojan-Spy

Suspicious packers:

MultiPacked
SuspiciousPacker
RarePacker

Malicious tools:

Adware, Pornware and Riskware

RiskWare:

Client-IRC
Client-P2P
Client-SMTP
Dialer
Downloader
FraudTool
Monitor
PSWTool
Server-FTP
Server-Proxy
Server-Telnet
Server-Web
WebToolbar
NetTool
RiskTool
RemoteAdmin

PornWare:

Porn-Downloader
Porn-Dialer
Porn-Tool

Adware:

Display Advertising
Data collection

How do viruses get in my computer?

As technology becomes more complex, the software that runs on these systems becomes more complex.  It is very difficult to write a software product that is both functional and secure.  Most applications are written without a focus on security which can lead to sloppy programing which hackers can take advantage of.  Security is usually an afterthought as it is very costly to write a functional AND secure application.  The more applications you use on your PC and network, the greater the attack surface is.  The two things hackers looks for are attack surface and attack vectors.

Attack Surface:

The attack surface is increased by the number of applications you have installed on your computer.  The more applications, the more chance an attacker will have to exploit one of these programs.  The greater the install base of a program, the bigger the target.  For example, Windows XP is still being used by 45% of users worldwide, this is a very enticing product to exploit as the install base is so large.  Java (an application installed on Windows and Mac) is installed on over 4 billion devices worldwide.  Both Windows and Java are subject to new attacks almost on a daily basis.

You may remember a few years ago Apple Mac had the unique selling proposition of "we have zero viruses".  The reason they had no viruses was not great coding of their operating system, but it was the fact it had 1% of the worldwide PC market.  This install base was not tempting enough for hackers.  Over the years since then, Apple has increased its market share and as such has become a larger target for attackers.

Attack Vectors:

An attack vector is a path or means by which a hacker can gain access to a computer or network in order to install an application or malicious software.  Attack vectors enable hackers to exploit system or application vulnerabilities which can also include the human element.
Attack vectors include documents, e-mail attachments, Web pages, pop-up windows, instant messages, chat rooms, malformed images, website advertising, scripting, cracked/pirated software, USB or removable drives and deception.  All of these methods involve programming (or, in a few cases, hardware), except deception.  Recent cases of deception include phone calls from a person who claims to be from Microsoft and fools the user in to installing an application on their computer which compromises the security on the PC or network http://apcmag.com/phone-con-no-that-is-not-microsoft-calling.htm.
To some extent, firewalls and anti-virus software can block attack vectors. But no protection method is completely attack-proof. A defence method that is effective today may not remain so for long, because hackers are constantly updating attack vectors, and seeking new ones, in their quest to gain unauthorised access to computers and servers.

The balancing act between usability and security

The main reason for lower security on computer is to provide the user with a better user experience.  The last thing most users want is the computer asking is it okay to perform this task? Or do you really want to access this part of the system?  Or the computer will ask the user for an administrative password to continue.  All of these are inconveniences that people do not have the time for and will increase calls to the helpdesk.  So, to shortcut this, the option is to turn off the warnings and give the user elevated privileges to the computer.  The problem with this scenario is that programs can run on the system without the user knowing.  This is the precise environment that allows viruses and malware to thrive.  So what is better for your business?  Happy users or locked down computer systems?  It seems you can't have both.

How can I protect myself?

The only 100% way to prevent yourself from getting a virus is going back to using pen and paper and not using a computer.  In most cases this is not an option.  So what else can be done to minimise your chances of contracting an infection?

Patch updating:

Every month (or often more frequently) Microsoft and other developers such as Java and Adobe will release patch updates for their software.  These are mostly security patches for their programs and are usually in response to known vulnerabilities in the software which are more than likely being used by hackers to compromise systems without the patch update.  Windows XP is 13 years old and is still having security patches updated each month.  Loyal I.T.'s Managed Services offering manages patch updating on all servers and workstations that it is installed on.

Use an antivirus product:

Installing an antivirus product is not a ticket to reckless on the Internet.  It is simply an extra layer of protection from the bad guys.  Antivirus products determine if a program is malicious by checking the program against its database of known viruses, this database is known as the Virus definitions.  Virus definitions are downloaded by antivirus programs almost once per day.  Whenever a program or file is accessed, the antivirus program scans it for infection, this is known as on-access scanning or real-time protection.  The system is also programmed to perform a full scan of the computer in case a virus has crept into the computer silently using a different/unknown attack vector.  The antivirus will also block suspicious activity which it may notice on your system such as a program trying to access certain files or make changes to the system, this type of detection is called heuristics.  Unfortunately, heuristics may lead to false positives and false negatives.  Depending on how the virus has been written it is possible for it to fool antivirus products into not detecting it, such as the always evolving Cryptolocker.  Loyal I.T. recommends Vipre Antivirus to protect your network, workstations, and servers.

Use an antimalware product:

As discussed above, antivirus products detect viruses by their signature or activity.  Malware that is not classified as a virus (commonly adware and spyware) will not get detected by antivirus products due to the program signature or activity not technically being viral activity (even though the outcome may look the same to an end user).  Whilst malware that is not a virus and is generally not openly malicious, it can invade your privacy by collecting data and sending data about you or leaving a door open (an additional attack vector) for a virus to infect your system.  As the water can sometimes be muddy between the definition of a virus and malware it is recommended to run both an antivirus and an antimalware scanner.  The most common free-for-use antimalware product is Malwarebytes.

Use a security firewall on your Internet connection:

One of the reasons why Code Red and Storm were so successful was that dial-up modems and routers would allow all traffic through them directly to the PC.  These days routers come with a low quality firewall NAT routing as standard which mitigates most unsolicited direct connections from the outside world to your PC.  This slows the propagation of worms.  It is recommended to install a higher quality firewall product on your internet connection.  Loyal I.T. recommends Draytek firewall appliances to protect your network from intrusion.

Disable scripting in your web browser:

99.9% of viruses and malware contracted via the Internet could be prevented by disabling scripting.  Unfortunately, most websites require scripting to display properly and as an unwanted side effect, viruses like to take advantage of scripting to deploy themselves on your PC or network.  Firefox has an add-on called "NoScript" and Google Chrome has "NotScript".  There is currently no comparative product for Internet Explorer.  These products are free however they become hard to manage as most websites will break and require you to manually allow scripting for these sites to work.  This comes back to usability vs security, you lose usability to gain security.

Add an advertising blocker to your web browser:

Surprisingly, even trusted websites can be the source of malware deployment by the way of scripting within advertising.  As many websites provide advertising via web advertising agencies, these agencies may not properly scrutinise the advertising they are providing and as such some advertising can contain malicious software.  The best way to minimise the risk of these advertisements infecting your computer is by using NoScript/NotScript or install an advertising blocker on your browser.  In Firefox and Chrome, the free add-on Ad Block Plus will block most advertising that may compromise your computer.  This however, raises an ethical question: if a website is providing a free service and is relying on revenue by serving you advertising then is it ethical to block the advertising and consume their content anyway?  This ethical conundrum can only be answered by the personal ethics of the end user.

Do not open emails or follow links provided by someone you do not know:

Email is the most common source for "clickbait" followed closely by social media on Facebook and Twitter.  With web services such as Bitly and other URL shortening systems it can be difficult (if not impossible) to know where the shortened URL will take you.  If it is sent to you by a source that you do not know or it is out of character for the person you know to send you a link, it will probably lead you to a website where you will get infected with a type of malware or virus.  It is best to ignore or delete these requests as soon as you get them.  It's akin to taking candy from a stranger don't do it!

Only visit websites you trust:

You can (mostly) get away with not having security on your computers if you enforce a policy of only visiting websites that you trust.  Web sites such as Google or banks will be okay but sites such as The Pirate Bay will not be.  As mentioned above, high-quality firewall products can enforce site filtering.  Blacklisting blocks known bad websites filtered by category such as social networking or advertising (the key is known there may be websites allowed that have malicious content i.e. a false negative).  There is also a filtering technology called Whitelisting (which is much more reliable) which blocks all websites unless they are specifically allowed.  Again, this will take quite a lot of time to properly manage but it again comes back to: do you want usability or security?

Do not allow administrative access to the PC being used:

To ensure a smooth user experience, users will ultimately be allowed to change configuration settings on their computer.  To do this, you need what's called local administrator rights or elevated privileges.  This allows the user to change various settings on the computer, access different sections of the computer and allow programs to be installed.  It is the allowing of programs to be installed that causes the most problem when talking about contracting an infection by malware or virus.  Installation of programs (including viruses and malware) contracted by surfing the web or following a malicious link often require elevated privileges.  If these privileges are turned off then the attack surface shrinks as some of the attack vectors become redundant.  Doing this however, will lead to a more restricted user experience and may result in more support calls in order to perform daily tasks.

Enable User Account Control on Windows Vista and above:

User Account Control is the pop-up message you will often see after you try to install a program or open a section of the computer that requires elevated privileges.  This is a warning to say something that will affect the system is about to occur.  If this message pops up and you have not started a program or do not know what could have caused it, press cancel to deny privileges to install on your system.  This is the final safeguard to prevent a virus getting in to your computer.  If you permit the unknown program to run then your system may become compromised by a virus or malware.

Now that you understand how viruses make their way on to your computer and the methods of virus prevention, please don't hesitate to contact us to help you develop a security strategy for your business.

More technical information

References:

Attack vectors http://searchsecurity.techtarget.com/definition/attack-vector

Types of viruses https://www.securelist.com/en/threats/detect?chapter=125

How antivirus products detect viruses http://www.howtogeek.com/125650/htg-explains-how-antivirus-software-works/

Why do people write viruses http://www.techrepublic.com/blog/it-security/why-do-people-write-viruses/

Virus evolution http://computer.howstuffworks.com/virus3.htm