What Is Malware and Why Should I Worry About It?

MDNG Primary Care, April 2009, Volume 11, Issue 4

What should you know about malware, what can you do to protect your computer, and what should you do if your computer becomes infected?

Viruses and other malicious software can quickly and easily ruin a computer’s program and files. What should you know about malware, what can you do to protect your computer, and what should you do if your computer becomes infected?

Healthcare providers spend their professional lives fighting attacks on the human body. Do they need to worry about attacks on the computers they use in day-to-day practice? Unfortunately, the answer is yes. The dangers to computers today are greater than ever.

The good news is that protective technologies provide ever-better methods for safeguarding computer systems. Those tools are complex, and applying them appropriately as part of an overall security strategy requires some technical expertise. Although large groups and institutions have professional IT staffs to worry about all this, physicians in small groups or solo practice have to be more self-reliant.

The malware problem really is worse than ever

The threat from malicious software continues to grow at an explosive rate. The number of new viruses, worms, and other types of “malware” detected in 2007 was double that for 2006; new variations detected in 2008 were triple the 2007 numbers. Indeed, there were more malware variations discovered in 2008 than in all the previous years for which records are available combined.

Do lots of variations translate into lots of actual threats? Indeed, yes, and the threat is nearer than you probably think. You may have heard that countries like Russia and China were What Is Malware and Viruses and other malicious software can quickly and the sources of most of the Internet’s plagues. Those may be among the more popular points of origin, but more malware is actually hosted on American websites, and more spam is relayed from American computers, than in any other country.

This doesn’t mean the US is full of Internet criminals. It means it’s full of computers that have been infected and hijacked by Internet criminals to do their nefarious work. It’s estimated that 10-15% of all computers worldwide are infected.

What is malware, and how do infections occur?

Malware is an umbrella term for destructive entities, such as viruses, worms, Trojan horses, and spyware. The common factor is that these digital invaders alter the way a computer operates, without the permission or knowledge of the user.

In a simpler time, the primary way a computer got infected with malware was by physical contact—sharing files on portable storage media like floppy disks. Today, malware more commonly arrives in e-mail messages, either in an infected file attached to the e-mail or via an enticing Web link within the message.

Malware can also be embedded in a downloaded file (eg, an image or music file from a peer-to-peer service). Or it can enter through an open network connection, without any inadvertent abetting action by a human user, if a computer does not have appropriate security protections.

What are the symptoms of infection?

Some malware inflicts damage directly on the computer that has become its host, by altering data files or programs. Particularly vicious malware can destroy the contents of a computer’s hard disk entirely, or other wise render the system unusable.

Other varieties commandeer the infected system to use for reproduction. Destructive possibilities include using the compromised system as a “bot”— also sometimes called a “zombie host”—with the collection of such infected systems forming a massive “botnet” of infected computers. The infected bot systems can be used for launches of denial-of-service attacks (flooding a target website with requests) or for mass export of questionable materials (such as pornography or spam).

In addition to wreaking obvious havoc with files and programs, malware may announce its presence by displaying text, graphics, or audio (some creators like to brag). Alternatively, malware may operate entirely in silence unless/until discovered or an internal “sunset” clock shuts it down. Lack of obvious symptoms is no guarantee of a clean bill of health.

Source: www.f-secure.com/en_EMEA/security/security-lab/latest-threats/security-threat-summaries/2008-4.html

Can protective software prevent malware infection?

The traditional method of defense is to rely on detecting the “signature” of malicious software—that is, the unique bit pattern of the computer code that constitutes the malware. Protective software should be set to check all incoming e-mail and e-mail attachments, all files downloaded from websites, and all files transferred from removable media (floppies, CDs/DVDs, flash drives). It should also be set to scan a system’s entire hard drive regularly, to detect malware that has made it past the initial scans.

Most anti-malware software now also looks for the suspicious network communications and traffic patterns typical of malware—sometimes called “behavioral” detection. New malware variations disperse through the Internet so fast that it is not possible to rely on signatures alone, even if those signatures are continually updated. Hence, the reliance on behavioral tools as well.

Other forms of protection, like “intrusion detection/prevention systems” and “firewalls,” rely on varying combinations of signature and communications pattern approaches. Here, as in so many other areas of information security, it’s usually necessary to have more than one form of defensive strategy, so that all is not lost if one barrier is compromised.

In a large corporate network, antimalware software (and hardware) is deployed in multiple layers: on the network routing devices, on the server computers providing shared services, and on each individual personal computer connecting to the network. In a small office, you need to worry mainly about the personal devices. “Firewall” software (or hardware) to detect intrusions over network connections is also highly recommended for small office networks and at-home systems.

As noted at the outset, putting these pieces together appropriately requires some technical skill. It’s recommended that you consider contracting out for this, unless you are confident in your own skills. Security is one area of computing life in which it does not pay to pinch pennies.

Do human choices matter?

When appropriately deployed, the combinations of automated defenses are quite robust. But human behavior is still the key. By clicking on a link in an e-mail or on a website, you can instantly infect your computer—and very quickly possibly infect other computers in the same part of the network— before the pattern and signature defenses have had time to react and isolate the infection.

Fortunately, the human behaviors to prevent this are relatively easy to list: don’t click on a link unless you have complete confidence in the e-mail or website containing that link. Make a habit of checking where a link is actually going; the address will typically display when you hover your cursor over the link. And never provide your user ID and password to a website unless you are sure it is a site authorized to ask for those credentials.

What do I do if my computer gets infected?

Anti-malware software will intercept and isolate any problems it detects and attempt to un-do any associated damage to critical system files. But not all infections can be reversed, and some data files may not be recoverable. In extreme cases, you may be required to re-install your computer’s operating system, which will erase all your data files. You will need to re-install other software as well.

For this reason—as well as the ever present risk of hard drive failure—I strongly recommend that you have secure backup copies of your files. If the files relate to something critical, like your clinical operations, you can’t have too many backups. The countervailing constraint is the expense of storing those backups in a secure place. It is fine to keep some of the backups close by, but some should also be transferred to a physically distant location safe from both human and environmental threats. The latter are particularly important to consider; fire and water hazards show up much more in the insurance claim statistics than you might imagine.

Most people, in my experience, plan to make adequate regular backups— the reason to do so is obvious, after all—but nearly nobody does. Your best bet is to install software that automates the process.

6 Rules for “Safe Computing”

#1 Be cautious about e-mail attachments. Unless you are sure the e-mail is from a reliable source, don’t open the attachment. Scanning with anti-malware software is a good safety step, but the newest viruses may still get through. Be conservative about your own use of attachments. Cut and paste plain text into e-mails whenever possible.

#2 Be cautious about file downloads. Even files from seemingly reliable places can contain malware. Downloads from malware havens like peer-to- peer networks are practically guaranteed to produce an infection sooner or later.

#3 Be cautious about links in e-mails and online. Links can trigger file downloads or start up executable files.

#4 Use appropriate security settings. Your computer’s operating system, browser, and e-mail software can be set to protect you against the most common forms of attack (eg, by disabling macros and scripting languages).

#5 Keep your anti-malware software up to date. Protective software must be regularly updated with new “signatures” in order to be effective at detecting the newest infestations. Fortunately, most products can be set to install updates automatically.

#6 Keep up with upgrades for your computer’s operating system, Internet browser, and e-mail software. Malware designers target software vulnerabilities, particularly those for which “patches” have recently been issued. Use whatever automatic update features are available for these, too.

Varieties of Malware

It is common to refer to all malware as “viruses”—and protective software is still sometimes called “anti-virus”—but there are also worms, Trojan horses, spyware, and other virtual life forms with which to contend. Today’s malware writers build increasingly complex hybrid beasts that blur the traditional categories. The formal differences are these:

Viruses require a host for survival and reproduction, just like their biological namesakes. Viruses must insert their code into an application like Word or Excel, or a data file for such programs, particularly ones that have macros or a scripting language capability. Worms, by contrast, are self-replicating programs that do not need a separate software host.

Worms are generally “network-aware” creatures that can propagate by seeking out other connected computers within adequate defenses.

Trojan horses are programs or data files that appear benign but carry a malicious payload, like a virus. The term owes its origin to the famous wooden horse from Homer’s Iliad, doing to the host computer what the Greeks did to Troy.

Spy ware is any software that aims primarily to extract information, either by harvesting data stored on computers or by monitoring a user’s computer activities. Companies that promulgate the less-invasive forms of spyware—designed primarily to track your behavior for marketing purposes—prefer the term “adware.” However, since spyware is generally installed without users’ knowledge, and does things that most users do not desire, it probably deserves to be labeled as malicious, too. Spyware once required different protective software, but most “anti-virus” software can detect it now.

Do you maintain up-to-date anti-virus protection and other safeguards for your office computer systems? Has your system ever been infected with a virus or other form of malware? Have you ever hired an outside IT consultant for your practice?

Dr. Cushman is the director of operations and user support in the Medical Information Technology department of the University of Miami Health System and School of Medicine.