In recent weeks, I have been inundated with email messages from Boalt Hall (the law school at the University of California), the FBI, Sweden, and elsewhere, announcing that I have a new password, that I have been visiting illegal websites, and the like. Each of these was infected with the Sober worm, W32.Sober.Kmm, and each of these, thankfully, was cleansed either by the antivirus software running on the ABA mail server or by my own antivirus software. The IT press also has reported a new variant of Bagle, the BagleDI-L Trojan horse, which disables your security applications if you are so naive as to open the ZIP-file attachment and run the embedded executable file. In addition, malware writers recently have taken to using .rar archives to sneak viruses past filters that look inside .zip attachments but do not unpack .rar files. The .rar compression algorithm is about 30 percent more efficient than .zip and generally is used to transmit very large music or video files. In late January, the Netsky.p worm was infecting about 2,500 PCs a day.
All this malicious activity prompts me to ask if any of you aren’t running antivirus software automatically updated with the most current definitions. Did you disable your antivirus software because it conflicted with another program? Did you get tired of upgrading after Symantec discontinued support for the edition of Norton Antivirus you had installed on your system—or just defer buying and installing the newest version? Did your annual subscription for virus definition updates expire, and have you deferred renewing? If so, you’re in good company. These things happen and are no cause for shame—but they may result in chagrin, because your computer either already is infected or soon will be, without your knowing it, unless you take immediate action.
Modern malware (viruses, worms, and the so-called bots that turn your PC into a zombie doing a hacker's bidding, such as mass-mailing spam) will not announce its presence. Real malware isn't like the virus in the film Independence Day that shut down alien spacecraft. Real malware operates stealthily in the background, quietly altering data, stealing private information, or using your PC for the illegal ends of the miscreants. It can be extremely hard to spot if you're not well protected.
If your PC is behaving oddly, however, that does not necessarily mean that it is infected. It could simply be that your Windows operating system is misbehaving (again), or that other legitimate software is poorly written and causing problems. Email warnings of infections also may be hoaxes. I can't count the number of times I've received a frantic note from a friend, claiming to have been infected, and therefore so have I. These notes typically announce that the virus can't be detected by antivirus software, but that I can get rid of it by deleting one simple file. Don't be fooled, and don't delete that file unless you verify that it indeed is malicious: in the classic hoaxes of this kind, the file named is a legitimate Windows component, and deleting it can break your system.
How do you check? I visit the Symantec Antivirus Research Center website at http://www.symantec.com/avcenter and search for the alleged malware file. It will tell me either that the message is a hoax or that the threat is real, in which case it will tell me how to get rid of the offending malware. Another approach would be to copy the subject line of the warning message or the name of the alleged malware file, paste the character string into your favorite search engine, and see what information is out there on the Net. A security site may have already pegged the message as a hoax.
Even though malware is stealthy, it will indirectly disclose its presence. Is your computer conducting a lot of network activity when you aren't? A good software firewall will ask your permission before letting anything leave your PC and will give you enough information (the program's name and location, and the address and port it wants to reach) to allow you to assess whether the outgoing data is legitimate. The firewall built into Windows XP does not do this: it filters inbound connections only and says nothing about what leaves your machine. That said, the network activity could just be one of your software applications (or Windows itself) automatically updating itself in the background.
If you have the time and inclination to do some detecting, you can check for malware yourself.
Open the Task Manager (CTRL-ALT-DEL, or CTRL-SHIFT-ESC) and look at the Processes tab. If you see a name that looks suspicious, write it down and search your computer for the file. When you find it, right-click on the file name and click Properties. A legitimate file usually names its publisher (such as Microsoft) on the Version tab, but that text is just a string the file's author typed in, and malware can copy it; a Digital Signatures tab showing a valid signature from that publisher, and a location under the Windows or Program Files folders rather than a temporary or user folder, are much stronger evidence. If you can't satisfy yourself that way, plug the file name into your favorite search engine and see what turns up.
Click Start, Run, and type “msconfig” in the box. That will bring up the System Configuration Utility, a tabbed window which shows (on the Services tab) the services your PC is running and (on the Startup tab) the programs your system launches at startup. On the Services tab, tick “Hide All Microsoft Services” to shorten the list to third-party entries. Check anything strange the same way you did using the Task Manager information, and bear in mind that clearing an entry here only stops it from starting; it does not remove the file.
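The Task Manager and msconfig inspection described above, scripted as an added example; this is not code from the original column. It assumes a current version of Windows with Windows PowerShell 5.1 or later (the Windows XP machines of the column's era have no PowerShell), run from an elevated prompt so the path of every process can be read; the function and variable names are mine. It lists every running executable with the publisher string from its version information beside the result of an Authenticode signature check, flags the ones that are unsigned or run from user-writable folders, and then dumps the registry Run keys and Startup folders that the msconfig Startup tab draws on.

```powershell
# Added example, not from the original column. Assumes Windows PowerShell 5.1 or
# later on a current Windows, run from an elevated prompt (otherwise Get-Process
# cannot read the path of processes owned by other users or the system).

function Get-ProcessTriage {
    # One row per distinct executable that currently has a process running.
    Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Name      = $_.ProcessName
            Path      = $_.Path
            Company   = $_.Company              # version-info string; anyone can set it
            Signature = $sig.Status             # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$triage = Get-ProcessTriage

# Worth a closer look: no valid signature, or an executable living in a folder the
# user can write to. Some Windows components are signed through security catalogs
# rather than an embedded signature; if such a file in System32 shows NotSigned,
# verify it further rather than assuming it is malicious.
$triage | Where-Object {
    $_.Signature -ne 'Valid' -or
    $_.Path -match '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\'
} | Format-Table Name, Path, Company, Signature -AutoSize

# Startup entries: the registry Run keys (what msconfig's Startup tab lists) plus
# the per-user and all-users Startup folders.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-StartupEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider bookkeeping, not entries
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    foreach ($folder in 'Startup', 'CommonStartup') {
        Get-ChildItem -Path ([Environment]::GetFolderPath($folder)) -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName } }
    }
}

Get-StartupEntries | Format-Table -AutoSize
```

Read the two tables together: a startup entry whose Command points at an executable that the first table flagged as unsigned and living under a user profile folder is exactly the pattern the Properties dialog alone would not reveal, because the Company string in the version information can say "Microsoft" whatever the signature says.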
If it turns out that your system is infected, antivirus software publishers typically have a knowledge base that will tell you how to purge the infection from your system—either manually or with a removal tool from the publisher. Look at Eset’s Virus Descriptions, GriSOFT’s Virus Encyclopedia, McAfee’s Virus Glossary, Symantec’s Virus Encyclopedia, or Trend Micro’s Virus Encyclopedia.
If you don’t have any antivirus software on your system, or your definitions aren’t current, or the software has stopped working, you can get a free scan at the website of any major antivirus publisher. You can use McAfee’s FreeScan, Symantec’s Security Check, or Trend Micro’s HouseCall. If one of them doesn’t find anything, try another. Once you’re done, buy a real, current antivirus program (either on CD from a brick-and-mortar store or downloaded from the Web), install it, and download the most current definitions. Once it is installed and updated, immediately perform a full system scan, even though scanning again after the online checks is a “belt-and-suspenders” approach.
Once your system is clean, make sure it stays that way. An ounce of prevention is worth a pound of cure, especially if you factor in the market value of the time wasted on diagnosing and curing an infection, and the potential cost of disclosure of client confidences from your system. Prevention does not have to be costly, although my experience is that you get what you pay for. You can implement system security with free downloads, such as AVG AntiVirus Free Edition, ZoneAlarm (a personal firewall), and Ad-Aware SE (an antispyware tool).
Whatever solution you select, it should include antivirus software, a firewall, and an antispyware tool (or two or three, one of which should be running in the background)—and make sure that your security software is completely up to date at all times. It’s not enough to have software that regularly updates itself automatically. If you have been offline for any period of time (such as vacation or business travel), the first thing you should do after booting up your computer is to download updates for all your security software. Restrain yourself from checking email or otherwise getting on the Web until you do so.
There also are some other steps you can take to protect yourself:
Exercise extreme caution with email. Set your email software security settings to high. Don’t open any message with a generic-sounding subject or any message that doesn’t apply specifically to you, especially if it comes from someone you don’t know. Never open an attachment unless you’re expecting it; the worms described above forge the sender address, so a familiar name or institution on the From line is no guarantee of anything.
If you have broadband Internet access (DSL or cable), install a router (preferably with a built-in hardware firewall), even if you only have one PC. This adds an extra layer of protection for your system, because your PC will not be connecting directly to the Internet: with the router’s network address translation in place, unsolicited inbound connections from the Internet stop at the router and reach your PC only if you deliberately forward them.
Check your network ports to see what is open, what is closed, and what is visible to people outside your network. The fewer ports open and listening on a computer, the less exposure there is to attack and potential compromise of the system. Visit Gibson Research’s website (www.grc.com) and run the free ShieldsUP test to see how your ports look from the Internet. Download and run Gibson’s LeakTest, which checks whether your software firewall actually stops an unknown program from making an outbound connection. You also can use the netstat program (part of Windows) to see which ports are open on your system and identify current connections. To do so, open a command console (click Start, Run, type “cmd” into the dialog box, and press ENTER, which will open a DOS-type window). In that window, type netstat and press ENTER, which will list active connections but not listening ports. To list listening ports as well, use netstat -a; adding -n shows addresses as numbers instead of looking up names, and on Windows XP and later -o adds the process ID that owns each socket, so netstat -ano tells you not just what is listening but which program to look up in the Task Manager.
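The netstat check above, carried one step further as an added example (this is not code from the original column): a PowerShell function that parses the text of netstat -ano, keeps the listening sockets, and joins each one to the process that owns it. It assumes Windows PowerShell 5.1 or later; the function names are mine, and the sample netstat rows are constructed to show the format, with made-up addresses and process IDs.

```powershell
# Added example, not from the original column. Assumes Windows PowerShell 5.1 or
# later; the function names are mine.

function ConvertFrom-Netstat {
    # Parse the text rows of "netstat -ano" into objects. TCP rows carry a State
    # column; UDP rows do not, so the PID is one column earlier for them.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -notin 'TCP', 'UDP') { continue }     # skips the banner and header
        $state = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
        $owner = if ($f[0] -eq 'TCP') { $f[4] } else { $f[3] }
        $cut   = $f[1].LastIndexOf(':')                 # works for [::]:135 as well
        [pscustomobject]@{
            Proto     = $f[0]
            LocalAddr = $f[1].Substring(0, $cut)
            LocalPort = [int]$f[1].Substring($cut + 1)
            Remote    = $f[2]
            State     = $state
            ProcessId = [int]$owner
        }
    }
}

# Constructed sample in the layout netstat -ano prints, so the parser can be tried
# without touching the live machine. The addresses and PIDs are made up.
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2208
  TCP    192.168.1.10:49700     93.184.216.34:443      ESTABLISHED     5120
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    2340
'@ -split "`r?`n"

ConvertFrom-Netstat $sample |
    Where-Object { $_.State -eq 'LISTENING' -or $_.Proto -eq 'UDP' } |
    Format-Table Proto, LocalAddr, LocalPort, ProcessId -AutoSize

function Get-ListeningPorts {
    # Live run: every listening socket joined to its owning process. A listener on
    # 0.0.0.0 or [::] accepts connections from the network (firewall permitting);
    # one on 127.0.0.1 or [::1] is reachable only from this machine.
    ConvertFrom-Netstat (netstat -ano) |
        Where-Object { $_.State -eq 'LISTENING' -or $_.Proto -eq 'UDP' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
            $_ | Add-Member -NotePropertyName Process -NotePropertyValue $proc.ProcessName -PassThru |
                 Add-Member -NotePropertyName Path    -NotePropertyValue $proc.Path        -PassThru
        }
}

Get-ListeningPorts | Sort-Object Proto, LocalPort |
    Format-Table Proto, LocalAddr, LocalPort, ProcessId, Process, Path -AutoSize
```

In the constructed sample, the ESTABLISHED row is an outbound connection rather than a listener and drops out of the filtered table, the 127.0.0.1 listener is reachable only from the machine itself, and the 0.0.0.0 and [::] listeners are the ones to reconcile against what ShieldsUP reports as visible from outside: a port that is listening on all interfaces but shows as stealth or closed from the Internet is being covered by the firewall or router, and a port that shows as open from outside with no corresponding listener here deserves an explanation.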
With these simple steps, you can keep your systems free of infection and have time to play instead of spending it nursing a sick computer back to health. Just remember “safe” computing is like “safe” sex; there is no substitute for prophylaxis if abstinence is an unacceptable alternative.
J. Anthony Vittal ( firstname.lastname@example.org), is the General Counsel of Credit.Com, Inc., and Identity Theft 911, LLC, both based in San Francisco, California. A former member of the ABA Standing Committee on Technology and Information Systems and a member of various technology-oriented committees of ABA Sections, he speaks and writes frequently on legal technology topics.