The Comprehensive Virus/Malware Thread- How exactly are they activated?

How EXACTLY are viruses/malware activated?

*Mal-ware: Any form of malicious code (virus, trojan, spyware, worm, script etc)

Okay. so its "common knowledge" in that viruses / malware can infect your computer by going to the wrong websites or opening an email attachment that contains malware.

*this is *Only because your running other programs that will automatically open malicious processes or files that are mal-ware, *THUS activating it "automatically."


1. Mal-ware ONLY can compromise your system *if it has been activated and is running in your memory or whatever.

2. This means that "inactive" Mal-ware can exist on your hard-drive if you have downloaded mal-ware to your hard drive without opening it.

(Please correct me If my points 1 & 2 are incorrect)


3. Now, this leads me to the following questions in regards to how to deal with "inactive mal-ware" that exists on your harddrive:


A. How Exactly is Mal-ware activated?

B. What actions / activities are safe? And which ones will *activate mal-ware?


Safe Activities:
(Assuming that your explorer doesn't automatically open the file when carrying out the following actions)
1. Moving the file
2. Uploading that file
3. Right clicking on the file and checking its properties
4. Highlighting the file without opening it
5. File proximity: Whether you install a program that is right "next to" the "inactive" malware, or in a seperate folder, the malware will not be able to attach itself to the program *unless it has already been activated. *OR unless if the file has disguised itself as one of the setup files (which it can't do on its own on a clean pc!)

Dangerous activities:
1. Opening the file
2. Using a program that opens the file

Am I correct in the classifications of these actions / activities? Please correct me of any errors I have stated.


Now, I am uncertain about the following activities:

Which of the following activites/actions are safe? and which ones can activate the mal-ware?

1. Using programs or functions that analyze your files (including "inactive malware")
(Such as CDCheck, or De-fragging, or diskcheck)
2. Changing the "inactive malware's" file property (To Read-Only or Read-able, etc)
3. Changing the File Permission of the "inactive malware" ex: changing the file owner to Admin or LimitedUser etc etc
4. What about running a Windows Search that will search your files including the "inactive malware"?

Does any of these actions in fact, activate mal-ware?

And which ones are "safe?"





Note:
1. I'm assuming that downloading a file, in and of itself, *without opening the file, will not activate mal-ware.
For example, if you use P2P, or a web browser to download to c:\Downloaded Files\Virus.exe, that the malware called "Virus.exe" will *only sit there, and will remain harmless until it is activated.
Please correct me if I am wrong here.
2. Also, we're assuming that your computer is clean of any other mal-ware that can't activate "inactive" malware that you have downloaded.

 

A generic answer to your question is to observe what happens when you do a certain activity - does it actually start programs? For example, when you do a defragment, do Microsoft Word, Excel, or any other program that you have on your computer start? In this case, the answer is no.

All 4 of your questionable activities should be ok. One exception, though, is that some analysis activities do cause part of a program to run. For example, some unpackers of packed malware will run the program to initiate the unpacking.

 

Re: How EXACTLY are viruses/malware activated?

This happens because of a zero-day vulnerability (rare), or much more commonly because the user has not kept his system and other software up to date with the latest patches. Infection happens because a visit to that wrong website allows an attacker to automatically execute a malicious script (for example) that takes advantage of holes (that the user would have been wise to patch) in software - the browser, a plugin, the OS, etc., in order to download malware.

If your system is always up-to-date with the latest patches, you will probably not get compromised when visiting that wrong website.

Zero-day vulnerabilities, however, can let malware infect you even if you're completely patched. Because these are rare, they generally make headlines in the news, and serious ones are usually fixed quickly. Not running as admin helps protect your OS from these greatly, but your limited account can still become infected. Many here on Wilders disable scripts and plugins by default, such as can be done w/NoScript, to add more protection from this attack vector.

Deliberately downloading files that you may not know contain malware is another story.

 

Hi Mike,

you have found more or less the right approach. In general: Malware has to be executed, to do it's dirty tasks. Stored on a storage medium (hard drive, cd, usb stick) it does nothing ... as long, as nobody / nothing awakens the devil.

Example: You have a scorpion in your apartment, caught in a cage. As long, as nobody gives him a chance to get out or to go inside, the scorpion will be harmless. But there might always be a chance, that he gets free by some mistake. Well, I am not as friendly with scorpions to give them a home, and the same goes for malware.

One addition has to be made to your post:
It seems to me, as if you only was thinking of EXE-files. Besides the fact, that there are some more file-types that may (at least indirectly) get executed (e.g. msi, cmd, bat, vbs), there may be also malware inside some "document" file type. HTML, JPG, PDF files and others have been and will be used to exploit some vulnerabilities. Dosgbiscuit mentioned rightly, that those risks arise, if your system - but also the related software, e.g. PDF-Viewer, Image-apps and so on) - are not up-to-date. Updating the system on a regular or automated basis is an important approach to harden the system.

Another point (and also mentioned above) are the settings of your Internet browser. I have in Internet options all active content disabled in the Internet Zone. If a site does not work correctly I at first ask myself, if this site is important for me and if the usage of active content is plausible. Only if I am sure about this and after having made some investigation about the site owner (in case I do not know him already) I place this site to the trusted zone. By doing so the majority of attacks are impossible.

Not to forget (although I know that you know) the LUA approach. If (in the really very unlikely case there does something get on my machine - it did not happen in the last 15 years), it has to get started, it has to add itself to startup (I reboot my machine once a day because of energy saving over night and executing some programs automated every day), it cannot do anything on the system, only on the account. And if at the end such an aggressor would have corrupted this account totally, I create a new account and delete the old one after copying my document files (hopefully not altered by the beast, otherwise my backups).

Regarding the last 4 numbered actions / questions:
With 2 and 3 I see no problems, 1 depends, how the analyze tool works; if this tool has been written with responsibility it will not let the aggressor do his task; otherwise this "analyze tool" would be useless in the meaning, that if after analyzing the malware is active you know, that it is malware, this is not my understanding of analyze. So here it comes to the question of trust to this analyze software.To point 4: Searching for filenames is no problem, searching for content is a question, how the search engine works, again a matter of trust.

Not to forget my credo at the end: There is no 100% security. That is, to many people are involved with computing: At first the user, the authors of the used programs, the authors of the used documents, probably others. The goal is (IMHO) to reduce the risk as much as possible and to be prepared (e.g. with backups) that the worst case may happen. Reducing the remaining risk to some few percent of the average users gives you a real great chance, that your system does never get infected during it's lifetime. (Where I have to add, that the lifetime of computer systems are only a fraction of the average lifetime of a human being.)

 

Hello,

In general, malware is activated in two ways:

1. Double-click on a file.
2. Single-click on a file (select it), then hit Enter.

Since your fingers get accidentally click the mouse too many times, it is best to be careful when playing with suspicious files on your system.

Since Windows is extension sensitive rather than type sensitive, try changing the extension to .txt or .bak or something before manipulating.

Mrk

 

Ok that helps a lot. Thanks Cosmo, Mrkvonic and everyone for very informative responses. I think it's answered all my questions regarding Mal-ware. I've been working with your responses and answers to come to the following conclusions...

It seems that the common denominator is:
1.That mal-ware is "harmless" in and of itself, and that
2. its only in the vulnerability of programs and your OS that mal-ware can exploit.

So that means that I should download the most secure programs and keep them updated *in addition to keeping the configuration most secure (Hardening). (In addition to all the other security strategies: LUA / SuRun / SRP / Sandboxing etc

Ok. So that leads me to the following question:

So what about WinRAR? This is the file compressor program I use. Is there one that is more secure / hardened ? (Some other popular ones are 7Zip and WinZip)

Also, I asked about programs analyzing "inactive" malware possibly activating it upon analysis.

*What about compressing "inactive malware" in regards to "accidentally" activating it? I forgot to ask about that...

Another area I forgot to ask is using NERO to burn my files into a DVD. Can this activate any "inactive" malware?

And lastly,

What about a list of all the most secure programs?
For example, the most secure Media Players, DVD Burner, File Compression Program etc etc



whew... soo exhausted trying to cover all my bases to protect myself from damn malware. I think this Post should wrap up all my questions, at least in regards to malware... I hope

-Mike

 

Any of the software you mentioned can have vulnerabilities that may cause content to execute. However the most attacked will be programs that regularly interface with other computers. This includes web browsers (and popular plugins such as java, flash, pdf readers) and the email client.

I dont know enough about the windows API and the Nero and WinRAR design to give an educated answer on those questions.

Also regarding 'secure' software, it is very hard to know because for each class of software, you wont know the security design features behind each of the products on the market. So most answers you get on this area will just be speculation.

 

This is true for "drive-by" downloads (i.e., a visit to a malicious website).

If you deliberately download a file and that file contains malware, once the file is executed, it can compromise your system regardless of whether there are vulnerabilites in software to exploit or not.

 

Make sure you are not using a known insecure version of whatever programs you're using; use Secunia PSI. Also, I run WinRAR and other programs that might come into contact with malicious content with SRP level 'Basic User' (not necessary if you run as limited user).

This isn't something you would usually probably need to worry about. I just mentioned it to be complete. An example of a program that does partially run malware is some of the plugins for PeID.

No, unless you run it from the program's file viewer.

 

you are correct. I forgot to add the basics. Opening & Executing mal-ware will activate it.

Thanks for the info MrBrian. But one quick question:

For example: If I used WinRAR to compress "inactive malware", it *Won't activate it? So I can safely use WinRAR to archive *any file, whether it is "inactive malware" or not?







and also:
Thanks everyone for contributing to this thread. Lots of good information here.



Also, I wanted to add some information that I've found on other Wilderssecurity threads:


https://www.wilderssecurity.com/showthread.php?t=210628
http://www.malwarehelp.org/methods-of-infection.html
http://www.microsoft.com/downloads/...93-147A-4481-9346-F93A4081EEA8&displaylang=en http://wiki.castlecops.com/Malware_Threats

My favorites:
http://wiki.castlecops.com/Understanding_Computer_Infections
http://wiki.castlecops.com/Understanding_Computer_Infections_-_Part_two http://wiki.castlecops.com/Understanding_Computer_Infections_-_Part_three

(Courtesy of Lucas1985 & Hyperflow)

 

i just thought up another questionable action.


What about cutting / copy and pasting a file that is "inactive malware", as from what I understand, this *shouldn't activate malware, but am I correct here also?

 

Yup, you're only dealing with filesystem actions.

 

It's safe to do this. For example, if you compress a directory of 50 games, you won't see 50 games launch when you compress them.

 

In addition to what MrBrian said, it is common to zip a file before submitting it to be analyzed by anti-malware/virus etc. companies. It is also important to keep the zipping application up to date. I'm not sure how that would effect zipping an infected file though. If you go to the Secunia site or a similar one, it should list the current and past advisories for WinRAR and other programs. Here is the one for WinRAR 3.x. http://secunia.com/product/890/

Here is the one vulnerability that WinRAR 3.x had in 2007. http://secunia.com/advisories/24077/ If you read the description on that page it will tell you what needs to happen in order for the buffer overflow to work. A lot of times you may have a vulnerable program running on your computer, but you may not use a certain feature that the malware requires to activate.

 

To exploit an archiver, you need a specially crafted archive (ZIP, RAR, 7Z, etc) and handle/open it with the vulnerable application (WinRAR, 7-Zip, Windows built-in ZIP utility?). So, I'd say that manipulating an infected file would be no different than manipulating a clean file. I would not expect an infected file to be aware of the file explorer/archiver being used to handle it.

 

Lucas, Thanks for the explanation. I didn't think it was possible, but I wasn't sure.