You may have heard of computer firewalls. If you have been following the news, you may also have heard of the WannaCry ransomware outbreak and the NotPetya attack of 2017, which between them hit hundreds of thousands of computers worldwide. Both spread by exploiting a security vulnerability in Windows file sharing (SMB) for which Microsoft had already published a patch two months before WannaCry appeared; they are only two of many recent examples of malware that uses software exploits to infect computers. Malware (malicious software) is the general term for programs that are harmful or invasive, or that otherwise act against the interests of the computer's user: viruses, worms, Trojans, spyware, ransomware and rootkits are all kinds of malware. A virus is therefore one type of malware, not the other way round, and malware does not only arrive over the internet: it can be carried on a USB flash drive, and some of it runs only in memory (RAM) without ever being written to disk. Any computer connected to the internet is exposed to it, so before looking at what a firewall can and cannot do against malware, it is worth understanding what the main kinds are and how they work.
A computer firewall limits what can reach your computer from the network, and what on your computer can reach the network, by inspecting every packet (the small chunks into which data exchanged over the internet is divided) that passes through it, inbound or outbound, and allowing or dropping each one according to a list of rules. A packet-filtering firewall decides from the packet headers alone: the source and destination IP (Internet Protocol) addresses, the protocol (TCP or UDP) and the source and destination port numbers, which identify the service being contacted (for example TCP port 445 for Windows file sharing, the service WannaCry spread through). A stateful firewall additionally remembers the connections it has accepted, so that replies to a connection your computer opened are let back in without a standing rule for that port, while unsolicited inbound packets are dropped. Application-layer firewalls and proxies go further and inspect the contents of the packets for a particular protocol such as HTTP. A firewall can run on the computer it protects (a host-based firewall, such as the one built into Windows) or on a separate device such as a home router, where it protects every machine behind it.
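The rule evaluation described above, as an added example that is not part of the original article: a small packet-filtering firewall model in Python with first-match rules, a default-deny policy and an optional connection table, so the difference between a stateless and a stateful filter can be seen on the same traffic. The protected host address, the rule set and the sample packets are all assumptions constructed for the demonstration (documentation address ranges, not real hosts).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at; the payload is never read."""
    direction: str   # "in" = toward the protected host, "out" = away from it
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """A rule matches when every field that is set agrees with the packet."""
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR block, e.g. "10.0.0.0/24"
    dst: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.direction is None or self.direction == p.direction,
            self.proto is None or self.proto == p.proto,
            self.src is None or ip_address(p.src_ip) in ip_network(self.src),
            self.dst is None or ip_address(p.dst_ip) in ip_network(self.dst),
            self.dst_port is None or self.dst_port == p.dst_port,
        ))


ConnKey = Tuple[str, FrozenSet[Tuple[str, int]]]


class Firewall:
    """First-match evaluation of a rule list with a default policy."""

    def __init__(self, rules: List[Rule], default: str = "deny", stateful: bool = True):
        self.rules = rules
        self.default = default
        self.stateful = stateful
        # Connection table for the stateful mode: protocol plus the two
        # endpoints, kept without direction so a reply (src/dst swapped)
        # maps onto the same entry as the packet that opened the connection.
        self.conns: Set[ConnKey] = set()

    @staticmethod
    def _conn_key(p: Packet) -> ConnKey:
        return (p.proto, frozenset({(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)}))

    def decide(self, p: Packet) -> str:
        key = self._conn_key(p)
        # A stateful firewall admits packets of an already-accepted connection
        # before consulting the rules; a stateless filter would instead need a
        # standing inbound rule for every ephemeral reply port.
        if self.stateful and key in self.conns:
            return "allow"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and self.stateful:
                    self.conns.add(key)
                return rule.action
        return self.default   # nothing matched: default deny


HOST = "10.0.0.5"   # the protected machine (assumed address)

POLICY = [
    # Outbound HTTPS browsing; the replies come back through the state table.
    Rule("allow", direction="out", proto="tcp", dst_port=443),
    # SSH administration, but only from the local subnet.
    Rule("allow", direction="in", proto="tcp", src="10.0.0.0/24", dst=HOST, dst_port=22),
    # Everything else, in either direction, falls through to the default deny.
]

# Constructed sample traffic using documentation address ranges, not real hosts.
TRAFFIC = [
    ("browse",   Packet("out", "tcp", HOST, 51000, "192.0.2.10", 443)),
    ("reply",    Packet("in",  "tcp", "192.0.2.10", 443, HOST, 51000)),
    ("smb-scan", Packet("in",  "tcp", "203.0.113.9", 40000, HOST, 445)),   # the port WannaCry spread over
    ("lan-ssh",  Packet("in",  "tcp", "10.0.0.7", 50000, HOST, 22)),
    ("wan-ssh",  Packet("in",  "tcp", "203.0.113.9", 50001, HOST, 22)),
    ("beacon",   Packet("out", "tcp", HOST, 52000, "198.51.100.4", 6667)),  # malware calling home
]


def run(stateful: bool = True) -> Dict[str, str]:
    """Feed the sample traffic, in order, through a fresh firewall."""
    fw = Firewall(POLICY, default="deny", stateful=stateful)
    return {name: fw.decide(p) for name, p in TRAFFIC}


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful " if mode else "stateless", run(mode))
```

In stateful mode the HTTPS reply is admitted because the outbound request created a connection entry; in stateless mode the same reply is dropped, which is why stateless filters end up with broad inbound "allow high ports" rules. The inbound scan of port 445 and the outbound connection to an unexpected port are both dropped by the default policy, the second being the egress filtering that makes an existing infection visible in the firewall log.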
There are several different types of malware, each with its own distinguishing features. The main ones are:
- viruses, which attach themselves to other programs or files and spread when those are copied or run
- worms, which copy themselves to other computers over the network without any action by the user (e.g., Mydoom, the e-mail worm of 2004)
- Trojans, which pose as legitimate software; remote access Trojans (RATs) give the attacker covert control of the machine (e.g., gh0st)
- spyware, which collects keystrokes, credentials or other data and sends it to the attacker
- rootkits, which hide other malware from the operating system and from anti-virus software
- ransomware, which encrypts your files and demands payment for the key
Each type of malware operates differently, but once any of them is running, the attacker usually has effectively complete control of the infected computer. They can send spam from it, use it in denial-of-service attacks, read private data, install further malware, or turn it against other computers and organizations. Large collections of such remotely controlled machines are called botnets, and several of the examples below were used exactly that way.
To keep malware off your computer, take at least the following steps:
- keep the operating system and applications up to date; WannaCry infected machines that were missing a patch Microsoft had published two months earlier
- install a reputable anti-virus program
- let the anti-virus program update itself automatically; its signatures are refreshed daily, so a manual update once a month leaves you exposed to everything discovered in between
- treat e-mail attachments and links with suspicion, since that is how most of the worms and Trojans described below arrive
- set up a firewall, allow only the services you actually need, and monitor what it blocks
An anti-virus program scans files as they arrive and as they are opened, compares them against signatures of known malware, and notifies you (or quarantines the file) when it finds a match. It is also a good idea to add other protective measures such as a host-based firewall, a router with firewall features, and a VPN (virtual private network) for use on untrusted networks such as public Wi-Fi.
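To show what the signature matching mentioned above actually does, and why the update step in the list matters, here is an added example that is not part of the original article: a toy scanner in Python that checks file contents against a hash signature and a byte-pattern signature. It uses the EICAR test string, the harmless standard file that real anti-virus engines are required to detect; the sample file names, the padded and tweaked variants and the "update" are constructed for the demonstration.

```python
import hashlib
import re
from typing import Dict, List

# The EICAR test string: the industry-standard harmless file that every
# anti-virus engine is expected to detect. It is not malware.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Two kinds of signature, as an engine's database would hold them. A hash
# signature matches only a byte-identical file; a pattern signature is a
# regular expression over the file's bytes and tolerates surrounding changes.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File",
}
PATTERN_SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File.pattern": rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
}


def scan(data: bytes, hashes: Dict[str, str] = HASH_SIGNATURES,
         patterns: Dict[str, bytes] = PATTERN_SIGNATURES) -> List[str]:
    """Return the names of every signature that matches the file contents."""
    hits: List[str] = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in hashes:
        hits.append(hashes[digest])
    for name, pattern in patterns.items():
        if re.search(pattern, data):
            hits.append(name)
    return hits


# Constructed samples: a clean file, the exact test file, the test file with a
# byte appended (as a padded or repacked copy would look), and a variant whose
# visible string was altered, the way malware authors tweak samples to slip
# past yesterday's signatures.
SAMPLES: Dict[str, bytes] = {
    "readme.txt": b"Quarterly report, nothing to see here.\n",
    "eicar.com": EICAR,
    "eicar-padded.com": EICAR + b"\n",
    "eicar-tweaked.com": EICAR.replace(b"ANTIVIRUS", b"ANTIV1RUS"),
}


def scan_all(patterns: Dict[str, bytes] = PATTERN_SIGNATURES) -> Dict[str, List[str]]:
    """Scan every sample with the given pattern set (hash set unchanged)."""
    return {name: scan(data, patterns=patterns) for name, data in SAMPLES.items()}


def updated_patterns() -> Dict[str, bytes]:
    """What a signature update delivers: a pattern that covers the new variant."""
    new = dict(PATTERN_SIGNATURES)
    new["EICAR-Test-File.variant"] = rb"EICAR-STANDARD-ANTIV[I1]RUS-TEST-FILE"
    return new


if __name__ == "__main__":
    print("before update:", scan_all())
    print("after update: ", scan_all(updated_patterns()))
```

Before the update the exact file trips both signatures, the padded copy only the pattern (its hash is different), and the tweaked variant nothing at all; after the update the variant is caught too. That gap between a new variant appearing and a signature for it being shipped is what daily signature updates close, and what the firewall and patching steps cover in the meantime.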
A firewall is an important part of any security system. It protects your computer in several ways:
- it drops unsolicited inbound connections, so a worm scanning the internet for vulnerable services never reaches the vulnerable software (WannaCry could not infect a machine whose port 445 was unreachable)
- it can block connections to known dangerous addresses and sites, when it is fed a list of them
- it can block the outbound connections that malware already on the machine makes to its controllers, which limits the damage and makes the infection visible in the firewall log
- it reduces the time spent cleaning up infected computers, because fewer infections get in and those that do are contained
On its own, though, a firewall does not stop spam: spam arrives through the e-mail connections you have chosen to allow, and filtering it is the job of the mail server, the mail client or the anti-virus program.
Spam is unsolicited bulk e-mail, usually advertising and often carrying malware or links to phishing sites; it makes up a large share of all e-mail traffic, and much of it is sent by botnets of infected computers (see Rustock and Mega-D below). Viruses are malware that attach themselves to other programs or files and spread when those are copied or run, altering the computer's behaviour in the process. An infected computer is a threat to every other machine it communicates with until the infection is removed.
Here are some examples of viruses, worms and other malware and the type of damage they caused:
- Nimda – A worm from September 2001 that spread by several routes at once: e-mail, open Windows network shares, vulnerable Microsoft IIS web servers, web pages that infected the browsers that visited them, and backdoors left by the earlier Code Red II worm. Because it modified large numbers of files and web pages, cleaning an infected machine reliably usually meant rebuilding it.
- Conficker – A worm that appeared in late 2008 and exploited a vulnerability in the Windows Server service that Microsoft had patched a month earlier (MS08-067); it also spread through USB drives and weakly protected network shares, infected millions of computers, and contacted its controllers through a constantly changing list of generated domain names, which made it hard to shut down.
- Rustock – A rootkit-based spam botnet active from about 2006 until March 2011, when Microsoft and law enforcement seized its command servers; at its peak it was one of the largest sources of spam in the world.
- Mega-D (also called Ozdok) – Another spam botnet, responsible for a large share of worldwide spam in 2008 and 2009 until its command servers were taken down in 2009.
- DroidDream – Android malware discovered in March 2011 inside applications published on the official Android app store; it used known exploits to gain root on the device and collected device data. It is a reminder that phones are computers too. (The unrelated Sober family was a series of e-mail worms first seen in 2003.)
- Tiny Banker (Tinba) – A very small banking Trojan first seen in 2012 that injects itself into the web browser to capture online-banking credentials and alter what the victim sees on banking sites; its source code leaked in 2014, after which many variants appeared.
- WannaCry – The ransomware worm that began spreading on 12 May 2017. It used the EternalBlue exploit, published by the Shadow Brokers group, against a vulnerability in Windows SMBv1 file sharing (MS17-010) that Microsoft had patched in March 2017; computers that had not installed that patch and exposed port 445 were infected without any user action. The malware encrypted the victim's files and demanded a payment in Bitcoin; the spread was stopped when a security researcher registered a domain name the malware checked before running (the so-called kill switch). Victims faced a choice: pay the criminals and hope for the key, or restore from backups, or lose the files.
Ransomware is malware that encrypts the files on your computer, and often on any network shares it can reach, and then demands payment, usually in Bitcoin, for the key needed to decrypt them. It differs from a classic virus in that it does not need to infect other programs: the damage is done by making your own data unreadable. Modern ransomware encrypts each victim's files under a key that only the attacker holds, so without backups there is no way to recover the files other than paying, and paying is no guarantee. In the following examples, we'll use CryptoLocker, which appeared in September 2013, to demonstrate how ransomware works.