Why do I get viruses and how do they get installed?

There are a LOT of reasons and ways here but the most popular reason (right now) is money.  The folks writing the viruses are making a TON of money doing it.  How do they make money writing viruses?  Consider the little story below. 

We have a couple of players in our story.  We have Alice, who is the typical computer user.  We have Mallory, who is the bad guy who actually writes the virus.  Then, we have Trudy who has gotten a great deal on 100,000 Viagra pills that she wants to sell anonymously via email.  

Alice has a computer that she uses for day-to-day computer activities.  She doesn’t do her banking online and doesn’t store anything ‘sensitive’, so she doesn’t obsess (or really even think about) about security except when that weird computer guy starts harping on it.  She installed some free antivirus a while back and she hasn’t seen anything weird so she assumes it’s working.  Also, sometimes she gets a pop up that something needs to be updated and, if she’s not doing anything else, sometimes she will click it.  All in all though, everything just seems to work.

Mallory writes a virus that has two jobs.  Job one is to listen for new instructions from Mallory and do whatever she tells it to do.  Job two is to propagate (find other computers to infect).  Ideally, the virus will infect one computer, then two computers from that one, then two from each of those, etc., etc., etc. until Mallory has a large network of computers running her virus (a ‘botnet’) and just waiting for her instruction.

Now, we have Trudy.  Trudy just got a great deal on 100,000 pharmaceuticals and wants to sell them via email.  She obviously doesn’t want to send out 1,000,000 emails from her computer because her Internet Service Provider (‘ISP’) will quickly cut her off, so what to do?  She surfs around on the Internet and finds that Mallory has a network of 100,000 computers that she [Mallory] is renting access to.  Trudy contacts Mallory and offers $500 to rent the botnet, Mallory gladly accepts.  Trudy has Mallory install some quick and dirty email relay software on the 100,000 infected computers and the emails start to flow.  All of a sudden, 1,000,000 people start getting emails for really cheap Viagra.

Now, the only question remaining is *how* did Mallory get her virus installed onto all of those computers, and that’s where Alice comes in.  It’s important to remember that a virus is just a piece of software, not unlike MS Word, MS Excel, Quickbooks, etc.  The difference though is that those software programs get installed by you.  You put the disk in the drive, double click on an icon and follow the prompts to install and configure the software.  It’s unlikely that you’re going to intentionally download something called Really_Bad_Virus.exe and run it, so Mallory had to find some way to get it installed without your intervention.  Two ways that Mallory can do this are:

– Option 1 is through an email attachment.  This is probably the easiest but has the lowest chance of success (because everyone knows better than to open email attachments).  Mallory just sends Alice an email with her virus attached to it and hopes that Alice clicks on it.  Unfortunately for Mallory, Alice is pretty tech savvy and spots the malicious intent a mile a way.  The email is promptly deleted and the virus doesn’t get installed.

 – Option 2 is a little more sneaky and, as a result, has a much greater chance of success.  Mallory takes out a banner ad at the top of the www.acmeco.com website.  The marketing company that handles the advertising for www.acmeco.com takes a non-refundable $500 deposit from Mallory and reviews the link that she’s providing with her ad.  Everything checks out, the ad gets posted and 100,000 people per day see the ad.  Just before going live (but after the review), Mallory updates the link to point to a site that she’s either already compromised or that she has created specifically for spreading her virus.  A good example of this would be the attack on the Department of Labor website that we reported back on 2 May.  At any rate, all of the visitors that go to the infected website run a small program in the background that checks to see what web browser (and version) that they’re using, what version of Java they have, what version of Adobe they have, if they use Windows or Mac and tons of other information about the computer.  Based on that information, they run another small piece of code to exploit a vulnerability in one of the checked programs.  A few hours later, Alice is surfing the Internet a bit before going to bed.  When she logs on, she gets a notice that her Java or Adobe or Windows is out of date and it offers to install the update for her but she declines.  She’s only going to be online for a minute and she’s not going to use any of those programs anyway.  She clicks on a link to www.acmeco.com.  The site is a little slower than normal to load (there’s a 1 to 2 second delay) but it comes up and seems normal.  In the background though, the infected website noticed the outdated version of Windows, the outdated version of Java and the outdated version of Adobe and attempts to exploit one or all of them to install the virus.  The virus was installed with no problem in that 1 to 2 second delay and Alice’s computer has already phoned home (Mallory) to say that it’s ready and awaiting her instruction.  It’s also actively scanning for other computers that may be on Alice’s home network to infect.  Mallory’s botnet just became a little more valuable.

At the end of the day, Alice’s computer could have been protected with better or more up-to-date antivirus (it would have spotted the attack) or by having the updates that prevented the attacks (the updated versions of Windows, Java and / or Adobe).  In a commercial environment, a well configured firewall could have also blocked access to either the malicious site or could have blocked the malicious code from being downloaded.