Sometimes even the best software can't protect you.
We need to clear up a little terminology, but your question is a good one: how can malware get past anti-malware programs and infect your PC?
And more importantly, what can you do to protect yourself?
Let's define some terms with what I'm thinking is my silliest metaphor ever, and then talk about how to stay safe.
Malware sneaking past security software
Malware can make its way to your machine any of several ways, including poor security software, out-of-date security software, un-patched and out-of-date system software, and user error. Avoid malware by using suitable tools, keeping everything up to date, and practicing safe computing. Once malware gets onto your machine, it can do anything.
Vulnerabilities and Exploits
A vulnerability in software isn't a bad thing in and of itself. It's kind of like a hole in a bathroom wall: as long as no one's looking through it, there's no damage done.
Naturally, you'd like to have the problem fixed and the hole repaired (i.e., you'd like your software to be updated to remove the vulnerability), but as long as the hole hasn't been found by anyone, it's not putting you at risk. It shouldn't be there, but as long as no one knows about it, all is well.
An exploit is like someone finding the hole and looking in at whatever's happening in your bathroom. If the hole is big enough, they can even reach in and steal personal things or flush your toilet when you're not looking.
A software exploit can do things like look at the information on your computer, steal personal things like your passwords, or use your computer to send spam when you're not looking.
And yes, I just compared spam to whatever you flush down your toilet.
Anti-malware tools
Now to factor in anti-malware tools.
The term anti-malware is really a catch-all for a couple of different approaches.
- Anti-spyware[1] tools are kind of like security cops. They don't know about the holes, but they have a list of all the other places from which you could be spied on. They monitor doors and windows and make sure no one has installed a video camera in the medicine cabinet. As soon as they see suspicious activity in those locations, they alert you and attempt to remove the threat.
- Anti-virus tools are more like security cops with a big book of mug shots of all the people who are known to look in holes in bathroom walls. As soon as they see someone from that book, they kick them out (or at least let you know they're lurking about).
The problem, of course, is that these cops are only as good as the information they have. If the anti-spyware cop is unaware of the fact that video cameras can also be placed in the light fixture, they won't check that. If the anti-virus cop doesn't have the photo of the Peeping Tom discovered elsewhere this morning, he won't recognize him.
That's why I so often insist that you have not only up-to-date security software (cops who know all the important tricks of the trade), but you also make sure to update their databases of malware (the list of places to look and malcontents to look for) consistently (or let it happen automatically).
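To make the two "cops" concrete, here is a small added example (not code from the original article) that models both approaches over constructed data: a hash-based "mug book" for the anti-virus cop, and a list of watched locations (the "doors and windows") for the anti-spyware cop. The file contents, paths, registry key names and the two database snapshots are all made up for illustration. It shows the point of the paragraph above: each approach only catches what its current information tells it to look for, and updating that information changes the result.

```python
import hashlib

# Constructed sample "files" (name -> bytes). None of this is real malware;
# the contents are placeholders so the hashes are reproducible.
SAMPLES = {
    "report.pdf": b"%PDF-1.4 constructed quarterly report",
    "known_bad.exe": b"MZ constructed sample of a threat catalogued last month",
    "new_bad.exe": b"MZ constructed sample first seen this morning",
    "unknown.exe": b"MZ constructed sample no vendor has catalogued yet",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The anti-virus "mug book": a signature database of known-bad hashes.
# Yesterday's snapshot predates new_bad.exe; today's includes it.
SIGNATURES_YESTERDAY = {sha256(SAMPLES["known_bad.exe"])}
SIGNATURES_TODAY = SIGNATURES_YESTERDAY | {sha256(SAMPLES["new_bad.exe"])}

# The anti-spyware cop's list of places worth watching (constructed paths).
# Yesterday the cop did not know to check the "light fixture" (AppData);
# today's watch list adds it.
RUN_KEY = "HKCU/Software/Microsoft/Windows/CurrentVersion/Run"
WATCHED_YESTERDAY = {RUN_KEY, "C:/Windows/System32/drivers/etc/hosts"}
WATCHED_TODAY = WATCHED_YESTERDAY | {"C:/Users/leo/AppData/Roaming"}

# Constructed activity log: (program, action, target).
EVENTS = [
    ("report.pdf", "read", "C:/Users/leo/Documents/report.pdf"),
    ("known_bad.exe", "write", RUN_KEY),
    ("new_bad.exe", "write", "C:/Users/leo/AppData/Roaming/updater.exe"),
    ("unknown.exe", "write", RUN_KEY),
]


def signature_scan(files: dict, signatures: set) -> list:
    """Anti-virus style: flag a file only if its hash is in the mug book.
    Anything not yet catalogued passes, no matter what it does."""
    return sorted(name for name, data in files.items() if sha256(data) in signatures)


def behaviour_scan(events: list, watched: set) -> list:
    """Anti-spyware style: flag any program that writes into a watched
    location (exact key match, or a path under a watched directory).
    It needs no knowledge of the program, but only checks places it knows."""
    flagged = set()
    for program, action, target in events:
        if action != "write":
            continue
        if any(target == w or target.startswith(w + "/") for w in watched):
            flagged.add(program)
    return sorted(flagged)


def combined_scan(files: dict, events: list, signatures: set, watched: set) -> list:
    """Union of both cops' findings; this is what an up-to-date suite reports."""
    return sorted(set(signature_scan(files, signatures)) | set(behaviour_scan(events, watched)))


if __name__ == "__main__":
    print("signatures, yesterday:", signature_scan(SAMPLES, SIGNATURES_YESTERDAY))
    print("signatures, today:    ", signature_scan(SAMPLES, SIGNATURES_TODAY))
    print("behaviour, yesterday: ", behaviour_scan(EVENTS, WATCHED_YESTERDAY))
    print("behaviour, today:     ", behaviour_scan(EVENTS, WATCHED_TODAY))
    print("combined, today:      ", combined_scan(SAMPLES, EVENTS, SIGNATURES_TODAY, WATCHED_TODAY))
```

With yesterday's data, the signature scan misses `new_bad.exe` (no mug shot yet) and the behaviour scan misses it too (the location it writes to was not on the watch list). Updating both databases catches it, while `unknown.exe`, which no signature will ever match, is caught only because it touched a watched location. Neither approach alone is sufficient, and both are only as current as their last update.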
We can extend the metaphor further. Not all cops are the same; some are better at seeing certain kinds of things than others, others get better data from their head office, and so on, meaning that some anti-malware tools are better at catching certain things than others.
And some are just incompetent.
Ultimately, though, not having up-to-date tools with up-to-date information is one way malware makes it into your system.
Finding Holes
Unlike a bathroom wall, the vulnerabilities (or "holes") in software are often not obvious or easy to discover. It's not uncommon for a vulnerability to exist for years before someone stumbles across it and develops a way to exploit it.
To stretch the "computer software is like a bathroom" story even further, the holes in your wall are very difficult to find. Depending on the quality of the original builder, there may be easier-to-find holes, but those are often found and fixed relatively quickly.
And here's the scary part: hackers are like someone who spends all day and all night looking at your bathroom wall from the outside, hoping to find a hole no one else has found before. It's not a new hole -- it was there all along -- but it is a new discovery, and often termed a new vulnerability.
Or sometimes they'll find a new way to use a previously known hole that hasn't been patched yet.
Either way, as soon as they're successful, they create malware that exploits the fact that your bathroom wall (the software on your computer) has an unpatched hole.
Fixing Holes
"So just plug the holes!" I hear you yelling.
Exactly. The problem is, as I mentioned above, the holes can be extremely hard to find.
But once they're found, the hole is patched by updating the software on your machine to versions without those holes.
Usually. Some holes are fixed more quickly than others, and some may not be fixed at all. Some holes are harder to patch than others.
And some holes are worse than others. A hole that allows someone to see your toothbrush might be less important than a hole that allows someone to actually steal it.
Another issue is that fixing a hole can damage the wall, sometimes to the extent that a new hole is created elsewhere. By that I mean fixing a bug in software can unintentionally introduce other bugs. Thus, the benefit of fixing a known hole has to be weighed against the risk that doing so might create another hole we won't know about.
The bottom line here, though, is that having out-of-date software -- software with known holes fixed by updates you haven't downloaded yet -- is another way malware can find its way onto your machine.
Avoiding holes: extreme version
An experience with Java a few years ago is a great example of a widespread and (then) newly discovered vulnerability.
To continue our now-tortured comparison:
- Many, many people had this model of "bathroom". (Many people had Java installed.)
- Many holes were found and repaired in this bathroom's walls. (Java had a history of vulnerabilities.)
- A new hole was discovered, and new people were found looking in before the security cop's mug book could be updated. (A new "zero day" exploit of a vulnerability in Java was found in the wild.)
- Until the hole was patched, everyone using this bathroom was vulnerable to having their toothbrush stolen or worse. (Everyone with Java on their machine was at risk.)
The common advice was to remove the bathroom completely (uninstall Java), use a different bathroom (use alternate tools that don't use Java), or avoid using a bathroom altogether (don't do whatever you were doing that required Java).
The metaphor breaks down at this point, because while most of us may not need Java (the advice remains to uninstall it unless you know you need it), we all need a bathroom.
Avoiding holes: more common version
The advice for avoiding software exploits is the same as it's always been.
- Keep your computer software up to date. (Keeps the holes we know about patched.)
- Keep your anti-malware tools up to date, and keep their databases up to date. (Keep the security cops sharp and equip them with current information of what to look for.)
- In some cases, uninstall software that is known to have issues. (Keeps you from doing things that a Peeping Tom might see or use against you.)
- And of course, don't invite a crowd of Peeping Toms onto your computer by opening attachments you're not certain are safe, running questionable downloads, or visiting questionable sites.
In other words, keep your bathroom clean and don't invite strangers in.
And, yes, even after doing all that, there's still the possibility of a hole you don't know about being found and exploited before all the defenses are updated.
Do this
To answer your second question: what can malware do?
Malware can do anything it wants.
Naturally, the specifics depend on the size of the hole being exploited and what's available on your computer, but it's safest to assume that once a vulnerability on your machine is exploited and an infection occurs, all bets are off.
That's one reason that I so strongly recommend regular backups. If your machine is infected today, restore to yesterday's backup, and the infection is gone. Period.[2]
System Restore can sometimes help, but there are two problems with it:
- In my experience, System Restore is extremely unreliable. There's nothing worse than counting on System Restore to save you, only to have it respond with things like "No restore points found" or the like.
- You're still not sure the malware is gone. System Restore doesn't restore everything, and those things it does not restore remain infected if they were, in fact, infected to begin with.
Try System Restore if you like -- be sure to run full and updated anti-malware scans thereafter -- but it's not something I feel confident relying on.
As for me, I'm moving my toothbrush.
Footnotes & References
1: Honestly, the distinction between "spyware" and "virus" has pretty much disappeared -- we now refer to them collectively as malware, for malicious software. The two different approaches to detection, however, remain.
2: This is where the metaphor really breaks down. I mean, who keeps a daily backup of their bathroom?
Footnote #2, a backup is the last thing you want in your bathroom.
And I do keep a backup of my toothbrush.
Leo, you said “System Restore doesn’t restore everything”. Does it restore your old set of restore points, some of which may contain malware? And if there is malware in a restore point, is that malware essentially quarantined? In other words, can that malware do any harm just sitting there, even if I never use the restore point(s) in which the malware resides? Thanks…
System Restore is mainly a Registry backup, little more. Restoring from it won’t restore lost data, broken programs, and won’t remove malware.
There is something about laughing while reading an article that makes learning and understanding much easier:)
Yep – pretty soon the bad guys will figure out how to put bots in our water supply. Most bathroom sinks have filters/screens (built into the aerators) that will keep them out, but bathtub faucets don’t usually have them, so they will sneak into your bathroom through that avenue. ;-) – thanks for that article. I am going to give it to my wife since it explains tech stuff in a way she would easily understand.
Leo, I have tried for almost three yrs to understand what all that meant. Thank you for putting it in a way us older, new computer users can understand.
Great explanation! Many thanks. At my first computer class decades ago, the instructor compared RAM, cache, hard drives, processors, etc. to cars with various sized trunk capacities, engines, speeds, gas tank sizes, etc. I still use those descriptions today for newbies.
Leo:
I’m an IT professional with even more time in than you, and I must say, that was the best description of malware and the various protections that I’ve ever heard! I’m going to point several users to this wonderful posting!
Keep up the good work.
PS – I just stole your toilet seat – and I bet you don’t have a thing to go on!
Leo, are you saying to just keep Java updated, rather than the recent rush to remove or disable it?
@Tony
Here’s Leo’s recommendation on Java, summed up in the update to the update:
Should I disable Java, and if so, how?
Thanks to you I back up regularly, and it could not be simpler or more convenient. I hate to admit it, but I use backup when I screw something up, unrelated to malware. That drum you keep pounding caused me to not only back up regularly, but to donate because it has saved me time and again. Thank you, thank you, ad infinitum.
“If your machine is infected today, restore to yesterday’s backup, and the infection is gone. Period.” – I’ve mentioned this before, but I’ll mention it again anyway…..
While this was a perfectly okay way to deal with infections a few years ago, it’s not okay today. This is because malware has become much more sophisticated than it used to be and you’ve now got no way of knowing when your machine became infected and, consequently, no way of knowing which, if any, of your backups can be safely restored. Current malware is often remote-controlled via a C&C server and that C&C server can instruct the malware to install other malware that serves a different purpose. So, here’s a scenario…..
Three months ago, your machine became infected with Trojan:W32/Leo. What Leo does is to create a hidden virtual desktop in which an instance of Internet Explorer is run and used to automatically browse specific websites in order to create fraudulent web traffic for ad revenue purposes. And that’s exactly what it’s been doing for the last three months. Silently surfing to fraudulently rack up AdSense bucks. Leo has never been detected by your antivirus program as he – oops, I mean *it* – is heavily obfuscated/encrypted and concealed by a rootkit. And its abilities aren’t limited to silent surfing: it can also install other malware onto your machine. Fast forward three months. Today, the bad guys behind Leo decide it’s time for something new and use Leo to install Trojan:W32/Mark onto your PC as well as onto the tens of thousands of other PCs that are also infected with Leo. Mark is a banking/credential-stealing Trojan but is not as well obfuscated/encrypted as Leo and so is detected and removed by your antivirus program. Even though your antivirus program removed Mark, you decide to err on the side of caution and restore an image backup from last week – a backup which, of course, contains good old Leo. So, while you’ve managed to eradicate Mark, you’ve still got your Leo problem. And Leo then installs Mark2, which is a better obfuscated/encrypted version of the original Mark and able to avoid being detected by your antivirus program. Fast forward another week, and Leo installs W32/Connie: a particularly nasty crypto that’ll hold your data to a 10 bitcoin ransom – a ransom that you’ll be unable to pay because password-stealing Mark2 has already emptied your bank account!
Relying on removal tools – such as antivirus programs, Malwarebytes or AdwCleaner – to clean up an infection is not a good strategy either, as today’s malware is often well concealed and extremely difficult to remove. You may get Mark2 and Connie, but you may not get sneaky old Leo, who’s still hidden behind his rootkit, silently browsing websites while waiting on the next instruction from his C&C server…..
The best option when it comes to cleaning malware infections is to reload your system using the recovery partition or disks, reinstall your programs and restore your data from a backup. It’s time consuming, but it’s the ONLY way you can be 100% sure that your system is clean.
While I agree with everything you posit (excepting, perhaps, the name of the malware in question :-) ), I try to be a tad more … pragmatic?
The fact is that malware as you describe does exist, but it’s still relatively rare. The majority (tempted to say “vast” majority) of folks who suffer a malware infection of some sort, would, today, be completely cleaned up by restoring to a backup taken prior to [detecting] the infection. Yes, there’s an explicit assumption – that infection and detection are relatively coincident. Today, IMO, that remains the most common case.
But it is an assumption, and it’s certainly not guaranteed. The only thing that is guaranteed is something I’ve also said before: once your machine is infected, it’s not your machine any more.
In an absolute sense, you are quite correct: reformat/reinstall is the only 100% guaranteed recovery. (Even relying on the recovery partition has potential issues.)
But for the majority of folks who encounter malware, restoring from a backup remains my first, best recovery step. Particularly if you’re on alert for malware (which most people are immediately after one of these scares), it’s not unreasonable to then make a determination at that point if it’s enough. Still, not 100% accurate, but very much close enough for most situations.
All that being said:
1) A lot of people can’t reinstall from scratch, because they don’t have the media, product key, whatever. (I try to educate to always get.)
2) A lot of people can’t restore from a backup image, because they’ve never taken one. (Again, I try to educate.)
Which leaves them with the least reliable approach of all: relying on malware removal tools. If the malware persists, such as the scenario you outline, they are well and truly out of luck.
“The fact is that malware as you describe does exist, but it’s still relatively rare.” – Unfortunately, it’s pretty common. Very common, actually. In fact, Trojan:W32/Leo was simply an alternative name for some of the real-world stuff that was pushed out a couple of months back during the massive malvertising campaign that ran across numerous major websites which are visited by millions of people each and every day: the New York Times, NFL, BBC, MSN, AOL, etc., etc., etc. And in terms of functionality, Trojan:W32/Leo does exactly what the real-world stuff does. Interestingly, the exploit kit used in this attack was able to detect whether a 32- or 64-bit OS was being used and then auto-install the appropriate version of Trojan:W32/Leo. It’s far more advanced than it was in the past.
“Even relying on the recovery partition has potential issues.” – I’d say theoretical rather than potential. No current malware is capable of infecting a recovery partition.
“Yes, there’s an explicit assumption – that infection and detection are relatively coincident. Today, IMO, that remains the most common case.” – Yup, it’s definitely the most common. But it’s also not uncommon – not at all uncommon, in fact – for machines to be infected for months prior to detection. Remember, malware has changed drastically in recent years and the new stuff is designed to be invisible to both the user and antivirus programs – and it often succeeds at both.
“Still, not 100% accurate, but very much close enough for most situations.” – A few years ago, I’d have completely agreed with you. Back then, most malware did relatively minor stuff such as changing your homepage. But things have changed. Today, most malware does far more serious stuff such as stealing your banking passwords or encrypting your data.
In the past, you could afford not to be 100% accurate; today, you need to be 100% accurate.
The closest you can get to 100% would be to follow safe surfing practices:
Internet Safety: 7 Steps to Keeping Your Computer Safe on the Internet
and perform regular system image backups with daily incrementals in case something slipped through the defenses. Not 100%, but very close.
Here’s the solution, Ray, and it’s absolutely guaranteed to work! You ready? Here it is:
Don’t use computers.
(MORAL: All of life has risks. And while those risks can be reduced, they cannot be avoided.)
Leo, you wrote:
“If the anti-spyware cop is unaware of the fact that video cameras can also be placed in the light fixture, they won’t check that.”
Oh. So, you’ve seen THAT television commercial, have you?
Harrumphk. :)
Excellent description of Security Software and how it needs to know about existing vulnerabilities in order to stop the intrusion. The bathroom comparison is a good one. And one comparison people can understand.
Another good comparison would be the water line and your internet connection. Turning off the water line/internet connection will stop the flow of water/data into the bathroom/computer. At least until you manually insert an infected flash drive.