One of the most important of all human activities is the process of using human language to share information with others. Today this information is generally shared by exchanging documents, either over the Internet as attachments to emails, by visiting websites, or by copying documents to a USB drive. Sadly, hackers abuse the process of sharing documents to transmit malware such as ransomware. We will therefore take a closer look at how documents become infected in order to better understand why and how precautions should be taken before sharing your documents with others or accepting potentially infected documents from others.
How Computer Viruses are Like Human Viruses
Computer malware is software that can harm and even destroy your computer’s hard drive – which is the place where all of your programs and documents are kept inside of your computer. A more common term for malware is computer viruses. There are many kinds of computer viruses, but in this article we will only be considering the latest and most harmful kind of computer virus, called Windows Ransomware.
Computer viruses often act in ways similar to natural human viruses in the way that they are transmitted. Human viruses are passed from person to person when an already infected person sneezes and those around him or her breathe in the virus, eventually passing it on to others around them.
Human Viruses can be transmitted from person to person
Just as people can die from certain powerful human viruses, computers can die from certain powerful computer viruses. To protect against human viruses, some people try to take precautions such as wearing masks which can provide some protection against inhaling viruses – but may not stop other ways that the virus is transmitted – such as when you open a door and touch a door knob that has been contaminated by an infected person.
The most common way people try to protect their computers against viruses is by using so-called anti-virus programs. The problem with anti-virus programs is that, like wearing a mask, they only stop some methods of transmission. More powerful computer viruses are designed to detect and fool anti-virus programs. In 2019, hackers even used an anti-virus program to transmit ransomware! The ransomware attack begins with an email claiming to be from Microsoft, warning you that your computer appears to have problems and that you should download a file to fix these problems:
When you click on the Download link, you download a self-extracting Windows file which is naturally called Defender.exe.
This file installs a real anti-virus program with instructions on how to use it. But it also installs a hidden malicious program that corrupts all of your files and then demands a ransomware payment to get your files back. The history of ransomware during the past 10 years has proven that:
#1 Using Anti-virus programs does not stop ransomware.
#2 Backing up your files does not stop ransomware (in fact, modern ransomware is designed to also infect your backup files).
#3 Installing Windows Updates does not stop ransomware (because ransomware uses security problems buried deep inside of the Windows operating system).
#4 Moving your documents to the Cloud does not stop ransomware (storing your documents on someone else’s server does not stop ransomware because the remote server and or server network can then be hacked).
Sadly, the reason people are still misled into believing all they need is to pay for anti-virus programs is that revenue from selling anti-virus programs has skyrocketed to more than $100 billion per year.
Free Anti-virus programs make even more money selling data from hundreds of millions of customers. Below is a report on the latest data mining abuses from a free anti-virus program called Avast.
https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation
At the same time, the cost of cyber crimes keeps rising and is now in the trillions of dollars annually. https://www.herjavecgroup.com/wp-content/uploads/2018/12/CV-HG-2019-Official-Annual-Cybercrime-Report.pdf
What people really need is the truth about how ransomware works and what they can do to reduce their risk. We will therefore look at how ransomware really works.
How Ransomware Really Works
To understand how ransomware really works, you first need to understand some of the underlying weaknesses of the Windows operating system – as these weaknesses are used to transmit Windows ransomware.
The first question to ask is why ransomware only infects Windows computers and not Apple computers or Linux computers? The answer is that Windows computers suffer from several problems that do not exist on Apple or Linux computers. Let’s look at some of these problems.
#1 Web browsers in the core of the Windows operating system
The biggest and most dangerous of the Microsoft security problems is that, beginning in 1997, leaders at Microsoft decided to place their web browser, called Internet Explorer, inside the core of the operating system. This gave them the ability to remotely stop pirated versions of the operating system whenever a user went online if the user did not have the correct authorization codes. The downside of putting the browser inside the core of the operating system is that this also gave hackers an open back door and thus the ability to remotely control Windows programs whenever a user goes online. Note that neither Linux nor Apple suffers from this problem.
#2 Windows 8 and 10 have two different control panels
Up through Windows 7, the Windows operating system, like the Apple and Linux operating systems, had only one control panel (called the Control Panel). However, in 2010, leaders at Microsoft wanted to get into the mobile phone business and wanted a new control panel that would be more compatible with their mobile phones (which used a simple touch screen). So they came up with the hated Metro Interface which had its own control panel called System Settings. In the rush to get Windows 8 to market, only some of the control functions were ported from the old Control Panel to the new System Settings. This in turn led to a “dual” operating system that was so complex and unstable that it crashed during its first public demonstration – even before hackers got their hands on it.
To make matters worse, the second control panel required its own web browser in order to be remotely controlled by Microsoft. So a second web browser was added to the second control panel, and this gave hackers a second back door into the Windows 8 and 10 operating systems! While Microsoft promised to fully migrate all functions from the old Control Panel to the new System Settings, it has never been able to keep this promise. Instead, many functions have simply been duplicated and are present in both control panels – essentially doubling the code.
#3 Bloated Code Gives Hackers Plenty of Places to Hide
Look at the hard drive on a new Windows laptop that has gone through one round of Windows Updates and has installed a few programs such as Microsoft Office.
You will see that Windows and its programs and updates take up over 30 Gigabytes on the hard drive. By comparison, the Apple operating system or Linux operating system take up less than 6 Gigabytes on the hard drive. Assuming that each gigabyte represents about one hundred pages of code, to read the entire Apple or Linux code would require reading two 300 page books while reading the entire code on a Windows computer would require reading ten 300 page books – all the while knowing that any single line of changed code in any of these ten books can be a place where a hacker is hiding.
We will take a closer look at one example of this bloated code in just a moment.
#4 Windows Permission Escalation Problems that allow lateral movement from computer to computer
One of the tools used by ransomware to move laterally from one computer to another is a tool developed by our own National Security Agency (NSA) called Eternal Blue.
I have written a detailed article about the history and evolution of this Windows ransomware problem and posted it on this web page.
https://learnlinuxandlibreoffice.org/news/hidden-dangers-of-ryuk-ransomware
However, this is not the only example of Microsoft actually adding an escalation problem to its operating system. In 2018, researchers discovered a new Windows privilege escalation problem that was not present on the Windows 7 or 8 operating systems but is present on the latest Windows 10 operating system. See this link:
https://threatpost.com/windows-deletebug-zero-day-allows-privilege-escalation-destruction/138550/
The purpose of privilege escalation appears to be to give Microsoft and their friends (at the NSA) the ability to remotely control your computer. However, it is just a matter of time until hackers discover this and other back doors and use the same back door to take over your computer.
Obviously, no anti-virus program can stop hackers from exploiting holes in the Windows operating system – especially when Microsoft keeps adding new back doors! Windows users simply need to be aware that whenever you go online with a Windows 10 computer and download or share documents with other Windows 10 users, both your computer and their computer are being placed at risk of a ransomware attack.
Here are just a few of the recent Windows ransomware attack screens (screenshots omitted here): several fake system warnings, two that open inside the MS Word screen, one that is harder to read but is basically the same, one telling you to activate Word, and finally one that simply asks you to verify you are human.
All of these examples prove the point that it is impossible to expect people to just be cautious about clicking on links. Instead, what people need is software that is not susceptible to ransomware just because they happened to click on the wrong link or downloaded a document they thought was from their best friend.
Two Simple Examples of Bloated Windows Code
Complex concepts like privilege escalation, web browsers in the core of the operating system and dual control panels may be difficult for beginners to understand. We will therefore conduct two simple exercises so that you can visually see some of the problems inherent in Microsoft Word documents compared to Libre Writer documents.
First start Windows and create a new blank Word document. Type Word Test Document 1 into the document.
Then click File, Save and save it to “This PC” in your Documents folder as a DOCX document with the name Word Test Document 1.
Then open the Windows version of Libre Writer and open a blank Writer document. Type in Writer Test Document 1.
Then click File, Save and save it to your Documents folder on the C drive as an ODT file with the file name Writer Test Document 1. You should now have two documents in your Documents folder:
Test 1: The Browser Test
Now open the Word Test document and click File SAVE AS. Then use the drop down arrow to save the document as an HTML document:
Close the document. Then open the Writer document with Libre Writer and click File SAVE AS and save it as an HTML document (which is a web page document).
Close the document. You should now have four test documents in your file manager:
Right click on the Word html document and open it with a web browser. Then right click on the screen and click View Page Source. Scroll down the page. Note that the document is 755 lines long.
Close the browser. Then right click on the Writer Test Document and open it with a browser. Then right click on the page and click View Page Source. You will see that the document is 33 lines long.
Close the browser. This simple exercise confirms that a hacker has more than 20 times the places to hide in the Word document compared to the Writer document.
Test 2: The Extraction Test
Go back to your File Manager and right click on your Word Test Document. Then click Rename and change the ending extension of the document from docx to zip. Then right click on the zipped folder and click Extract All, then Extract.
This will expose some of the internal structure of the Word docx document showing that it has three folders and one XML file.
Open the Word folder and you will see that there is a themes folder.
The themes folder has an XML file called theme1 with hundreds of lines and a file size of 10 KB. The styles.xml file has hundreds of additional lines with a file size of 29 KB. The actual content is in the XML file called document2.xml. The total file size for this test Word document is nearly 50 KB. Close this extracted file.
Next right click on the Writer test document and click Rename. Then change the ending extension from odt to zip. Then right click on the zipped folder and click Extract All, then Extract.
The actual content is in the content.xml file. The total file size is about 30 KB, which is thousands of lines of code less than the Word document.
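The extraction test above can be repeated without a file manager, because both DOCX and ODT files are ordinary ZIP containers. The script below is an added example (not from the original article): it lists every part of a document container with its size and line count, totals the XML parts, and flags any non-XML parts (such as a macro container) that deserve a closer look before the document is opened. The two sample documents are constructed inline and are far smaller than real ones; the `vbaProject.bin` member is a constructed stand-in for a real macro part.

```python
import io
import zipfile
from typing import Dict, Tuple

# Member names follow the real DOCX/ODT layouts, but both samples are constructed here.
XML_SUFFIXES = (".xml", ".rels")


def build_sample(members: Dict[str, str]) -> bytes:
    """Build an in-memory ZIP container from {member name: text}. Constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


def inspect_container(data: bytes) -> Dict[str, Tuple[int, int]]:
    """Map each member of a DOCX/ODT container to (uncompressed bytes, line count)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lines = len(zf.read(info.filename).splitlines())
            report[info.filename] = (info.file_size, lines)
    return report


def summarize(report: Dict[str, Tuple[int, int]]) -> dict:
    """Total XML size/lines, plus non-XML parts a reviewer should inspect by hand."""
    xml = {n: v for n, v in report.items() if n.endswith(XML_SUFFIXES)}
    # 'mimetype' is a required plain-text part of every ODT, so it is not suspicious.
    others = sorted(n for n in report if n not in xml and n != "mimetype")
    return {"xml_bytes": sum(s for s, _ in xml.values()),
            "xml_lines": sum(l for _, l in xml.values()),
            "non_xml_parts": others}


DOCX_SAMPLE = build_sample({  # constructed, minimal Word-style container
    "[Content_Types].xml": "<Types/>\n",
    "word/document.xml": "<w:document>\n<w:body><w:p>Word Test Document 1</w:p></w:body>\n</w:document>\n",
    "word/styles.xml": "\n".join(f'<w:style w:styleId="s{i}"/>' for i in range(40)),
    "word/theme/theme1.xml": "\n".join(f"<a:clr{i}/>" for i in range(20)),
    "word/vbaProject.bin": "\x00" * 8,  # stand-in for a macro part; real ones are binary
})
ODT_SAMPLE = build_sample({  # constructed, minimal Writer-style container
    "mimetype": "application/vnd.oasis.opendocument.text",
    "content.xml": "<office:document-content>\n<office:body><text:p>Writer Test Document 1</text:p></office:body>\n</office:document-content>",
    "styles.xml": "\n".join(f'<style:style style:name="s{i}"/>' for i in range(10)),
})

if __name__ == "__main__":
    for label, data in (("docx", DOCX_SAMPLE), ("odt", ODT_SAMPLE)):
        print(label, summarize(inspect_container(data)))
```

Run it against a real `.docx` or `.odt` by reading the file into `inspect_container`; a non-empty `non_xml_parts` list means the document carries more than markup and should be examined before it is trusted.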
What’s Next?
Now that we have a better understanding of the dangers of sharing MS Word documents with the Windows operating system, in the next section we will outline some steps to protect you and your computer from becoming the next victim of ransomware hackers.