Virus damage estimated at $55 billion in 2003.

"SINGAPORE - Trend Micro Inc, the world's third-largest anti-virus software maker, said Friday that computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that would rise this year. Companies lost roughly $20 billion to $30 billion in 2002 from the virus attacks, up from about $13 billion in 2001, according to various industry estimates." This was the story across thousands of news agency desks in January 2004. Out of $55 billion, how much did it cost your company? How much did it cost someone you know?

I. The Why

There is an average of 10-20 viruses released every day. Very few of these viruses actually make the "Wild" stage. Viruses are designed to take advantage of security flaws in software or operating systems. These flaws range from something as blatant as Microsoft Windows NetBIOS shares to exploits using buffer overflows. Buffer overflows happen when an attacker sends a program input longer than what it expects. If the victim software is not designed well, the attacker can overwrite the memory allocated to the software and execute malicious code.

People make viruses for various reasons. These reasons range from political to financial to notoriety to hacking tools to plain malicious intent.

Political: Mydoom is a good example of a virus that was spread with a political agenda. The two targets of this virus were Microsoft and The SCO Group. The SCO Group, which claims that it owns a large portion of the Linux source code, threatened to sue everyone using Linux operating systems (with "stolen" programming source). The virus was very effective, knocking down SCO's website. However, Microsoft had enough time to prepare for the second attack and efficiently sidestepped disaster.

Financial: Some virus writers are hired by other parties to either leach financial data from a competitor or make the competitor look bad in the public eye. Industrial espionage is a high risk/high payout field that can land a person in prison for life.

Notoriety: There are some that write viruses for the sole purpose of getting their name out. This is great when the virus writers are script kiddies, because it helps the authorities track them down. There are several famous viruses that have the author's email in the source code or open script.

Hacking: Hackers sometimes write controlled viruses to assist in gaining access to a remote computer. They will add a payload to the virus, such as a Trojan horse, to allow easy access into the victim's system.

Malicious: These are the people that are the most dangerous. These are the blackhat hackers that code viruses with the sole intention of destroying networks and systems without prejudice. They get high on seeing the utter destruction of their creation, and are very rarely script kiddies.

Many of the viruses that are written and released are viruses altered by script kiddies. These viruses are known as generations of the original virus and are very rarely altered enough to be noticeably different from the original. This stems from the fact that script kiddies do not understand what the original code does and only alter what they recognize (file extension or victim's website). This lack of knowledge makes script kiddies very dangerous.

II. The How

Malicious code has been plaguing computer systems since before computers became a common household appliance. Viruses and worms are examples of malicious code designed to spread and cause a system to perform a function that it was not originally designed to do.

Viruses are programs that need to be activated or run before they are dangerous or spread. The computer system only becomes infected once the program is run and the payload has been deployed. This is why hackers and crackers try to crash or restart a computer system once they copy a virus onto it.

There are four ways a virus can spread:
1.) Email
2.) Network
3.) Downloading or installing software
4.) Inserting infected media

Spreading through Email

Many viruses spread when a user receives an infected email. When the user opens this email or previews it, the virus becomes active and immediately starts to spread.

Spreading through Network

Many viruses are network aware. This means that they look for unsecured systems on the network and copy themselves to those systems. This behavior destroys network performance and causes viruses to spread across your systems like wildfire. Hackers and crackers also use Internet and network connections to infect systems. They not only scan for unprotected systems, but they also target systems that have known software vulnerabilities. This is why keeping systems up to date is so important.

Spreading through manual installation

Installing software from downloads or disks increases the risk of infection. Only install trusted and scanned software that is known to be safe. Stay away from freeware and shareware products. These programs are known to contain Spyware, Adware, and viruses. It is also good policy to deny all Internet software that attempts to install itself unless explicitly needed.

Spreading through boot sectors

Some viruses corrupt the boot sector of disks. This means that if another disk scans the infected disk, the infection spreads. Boot sector viruses are automatically run immediately after the disk is inserted or the hard drive connected.

III. Minimizing the effect of viruses and worms

We have all heard stories about the virus that destroyed mission critical company data, which cost companies months to recover and thousands of dollars and man-hours restoring the information. In the end, there are still many hours, costs, and would-be profits that remain unaccounted for. Some companies never recover fully from a devastating attack. Taking simple precautions can save your business.

Anti-virus Software

Another step is to run an antivirus program on the local computer. Many antivirus programs offer live update software and automatically download the newest virus definitions minutes after they are released (it is very important that you verify these updates weekly, if not daily). Be careful of which antivirus program you choose. Installing a PC antivirus on a network can be more destructive to performance than a virus at work. Norton makes an effective corporate edition specifically designed for Windows NT Server and network environments. When using antivirus software on a network, configure it to ignore network drives and partitions. Only scan the local system and turn off the auto-protection feature. The auto-protect constantly scans your network traffic and causes detrimental network issues. Corporate editions usually have this disabled by default. PC editions do not.

Email Clients

Do not open emails from unknown sources. If you have a website for e-commerce transactions or to act as a virtual business card, make sure that the emails come with a preset subject. If the emails are being sent through server-side code instead of the user's email client, specify whom it is coming from so you know what emails to trust. Use common sense when looking at your email. If you see a strange email with an attachment, do not open it until you verify whom it came from. This is how most Mass Mailer (MM) worms spread.

Disable preview panes in email clients. Email clients such as Outlook and Outlook Express have a feature that will allow you to preview the message when the email is highlighted. This is a major security flaw and will instantly unleash a virus if the email is infected. It is also a good idea to turn off the feature that enables the client to view HTML formatted emails. Most of these viruses and worms pass by using the html function "" and run the attached file within the email header.

We will take a quick look at an email with the subject header of "You're now infected" that will open a file called readme.exe.

    "Subject: You're now infected
    MIME-Version: 1.0
    Content-Type: multipart/related;type="multipart
    =="
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Unsent: 1
    To: undisclosed-recipients:;

    --====_ABC1234567890DEF_====
    Content-Type: multipart
    =="                                  *** (This calls the iframe)

    --====_ABC0987654321DEF_====
    Content-Type: text/html;charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
                                         *** (This calls readme.exe)
    --====_ABC0987654321DEF_====--

    --====_ABC1234567890DEF_====
    Content-Type: audio/x-wav;name="readme.exe"   *** (This is the virus/worm)
    Content-Transfer-Encoding: base64
    Content-ID:                          *** (Notice the )
    RURCBIVE1MIDQuMCBUcmFuc2l0aW9u
    obydzIHRoZSBiZXN0LS0tLS0tPyAt
    1lcmlkPTExNDc0
    WF0dXJlcykgeyAvL3Yy
    *** Broken to protect the innocent. (Worm is encoded in
    jb20vZmNhbGhpc3BvcnRzZnJtMT5Gb290
    PiAtIDwvZm9udD4NDTxicj48YnI+PGJy
    y5lemJvYXJkLmNvbS8+ZXpib2Fy
    k5LTIwMDEgZXpib2FyZCwgSW5j
    Cj==
    --====_ABC1234567890DEF_====--"
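The two tricks in the message above, an HTML body whose iframe loads another MIME part by Content-ID and an executable shipped under an audio/x-wav content type, are easy to check for at the mail gateway. The following is an added example, not code from the article; it uses only Python's standard library, and the sample message is a constructed, harmless stand-in with the same structure (the "attachment" is plain text, not a worm).

```python
"""Audit a MIME message for the traits of the "You're now infected" sample:
an HTML body whose <iframe> loads an attachment by Content-ID, and an
attachment declared as audio/x-wav while its filename is an .exe.

Added example, not part of the original article. Standard library only; the
message below is a constructed, harmless stand-in with the sample's structure."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: same shape as the article's message, harmless content.
SAMPLE = b"""\
Subject: You're now infected
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUND1"; type="multipart/alternative"

--BOUND1
Content-Type: multipart/alternative; boundary="BOUND2"

--BOUND2
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><body><iframe src=3D"cid:readme" width=3D0 height=3D0></iframe></body></html>
--BOUND2--
--BOUND1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <readme>

bm90IGEgd29ybSwganVzdCB0ZXh0Cg==
--BOUND1--
"""

# Extensions Windows executes regardless of the MIME type the sender declared.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
IFRAME_CID = re.compile(r'<iframe[^>]*\ssrc=["\']cid:([^"\'>]+)', re.I)


def audit_message(raw: bytes) -> list[str]:
    """Return one finding per suspicious trait; an empty list means nothing flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []
    cid_parts: dict[str, tuple[str, str]] = {}  # Content-ID -> (type, filename)
    iframe_cids: list[str] = []                 # cid: targets pulled from HTML bodies
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid:
            cid_parts[cid] = (ctype, name)
        # Trait 1: a media or text type wrapping an executable filename.
        if name.endswith(EXEC_EXTS) and not ctype.startswith("application/"):
            findings.append(f"{ctype} part named {name!r}: declared type hides an executable")
        # Trait 2: HTML body with an <iframe> that loads another part by Content-ID,
        # which is what made vulnerable clients run the attachment on preview.
        if ctype == "text/html":
            iframe_cids += IFRAME_CID.findall(part.get_content())
    for cid in iframe_cids:
        ctype, name = cid_parts.get(cid, ("unresolved", ""))
        findings.append(f"html <iframe> loads cid:{cid} ({ctype}, {name or 'unnamed'})")
    return findings


if __name__ == "__main__":
    for line in audit_message(SAMPLE):
        print("FLAG:", line)
```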
Email Servers

The first step to minimizing the effect of viruses is to use an email server that filters incoming emails using antivirus software. If the server is kept up to date, it will catch the majority of Mass Mailer (MM) worms. Ask your Internet Service Provider (ISP) if they offer antivirus protection and spam filtering on their email servers. This service is invaluable and should always be included as the first line of defense. Many companies house an internal email server that downloads all of the email from several external email accounts and then runs an internal virus filter. Combining an internal email server with the ISP protection is perfect for a company with an IT staff. This option adds an extra layer of control, but also adds more administration time.

Sample specs for an internal email server are:

Setup #1
* Linux: OS
* Sendmail: mail server
* Fetchmail: Grabs email from external email addresses
* F-prot: Antivirus
* SpamAssassin: Spam Filter

Setup #2
* Win 2003 Server: OS
* Exchange: Email server
* Symantec antivirus: Antivirus
* Exchange Intelligent Message Filter: Spam Filter

Software Updates

Keep your software up to date. Some worms and viruses replicate through vulnerabilities in services and software on the target system. Code Red is a classic example. In August 2001, the worm used a known buffer overflow vulnerability in Microsoft's IIS 4.0 and 5.0 contained in the Idq.dll file. This would allow an attacker to run any program they wanted on the affected system. Another famous worm called Slammer targeted Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000.

When updating your software, make sure to disable features and services that are not needed. Some versions of Windows NT had a web server called IIS installed by default. If you do not need the service, make sure it is turned off (Code Red is a perfect example). By only enabling the services you need, you decrease the risk of attack.

Telecommunications Security

Install a firewall on the network. A firewall is a device or software that blocks unwanted traffic from going to or from the internal network. This gives you control of the traffic coming in and going out of your network. At minimum, block ports 135, 137, 139, and 445. This stops most network aware viruses and worms from spreading from the Internet. However, it is good practice to block all traffic unless specifically needed.

Security Policies

Implementing security policies that cover items such as acceptable use, email retention, and remote access can go a long way toward protecting your information infrastructure. With the addition of annual training, employees will be informed enough to help keep the data reliable instead of hindering it. Every individual that has access to your network or data needs to follow these rules. It only takes one incident to compromise the system. Only install proven and scanned software on the system. The most damaging viruses come from installing or even inserting a contaminated disk. Boot sector viruses can be some of the hardest malware to defeat. Simply inserting a floppy disk with a boot sector virus can immediately transfer the virus to the hard drive.

When surfing the Internet, do not download untrusted files. Many websites will install Spyware, Adware, Parasites, or Trojans in the name of "Marketing" on unsuspecting victims' computers. Many prey on users that do not read popup windows or download freeware or shareware software. Some sites even use code that takes advantage of vulnerabilities in Internet Explorer to automatically download and run unauthorized software without giving you a choice.

Do not install or use P2P programs like Kazaa, Morpheus, or Limewire. These programs install server software on your system, essentially back-dooring your system. There are also thousands of infected files floating on those networks that will activate when downloaded.

Backups & Disaster Recovery Planning

Keep daily backups offsite. These can be in the form of tape, CD-R, DVD-R, removable hard drives, or even secure file transfers. If data becomes damaged, you would be able to restore from the last known good backup. The most important step while following a backup procedure is to verify that the backup was a success. Too many people just assume that the backup is working, only to find out that the drive or media was bad six months earlier when they were infected by a virus or lost a hard drive. If the data that you are trying to archive is less than five gig, DVD-R drives are a great solution. Both the drives and disks have come down in price and are now a viable option. This is also one of the fastest backup methods to process and verify. For larger backups, tape drives and removable hard drives are the best option. If you choose this method, you will need to rotate the backup with five or seven different media (tapes, CD/DVD, removable drives) to get the most out of the process. It is also suggested to take a "master" backup out of the rotation on a scheduled basis and archive it offsite in a fireproof safe. This protects the data from fire, flood, and theft.

In the Internet age, understanding that you have to maintain these processes will help you become successful in preventing damage, and minimizes the time, costs, and liabilities involved during the disaster recovery phase if you are affected.

Resources

Virus Resources
F-PROT
McAfee
Symantec Norton
Trend Micro
NIST GOV

Free software
AVG Anti-Virus - Free
F-Prot - Free for home users

Free online Virus scan
BitDefender
HouseCall
McAfee
Panda ActiveScan
RAV Antivirus

Free online Trojan scan
TrojanScan

Free online Security scan
Symantec Security Check
Test my Firewall

More Security Resources
Forum of Incident Response and Security Teams
Microsoft
SANS Institute
Webopedia

Definitions

Adware: *A form of spyware that collects information about the user in order to display advertisements in the Web browser based on the information it collects from the user's browsing patterns. Software that is given to the user with advertisements already embedded in the application.

Malware: *Short for malicious software, software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.

Script Kiddie: *A person, normally someone who is not technologically sophisticated, who randomly seeks out a specific weakness over the Internet in order to gain root access to a system without really understanding what it is s/he is exploiting because the weakness was discovered by someone else. A script kiddie is not looking to target specific information or a specific company but rather uses knowledge of a vulnerability to scan the entire Internet for a victim that possesses that vulnerability.

Spyware: *Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.

Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today.

Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability.

Because spyware exists as independent executable programs, they have the ability to monitor keystrokes, scan files on the hard drive, snoop other applications, such as chat programs or word processors, install other spyware programs, read cookies, change the default home page on the Web browser, consistently relaying this information back to the spyware author who will either use it for advertising/marketing purposes or sell the information to another party.

Licensing agreements that accompany software downloads sometimes warn the user that a spyware program will be installed along with the requested software, but the licensing agreements may not always be read completely because the notice of a spyware installation is often couched in obtuse, hard-to-read legal disclaimers.

Trojan: *A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.

The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.

Virus: *A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man made. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.

Since 1987, when a virus infected ARPANET, a large network used by the Defense Department and many universities, many antivirus programs have become available. These programs periodically check your computer system for the best-known types of viruses.

Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

Worm: *A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.

* Definitions provided by Webopedia

A special thanks goes out to the CISSP community, various Chief Information Security Officers (CISOs), and to those in the Risk Assessment specialty of Information Systems Security for their help in proofreading and suggestions.
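Returning to the Backups & Disaster Recovery Planning section above, the step the article says is most often skipped is verifying that the backup actually succeeded. The following is an added example, not code from the article: it copies a directory to a "medium", recomputes SHA-256 digests from the copy rather than trusting the copy operation, and then shows the same check catching a medium that has gone bad. It uses only the standard library and builds its own sample data in a temporary directory.

```python
"""Back up a directory and verify the copy by SHA-256 digest, the check the
Backups section says most people skip. Added example, not from the article;
standard library only, and it builds its own sample data in a temp directory."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def digest_tree(root: Path) -> dict[str, str]:
    """Map each file (path relative to root) to the SHA-256 of its contents."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(src: Path, dst: Path) -> list[str]:
    """Compare a live tree with its backup; an empty list means the backup is good.
    Digests are recomputed from the medium, so silent corruption or a file that
    never made it onto the tape shows up now rather than at restore time."""
    expected, actual = digest_tree(src), digest_tree(dst)
    problems = []
    for rel, h in expected.items():
        if rel not in actual:
            problems.append(f"missing in backup: {rel}")
        elif actual[rel] != h:
            problems.append(f"digest mismatch: {rel}")
    return problems


def backup_and_verify(src: Path, dst: Path) -> list[str]:
    """Copy src onto dst (the 'medium'), then verify; returns verify_backup's report."""
    shutil.copytree(src, dst, dirs_exist_ok=True)
    return verify_backup(src, dst)


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a good backup, then the same medium after one file
    on it is truncated and another lost. Returns (report_good, report_bad)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        (src / "docs").mkdir(parents=True)
        (src / "ledger.csv").write_text("2003,Q4,55000000000\n")
        (src / "docs" / "policy.txt").write_text("acceptable use policy v1\n")
        medium = Path(tmp, "tape")
        report_good = backup_and_verify(src, medium)
        # Simulate a bad medium: one file truncated, one silently dropped.
        (medium / "ledger.csv").write_bytes(b"2003,Q4")
        (medium / "docs" / "policy.txt").unlink()
        report_bad = verify_backup(src, medium)
    return report_good, report_bad


if __name__ == "__main__":
    good, bad = demo()
    print("good backup:", good or "verified")
    print("bad medium :", bad)
```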