LabMice.net - The Windows 2000\XP\.NET Resource Index

Last Updated November 13, 2003


Computer Virus Primer for Network Administrators

Most administrators are familiar with the basic concepts of what a virus is, what potential effects it can have on a network, and what basic steps can be taken to prevent or contain outbreaks. Today's viruses and other forms of malicious software (dubbed malware) can spread rapidly via e-mail and networked systems and circle the globe in a matter of hours, infecting thousands of computers before antivirus vendors have an updated definition available. To fight an outbreak, many administrators have to drop everything to update their companies' AV software, isolate infected network segments and systems, and repair the damage. Despite this threat, many companies still rely on this reactive "firefighting" approach, rather than being proactive and employing a full-time antivirus administrator. This primer won't make you an expert overnight, but it will introduce you to the basic concept of malware, identify the various types of viruses and malware, explain common industry terminology, decipher the CARO virus naming convention, and provide additional information that will help you research, combat, and recover from a malware threat or outbreak. It also includes some proactive steps you can use to help prevent a major outbreak on your network.


The Concept of Malware
Malware is a blanket industry term used to describe the variety of "malicious software" that is in circulation around the world. The definition includes viruses, worms, Trojans, computer "bombs", and other forms of intentionally destructive software, as well as annoying but generally non-destructive software pranks. Laypeople, misinformed network administrators, and the mainstream press often describe various types of malware as "computer viruses", with little regard as to whether the code really is a virus. To them, the distinction between the various forms of destructive software means little, and the general term "computer virus" is simple and easy to understand.

However, to the network administrator and the computer industry in general, being able to accurately identify and classify the type of malicious software spreading across global networks is a crucial step in developing strategies to contain and eradicate it. Not all viruses are destructive, and not every piece of destructive software on your network will be a virus. Malicious software is used to spread mayhem, enact political revenge on a corporate target, steal data, increase access to network resources, hijack networks, deny companies use of their networks, or sometimes simply gain bragging rights. Malware is also rapidly evolving beyond the PC to include handheld PDAs and embedded devices, wireless networks, and cell phones. To understand and combat malware, you'll need to understand the various types of malware, how they function, and how they spread.

Classifications of malware
For the sake of naming and categorizing threats, malware is classified into a number of categories depending on its method of replication, trigger, and payload. Although these categories are useful, they are still artificial, and many of the more recent varieties of malicious software use a combination of tactics that blur the lines between these classifications. Still, it's important to understand the terms used by the antivirus industry in order to quickly assess new threats.

The Classic Virus
The formal definition of a virus is simply a self-replicating computer program that can "infect" other computer programs. Note that the definition doesn't actually require a virus to cause any damage, and many don't. In fact, a virus's ability to replicate itself and spread to other computers often relies on its ability to stay undetected. The more malicious and destructive it is, the more attention it draws to itself, and the more likely it is to be discovered and eradicated. Successful viruses try to stay undetected and replicate themselves as much as possible before actually delivering their final payload. Newer forms of malware that spread rapidly via e-mail and the internet may be configured to disable their host system immediately, to prevent the user from warning the people on their contact list not to open the e-mail that triggered the infection.

Components of a Virus

  • Method of Infection - The only component a program needs to be classified as a virus is a method of infection which allows it to replicate. This could involve infecting the boot sector, modifying an existing program or lines of code, inserting itself into Microsoft Office documents, or attaching itself to network resources. 

  • Trigger - The trigger is the component of a virus that launches its payload - if it has one. The trigger could be a specific date or time, an action by the user (opening a file), a sequence of events or keystrokes, or a repetition of events. The longer the trigger is delayed, the more opportunity the virus will have to spread if it has an efficient infection mechanism. But if it waits too long, it risks detection by an antivirus scan.

  • Payload/Warhead - The "payload" or "warhead" is the final component of many viruses. The payload can be anything from a simple screen message that taunts the user, to a more destructive package that scrambles data, deletes files, creates backdoors into systems, or causes system crashes. Not all viruses have triggers and payloads, and the first clue that you may ever have that your system is infected is when you run antivirus software and actually scan your system.

Types of Viruses
The majority of viruses fall into one of four categories: Boot sector viruses, file infectors, macro viruses, and multi-partite (which combine infection mechanisms). While this generality is fine for the home user, the network administrator working in a larger environment is more likely to actually encounter an infection (the rate is typically 40 per 1,000 computers per year) and needs to be familiar with a broader category of industry terms.

  • Armored Virus - A virus which has been "hardened" to make disassembly of its source code or reverse engineering by antivirus analysts more difficult.

  • Boot Sector Virus - These were common in the mid 1990s when floppy disks were the primary method for sharing files. A boot sector virus infects the master boot record (MBR) of a floppy disk, and then spreads to a user's hard drive whenever the floppy disk is accessed, or if the system is booted from the infected disk. Once the user's hard drive is infected, the virus will attempt to infect every floppy disk that is inserted into the PC and continue spreading itself until it is discovered.

  • Companion (Spawning) Viruses - Companion viruses take advantage of a quirk in MS-DOS based operating systems, and use malicious files with a .COM extension instead of actually infecting .EXE or executable files. When you type in a command by referencing its filename without specifying the extension, the operating system "fills in" the extension for you and executes any .COM file before using its equivalent .EXE file. A companion virus creates copies of itself using the names of real .EXE files found on the PC (for example PROGRAM.EXE), naming the copy PROGRAM.COM. This tactic has also been used to create other forms of non-viral (non-replicating) malware.
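The defender's check for the .COM/.EXE quirk described above is to look for a .COM file sitting beside an .EXE of the same base name. This is an added example, not code from the original article; the directories to sweep are assumed to be the PATH entries and application folders, and the sample folder it builds is constructed for the demonstration.

```python
import os
import tempfile
from typing import Dict, List, Tuple


def find_companion_shadows(directories: List[str]) -> List[Tuple[str, str]]:
    """Return (com_path, exe_path) pairs where a .COM sits beside a .EXE of the
    same base name, i.e. the .COM is what runs for a bare 'NAME' command."""
    findings: List[Tuple[str, str]] = []
    for directory in directories:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue  # missing or unreadable PATH entry: skip it, keep sweeping
        by_stem: Dict[str, Dict[str, str]] = {}
        for entry in entries:
            stem, ext = os.path.splitext(entry)
            ext = ext.lower()
            if ext in (".com", ".exe"):
                # DOS/Windows file names are case-insensitive, so group on lowercase.
                by_stem.setdefault(stem.lower(), {})[ext] = os.path.join(directory, entry)
        for paths in by_stem.values():
            if ".com" in paths and ".exe" in paths:
                findings.append((paths[".com"], paths[".exe"]))
    return sorted(findings)


def build_sample_dir() -> str:
    """Constructed sample: an 'application' folder holding one shadowed program
    (PROGRAM.EXE + PROGRAM.COM), one unshadowed .EXE and one lone .COM."""
    d = tempfile.mkdtemp(prefix="companion_demo_")
    for name in ("PROGRAM.EXE", "PROGRAM.COM", "OTHER.EXE", "SOLO.COM"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\x00")  # content is irrelevant here; only the names matter
    return d


def shadows_in_sample() -> List[Tuple[str, str]]:
    """Sweep the constructed folder plus a non-existent PATH entry (skipped cleanly)."""
    d = build_sample_dir()
    return find_companion_shadows([d, os.path.join(d, "does_not_exist")])


if __name__ == "__main__":
    for com, exe in shadows_in_sample():
        print(f"WARNING: {com} shadows {exe}")
```

A hit is only a lead: some legitimate packages ship both forms, so compare the .COM against a known-good copy or inventory before acting on it.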

  • File Infecting/Parasitic Viruses - These viruses infect program files such as those with .EXE, .SYS, .PRG, .BAT, and other extensions. Virus writers may insert code at either the beginning or the end of a program so that it is launched whenever the program is executed, or simply overwrite code in an executable to avoid changing the size of the original file and hopefully escape detection. Cavity viruses attempt to use the "empty space" in a program to modify and infect the file without breaking its functionality or changing the file size. Although most up-to-date antivirus software can easily catch files that are replaced or modified by a virus, it is more difficult to repair or replace these files.

  • Germ - The initial programmed form of a virus (generation zero).

  • Intended - These are programs that are written to be viruses, but don't actually replicate. Contrary to the popular myth, many virus writers are rank amateurs as well as some of the worst coders in the world. Their attempts at virus writing are often dismal failures and they don't receive much press.

  • Latent Viruses - These are full-fledged viruses that simply have not been executed. For example, a virus written for the Windows platform that was sent via e-mail to a Mac user (or stored on a UNIX server) is relatively benign to that system. In fact, antivirus scanners that check only for viruses native to those platforms may miss the file entirely. However, if that file is shared and a Windows user attempts to open or execute it, the virus can rapidly become an active threat on your network.

  • Macro and scripting viruses - Macro viruses exploit the scripting functionality that Microsoft built into its Office productivity suite, including the popular Outlook mail program. Macros are small scripts embedded into Word or Excel that allow routine tasks to be automated. Once an infected file is launched, the macro replicates itself to all similar documents and spreads rapidly through the network. Variants have been known to infect the document templates used to create new documents, or make subtle (and hard to detect) changes in spreadsheets and other data fields. Although the vast majority of macro viruses are written for Microsoft Office, a few "proof of concept" viruses have also been written for AutoCAD and Corel Office suites. Scripting viruses use the same programming languages that are seen in macro viruses (Visual Basic for Applications, JavaScript); however, they are not embedded into a file and may be used as a Trojan.

  • Multi-partite - Also called dual infectors, these viruses use more than one mechanism to spread themselves and infect other systems. Earlier versions infected both the data on a disk as well as the Master Boot Record. Modern versions (such as MTX) spread as a Trojan, a file virus, and a non parasitic worm.

  • Polymorphic - Definition based antivirus software identifies viruses by searching for small unique strings of code (known as signatures) that only exist in known viruses. A polymorphic virus alters its code and produces a functional variation of itself in the hope of escaping detection. Although initially successful, these viruses have not been a huge threat and are easily detectable by most modern antivirus programs. The polymorphism concept has also been used by modern e-mail worms (such as LoveBug) that use variable subject lines and filenames in order to foil attempts to block them at mail gateways.

  • Proof of concept viruses - These are viruses that were created with an academic purpose rather than malicious intent. A researcher may simply wish to prove a theoretical point about a vulnerability or method of attack, and publish his source code to the security community so that the vulnerability can be addressed and closed. In most cases, proof of concept viruses are confined to labs and never make it into the wild, although some malicious programmers may create variants based on the concept. 

  • Retrovirus - A virus that attacks or disables antivirus programs.

  • Stealth Viruses - Stealth is a technology, rather than an actual virus type, and many viruses implement some form of stealth. Stealth viruses attempt to hide themselves from antivirus programs, often by intercepting or trapping disk access requests. Whenever an antivirus program attempts to read and analyze infected files, the virus returns information that the original, uninfected program would have returned.

  • Sparse Infectors - These viruses attempt to avoid detection by only infecting files intermittently. There are a number of mechanisms that are used to accomplish this, including counters and environmental variables such as date and time.

Worms
Worms are computer programs that replicate themselves across network connections, without modifying or attaching themselves to a host program. Some experts consider worms a special type of virus instead of giving them their own category; however, the classifications that traditionally separate worms and viruses are beginning to blur. Many of the more modern variants that are commonly described as worms can also be classified as viruses or worm/virus hybrids.

Trojans
Trojans are programs that claim to be one thing (usually appearing harmless), but carry an undesirable and often destructive payload. Just like the original wooden horse, Trojans are a delivery vehicle for other forms of malware and often rely on a bit of social engineering to trick a user into actually launching the program. Despite mainstream news media coverage warning computer users not to simply click on e-mail attachments (especially executables), the Trojan is still an effective tool for spreading malware. In the past, Trojan programs were considered "non replicating malware" because they simply launched their payload and that was it. Modern variants blur this distinction and are used to launch worms and worm/virus hybrids that can quickly overwhelm corporate e-mail systems.

Other forms of Malware
As mentioned earlier, viruses, worms, and Trojans aren't the only forms of malicious software. There are a number of non-replicating forms of malware that are designed to destroy or steal data, open backdoors into systems, disable networks, or hijack remote systems. Many of the following bits of malware are used as the payload for a Trojan program, but may also be distributed manually by individuals with physical access to a PC or network, or inserted into an unprotected PC that operates with a full time internet connection.

  • DDoS Agents - A denial of service attack attempts to overwhelm a network or system resource in order to deny legitimate users access to that resource. In order to accomplish this goal on a large target (such as a mainstream website), hundreds or even thousands of computers are required in what is known as a distributed denial of service attack, or DDoS. Hackers "recruit" computer systems to help them in their attacks by sending out Trojan programs that install agents on the affected PC. These agents lie relatively dormant until they receive further instructions from the hacker's computer (usually a very small bit of code), and then begin flooding the network (or a specific target) with garbage traffic.
  • Logic Bombs - This type of malware waits for a specific trigger (such as a date or sequence of events) to launch and has been a common tactic of virus writers for years. For hackers and disgruntled employees, it is an effective way of delivering a destructive payload long after they've left and cleaned up their tracks. In one famous case, an administrator buried a program on his company's server that checked for the existence of his user account. If his account was deleted or disabled, the program would launch and begin deleting files on servers across the network. Unfortunately, this type of logic bomb is usually a custom program or script that is difficult to detect and would not be identified by anti-virus software.
  • Mines - Like the physical military mines, malicious programs can be seeded onto a file server or placed on innocent looking disks that are left lying about a server room. These are usually custom programs written and spread by disgruntled employees or contractors with an axe to grind, and are almost impossible to defend against. They may also be named to entice a user or curious administrator to open them. You can guard against disk based threats by disabling auto-run for the CD-ROM drive on workstations and servers, as well as the ability to boot from a floppy disk.
  • Password Stealers and Keystroke Loggers - There are a number of third party programs that are written to capture a user's keystrokes, write the data to a log, and then send the log to a remote location or e-mail address. These are often difficult to locate, and may not be detected by anti-virus software (although many are).
  • Parasite Software - Some shareware, freeware, and adware programs are being packaged with additional software that can monitor your browsing habits, and even sell your unused CPU time and unused disk space to other vendors which in the process also consumes your network resources. Of course the legal tools that allow these vendors to do this are buried in the end user license agreement that no one actually reads. For more information, check out the CIAC Advisory
  • Remote Access Tools (RATs) - Also known as "backdoor agents", these tools give hackers a way into a trusted system that exists on a network. In the malware category, we are not talking about popular products such as LapLink or PCAnywhere (although they can present a security risk if not configured correctly), but programs that are activated whenever a computer is turned on and run silently in the background without the owner's knowledge. In addition, these programs often notify the controlling computer when they're active, provide information on what processes are running, and allow the intruder to install other malware such as password stealers.
  • Unlicensed software - If you think a virus outbreak is expensive, try unlicensed software. Okay, while not technically "malware" because it's not malicious by design, unlicensed or pirated software can cost your company $20,000 per incident if your company is ever audited, and has bankrupted more than a few. Since most audits are triggered by phone calls from disgruntled former employees, your company can't afford to ignore this threat. Poorly written freeware and shareware programs can crash operating systems, flood networks with unwanted traffic, and cause conflicts with other software. Unless you lock down your company's workstations and audit regularly, you may never know what your users are installing on your network until it's too late. And it's not just software that can cost your company. MP3 files or other forms of copyrighted material that are stored on your servers can result in stiff fines. One company paid the RIAA 1 million dollars in an out of court settlement for hosting MP3 files on an internal server for its employees. Very few viruses can rack up this amount of damage while essentially remaining "undetected" on a network.

Annoyances
Not all malware is destructive, and some of it is not even intentional. Nevertheless, these annoyances still present a threat to your network because they consume resources. Some of these include:

  • False positives - Intentional or not, some bits of poorly written software can set off popular antivirus programs, raising alarms, panicking users, and consuming valuable technical support resources troubleshooting the problem. In some cases, the antivirus software itself is the culprit if shortcuts were taken when creating the definitions database. This can create an environment where virus warnings go unheeded or unreported, potentially allowing "real" viruses to spread unchecked across a network.
  • Hoaxes - While not a program in itself, the hoax relies on a gullible user to spread an e-mail message to their gullible friends who continue the tradition like a band of crazed cyber lemmings. Hoax messages vary from fake charity messages to bogus virus warnings, all coaxing users to "tell everyone you know" and overwhelming mail systems and network infrastructure in a modified form of a denial of service attack. Corporations and ISP's are getting better at identifying these threats early and blocking these messages using e-mail filtering at the server level, but they still persist. 
  • Hype - Sometimes a real virus has the same effect as a hoax because of intense mainstream media hype. Well meaning employees flood mail servers with the virus warning, which creates panic among the user community, and distracts management who now have to focus on addressing the issue and calming fears. Having a single source for virus information in your company, as well as sending out regular internal e-mail virus warnings, should help minimize this practice.
  • Jokes and Pranks - Although their payload isn't typically destructive, jokes and pranks can be an annoying distraction for the user trying to work around the problem as well as the support staff trying to clean up the mess. The obvious pranks are usually easy to identify and clean up. More subtle pranks that intermittently re-map keyboard functions, change language or display settings, or randomize every 108th keystroke are much harder to detect. These pranks are available from any number of web sites. E-mail jokes and various attachments (pictures, movies, etc.) can consume bandwidth and employee productivity.
  • Mail Bombs - This is a variation of a denial of service attack that involves bombarding a victim's mailbox (or a corporate mail server) with so much mail that it overwhelms the system. These can include a variety of large attachments, or, in a variant of the distributed denial of service attack, a "subscription bomb" that subscribes a user's e-mail address to hundreds or even thousands of mailing lists. We've seen this used a number of times by disgruntled employees who were getting even with an unpopular boss (and in one case, the entire senior management!)

Identifying Threats
Feeling a little overwhelmed? Not sure where to begin securing your network? Luckily, a little diligence and common sense go a long way to combating malware. According to the AntiVirus vendors, there are thousands of known viruses and other forms of malware that can threaten your network.
While these figures help sell software and increase awareness of the threat, they are not a completely accurate picture of the battlefield. A large percentage of identified viruses are platform dependent (they only affect UNIX, Apple, or Windows systems), and the vast majority of these are antiquated, dormant, or so poorly written that they are not even a credible threat. In the virus community, a small variation of an existing virus (even if it's one insignificant byte of code) is classified as a separate virus.

A more balanced way of looking at the virus threat is to examine what is actually circulating around the world, or "in the wild". The industry standard reference is at wildlist.org, which compiles a global list of active viruses (and other forms of malware) that is updated monthly. On average, the number of viruses actually circulating in the wild is around 600, a far cry from the 15,000 to 25,000 viruses often claimed by vendors. A number of antivirus vendors provide e-mail notifications of new virus threats (and hoaxes) to help keep administrators informed and head off infections before they become widespread. Trend Micro takes this one step further by providing a global virus tracking center that allows you to identify which viruses are more prevalent in your part of the world. You can also view a list of the most common virus and malware threats on our home page and our antivirus page.

Virus Naming Conventions and the CARO Standard
This process of identifying threats is complicated by the lack of a formal standard for anti-virus and malware naming conventions. In some cases the virus writer includes the name of the virus in the code itself (Code Red, Nimda). In other cases, antivirus vendors name the virus whatever they want without consulting each other, resulting in 4 or 5 different names for the same virus. In 1991 a group of researchers from the Computer Antivirus Researcher Organization (CARO) attempted to standardize antivirus naming conventions and produce a list of guidelines that have been adopted by many of the leading antivirus vendors. Although several major vendors utilize these guidelines, adherence to these standards is strictly voluntary.

The basic CARO formula for virus naming is Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]. Virus names don't have to use all of the parts of the convention, but they must appear in this order, and can include a prefix or suffix to further clarify the definition.

Components of the CARO naming convention

  • Prefix - The prefix helps to quickly identify what type of virus or malware it is. A sample of commonly used prefixes:
      W95 - Viruses written for Windows 95
      W32 - Viruses written for all 32-bit Windows platforms
      WNT - Viruses written for Windows NT/2000
      Linux - Viruses written for the Linux platform
      WM - Word macro viruses. These may include version numbers, such as W97M for Word 97
      XM - Excel macro viruses. These may include version numbers, such as X97M for Excel 97
      PPT - PowerPoint viruses
      AM - Microsoft Access viruses. These may include version numbers, such as A97M for Access 97
      VBS - Viruses utilizing Visual Basic Script
      JAVA - Java viruses
      Trojan - Trojan programs, sometimes abbreviated as TROJ
      Worm - A worm. The prefix I-Worm is used to denote Internet worms
      JOKE - A joke or prank
  • Family Name - Represents the family to which the virus belongs based on the structural similarities of the virus, but sometimes a formal definition of a family is impossible. It may also be found in the code itself, essentially giving the author the chance to name the virus. 
  • Group Name - A subcategory of family, but is rarely used.
  • Major Variant -  Almost always a number, which is the infective length of the virus (if known) 
  • Minor Variant - Small variants of an existing virus, usually having the same infective length and structure. The minor variant is usually identified by a single letter (A, B, C, etc.)
  • :Modifier - Modifiers are used to describe polymorphic viruses, and are identified by which polymorphic engine they use. If more than one polymorphic engine is used, the definition may include more than one modifier.
  • Suffix - Suffixes are used to describe specifically how the virus spreads, such as e-mail or mass mailers, which are abbreviated @M and @MM.

So the next time you come across virus names such as W32.Nimda.A@MM or W32.Klez.H@MM, you'll have an immediate understanding of what platforms the virus attacks, what type of virus/malware it is, and how it's spread.
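A small parser for the naming convention laid out above, written as an added example (it is not from the original article or from CARO). It assumes the layout [Prefix.]Family.[Group.][Major.][Minor][:Modifier...][@M|@MM], accepts the prefix written with either "." or "/" (both forms appear in this article), and uses the article's own descriptions as heuristics: a numeric component is the major variant (infective length), a one- or two-letter component is the minor variant, anything else is the group name.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Prefixes listed in the article; version-numbered macro prefixes (W97M, X97M,
# A97M) are matched by the regex below instead of being listed.
KNOWN_PREFIXES = {"W95", "W32", "WNT", "LINUX", "WM", "XM", "PPT", "AM", "VBS",
                  "JAVA", "TROJAN", "TROJ", "WORM", "I-WORM", "JOKE"}
VERSIONED_PREFIX = re.compile(r"^[WXA]\d{2}M$", re.IGNORECASE)

PREFIX_MEANINGS = {
    "W95": "Windows 95", "W32": "32-bit Windows", "WNT": "Windows NT/2000",
    "LINUX": "Linux", "WM": "Word macro", "XM": "Excel macro", "PPT": "PowerPoint",
    "AM": "Access macro", "VBS": "Visual Basic Script", "JAVA": "Java",
    "TROJAN": "Trojan", "TROJ": "Trojan", "WORM": "worm", "I-WORM": "Internet worm",
    "JOKE": "joke/prank",
}
SUFFIX_MEANINGS = {"@M": "spreads by e-mail", "@MM": "mass mailer"}


@dataclass
class CaroName:
    prefix: Optional[str] = None
    family: str = ""
    group: Optional[str] = None
    major: Optional[str] = None      # infective length, when known
    minor: Optional[str] = None      # A, B, C, ...
    modifiers: List[str] = field(default_factory=list)  # polymorphic engines
    suffix: Optional[str] = None     # @M or @MM


def is_prefix(token: str) -> bool:
    return token.upper() in KNOWN_PREFIXES or bool(VERSIONED_PREFIX.match(token))


def parse_caro_name(name: str) -> CaroName:
    """Split a CARO-style name into its components (heuristic, see lead-in)."""
    result = CaroName()
    rest = name.strip()

    # 1. Suffix at the very end: @MM (mass mailer) or @M (mailer).
    m = re.search(r"@(MM|M)$", rest, re.IGNORECASE)
    if m:
        result.suffix = "@" + m.group(1).upper()
        rest = rest[:m.start()]

    # 2. ':Modifier' parts naming polymorphic engines; more than one may appear.
    if ":" in rest:
        rest, *mods = rest.split(":")
        result.modifiers = [x for x in mods if x]

    # 3. Prefix: written 'VBS/VBSWG.J' (slash form) or 'W32.Nimda.A' (dot form).
    if "/" in rest:
        result.prefix, rest = rest.split("/", 1)
    tokens = [t for t in rest.split(".") if t]
    if result.prefix is None and len(tokens) > 1 and is_prefix(tokens[0]):
        result.prefix = tokens.pop(0)
    if not tokens:
        raise ValueError(f"no family name in {name!r}")

    # 4. Family comes first; then group / major (numeric) / minor (short letters).
    result.family = tokens.pop(0)
    for tok in tokens:
        if tok.isdigit() and result.major is None:
            result.major = tok
        elif tok.isalpha() and len(tok) <= 2 and result.minor is None:
            result.minor = tok.upper()
        elif result.group is None:
            result.group = tok
        else:
            raise ValueError(f"cannot place component {tok!r} in {name!r}")
    return result


def describe(name: str) -> str:
    """One-line reading of a name: platform/type, family, variant, how it spreads."""
    c = parse_caro_name(name)
    words = []
    if c.prefix:
        key = c.prefix.upper()
        meaning = PREFIX_MEANINGS.get(key)
        if meaning is None and VERSIONED_PREFIX.match(key):
            app = {"W": "Word", "X": "Excel", "A": "Access"}[key[0]]
            meaning = f"{app} {key[1:3]} macro"
        words.append(meaning or key)
    words.append("family " + c.family)
    if c.group:
        words.append("group " + c.group)
    if c.major:
        words.append("length " + c.major)
    if c.minor:
        words.append("variant " + c.minor)
    for mod in c.modifiers:
        words.append("polymorphic engine " + mod)
    if c.suffix:
        words.append(SUFFIX_MEANINGS[c.suffix])
    return ", ".join(words)


if __name__ == "__main__":
    for n in ("W32.Nimda.A@MM", "W32.Klez.H@MM", "VBS/VBSWG.J"):
        print(f"{n:18} -> {describe(n)}")
```

Because adherence to CARO is voluntary, expect the same sample to carry a different name from each vendor; the parser helps you read a name, not reconcile them.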

Of course, this all goes out the window when the virus naming conventions are ignored by the mainstream media, which refer to various viruses by whatever name makes a better headline. When the "VBS/VBSWG.J" virus appeared, the mainstream media dubbed it "AnnaKournikova" based on the JPEG image that was supposed to appear in the e-mail.

Combating Malware
Fighting malware and maintaining the integrity of your network involves more than just running antivirus software on every computer and keeping the definitions up to date (although it's a good place to start). Malware management is a full-time job; however, this function is often neglected or ignored altogether until an outbreak actually occurs, forcing the IT staff to drop everything in order to contain it while business grinds to a halt. When the dust settles, the blame game starts, and it's the network administrators who will be stuck without a chair when the music stops.

Despite the losses, many companies still gamble with the security of their networks. Antivirus software is only the first step in preventing the spread of outbreaks, but it is still a largely reactive approach that requires updates to be distributed for every new vulnerability that is discovered. Effective malware management requires administrators to be proactive.

To protect your environment, consider the following recommendations:

  • Hire a full time antivirus administrator - With malware incidents approaching 35-50 per 1,000 machines, any mid sized (or larger) environment can't afford to be without one. As we've stated earlier, protecting your environment requires a proactive approach, not reactive "firefighting" every time an outbreak occurs. Malware security is a full time job, and the rest of this list is the job description.
  • Subscribe to antivirus vendors' e-mail lists - Almost all of the major antivirus vendors offer e-mail notification of new threats. Today's viruses spread rapidly over the internet and can become global in under 24 hours, often before antivirus vendors have a chance to issue an update. Use the rules wizard within Outlook to flag the e-mails in red so you don't miss them, and make sure you get a copy at home so you can respond to new threats 24x7.
  • Establish a single point of contact - New threats and outbreaks need to be reported and tracked as soon as they occur, and analyzed for trends. Are your outbreaks coming through via mail, the web, or from rogue software? Is there a particular user or group of users that tend to be the source of outbreaks? Your users and help desk personnel need an expert who is aware of the most recent threats and can prevent infections, contain outbreaks, answer questions, evaluate software, test new virus definitions, update software and e-mail filters, and educate both users and support staff. Even if you can't afford a full time AV Administrator, assign a regular administrator to this task and give him/her the time they need to complete these tasks.
  • Install e-mail filtering - Businesses claim that the e-mail worms of 2000-2001 alone cost them billions of dollars; however, a simple and inexpensive e-mail filtering program would have stopped the outbreak cold. Most e-mail worms and Trojans can be stopped dead in their tracks by using simple content filtering on your e-mail servers. And since this is rapidly becoming the most common method of spreading modern viruses, your company simply can't afford not to have it. Filtering allows you to block risky attachments such as .EXE, .VBS, and .JS files, but can also be used to prevent misuse of corporate resources by blocking movie files (.MOV, .MPEG, .AVI, etc.), audio files (.AU, .WAV, .MP3), and graphics files (.BMP, .JPEG, .GIF, .TIFF, etc.). In addition to content filtering, your mail server should also be capable of scanning all of your incoming and outgoing e-mail for potential viruses and should be kept as up to date as possible.
  • Establish strict e-mail policies - In addition to filtering e-mail content, some companies block any incoming mail from sources such as AOL, Hotmail, Yahoo mail, MSN, or other ISPs (as well as their web mail sites) that are commonly used by employees as a personal e-mail account. These accounts are frequent entry points for chain letters, Trojans, or viruses. In addition, you should consider limiting how many people can be included in a distribution list to prevent the rapid spread of viruses that utilize the e-mail client's address book. You may wish to start this limit at 10, and require managers to work with the e-mail administrator when sending out bulk messages to large groups of employees.
  • Internet policies - Not only is e-mail a common entry point for malware, but so is the Internet. Blocking sites that may contain malicious script (which can be run via a browser) and preventing users from downloading software from questionable sites can go a long way to protecting the integrity of your network. Some environments have elected to block all script from running in a browser window, which wreaks havoc on some of the more complex sites that utilize it for legitimate reasons. Work closely with your business managers to find a balance of usability and security.
  • Lock down your workstations - It's hard for malware to spread or delete files if the user that launched the file doesn't have permission to do it themselves. Use the security templates that come with Windows 2000 and XP to lock down your workstations so that regular users have a very limited ability to modify their systems. 
  • Secure your servers - As Microsoft found out recently, hackers that compromise servers often implant malware to expand their access or to launch a "scorched earth" type of attack if their efforts to increase their access to additional resources are unsuccessful. Servers need to be locked down, audited regularly, have strong password policies, be protected by firewalls, and have real physical security.
  • Update systems for security vulnerabilities - It's not just hackers who love to exploit recent security vulnerabilities, but virus and malware writers as well. Some of the most "successful" (from a black hat perspective) virus and malware programs have taken advantage of commonly known system vulnerabilities in web servers, operating systems, e-mail clients, and other applications within a few weeks of the announcement. And in almost every case, a patch was available at the time of the announcement that could have prevented the outbreak. Keeping your systems up to date is as important as keeping your antivirus software up to date.  
  • Disable WSH - Unless you use a lot of scripting on your network, you can greatly reduce your vulnerability to malware by disabling Windows Script Host on your workstations. You may also wish to disable scripting in Outlook and Internet Explorer.
  • Use safer file formats - When exchanging documents with clients and vendors, you can reduce your risk of forwarding or receiving macro infected documents by using the Rich Text Format (.RTF) for Word documents and .CSV format for Excel spreadsheets.
  • Use a multi-tiered approach with AV software - Antivirus vendors love to sell corporations on the idea of a single solution for your entire enterprise. While this may be cost effective and reduce administration, it may also increase the risk of a real infection going unnoticed. By using two different vendors for the server and workstation level, you improve your chances of rapidly detecting a new outbreak.
  • Don't rely on Antivirus software alone - Even up to date antivirus software can miss a virus or other malicious software, and for many companies antivirus software is their only protection from malware. New threats can go from zero to global in hours, before vendors even have a chance to respond. And there is also the possibility that the virus writer works within, or has direct access to, your network. Many virus packages may also attempt to disable common antivirus software packages, meaning you could be infected and never know it. Secure your network from internal and external attacks in order to head off a hacker that seeks to "seed" your environment with malware. And follow the recommendations in this document.
  • Scan proactively - Although most AV software is configured to scan documents as they're opened, it is also quite capable of running an "on demand scan" of every file stored on your network. Unfortunately, this is rarely done in corporate environments. You may not be able to scan every desktop, but you need to scan every server at least once a week, and critical servers daily, especially servers that contain users' home directories, e-mail, and critical business files.
  • Backup aggressively - If a virus or other piece of malware gets loose on your network and starts deleting files (or worse, subtly modifying data), how much data could you recover? If your company only backs up data once a week, you could be in for a nasty surprise. If a virus goes undetected and slowly spreads across your servers subtly modifying data or seeding a logic bomb set to go off on a specific date, you could lose weeks or even months of data. Be sure to include a malware infection recovery plan as part of your company's disaster recovery policy.
  • Monitor your power users - Users with administrator access and other privileged accounts with broad network access are at risk for spreading malware across multiple systems if they encounter an infected file. Server administrators and developers are also a risk group that may be likely to write custom scripts and logic bombs that could be used to avenge perceived injustices in the workplace. Limiting accounts with broad based network privileges is the first step, but you also need to monitor all accounts that have the ability to access and modify your company's critical data. It's not just malware that can misuse these accounts, but hackers as well - if they manage to crack a privileged user's account using a password stealer or backdoor program.
  • Monitor your laptop users - Laptop users are more likely to be higher tier employees that have access to your company's most sensitive data, often without a healthy respect for computer security and the risk from hackers, laptop thieves, and malware. Laptop users that access the web from DSL and cable modems at home or from wireless networks in coffee shops and hotel lobbies are at high risk for data theft, or for having malware implanted onto their open shares. Password stealers, backdoor programs, and DDoS agents can all be surreptitiously installed on an exposed laptop, which then becomes a type of Trojan horse when it logs onto a network that trusts it. All corporate laptops need to have a higher level of security than their desktop counterparts, and laptop users need to receive training on the risks associated with being a mobile user. In addition, high-level executives should have a technical contact within the support staff to answer security questions as they come up and ensure security measures aren't circumvented. 
  • Secure your wireless networks - Forget hacking the firewall; intruders have a new favorite access point to your company's data - your wireless network. Locating and tagging wireless networks has become a popular pastime for hackers, who often share (or sometimes sell) this data to others. Not only do you need to secure (and regularly audit) your company's wireless network, you need to educate your users about the dangers of logging into wireless networks in hotel and airport lobbies, coffee shops, and other public networks.
  • Educate your users - Information is the best weapon in the fight against malware. Educate your users to the risks. Set up an internal virus and malware information web page for your users and administrators. Send out virus alerts to your users so they are aware of new threats, and so they don't flood the mail system with their own messages and warnings.
  • Educate management - If you want to have the resources necessary to be proactive with your efforts to combat malware, keep management informed of your ongoing efforts and your successes. Make sure management also knows what the consequences have been for other companies that haven't been protected. When the media is hyping a new threat, inform management what you've done proactively to head it off and why the threat won't be an issue for your company. This doesn't always have to be a formal report. Bring it up in the hall, at lunch, or at a break in a meeting. Have management see the correct dollar figure associated with your efforts. Turn "fighting malware proactively costs us X dollars a year." to "Fighting malware saves us X dollars a year."
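The e-mail filtering and distribution-list policies above, as an added example that is not part of the original article: a small Python check that flags attachments by extension (including double extensions such as report.doc.exe, which a naive "last extension only" check would pass) and messages addressed to more than ten recipients, the starting limit suggested above. The messages, addresses and attachment contents are constructed here for demonstration, and the blocked set is the three extensions the article names.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the filtering step above singles out as risky; an administrator
# would extend this set to match local policy.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".js"}
MAX_RECIPIENTS = 10  # the starting limit suggested for distribution lists above

def attachment_extensions(filename):
    """Every suffix of a filename, lowercased: 'report.doc.exe' gives
    ['.doc', '.exe'], so an executable cannot hide behind a document extension."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]

def check_message(raw, max_recipients=MAX_RECIPIENTS):
    """Parse a raw message and return a list of policy findings (empty = pass)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Recipient limit: count every address in To, Cc and Bcc.
    recipients = []
    for header in ("to", "cc", "bcc"):
        for value in msg.get_all(header, []):
            recipients.extend(a.addr_spec for a in value.addresses)
    if len(recipients) > max_recipients:
        findings.append(f"message addressed to {len(recipients)} recipients "
                        f"(limit {max_recipients})")
    # Attachment filter: flag any attachment carrying a blocked extension.
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue  # no filename to judge by; a real filter would quarantine these
        blocked = [e for e in attachment_extensions(name) if e in BLOCKED_EXTENSIONS]
        if blocked:
            findings.append(f"attachment {name!r} has blocked extension {blocked[-1]}")
    return findings

def build_sample(to_addrs, attachment_name):
    """Constructed sample message (not a real capture) for demonstration."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = ", ".join(to_addrs)
    m["Subject"] = "Quarterly numbers"
    m.set_content("See attached.")
    m.add_attachment(b"not a real file body", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```

A production filter would also look at the declared Content-Type and the file's actual header bytes, since a sender can rename an executable to any extension.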

Parting Thoughts
The week we published this article (Sept 8, 2002), a rash of malware related vulnerabilities surfaced that provided excellent real world examples of the principles we cited. Early in the week, Microsoft discovered that the source of mysterious hack attacks on their network was poor password security on their servers, which then led to the implantation of backdoor and remote access software on those servers. Then a virus writer's buggy attempt at creating a September 11 worm became noteworthy only for its ineptness. Also, a little known but critical flaw in XP was quietly patched in XP SP1 without any explanation of the vulnerability, or a patch that protects users who do not wish to install SP1. The vulnerability allows a simple redirected URL, which can be sent via e-mail or featured on a web site or newsgroup, to delete files on a local system, and was considered so dangerous and easy to implement that it was kept under wraps on security forums. By Thursday, a new vulnerability was found in Microsoft Word that allows hackers to steal files from a PC, and (as if all that wasn't enough) an exploit was discovered in Outlook Express that allows hackers to potentially misuse its "message fragmentation and re-assembly" (MFR) feature to send viruses in fragments that can bypass SMTP filters and, theoretically, antivirus software. Oddly, Friday the 13th was quiet. It didn't last long. 

Bernie Klinder
bernie@labmice.net 


Additional Reading

Know your enemy
A look at malware and viruses, and the changing threats facing users and administrators. Source: PCWorld (May 8, 2001)

"Buggy" Sept. 11 worm surfaces
A new e-mail worm has surfaced that uses the subject line "All people" and the terror attacks of last Sept. 11 to lure victims. But it's a minor threat, so far. Source: ZDnet (Sept 11, 2002)

Hidden viruses can circumvent server-based protection
E-mail viruses can circumvent server-based antivirus protection and attack users of certain Microsoft e-mail clients when part of the malicious code is hidden in the header of an e-mail message, a Dutch expert said Friday. Source: InfoWorld.com  (Feb 15, 2002)

Microsoft "solves" hacking mystery
The software giant claims new information in a mysterious mass hack shows the problem isn't faulty Windows 2000 server software--it's your bad passwords. Source: CNET (Sept 9, 2002)

Microsoft warns of thieving Word docs
The software giant says it is studying a security hole that could allow a Word document to steal files from any Windows PC on which it's opened. Source: CNET (Sept 12, 2002)

Outlook Express becomes attack platform, of sorts
For years, hackers have exploited vulnerabilities in Outlook Express to infect users. Now, a newly discovered exploit may allow hackers to use Outlook Express's 'message fragmentation and re-assembly' (MFR) capability to bypass SMTP filters, and possibly even antivirus software. Source: The Register (Sept 12, 2002)

Strategies & Issues: Thwarting Insider Attacks
Many organizations fail to adequately protect against internal threats-often with calamitous consequences. Here are some chilling numbers to help illustrate the problem: According to InterGov (www.intergov.org), an international organization that works with police agencies to combat cyber crime, insiders commit about 80 percent of all computer- and Internet-related crime, and these crimes cause an average loss of about $110,000 per corporate victim.
Source: Network Magazine (Sept 2002)

Warchalking a map for drive-by spammers
The proliferation of insecure corporate wireless networks is fuelling the growth of drive-by spamming, a security expert warned on Thursday. Source: ZDnet (Sept 6, 2002)

What's in a virus's name? Everything you need to know!
A look at how viruses get their name. Source: ZDnet (Jan 9, 2002)

Windows 2000 Security Checklist
Our guidelines for locking down Windows 2000 Server and Windows 2000 Professional installations.

Virus Naming Convention 1999
This document covers an update to the CARO virus naming convention defined at the 1991 meeting formed by Alan Solomon, Fridrik Skulason and Vesselin Bontchev.




Original publication date: Sept 8, 2002

This site and its contents are Copyright 1999-2003 by LabMice.net. Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with LabMice.net. The products referenced in this site are provided by parties other than LabMice.net. LabMice.net makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.