The Concept of Malware
Malware is a blanket industry term used to describe the variety of "malicious software" in circulation around the world. The definition includes viruses, worms, Trojans, computer "bombs", and other forms of intentionally destructive software, as well as annoying but generally non-destructive software pranks. Laypeople, misinformed network administrators, and the mainstream press often describe various types of malware as "computer viruses", with little regard as to whether the code really is a virus. To them, the distinction between the various forms of destructive software means little, and the general term "computer virus" is simple and easy to understand.
However, to the network administrator and the computer industry in general, being able to accurately identify and classify the type of malicious software spreading across global networks is a crucial step in developing strategies to contain and eradicate it.
Not all viruses are destructive, and not every piece of destructive software on your network will be a virus. Malicious software is used to spread mayhem, enact political revenge on a corporate target, steal data, increase access to network resources, hijack networks, deny companies the use of their networks, or sometimes simply gain bragging rights. Malware is also rapidly evolving beyond the PC to include handheld PDAs and embedded devices, wireless networks, and cell phones. To understand and combat malware, you'll need to understand the various types of malware, how they function, and how they spread.
Classifications of Malware
For the sake of naming and categorizing threats, malware is classified into a number of categories depending on its method of replication, trigger, and payload. Although these categories are useful, they are still artificial, and many of the more recent varieties of malicious software use a combination of tactics that blur the lines between these classifications. Still, it's important to understand the terms used by the antivirus industry in order to quickly assess new threats.
The Classic Virus
The formal definition of a virus is simply a self-replicating computer program that can "infect" other computer programs. Note that the definition doesn't actually require a virus to cause any damage, and many don't. In fact, a virus's ability to replicate itself and spread to other computers often relies on its ability to stay undetected. The more malicious and destructive it is, the more attention it draws to itself, and the more likely it is to be discovered and eradicated. Successful viruses try to stay undetected and replicate themselves as much as possible before actually delivering their final payload. Newer forms of malware that spread rapidly via e-mail and the internet may be configured to disable their host system immediately, to prevent the user from warning the people on their contact list not to open the e-mail that triggered the infection.
Components of a Virus
- Method of Infection - The only component a program needs to be classified as a virus is a method of infection which allows it to replicate. This could involve infecting the boot sector, modifying an existing program or lines of code, inserting itself into Microsoft Office documents, or attaching itself to network resources.
- Trigger - The trigger is the component of a virus that launches its payload - if it has one. The trigger could be a specific date or time, an action by the user (opening a file), a sequence of events or keystrokes, or a repetition of events. The longer the trigger is delayed, the more opportunity the virus will have to spread if it has an efficient infection mechanism. But if it waits too long, it risks detection by an antivirus scan.
- Payload/Warhead - The "payload" or "warhead" is the final component of many viruses. The payload can be anything from a simple screen message that taunts the user, to a more destructive package that scrambles data, deletes files, creates backdoors into systems, or causes system crashes. Not all viruses have triggers and payloads, and the first clue you may ever have that your system is infected is when you run antivirus software and actually scan your system.
Types of Viruses
The majority of viruses fall into one of four categories: boot sector viruses, file infectors, macro viruses, and multi-partite viruses (which combine infection mechanisms). While this generality is fine for the home user, the network administrator working in a larger environment is more likely to actually encounter an infection (the rate is typically 40 per 1,000 computers per year) and needs to be familiar with a broader set of industry terms.
- Armored Virus - A virus which has been "hardened" to make disassembly of its code or reverse engineering by antivirus analysts more difficult.
- Boot Sector Virus - These were common in the mid 1990s when floppy disks were the primary method for sharing files. A boot sector virus infects the master boot record (MBR) of a floppy disk, and then spreads to a user's hard drive whenever the floppy disk is accessed, or if the system is booted from the infected disk. Once the user's hard drive is infected, the virus will attempt to infect every floppy disk that is inserted into the PC and continue spreading itself until it is discovered.
- Companion (Spawning) Viruses - Companion viruses take advantage of a quirk in MS-DOS based operating systems, and use malicious files with a .COM extension instead of actually infecting .EXE or other executable files. When you type a command by referencing its filename without specifying the extension, the operating system "fills in" the extension for you and executes any .COM file before its equivalent .EXE file. A companion virus creates copies of itself using the names of real .EXE files found on the PC (for example PROGRAM.EXE), naming each copy with the .COM extension (PROGRAM.COM). This tactic has also been used to create other forms of non-viral (non-replicating) malware.
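To illustrate the .COM-before-.EXE lookup quirk and how an administrator might check a directory for it, here is an added Python example (not from the original article). It models the DOS resolution order for an extension-less command and lists .COM files that shadow a same-named .EXE; the directory listing is constructed sample data, and name matching is case-insensitive as on DOS/Windows.

```python
"""Added example (not from the original article): models the MS-DOS
extension fill-in order that companion viruses abuse, and a defender-side
check that lists .COM files shadowing a same-named .EXE.

Assumptions: a directory is represented as a list of filenames (constructed
sample data below); lookups are case-insensitive, as on DOS/Windows."""
from pathlib import PureWindowsPath

# Order in which DOS resolves an extension-less command name.
DOS_SEARCH_ORDER = (".COM", ".EXE", ".BAT")


def resolve_command(name, entries):
    """Return the filename DOS would run for a bare command name (no
    extension), or None if nothing matches. .COM wins over .EXE, which is
    exactly the quirk a companion virus relies on."""
    by_upper = {e.upper(): e for e in entries}
    for ext in DOS_SEARCH_ORDER:
        candidate = by_upper.get(name.upper() + ext)
        if candidate is not None:
            return candidate
    return None


def find_companions(entries):
    """Return sorted (com, exe) pairs where a .COM file shares its base name
    with a .EXE file in the same directory. Such pairs are not always
    malicious (some legitimate software ships both), so treat the output as
    a triage list for the administrator, not a verdict."""
    exes = {}
    for e in entries:
        p = PureWindowsPath(e)
        if p.suffix.upper() == ".EXE":
            exes[p.stem.upper()] = e
    pairs = []
    for e in entries:
        p = PureWindowsPath(e)
        if p.suffix.upper() == ".COM" and p.stem.upper() in exes:
            pairs.append((e, exes[p.stem.upper()]))
    return sorted(pairs)


# Constructed directory listing for demonstration.
SAMPLE_DIR = [
    "PROGRAM.EXE", "program.com",   # a companion pair
    "EDIT.COM",                     # a genuine .COM with no .EXE twin
    "SETUP.EXE", "README.TXT",
    "Backup.exe", "BACKUP.COM",     # another pair, mixed case
]

if __name__ == "__main__":
    # Typing "PROGRAM" at the prompt would run the .COM, not the .EXE.
    print("PROGRAM resolves to:", resolve_command("PROGRAM", SAMPLE_DIR))
    for com, exe in find_companions(SAMPLE_DIR):
        print(f"{com} shadows {exe}")
```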
- File Infecting/Parasitic Viruses - These viruses infect program files such as those with .EXE, .SYS, .PRG, .BAT, and other extensions. Virus writers may insert code at either the beginning or the end of a program so that it is launched whenever the program is executed, or simply overwrite code in an executable to avoid changing the size of the original file and hopefully escape detection. Cavity viruses attempt to use the "empty space" in a program to modify and infect the file without breaking its functionality or changing the file size. Although most up-to-date antivirus software can easily catch files that are replaced or modified by a virus, it is more difficult to repair or replace these files.
- Germ - The initial programmed form of a virus (generation zero).
- Intended - These are programs that are written to be viruses, but don't actually replicate. Contrary to popular myth, many virus writers are rank amateurs as well as some of the worst coders in the world. Their attempts at virus writing are often dismal failures and they don't receive much press.
- Latent Viruses - These are full-fledged viruses that simply have not been executed. For example, a virus written for the Windows platform that was sent via e-mail to a Mac user (or stored on a UNIX server) is relatively benign to that system. In fact, antivirus scanners that check only for viruses native to those platforms may miss the file entirely. However, if that file is shared and a Windows user attempts to open or execute it, the virus can rapidly become an active threat on your network.
- Macro and Scripting Viruses - Macro viruses exploit the scripting functionality that Microsoft built into its Office productivity suite, including the popular Outlook mail program. Macros are small scripts embedded into Word or Excel documents that allow routine tasks to be automated. Once an infected file is launched, the macro replicates itself to all similar documents and spreads rapidly through the network. Variants have been known to infect the document templates used to create new documents, or make subtle (and hard to detect) changes in spreadsheets and other data fields. Although the vast majority of macro viruses are written for Microsoft Office, a few "proof of concept" viruses have also been written for AutoCAD and Corel office suites. Scripting viruses use the same programming languages that are seen in macro viruses (Visual Basic for Applications, JavaScript); however, they are not embedded into a document file and may be used as Trojans.
- Multi-partite - Also called dual infectors, these viruses use more than one mechanism to spread themselves and infect other systems. Earlier versions infected both the data on a disk as well as the Master Boot Record. Modern versions (such as MTX) spread as a Trojan, a file virus, and a non-parasitic worm.
- Polymorphic - Definition-based antivirus software identifies viruses by searching for small unique strings of code (known as signatures) that only exist in known viruses. A polymorphic virus alters its code and produces a functional variation of itself in the hope of escaping detection. Although initially successful, these viruses have not been a huge threat and are easily detectable by most modern antivirus programs. The polymorphism concept has also been used by modern e-mail worms (such as LoveBug) that use variable subject lines and filenames in order to foil attempts to block them at mail gateways.
- Proof of Concept Viruses - These are viruses that were created with an academic purpose rather than malicious intent. A researcher may simply wish to prove a theoretical point about a vulnerability or method of attack, and publish his source code to the security community so that the vulnerability can be addressed and closed. In most cases, proof of concept viruses are confined to labs and never make it into the wild, although some malicious programmers may create variants based on the concept.
- Retrovirus - A virus that attacks or disables antivirus programs.
- Stealth Viruses - Stealth is a technology, rather than an actual virus type, and many viruses implement some form of stealth. Stealth viruses attempt to hide themselves from antivirus programs, often by intercepting or trapping disk access requests. Whenever an antivirus program attempts to read and analyze infected files, the virus returns the information that the original, uninfected program would have returned.
- Sparse Infectors - These viruses attempt to avoid detection by only infecting files intermittently. There are a number of mechanisms that are used to accomplish this, including counters and environmental variables such as date and time.
Worms
Worms are computer programs that replicate themselves across network connections, without modifying or attaching themselves to a host program. Some experts consider worms a special type of virus instead of giving them their own category; however, the classifications that traditionally separate worms and viruses are beginning to blur. Many of the more modern variants that are commonly described as worms can also be classified as viruses or worm/virus hybrids.
Trojans
Trojans are programs that claim to be one thing (usually appearing harmless), but carry an undesirable and often destructive payload. Just like the original wooden horse, Trojans are a delivery vehicle for other forms of malware and often rely on a bit of social engineering to trick a user into actually launching the program. Despite mainstream news media coverage warning computer users not to simply click on e-mail attachments (especially executables), the Trojan is still an effective tool for spreading malware. In the past, Trojan programs were considered "non-replicating malware" because they simply launched their payload and that was it. Modern variants blur this distinction and are used to launch worms and worm/virus hybrids that can quickly overwhelm corporate e-mail systems.
Other Forms of Malware
As mentioned earlier, viruses, worms, and Trojans aren't the only forms of malicious software. There are a number of non-replicating forms of malware that are designed to destroy or steal data, open backdoors into systems, disable networks, or hijack remote systems. Many of the following bits of malware are used as the payload for a Trojan program, but may also be distributed manually by individuals with physical access to a PC or network, or inserted into an unprotected PC that operates with a full-time internet connection.
- DDoS Agents - A denial of service attack attempts to overwhelm a network or system resource in order to deny legitimate users access to that resource. In order to accomplish this goal on a large target (such as a mainstream website), hundreds or even thousands of computers are required in what is known as a distributed denial of service attack, or DDoS. Hackers "recruit" computer systems to help them in their attacks by sending out Trojan programs that install agents on the affected PC. These agents lie relatively dormant until they receive further instructions from the hacker's computer (usually a very small bit of code), and then begin flooding the network (or a specific target) with garbage traffic.
- Logic Bombs - This type of malware waits for a specific trigger (such as a date or sequence of events) to launch, and has been a common tactic of virus writers for years. For hackers and disgruntled employees, it is an effective way of delivering a destructive payload long after they've left and cleaned up their tracks. In one famous case, an administrator buried a program on his company's server that checked for the existence of his user account. If his account was deleted or disabled, the program would launch and begin deleting files on servers across the network. Unfortunately, this type of logic bomb is usually a custom program or script that is difficult to detect and would not be identified by antivirus software.
- Mines - Like physical military mines, malicious programs can be seeded onto a file server or placed on innocent-looking disks that are left lying about a server room. These are usually custom programs written and spread by disgruntled employees or contractors with an axe to grind, and are almost impossible to defend against. They may also be named to entice a user or curious administrator to open them. You can guard against disk-based threats by disabling auto-run for the CD-ROM drive on workstations and servers, as well as the ability to boot from a floppy disk.
- Password Stealers and Keystroke Loggers - There are a number of third-party programs that are written to capture a user's keystrokes, write the data to a log, and then send the log to a remote location or e-mail address. These are often difficult to locate, and may not be detected by antivirus software (although many are).
- Parasite Software - Some shareware, freeware, and adware programs are being packaged with additional software that can monitor your browsing habits, and even sell your unused CPU time and unused disk space to other vendors, which in the process also consumes your network resources. Of course, the legal tools that allow these vendors to do this are buried in the end user license agreement that no one actually reads. For more information, check out the CIAC Advisory.
- Remote Access Tools (RATs) - Also known as "backdoor agents", these tools give hackers a way into a trusted system that exists on a network. In the malware category, we are not talking about popular products such as LapLink or PCAnywhere (although they can present a security risk if not configured correctly), but programs that are activated whenever a computer is turned on and run silently in the background without the owner's knowledge. In addition, these programs often notify the controlling computer when they're active, provide information on what processes are running, and allow the intruder to install other malware such as password stealers.
- Unlicensed Software - If you think a virus outbreak is expensive, try unlicensed software. Okay, while not technically "malware" because it's not malicious by design, unlicensed or pirated software can cost your company $20,000 per incident if your company is ever audited, and has bankrupted more than a few. Since most audits are triggered by phone calls from disgruntled former employees, your company can't afford to ignore this threat. Poorly written freeware and shareware programs can crash operating systems, flood networks with unwanted traffic, and cause conflicts with other software. Unless you lock down your company's workstations and audit regularly, you may never know what your users are installing on your network until it's too late. And it's not just software that can cost your company. MP3 files or other forms of copyrighted material that are stored on your servers can result in stiff fines. One company paid the RIAA 1 million dollars in an out-of-court settlement for hosting MP3 files on an internal server for its employees. Very few viruses can rack up this amount of damage while essentially remaining "undetected" on a network.
Annoyances
Not all malware is destructive, and some of it is not even intentional. Nevertheless, these annoyances still present a threat to your network because they consume resources. Some of these include:
- False Positives - Intentional or not, some bits of poorly written software can set off popular antivirus programs, raising alarms, panicking users, and consuming valuable technical support resources troubleshooting the problem. In some cases, the antivirus software itself is the culprit, if shortcuts were taken when creating the definitions database. This can create an environment where virus warnings go unheeded or unreported, potentially allowing "real" viruses to spread unchecked across a network.
- Hoaxes - While not a program in itself, the hoax relies on a gullible user to spread an e-mail message to their gullible friends, who continue the tradition like a band of crazed cyber lemmings. Hoax messages vary from fake charity messages to bogus virus warnings, all coaxing users to "tell everyone you know" and overwhelming mail systems and network infrastructure in a modified form of a denial of service attack. Corporations and ISPs are getting better at identifying these threats early and blocking these messages using e-mail filtering at the server level, but they still persist.
- Hype - Sometimes a real virus has the same effect as a hoax because of intense mainstream media hype. Well-meaning employees flood mail servers with the virus warning, which creates panic among the user community and distracts management, who now have to focus on addressing the issue and calming fears. Having a single source for virus information in your company, as well as sending out regular internal e-mail virus warnings, should help minimize this practice.
- Jokes and Pranks - Although their payload isn't typically destructive, jokes and pranks can be an annoying distraction for the user trying to work around the problem as well as the support staff trying to clean up the mess. The obvious pranks are usually easy to identify and clean up. More subtle pranks that intermittently re-map keyboard functions, change language or display settings, or randomize every 108th keystroke are much harder to detect. These pranks are available from any number of web sites. E-mail jokes and various attachments (pictures, movies, etc.) can consume bandwidth and employee productivity.
- Mail Bombs - This is a variation of a denial of service attack that involves bombarding a victim's mailbox (or a corporate mail server) with so much mail that it overwhelms the system. These can include a variety of large attachments, or, in a variant of the distributed denial of service attack, a "subscription bomb" that subscribes a user's e-mail address to hundreds or even thousands of mailing lists. We've seen this used a number of times by disgruntled employees who were getting even with an unpopular boss (and in one case, the entire senior management!)
Identifying Threats
Feeling a little overwhelmed? Not sure where to begin securing your network? Luckily, a little diligence and common sense go a long way to combating malware. According to the antivirus vendors, there are thousands of known viruses and other forms of malware that can threaten your network. While these figures help sell software and increase awareness of the threat, they're not a completely accurate picture of the battlefield. A large percentage of identified viruses are platform dependent (they only affect UNIX, Apple, or Windows systems), and the vast majority of these are antiquated, dormant, or so poorly written that they're not even a credible threat. In the virus community, a small variation of an existing virus (even if it's one insignificant byte of code) is classified as a separate virus.
A more balanced way of looking at the virus threat is to examine what is actually circulating around the world, or "in the wild". The industry standard reference is at wildlist.org, which compiles a global list of active viruses (and other forms of malware) that is updated monthly. On average, the number of viruses actually circulating in the wild is around 600 - a far cry from the 15,000 to 25,000 viruses often claimed by vendors. A number of antivirus vendors provide e-mail notifications of new virus threats (and hoaxes) to help keep administrators informed and head off infections before they become widespread. Trend Micro takes this one step further by providing a global virus tracking center that allows you to identify which viruses are more prevalent in your part of the world. You can also view a list of the most common virus and malware threats on our home page and our antivirus page.
Virus Naming Conventions and the CARO Standard
This process of identifying threats is complicated by the lack of a formal standard for antivirus and malware naming conventions. In some cases the virus writer includes the name of the virus in the code itself (Code Red, Nimda). In other cases, antivirus vendors name the virus whatever they want without consulting each other, resulting in 4 or 5 different names for the same virus. In 1991 a group of researchers from the Computer Antivirus Research Organization (CARO) attempted to standardize antivirus naming conventions and produced a list of guidelines that have been adopted by many of the leading antivirus vendors. Although several major vendors utilize these guidelines, adherence to these standards is strictly voluntary.
The basic CARO formula for virus naming is
Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]
Virus names don't have to use all of the parts of the convention, but they must appear in this order, and can include a prefix or suffix to further clarify the definition.
Components of the CARO Naming Convention
- Prefix - The prefix helps to quickly identify what type of virus or malware it is. A sample of commonly used prefixes:

| Prefix | Meaning |
| --- | --- |
| W95 | Viruses written for Windows 95 |
| W32 | Viruses written for all 32-bit Windows platforms |
| WNT | Viruses written for Windows NT/2000 |
| Linux | Viruses written for the Linux platform |
| WM | Word macro viruses. These may include version numbers, such as W97M for Word 97 |
| XM | Excel macro viruses. These may include version numbers, such as X97M for Excel 97 |
| PPT | PowerPoint viruses |
| AM | Microsoft Access viruses. These may include version numbers, such as A97M for Access 97 |
| VBS | Viruses utilizing Visual Basic Script |
| JAVA | Java viruses |
| Trojan | Trojan programs, sometimes abbreviated as TROJ |
| Worm | A worm. The prefix I-Worm is used to denote Internet worms |
| JOKE | A joke or prank |

An expanded prefix list can be found here.
- Family Name - Represents the family to which the virus belongs based on the structural similarities of the virus, but sometimes a formal definition of a family is impossible. It may also be found in the code itself, essentially giving the author the chance to name the virus.
- Group Name - A subcategory of family, but rarely used.
- Major Variant - Almost always a number, which is the infective length of the virus (if known).
- Minor Variant - Small variants of an existing virus, usually having the same infective length and structure. The minor variant is usually identified by a single letter (A, B, C, etc.).
- :Modifier - Modifiers are used to describe polymorphic viruses, and are identified by which polymorphic engine they use. If more than one polymorphic engine is used, the definition may include more than one modifier.
- Suffix - Suffixes are used to describe specifically how the virus spreads, such as e-mail or mass mailers, which are abbreviated @M and @MM.
So the next time you come across virus names such as W32.Nimda.A@MM or W32.Klez.H@MM, you'll have an immediate understanding of what platforms the virus attacks, what type of virus/malware it is, and how it's spread.
Of course, this all goes out the window when the virus naming conventions are ignored by the mainstream media, which refer to various viruses by whatever name makes a better headline. When the "VBS/VBSWG.J" virus appeared, the mainstream media dubbed it "AnnaKournikova" based on the JPEG image that was supposed to appear in the e-mail.
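As an added example (not part of the original article, and not an official CARO tool), the following Python parser splits names written in the convention above, such as W32.Nimda.A@MM, W32.Klez.H@MM and VBS/VBSWG.J, into their components. It assumes a set of heuristics that the page only implies: the prefix is one of the listed prefixes separated by "." or "/", a numeric component is the major variant (infective length), a one- or two-letter component is the minor variant, any other component after the family is a group name, a modifier follows ":" and a suffix follows "@".

```python
"""Added example (not part of the original article or the CARO standard):
a heuristic parser for virus names in the CARO style the text describes,
Prefix.Family.Group.Major.Minor[:Modifier]@Suffix.

Assumptions: the prefix is separated by '.' or '/', a numeric part is the
major variant (infective length), a part of one or two letters is the minor
variant, anything else after the family is a group name, a suffix follows
'@', and a modifier follows ':'. Real vendor names do not always follow
this, so the output is for orientation only."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Prefixes the article lists; used to tell a prefix from a family name.
KNOWN_PREFIXES = {"W95", "W32", "WNT", "LINUX", "WM", "W97M", "XM", "X97M",
                  "PPT", "AM", "A97M", "VBS", "JAVA", "TROJAN", "TROJ",
                  "WORM", "I-WORM", "JOKE"}


@dataclass
class CaroName:
    prefix: Optional[str] = None
    family: str = ""
    group: Optional[str] = None
    major_variant: Optional[str] = None
    minor_variant: Optional[str] = None
    modifiers: List[str] = field(default_factory=list)
    suffix: Optional[str] = None


def parse_caro_name(name: str) -> CaroName:
    """Split a CARO-style name into its components; raises ValueError on
    an empty family or on a component that fits no slot."""
    result = CaroName()
    body = name.strip()
    # Suffix (@M, @MM) trails the name; modifiers (:engine) sit before it.
    body, _, suffix = body.partition("@")
    if suffix:
        result.suffix = suffix
    body, *mods = body.split(":")
    result.modifiers = [m for m in mods if m]
    # Prefix may use '/' (VBS/VBSWG.J) or '.' (W32.Nimda.A) as separator.
    parts = re.split(r"[./]", body)
    if len(parts) > 1 and parts[0].upper() in KNOWN_PREFIXES:
        result.prefix = parts.pop(0)
    if not parts or not parts[0]:
        raise ValueError(f"no family name in {name!r}")
    result.family = parts.pop(0)
    for part in parts:
        if part.isdigit() and result.major_variant is None:
            result.major_variant = part
        elif re.fullmatch(r"[A-Za-z]{1,2}", part) and result.minor_variant is None:
            result.minor_variant = part
        elif result.group is None:
            result.group = part
        else:
            raise ValueError(f"unexpected component {part!r} in {name!r}")
    return result


if __name__ == "__main__":
    for n in ("W32.Nimda.A@MM", "W32.Klez.H@MM", "VBS/VBSWG.J"):
        print(n, "->", parse_caro_name(n))
```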
Combating Malware
Fighting malware and maintaining the integrity of your network involves more than just running antivirus software on every computer and keeping the definitions up to date (although it's a good place to start). Malware management is a full-time job; however, this function is often neglected or ignored altogether until an outbreak actually occurs, forcing the IT staff to drop everything in order to contain it while business grinds to a halt. When the dust settles, the blame game starts, and it's the network administrators who will be stuck without a chair when the music stops.
Despite the losses, many companies still gamble with the security of their networks. Antivirus software is only the first step in preventing the spread of outbreaks, but it is still a largely reactive approach that requires updates to be distributed for every new vulnerability that is discovered. Effective malware management requires administrators to be proactive.
To protect your environment, consider the following recommendations:
- Hire a full-time antivirus administrator - With malware incidents approaching 35-50 per 1,000 machines, any mid-sized (or larger) environment can't afford to be without one. As we've stated earlier, protecting your environment requires a proactive approach, not reactive "firefighting" every time an outbreak occurs. Malware security is a full-time job, and the rest of this list is the job description.
- Subscribe to antivirus vendors' e-mail lists - Almost all of the major antivirus vendors offer e-mail notification of new threats. Today's viruses spread rapidly over the internet and can become global in under 24 hours, often before antivirus vendors have a chance to issue an update. Use the rules wizard within Outlook to flag the e-mails in red so you don't miss them, and make sure you get a copy at home so you can respond to new threats 24x7.
- Establish a single point of contact - New threats and outbreaks need to be reported and tracked as soon as they occur, and analyzed for trends. Are your outbreaks coming in via mail, the web, or from rogue software? Is there a particular user or group of users that tend to be the source of outbreaks? Your users and help desk personnel need an expert who is aware of the most recent threats and can prevent infections, contain outbreaks, answer questions, evaluate software, test new virus definitions, update software and e-mail filters, and educate both users and support staff. Even if you can't afford a full-time AV administrator, assign a regular administrator to this task and give him/her the time they need to complete these tasks.
- Install e-mail filtering - Businesses claim that the e-mail worms of 2000-2001 alone cost them billions of dollars; however, a simple and inexpensive e-mail filtering program would have stopped the outbreaks cold. Most e-mail worms and Trojans can be stopped dead in their tracks by using simple content filtering on your e-mail servers. And since this is rapidly becoming the most common method of spreading modern viruses, your company simply can't afford not to have it. Filtering allows you to block risky attachments such as .EXE, .VBS, and .JS files, but can also be used to prevent misuse of corporate resources by blocking movie files (.MOV, .MPEG, .AVI, etc.), audio files (.AU, .WAV, .MP3), and graphics files (.BMP, .JPEG, .GIF, .TIFF, etc.). In addition to content filtering, your mail server should also be capable of scanning all of your incoming and outgoing e-mail for potential viruses, and should be kept as up to date as possible.
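The attachment-name filter described above, as an added Python example that is not from the original article or from any particular mail product: a policy function that uses the extension lists the text gives, blocks the risky executable/script types outright, optionally blocks the media categories, and copes with double extensions and with trailing dots or spaces (which Windows silently strips from a filename). The filenames in SAMPLE_ATTACHMENTS are constructed.

```python
"""Added example (not from the original article): a content-filtering rule
for mail attachment names along the lines the text describes.

Assumptions: only the filename is inspected, and a real gateway should also
check the file's actual content type, since the sender controls the name.
Sample filenames below are constructed."""
from dataclasses import dataclass

# Types the article says to block outright.
RISKY_EXTENSIONS = {"exe", "vbs", "js"}
# Types the article says may be blocked to stop misuse of corporate resources.
MEDIA_EXTENSIONS = {
    "movie": {"mov", "mpeg", "mpg", "avi"},
    "audio": {"au", "wav", "mp3"},
    "graphics": {"bmp", "jpeg", "jpg", "gif", "tiff", "tif"},
}


@dataclass(frozen=True)
class Verdict:
    blocked: bool
    reason: str


def extensions_of(filename: str) -> list:
    """All dotted parts after the base name, lowercased. Trailing spaces and
    dots are stripped first, as Windows does, so 'photo.jpg.vbs  ' still
    yields ['jpg', 'vbs']. A mail client acts on the LAST part."""
    cleaned = filename.strip().rstrip(". ").lower()
    parts = cleaned.split(".")
    return [p.strip() for p in parts[1:] if p.strip()]


def check_attachment(filename: str, block_media: bool = False) -> Verdict:
    """Decide whether an attachment name should be blocked by the gateway."""
    exts = extensions_of(filename)
    if not exts:
        return Verdict(False, "no extension")
    last = exts[-1]
    if last in RISKY_EXTENSIONS:
        return Verdict(True, f"risky executable/script type .{last}")
    # A risky type hidden before the last part (e.g. 'setup.exe.txt') will
    # not run on double-click, but is unusual enough to hold for review.
    if any(e in RISKY_EXTENSIONS for e in exts[:-1]):
        return Verdict(True, "risky type hidden in a double extension")
    if block_media:
        for kind, group in MEDIA_EXTENSIONS.items():
            if last in group:
                return Verdict(True, f"{kind} file .{last}")
    return Verdict(False, "allowed")


def blocked_names(filenames, block_media: bool = False) -> list:
    """Return the subset of filenames the policy would block, in order."""
    return [f for f in filenames if check_attachment(f, block_media).blocked]


SAMPLE_ATTACHMENTS = [  # constructed sample data
    "quarterly_report.doc",
    "tennis_star.jpg.vbs",   # double extension: the .vbs is what runs
    "funny.exe",
    "holiday.mov",
    "readme",
    "invoice.pdf.EXE ",      # trailing space is stripped by Windows
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = check_attachment(name, block_media=True)
        print(f"{name!r:28} blocked={v.blocked!s:5} {v.reason}")
```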
- Establish strict e-mail policies - In addition to filtering e-mail content, some companies block any incoming mail from sources such as AOL, Hotmail, Yahoo Mail, MSN, or other ISPs (as well as their web mail sites) that are commonly used by employees as a personal e-mail account. These accounts are frequent entry points for chain letters, Trojans, or viruses. In addition, you should consider limiting how many people can be included in a distribution list to prevent the rapid spread of viruses that utilize the e-mail client's address book. You may wish to start this limit at 10, and require managers to work with the e-mail administrator when sending out bulk messages to large groups of employees.
- Internet policies - Not only is e-mail a common entry point for malware, but so is the Internet. Blocking sites that may contain malicious script (which can be run via a browser) and preventing users from downloading software from questionable sites can go a long way to protecting the integrity of your network. Some environments have elected to block all script from running in a browser window, which wreaks havoc on some of the more complex sites that utilize it for legitimate reasons. Work closely with your business managers to find a balance of usability and security.
- Lock down your workstations - It's hard for malware to spread or delete files if the user that launched the file doesn't have permission to do it themselves. Use the security templates that come with Windows 2000 and XP to lock down your workstations so that regular users have a very limited ability to modify their systems.
- Secure your servers - As Microsoft found out recently, hackers that compromise servers often implant malware to expand their access or to launch a "scorched earth" type of attack if their efforts to increase their access to additional resources are unsuccessful. Servers need to be locked down, audited regularly, have strong password policies, be protected by firewalls, and have real physical security.
- Update systems for security vulnerabilities - It's not just hackers who love to exploit recent security vulnerabilities, but virus and malware writers as well. Some of the most "successful" (from a black hat perspective) virus and malware programs have taken advantage of commonly known system vulnerabilities in web servers, operating systems, e-mail clients, and other applications within a few weeks of the announcement. And in almost every case, a patch was available at the time of the announcement that could have prevented the outbreak. Keeping your systems up to date is as important as keeping your antivirus software up to date.
- Disable WSH - Unless you use a lot of scripting on your network, you can greatly reduce your vulnerability to malware by disabling Windows Script Host on your workstations. You may also wish to disable scripting in Outlook and Internet Explorer.
- Use safer file formats - When exchanging documents with clients and vendors, you can reduce your risk of forwarding or receiving macro-infected documents by using the Rich Text Format (.RTF) for Word documents and the .CSV format for Excel spreadsheets.
- Use a multi-tiered approach with AV software - Antivirus vendors love to sell corporations on the idea of a single solution for your entire enterprise. While this may be cost effective and reduce administration, it may also increase the risk of a real infection going unnoticed. By using two different vendors at the server and workstation levels, you improve your chances of rapidly detecting a new outbreak.
- Don't rely on antivirus software alone - Even up-to-date antivirus software can miss a virus or other malicious software, and for many companies antivirus software is their only protection from malware. New threats can go from zero to global in hours, before vendors even have a chance to respond. There is also the possibility that the virus writer works within, or has direct access to, your network. Many virus packages may also attempt to disable common antivirus software packages, meaning you could be infected and never know it. Secure your network from internal and external attacks in order to head off a hacker that seeks to "seed" your environment with malware, and follow the recommendations in this document.
- Scan proactively - Although most AV software is configured to scan documents as they're opened, it is also quite capable of running an "on demand scan" of every file stored on your network. Unfortunately, this is rarely done in corporate environments. You may not be able to scan every desktop, but you need to scan every server at least once a week, and critical servers daily, especially servers that contain users' home directories, e-mail, and critical business files.
- Back up aggressively - If a virus or other piece of malware gets loose on your network and starts deleting files (or worse, subtly modifying data), how much data could you recover? If your company only backs up data once a week, you could be in for a nasty surprise. If a virus goes undetected and slowly spreads across your servers, subtly modifying data or seeding a logic bomb set to go off on a specific date, you could lose weeks or even months of data. Be sure to include a malware infection recovery plan as part of your company's disaster recovery policy.
- Monitor your power users - Users with administrator access and other privileged accounts with broad network access are at risk of spreading malware across multiple systems if they encounter an infected file. Server administrators and developers are also a risk group, since they are the people most likely to write custom scripts and logic bombs that could be used to avenge perceived injustices in the workplace. Limiting accounts with broad-based network privileges is the first step, but you also need to monitor all accounts that have the ability to access and modify your company's critical data. It's not just malware that can misuse these accounts, but hackers as well, if they manage to crack a privileged user's account using a password stealer or backdoor program.
- Monitor your laptop users - Laptop users are more likely to be higher-tier employees that have access to your company's most sensitive data, often without a healthy respect for computer security and the risk from hackers, laptop thieves, and malware. Laptop users that access the web from DSL and cable modems at home or from wireless networks in coffee shops and hotel lobbies are at high risk of data theft, or of having malware implanted onto their open shares. Password stealers, backdoor programs, and DDoS agents can all be surreptitiously installed on an exposed laptop, which then becomes a type of Trojan horse when it logs onto a network that trusts it. All corporate laptops need to have a higher level of security than their desktop counterparts, and laptop users need to receive training on the risks associated with being a mobile user. In addition, high-level executives should have a technical contact within the support staff to answer security questions as they come up and ensure security measures aren't circumvented.
- Secure your wireless networks - Forget hacking the firewall; intruders have a new favorite access point to your company's data: your wireless network. Locating and tagging wireless networks has become a popular pastime for hackers, who often share (or sometimes sell) this data with others. Not only do you need to secure (and regularly audit) your company's wireless network, you need to educate your users about the dangers of logging into wireless networks in hotel and airport lobbies, coffee shops, and other public networks.
- Educate your users - Information is the best weapon in the fight against malware. Educate your users to the risks. Set up an internal virus and malware information web page for your users and administrators. Send out virus alerts to your users so they are aware of new threats, and so they don't flood the mail system with their own messages and warnings.
- Educate management - If you want to have the resources necessary to be proactive in your efforts to combat malware, keep management informed of your ongoing efforts and your successes. Make sure management also knows what the consequences have been for other companies that haven't been protected. When the media is hyping a new threat, inform management what you've done proactively to head it off and why the threat won't be an issue for your company. This doesn't always have to be a formal report. Bring it up in the hall, at lunch, or at a break in a meeting. Have management see the correct dollar figure associated with your efforts. Turn "Fighting malware proactively costs us X dollars a year" into "Fighting malware saves us X dollars a year."
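The "Disable WSH" recommendation above, carried out as a script: this is an added example (not from the original article) written in PowerShell for a current Windows build. It sets the machine-wide Windows Script Host `Enabled` value to 0, which is the documented registry switch for disabling WSH, and then verifies the change. The function names are my own.

```powershell
# Added example: disable Windows Script Host machine-wide via the documented
# registry switch, then verify it. Run from an elevated PowerShell session.
# Trade-off noted in the article: logon scripts or admin tooling that use
# .vbs/.js via wscript.exe/cscript.exe will stop working too.
$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Disable-WindowsScriptHost {
    # The Settings key is often absent on a machine that never had WSH configured.
    if (-not (Test-Path $WshKey)) {
        New-Item -Path $WshKey -Force | Out-Null
    }
    # Enabled = 0 (REG_DWORD) makes wscript.exe and cscript.exe refuse to run
    # scripts and show "Windows Script Host access is disabled on this machine."
    Set-ItemProperty -Path $WshKey -Name 'Enabled' -Value 0 -Type DWord
}

function Test-WindowsScriptHostDisabled {
    # $true only when the value exists and is exactly 0; a missing value means enabled.
    $item = Get-ItemProperty -Path $WshKey -Name 'Enabled' -ErrorAction SilentlyContinue
    return (($null -ne $item) -and ($item.Enabled -eq 0))
}

Disable-WindowsScriptHost
if (Test-WindowsScriptHostDisabled) {
    Write-Output 'Windows Script Host is disabled for all users on this machine.'
} else {
    Write-Warning 'Windows Script Host is still enabled; check permissions and rerun elevated.'
}
```

The same value can also be set per user under HKCU, or pushed to many workstations through Group Policy Preferences rather than by running this on each machine.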
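For the "Monitor your power users" recommendation, an added example (my own, not the article's) in PowerShell 5.1: it diffs the local Administrators group against a baseline file saved after a reviewed change, so that members added or removed since then stand out. The baseline path and the function names are assumptions.

```powershell
# Added example: compare the local Administrators group against a saved
# baseline and report members added or removed since the baseline was taken.
# Uses Get-LocalGroupMember from Microsoft.PowerShell.LocalAccounts (PowerShell 5.1).
$BaselinePath = 'C:\ProgramData\SecurityBaseline\local-admins.txt'   # assumed location

function Get-PrivilegedMembers {
    # One "DOMAIN\name" or "COMPUTER\name" string per member, sorted for stable diffs.
    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name } |
        Sort-Object -Unique
}

function Save-PrivilegedBaseline {
    # Take (or refresh) the baseline only after someone has reviewed the group.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-PrivilegedMembers | Set-Content -Path $BaselinePath
}

function Compare-PrivilegedBaseline {
    # Returns objects with Change ('Added'/'Removed') and Member; nothing when unchanged.
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline at $BaselinePath; run Save-PrivilegedBaseline after reviewing the group."
    }
    $baseline = @(Get-Content -Path $BaselinePath | Where-Object { $_ })
    $current  = @(Get-PrivilegedMembers)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        ForEach-Object {
            # '=>' means the member exists now but not in the baseline.
            $change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            [pscustomobject]@{ Change = $change; Member = $_.InputObject }
        }
}

# Run from a scheduled task; every 'Added' line is something to confirm with
# the administrator who supposedly made the change.
$changes = @(Compare-PrivilegedBaseline)
if ($changes.Count -gt 0) {
    $changes | Format-Table -AutoSize
    Write-Warning "$($changes.Count) change(s) to local Administrators since baseline."
} else {
    Write-Output 'Local Administrators group matches the baseline.'
}
```

The same pattern applies to domain groups such as Domain Admins by swapping in Get-ADGroupMember from the ActiveDirectory module.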
Parting Thoughts
The week we published this article (Sept 8, 2002), a rash of malware-related vulnerabilities surfaced that provided excellent real-world examples of the principles we cited. Early in the week, Microsoft discovered that the source of mysterious hack attacks on their network came as a result of poor password security on their servers, which then led to the implantation of backdoor and remote access software on those servers. Then a virus writer's buggy attempt at creating a September 11 worm became noteworthy only for its ineptness. Also, a little-known but critical flaw in XP was quietly patched in XP SP1 without any explanation of the vulnerability, or a patch that protects users who do not wish to install SP1. The vulnerability allows a simple redirected URL that can be sent via e-mail or featured on a web site or newsgroup to delete files on a local system, and was considered so dangerous and easy to implement that it was kept under wraps on security forums. By Thursday, a new vulnerability was found in Microsoft Word that allows hackers to steal files from a PC, and (as if all that wasn't enough) an exploit was discovered in Outlook Express that allows hackers to potentially misuse its "message fragmentation and re-assembly" (MFR) feature to send viruses in fragments that can bypass SNMP filters and, theoretically, antivirus software. Oddly, Friday the 13th was quiet. It didn't last long.

Bernie Klinder
bernie@labmice.net