Defense–Stopping Malicious Software
Businesses are vulnerable to attacks related to malicious software, such as viruses, worms and Trojan horses. These attacks may take place from multiple points of entry, including network servers, e-mail gateways, corporate firewalls and employee workstations. These points of entry are typically well connected to the rest of the network infrastructure, and this only makes it easier to spread malicious software. For example, the Nimda worm infected more than 2.2 million servers and PCs within 24 hours—this resulted in $531 million in downtime and subsequent cleanup costs.
Security practitioners and the security officer must deploy multiple layers of defense to ensure that vital information and systems are not compromised or access denied as a result of such attacks. Businesses must be prepared to implement procedures for guarding against, detecting and reporting malicious software.
A virus is a self-replicating program that spreads by attaching itself to files on the target system and infecting other programs. During attachment, the virus’s code is appended to the victim file; this is referred to as infection. Once a file is infected, it is converted from an ordinary file into a carrier that can in turn infect other files, referred to as “replication.” Replication can spread across the hard disk, leading to systemic infection.
Once the virus attaches itself to an executable file, such as files that end in .exe or .com, then each time the file is executed it will infect other files. Macro viruses infect data files such as documents generated in Microsoft Word or PowerPoint. These viruses typically attack your global document templates, ultimately damaging each and every document type opened with the application. Examples of viruses include Melissa, Babylonia and Loveletter. Virus attacks are significant because they cause substantial damage and can be costly.
There are three types of viruses: master boot sector viruses, boot sector viruses and file viruses. File viruses can spread system-wide, while boot sector viruses attack a small portion of the disk.
Viruses can also be stealth viruses or polymorphic viruses. Stealth viruses use a number of techniques to conceal the fact that a drive has been infected. Polymorphic viruses are much more complex—these viruses can change, or “mutate,” making them extremely difficult to identify. In mutation, the virus may change its size and composition, thus evading detection by virus-detection software that looks for a fixed byte pattern. To address this challenge, virus-detection vendors build scanners that can identify the encryption the virus applies to itself and other recurring patterns, rather than only the literal bytes of one copy.
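The following is an added example, not code from the original article, showing why a fixed-pattern signature scanner can miss a mutated copy while an integrity baseline still catches the change. The "signature" is a constructed marker string (hypothetical, not a real malware pattern), the file contents are constructed, and XOR with a one-byte key stands in for a polymorphic virus re-encoding its body.

```python
import hashlib

# Constructed stand-in for a virus signature (hypothetical, not from any real malware).
SIGNATURE = b"MARKER-VIRUS-BODY"

# Constructed sample files standing in for a clean system image.
CLEAN_FILES = {
    "calc.exe": b"MZ\x90\x00clean program bytes",
    "notes.doc": b"\xd0\xcf\x11\xe0 document body",
}


def signature_scan(content: bytes, signatures=(SIGNATURE,)) -> bool:
    """Return True if any known signature appears verbatim in the file content."""
    return any(sig in content for sig in signatures)


def baseline(files: dict) -> dict:
    """Record the SHA-256 digest of every known-good file (the integrity baseline)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def integrity_check(files: dict, known_good: dict) -> list:
    """Return the names of files whose digest no longer matches the baseline."""
    changed = []
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if known_good.get(name) != digest:
            changed.append(name)
    return changed


def mutate(payload: bytes, key: int) -> bytes:
    """Toy stand-in for polymorphic encoding: XOR every byte with a one-byte key.
    Applying it twice with the same key restores the original bytes."""
    return bytes(b ^ key for b in payload)


def simulate() -> dict:
    """Infect two constructed files, one with the plain signature appended and one
    with a mutated copy, then compare what each detection method reports."""
    good = baseline(CLEAN_FILES)
    infected = dict(CLEAN_FILES)
    # Plain infection: the virus body is appended verbatim to an executable.
    infected["calc.exe"] = CLEAN_FILES["calc.exe"] + SIGNATURE
    # Mutated infection: the same body, re-encoded so its bytes differ.
    infected["notes.doc"] = CLEAN_FILES["notes.doc"] + mutate(SIGNATURE, 0x5A)
    return {
        "sig_hits": [n for n, d in infected.items() if signature_scan(d)],
        "hash_hits": integrity_check(infected, good),
    }


if __name__ == "__main__":
    print(simulate())
```

The signature scanner reports only the file carrying the verbatim pattern; the integrity check reports both, because it compares each file against a known-good digest instead of looking for a particular byte sequence. In practice a baseline only helps when it is taken from a trusted state and stored where an infected system cannot rewrite it.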
A worm is a self-contained program that uses security flaws, such as a buffer overflow, to remotely compromise a system and then replicate itself to that system. Unlike viruses, worms do not infect other executable programs, but instead install themselves on the victim system as a stand-alone entity that does not require the execution of an infected application. Examples of worm attacks include Code Red, Code Red II and Nimda.
The Code Red worm exploited a known vulnerability in Microsoft IIS 4.0 and 5.0. The worm operated by creating a random list of IP addresses, which it then scanned for the IIS vulnerability. If the worm found a target system with the vulnerability, it executed the buffer overflow exploit, which resulted in the worm’s code being loaded onto and executed by the victim system. The worm then began to propagate itself from the just-compromised system. After two hours, the worm changed the server’s Web page.
Worms exploit known vulnerabilities in systems and applications and then spread themselves to further hosts. To protect against worm attacks, a comprehensive solution that includes antivirus software as well as an intrusion detection system (IDS) is required.
A recent example of a worm threat is the Sasser worm. This is a worm that spreads by scanning randomly selected IP addresses for vulnerable systems. The worm spreads with the filename avserve.exe. Unlike other worms, Sasser does not spread by e-mail. Instead, it instructs vulnerable systems to download and execute the viral code.
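Both Code Red and Sasser, as described above, propagate by scanning randomly chosen IP addresses. That behaviour is visible on the network as one source opening connections to many distinct destinations on one port within a short time, which is the kind of pattern an IDS can alert on. The following is an added example, not code from the original article: a detector run over constructed connection-log lines (timestamp, source, destination, destination port) that flags a source once it has contacted a threshold number of distinct destinations within a sliding window. The log lines, hosts, window and threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log: "timestamp src dst dport" (not real traffic).
# 10.0.0.5  : scans six distinct hosts on port 80 within a few seconds
# 10.0.0.8  : talks repeatedly to one Web server (normal)
# 10.0.0.9  : reaches six hosts, but spread over ten minutes (below the window rate)
SAMPLE_LOG = """\
2004-05-01T10:00:00 10.0.0.5 203.0.113.7 80
2004-05-01T10:00:01 10.0.0.5 203.0.113.8 80
2004-05-01T10:00:02 10.0.0.5 198.51.100.9 80
2004-05-01T10:00:03 10.0.0.5 198.51.100.10 80
2004-05-01T10:00:04 10.0.0.5 192.0.2.11 80
2004-05-01T10:00:05 10.0.0.5 192.0.2.12 80
2004-05-01T10:00:10 10.0.0.8 203.0.113.7 80
2004-05-01T10:00:11 10.0.0.8 203.0.113.7 80
2004-05-01T10:00:12 10.0.0.8 203.0.113.7 80
2004-05-01T10:00:13 10.0.0.8 203.0.113.7 80
2004-05-01T10:00:14 10.0.0.8 203.0.113.7 80
2004-05-01T10:00:15 10.0.0.8 203.0.113.7 80
2004-05-01T10:00:00 10.0.0.9 203.0.113.20 80
2004-05-01T10:02:00 10.0.0.9 203.0.113.21 80
2004-05-01T10:04:00 10.0.0.9 203.0.113.22 80
2004-05-01T10:06:00 10.0.0.9 203.0.113.23 80
2004-05-01T10:08:00 10.0.0.9 203.0.113.24 80
2004-05-01T10:10:00 10.0.0.9 203.0.113.25 80
"""


def parse_line(line: str):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scanners(lines, window_s: int = 60, threshold: int = 5) -> dict:
    """Return {(src, dport): (first_alert_time, distinct_destinations)} for every
    source that reached at least `threshold` distinct destinations on one port
    within any `window_s`-second window. Repeated connections to the same
    destination count once, so a busy client is not mistaken for a scanner."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    history = defaultdict(list)  # (src, dport) -> [(timestamp, dst), ...] inside window
    alerts = {}
    for ts, src, dst, dport in events:
        key = (src, dport)
        cutoff = ts - timedelta(seconds=window_s)
        # Keep only events still inside the sliding window, then add this one.
        recent = [(t, d) for t, d in history[key] if t >= cutoff]
        recent.append((ts, dst))
        history[key] = recent
        distinct = {d for _, d in recent}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for (src, port), (when, count) in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{when.isoformat()} possible scan: {src} reached {count} hosts on port {port}")
```

Only 10.0.0.5 is reported: 10.0.0.8 never reaches more than one distinct destination, and 10.0.0.9 never reaches the threshold inside a single window. The window and threshold have to be tuned for the network; hosts that legitimately fan out to many peers (monitoring systems, mail relays) need an allow list or a higher threshold.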
A Trojan horse program is unauthorized code contained within a legitimate program that performs functions unknown to the end user. It may also be a legitimate program that has been altered by the placement of unauthorized code within it that performs functions unknown to the end user. The Trojan horse program typically results in some damage or transmission of information that is sensitive, such as sending e-mail containing the password file. Examples include ILOVEYOU, StuffIt 4.5 Trojan (deletes key system files) and AOL Password Trojan.
A logic bomb is a virus or Trojan horse that is triggered when a specific event takes place or after a period of time. For example, an employee may create a logic bomb to erase all files from the server at some future date. It is important to make sure that employees who are terminated are not permitted to return to their desks or systems unescorted and that their access is immediately removed. Failure to do so may result in planting of logic bombs in systems.
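The control described above, removing a departing employee's access immediately, is only as good as the check that it actually happened. The following is an added example, not code from the original article: it reconciles a constructed HR termination feed against a constructed account export and reports any terminated user whose account is still enabled or who logged on after their last day. The record layout, field names and dates are all assumptions for illustration.

```python
from datetime import date

# Constructed HR feed: who left and when (not real data).
TERMINATIONS = [
    {"user": "jdoe", "last_day": date(2004, 5, 3)},
    {"user": "asmith", "last_day": date(2004, 5, 10)},
]

# Constructed directory export: account state and most recent logon (not real data).
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_logon": date(2004, 5, 5)},
    {"user": "asmith", "enabled": True, "last_logon": date(2004, 5, 1)},
    {"user": "bwong", "enabled": True, "last_logon": date(2004, 5, 6)},
    {"user": "ghost", "enabled": True, "last_logon": None},
]


def access_violations(terminations, accounts, today: date) -> list:
    """Return one finding per problem: a terminated user (last day on or before
    `today`) whose account is still enabled, or who has a logon after last day.
    Users whose last day is still in the future are not yet due and are skipped;
    a terminated user with no directory account at all is reported as missing
    so the reviewer can confirm it was really removed rather than mistyped."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for t in terminations:
        if t["last_day"] > today:
            continue  # still employed as of today
        acct = by_user.get(t["user"])
        if acct is None:
            findings.append({"user": t["user"], "issue": "no account found"})
            continue
        if acct["enabled"]:
            findings.append({"user": t["user"], "issue": "still enabled"})
        if acct["last_logon"] is not None and acct["last_logon"] > t["last_day"]:
            findings.append({"user": t["user"], "issue": "logon after last day"})
    return findings


if __name__ == "__main__":
    for f in access_violations(TERMINATIONS, ACCOUNTS, date(2004, 5, 6)):
        print(f"{f['user']}: {f['issue']}")
```

Run daily, a check like this turns the policy statement into something auditable: the output is empty when offboarding is working, and each finding names a specific account to disable or investigate.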
Getting Started: Malicious Software Policy
Security practitioners should get started by developing a policy on malicious software. This policy provides the framework for the use of malicious-software-checking programs. The policy should include specific information on how malicious-software-checking programs are to be used. For example:
- The business will deploy malicious-software-checking programs at the perimeter and on individual end-user systems.
- The business will subscribe to receive updates to malicious-software-checking programs.
- The business will conduct security training that will include information on the potential harm that can be caused by malicious software, prevention of malicious software and steps to take if malicious software is detected.
- Failure to comply with this or any other security policy will result in disciplinary action.
Security Awareness Program: Train All Employees
Employees of the organization must be trained to not configure or introduce any modifications to systems or applications to prevent the execution of malicious-software-checking programs. Businesses are especially vulnerable to malicious software introduced to the environment through mobile devices such as laptops. Members of the workforce who suspect any malicious software infection must immediately contact the security officer or their manager by phone or walk-in—not by e-mail—about the suspected threat.
Security practitioners must work closely with employees and require their participation in all security awareness training programs. This knowledge will be valuable in preventing, detecting, containing and eradicating malicious software.
Network Associates’ McAfee Active Virus Defense, Symantec’s AntiVirus Enterprise Edition and Trend Micro’s Antivirus products are examples of solutions deployed to prevent the threats from malicious software. Microsoft’s Web site also provides information on malicious code and downloads to make end systems more secure. The bottom line is to ensure that all critical systems have up-to-date patches to protect them from the latest malicious code threats.
Security practitioners must ensure that malicious-software-checking programs are installed both on the perimeter of the network and on individual end-user systems. Security practitioners must further identify all critical systems and network components that are vulnerable to malicious s