Virus damage estimated at $55 billion in 2003.

"SINGAPORE - Trend Micro Inc, the world's third-largest anti-virus software maker, said Friday that computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that would rise this year. Companies lost roughly $20 billion to $30 billion in 2002 from the virus attacks, up from about $13 billion in 2001, according to various industry estimates."

This was the story on thousands of news desks in January 2004. Out of that $55 billion, how much did it cost your company? How much did it cost someone you know?

I. The Why

There is an average of 10-20 new viruses released every day. Very few of them ever reach the "in the wild" stage. Viruses are designed to take advantage of security flaws in software or operating systems. These flaws range from something as blatant as an open Microsoft Windows NetBIOS share to exploits using buffer overflows. A buffer overflow happens when an attacker sends a program more input than it expects. If the software does not check the length of what it receives, the attacker can overwrite the memory next to the buffer, including the data that tells the program where to continue executing, and run code of his own choosing.

People make viruses for various reasons. These range from political to financial to notoriety to hacking tools to plain malicious intent.

Political: Mydoom is a good example of a virus spread with a political agenda. Its two targets were Microsoft and The SCO Group. The SCO Group, which claims to own a large portion of the Linux source code, had threatened to sue everyone using Linux operating systems (with the "stolen" programming source). The virus was very effective at knocking down SCO's website. However, Microsoft had enough time to prepare for the second attack and efficiently sidestepped disaster.

Financial: Some virus writers are hired by other parties either to leach financial data from a competitor or to make the competitor look bad in the public eye. Industrial espionage is a high-risk, high-payout field that can land a person in prison for life.

Notoriety: There are some who write viruses for the sole purpose of getting their name out. This is great when the virus writers are script kiddies, because it helps the authorities track them down. Several famous viruses carry the author's email address in the source code or open script.

Hacking tools: Hackers sometimes write controlled viruses to assist in gaining access to a remote computer. They add a payload to the virus, such as a Trojan horse, to allow easy access into the victim's system.

Malicious: These are the most dangerous people. They are the blackhat hackers who code viruses with the sole intention of destroying networks and systems without prejudice. They get high on seeing the utter destruction their creation causes, and are very rarely script kiddies.

Many of the viruses that are written and released are existing viruses altered by script kiddies. These are known as generations of the original virus and are very rarely altered enough to be distinguishable from the original. This stems from the fact that script kiddies do not understand what the original code does and only alter what they recognize (a file extension or the victim's website). This lack of knowledge makes script kiddies very dangerous.

II. The How

Malicious code has been plaguing computer systems since before computers became a common household appliance. Viruses and worms are examples of malicious code designed to spread and cause a system to perform a function it was not originally designed to do.

Viruses are programs that need to be activated or run before they are dangerous or can spread. The computer system only becomes infected once the program is run and the payload has been deployed. This is why hackers and crackers try to crash or restart a computer system once they have copied a virus onto it.

There are four ways a virus can spread:

1.) Email
2.) Network
3.) Downloading or installing software
4.) Inserting infected media

Spreading through Email

Many viruses spread when a user receives an infected email. When the user opens or previews this email, the virus becomes active and immediately starts to spread.

Spreading through Network

Many viruses are network aware. This means they look for unsecured systems on the network and copy themselves to those systems. This behavior destroys network performance and causes the virus to spread across your systems like wildfire. Hackers and crackers also use Internet and network connections to infect systems. They not only scan for unprotected systems, but also target systems that have known software vulnerabilities. This is why keeping systems up to date is so important.

Spreading through manual installation

Installing software from downloads or disks increases the risk of infection. Only install trusted and scanned software that is known to be safe. Stay away from freeware and shareware products from unknown publishers; such programs are known to bundle spyware, adware, and viruses. It is also good policy to deny any Internet software that attempts to install itself unless it is explicitly needed.

Spreading through boot sectors

Some viruses write themselves into the boot sector of disks. When a machine is booted from an infected disk, for example from a floppy left in the drive at startup, the virus runs before the operating system does, copies itself into the boot sector of the hard drive, and from there onto every floppy the machine later uses.

III. Minimizing the effect of viruses and worms

We have all heard stories about the virus that destroyed mission-critical company data, which cost companies months to recover and thousands of dollars and man-hours restoring the information. In the end, there are still many hours, costs, and would-be profits that remain unaccounted for. Some companies never fully recover from a devastating attack. Taking simple precautions can save your business.

Anti-virus Software

Run an antivirus program on every local computer. Many antivirus programs offer live update software that automatically downloads the newest virus definitions minutes after they are released (it is very important that you verify these updates are actually arriving, weekly if not daily). Be careful which antivirus program you choose. Installing a consumer PC antivirus on a networked machine can be more destructive to performance than a virus at work. Symantec's Norton corporate edition is specifically designed for Windows NT Server and network environments. When using antivirus software on a network, configure it to exclude network drives and mapped shares and scan only the local system. The auto-protect (on-access) feature of consumer editions scans every file touched over the network, including everything on the file server, and causes severe network problems; corporate editions usually ship with network scanning disabled, consumer editions do not. Rather than turning auto-protect off altogether, exclude the network drives from it and leave it scanning the local disks: on-access scanning of the local disk is what stops a worm the moment it lands.

Email Clients

Do not open emails from unknown sources. If you have a website for e-commerce transactions or to act as a virtual business card, give the emails it sends you a fixed subject line. If those emails are generated server-side rather than by a visitor's mail client, set a fixed From address as well, so you know which emails to trust. Use common sense when looking at your email. If you see a strange email with an attachment, do not open it until you have verified who it came from. This is how most mass-mailer (MM) worms spread.

Disable preview panes in email clients. Email clients such as Outlook and Outlook Express have a feature that shows the message as soon as it is highlighted. Previewing renders the message exactly as opening it does, so an infected message fires the moment it is selected. This is a major security flaw.

It is also a good idea to turn off the feature that lets the client display HTML-formatted emails. Many of these viruses and worms arrive as HTML mail containing an <iframe src="cid:..."> tag that points at an attached file. The attachment is declared in its MIME header as a harmless type such as audio/x-wav while actually being an executable, and an unpatched client (this is the Internet Explorer flaw fixed by MS01-020 and used by Nimda and Klez) runs the attachment as soon as the HTML is rendered, with no click from the user.

We will take a quick look at an email with the subject "You're now infected" that opens a file called readme.exe. Lines marked *** are annotations, not part of the message, and the base64 body has been cut short.

    Subject: You're now infected
    MIME-Version: 1.0
    Content-Type: multipart/related;type="multipart/alternative";
        boundary="====_ABC1234567890DEF_===="
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Unsent: 1
    To:

    --====_ABC1234567890DEF_====
    Content-Type: multipart/alternative;
        boundary="====_ABC0987654321DEF_===="      *** (This calls the iframe)

    --====_ABC0987654321DEF_====
    Content-Type: text/html;charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
    <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>      *** (This calls readme.exe)
    </iframe></BODY></HTML>

    --====_ABC0987654321DEF_====--

    --====_ABC1234567890DEF_====
    Content-Type: audio/x-wav;name="readme.exe"      *** (This is the virus/worm)
    Content-Transfer-Encoding: base64
    Content-ID: <EA4DMGBP9p>      *** (Notice that the <iframe src=cid:...> above points at this Content-ID)

    L0RURCBIVE1MIDQuMCBUcmFuc2l0aW9u
    obydzIHRoZSBiZXN0LS0tLS0tPyAt
    JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlw
    C5qcz9jdXN0b21lcmlkPTExNDc0
    U9ImphdmFzY3JpcHQiPg08IS0tDWZ1
    2luTmFtZSxmZWF0dXJlcykgeyAvL3Yy
    *** Broken to protect the innocent. (Worm is encoded in
    jb20vZmNhbGhpc3BvcnRzZnJtMT5Gb290
    iAtIDwvZm9udD4NDTxicj48YnI+PGJy
    5lemJvYXJkLmNvbS8+ZXpib2Fy
    k5LTIwMDEgZXpib2FyZCwgSW5j
    Cj==
    --====_ABC1234567890DEF_====--

Email Servers

The first step to minimizing the effect of viruses is to use an email server that filters incoming email with antivirus software. If the server is kept up to date, it will catch the majority of mass-mailer (MM) worms. Ask your Internet Service Provider (ISP) if they offer antivirus protection and spam filtering on their email servers. This service is invaluable and should always be the first line of defense.

Many companies house an internal email server that downloads all of the email from several external email accounts and then runs an internal virus filter. Combining an internal email server with the ISP's protection is perfect for a company with an IT staff. This option adds an extra layer of control, but also adds more administration time.

Sample specs for an internal email server are:

Setup #1
* Linux: OS
* Sendmail: mail server
* Fetchmail: grabs email from external email addresses
* F-Prot: antivirus
* SpamAssassin: spam filter

Setup #2
* Windows Server 2003: OS
* Exchange: email server
* Symantec AntiVirus: antivirus
* Exchange Intelligent Message Filter: spam filter

Software Updates

Keep your software up to date. Some worms and viruses replicate through vulnerabilities in services and software on the target system. Code Red is a classic example. In July and August 2001 the Code Red worms exploited a known buffer overflow in the Index Server ISAPI extension (idq.dll) shipped with Microsoft IIS 4.0 and 5.0; the patch (MS01-033) had been available for about a month. The flaw allowed an attacker to run any program they wanted on the affected system. Another famous worm, Slammer, targeted Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 in January 2003, six months after the patch (MS02-039) had been released.

When updating your software, also disable features and services that are not needed. Some versions of Windows NT and 2000 installed the IIS web server by default. If you do not need a service, make sure it is turned off (Code Red is a perfect example: a machine that never needed IIS was still wormable). By enabling only the services you need, you decrease the risk of attack.

Telecommunications Security

Install a firewall on the network. A firewall is a device or software that blocks unwanted traffic from going to or from the internal network. This gives you control of the traffic coming into and going out of your network. At minimum, block inbound TCP and UDP ports 135, 137, 139 and 445 (Microsoft RPC, NetBIOS and SMB) from the Internet. This stops most network-aware viruses and worms from spreading in from the Internet. However, it is good practice to block all traffic unless it is specifically needed.

Security Policies

Implementing security policies that cover items such as acceptable use, email retention, and remote access can go a long way toward protecting your information infrastructure. With the addition of annual training, employees will be informed enough to help keep the data reliable instead of hindering it. Every individual who has access to your network or data needs to follow these rules. It only takes one incident to compromise the system.

Only install proven and scanned software on the system. Some of the most damaging viruses arrive through installing software from, or simply booting from, a contaminated disk. Boot sector viruses can be some of the hardest malware to defeat. A floppy with a boot sector virus left in the drive at startup transfers the virus to the hard drive the moment the machine boots from it.

When surfing the Internet, do not download untrusted files. Many websites will install spyware, adware, parasites, or Trojans in the name of "marketing" on unsuspecting victims' computers. Many prey on users who do not read popup windows, or who download freeware or shareware. Some sites even use code that takes advantage of a vulnerability in Internet Explorer to download and run unauthorized software without giving you a choice.

Do not install or use P2P programs like Kazaa, Morpheus, or Limewire. These programs install server software on your system, essentially back-dooring it. There are also thousands of infected files floating on those networks that activate when downloaded.

Backups & Disaster Recovery Planning

Keep daily backups offsite. These can be in the form of tape, CD-R, DVD-R, removable hard drives, or even secure file transfers. If data becomes damaged, you will be able to restore from the last known good backup. The most important step in any backup procedure is to verify that the backup was a success: actually restore from the media and check the restored files, rather than trusting the job's "completed" status. Too many people just assume the backup is working, only to find out that the drive or media went bad six months earlier when they are infected by a virus or lose a hard drive. If the data you are trying to archive is less than about five gigabytes, DVD-R drives are a great solution. Both the drives and the discs have come down in price and are now a viable option. This is also one of the fastest backup methods to process and verify. For larger backups, tape drives and removable hard drives are the best option. If you choose this method, rotate the backup across five or seven different media (tapes, CDs/DVDs, removable drives) to get the most out of the process. It is also suggested to take a "master" backup out of the rotation on a scheduled basis and archive it offsite in a fireproof safe. This protects the data from fire, flood, and theft.

In the Internet age, understanding that you have to maintain these processes will help you succeed in preventing damage, and minimizes the time, costs, and liabilities involved in the disaster recovery phase if you are affected.

Resources

Virus Resources
F-PROT:
McAfee:
Symantec Norton:
Trend Micro:
NIST GOV: software
AVG Anti-Virus - Free
F-Prot - Free for home users

Free online Virus scan
BitDefender -
HouseCall -
McAfee -
Panda ActiveScan -
RAV Antivirus - online Trojan scan
TrojanScan - online Security scan
Symantec Security Check -
Test my Firewall -

Security Resources
Forum of Incident Response and Security Teams:
Microsoft:
SANS Institute:
Webopedia:

Definitions

Adware: *A form of spyware that collects information about the user in order to display advertisements in the Web browser based on the information it collects from the user's browsing patterns. Software that is given to the user with advertisements already embedded in the application.

Malware: *Short for malicious software, software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.

Script Kiddie: *A person, normally someone who is not technologically sophisticated, who randomly seeks out a specific weakness over the Internet in order to gain root access to a system without really understanding what it is s/he is exploiting because the weakness was discovered by someone else. A script kiddie is not looking to target specific information or a specific company but rather uses knowledge of a vulnerability to scan the entire Internet for a victim that possesses that vulnerability.

Spyware: *Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.

Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today.

Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability.

Because spyware exists as independent executable programs, they have the ability to monitor keystrokes, scan files on the hard drive, snoop other applications, such as chat programs or word processors, install other spyware programs, read cookies, change the default home page on the Web browser, consistently relaying this information back to the spyware author who will either use it for advertising/marketing purposes or sell the information to another party.

Licensing agreements that accompany software downloads sometimes warn the user that a spyware program will be installed along with the requested software, but the licensing agreements may not always be read completely because the notice of a spyware installation is often couched in obtuse, hard-to-read legal disclaimers.

Trojan: *A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.

The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.

Virus: *A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man made. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.

Since 1987, when a virus infected ARPANET, a large network used by the Defense Department and many universities, many antivirus programs have become available. These programs periodically check your computer system for the best-known types of viruses.

Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

Worm: *A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.

* Definitions provided by Webopedia

A special thanks goes out to the CISSP community, various Chief Information Security Officers (CISOs), and to those in the Risk Assessment specialty of Information Systems Security for their help in proofreading and suggestions.
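The iframe/Content-ID trick used by the "You're now infected" message in the Email Clients section is easy to check for on a mail gateway before the message reaches any client. The following Python script is an added example written for this article, not code from the original page or from any product it names. It parses a raw message, maps Content-IDs to MIME parts, and flags every HTML part whose <iframe src="cid:..."> points at a part with an executable filename or a declared type that is neither text nor image. Both messages it scans are constructed for the example: SAMPLE_WORM copies the layout of the message above but its base64 body is harmless text, and SAMPLE_BENIGN is a newsletter whose iframe points at an inline GIF.

```python
"""Flag HTML mail whose <iframe src="cid:..."> points at an executable attachment.

Added example, not code from the original article. Both messages below are
constructed for this example: SAMPLE_WORM copies the layout of the article's
"You're now infected" message (its base64 body is harmless text, not a worm);
SAMPLE_BENIGN is a newsletter whose iframe shows an inline 1x1 GIF.
"""
import email
import re
from email import policy
from typing import Dict, List

# <iframe ... src=cid:ID ...>; the value may be bare (as in the worm) or quoted
IFRAME_CID = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)
EXEC_EXTS = ('.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.vbs', '.js')

SAMPLE_WORM = b"""Subject: You're now infected
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
To: victim@example.com

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0></iframe>
</BODY></HTML>

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

Tm90IGEgd29ybSwganVzdCB0ZXh0IGZvciB0aGUgZXhhbXBsZS4=

--====_ABC1234567890DEF_====--
"""

SAMPLE_BENIGN = b"""Subject: Monthly newsletter
MIME-Version: 1.0
Content-Type: multipart/related; boundary="nl-boundary"
To: staff@example.com

--nl-boundary
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello from marketing.</p>
<iframe src="cid:logo1" width="120" height="40"></iframe></body></html>

--nl-boundary
Content-Type: image/gif; name="logo.gif"
Content-Transfer-Encoding: base64
Content-ID: <logo1>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7

--nl-boundary--
"""


def find_autorun_iframes(raw: bytes) -> List[Dict]:
    """Return one finding per <iframe src=cid:...> whose target looks like a program.

    Each finding is {'cid', 'filename', 'content_type', 'reasons'}; an empty
    list means no iframe in the message references a suspicious part.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Map Content-ID (without the angle brackets) to the part that carries it.
    by_cid = {}
    for part in msg.walk():
        cid = part.get('Content-ID')
        if cid:
            by_cid[str(cid).strip().strip('<>')] = part

    findings = []
    for part in msg.walk():
        if part.get_content_type() != 'text/html':
            continue
        html = part.get_content()  # undoes quoted-printable, so =3D becomes =
        for cid in IFRAME_CID.findall(html):
            target = by_cid.get(cid)
            if target is None:
                continue  # dangling reference: nothing in the message to run
            filename = target.get_filename() or ''
            ctype = target.get_content_type()
            reasons = []
            if filename.lower().endswith(EXEC_EXTS):
                reasons.append('target filename has an executable extension: ' + filename)
            if target.get_content_maintype() not in ('text', 'image'):
                reasons.append('target declared as ' + ctype + ', not a type an iframe should render')
            if reasons:
                findings.append({'cid': cid, 'filename': filename,
                                 'content_type': ctype, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for label, raw in (('worm-style', SAMPLE_WORM), ('benign', SAMPLE_BENIGN)):
        hits = find_autorun_iframes(raw)
        print(label, '->', 'REJECT' if hits else 'pass')
        for h in hits:
            print('  cid', h['cid'], h['filename'], h['content_type'])
            for r in h['reasons']:
                print('   -', r)
```

The check deliberately keys on the mismatch the worm relies on (an iframe target that is declared as audio but named .exe) rather than on the presence of an iframe alone, so ordinary HTML newsletters that embed images by Content-ID pass. On a gateway the same function would be fed the raw message from the queue and a non-empty result would quarantine it.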
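The Backups & Disaster Recovery Planning section says the most important step is to verify that the backup succeeded. The script below, an added example and not part of the original article, shows what "verify" means in practice: it writes a tar.gz backup together with a SHA-256 manifest, restores the archive into a scratch directory and compares every file against the manifest, then truncates the archive to stand in for a tape that stopped early or a disc with an unreadable tail and confirms the check catches it. The data set, file names and paths are constructed for the example; point make_backup at your own source directory and archive path to use it.

```python
"""Verify a backup by restoring it and checking every file's hash.

Added example for the Backups section; not code from the original article.
demo() builds a small constructed data set in a scratch directory, writes a
tar.gz backup plus a SHA-256 manifest, verifies the backup by restoring it,
then truncates the archive to simulate bad media and verifies again.
"""
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List, Tuple

CHUNK = 64 * 1024


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(CHUNK), b''):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> Dict[str, str]:
    """Write src_dir into a gzip'd tar; return {relative path: sha256} for every file."""
    manifest = {}
    with tarfile.open(archive, 'w:gz') as tar:
        for p in sorted(src_dir.rglob('*')):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Restore into a scratch dir and compare each restored file with the manifest.

    A backup that cannot be read back, is missing files, or restores different
    bytes is a failed backup, however cleanly the backup job reported success.
    """
    problems = []
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, 'r:gz') as tar:
                # The 'data' filter (3.12+, backported to older patch releases)
                # refuses absolute paths, '..' and device files while extracting.
                if hasattr(tarfile, 'data_filter'):
                    tar.extractall(scratch, filter='data')
                else:
                    tar.extractall(scratch)
            for rel, digest in manifest.items():
                restored = Path(scratch) / rel
                if not restored.is_file():
                    problems.append('missing after restore: ' + rel)
                elif sha256_file(restored) != digest:
                    problems.append('content differs after restore: ' + rel)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append('archive unreadable: %s: %s' % (exc.__class__.__name__, exc))
    return (not problems, problems)


def simulate_bad_media(archive: Path, keep_fraction: float = 0.5) -> None:
    """Truncate the archive, as a tape that stopped or a disc with a bad tail would."""
    size = archive.stat().st_size
    with open(archive, 'r+b') as f:
        f.truncate(int(size * keep_fraction))


def demo() -> Tuple[bool, bool]:
    """Return (verified ok before damage, verified ok after damage)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / 'data'
        # Constructed sample data set.
        (data / 'db').mkdir(parents=True)
        (data / 'docs').mkdir()
        (data / 'db' / 'customers.csv').write_text('id,name\n1,Alice\n2,Bob\n')
        (data / 'docs' / 'plan.txt').write_text('Rotate five tapes; master copy offsite.\n')
        # Incompressible bytes, so the archive is large enough that truncation hits it.
        (data / 'db' / 'blob.dat').write_bytes(os.urandom(16384))

        archive = work / 'backup.tar.gz'
        manifest = make_backup(data, archive)
        ok_before, _ = verify_backup(archive, manifest)

        simulate_bad_media(archive)
        ok_after, problems = verify_backup(archive, manifest)
        for p in problems:
            print('verification problem:', p)
        return ok_before, ok_after


if __name__ == '__main__':
    print('good media verified:', demo()[0], '| damaged media verified:', demo()[1])
```

The manifest is the piece most backup jobs skip: without a per-file digest recorded at backup time, a restore that "works" can still hand back corrupted files, which is exactly the six-months-too-late discovery the section warns about. Store the manifest with the offsite master copy, not only on the server being backed up.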