Virus damage estimated at $55 billion in 2003.

"SINGAPORE - Trend Micro Inc, the world's third-largest anti-virus software maker, said Friday that computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that would rise this year. Companies lost roughly $20 billion to $30 billion in 2002 from the virus attacks, up from about $13 billion in 2001, according to various industry estimates."

This was the story across thousands of news agency desks in January 2004. Out of $55 billion, how much did it cost your company? How much did it cost someone you know?

I. The Why

There is an average of 10-20 viruses released every day. Very few of these viruses actually reach the "wild" stage. Viruses are designed to take advantage of security flaws in software or operating systems. These flaws range from something as blatant as open Microsoft Windows NetBIOS shares to exploits using buffer overflows. Buffer overflows happen when an attacker sends a program input longer than what it expects. If the victim software is not designed well, the attacker can overwrite the memory allocated to the software and execute malicious code.

People make viruses for various reasons. These reasons range from political to financial to notoriety to hacking tools to plain malicious intent.

Political: Mydoom is a good example of a virus that was spread with a political agenda. The two targets of this virus were Microsoft and The SCO Group. The SCO Group, which claims to own a large portion of the Linux source code, threatened to sue everyone using Linux operating systems (with "stolen" programming source). The virus was very effective at knocking down SCO's website. However, Microsoft had enough time to prepare for the second attack and efficiently sidestepped disaster.

Financial: Some virus writers are hired by other parties to either leech financial data from a competitor or make the competitor look bad in the public eye. Industrial espionage is a high-risk, high-payout field that can land a person in prison for life.

Notoriety: There are some that write viruses for the sole purpose of getting their name out. This is great when the virus writers are script kiddies because this helps the authorities track them down. There are several famous viruses that have the author's email in the source code or open script.

Hacking: Hackers sometimes write controlled viruses to assist in gaining access to a remote computer. They will add a payload to the virus, such as a Trojan horse, to allow easy access into the victim's system.

Malicious: These are the people that are the most dangerous. These are the blackhat hackers that code viruses for the sole intention of destroying networks and systems without prejudice. They get high on seeing the utter destruction of their creation, and are very rarely script kiddies.

Many of the viruses that are written and released are viruses altered by script kiddies. These viruses are known as generations of the original virus and are very rarely altered enough to be distinguishable from the original. This stems from the fact that script kiddies do not understand what the original code does and only alter what they recognize (file extension or victim's website). This lack of knowledge makes script kiddies very dangerous.

II. The How

Malicious code has been plaguing computer systems since before computers became a common household appliance. Viruses and worms are examples of malicious code designed to spread and cause a system to perform a function that it was not originally designed to do.

Viruses are programs that need to be activated or run before they are dangerous or spread. The computer system only becomes infected once the program is run and the payload has been deployed. This is why Hackers and Crackers try to crash or restart a computer system once they copy a virus onto it.

There are four ways a virus can spread:
1.) Email
2.) Network
3.) Downloading or installing software
4.) Inserting infected media

Spreading through Email
Many viruses spread when a user receives an infected email. When the user opens this email or previews it, the virus is now active and starts to spread immediately.

Spreading through Network
Many viruses are network aware. This means that they look for unsecured systems on the network and copy themselves to those systems. This behavior destroys network performance and causes viruses to spread across your systems like wildfire. Hackers and Crackers also use Internet and network connections to infect systems. They not only scan for unprotected systems, but they also target systems that have known software vulnerabilities. This is why keeping systems up to date is so important.

Spreading through manual installation
Installing software from downloads or disks increases the risk of infection. Only install trusted and scanned software that is known to be safe. Stay away from freeware and shareware products. These programs are known to contain Spyware, Adware, and viruses. It is also good policy to deny all Internet software that attempts to install itself unless explicitly needed.

Spreading through boot sectors
Some viruses corrupt the boot sector of disks. This means that if another system reads the infected disk, the infection spreads. Boot sector viruses are automatically run immediately after the disk is inserted or the hard drive connected.

III. Minimizing the effect of viruses and worms

We have all heard stories about the virus that destroyed mission critical company data, which cost companies months to recover and thousands of dollars and man-hours restoring the information. In the end, there are still many hours, costs, and would-be profits that remain unaccounted for. Some companies never recover fully from a devastating attack. Taking simple precautions can save your business.

Anti-virus Software
Another step is to run an antivirus program on the local computer. Many antivirus programs offer live update software and automatically download the newest virus definitions minutes after they are released (it is very important that you verify these updates weekly if not daily). Be careful of which antivirus program you choose. Installing a PC antivirus on a network can be more destructive to performance than a virus at work. Norton makes an effective corporate edition specifically designed for Windows NT Server and network environments. When using antivirus software on a network, configure it to ignore network drives and partitions. Only scan the local system and turn off the auto-protect feature. The auto-protect constantly scans your network traffic and causes detrimental network issues. Corporate editions usually have this disabled by default. PC editions do not.

Email Clients
Do not open emails from unknown sources. If you have a website for e-commerce transactions or to act as a virtual business card, make sure that the emails come up with a preset subject. If the emails are being sent through server-side code instead of the user's email client, specify whom it is coming from so you know which emails to trust. Use common sense when looking at your email. If you see a strange email with an attachment, do not open it until you verify whom it came from. This is how most MM worms spread.

Disable preview panes in email clients. Email clients such as Outlook and Outlook Express have a feature that will allow you to preview the message when the email is highlighted. This is a major security flaw and will instantly unleash a virus if the email is infected.

It is also a good idea to turn off the feature that enables the client to view HTML formatted emails. Most of these viruses and worms pass by using the HTML tag "<iframe src>" to run the attached file from within the email. We will take a quick look at an email with the subject header of "You're now infected" that will open a file called readme.exe.

"Subject: You're now infected
MIME-Version: 1.0
Content-Type: multipart/related;type="multipart
_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
To:
_====
Content-Type: multipart
====" *** (This calls the iframe)
--====_ABC0987654321DEF_====
Content-Type: text/html;charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0> *** (This calls readme.exe)
</iframe></BODY></HTML>
C1234567890DEF_====
Content-Type: audio/x-wav;name="readme.exe" *** (This is the virus/worm)
Content-Transfer-Encoding: base64
Content-ID: *** (Notice the <iframe src= ...)
*** Broken to protect the innocent. (Worm is encoded in base64.)"

Email Servers
The first step to minimizing the effect of viruses is to use an email server that filters incoming emails using antivirus software. If the server is kept up to date, it will catch the majority of Mass Mailer (MM) worms. Ask your Internet Service Provider (ISP) if they offer antivirus protection and spam filtering on their email servers. This service is invaluable and should always be included as the first line of defense.

Many companies house an internal email server that downloads all of the email from several external email accounts and then runs an internal virus filter. Combining an internal email server with the ISP protection is perfect for a company with an IT staff. This option adds an extra layer of control, but also adds more administration time. Sample specs for an internal email server are:

Setup #1
* Linux: OS
* Sendmail: mail server
* Fetchmail: Grabs email from external email addresses
* F-prot: Antivirus
* SpamAssassin: Spam Filter

Setup #2
* Win 2003 Server: OS
* Exchange: Email server
* Symantec antivirus: Antivirus
* Exchange Intelligent Message Filter: Spam Filter

Software Updates
Keep your software up to date. Some worms and viruses replicate through vulnerabilities in services and software on the target system. Code Red is a classic example. In August 2001, the worm used a known buffer overflow vulnerability in Microsoft's IIS 4.0 and 5.0 contained in the Idq.dll file. This would allow an attacker to run any program they wanted to on the affected system. Another famous worm called Slammer targeted Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000.

When updating your software, make sure to disable features and services that are not needed. Some versions of WinNT had a web server called IIS installed by default. If you do not need the service, make sure it is turned off (Code Red is a perfect example). By only enabling services you need, you decrease the risk of attack.

Telecommunications Security
Install a firewall on the network. A firewall is a device or software that blocks unwanted traffic from going to or from the internal network. This gives you control of the traffic coming in and going out of your network. At minimum, block ports 135, 137, 139, and 445. This stops most network aware viruses and worms from spreading from the Internet. However, it is good practice to block all traffic unless specifically needed.

Security Policies
Implementing security policies that cover items such as acceptable use, email retention, and remote access can go a long way toward protecting your information infrastructure. With the addition of annual training, employees will be informed enough to help keep the data reliable instead of hindering it. Every individual that has access to your network or data needs to follow these rules. It only takes one incident to compromise the system. Only install proven and scanned software on the system. The most damaging viruses come from installing or even inserting a contaminated disk. Boot sector viruses can be some of the hardest malware to defeat. Simply inserting a floppy disk with a boot sector virus can immediately transfer the virus to the hard drive.

When surfing the Internet, do not download untrusted files. Many websites will install Spyware, Adware, Parasites, or Trojans in the name of "Marketing" on unsuspecting victims' computers. Many prey on users that do not read popup windows or download freeware or shareware software. Some sites even use code to take advantage of vulnerabilities in Internet Explorer to automatically download and run unauthorized software without giving you a choice.

Do not install or use P2P programs like Kazaa, Morpheus, or Limewire. These programs install server software on your system, essentially backdooring your system. There are also thousands of infected files floating on those networks that will activate when downloaded.

Backups & Disaster Recovery Planning
Keep daily backups offsite. These can be in the form of tape, CD-R, DVD-R, removable hard drives, or even secure file transfers. If data becomes damaged, you would be able to restore from the last known good backup. The most important step while following a backup procedure is to verify that the backup was a success. Too many people just assume that the backup is working, only to find out that the drive or media was bad six months earlier when they were infected by a virus or lost a hard drive. If the data that you are trying to archive is less than five gigabytes, DVD-R drives are a great solution. Both the drives and disks have come down in price and are now a viable option. This is also one of the fastest backup methods to process and verify. For larger backups, tape drives and removable hard drives are the best option. If you choose this method, you will need to rotate the backup with five or seven different media (tapes, CD/DVD, removable drives) to get the most out of the process. It is also suggested to take a "master" backup out of the rotation on a scheduled basis and archive it offsite in a fireproof safe. This protects the data from fire, flood, and theft.

In the Internet age, understanding that you have to maintain these processes will help you prevent damage and minimize the time, costs, and liabilities involved during the disaster recovery phase if you are affected.

Resources

Virus Resources
F-PROT:
McAfee:
Symantec Norton:
Trend Micro:
NIST GOV: software
AVG Anti-Virus - Free
F-Prot - Free for home users

Free online Virus scan
BitDefender -
HouseCall -
McAfee -
Panda ActiveScan -
RAV Antivirus - online Trojan scan
TrojanScan - online Security scan
Symantec Security Check -
Test my Firewall -

Security Resources
Forum of Incident Response and Security Teams:
Microsoft:
SANS Institute:
Webopedia:

Definitions

Adware: *A form of spyware that collects information about the user in order to display advertisements in the Web browser based on the information it collects from the user's browsing patterns. Software that is given to the user with advertisements already embedded in the application.

Malware: *Short for malicious software, software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.

Script Kiddie: *A person, normally someone who is not technologically sophisticated, who randomly seeks out a specific weakness over the Internet in order to gain root access to a system without really understanding what it is s/he is exploiting because the weakness was discovered by someone else. A script kiddie is not looking to target specific information or a specific company but rather uses knowledge of a vulnerability to scan the entire Internet for a victim that possesses that vulnerability.

Spyware: *Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today. Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability. Because spyware exists as independent executable programs, they have the ability to monitor keystrokes, scan files on the hard drive, snoop other applications, such as chat programs or word processors, install other spyware programs, read cookies, change the default home page on the Web browser, consistently relaying this information back to the spyware author who will either use it for advertising/marketing purposes or sell the information to another party. Licensing agreements that accompany software downloads sometimes warn the user that a spyware program will be installed along with the requested software, but the licensing agreements may not always be read completely because the notice of a spyware installation is often couched in obtuse, hard-to-read legal disclaimers.

Trojan: *A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer. The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.

Virus: *A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man made. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems. Since 1987, when a virus infected ARPANET, a large network used by the Defense Department and many universities, many antivirus programs have become available. These programs periodically check your computer system for the best-known types of viruses. Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

Worm: *A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.

* Definitions provided by Webopedia

A special thanks goes out to the CISSP community, various Chief Information Security Officers (CISOs), and to those in the Risk Assessment specialty of Information Systems Security for their help in proofreading and suggestions.
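Added example, not code from the article: a Python check in the spirit of the filtering email server recommended under Email Servers, applied to the message shape walked through under Email Clients. It parses a multipart message, finds any <iframe src=cid:...> in the HTML part, and flags the frame when it is hidden, when the part it references carries an executable filename, or when that part's declared Content-Type does not match the filename (the article's audio/x-wav part named readme.exe). The sample message, its boundary and Content-ID are constructed, and the attachment body is harmless filler text.

```python
import mimetypes
import re
from email import message_from_string, policy

# Constructed sample shaped like the message quoted in the article: a hidden
# <iframe> in the HTML part pulls in a part declared as audio/x-wav but named
# readme.exe. Boundary, Content-ID and body are made up; the "attachment" is
# harmless filler text, not a worm.
SUSPICIOUS_MAIL = """\
Subject: You're now infected
MIME-Version: 1.0
Content-Type: multipart/related; boundary="====_EXAMPLE_===="

--====_EXAMPLE_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:PART0001 height=3D0 width=3D0></iframe>
</BODY></HTML>
--====_EXAMPLE_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <PART0001>

ZmlsbGVyIGJ5dGVzLCBub3QgYSBwcm9ncmFt
--====_EXAMPLE_====--
"""

# Extensions Windows treats as directly runnable once the part is saved/opened.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
IFRAME_CID = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)
HIDDEN_FRAME = re.compile(r'<iframe\b[^>]*\b(?:height|width)\s*=\s*["\']?0\b', re.I)


def iframe_cid_findings(raw_message):
    """Return the reasons a message looks like the iframe/cid trick (empty = clean)."""
    msg = message_from_string(raw_message, policy=policy.default)
    parts_by_cid, html_bodies = {}, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = (part.get("Content-ID") or "").strip("<> ")
        if cid:
            parts_by_cid[cid] = part
        if part.get_content_type() == "text/html":
            html_bodies.append(part.get_content())  # undoes quoted-printable
    findings = []
    for html in html_bodies:
        if HIDDEN_FRAME.search(html):
            findings.append("hidden zero-size iframe in HTML body")
        for cid in IFRAME_CID.findall(html):
            part = parts_by_cid.get(cid)
            if part is None:
                findings.append(f"iframe references missing cid:{cid}")
                continue
            name = (part.get_filename() or "").lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in EXECUTABLE_EXT:
                findings.append(f"iframe cid:{cid} loads executable '{name}'")
            declared, implied = part.get_content_type(), mimetypes.guess_type(name)[0]
            if implied and implied != declared:
                findings.append(f"cid:{cid} declared {declared} but named '{name}'")
    return findings


if __name__ == "__main__":
    print(iframe_cid_findings(SUSPICIOUS_MAIL) or ["no findings"])
```

A mail gateway would quarantine on any non-empty result; the same walk over parts can be extended to flag executable filenames even without an iframe reference.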