Virus damage estimated at $55 billion in 2003.

"SINGAPORE - Trend Micro Inc, the world's third-largest anti-virus software maker, said Friday that computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that would rise this year. Companies lost roughly $20 billion to $30 billion in 2002 from the virus attacks, up from about $13 billion in 2001, according to various industry estimates." This was the story across thousands of news agency desks in January 2004. Out of $55 billion, how much did it cost your company? How much did it cost someone you know?

I. The Why

There is an average of 10-20 viruses released every day. Very few of these viruses actually reach the "Wild" stage. Viruses are designed to take advantage of security flaws in software or operating systems. These flaws range from something as blatant as open Microsoft Windows NetBIOS shares to exploits using buffer overflows. Buffer overflows happen when an attacker sends a program input longer than what it expects. If the victim software is not designed well, the attacker can overwrite the memory allocated to the software and execute malicious code.

People make viruses for various reasons. These reasons range from political to financial to notoriety to hacking tools to plain malicious intent.

Political: Mydoom is a good example of a virus that was spread with a political agenda. The two targets of this virus were Microsoft and The SCO Group. The SCO Group claimed that they owned a large portion of the Linux source code and threatened to sue everyone using Linux operating systems (with "stolen" programming source). The virus was very effective in knocking down SCO's website. However, Microsoft had enough time to prepare for the second attack and efficiently sidestepped disaster.

Financial: Some virus writers are hired by other parties to either leech financial data from a competitor or make the competitor look bad in the public eye. Industrial espionage is a high-risk/high-payout field that can land a person in prison for life.

Notoriety: There are some that write viruses for the sole purpose of getting their name out. This is great when the virus writers are script kiddies because it helps the authorities track them down. There are several famous viruses that have the author's email in the source code or open script.

Hacking: Hackers sometimes write controlled viruses to assist in gaining access to a remote computer. They will add a payload to the virus, such as a Trojan horse, to allow easy access into the victim's system.

Malicious: These are the people that are the most dangerous. These are the blackhat hackers that code viruses with the sole intention of destroying networks and systems without prejudice. They get high on seeing the utter destruction of their creation, and are very rarely script kiddies.

Many of the viruses that are written and released are viruses altered by script kiddies. These viruses are known as generations of the original virus and are very rarely altered enough to be distinguishable from the original. This stems from the fact that script kiddies do not understand what the original code does and only alter what they recognize (file extension or victim's website). This lack of knowledge makes script kiddies very dangerous.

II. The How

Malicious code has been plaguing computer systems since before computers became a common household appliance. Viruses and worms are examples of malicious code designed to spread and cause a system to perform a function that it was not originally designed to do.

Viruses are programs that need to be activated or run before they are dangerous or spread. The computer system only becomes infected once the program is run and the payload has been deployed. This is why hackers and crackers try to crash or restart a computer system once they copy a virus onto it.

There are four ways a virus can spread:

1.) Email
2.) Network
3.) Downloading or installing software
4.) Inserting infected media

Spreading through Email

Many viruses spread when a user receives an infected email. When the user opens this email or previews it, the virus becomes active and immediately starts to spread.

Spreading through Network

Many viruses are network aware. This means that they look for unsecured systems on the network and copy themselves to those systems. This behavior destroys network performance and causes viruses to spread across your network like wildfire. Hackers and crackers also use Internet and network connections to infect systems. They not only scan for unprotected systems, but they also target systems that have known software vulnerabilities. This is why keeping systems up to date is so important.

Spreading through manual installation

Installing software from downloads or disks increases the risk of infection. Only install trusted and scanned software that is known to be safe. Stay away from freeware and shareware products. These programs are known to contain spyware, adware, and viruses. It is also good policy to deny all Internet software that attempts to install itself unless explicitly needed.

Spreading through boot sectors

Some viruses corrupt the boot sector of disks. This means that if another disk reads the infected disk, the infection spreads. Boot sector viruses are automatically run immediately after the disk is inserted or the hard drive connected.

III. Minimizing the effect of viruses and worms

We have all heard stories about the virus that destroyed mission-critical company data, which cost companies months to recover and thousands of dollars and man-hours restoring the information. In the end, there are still many hours, costs, and would-be profits that remain unaccounted for. Some companies never recover fully from a devastating attack. Taking simple precautions can save your business.

Anti-virus Software

Another step is to run an antivirus program on the local computer. Many antivirus programs offer live update software and automatically download the newest virus definitions minutes after they are released (it is very important that you verify these updates weekly if not daily). Be careful of which antivirus program you choose. Installing a PC antivirus on a network can be more destructive to performance than a virus at work. Norton makes an effective corporate edition specifically designed for Windows NT Server and network environments. When using antivirus software on a network, configure it to ignore network drives and partitions. Only scan the local system and turn off the auto-protection feature. The auto-protect constantly scans your network traffic and causes detrimental network issues. Corporate editions usually have this disabled by default. PC editions do not.

Email Clients

Do not open emails from unknown sources. If you have a website for e-commerce transactions or to act as a virtual business card, make sure that the emails come up with a preset subject. If the emails are being sent through server-side code instead of the user's email client, specify whom it is coming from so you know what emails to trust. Use common sense when looking at your email. If you see a strange email with an attachment, do not open it until you verify whom it came from. This is how most MM worms spread.

Disable preview panes in email clients. Email clients such as Outlook and Outlook Express have a feature that will allow you to preview the message when the email is highlighted. This is a major security flaw and will instantly unleash a virus if the email is infected.

It is also a good idea to turn off the feature that enables the client to view HTML formatted emails. Most of these viruses and worms get in by using the HTML "<iframe src>" tag and run the attached file from within the email body. We will take a quick look at an email with the subject header of "You're now infected" that will open a file called readme.exe.

"Subject: You're now infected
MIME-Version: 1.0
Content-Type: multipart/related;type="multipart
="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
To:
==
Content-Type: multipart
="                                              *** (This calls the iframe)
--====_ABC0987654321DEF_====
Content-Type: text/html;charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>   *** (This calls readme.exe)
</iframe></BODY></HTML>
4567890DEF_====
Content-Type: audio/x-wav;name="readme.exe"          *** (This is the virus/worm)
Content-Transfer-Encoding: base64
Content-ID:                                          *** (Notice the "<iframe src=" ...
vL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9u
ldobydzIHRoZSBiZXN0LS0tLS0tPyAt
JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlw
jaC5qcz9jdXN0b21lcmlkPTExNDc0
Z2U9ImphdmFzY3JpcHQiPg08IS0tDWZ1
d2luTmFtZSxmZWF0dXJlcykgeyAvL3Yy           *** Broken to protect the innocent. (Worm is encoded in
C5jb20vZmNhbGhpc3BvcnRzZnJtMT5Gb290
iAtIDwvZm9udD4NDTxicj48YnI+PGJy
y5lemJvYXJkLmNvbS8+ZXpib2Fy
k5LTIwMDEgZXpib2FyZCwgSW5j
NCj==
--====_ABC1234567890DEF_====--"

Email Servers

The first step to minimizing the effect of viruses is to use an email server that filters incoming emails using antivirus software. If the server is kept up to date, it will catch the majority of Mass Mailer (MM) worms. Ask your Internet Service Provider (ISP) if they offer antivirus protection and spam filtering on their email servers. This service is invaluable and should always be included as the first line of defense.

Many companies house an internal email server that downloads all of the email from several external email accounts and then runs an internal virus filter. Combining an internal email server with the ISP protection is perfect for a company with an IT staff. This option adds an extra layer of control, but also adds more administration time. Sample specs for an internal email server are:

Setup #1
* Linux: OS
* Sendmail: mail server
* Fetchmail: grabs email from external email addresses
* F-Prot: antivirus
* SpamAssassin: spam filter

Setup #2
* Win 2003 Server: OS
* Exchange: email server
* Symantec Antivirus: antivirus
* Exchange Intelligent Message Filter: spam filter

Software Updates

Keep your software up to date. Some worms and viruses replicate through vulnerabilities in services and software on the target system. Code Red is a classic example. In August 2001, the worm used a known buffer overflow vulnerability in Microsoft's IIS 4.0 and 5.0 contained in the Idq.dll file. This would allow an attacker to run any program they wanted to on the affected system. Another famous worm called Slammer targeted Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000.

When updating your software, make sure to disable features and services that are not needed. Some versions of WinNT had a web server called IIS installed by default. If you do not need the service, make sure it is turned off (Code Red is a perfect example). By only enabling the services you need, you decrease the risk of attack.

Telecommunications Security

Install a firewall on the network. A firewall is a device or software that blocks unwanted traffic from going to or from the internal network. This gives you control of the traffic coming in and going out of your network. At minimum, block ports 135, 137, 139, and 445. This stops most network-aware viruses and worms from spreading from the Internet. However, it is good practice to block all traffic unless specifically needed.

Security Policies

Implementing security policies that cover items such as acceptable use, email retention, and remote access can go a long way toward protecting your information infrastructure. With the addition of annual training, employees will be informed enough to help keep the data reliable instead of hindering it. Every individual that has access to your network or data needs to follow these rules. It only takes one incident to compromise the system.

Only install proven and scanned software on the system. The most damaging viruses come from installing or even inserting a contaminated disk. Boot sector viruses can be some of the hardest malware to defeat. Simply inserting a floppy disk with a boot sector virus can immediately transfer the virus to the hard drive.

When surfing the Internet, do not download untrusted files. Many websites will install spyware, adware, parasites, or Trojans in the name of "marketing" on unsuspecting victims' computers. Many prey on users that do not read popup windows or that download freeware or shareware software. Some sites even use code to take advantage of vulnerabilities in Internet Explorer to automatically download and run unauthorized software without giving you a choice.

Do not install or use P2P programs like Kazaa, Morpheus, or Limewire. These programs install server software on your system, essentially back-dooring your system. There are also thousands of infected files floating on those networks that will activate when downloaded.

Backups & Disaster Recovery Planning

Keep daily backups offsite. These can be in the form of tape, CD-R, DVD-R, removable hard drives, or even secure file transfers. If data becomes damaged, you would be able to restore from the last known good backup. The most important step while following a backup procedure is to verify that the backup was a success. Too many people just assume that the backup is working, only to find out that the drive or media was bad six months earlier when they were infected by a virus or lost a hard drive. If the data that you are trying to archive is less than five gigabytes, DVD-R drives are a great solution. Both the drives and disks have come down in price and are now a viable option. This is also one of the fastest backup methods to process and verify. For larger backups, tape drives and removable hard drives are the best option. If you choose this method, you will need to rotate the backup across five or seven different media (tapes, CD/DVD, removable drives) to get the most out of the process. It is also suggested to take a "master" backup out of the rotation on a scheduled basis and archive it offsite in a fireproof safe. This protects the data from fire, flood, and theft.

In the Internet age, understanding that you have to maintain these processes will help you become successful at preventing damage, and minimizes the time, costs, and liabilities involved during the disaster recovery phase if you are affected.

Resources

Virus Resources
F-PROT:
McAfee:
Symantec Norton:
Trend Micro:
NIST GOV: software
AVG Anti-Virus - Free
F-Prot - Free for home users

Free online Virus scan
BitDefender -
HouseCall -
McAfee -
Panda ActiveScan -
RAV Antivirus - online Trojan scan
TrojanScan - online Security scan
Symantec Security Check -
Test my Firewall -

Security Resources
Forum of Incident Response and Security Teams:
Microsoft:
SANS Institute:
Webopedia:

Definitions

Adware: *A form of spyware that collects information about the user in order to display advertisements in the Web browser based on the information it collects from the user's browsing patterns. Software that is given to the user with advertisements already embedded in the application.

Malware: *Short for malicious software, software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.

Script Kiddie: *A person, normally someone who is not technologically sophisticated, who randomly seeks out a specific weakness over the Internet in order to gain root access to a system without really understanding what it is s/he is exploiting because the weakness was discovered by someone else. A script kiddie is not looking to target specific information or a specific company but rather uses knowledge of a vulnerability to scan the entire Internet for a victim that possesses that vulnerability.

Spyware: *Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.

Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today. Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability.

Because spyware exists as independent executable programs, they have the ability to monitor keystrokes, scan files on the hard drive, snoop other applications, such as chat programs or word processors, install other spyware programs, read cookies, change the default home page on the Web browser, consistently relaying this information back to the spyware author who will either use it for advertising/marketing purposes or sell the information to another party.

Licensing agreements that accompany software downloads sometimes warn the user that a spyware program will be installed along with the requested software, but the licensing agreements may not always be read completely because the notice of a spyware installation is often couched in obtuse, hard-to-read legal disclaimers.

Trojan: *A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer. The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.

Virus: *A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems. Since 1987, when a virus infected ARPANET, a large network used by the Defense Department and many universities, many antivirus programs have become available. These programs periodically check your computer system for the best-known types of viruses. Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

Worm: *A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.

* Definitions provided by Webopedia

A special thanks goes out to the CISSP community, various Chief Information Security Officers (CISOs), and to those in the Risk Assessment specialty of Information Systems Security for their help in proofreading and suggestions.
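The "You're now infected" message in the Email Clients section has two tells that a mail gateway or an analyst can check for mechanically: an HTML part containing a 0x0 iframe whose src is a cid: reference, and an attachment whose declared MIME type (audio/x-wav) does not match its executable file name (readme.exe). The following Python script is an added example, not code from the original article; it parses a constructed message of the same shape (the Content-ID SAMPLE0001, the boundary string and the base64 payload are all made up, and the payload is a harmless placeholder) with the standard library's email package and reports both findings. The quoted-printable decoding matters: the =3D sequences in the page's sample only become "=" after decoding, so matching on the raw bytes would miss the iframe.

```python
"""Added example (not from the original article): flag the hidden-iframe and
disguised-attachment pattern from the "You're now infected" sample message."""
import base64
import re
from email import message_from_string, policy

# Extensions Windows runs directly; constructed list, extend to taste.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
CID_SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?cid:([^\"'\s>]+)", re.IGNORECASE)

# Constructed sample shaped like the article's message; payload is a placeholder.
SAMPLE_PAYLOAD = base64.b64encode(b"CONSTRUCTED PLACEHOLDER, NOT AN EXECUTABLE").decode()
SAMPLE_EMAIL = f"""Subject: You're now infected
MIME-Version: 1.0
From: someone@example.invalid
To: victim@example.invalid
Content-Type: multipart/related; boundary="====_SAMPLE_BOUNDARY_===="

--====_SAMPLE_BOUNDARY_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:SAMPLE0001 height=3D0 width=3D0></iframe>
</BODY></HTML>

--====_SAMPLE_BOUNDARY_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <SAMPLE0001>

{SAMPLE_PAYLOAD}

--====_SAMPLE_BOUNDARY_====--
"""

CLEAN_EMAIL = """Subject: Quarterly report
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

The report is on the shared drive.
"""


def _is_hidden(tag: str) -> bool:
    """A frame sized 0x0 renders nothing the reader can see."""
    h = re.search(r"\bheight\s*=\s*[\"']?0\b", tag, re.IGNORECASE)
    w = re.search(r"\bwidth\s*=\s*[\"']?0\b", tag, re.IGNORECASE)
    return bool(h and w)


def _extension(filename: str) -> str:
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def analyze_message(raw: str) -> list:
    """Return human-readable findings for one RFC 822 message; empty list means clean."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    iframe_refs = {}   # cid -> whether the iframe referencing it is hidden
    parts_by_cid = {}  # cid -> MIME part carrying that Content-ID
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid:
            parts_by_cid[cid] = part
        if ctype == "text/html":
            # get_content() undoes quoted-printable, so "=3D" is "=" before we match.
            for tag in IFRAME_TAG_RE.findall(part.get_content()):
                m = CID_SRC_RE.search(tag)
                if m:
                    iframe_refs[m.group(1)] = _is_hidden(tag)
        filename = part.get_filename()  # falls back to the Content-Type name= param
        if filename and _extension(filename) in EXECUTABLE_EXTENSIONS \
                and not ctype.startswith("application/"):
            findings.append(
                f"attachment {filename!r} has an executable extension but is declared {ctype}")
    for cid, hidden in iframe_refs.items():
        target = parts_by_cid.get(cid)
        if target is None:
            findings.append(f"iframe references cid:{cid} but no such part exists")
            continue
        name = target.get_filename() or "(unnamed)"
        if hidden or _extension(name) in EXECUTABLE_EXTENSIONS:
            prefix = "hidden 0x0 " if hidden else ""
            findings.append(f"{prefix}iframe loads cid:{cid}, which is attachment {name!r}")
    return findings


if __name__ == "__main__":
    for line in analyze_message(SAMPLE_EMAIL):
        print("FLAG:", line)
    print("clean message findings:", analyze_message(CLEAN_EMAIL))
```

Run on the constructed sample it reports the type/name mismatch and the hidden iframe that ties the HTML part to that attachment; on the plain-text message it reports nothing. In a gateway this logic would sit beside the antivirus scan the Email Servers section recommends, because it catches the delivery trick even when the payload itself is a variant the signatures do not yet know.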
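The Telecommunications Security section gives two policies: a minimum (block 135, 137, 139 and 445) and the better practice of blocking everything not specifically needed. The Python below is an added example, not part of the article, that models both as first-match rule lists and runs constructed inbound connection attempts through them. The addresses are documentation ranges (192.0.2.x for the internal hosts, 203.0.113.7 for the outside source), the set of services that the default-deny policy permits is an assumption made for the example, and the SQL Server ports 1433/tcp and 1434/udp are included because the article names Slammer's targets; the example generalises the page's point by showing that the minimum policy still leaves those ports open while the default-deny policy does not.

```python
"""Added example (not the article's own code): the article's minimum firewall
policy beside its recommended default-deny policy, evaluated first-match over
constructed inbound traffic."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None matches every destination port
    dst: Optional[str] = None     # None matches every destination host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.dst is None or rule.dst == pkt.dst))


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; every policy must end with a catch-all."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    raise ValueError("policy has no catch-all rule")


NETBIOS_SMB_PORTS = (135, 137, 139, 445)

# Policy A: exactly the article's stated minimum, then allow everything else.
MINIMUM_POLICY = [Rule("deny", "any", p) for p in NETBIOS_SMB_PORTS] + [Rule("allow")]

# Policy B: "block all traffic unless specifically needed". The permitted
# services are an assumption for this example.
WEB_SERVER = "192.0.2.10"    # constructed address (TEST-NET-1)
MAIL_SERVER = "192.0.2.20"   # constructed address
DEFAULT_DENY_POLICY = [
    Rule("allow", "tcp", 80, WEB_SERVER),
    Rule("allow", "tcp", 443, WEB_SERVER),
    Rule("allow", "tcp", 25, MAIL_SERVER),
    Rule("deny"),
]

# Constructed inbound attempts from one Internet host (TEST-NET-3).
SAMPLE_TRAFFIC = [
    Packet("203.0.113.7", WEB_SERVER, "tcp", 80),
    Packet("203.0.113.7", MAIL_SERVER, "tcp", 25),
    Packet("203.0.113.7", "192.0.2.31", "tcp", 445),   # SMB on a workstation
    Packet("203.0.113.7", "192.0.2.31", "tcp", 139),   # NetBIOS session
    Packet("203.0.113.7", "192.0.2.40", "udp", 1434),  # SQL Server resolution service
    Packet("203.0.113.7", "192.0.2.40", "tcp", 1433),  # SQL Server
]


def allowed_through(policy: List[Rule], traffic: List[Packet]) -> List[Tuple[str, str, int]]:
    """Return (dst, proto, dport) for every packet the policy lets in."""
    return [(p.dst, p.proto, p.dport) for p in traffic if evaluate(policy, p) == "allow"]


if __name__ == "__main__":
    print("minimum policy admits:     ", allowed_through(MINIMUM_POLICY, SAMPLE_TRAFFIC))
    print("default-deny policy admits:", allowed_through(DEFAULT_DENY_POLICY, SAMPLE_TRAFFIC))
```

The minimum policy stops the four NetBIOS/SMB attempts but admits both SQL Server ports on an internal database host; the default-deny policy admits only the two services that were deliberately published. That difference is the whole argument for "block all unless needed": a port-by-port blocklist has to be updated for every new worm, while an allowlist does not.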
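The Backups & Disaster Recovery Planning section makes verification the most important step, because a bad drive or medium is otherwise discovered only when a restore is needed. The Python below is an added example and not from the article: it writes a SHA-256 manifest of the source files at backup time, and the verify step reads every file back from the backup medium and compares it, so silent corruption or a missing file shows up on the day the backup ran. The directory layout, file names and contents in demo() are constructed for the example; the corruption is simulated by flipping one byte in the stored copy.

```python
"""Added example (not the article's own code): backup with a SHA-256 manifest
and a read-back verification step that reports corrupt or missing copies."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_of(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy every file under source into dest and record relative path -> digest."""
    manifest: Dict[str, str] = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)
        manifest[rel] = sha256_of(file)  # digest of the ORIGINAL, never of the copy
    dest.mkdir(parents=True, exist_ok=True)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(dest: Path) -> List[str]:
    """Read each manifest entry back from the backup medium; return the problems found."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    problems: List[str] = []
    for rel, expected in manifest.items():
        copy = dest / rel
        if not copy.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(copy) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Back up a constructed tree, verify, damage the medium, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        dst = Path(tmp, "backup")
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2004-01.csv").write_bytes(b"date,amount\n2004-01-02,100\n")
        (src / "notes.txt").write_bytes(b"constructed sample file\n")
        make_backup(src, dst)
        first = verify_backup(dst)            # freshly written backup: expect no problems
        # Simulate a failing medium: flip one byte in a stored copy and lose another file.
        damaged = dst / "ledger" / "2004-01.csv"
        raw = bytearray(damaged.read_bytes())
        raw[0] ^= 0xFF
        damaged.write_bytes(bytes(raw))
        (dst / "notes.txt").unlink()
        second = verify_backup(dst)
    return first, second


if __name__ == "__main__":
    ok, broken = demo()
    print("after backup:", ok or "verified clean")
    print("after damage:", broken)
```

The manifest travels with the backup, so the same verify_backup() call works on a tape, DVD-R or removable drive pulled from the rotation months later, including the "master" copy taken out of rotation. Hashing the source rather than the copy is deliberate: hashing the copy would only prove the copy agrees with itself.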