Virus damage estimated at $55 billion in 2003. "SINGAPORE - Trend Micro Inc, the world's third-largest anti-virus software maker, said Friday that computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that would rise this year. Companies lost roughly $20 billion to $30 billion in 2002 from the virus attacks, up from about $13 billion in 2001, according to various industry estimates."

This was the story across thousands of news agency desks in January 2004. Out of $55 billion, how much did it cost your company? How much did it cost someone you know?

I. The Why

There is an average of 10-20 viruses released every day. Very few of these viruses actually reach the "Wild" stage. Viruses are designed to take advantage of security flaws in software or operating systems. These flaws range from something as blatant as Microsoft Windows NetBIOS shares to exploits using buffer overflows. Buffer overflows happen when an attacker sends a program a response longer than what is expected. If the victim software is not designed well, the attacker can overwrite the memory allocated to the software and execute malicious code.

People make viruses for various reasons. These reasons range from political to financial to notoriety to hacking tools to plain malicious intent.

Political: Mydoom is a good example of a virus that was spread with a political agenda. The two targets of this virus were Microsoft and The SCO Group. The SCO Group, which claims that it owns a large portion of the Linux source code, threatened to sue everyone using Linux operating systems (with "stolen" programming source). The virus was very effective at knocking down SCO's website. However, Microsoft had enough time to prepare for the second attack and efficiently sidestepped disaster.

Financial: Some virus writers are hired by other parties to either leech financial data from a competitor or make the competitor look bad in the public eye. Industrial espionage is a high risk/high payout field that can land a person in prison for life.

Notoriety: There are some that write viruses for the sole purpose of getting their name out. This is great when the virus writers are script kiddies because this helps the authorities track them down. There are several famous viruses that have the author's email in the source code or open script.

Hacking: Hackers sometimes write controlled viruses to assist in the access of a remote computer. They will add a payload to the virus, such as a Trojan horse, to allow easy access into the victim's system.

Malicious: These are the people that are the most dangerous. These are the blackhat hackers that code viruses for the sole intention of destroying networks and systems without prejudice. They get high on seeing the utter destruction of their creation, and are very rarely script kiddies.

Many of the viruses that are written and released are viruses altered by script kiddies. These viruses are known as generations of the original virus and are very rarely altered enough to be distinguishable from the original. This stems from the fact that script kiddies do not understand what the original code does and only alter what they recognize (file extension or victim's website). This lack of knowledge makes script kiddies very dangerous.

II. The How

Malicious code has been plaguing computer systems since before computers became a common household appliance. Viruses and worms are examples of malicious code designed to spread and cause a system to perform a function that it was not originally designed to do.

Viruses are programs that need to be activated or run before they are dangerous or spread. The computer system only becomes infected once the program is run and the payload has been deployed. This is why Hackers and Crackers try to crash or restart a computer system once they copy a virus onto it.

There are four ways a virus can spread:

1.) Email
2.) Network
3.) Downloading or installing software
4.) Inserting infected media

Spreading through Email

Many viruses spread when a user receives an infected email. When the user opens this email or previews it, the virus is now active and starts to immediately spread.

Spreading through Network

Many viruses are network aware. This means that they look for unsecured systems on the network and copy themselves to that system. This behavior destroys network performance and causes viruses to spread across your systems like wildfire. Hackers and Crackers also use Internet and network connections to infect systems. They not only scan for unprotected systems, but they also target systems that have known software vulnerabilities. This is why keeping systems up to date is so important.

Spreading through manual installation

Installing software from downloads or disks increases the risk of infection. Only install trusted and scanned software that is known to be safe. Stay away from freeware and shareware products. These programs are known to contain Spyware, Adware, and viruses. It is also good policy to deny all Internet software that attempts to install itself unless explicitly needed.

Spreading through boot sectors

Some viruses corrupt the boot sector of disks. This means that if another system scans the infected disk, the infection spreads. Boot sector viruses are automatically run immediately after the disk is inserted or the hard drive is connected.

III. Minimizing the effect of viruses and worms

We have all heard stories about the virus that destroyed mission critical company data, which cost companies months to recover and thousands of dollars and man-hours restoring the information. In the end, there are still many hours, costs, and would-be profits that remain unaccounted for. Some companies never recover fully from a devastating attack. Taking simple precautions can save your business.

Anti-virus Software

Another step is to run an antivirus program on the local computer. Many antivirus programs offer live update software and automatically download the newest virus definitions minutes after they are released (it is very important that you verify these updates weekly if not daily). Be careful of which antivirus program you choose. Installing a PC antivirus on a network can be more destructive to performance than a virus at work. Norton makes an effective corporate edition specifically designed for Windows NT Server and network environments. When using antivirus software on a network, configure it to ignore network drives and partitions. Only scan the local system and turn off the auto-protection feature. The auto-protect constantly scans your network traffic and causes detrimental network issues. Corporate editions usually have this disabled by default. PC editions do not.

Email Clients

Do not open emails from unknown sources. If you have a website for e-commerce transactions or to act as a virtual business card, make sure that the emails come up with a preset subject. If the emails are being sent through server side code instead of the user's email client, specify whom it is coming from so you know what emails to trust. Use common sense when looking at your email. If you see a strange email with an attachment, do not open it until you verify whom it came from. This is how most MM worms spread.

Disable preview panes in email clients. Email clients such as Outlook and Outlook Express have a feature that will allow you to preview the message when the email is highlighted. This is a major security flaw and will instantly unleash a virus if the email is infected.

It is also a good idea to turn off the feature that enables the client to view HTML formatted emails. Most of these viruses and worms pass by using the HTML tag "<iframe src>" and run the attached file referenced from the email header.

We will take a quick look at an email with the subject header of "You're now infected" that will open a file called readme.exe.

"Subject: You're now infected
MIME-Version: 1.0
Content-Type: multipart/related;type="multipart/alternative";boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
To: undisclosed-recipients:;
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;boundary="====_ABC0987654321DEF_====" *** (This calls the iframe)
--====_ABC0987654321DEF_====
Content-Type: text/html;charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0> *** (This calls readme.exe)
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;name="readme.exe" *** (This is the virus/worm)
Content-Transfer-Encoding: base64
Content-ID: *** (Notice the <iframe src=?>)
*** Broken to protect the innocent. (Worm is encoded in Base64)
--====_ABC1234567890DEF_====--"

Email Servers

The first step to minimizing the effect of viruses is to use an email server that filters incoming emails using antivirus software. If the server is kept up to date, it will catch the majority of Mass Mailer (MM) worms. Ask your Internet Service Provider (ISP) if they offer antivirus protection and spam filtering on their email servers. This service is invaluable and should always be included as the first line of defense. Many companies house an internal email server that downloads all of the email from several external email accounts and then runs an internal virus filter. Combining an internal email server with the ISP protection is perfect for a company with an IT staff. This option adds an extra layer of control, but also adds more administration time.

Sample specs for an internal email server are:

Setup #1
* Linux: OS
* Sendmail: mail server
* Fetchmail: Grabs email from external email addresses
* F-prot: Antivirus
* SpamAssassin: Spam Filter

Setup #2
* Win 2003 Server: OS
* Exchange: Email server
* Symantec antivirus: Antivirus
* Exchange Intelligent Message Filter: Spam Filter

Software Updates

Keep your software up to date. Some worms and viruses replicate through vulnerabilities in services and software on the target system. Code Red is a classic example. In August 2001, the worm used a known buffer overflow vulnerability in Microsoft's IIS 4.0 and 5.0 contained in the Idq.dll file. This would allow an attacker to run any program they wanted to on the affected system. Another famous worm called Slammer targeted Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000.

When updating your software, make sure to disable features and services that are not needed. Some versions of WinNT had a web server called IIS installed by default. If you do not need the service, make sure it is turned off (Code Red is a perfect example). By only enabling services you need, you decrease the risk of attack.

Telecommunications Security

Install a firewall on the network. A firewall is a device or software that blocks unwanted traffic from going to or from the internal network. This gives you control of the traffic coming in and going out of your network. At minimum, block ports 135, 137, 139, and 445. This stops most network aware viruses and worms from spreading from the Internet. However, it is good practice to block all traffic unless specifically needed.

Security Policies

Implementing security policies that cover items such as acceptable use, email retention, and remote access can go a long way toward protecting your information infrastructure. With the addition of annual training, employees will be informed enough to help keep the data reliable instead of hindering it. Every individual that has access to your network or data needs to follow these rules. It only takes one incident to compromise the system. Only install proven and scanned software on the system. The most damaging viruses come from installing or even inserting a contaminated disk. Boot sector viruses can be some of the hardest malware to defeat. Simply inserting a floppy disk with a boot sector virus can immediately transfer the virus to the hard drive.

When surfing the Internet, do not download untrusted files. Many websites will install Spyware, Adware, Parasites, or Trojans in the name of "Marketing" on unsuspecting victims' computers. Many prey on users that do not read popup windows or download freeware or shareware software. Some sites even use code to take advantage of vulnerabilities in Internet Explorer to automatically download and run unauthorized software without giving you a choice.

Do not install or use P2P programs like Kazaa, Morpheus, or Limewire. These programs install server software on your system, essentially backdooring your system. There are also thousands of infected files floating on those networks that will activate when downloaded.

Backups & Disaster Recovery Planning

Keep daily backups offsite. These can be in the form of tape, CD-R, DVD-R, removable hard drives, or even secure file transfers. If data becomes damaged, you would be able to restore from the last known good backup. The most important step while following a backup procedure is to verify that the backup was a success. Too many people just assume that the backup is working, only to find out that the drive or media was bad six months earlier when they were infected by a virus or lost a hard drive. If the data that you are trying to archive is less than five gigabytes, DVD-R drives are a great solution. Both the drives and disks have come down in price and are now a viable option. This is also one of the fastest backup methods to process and verify. For larger backups, tape drives and removable hard drives are the best option. If you choose this method, you will need to rotate the backup with five or seven different media (tapes, CD/DVD, removable drives) to get the most out of the process. It is also suggested to take a "master" backup out of the rotation on a scheduled basis and archive it offsite in a fireproof safe. This protects the data from fire, flood, and theft.

In the Internet age, understanding that you have to maintain these processes will help you become successful at preventing damage and minimizes the time, costs, and liabilities involved during the disaster recovery phase if you are affected.

Resources

Virus Resources
F-PROT
McAfee
Symantec Norton
Trend Micro
NIST GOV: software
AVG Anti-Virus - Free
F-Prot - Free for home users

Free online Virus scan
BitDefender
HouseCall
McAfee
Panda ActiveScan
RAV Antivirus - online Trojan scan
TrojanScan - online Security scan
Symantec Security Check
Test my Firewall

Security Resources
Forum of Incident Response and Security Teams
Microsoft
SANS Institute
Webopedia

Definitions

Adware: *A form of spyware that collects information about the user in order to display advertisements in the Web browser based on the information it collects from the user's browsing patterns. Software that is given to the user with advertisements already embedded in the application.

Malware: *Short for malicious software, software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.

Script Kiddie: *A person, normally someone who is not technologically sophisticated, who randomly seeks out a specific weakness over the Internet in order to gain root access to a system without really understanding what it is s/he is exploiting because the weakness was discovered by someone else. A script kiddie is not looking to target specific information or a specific company but rather uses knowledge of a vulnerability to scan the entire Internet for a victim that possesses that vulnerability.

Spyware: *Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today. Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability. Because spyware exists as independent executable programs, they have the ability to monitor keystrokes, scan files on the hard drive, snoop other applications, such as chat programs or word processors, install other spyware programs, read cookies, change the default home page on the Web browser, consistently relaying this information back to the spyware author who will either use it for advertising/marketing purposes or sell the information to another party. Licensing agreements that accompany software downloads sometimes warn the user that a spyware program will be installed along with the requested software, but the licensing agreements may not always be read completely because the notice of a spyware installation is often couched in obtuse, hard-to-read legal disclaimers.

Trojan: *A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer. The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.

Virus: *A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man made. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems. Since 1987, when a virus infected ARPANET, a large network used by the Defense Department and many universities, many antivirus programs have become available. These programs periodically check your computer system for the best-known types of viruses. Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

Worm: *A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.

* Definitions provided by Webopedia

A special thanks goes out to the CISSP community, various Chief Information Security Officers (CISOs), and to those in the Risk assessment specialty of Information Systems Security for their help in proofreading and suggestions.
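Returning to the sample "You're now infected" message in the Email Clients section: the following is an added example, not code from the original article, showing how a mail filter could flag that message's pattern (a 0x0 <iframe src="cid:..."> in the HTML part that points at an attachment whose declared type, audio/x-wav, disagrees with its readme.exe filename). The sample message is constructed to mirror the article's layout; the Content-ID value, the placeholder base64 body and the detection heuristics are assumptions.

```python
# Added example (not the article's own code): flag the "hidden <iframe src=cid:>
# loading an executable disguised as audio/x-wav" pattern from the sample
# "You're now infected" message. Detection heuristics are assumed here.
import base64
import email
import re
from email import policy

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SRC_CID_RE = re.compile(r"\bsrc\s*=\s*[\"']?cid:([^\s\"'>]+)", re.IGNORECASE)
ZERO_DIM_RE = re.compile(r"\b(?:height|width)\s*=\s*[\"']?0\b", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js")

# Constructed sample with the same layout as the article's message. The
# Content-ID value is invented and the base64 body is a harmless placeholder.
_DUMMY_B64 = base64.b64encode(b"placeholder bytes, not an executable").decode()
SAMPLE_EML = (
    "Subject: You're now infected\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; type="multipart/alternative";\r\n'
    ' boundary="====_ABC1234567890DEF_===="\r\n'
    "To: undisclosed-recipients:;\r\n"
    "\r\n"
    "--====_ABC1234567890DEF_====\r\n"
    'Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="\r\n'
    "\r\n"
    "--====_ABC0987654321DEF_====\r\n"
    'Content-Type: text/html; charset="iso-8859-1"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>\r\n"
    "<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0></iframe>\r\n"
    "</BODY></HTML>\r\n"
    "--====_ABC0987654321DEF_====--\r\n"
    "--====_ABC1234567890DEF_====\r\n"
    'Content-Type: audio/x-wav; name="readme.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "Content-ID: <EA4DMGBP9p>\r\n"
    "\r\n" + _DUMMY_B64 + "\r\n"
    "--====_ABC1234567890DEF_====--\r\n"
)


def attachments_by_cid(msg):
    """Map each leaf part's Content-ID (brackets stripped) to (type, filename)."""
    out = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid and not part.is_multipart():
            name = part.get_filename() or ""
            out[cid.strip().strip("<>")] = (part.get_content_type(), name)
    return out


def findings(raw):
    """One dict per <iframe src="cid:..."> found in the message's HTML parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    atts = attachments_by_cid(msg)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # get_content() undoes quoted-printable, so "src=3Dcid:" reads "src=cid:"
        for tag in IFRAME_RE.finditer(part.get_content()):
            attrs = tag.group(1)
            src = SRC_CID_RE.search(attrs)
            if not src:
                continue
            ctype, fname = atts.get(src.group(1), ("<missing>", ""))
            exe_name = fname.lower().endswith(EXEC_EXT)
            hits.append({"cid": src.group(1), "type": ctype, "filename": fname,
                         "hidden": bool(ZERO_DIM_RE.search(attrs)),  # 0x0 frame
                         "masquerade": exe_name and not ctype.startswith("application/")})
    return hits


def is_suspicious(raw):
    """True when a hidden iframe loads a disguised executable by Content-ID."""
    return any(h["hidden"] and h["masquerade"] for h in findings(raw))
```

Run `findings(SAMPLE_EML)` to see the single hit (cid EA4DMGBP9p, hidden, audio/x-wav carrying readme.exe); a plain-text or iframe-free HTML message yields no hits.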