Virus damage estimated at $55 billion in 2003. "SINGAPORE - Trend Micro Inc, the world's third-largest anti-virus software maker, said Friday that computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that would rise this year. Companies lost roughly $20 billion to $30 billion in 2002 from the virus attacks, up from about $13 billion in 2001, according to various industry estimates." This was the story on thousands of news desks in January 2004. Out of that $55 billion, how much did it cost your company? How much did it cost someone you know?

I. The Why

On average, 10 to 20 new viruses are released every day. Very few of them ever reach the "in the wild" stage. Viruses are designed to take advantage of security flaws in software or operating systems. These flaws range from something as blatant as an open Microsoft Windows NetBIOS share to exploits of buffer overflows. A buffer overflow happens when an attacker sends a program more input than it expects. If the receiving software does not check the length, the attacker can overwrite the memory beyond the buffer and execute code of their choosing.

People write viruses for various reasons, ranging from political to financial to notoriety to hacking tools to plain malicious intent.

Political: Mydoom is a good example of a virus spread with a political agenda. Its two targets were Microsoft and The SCO Group. SCO claimed to own a large portion of the Linux source code and threatened to sue everyone using Linux (for running "stolen" source, in their words). The virus was very effective at knocking SCO's website offline. Microsoft, however, had enough warning to prepare for the second attack and sidestepped disaster.

Financial: Some virus writers are hired by other parties either to leach financial data from a competitor or to make the competitor look bad in the public eye. Industrial espionage is a high-risk, high-payout field that can land a person in prison for life.

Notoriety: Some write viruses for the sole purpose of getting their name out. This is helpful when the writers are script kiddies, because it lets the authorities track them down. Several famous viruses carry the author's email address in the source code or in plain-text script.

Hacking: Hackers sometimes write controlled viruses to assist in gaining access to a remote computer. They add a payload to the virus, such as a Trojan horse, to allow easy access into the victim's system.

Malicious: These are the most dangerous. They are the black-hat hackers who code viruses for the sole purpose of destroying networks and systems without prejudice. They get a thrill from seeing the utter destruction their creation causes, and they are very rarely script kiddies.

Many of the viruses written and released are existing viruses altered by script kiddies. These are known as generations (variants) of the original virus and are rarely altered enough to be distinguishable from it. This stems from the fact that script kiddies do not understand what the original code does and alter only what they recognize (a file extension or a victim's website). That lack of knowledge makes script kiddies very dangerous.

II. The How

Malicious code has plagued computer systems since before computers became a common household appliance. Viruses and worms are examples of malicious code designed to spread and to make a system perform a function it was not originally designed to do.

Viruses are programs that need to be activated or run before they are dangerous or can spread. The system becomes infected only once the program runs and its payload is deployed. This is why hackers and crackers try to crash or restart a system once they have copied a virus onto it.

There are four ways a virus can spread:

1.) Email
2.) Network
3.) Downloading or installing software
4.) Inserting infected media

Spreading through email

Many viruses spread when a user receives an infected email. When the user opens or even previews the message, the virus becomes active and immediately starts to spread.

Spreading through the network

Many viruses are network aware. They look for unsecured systems on the network and copy themselves to those systems. This behavior destroys network performance and spreads the virus across your systems like wildfire. Hackers and crackers also use Internet and network connections to infect systems. They not only scan for unprotected systems but also target systems with known software vulnerabilities. This is why keeping systems up to date is so important.

Spreading through manual installation

Installing software from downloads or disks increases the risk of infection. Only install trusted, scanned software that is known to be safe. Stay away from freeware and shareware products, which are known to bundle spyware, adware, and viruses. It is also good policy to deny any Internet software that attempts to install itself unless it is explicitly needed.

Spreading through boot sectors

Some viruses infect the boot sector of disks. A boot sector virus runs when the machine boots from the infected disk, for example when an infected floppy is left in the drive at startup. It then stays resident in memory and writes itself to the boot sector of every other disk the system accesses, so the infection spreads from disk to disk.

III. Minimizing the effect of viruses and worms

We have all heard stories about the virus that destroyed mission-critical company data and cost the company months, thousands of dollars, and countless man-hours to restore. Even then, many hours, costs, and would-be profits remain unaccounted for. Some companies never fully recover from a devastating attack. Taking simple precautions can save your business.

Anti-virus Software

Run an antivirus program on every local computer. Many antivirus products offer live update software that automatically downloads the newest virus definitions minutes after they are released (it is very important to verify weekly, if not daily, that these updates are actually arriving). Be careful which antivirus product you choose. Installing a desktop (PC) antivirus on a server can hurt performance more than a virus at work. Norton makes an effective corporate edition designed specifically for Windows NT Server and network environments. When using antivirus software on a networked machine, configure it to exclude network drives and partitions and scan only the local system; otherwise the auto-protect (real-time) scanner rescans every file touched over the network, which generates heavy traffic and causes detrimental network issues. Corporate editions usually have network-drive scanning disabled by default; PC editions do not.

Email Clients

Do not open emails from unknown sources. If you have a website for e-commerce transactions or as a virtual business card, make sure the emails it generates arrive with a preset subject. If the emails are sent server-side rather than from a user's email client, specify the sender address so you know which emails to trust. Use common sense when looking at your email. If you see a strange email with an attachment, do not open it until you have verified whom it came from. This is how most mass-mailer (MM) worms spread.

Disable preview panes in email clients. Clients such as Outlook and Outlook Express have a feature that renders the message as soon as it is highlighted. This is a major security flaw: if the email is infected, the preview alone will unleash the virus.

It is also a good idea to turn off the feature that lets the client render HTML-formatted email. Most of these viruses and worms spread by placing an HTML "<iframe src=...>" tag in the message body that points (via a cid: reference) at an attached file, so the attachment is executed while the message is rendered rather than when the user deliberately opens it. The attachment is declared with a harmless MIME type such as audio/x-wav even though the file name is readme.exe; Internet Explorer's MIME handling of the time (the flaw patched in MS01-020) trusted the declared type and ran the file.

We will take a quick look at an email with the subject "You're now infected" that runs a file called readme.exe. The author's annotations are marked with ***, and =3D in the HTML part is quoted-printable encoding for the = sign.

"Subject: You're now infected
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
To: undisclosed-recipients:;

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_====" *** (This part carries the iframe)

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0> *** (This calls readme.exe)
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe" *** (This is the virus/worm)
Content-Transfer-Encoding: base64
Content-ID: *** (Notice that its value is the identifier the iframe's src=cid: points at)

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9u
YWwvL0VOIj4NIDxodG1sPg08aGVhZD4NPHRpdGxlPldobydzIHRoZSBiZXN0LS0tLS0tPyAt
IHd3dy5lemJvYXJkLmNvbTwvdGl0bGU+DQ0NDTxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlw
dCBzcmM9aHR0cDovL3d3dzEuZXpib2FyZC5jb20vc3BjaC5qcz9jdXN0b21lcmlkPTExNDc0
NTgwODI+PC9zY3JpcHQ+DTxzY3JpcHQgbGFuZ3VhZ2U9ImphdmFzY3JpcHQiPg08IS0tDWZ1
bmN0aW9uIE1NX29wZW5CcldpbmRvdyh0aGVVUkwsd2luTmFtZSxmZWF0dXJlcykgeyAvL3Yy
*** Broken to protect the innocent. (Worm is encoded in Base64)
aHJlZj1odHRwOi8vY2l0YWRlbDMuZXpib2FyZC5jb20vZmNhbGhpc3BvcnRzZnJtMT5Gb290
YmFsbDwvYT4NIA08Zm9udCBjb2xvcj0jRkYwMDAwPiAtIDwvZm9udD4NDTxicj48YnI+PGJy
Pjxicj5Qb3dlcmVkIEJ5IDxhIGhyZWY9aHR0cDovL3d3dy5lemJvYXJkLmNvbS8+ZXpib2Fy
ZK48L2E+IFZlci4gNi43LjE8YnI+Q29weXJpZ2h0IKkxOTk5LTIwMDEgZXpib2FyZCwgSW5j
Lg08L2NlbnRlcj4NPC9ib2R5Pg08L2h0bWw+DQ0NDQoNCj==
--====_ABC1234567890DEF_====--"

Email Servers

The first step in minimizing the effect of viruses is to use an email server that filters incoming mail with antivirus software. If the server is kept up to date, it will catch the majority of mass-mailer (MM) worms. Ask your Internet Service Provider (ISP) whether they offer antivirus protection and spam filtering on their email servers. This service is invaluable and should always be the first line of defense. Many companies run an internal email server that downloads all the mail from several external email accounts and then runs an internal virus filter. Combining an internal email server with the ISP's protection is a good fit for a company with an IT staff. This option adds an extra layer of control, but also adds administration time.

Sample specs for an internal email server:

Setup #1

* Linux: OS
* Sendmail: mail server
* Fetchmail: retrieves email from the external mailboxes
* F-Prot: antivirus
* SpamAssassin: spam filter

Setup #2

* Windows Server 2003: OS
* Exchange: email server
* Symantec AntiVirus: antivirus
* Exchange Intelligent Message Filter: spam filter

Software Updates

Keep your software up to date. Some worms and viruses replicate through vulnerabilities in services and software on the target system. Code Red is a classic example. In the summer of 2001 the worm used a known buffer overflow in the Index Server ISAPI extension (Idq.dll) of Microsoft IIS 4.0 and 5.0, which let an attacker run any program they wanted on the affected system; the patch had been available for about a month before the worm appeared. Another famous worm, Slammer, targeted Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 through a buffer overflow in the SQL Resolution Service on UDP port 1434, for which the patch was six months old.

When updating your software, also disable features and services that are not needed. Some versions of Windows NT installed the IIS web server by default. If you do not need a service, make sure it is turned off (Code Red, which could only hit machines running IIS, is the perfect example). By enabling only the services you need, you reduce the attack surface.

Telecommunications Security

Install a firewall on the network. A firewall is a device or software that blocks unwanted traffic going to or from the internal network, giving you control over what comes in and what goes out. At a minimum, block inbound TCP and UDP ports 135, 137, 139, and 445 (Windows RPC and NetBIOS/SMB). This stops most network-aware viruses and worms from spreading in from the Internet; Blaster, for example, spread over TCP port 135. Better practice is to deny all traffic by default and open only what is specifically needed.

Security Policies

Implementing security policies that cover items such as acceptable use, email retention, and remote access can go a long way toward protecting your information infrastructure. Add annual training and employees will be informed enough to help keep the data reliable instead of hindering it. Every individual with access to your network or data needs to follow these rules; it only takes one incident to compromise the system. Only install proven and scanned software. Some of the most damaging infections come from installing software from, or simply booting from, a contaminated disk. Boot sector viruses can be some of the hardest malware to defeat: leaving an infected floppy in the drive at startup is enough to transfer the virus to the hard drive.

When surfing the Internet, do not download untrusted files. Many websites install spyware, adware, parasites, or Trojans on unsuspecting victims' computers in the name of "marketing". They prey on users who do not read popup windows or who download freeware or shareware. Some sites even use code that exploits a vulnerability in Internet Explorer to download and run unauthorized software automatically, without giving you a choice.

Do not install or use P2P programs like Kazaa, Morpheus, or LimeWire. These programs install server software on your system, essentially backdooring it, and thousands of infected files float around those networks that activate when downloaded.

Backups & Disaster Recovery Planning

Keep daily backups offsite. These can be tape, CD-R, DVD-R, removable hard drives, or even secure file transfers. If data becomes damaged, you can restore from the last known good backup. The most important step in any backup procedure is to verify that the backup succeeded: read it back and confirm it restores. Too many people assume the backup is working, only to find out that the drive or media had been bad for six months when a virus infection or a failed hard drive forces them to restore. If the data you need to archive is under five gigabytes, DVD-R drives are a great solution. Both the drives and the disks have come down in price and are now a viable option, and this is also one of the fastest backup methods to process and verify. For larger backups, tape drives and removable hard drives are the best option. If you choose this route, rotate the backup across five or seven different media (tapes, CD/DVD, removable drives) to get the most out of the process. It is also wise to take a "master" backup out of the rotation on a schedule and archive it offsite in a fireproof safe. This protects the data from fire, flood, and theft.

In the Internet age, understanding that you have to maintain these processes will help you prevent damage and will minimize the time, costs, and liabilities of the disaster recovery phase if you are affected.

Resources

Virus Resources

F-PROT
McAfee
Symantec Norton
Trend Micro
NIST (.gov): software
AVG Anti-Virus - free
F-Prot - free for home users

Free online virus scan

BitDefender
HouseCall
McAfee
Panda ActiveScan
RAV Antivirus - online Trojan scan
TrojanScan - online security scan
Symantec Security Check
Test my Firewall

Security Resources

Forum of Incident Response and Security Teams (FIRST)
Microsoft
SANS Institute
Webopedia

Definitions

Adware: *A form of spyware that collects information about the user in order to display advertisements in the Web browser based on the information it collects from the user's browsing patterns. Software that is given to the user with advertisements already embedded in the application.

Malware: *Short for malicious software, software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.

Script Kiddie: *A person, normally someone who is not technologically sophisticated, who randomly seeks out a specific weakness over the Internet in order to gain root access to a system without really understanding what it is s/he is exploiting because the weakness was discovered by someone else. A script kiddie is not looking to target specific information or a specific company but rather uses knowledge of a vulnerability to scan the entire Internet for a victim that possesses that vulnerability.

Spyware: *Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today. Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability. Because spyware exists as independent executable programs, they have the ability to monitor keystrokes, scan files on the hard drive, snoop other applications, such as chat programs or word processors, install other spyware programs, read cookies, change the default home page on the Web browser, consistently relaying this information back to the spyware author who will either use it for advertising/marketing purposes or sell the information to another party. Licensing agreements that accompany software downloads sometimes warn the user that a spyware program will be installed along with the requested software, but the licensing agreements may not always be read completely because the notice of a spyware installation is often couched in obtuse, hard-to-read legal disclaimers.

Trojan: *A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer. The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.

Virus: *A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man made. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems. Since 1987, when a virus infected ARPANET, a large network used by the Defense Department and many universities, many antivirus programs have become available. These programs periodically check your computer system for the best-known types of viruses. Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

Worm: *A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.

* Definitions provided by Webopedia

A special thanks goes out to the CISSP community, various Chief Information Security Officers (CISOs), and to those in the risk assessment specialty of information systems security for their help in proofreading and suggestions.