Web page mutant nifty viruses
1 April 2005
The threat of malicious code — virus, worm or Trojan horse — infecting a company’s computer network is as real as ever. System administrators, it would seem, are more aware of the threat than ever. But are they aware enough?
‘In terms of the overall situation, things are improving, although it might not seem so at the moment,’ says Grellan Larkin, head of security consulting at Sysnet. ‘If you look at the overall statistics, the last time we were caught with our pants down was the Love Bug. That prepared people for what came after. So even though they were caught out by Sircam and Code Red, they weren’t caught out so much.’ According to Larkin, the damage done by Code Red and Sircam was on the order of $1bn. That is a lot of money, but only a tenth of the damage done by the Love Bug. The more recent NIMDA outbreak did only about $365m worth of damage.
There is no room for complacency, however. ‘Viruses always pose a dangerous threat, even those that do not successfully spread,’ says Ian Hammeroff, business manager for antivirus solutions at Computer Associates. ‘They cause panic and unproductive cycles to occur by distracting people from their jobs, especially IT managers. Viruses still pose a threat. They are not going away; there is no predicted death notice. It’s just a matter of how we deal with them and make it more difficult for them to be successful. That’s a combination of different avenues and techniques.’
According to Hammeroff, virus writers are changing their tactics. ‘Over the last 12 months, we’ve noticed fewer Visual Basic viruses coming out,’ he says. ‘More and more are written in higher level languages like C++ and other languages that are not interpreted.’ This, says Hammeroff, indicates an evolution or increase in sophistication in the people writing viruses.
However, John Mooney of Renaissance Contingency Services suggests that the real danger of new viruses is not in their complexity but their subtlety. ‘The viruses themselves are not becoming more complicated,’ he says, ‘but the methods by which their creators will try to tempt you into running them are. Virus writers are increasingly attempting to manipulate the weaknesses in human nature in order to get you to double-click on that attachment.’
‘The LoveBug pulled on users’ heartstrings and the Anna Kournikova worm headed straight for the groin. They are both among the many recent viruses to appeal to our basic urges. Not only does the antivirus software need to keep up with new virus trends, but so does user savvy. One of the most effective ways of combating the virus threat is through user education and by people using their common sense.’
Another evolutionary trait that has emerged is the virus with several attack vectors. In the early days of the computer virus the principal infection vector was the floppy disk. With the coming of the Internet this changed, and e-mail has now become the most common vector: Hammeroff points out that 90 per cent of virus infections last year came through e-mail. But some of the more recent viruses are ready to use any means available.
‘If you look at the NIMDA worm, it used several different methods of propagation,’ says Mark Cooper, Security Architect with HP. ‘It could come as an e-mail attachment; it could infect Web servers, so when you browsed an infected page it was downloaded; and it could scan a local area network and look for open Windows shares, and if those shares were Web servers, it would infect every Web page in them. On the e-mail side, it would harvest addresses from the user’s computer and propagate itself every ten days.’
One chilling aspect of the NIMDA worm is that it made browsing the Web a potentially dangerous activity. As Cooper explains, the worm adds a piece of JavaScript to each Web page. ‘When the infected page is viewed by a browser, the browser downloads what it thinks is an e-mail file. An unpatched Outlook or Outlook Express would execute it.’
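As an added example (not from the article, nor from any of the vendors quoted), here is the kind of check an administrator could run over a Web root to find pages carrying the script the worm appends. The article does not name the file the script opens; the pattern below, a `window.open` of a `.eml` file (Nimda’s was `readme.eml`, per public analyses of the worm at the time), is my assumption of a sensible signature, and the sample pages are constructed here for the example.

```python
import re
from html.parser import HTMLParser

# Nimda appended a <script> block to every page it could write that opened
# a .eml file; the browser fetched it as an "e-mail file" and an unpatched
# mail client ran the executable inside it. The file name readme.eml comes
# from public analyses of the worm, not from the article; any .eml target
# opened from script is suspicious enough to flag.
EML_OPEN = re.compile(r'window\.open\s*\(\s*["\']([^"\']+\.eml)["\']', re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect the body text of every <script> element in a page."""

    def __init__(self):
        super().__init__()
        self._buf = None
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def find_eml_loaders(html):
    """Return the .eml targets opened by script in this page ([] if clean)."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return [m.group(1) for script in collector.scripts for m in EML_OPEN.finditer(script)]


def scan_pages(pages):
    """pages: {path: html}. Returns {path: [eml targets]} for infected pages only."""
    report = {}
    for path, html in pages.items():
        hits = find_eml_loaders(html)
        if hits:
            report[path] = hits
    return report


# Constructed sample pages (not captured from a real server).
CLEAN_PAGE = "<html><body><h1>Welcome</h1><p>Nothing to see.</p></body></html>"

# A legitimate popup that opens another HTML page must not be flagged.
POPUP_PAGE = (
    "<html><body><script>window.open('help.html', 'help', 'width=400')</script>"
    "<p>Help</p></body></html>"
)

# The worm's payload was appended after the page's own closing tag.
INFECTED_PAGE = CLEAN_PAGE + (
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>'
)

SAMPLE_PAGES = {
    "index.html": INFECTED_PAGE,
    "about.html": CLEAN_PAGE,
    "help.html": POPUP_PAGE,
}


if __name__ == "__main__":
    for path, targets in scan_pages(SAMPLE_PAGES).items():
        print(f"{path}: script opens {', '.join(targets)}")
```

Finding the injected script only tells you which pages were written to; a page the worm could write is on a host the worm could reach, so the server itself, not just its content, needs cleaning.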
Fortunately, Web-based viruses are the exception. ‘We’ve seen examples of virus writers taking advantage of vulnerabilities in browsers,’ says Hammeroff, citing the example of the JSCool site virus. ‘This sends out an MSN Messenger note inviting the recipient to visit a “cool site.” Active code on the Website then allows it to reach out and spread again. So Web viruses are not a myth, but they are not yet as common as other viruses.’
Enterprises must therefore secure their systems on a number of fronts. ‘Policy, technology and education,’ says Hammeroff, must be the three pillars of any attempt to secure against virus infection.
Seamus Aylward, security consultant with Compaq Global Services, agrees. ‘In general, companies need to go beyond point solutions,’ he says. ‘We would recommend customers have a policy approach. They need to sit back, assess risks, identify weaknesses at desktop, application, or services level; they need to strategise and investigate technologies that are out there to protect each individual component of the network.
‘We would recommend that any approach be at a multiple-tier level. Each aspect of the network needs to be examined individually for independent risks. These can be broken down to a more simplistic view of a three-tier approach: perimeter, back office systems, desktop clients (PDAs etc).’
A perimeter protection approach, says Aylward, should address all entry points. This would typically take the form of a firewall that would control access to and from the network. Perimeter protection should also include some form of content scanning. ‘While the firewall is good at assessing the type of traffic allowed, typically it cannot scan the data passing through to check for malicious code or content.’
One issue that companies face is that whereas it is easy to scan mail traffic, scanning Web traffic can be more difficult. ‘The main problem,’ says Aylward, ‘is the latency, or degradation of performance, associated with running content scanning on Web traffic. With SMTP the performance degradation is seamless to the user, while degradation of browsing performance can be very noticeable.’
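Content scanning at the mail gateway, as an added example that is not from the article or from any of the vendors quoted: a minimal attachment policy check in Python that blocks the file types Windows executes on double-click and catches the double-extension trick used by the Anna Kournikova worm (its attachment was named `AnnaKournikova.jpg.vbs`, a detail the article does not state). The extension list is my own assumption of a reasonable policy, and the sample message is constructed for the example rather than captured.

```python
import email
from email import policy
from email.message import EmailMessage

# File types Windows runs on double-click. Illustrative list (my assumption
# of a sensible gateway policy), not the article's or any vendor's.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsh", ".lnk"}


def attachment_verdict(filename):
    """Return a reason to block this attachment name, or None if it passes."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    # "AnnaKournikova.jpg.vbs": Windows hides known extensions by default, so
    # the user sees "AnnaKournikova.jpg" and double-clicks a script.
    if len(parts) >= 3:
        return f"double extension hides executable: {filename}"
    return f"executable attachment: {filename}"


def scan_message(raw):
    """Parse one RFC 822 message (bytes) and list the attachments to block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers have no file name
        verdict = attachment_verdict(name)
        if verdict:
            findings.append(verdict)
    return findings


def build_sample(filename):
    """Construct a test message with one attachment (constructed, not captured)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Check this out"
    msg.set_content("Hi, have a look at the attached file.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("minutes.doc", "setup.exe", "AnnaKournikova.jpg.vbs"):
        findings = scan_message(build_sample(name))
        print(f"{name}: {'QUARANTINE ' + '; '.join(findings) if findings else 'deliver'}")
```

A name-based check is the cheapest layer and the one SMTP latency tolerates; it complements, rather than replaces, signature scanning of the attachment body, since a renamed executable inside an archive or a document macro passes it untouched.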
For back-office server protection, Aylward advises that there are two strategies to consider. ‘The first is protecting application servers and the second is protecting database servers. Most fileservers will require standard antivirus software to be loaded to protect the system. However, mail servers such as MS Exchange or Lotus Domino will not allow traditional antivirus software to actually scan within the database. It is important to protect files and databases. If there is a perimeter breach due to a new virus penetrating the network and it infects the mail server, it is important to have a mechanism to remove the virus once the breach has been detected.’
The third level, according to Aylward, is the end user. ‘Most major antivirus vendors make products geared to the end-user workstation,’ he says. ‘The key aspects to look for here are administration and control of antivirus software deployment, and updates and monitoring.’
One weakness of antivirus software is that it is reactive: it can only protect against known viruses. According to Mark Cooper, however, this is not as big a problem as it sounds. ‘The antivirus companies work very closely together,’ he says. ‘Turnaround times for new signatures are remarkably short, and new signatures can be out within hours.’ A case in point is the FBound-C worm that appeared in mid-March. The worm appeared to originate in Japan, and the first reports were made at 0200 GMT. By the start of the working day in Europe and the US, many of the major vendors had already distributed updates to their products.
Technology, however, is only one part of the protection equation. Educating end users is vital. Although the newest generation of viruses such as NIMDA exploit known security holes and bugs, in many instances it is the end user who is the weakest link. Who among us (at least among the male user community) can honestly say that they were not tempted by the arrival in their inbox of mail from a mysterious female purporting to say ‘I love you’, or a missive promising pictures of a delightful Russian tennis player?
As for the future of viruses, Mooney predicts that other devices such as mobile phones and PDAs will become targets for virus writers, particularly as the two technologies converge. At the moment there are no viruses capable of infecting mobile phones; although there are viruses that can send SMS messages, they cannot damage the phone per se. Similarly, WAP viruses are not possible, as the phones in their present form have no capacity to store the applications they use and thus cannot spread viruses to other phone users.
As yet there have been no reports of viruses for the PocketPC or EPOC operating systems. There is one virus for PalmOS in existence, Palm/Phage; however, it does not exist in the wild and does not pose a threat. A Trojan for the Palm OS, Palm/Liberty-A, does exist but is quite rare. Nevertheless, antivirus vendors continue to keep this area under careful observation.