December 2001
Computer Systems Security in an Internet Age–Viruses and Hostile Content
By Neil Rosenberg

Viruses have grown over the last few years from an occasional annoyance to probably the most significant threat to network uptime. Viruses have become such a common and significant threat that it is almost impossible to go through a week without seeing some evidence of computer viruses in the news and mass media. The damage that is caused by modern viruses is truly stunning, and the pace continues to accelerate. The I Love You (also known as the Loveletter) virus is the most damaging virus to date, having infected more than 50 million computers worldwide and caused more than $8 billion in damage since its proliferation in May 2000. It took this virus only five hours to reach “number one” status, and, amazingly, it still continues to do damage. In recent months we have seen SirCam, Code Red, Code Blue and NIMDA achieve even more attention, and the damage figures are still mounting.

Many businesses have a false sense of security about viruses. I often find that businesses think they are secure simply because they have antivirus software on most PCs or on a server. Many businesses do not have any virus protection, which they justify by saying their staff rarely uses the Internet. These attitudes and approaches are dangerous in that they expose businesses to unnecessary risk and, by allowing infection, risk spreading the danger to other systems.

Before we discuss what is needed to protect computer systems from viruses (and their close relatives, including vandals, scripts, worms and Trojan horses), it would help if we further defined the threats, even if the term ‘virus’ is often used to categorize them all.

A virus is a program that replicates itself by infecting another program, boot sector, partition sector, or a document that supports macros, by attaching itself to the file or sector. Viruses actively copy themselves, infecting computers in the same way that a biological virus infects the human body. Many viruses are harmless or merely annoying. However, some viruses infect systems in a way that seriously damages the files needed to start and load operating systems, or erases files or entire hard disks.

Vandals are malicious programs that are written into the code of Java applets or Microsoft ActiveX objects (web programs activated when you visit a website). They automatically run when you access a web page that has the program, without your knowing what they are doing. Because they are programs, vandals can cause considerable damage, ranging from opening security holes to damaging your system.

Scripts are programs, much like macros, that are often built into the HTML code of a web page. They are used to automate functions, such as looking up information in a database, but can also be used for negative purposes, such as infecting a system, modifying files or attacking another system.

A Trojan horse is a malicious file hidden inside a different type of file. This allows the malicious code to conceal itself while it replicates.

A worm is a program that makes copies of itself to move between systems. This is often done using e-mail, but can also occur through other means (shared disk drives on a network, diskettes, or even probing over the Internet). A worm may cause damage and compromise the security of the computer. Recent examples of worms are Code Red and NIMDA.

The nature of the threat continues to expand, as malicious code now can take on elements of any of the above. The NIMDA virus (“admin” spelled backwards) actually attacks networks using multiple vulnerabilities, and is hard to clean once it gets in. NIMDA spreads from web server to web server in the same way as the Code Red worm, but also infects systems using scripts attached to e-mail and via browser vulnerabilities. Virus creators are becoming increasingly creative and resourceful.

A complete virus defense consists of active protection for all computers on a network: PCs, servers and gateways. One often-overlooked component is e-mail-specific antivirus software, such as agents for Microsoft Exchange. Since Microsoft Outlook and Exchange constitute the most frequently used e-mail programs, they are the biggest targets for virus authors, and those systems require extra protection. An Exchange-specific agent can find virus code that standard antivirus software would miss, since standard antivirus software can’t look “inside” the post office. Adding protection at the gateway or firewall, so all content is scanned as it comes into or goes out of the network, provides optimal protection.

Traditional antivirus software utilizes “pattern matching” technology to find viruses, by comparing scanned files and computer memory against a table of virus “signature” samples. These signature or pattern files are of critical importance, since old signature files don’t know about new viruses. Since there are currently more than 20,000 known viruses and new ones are coming out at a rate of roughly three per day, keeping these signature files current is the key to protecting your network. Although early attempts at auto-update technology for these signatures were often problematic, these systems work well now, and current versions of the major vendors’ products allow for automatic update of signature files to all PCs across a network.

Recently, many products have introduced “heuristic” scanning techniques, whereby the antivirus software attempts to detect viruses by their behavior. Some products go as far as to set up a “sandbox” for code to execute in, to see what the virus does and to trap it. These techniques are quite effective, and particularly help when new viruses are released that do not yet have a signature. In the days that it may take to create a signature and a cure, viruses can spread and cause considerable damage. This is why user training is important: users need to understand that opening e-mail attachments from unknown senders and visiting unnecessary websites can cause damage that antivirus software may not be able to fix. All of these elements come into play in a corporate security policy, which will be discussed in a future column.

Some of the leading antivirus vendors include Symantec (Norton Antivirus), Network Associates (the McAfee antivirus product line) and Trend Micro, though many other players are also in this field. Aladdin Knowledge Systems, Symantec and Trend Micro also extend their offerings into more thorough malicious code management products. Although common logic says to use one vendor’s product exclusively for ease of management, an alternative is to use one vendor for internal network antivirus and another vendor for the Internet gateway or firewall, to provide two chances to catch a virus or malicious code. This “defense in depth” approach takes more work to configure, but is more thorough.

In next month’s column, we will focus on password security, and then begin to explore issues surrounding authentication.

Neil Rosenberg is president of Quality Technology Solutions, a network integrator in South Orange, N.J., that specializes in Internet security solutions. He holds technical certifications from Novell, Microsoft and others, and is a 17-year industry veteran. He can be reached at nrosenberg@QTSnet.com.

Editor’s Note: This is the fourth in a series of columns that focus on computer systems security issues and solutions. The intent behind the series is to examine considerations from a business perspective, identify options to improve security, and scrutinize best practices, all in a manner that is understandable to the layperson.
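As an added illustration of the “pattern matching” and “heuristic” scanning the column describes (this is example code written for this page, not code from the column or from any antivirus vendor), the following Python script scans a handful of constructed sample files against two releases of a constructed signature table and then applies a simple behaviour-based check. Every signature, behaviour token and sample file here is invented for the example; none of them is a real virus signature or real malicious code.

```python
"""Toy signature scanner plus behaviour heuristic (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Signature:
    name: str       # detection name, as a vendor's pattern file would list it
    pattern: bytes  # byte sequence that identifies one known virus


# Constructed "pattern files": V1 is an older release, V2 adds one signature.
SIGNATURES_V1: Sequence[Signature] = (
    Signature("Example.Macro.A", b"Sub AutoOpen() COPY_SELF_TO_TEMPLATE"),
    Signature("Example.Script.B", b"SEND_TO_ALL_CONTACTS; ATTACH_SELF"),
)
SIGNATURES_V2: Sequence[Signature] = tuple(SIGNATURES_V1) + (
    Signature("Example.Worm.C", b"PROBE_HTTP_HOSTS; UPLOAD_SELF"),
)

# Constructed behaviour tokens standing in for the actions a real heuristic
# engine (or sandbox) would look for: replication, mass-mailing, persistence.
BEHAVIOUR_INDICATORS = {
    b"COPY_SELF": "copies itself",
    b"SEND_TO_ALL_CONTACTS": "mass-mails the address book",
    b"ATTACH_SELF": "attaches itself to e-mail",
    b"AUTORUN_REGISTRY": "registers itself to run at startup",
    b"PROBE_HTTP_HOSTS": "scans for other web servers",
    b"UPLOAD_SELF": "copies itself to another host",
    b"DELETE_FILES": "deletes files",
}
HEURISTIC_THRESHOLD = 2  # two or more such behaviours -> "suspicious"


def signature_scan(data: bytes, signatures: Sequence[Signature]) -> List[str]:
    """Pattern matching: names of every signature whose bytes occur in data."""
    return [sig.name for sig in signatures if sig.pattern in data]


def heuristic_scan(data: bytes) -> List[str]:
    """Behaviour check: descriptions of the suspicious behaviours found."""
    return [desc for token, desc in BEHAVIOUR_INDICATORS.items() if token in data]


def scan_file(name: str, data: bytes, signatures: Sequence[Signature]) -> Dict[str, object]:
    """Combine both techniques into one verdict for a single file."""
    sigs = signature_scan(data, signatures)
    behaviours = heuristic_scan(data)
    if sigs:
        verdict = "infected"          # exact match against a known virus
    elif len(behaviours) >= HEURISTIC_THRESHOLD:
        verdict = "suspicious"        # no signature yet, but it behaves like one
    else:
        verdict = "clean"
    return {"file": name, "signature_hits": sigs,
            "behaviours": behaviours, "verdict": verdict}


def scan_all(files: Dict[str, bytes], signatures: Sequence[Signature]) -> Dict[str, Dict[str, object]]:
    """Scan a mapping of file name -> contents; returns one report per file."""
    return {name: scan_file(name, data, signatures) for name, data in files.items()}


# Constructed sample files (not real malware): a clean document, a sample the
# old table already knows, a newer sample only the updated table knows, and a
# variant that matches no signature byte-for-byte but still misbehaves.
SAMPLE_FILES = {
    "budget.doc": b"Q4 budget figures. Sub AutoOpen() ShowSplash",
    "invoice.doc": b"Sub AutoOpen() COPY_SELF_TO_TEMPLATE DELETE_FILES",
    "update.vbs": b"PROBE_HTTP_HOSTS; UPLOAD_SELF",
    "photo.vbs": b"AUTORUN_REGISTRY SEND_TO_ALL_CONTACTS ATTACH_SELF",
}

if __name__ == "__main__":
    for version, table in (("v1", SIGNATURES_V1), ("v2", SIGNATURES_V2)):
        print(f"--- signature table {version} ---")
        for report in scan_all(SAMPLE_FILES, table).values():
            print(report["file"], report["verdict"],
                  report["signature_hits"], report["behaviours"])
```

Running it shows the two points the column makes: update.vbs is reported as infected only once the signature table is updated to V2 (until then, the heuristic is the only thing that flags it), and photo.vbs, whose bytes differ slightly from the Example.Script.B pattern, is never caught by signature matching at all but is still marked suspicious by the behaviour check.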