Worms, viruses, and trojan horses
3RD IN A SERIES OF 5
Are your computers at risk from worms, viruses, and trojans? According to Symantec,
the FBI Computer Crime and Security Survey covering 1999 shows that 85% of nearly
600 large companies surveyed dealt with a virus attack during the year.
Several general types of viruses exist, and several transport systems. The
terminology has become blurred over the years. Fighting rogue code is easier
if we all speak the same language, so let's start by getting the terms straight.
Viruses
A virus infects applications or documents by inserting or attaching a copy
of itself or by entirely rewriting files without the knowledge of the computer
user. When the user opens an infected file, the virus code runs - often without
the user being aware of it. The virus depends on users to spread because it
has no mechanism by which it can move from one computer to another. The virus
must be passed on to other users through infected e-mail attachments, programs
on diskettes, or shared files.
A virus may allow the infected program to run normally, but many have a "payload"
of some sort - acts that include displaying a message on the screen, damaging
or deleting files, and formatting the user's hard drive. Another popular payload
involves spawning network processes that in turn start other processes. As a
result, the overburdened network fails.
Some viruses are easy to locate and eradicate because they make exact copies
of themselves. An antivirus scanner can identify the program's signature and
warn the user.
An encrypted virus makes things a bit more complex. By scrambling the body
of the virus, encryption hides the signature that a scanner would otherwise match.
Instead, the scanner looks for the decryption routine the virus carries, which
stays the same from one copy to the next. These viruses are therefore still
fairly easy to detect.
Polymorphic viruses raise the bar again by encrypting both the virus
and the decryption routine. Every infection looks a bit different from every
other infection. Companies that write antivirus software use generic decryption
routines to find polymorphic viruses.
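The three detection strategies just described, as an added Python illustration that is not part of the original article: an exact-copy virus is caught by matching its body, an encrypted one by matching its constant decryptor stub, and a polymorphic one (stub scrambled too) only by a generic decryption step, modelled here as trying every single-byte XOR key. All byte strings, the toy XOR "cipher", and the function names are constructed for the demo and are not real malware signatures or any vendor's scanner logic.

```python
from typing import Optional

# Constructed toy values for this illustration, not real malware signatures.
BODY_SIGNATURE = b"DEMO-PAYLOAD-MARKER"      # the "virus body" the scanner knows
STUB_SIGNATURE = b"\x90DECRYPT-LOOP\x90"     # decryptor stub, constant in every copy


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy cipher: XOR every byte with a one-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def make_sample(key: int, stub: bytes = STUB_SIGNATURE) -> bytes:
    """Constructed sample file: a decryptor stub followed by the XOR-scrambled body.
    key=0 leaves the body in the clear (the 'exact copy' case)."""
    return stub + xor_bytes(BODY_SIGNATURE, key)


def signature_scan(sample: bytes, signature: bytes) -> bool:
    """Classic scanner: exact byte-pattern match."""
    return signature in sample


def generic_decrypt_scan(sample: bytes, signature: bytes) -> Optional[int]:
    """Stand-in for the generic decryption step: instead of trusting any stub,
    try every single-byte key and look for the body signature in the result.
    Returns the key that exposed the body, or None if nothing matched."""
    for key in range(256):
        if signature in xor_bytes(sample, key):
            return key
    return None


def classify(sample: bytes) -> str:
    """Apply the three detection strategies in order of increasing cost."""
    if signature_scan(sample, BODY_SIGNATURE):
        return "plain: body signature matched"
    if signature_scan(sample, STUB_SIGNATURE):
        return "encrypted: decryptor stub matched"
    key = generic_decrypt_scan(sample, BODY_SIGNATURE)
    if key is not None:
        return f"polymorphic: body recovered with key {key}"
    return "clean"


if __name__ == "__main__":
    print("exact copy  ->", classify(make_sample(0)))
    print("encrypted   ->", classify(make_sample(0x5A)))
    print("polymorphic ->", classify(make_sample(0x5A, stub=xor_bytes(STUB_SIGNATURE, 0x33))))
    print("unrelated   ->", classify(b"just a harmless text file"))
```

The point of the ordering in classify() is cost: a plain signature match is one scan, a stub match is another, but the generic step scales with the size of the key space a real decryptor could use, which is why antivirus vendors emulate the decryptor rather than guess keys in practice.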
Macro viruses have become increasingly popular because they're easy
to create and, because programs such as Microsoft Word are in such widespread
use, macro viruses spread quickly.
Macro viruses are usually written in Visual Basic for Applications (VBA) or
VBScript. They generally infect documents and templates. Unlike other viruses,
these are "platform independent", meaning they can move from PC to
Mac.
Trojan horse programs
Security experts are most concerned about trojan horse programs. These are
malicious programs that are disguised as something the user would want - a screen
saver, game, and sometimes even a program that claims to fight viruses. Instead
of doing what it claims it will do (or in addition to doing what it claims it
will do) the program actually performs other tasks. One of the most popular
"other tasks" is installation of a spy program that sends the user's
data to another computer or installation of software that allows a remote user
to control the victim's computer.
Worms
When you hear the term "worm", it refers to a program that propagates
itself, usually over a network via e-mail. A worm is not a virus, but it could
carry a virus. The "I love you" incident was a worm, not a virus
- but it also had a trojan horse component that attempted to steal passwords.
Worms are dangerous to networks because they replicate quickly and, in the process
of spreading, can bring network traffic to a halt. The "I love you"
worm's virus component destroyed certain files on the victims' computers.
Back Orifice, SubSeven, & Qaz
These applications are examples of trojan horses, each designed to steal information
or computing resources from your system.
In October 2000, Microsoft announced that an unknown hacker successfully compromised
their corporate network using a trojan horse called Qaz. Qaz (pronounced "cause")
appears to have originated in China. Qaz has been reported to e-mail stolen
passwords to Russia.
Microsoft says the security breach lasted for only a few days, but it might
have been weeks. Microsoft says snoopers didn't gain access to any current applications,
but reports say that Windows or Office software might have been compromised.
Why is this a problem for us?
The first response to a break-in at Microsoft might be "So what?"
Allow me to suggest two reasons why you should care about this break-in.
First, if this can happen to Microsoft, it can happen to anyone. Second, whether
the crackers gained access to shipping products or products under development,
the crackers now have a better understanding of how Microsoft's security procedures
work.
Despite Microsoft's robust security procedures, Qaz infected the corporate
LAN and was undetected for an unknown period. For the Qaz infection to have
started required a Microsoft employee (or family member) to open a file with
an infected attachment. It might have been a family member of an employee because
some Microsoft employees work at home or take work home. For this reason, employees'
home computers effectively become part of the corporate LAN.
They wanted code, not products
Whoever broke in was interested in intelligence, not products that could
be sold. In other words, it wasn't a pirate who wanted to make illicit copies
of Office 2000. Pirates just buy one copy of the software and duplicate it.
The crackers were interested in seeing the source code for Microsoft products.
They wanted to examine how the company's operating systems and applications
deal with security issues.
Bottom line: This break-in could turn out to be a huge security threat for
Microsoft product users worldwide.
Protection against trojans
Remote administration is nothing new. Microsoft's SMS, Symantec's pcAnywhere,
and AT&T's VNC all make remote administration possible. A system administrator
can work on a computer without having to go to that computer.
The trojan variants, though, install themselves without the user's knowledge
and have larceny or destruction as their goal.
Although a trojan horse program will try to remain invisible, it will make
its presence known in three ways:
1. The trojan program must provide some way for the cracker to contact it.
In other words, it needs to act as a server and it must open a port for the
cracker to use. This will make the program visible to a firewall program such
as ZoneAlarm.
2. The trojan program must be able to restart whenever the user boots the computer
or logs in. This means that there will be a new icon in the Start Menu's StartUp
directory (rare) or in the Registry, config.sys, autoexec.bat, or win.ini (more
common because it's less likely to be noticed). This is why you should examine
your computer as it's booting. Learn how long it normally takes and, if it suddenly
starts taking longer or you see messages that you've never seen before, check
it out.
3. The trojan installation program must write some new (or at least modified)
files to the victim's system. An antivirus program that monitors new and modified
files will often reveal the trojan's presence. Make sure that your antivirus
definition files are up to date!
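Point 3 above describes a monitor for new and modified files. The following is an added Python example, not code from the article or from any antivirus vendor, of the baseline-and-compare technique such a monitor relies on: hash every file under a directory once, hash again later, and report what appeared, changed, or vanished. The demo() function builds a constructed folder in a temporary directory (the file names win.ini, notepad.exe and dropped.exe are placeholders for the demo) and simulates an unwanted install that drops one file and edits an autostart file.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its digest."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: Dict[str, str],
                   current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which files appeared, changed, or vanished since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "new": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "deleted": sorted(baseline.keys() - current.keys()),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake system folder, then simulate an
    installer that drops one file and edits an autostart file, and return
    what the comparison reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "win.ini").write_text("[windows]\nrun=\n")          # constructed
        (root / "notepad.exe").write_bytes(b"constructed program bytes")
        baseline = build_manifest(root)

        # Simulated unwanted changes (constructed names, not real malware).
        (root / "win.ini").write_text("[windows]\nrun=dropped.exe\n")
        (root / "dropped.exe").write_bytes(b"constructed new file")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9s} {files}")
```

A real deployment would store the baseline manifest somewhere the monitored system cannot quietly rewrite it (read-only media or another host), since a trojan installer that can edit win.ini can just as easily edit a manifest sitting beside it.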
Don't let a trojan move in
Prevention is always better than cure. A trojan makes its way onto the victim's
system by one of several routes. The most common are an e-mail attachment, a
floppy disk, a file download, or through a rogue Web site that runs an ActiveX
downloader when you connect to the site.
If the security context set in Internet Explorer doesn't allow ActiveX downloads
or the user's settings disallow adding values to the Registry, the trojan installation
will fail.
Don't let it phone home
Should a trojan successfully install itself, you need to discover it, keep
it from communicating with the outside world, and remove it. One of the more
common traits of trojan horse applications is the attempt to tell the sender
that it has been successfully installed on the victim's system.
To do this, the program must connect to the Internet. A software firewall program
such as ZoneAlarm can act as a safety net in this situation.
Unlike hardware firewalls, ZoneAlarm watches both inbound and outbound traffic
and it monitors traffic on a program-by-program basis. When you first use a
new or updated program, ZoneAlarm will ask if you want to allow that program
to gain access to the Internet and, if the program is trying to act as a server,
whether you want to allow that.
After being installed, ZoneAlarm will ask about your Web browser and your e-mail
program the first time you use them. In most cases, you'll tell ZoneAlarm to
allow these programs to use the services of the Internet and, if you're on a
LAN, the intranet. You'll tell ZoneAlarm to remember your decision so that you
won't have to answer the same questions tomorrow.
When you update your e-mail program, ZoneAlarm will notice the change and -
before it will allow the new file to gain access to the Internet - it will ask
again for your permission. If you haven't knowingly updated a program that used
to have unlimited access to the Internet, this would be a clear sign of a problem.
An even clearer sign occurs when Qaz or Back Orifice finds its way onto your
system. Suddenly a new application will attempt to gain access to the Internet.
If you don't recognize the program name, disallow all access!
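The per-program behaviour described above (ask on first use, remember the answer, ask again when the program's file changes, ask separately about acting as a server) can be modelled as a small rule table. The following is an added Python example of that model, not ZoneAlarm's code or a description of its internals: the OutboundPolicy class, its method names, and the program paths and byte strings in scenario() are all constructed for the demo. The design point it shows is that a remembered permission is bound to a fingerprint of the executable, not just to its name, so a replaced or updated binary falls back to a prompt.

```python
import hashlib
from typing import Dict, List, Tuple


class OutboundPolicy:
    """Per-program outbound rules keyed by program path AND a fingerprint of
    the executable. Toy model of the behaviour described in the text, not a
    real firewall implementation. A changed binary invalidates the rule."""

    def __init__(self) -> None:
        # path -> (fingerprint, may act as client, may act as server)
        self.rules: Dict[str, Tuple[str, bool, bool]] = {}

    @staticmethod
    def fingerprint(image: bytes) -> str:
        """Hash of the program file; here the constructed bytes stand in for the file."""
        return hashlib.sha256(image).hexdigest()

    def remember(self, path: str, image: bytes,
                 allow_client: bool, allow_server: bool = False) -> None:
        """Store the user's answer together with the current binary's fingerprint."""
        self.rules[path] = (self.fingerprint(image), allow_client, allow_server)

    def decide(self, path: str, image: bytes, wants_server: bool = False) -> str:
        """Return 'allow', 'deny', or an 'ask: ...' reason for prompting the user."""
        rule = self.rules.get(path)
        if rule is None:
            return "ask: unknown program"
        stored_fp, allow_client, allow_server = rule
        if stored_fp != self.fingerprint(image):
            return "ask: program changed since permission was granted"
        permitted = allow_server if wants_server else allow_client
        return "allow" if permitted else "deny"


def scenario() -> List[str]:
    """Constructed walk-through of the prompts the text describes."""
    policy = OutboundPolicy()
    browser_v1 = b"constructed browser build 1"
    browser_v2 = b"constructed browser build 2"    # a legitimate update
    newcomer = b"constructed unrecognised program"
    log: List[str] = []

    log.append(policy.decide("C:\\browser.exe", browser_v1))             # first use
    policy.remember("C:\\browser.exe", browser_v1, allow_client=True)    # user says yes
    log.append(policy.decide("C:\\browser.exe", browser_v1))             # remembered
    log.append(policy.decide("C:\\browser.exe", browser_v1, wants_server=True))  # never granted
    log.append(policy.decide("C:\\browser.exe", browser_v2))             # updated binary
    log.append(policy.decide("C:\\newprog.exe", newcomer))               # unknown program
    policy.remember("C:\\newprog.exe", newcomer, allow_client=False)     # user disallows
    log.append(policy.decide("C:\\newprog.exe", newcomer))
    return log


if __name__ == "__main__":
    for step, outcome in enumerate(scenario(), 1):
        print(step, outcome)
```

Note that the deny rule for the unrecognised program is also bound to its fingerprint: if the same file is later replaced by a different build, the model prompts again rather than silently keeping the old decision, which is the behaviour you want when the change was not one you made.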
ZoneAlarm is available (free for personal use, $20 per year for corporate use)
from http://www.zonelabs.com/.
Evicting the trojan
MooSoft has the answer to trojan horses with its program called The Cleaner,
which detects and removes more than 500 trojan horses and their variants. The
program may be downloaded and used without charge for 30 days. Those who continue
using it after the trial period are expected to pay a $30 registration fee.
For information on The Cleaner, see Moosoft's Web site at http://www.MooSoft.com/.