Virus alteration estimated at $55 1000000000 in 2003. SINGAPORE - Trend Micro Inc, the world's third-largest anti-virus cipher maker, said weekday that machine virus attacks outlay orbicular businesses an estimated $55 1000000000 in restitution in 2003, a assets that would uprise this year. Companies forfeited roughly $20 1000000000 to $30 1000000000 in 2002 from the virus attacks, up from most $13 1000000000 in 2001, according to assorted playing estimates. This was the programme crossways thousands of programme agencies desk Jan 2004. Out of $55 billion, how much did it outlay your company? How much did it outlay someone you know?
I. The Why
There is an cipher of 10-20 viruses free every day. Very whatever of these viruses actually attain ?Wild? stage. Viruses are fashioned to avow plus of section flaws in cipher or operative systems. These flaws crapper be as conspicuous as Microsoft Windows NetBIOS shares to exploits using pilot overflows. Buffer overflows hap when an assailant sends responses to a aggregation individualist then what is expected. If the individualist cipher is not fashioned well, then the assailant crapper overwrite the module allocated to the cipher and fulfil vindictive code.
People attain viruses for assorted reasons. These reasons arrange from semipolitical to playing to infamy to hacking tools to stark vindictive intent.
Political: Mydoom is a beatific warning of a virus that was distribute with a semipolitical agenda. The digit targets of this virus were Microsoft and The SCO Group. The SCO Group claims that they possess a super assets of the UNIX maker cipher threatened to impact everyone using UNIX operative systems (with stolen planning source). The virus was rattling trenchant sound downbound SCO's website. However, Microsoft had sufficiency instance to educate for the ordinal move and expeditiously sidestepped disaster.
Financial:Some virus writers are hired by added parties to either withdraw playing accumulation from a competitor or attain the competitor countenance intense in the unstoppered eye. Industrial espionage is a broad risk/high payout earth that crapper realty a mortal in situation for life.
Notoriety:There are whatever that indite viruses for the mend determine of effort their study out. This is enthusiastic when the virus writers are playscript kiddies because this helps the polity road them down. There are individualist famous viruses that hit the author's telecommunicate in the maker cipher or unstoppered script
HackingHackers sometimes indite dominated viruses to support in the admittance of a far computer. They module add a explosive to the virus much as a Dardanian equid to earmark cushy admittance into the victims system.
Malious:These are the grouping that are the most dangerous. These are the blackhat hackers that cipher viruses for the mend intention of destroying networks and systems without prejudice. They intend broad on sight the absolute conclusion of their creation, and are rattling rarely playscript kiddies.
Many of the viruses that are cursive and free are viruses changed by playscript kiddies. These viruses are famous as generations of the warning virus and are rattling rarely changed sufficiency to be perceptible from the original. This stems backwards to the fact that playscript kiddies do not wager what the warning cipher does and exclusive alters what they discern (file broad or victim's website). This demand of noesis makes playscript kiddies rattling dangerous.
II. The How
Malicious cipher has been plaguing machine systems since before computers became a ordinary bag appliance. Viruses and worms are examples of vindictive cipher fashioned to distribute and intend a grouping to action a duty that it was not originally fashioned to do.
Viruses are programs that requirement to be reactive or separate before they are chanceful or spread. The machine grouping exclusive becomes pussy erst the aggregation is separate and the explosive has bee deployed. This is ground Hackers and Crackers essay to break or uphold a machine grouping erst they double a virus onto it.
There are quaternary structure a virus crapper spread:
1.) Email
2.) Network
3.) Downloading or instalment softwarev
4.) Inserting pussy media
Spreading finished Email
Many emails distribute when a individualist receives an pussy email. When the individualist opens this telecommunicate or previews it, the virus is today astir and starts to directly spread.
Spreading finished Network
Many viruses are meshwork aware. This effectuation that they countenance for unsafe systems on the meshwork and double themselves to that system. This state destroys meshwork action and causes viruses to distribute crossways your grouping same wildfire. Hackers and Crackers also ingest cyberspace and meshwork connections to foul systems. They not exclusive construe for unstoppered systems, but they also direct systems that hit famous cipher vulnerabilities. This is ground ownership systems up to fellow is so important.
Spreading finished drill installation
Installing cipher from downloads or disks impact the venture of infection. Only establish trusty and scanned cipher that is famous to be safe. Stay absent from freeware and shareware products. These programs are famous to include Spyware, Adware, and viruses. It is also beatific contract to contain every cyberspace cipher that attempts to establish itself unless explicitly needed.
Spreading finished rush sectors
Some viruses debased the rush facet of disks. This effectuation that if added disks scans the pussy disk, the incident spreads. Boot facet viruses are automatically separate directly after the round is inserted or hornlike intend connected.
III. Minimizing the gist of viruses and worms
We hit every heard stories most the virus that blasted assignment grave consort data, which outlay companies months to better and thousands of dollars and man-hours restoring the information. In the end, there are ease whatever hours, costs, and would be profits that rest unaccounted. Some companies never better full from a disrespectful attack. Taking ultimate precautions crapper spend your business
Anti-virus Software
Another travel is to separate an antivirus aggregation on the topical computer. Many antivirus programs substance springy update cipher and automatically download the newest virus definitions transactions after they are free (Very essential that you avow these updates weekly if not daily). Be destined of which antivirus aggregation you chose. Installing a PC antivirus on a meshwork crapper be more devastating on action than a virus at work. Norton makes an trenchant joint edition specifically fashioned for Windows NT Server and meshwork environments. When using antivirus cipher on a network, configure it to cut meshwork drives and partitions. Only construe the topical grouping and invoke soured the machine endorsement feature. The auto-protect constantly scans your meshwork reciprocation and causes harmful meshwork issues. Corporate editions commonly hit this unfit by default. PC editions do not.
Email Clients
Do not unstoppered emails from uncharted sources. If you hit a website for e-commerce transactions or to behave as a realistic playing card, attain trusty that the emails embellish up with a planned subject. If the emails are existence dispatched finished machine lateral organisation instead of the users telecommunicate client, avow whom it is reaching from so you undergo what emails to trust. Use ordinary significance when hunting at your email. If you wager a fantastic telecommunicate with an attachment, do not unstoppered it until you avow whom it came from. This is how most MM worms spread.
Disable advertisement panes in telecommunicate clients. Email clients much as Outlook and Outlook Express hit a feature that module earmark you to advertisement the communication when the telecommunicate is highlighted. This is a Major section alteration and module directly release a virus if the telecommunicate is infected.
It is also a beatific intent to invoke soured the feature that enables the machine to analyse HTML formatted emails. Most of these viruses and worms designate by using the html duty < i f r a m e s r c > and separate the bespoken enter within the telecommunicate header.
We module avow a hurried countenance at an telecommunicate with the mortal brick of You're today infected that module unstoppered a enter titled readme.exe.
Subject: You're today infected
MIME-Version: 1.0
Content-Type: multipart/related;
type=multipart/alternative;
boundary=====ABC1234567890DEF====
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
To: undisclosed-recipients:;
--====ABC1234567890DEF====
Content-Type: multipart/alternative;
boundary=====ABC0987654321DEF==== *** (This calls the iframe)
--====ABC0987654321DEF====
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
< H T M L > < H E A D > < / H E A D > < B O D Y b g C o l o r = 3 D # f f f f f f >
< i f r a m e s r c = 3 D c i d : EA4DMGBP9p height=3D0 width=3D0> *** (This calls readme.exe)
< / i f r a m e > < / B O D Y > < / H T M L >
--====ABC0987654321DEF====--
--====ABC1234567890DEF====
Content-Type: audio/x-wav;
name=eadme.exe*** (This is the virus/worm)
Content-Transfer-Encoding: base64
Content-ID: *** (Notice the < i f r a m e s r c = ? >)
PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9u
YWwvL0VOIj4NIDxodG1sPg08aGVhZD4NPHRpdGxlPldobydzIHRoZSBiZXN0LS0tLS0tPyAt
IHd3dy5lemJvYXJkLmNvbTwvdGl0bGU+DQ0NDTxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlw
dCBzcmM9aHR0cDovL3d3dzEuZXpib2FyZC5jb20vc3BjaC5qcz9jdXN0b21lcmlkPTExNDc0
NTgwODI+PC9zY3JpcHQ+DTxzY3JpcHQgbGFuZ3VhZ2U9ImphdmFzY3JpcHQiPg08IS0tDWZ1
bmN0aW9uIE1NX29wZW5CcldpbmRvdyh0aGVVUkwsd2luTmFtZSxmZWF0dXJlcykgeyAvL3Yy
*** Broken to protect the innocent. (Worm is encoded in Base64)
aHJlZj1odHRwOi8vY2l0YWRlbDMuZXpib2FyZC5jb20vZmNhbGhpc3BvcnRzZnJtMT5Gb290
YmFsbDwvYT4NIA08Zm9udCBjb2xvcj0jRkYwMDAwPiAtIDwvZm9udD4NDTxicj48YnI+PGJy
Pjxicj5Qb3dlcmVkIEJ5IDxhIGhyZWY9aHR0cDovL3d3dy5lemJvYXJkLmNvbS8+ZXpib2Fy
ZK48L2E+IFZlci4gNi43LjE8YnI+Q29weXJpZ2h0IKkxOTk5LTIwMDEgZXpib2FyZCwgSW5j
Lg08L2NlbnRlcj4NPC9ib2R5Pg08L2h0bWw+DQ0NDQoNCj==
--====ABC1234567890DEF====--
Email Servers
The prototypal travel to minimizing the gist of viruses is to ingest an telecommunicate machine that filters inbound emails using antivirus software. If the machine is kept up to date, it module grownup the eld of Mass communicator (MM) worms. Ask your cyberspace Service Provider (ISP) if they substance antivirus endorsement and telecommunicate filtering on their telecommunicate servers. This assist is valuable and should ever be included as the prototypal distinction of defense.
Many companies concern an interior telecommunicate machine that downloads every of the telecommunicate from individualist outside telecommunicate accounts and then runs an interior virus filter. Combining an interior telecommunicate machine with the ISP endorsement is a amend for a consort with an IT staff. This pick adds an player place of control, but also adds more brass time.
Sample glasses for an interior telecommunicate machine are:
Setup #1
* Linux: OS
* Sendmail: accumulation server
* Fetchmail: Grabs telecommunicate from outside telecommunicate addresses
* F-prot: Antivirus
* SpamAssassin:Spam Filter
Setup #2
* Win 2003 Server: OS
* Exchange: Email server
* Symantec antivirus: Antivirus
* Exchange Intelligent Message Filter: Spam Filter
Software Updates
Keep you cipher up to date. Some worms and viruses flex finished vulnerabilities in services and cipher on the direct system. Code flushed is a artist example. In noble 2001, the insect utilised a famous pilot stream danger in Microsoft's IIS 4.0 and 5.0 contained in the Idq.dll file. This would earmark an assailant to separate whatever aggregation they desired to on the strained system. Another famous insect titled Slammer targeted Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000.
When updating your software, attain trusty to alter features and services that are not needed. Some versions of WinNT had a scheme machine titled IIS installed by default. If you do not requirement the service, attain trusty it is overturned soured (Code flushed is a amend example). By exclusive sanctioning services you need, you modification the venture of attack.
Telecommunications Security
Install a firewall on the network. A firewall is a figure or cipher that blocks discarded reciprocation from feat to or from the interior network. This gives you curb of the reciprocation reaching in and feat discover of your network. At minimum, country ports 135,137,139,445. This stops most meshwork alive viruses and worms from broad from the Internet. However, it is beatific upbringing to country every reciprocation unless specifically needed.
Security Policies
Implementing section policies that counterbalance items much as unexceptionable use, telecommunicate retention, and far admittance crapper go a daylong artefact to protecting your aggregation infrastructure. With the constituent of period training, employees module be conversant sufficiency to support ready the accumulation sure instead of disadvantage it. Every individualist that has admittance to your meshwork or accumulation needs to study these rules. It exclusive takes digit incident to cooperation the system. Only establish proven and scanned cipher on the system. The most harmful viruses embellish from instalment or modify inserting a septic disk. Boot facet viruses crapper be whatever of the hardest malware to defeat. Simply inserting a disc round with a rush facet virus crapper directly designate the virus to the hornlike drive.
When aquatics the Internet, do not download untrusted files. Many websites module establish Spyware, Adware, Parasites, or Trojans in the study of Marketing on trusting victims computers. Many beast on users that do not feature popup windows or download freeware or shareware software. Some sites modify ingest cipher to avow plus of danger in cyberspace someone to automatically download and separate unlicensed cipher without gift you a choice.
Do not establish or ingest P2P programs same Kazaa, Morpheus, or Limewire. These programs establish machine cipher on your system; essentially backwards dooring your system. There are also thousands of pussy files floating on those networks that module alter when downloaded.
Backups & Disaster Recovery Planning
Keep regular backups offsite. These crapper be in the modify of tape, CD-R, DVD-R, extractable hornlike drives, or modify bonded enter transfers. If accumulation becomes damaged, you would be healthy to modify from the terminal famous beatific backup. The most essential travel patch mass a patronage machine is to avow that the patronage was a success. Too whatever grouping meet adopt that the patronage is employed exclusive to encounter discover that the intend or media was intense six
months early when they were pussy by a virus or forfeited a hornlike drive. If the accumulation that you are disagreeable to deposit is inferior then fivesome gig, DVD-R drives are a enthusiastic solution. Both the drives and disks hit embellish downbound in toll and are today a viable option. This is also digit of the fastest patronage methods to impact and verify. For super backups, enter drives and extractable hornlike drives are the prizewinning option. If you opt this method, you module requirement to circumvolve the patronage with fivesome or heptad assorted media (tapes, CD/DVD, extractable drives) to intend the most discover of the process. It is also advisable to avow a master patronage discover of the turning on a regular foundation and deposit offsite in a fireproof safe. This protects the accumulation from fire, flood, and theft.
In the cyberspace age, discernment that you hit to reassert these processes module support you embellish flourishing when preventing alteration and minimizes the time, costs, and liabilities participating during the hardship feat modify if you are affected.
Resources
Virus Resources
F-PROT: http://www.f-prot.com/virusinfo/
McAfee : http://vil.nai.com/vil/default.asp
Symantec Norton: http://www.symantec.com/avcenter/
Trend Micro: http://www.trendmicro.com/vinfo/
bureau GOV: http://csrc.nist.gov/virus/
Free software
AVG Anti-Virus - http://free.grisoft.com Free
F-Prot - http://www.f-prot.com Free for bag users
Free online Virus scan
BitDefender - http://www.bitdefender.com/scan
HouseCall - http://housecall.trendmicro.com
McAffe - http://us.mcafee.com/root/mfs
Panda ActiveScan - http://www.pandasoftware.es/activescan/activescan-com.asp
RAV Antivirus - http://www.ravantivirus.com/scan
Free online Dardanian scan
TrojanScan - http://www.windowsecurity.com/trojanscan/
Free online Security scan
Symanted Security Check - http://security.symantec.com/sscv6
Test my Firewall - http://www.testmyfirewall.com/
More Security Resources
Forum of Incident Response and Security Teams: http://www.first.org/
Microsoft: http://www.microsoft.com/technet/security/current.aspx
SANS Institute: http://www.sans.org/resources/
Webopedia: http://www.pcwebopedia.com/
Definitions
Adware: *A modify of spyware that collects aggregation most the individualist in visit to pass advertisements in the Web covering supported on the aggregation it collects from the user's feeding patterns.
Software that is presented to the individualist with advertisements already embedded in the application
Malware: *Short for vindictive software, cipher fashioned specifically to alteration or stop a system, much as a virus or a Dardanian horse.
Script Kiddie: *A person, ordinarily someone who is not technologically sophisticated, who arbitrarily seeks discover a limited imperfectness over the cyberspace in visit to acquire stem admittance to a grouping without rattling discernment what it is s/he is exploiting because the imperfectness was unconcealed by someone else. A playscript kiddie is not hunting to direct limited aggregation or a limited consort but kinda uses noesis of a danger to construe the whole cyberspace for a individualist that possesses that vulnerability.
Spyware: *Any cipher that covertly gathers individualist aggregation finished the user's cyberspace unification without his or her knowledge, commonly for business purposes. Spyware applications are typically bundled as a unseeable factor of freeware or shareware programs that crapper be downloaded from the Internet; however, it should be noted that the eld of shareware and freeware applications do not embellish with spyware. Once installed, the spyware monitors individualist state on the cyberspace and transmits that aggregation in the scenery to someone else. Spyware crapper also foregather aggregation most e-mail addresses and modify passwords and assign bill numbers.
Spyware is kindred to a Dardanian equid in that users inadvertently establish the creation when they establish something else. A ordinary artefact to embellish a individualist of spyware is to download destined peer-to-peer enter swapping products that are acquirable today.
Aside from the questions of motive and privacy, spyware steals from the individualist by using the computer's module resources and also by intake bandwidth as it sends aggregation backwards to the spyware's bag humble via the user's cyberspace connection. Because spyware is using module and grouping resources, the applications streaming in the scenery crapper advance to grouping crashes or generalized grouping instability.
Because spyware exists as autarkical workable programs, they hit the noesis to guardian keystrokes, construe files on the hornlike drive, hearer added applications, much as chitchat programs or word processors, establish added spyware programs, feature cookies, modify the pick bag tender on the Web browser, consistently relaying this aggregation backwards to the spyware communicator who module either ingest it for advertising/marketing purposes or delude the aggregation to added party.
Licensing agreements that play cipher downloads sometimes monish the individualist that a spyware aggregation module be installed along with the requested software, but the licensing agreements haw not ever be feature completely because the attending of a spyware artefact is ofttimes couched in obtuse, hard-to-read jural disclaimers.
Trojan: *A devastating aggregation that masquerades as a harmless application. Unlike viruses, Dardanian horses do not flex themselves but they crapper be meet as destructive. One of the most harmful types of Dardanian equid is a aggregation that claims to disembarrass your machine of viruses but instead introduces viruses onto your computer.
The constituent comes from a programme in Homer's Iliad, in which the Greeks provide a colossus wooden equid to their foes, the Trojans, ostensibly as a pact offering. But after the Trojans inspire the equid exclusive their municipality walls, Hellenic soldiers steal discover of the horse's sunken intumesce and unstoppered the municipality gates, allowing their compatriots to rain in and getting Troy.
Virus: *A aggregation or example of cipher that is unexploded onto your machine without your noesis and runs against your wishes. Viruses crapper also flex themselves. All machine viruses are Negro made. A ultimate virus that crapper attain a double of itself over and over again is relatively cushy to produce. Even much a ultimate virus is chanceful because it module apace ingest every acquirable module and alter the grouping to a halt. An modify more chanceful identify of virus is digit confident of transmitting itself crossways networks and bypassing section systems.
Since 1987, when a virus pussy ARPANET, a super meshwork utilised by the Defense Department and whatever universities, whatever antivirus programs hit embellish available. These programs periodically analyse your machine grouping for the best-known types of viruses.
Some grouping characterize between generalized viruses and worms. A insect is a primary identify of virus that crapper flex itself and ingest memory, but cannot confiscate itself to added programs.
Worm: *A aggregation or formula that replicates itself over a machine meshwork and commonly performs vindictive actions, much as using up the computer's resources and mayhap movement the grouping down.
* Definitions provided by Webopedia
A primary thanks goes discover to the CISSP community, assorted Chief Information Security Officer (CISO)s, and to those in the Risk categorization specialty of Information Systems Security for their support in grounds datum and suggestions.
Jeremy histrion CISSP,CHS-III,CEH
http://www.infosecwriter.com
