IT'S VIRUS SEASON ALWAYS

Aug 1, 2001 12:00 PM, By George Partington



We tend to forget that behind every keystroke, every dazzling graphic and productive program, is code. So, too, behind every virus. It takes code to live among code. Read enough about viruses and they do seem to live — as organic as the pathogens that infect human bodies.

Viruses are smart enough to hide — they replicate, send themselves forth as an army, move around and, above all, insinuate themselves within that gray, humming box on your desk — they infect it, make it sick, hinder its performance, crash its system, erase its files.

Indications of infection, according to Clint Kreitner, president and CEO of the Center for Internet Security, include:

  • the computer runs slower;
  • the disk drive makes unusual noise;
  • once-free disk space is consumed;
  • file sizes change;
  • unexplainable files appear out of nowhere;
  • characters drop from the screen; or
  • keystrokes change randomly while typing.

Biologically, a virus is a bit of genetic material that must infect a host organism to survive and reproduce. Likewise, in the computer world, a virus, a bit of code, causes a host to spread infection to other computers. Kreitner succinctly defines a computer virus as “a piece of parasitic code that is written so that it will execute on behalf of the user without the user's permission or knowledge.”

While an early and still-used way for viruses to spread is through infected floppy disks, email is currently the most popular and famous method, due to its ability to reach out and touch any machine connected to the Internet. Today, nearly 87 percent of all viruses are spread by email, according to Network Associates, a network security company. Ironically, the strength of the Internet — connectivity — is also its Achilles' heel. The phone or cable cord connected through the modem to a PC provides access to countless resources — but it is also a path for viruses. That's why email is such an easy and effective way for a virus to reach a host computer.

Viruses are more of a problem today than at any time in the past, according to Robert Vibert, anti-malware researcher and solution architect at Segura Solutions Inc., and moderator of the Anti-Virus Information Exchange Network (AVIEN).

“There are more of them, and they spread a lot faster due to the Internet,” he said.

So every time a new message lands in the inbox, it has the potential of being hostile. Does that mean workers should cringe when they hear the new email chime? Not if they have taken the proper precautions, experts say.

“Make sure you have anti-virus (AV) software, and make sure it is updated as often as updates are provided,” says Vincent Gullotto, senior director, McAfee AVERT Labs. McAfee is a division of Network Associates concentrating on anti-virus measures. Updates include signature files: a signature is a piece of the virus that anti-virus companies identify as characteristic of it, and it is what the software looks for to detect the virus. The scanning engine should also be updated. McAfee updates its scanning engine every three to six months, says Gullotto.

It is also important to be aware of every gateway into your network, so you can be sure they are protected. Gateways are typically through points where the LAN or WAN touches the Web and through the email infrastructure. All server and desktop computers should also have up-to-date anti-virus protection. Unfortunately, the best security can be compromised without proper use of anti-virus software.

“In our game, there are patches to fill vulnerability holes that people consistently fail to implement,” says Kreitner. For example, he states, last year, a maintenance engineer opened a gateway into a company network and 2,000 credit card numbers were stolen. Viruses can find and attack a hole within minutes, he says. “It's like leaving your door unlocked and inviting burglars in.”

That's why it is important for every person to be up-to-date on viruses and how to keep from catching them.

“Push educational emails with tips to each desktop,” advises Gullotto. “Make sure they know who their AV vendor is and the location of their vendor's Web site.” Another method of employee education is to have an internal Web site as a virus information resource, including a link to the AV vendor's Web site. And workers should also be informed of virus hoaxes — a problem not as detrimental as the real thing, but still a significant nuisance.

Another alternative is a service such as McAfee's EPO (for E Policy Orchestrator), which automatically tells the servers when they should update, and enforces anti-virus policy.

If viruses are not stopped at the email server, a business could be in for a long day, for even informed workers are fooled by savvy hackers. Employees should know not to open attachments from untrustworthy sources, but sometimes they do it anyway.

Often, hackers use basic human nature to fool the unwary, such as the titillation used in the Anna Kournikova virus, which looked like this:

Subject: Here you have, ;o)

Body: “Hi: Check This!”

Attachment: AnnaKournikova.jpg.vbs
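The lure above works because Windows hides the last extension, so “AnnaKournikova.jpg.vbs” reads as a picture. The following is an added example, not code from the article or any vendor, of the kind of check a mail gateway can apply: it flags attachment names whose visible data extension (.jpg, .txt, .mp3 and so on) is followed by an executable one. The extension lists and the sample message are constructed for illustration.

```python
"""Flag e-mail attachments that use the double-extension trick so a
gateway can quarantine them before they reach a user."""
from email.message import EmailMessage

# Extensions Windows will run as code (constructed, non-exhaustive list).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe",
               "scr", "pif", "bat", "cmd", "com"}
# Extensions a user is likely to read as harmless data.
DECOY_EXTS = {"jpg", "jpeg", "gif", "txt", "doc", "mp3", "htm",
              "html", "pdf"}


def classify_attachment(name: str) -> str:
    """Return 'double-extension', 'script' or 'ok' for an attachment name.

    'double-extension' is the deceptive case: a decoy data extension
    immediately followed by an executable one (picture.jpg.vbs).
    """
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "script"


def scan_message(msg: EmailMessage) -> list:
    """Return [(filename, verdict)] for every attachment that is not 'ok'."""
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        verdict = classify_attachment(fname)
        if verdict != "ok":
            findings.append((fname, verdict))
    return findings


def build_sample() -> EmailMessage:
    """Constructed message mimicking the lure quoted above; the attachment
    body is an empty placeholder, not the worm."""
    msg = EmailMessage()
    msg["Subject"] = "Here you have, ;o)"
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg.set_content("Hi: Check This!")
    msg.add_attachment(b"", maintype="application", subtype="octet-stream",
                       filename="AnnaKournikova.jpg.vbs")
    return msg


if __name__ == "__main__":
    print(scan_message(build_sample()))
```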

Viruses can be stopped if the most important rule is followed: update anti-virus software regularly. The National Computer Security Association estimates if just 30 percent of computer owners regularly used up-to-date anti-viral software, the virus problem would virtually disappear.

But they don't — which is why viruses that are years old and well-known still infect computers. More than 57,000 viruses exist today, by some estimates. Many are programmed to be released on certain dates. That's how the damaging CIH virus came to be named the Chernobyl virus — programmed to launch on the anniversary of the Chernobyl nuclear reactor meltdown.

The ILOVEYOU virus: A textbook example

It is only in the last few years that computer viruses have become notorious. The Melissa virus, released in March 1999, was the first virus to mail itself to people in the host computer's email address book, says Gullotto. Hence, it gained worldwide fame.

Following a year later was the ILOVEYOU virus, which caused more damage than any before it. Originating in the Philippines, the virus tricked people into thinking they had a secret admirer. The message, with a subject line reading, “ILOVEYOU,” was to “kindly check the attached LOVELETTER.” The attachment was “LOVE-LETTER-FOR-YOU.TXT.vbs.”

The virus wasn't terribly sophisticated, yet it caused more damage than most. Here's how:

The virus, which replicated through email attachments, Internet Relay Chat (IRC) file transfers, and through shared drives on a computer network, also wrote itself into three different locations — two under the Windows directory and one under the system directory.

Then it modified the computer's registry keys, which normally hold the configuration information telling the computer which programs to launch at start-up, so that the worm would run again every time the machine was restarted. On each restart it dropped copies of itself and wrote .HTM files in several places.

The worm searched all drives connected to the host system and replaced the files *.JPG and *.JPEG with copies of itself, adding the extension .VBS to the original file name. The worm also overwrote eight other file types with copies of itself and the *.VBS. Some of these could not be recovered.

It also located instances of *.MP3 and *.MP2 and renamed these with the .VBS extension. However, it only made these files hidden.

But that's not all. It got really insidious when it created a file called “LOVE-LETTER-FOR-YOU.HTM” that contained the worm and used the Microsoft Outlook program to send copies of itself to anyone in the host address book. If an IRC client was open, the file was also sent over IRC to infect other computers connected to the channel.

Plus, the worm could download and install an executable file from the Internet that could steal passwords and email them to MAILME@SUPER.NET.PH.
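The file damage described above has two distinct outcomes: *.JPG and *.JPEG files were overwritten with worm code and renamed, so their contents were gone, while *.MP3 and *.MP2 files were only renamed with a .VBS suffix and hidden, so they could be restored. The following is an added example, not code from the article, of a triage routine that sorts a disk listing into lost and recoverable files on that basis; the listing and the hidden flags are constructed.

```python
"""Triage a directory listing for the two kinds of file damage the
worm is described as causing: overwritten (lost) and renamed-only
(recoverable)."""
import ntpath
from dataclasses import dataclass

OVERWRITTEN = {"jpg", "jpeg"}   # originals replaced by worm code
RENAMED_ONLY = {"mp3", "mp2"}   # originals renamed and hidden, still intact


@dataclass
class Entry:
    path: str
    hidden: bool = False


def triage(entries) -> dict:
    """Group entries into 'lost', 'recoverable' and 'clean' by name pattern.

    A name ending in <data-ext>.vbs is the worm's renaming signature; which
    bucket it falls into depends on whether the worm overwrote that type.
    """
    out = {"lost": [], "recoverable": [], "clean": []}
    for e in entries:
        parts = ntpath.basename(e.path).lower().split(".")
        if len(parts) >= 3 and parts[-1] == "vbs":
            inner = parts[-2]
            if inner in OVERWRITTEN:
                out["lost"].append(e.path)
                continue
            if inner in RENAMED_ONLY and e.hidden:
                out["recoverable"].append(e.path)
                continue
        out["clean"].append(e.path)
    return out


def recovery_name(path: str) -> str:
    """Original name for a renamed-only file: strip the trailing .vbs."""
    root, ext = ntpath.splitext(path)
    return root if ext.lower() == ".vbs" else path


# Constructed listing for illustration, not taken from a real system.
SAMPLE = [
    Entry(r"C:\Photos\beach.JPG.VBS"),
    Entry(r"C:\Music\song.MP3.VBS", hidden=True),
    Entry(r"C:\Music\other.mp3"),
    Entry(r"C:\Docs\notes.txt"),
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result)
    print([recovery_name(p) for p in result["recoverable"]])
```

Files in the "recoverable" bucket are restored by unhiding them and renaming back to the name `recovery_name` returns; files in "lost" must come from backup.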

So viruses can do more than infect and cause “illness” — they can also compromise security after the fact.

Vibert notes that damage caused by viruses is often more than the obvious trickery, which is usually recoverable. “There have been cases of major business deals (worth millions of dollars) lost because a potential supplier sent an infected proposal document to the customer,” he says.

For the record

About the author

George Partington is an Atlanta-based writer and regular contributor to iSecurity.

About the companies

Visit infoLink at www.securitysolutions.com for more information on companies featured in this article.

Center For Internet Security — 180
CERT Coordination Center — 181
Network Associates — 182
Segura Solutions — 183

Further resources on computer viruses

www.cert.org

The CERT Coordination Center (CERT/CC) is a center of Internet security expertise. It is located at the Software Engineering Institute, a federally-funded research and development center operated by Carnegie Mellon University. The CERT/CC studies Internet security vulnerabilities, handles computer security incidents, publishes a variety of security alerts, conducts research for long-term changes in networked systems, and develops information and training to assist user security.

www.cisecurity.org

The Center for Internet Security's mission is to help organizations around the world effectively manage the risks related to information security. CIS provides methods and tools to improve, measure, monitor and compare the security status of Internet-connected systems and appliances. CIS is not tied to any proprietary product or service. It manages a consensus process whereby members identify security threats of greatest concern, then participates in development of practical methods to reduce the threats. This consensus process has proved viable in creating Internet security benchmarks available for widespread adoption.

www.nai.com

With headquarters in Santa Clara, Calif., Network Associates is the world's largest independent network security and management software company and the eighth largest independent software company overall. McAfee AVERT (Anti-Virus Emergency Response Team), a division of McAfee, a Network Associates business, is the top-ranked anti-virus research center in the world.

Dying to infect the world

The admonition “know your enemy” extends to understanding the mindset of a hacker bent on indiscriminate cyber-destruction. An essay by the author known by the alias VicodinES illustrates hacker methods for spreading viruses. VicodinES is thought to be the author of the Melissa virus.

The essay, “Theory Of Better File Virus Distribution,” stipulates three rules for distributing viruses (all quotes are from the essay):

  • Rule 1: Demand. “You must create demand or use a program that is in demand as a host. Without demand, your file will never be downloaded or run.”

  • Rule 2: Deception. “You must be able to get your virus past most AV [anti-virus] products or you will never get a chance to infect. How is your code? Can you sneak by heuristics? You will need a way to sneak your virus past the most common AV programs, even if you're heuristically challenged. Can that be done? Yes, a clever dropper can do that.”

  • Rule 3: Infection. “What good is a memory resident *.com infecting virus if it's run and then no .com files are run the entire time it's resident. Then *poof* someone shuts off the computer and never runs your dropper again? That would be fine if you had written a multipartite virus, but for this first example, we are concentrating on a beginners virus — a basic *.com memory resident file infector.”

VicodinES continues to give examples with step-by-step instructions for creating and spreading a virus. After the first example, which relies on downloading a bogus AOL security patch, the author states:

“So [in example number one], I demonstrated how some thought and ingenuity, combined with my theory of ‘Better Distribution,’ can increase your chances of infecting a new machine and spreading. Our mission was to increase the chances of infection and survival and we did that ten-fold.”

They're out there, and they're ready to prey on your computer network. Know your enemy.

The joke is on you

Is it real or a hoax? For viruses, the answer is often “hoax.” Virus hoaxes originated around 1988, and reached fame in 1994, coinciding with the new-found popularity of email.

The first famous virus hoax transmitted in an email was called “Good Times.” It has since spawned a variety of imitators — even appearing in other languages — which are still circulating on the Internet.

“Good Times” has simple features that are nonetheless effective and therefore common to the majority of hoaxes, including:

  • A dire warning. In the case of “Good Times,” the hoax virus alert warned persons receiving the email that it would infect their computers simply because they opened it and read it.

  • Technical sounding language, as in this snippet from “Good Times”: “…if the program is not stopped, the computer's processor will be placed in the nth-complexity infinite binary loop which can severely damage the processor…”

  • Playing on the victims' need to help others, usually through a message to “forward this to all your friends.” Ironically, this makes the hoax very realistic, in that it is replicated and spread to other computers.

The request to send the virus alert to “everyone you know” should be a giveaway that the message is a hoax. No real warning message from a credible source would make such a request.

What's the harm in a little joke? Many corporate and academic email servers crashed under the strain caused by the “Good Times” hoax. While today's systems and networks could handle such traffic without crashing, virus hoaxes still waste employee time, clog up mailboxes and consume corporate bandwidth. Some can even cause real damage by duping the truly gullible into deleting important files or programs.

Virus hoaxes have taken on the character of urban legends. In addition to “Good Times,” other famous hoaxes have included:

  • The FCC modem tax

    In employing a dire warning, this hoax plays upon our desire for less federal taxation. It warns that the FCC is considering a tax on modems, and encourages the receivers to email their friends so that they can take political action.

  • Make money fast

    One of the oldest hoaxes in circulation, it is an electronic version of a chain letter pyramid scheme, asking the receiving party to send money to 10 people in a list, add their name to the list and repost the letter.

© 2012 Penton Media Inc.