Virus Countermeasures Overview

Introduction

Two3five had a number of requests around viruses, virus checkers and hoaxes. As a result we now display the fantastic newsfeeds from Sophos; however, that isn't enough, so here is an insight into viruses, some links to products and some reviews.

What is a virus?

A virus is a program which has the ability to replicate itself, i.e. to copy itself to other computers or disks, without being asked to do so by the computer user. A virus generally comprises three components: a mission component, a trigger component and a self-replicating component. Note that a virus doesn't have to do any damage to be called a virus; it simply has to attempt to copy itself.

Definitions

Boot Sector Virus (BSV)

POST stands for 'Power On Self Test', a set of diagnostic routines held in ROM (Read Only Memory) which checks that the hardware is functioning correctly at boot time. The boot sector is the area the computer moves on to after the POST has completed successfully. There are subtle differences between hard and floppy disks. On a hard disk, the starting point is referred to as the MBR or Master Boot Record. The MBR not only contains code necessary to the boot sequence but also information known as the partition table. Hard disks can be divided into different partitions, one of which must be bootable. The partition table records which partitions exist and whether they contain a suitable boot sector. This boot sector is known as the DBR or DOS Boot Record. Once the code in the MBR has located the DBR, control is passed to it and the boot sequence continues from there. By default, PCs attempt to boot from drive A: first; if no disk is present in the floppy drive, the boot sequence continues from the hard disk.
A non-system floppy disk may contain only enough code to display the message "Non-System disk or disk error - Replace and press any key when ready" if an attempt is made to boot from it. A boot sector virus will have moved the original boot sector to another area of the floppy disk when it first infected that disk. Booting from the disk therefore results in the virus code being executed first, and the virus goes resident in memory. Once active, the virus can move the original Master Boot Record on the hard disk to another location and replace the existing code in the MBR with a copy of itself. Once this has been completed, the virus passes control back to the original boot sector on the floppy disk so that the boot process continues as if nothing had happened. It is important to appreciate that even if the infected floppy disk is not a system or bootable disk, and the boot process was halted with the "Non-System disk" message, the BSV may already have loaded into memory and infected the hard disk (if there is one). Every subsequent boot from the hard disk then loads the virus into memory, and, depending on the virus code itself, it is then in a position to continue infecting the hard disk and to infect the boot sector of any other floppy disk accessed. A simple read of a floppy disk can be enough to cause infection, with the virus replacing the original boot code with its own. An experienced user may notice a slight delay in accessing a floppy disk when a boot sector virus is resident, as it attempts to infect the floppy being accessed.
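The MBR layout described above (446 bytes of boot code, a four-entry partition table with a bootable flag, and the 0x55AA signature) can be checked from a defender's side by parsing the sector and comparing its boot code against a recorded baseline, which is how an MBR replacement of the kind a BSV performs would show up. This is an added example, not code from the original page; the sample MBR is constructed inline and the baseline hash is simply whatever was recorded when the system was known to be clean.

```python
import hashlib
import struct

# Constructed 512-byte sample MBR: placeholder boot code, one bootable NTFS-type
# partition entry, three empty entries and the 0x55AA signature.
BOOT_CODE = b"\xfa\x33\xc0" + b"\x90" * 443          # 446 bytes, constructed

def make_entry(bootable, ptype, lba_start, sectors):
    # CHS fields are zeroed; the LBA start and sector count are what matter here.
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)

SAMPLE_MBR = (BOOT_CODE + make_entry(True, 0x07, 63, 2097152)
              + make_entry(False, 0x00, 0, 0) * 3 + b"\x55\xaa")

def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition table entries."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: wrong length or missing 0x55AA signature")
    partitions = []
    for i in range(4):
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0x00:                      # unused entry
            continue
        partitions.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions}

def check_mbr(sector, baseline_sha256):
    """Compare an MBR against a recorded baseline; returns a list of findings."""
    info = parse_mbr(sector)
    findings = []
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible MBR replacement)")
    return findings
```

On a real system the 512 bytes would be read from the first sector of the disk and the baseline hash stored offline; a changed hash after an OS upgrade or boot-loader install is expected, anything else warrants a look.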
Polymorphic

These viruses are more difficult to detect by scanning because each copy of the virus looks different from the other copies. One virus author even created a toolkit called the "Dark Avenger's Mutation Engine" (also known as MTE or DAME) for other virus writers to use. It allows someone who has an ordinary virus to combine the mutation engine with their virus code, so that each file infected by their virus carries what appears to be totally different virus code. Fortunately, the code isn't totally different, and now anyone foolish enough to use the mutation engine with their virus will be creating a virus that is immediately detected by most existing scanners.

Eicar

The Eicar "virus" is not a real virus; it is purely a string of characters that all virus checkers look for and, if found, should report as a test virus. It enables systems to be tested without the need to store real viruses. http://www.sophos.com/virusinfo/articles/eicar.html

Worm

A worm is a self-reproducing program that does not infect other programs but simply copies itself. As a worm creates new copies of itself, each copy is executed and in turn creates more copies, which are also executed, soon using up processing capacity. The result is normally an overloaded system which eventually grinds to a halt.

Macro Virus

Applications such as Microsoft Word and Excel have a macro language facility. A macro is a series of commands or instructions which can be recorded and saved and then used to automate functions or repetitive tasks. Once written, a macro can be assigned to a particular keystroke combination, menu item or toolbar button. If an infected document is opened, the virus is automatically executed. Usually the macros will be written to the global template NORMAL.DOT. This ensures that the virus runs every time Word is loaded and, as a result, every document that is created or modified becomes infected.
From there, depending on the macro virus code, various routines could be run to alter the contents of documents, write new lines to system files or change settings in the Word environment itself.

Script/Worm

The development of malware such as LoveLetter, which uses Visual Basic Scripting, and JS/Kak.worm, which uses JavaScript, coupled with their reliance on e-mail to spread, has brought the term worm to the fore. However, definitions are made more complicated by the tricks and techniques these latest examples employ. W32/Pretty.worm, for example, can appear as an e-mail attachment 'pretty park.exe' and relies on the user executing the attachment. When run, the program installs itself on the user's hard drive and makes changes to the registry to ensure that it is run whenever another executable is run. On the face of it this appears to be similar behaviour to the classic DOS virus. On the other hand, if we consider that the attachment appears as a South Park cartoon character, the term Trojan springs to mind. However, this 'virus' spreads by automatically e-mailing copies of itself every thirty minutes to everyone listed in the Outlook Express address book: worm techniques in action. Going back to LoveLetter, it deletes .jpg files and leaves copies of itself with the same filename and a .vbs extension, and it hides .mp3 files while creating new copies of itself with the same names as the files it has hidden (classic DOS virus traits). LoveLetter also attempts to download a password-stealing Trojan. Both 'viruses' also attempt to make use of mIRC channels. Indeed, in the Network Associates virus information library, LoveLetter is described as a VBScript worm with virus qualities.

Malware

Essentially, malware is any software or macro/script code which has been designed with the intention of performing unauthorised, undesirable actions, whether harmful or not, on a computer without the knowledge of the user.
Joke Programs

Trojan Horse

A Trojan Horse is a program which appears to be legitimate software but carries a hidden payload. An example might be an FTP program which not only transfers data to the chosen location but also sends a second copy to a public FTP server without the knowledge of the user, or formats the hard drive.

Logic Bomb

A logic bomb executes after a trigger event; this could be a date, the hard disk becoming more than 50% full, the running of a particular program or command, or a program being run a specific number of times. An example of this can be seen in 'try before you buy' software, where a user may get a 30 day evaluation after which the program no longer operates.

Spy Ware

Traditionally this has not been considered a virus, but recent trends for hijacking PCs to change modem settings to use high-charge phone connections, create zombies, etc. place this in the Trojan category.

Content Vectoring Protocol (CVP)

This protocol is used by some firewalls to pass content queries to a virus checker or separate content scanning service. With the introduction of appliance-based solutions it is now more usual to add a software plug-in.

Internet Content Adaptation Protocol (ICAP)

www.i-cap.org - This protocol is used by some firewalls and appliances to pass content queries (port 1344) to a virus checker or separate content scanning service. It has taken over from CVP in most cases. ICAP is flexible enough either to run as a separate service, removing the need for the second server that CVP requires, or to use a separate server in the same configuration as a CVP system.

Virus Storm

A virus storm is a significant increase in traffic appearing on a network. This can impact the performance of the Internet itself, as seen with CodeRed when everything ran really slowly.

Motivation

The motivation for virus creation has changed over a number of years. Initially there was the intellectual challenge of creating self-replicating programs.
Many 'virus writers' then became IT vandals, creating new versions of old viruses or using documented. The hard-core virus writers started producing sophisticated viruses to set up zombie networks for future vandalism or for services to hire (viruses to spread spam, DDoS blackmail threats), and the trend points to ever more organised crime.

Virus Hoaxes and Chain Letters

Virus Hoax Messages

These types of message waste everyone's time, and in some cases people delete useful files as a result. Check out the hoax feed on this site.

Vmyths.com

www.vmyths.com is a site that explores viruses and virus hoaxes and places the real risk in context. Rob Rosenberger is the site's full-time editor; he is one of the "original" virus experts from the 1980s, and the first to focus on virus hysteria. Rosenberger was one of only a dozen industry experts invited to the White House's first-ever antivirus summit meeting.

Chain Letters

These types of message not only waste time and resources, but in some cases are distasteful and can cause offence. Most hoax sites also include chain letters as part of their service listings.

What a virus countermeasure won't do?

Virus countermeasures cannot provide a complete security solution; they have to be configured and maintained, and they must still allow the user to undertake their normal business activities. Any countermeasure can only protect against the things it understands or has been configured to inspect. DR planning and good backup and recovery routines are still necessary.

Countermeasure Types

Virus Checker

These products sit on the PC or server and scan for viruses and malicious code. As each new virus is discovered the supplier produces an update file that allows the checker to identify the virus and remove it.

Email Server Protection

These products sit on the email server and scan emails as they enter the user's account. They break each email into its components and then process those components for viruses and malicious code.
Images, lexical analysis, various file formats, etc. may also be controllable depending on the product. The engine normally has a rulebase defining how to react to the results of the process; this could be to block the traffic, quarantine, allow, trigger an alarm, etc.

Content Interception Engine

These products sit on the network intercepting traffic (typically SMTP or HTTP) and break the requests into components that can then have further processing or checks conducted against them. This processing could be for viruses, malicious code, images, lexical analysis, etc. The engine normally has a rulebase defining how to react to the results of the process; this could be to block the traffic, quarantine, allow, trigger an alarm, etc. These engines are particularly useful if the business does not require a file format or type, as it may be rejected before entering the company. Where possible, users should be grouped and only given rights to receive the formats appropriate to their role(s). Many of these engines also include SPAM blocking facilities.

Internet Based Content Interception Engine

Quite a recent development in the virus countermeasure field. It has all the benefits of a standard content checker, but because the interception is done on the Internet, SPAM and virus traffic can be removed BEFORE it reaches the user's ISP connection, saving on network traffic and reducing congestion. A business decision must be taken as to whether it is appropriate for a third party to potentially have access to company emails passing through these systems.

Patching Services

Few of the modern viruses are ground-breaking. Most make use of a known weakness in an operating system or application that has already been highlighted and for which, in most cases, patches have been developed. However, the time between a vulnerability being identified and a virus exploiting that weakness has drastically decreased.
Most modern virus infections could be limited or prevented by applying patches in a timely fashion. Note: as with all patches or updates, testing should be conducted to ensure that the patch has no negative impact. Where such an impact exists, the business should take a risk decision and plan how to manage that risk.

Firewall

Firewalls can help in two main ways. Firstly, a correctly configured firewall should prevent virus probes from the Internet entering the network. Secondly, if a virus does get onto the network, firewall monitoring should detect either an increase in outbound connections being rejected or an increase in traffic on the ports that are enabled. Network equipment such as switches can be configured to block certain ports. This technique should be used with caution, as it can cause applications to fail and may cause excessive network loading; it is normally reserved for fire-fighting during a virus storm. Intrusion Detection Systems (IDS) can identify virus traffic and can be useful as part of an overall monitoring strategy, but they are out of scope for this document.

Backup

Should all of the other countermeasures fail or be circumvented, a good backup may be the only way to recover a system. If the virus has been able to go undetected for any period of time, the backup may also be infected. It is important always to have a full backup routine going back over a few days, if not weeks or months, and to virus check the system as soon as it has been recovered.

Virus Countermeasures Products
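The firewall monitoring described in the Firewall section above (watching for a rise in rejected outbound connections from a host) can be turned into a simple detection over the firewall's own log. This is an added example, not code from the original page or any product: the log format and the sample lines are constructed for the example, and the window and threshold are assumed values to be tuned to the network.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from any real firewall): host 10.0.0.5 has a
# burst of rejected outbound connections to port 135, 10.0.0.9 is normal.
SAMPLE_LOG = """\
2005-01-29 10:00:01 DENY OUT src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=135
2005-01-29 10:00:02 ALLOW OUT src=10.0.0.9 dst=198.51.100.2 proto=tcp dport=80
2005-01-29 10:00:02 DENY OUT src=10.0.0.5 dst=203.0.113.8 proto=tcp dport=135
2005-01-29 10:00:03 DENY OUT src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=135
2005-01-29 10:00:04 DENY OUT src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=135
2005-01-29 10:00:05 DENY OUT src=10.0.0.5 dst=203.0.113.11 proto=tcp dport=135
2005-01-29 10:05:00 DENY OUT src=10.0.0.9 dst=203.0.113.12 proto=tcp dport=445
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) OUT src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev

def detect_outbound_spikes(log_text, window_seconds=60, threshold=5):
    """Alert on any source whose rejected outbound connections reach the threshold
    within a sliding window; returns {src: summary}."""
    recent = defaultdict(deque)        # src -> recent (ts, dst, dport) DENY events
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "DENY":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dport"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                # drop events that fell out of the window
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = {"first_seen": q[0][0], "rejected": len(q),
                                 "distinct_dst": len({d for _, d, _ in q}),
                                 "ports": sorted({p for _, _, p in q})}
    return alerts
```

A single host hitting many distinct destinations on one port within a minute is the pattern of a worm probing outward; one host with a few rejects to one destination is usually just a misconfigured application.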
Product Choice

It is important to understand how virus checkers work. Sophos operate very much around producing no false positives, whereas McAfee is about ensuring that nothing that 'appears to be a known virus' gets through. Some product disadvantages can be an advantage: Norman, for example, appear to be one of the slower companies for releasing updates, but their product is extremely stable and, coupled with the Sybari product, can be extremely useful in a recovery scenario.

Update and Maintenance

All countermeasures should be set up to allow updates to be deployed as quickly as possible. In the case of user training this might be preformatted virus warning emails; for a virus checker it might be installing signatures within one hour using an automated distribution service. All technical countermeasures should be tested at least weekly using the Eicar test signature.

Logging and Alerting

External sources of virus activity information can prove very useful. The following sites provide useful analysis and can give early warning of potential problems.
This site was last updated 01/29/05