Computer Parasitology.


Seven steps for protection.

Computer viruses have progressed from urban myth to major threat; yet, even with all the damage they have done, they pale in comparison to what we have seen and have yet to see from the dreaded computer worm. While viruses are computer programs designed to spread themselves from one file to another on a single computer, computer worms multiply exponentially by spreading themselves from one computer to another. Either strain can spell disaster for computers and computer systems.

Velocity of viruses

A virus might rapidly infect every application file on an individual computer, or slowly infect the documents on that computer, but it does not intentionally try to spread itself from that computer to other computers. In most cases, that's where humans come in. We send e-mail document attachments, trade programs on diskettes, or copy files to file servers. When the next unsuspecting users receive the infected file or disk, they spread the virus to their computers, and so on.

Most people exchange information in time intervals on the order of minutes, hours, or days. Furthermore, information is sent to a relatively small group of people. Looking in my own e-mail outbox, I send messages with attachments (usually documents) to an average of three people roughly every 33 minutes during business hours. While these figures may not be typical of most users, they're certainly plausible and are corroborated by the (relatively) slow spread of most computer viruses.

Workings of worms

Computer worms, on the other hand, are insidious because they rely less (or not at all) upon human behavior in order to spread themselves from one computer to others. The computer worm is a program that is designed to copy itself from one computer to another by leveraging some network medium such as e-mail. The worm is more interested in infecting as many machines as possible on the network, and less interested in spreading many copies of itself on a single computer (as a computer virus tries to do). The prototypical worm infects (or causes its code to run on) a target system only once; after the initial infection, the worm attempts to spread to other machines on the network. Studies have shown that some people who launch self-replicating computer programs may often do so without realizing the devastating impact that these programs can have on the enterprise (go to www.research.ibm.com/antivirus/index.htm for more information). Others, however, know full well the possibilities introduced by worms, and intentionally seek to use them to facilitate compromises of various types, including the unauthorized export of confidential data and denial of service (DoS) attacks.

The infamous Melissa worm only required a user to open a single infected document to spread itself to hundreds of thousands of users. Similarly, Internet relay chat worms require a simple user login to the IRC online chat system to spread themselves, while the recent Explore.Zip worm--first detected in June 1999 and causing tens of millions of dollars in damage to computer systems--could gain hold of thousands of machines with the launch of a single program. While humans exchange information at large time intervals to small groups of people, computer worms have no such restrictions.

Computer worms pose a great threat to both consumer and corporate computer systems during the next decade. As we will undoubtedly see, they will change the nature of antivirus software and require paradigm shifts in enterprise security and infrastructure.

Suggested immunization strategy

Here are seven steps your organization can take now to protect against computer worms.

1. Run antivirus software on servers, gateways, and desktops. While this may seem obvious, some organizations neglect even these basics. Providers of antivirus solutions update virus definitions frequently--sometimes more than once per week. Pay close attention to these alerts, which are routinely sent out, and visit your vendor's Web site to install the latest patches recommended for your software.

2. Remove all-company or all-staff addresses from your list. Computer users rarely have the need to send emails to the entire organization, and such a facility is extremely vulnerable to e-mail-based computer worms. E-mail administrators should limit public e-mail lists to small functional groups and eliminate all organizationwide lists. Should users need to send such an e-mail message (this should be rare), they can forward the e-mail to an administrator for associationwide posting.

3. Lock down all peer-to-peer networking. In a peer-to-peer network, each workstation has equivalent capabilities and responsibilities. This differs from client/server architectures, in which some computers are dedicated to serving the others. Peer-to-peer networks are a huge security risk where network-aware worms and viruses are concerned. We recommend that administrators lock down peer-to-peer networked drives on all computers where this is not absolutely required. Administrators may also want to establish an official policy against peer-to-peer volumes and distribute this to users.

At the very least, the administrator should maintain a special computer grouping or domain in the network management software (or antivirus console) for all peer-to-peer networked computers. This will enable quick deployment of antivirus definitions to these particularly vulnerable machines.

4. Deploy internal firewalls. Corporate firewalls are fairly effective at preventing malicious attacks from outside sources; however, they provide no benefit once a worm has entered the corporate network. As we have seen with Explore.Zip, the vast majority of computers that were actually penetrated by Explore.Zip were attacked from within the organization--from other peer-to-peer networked computers.

Deploying internal firewalls could prevent such intranetwork infections. Administrators should consider deploying internal firewalls around central servers, such as file servers, e-mail servers, and organization database/SQL servers. In addition, personal firewalls are effective at preventing attacks on desktop personal computers running any Windows operating system. While this may be a more expensive option, it could seriously neutralize many backdoor worms and Trojan horses.

5. Disable e-mail script capabilities. If your groupware product supports email scripting, this should be disabled for all but a few users (most likely those in the information technology department). By disabling these facilities, you can protect your corporation from internal e-mail threats.

6. Strip executable content from incoming e-mail. Some groupware and gateway-based antivirus products have options to allow the administrator to strip executable content from either incoming or outgoing e-mail messages. Administrators should take advantage of these facilities if they are available. For example, while some employees use macros in the corporation, it is rarely the case that users need to exchange macros between companies. By configuring your antivirus solution to automatically strip all macros from document attachments entering or leaving the enterprise, you can protect your users and business partners from inadvertent worm or virus infection. If such a measure is too obtrusive for your work environment, the same facility can be used only in the event of a worm outbreak (or impending outbreak).

7. Use heuristics and, if possible, digital immune system technology. Antivirus heuristics are self-learning programs that search your computer for unusual processes that might be virus-related. They are very effective at detecting new and unknown viruses; depending on the type of virus, heuristics can detect more than 90 percent of all new and unknown strains. By coupling strong heuristics on the desktop, the server, and the gateway with a digital immune system, the antivirus offering can be made even more powerful.
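
Step 6 above (stripping executable content at the gateway) can be sketched with Python's standard `email` package; this is an added example, not code from the article or from any antivirus product. The extension block list, the replacement notice, and the sample message are assumptions constructed for illustration, and macro stripping inside documents is out of scope here.

```python
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed block list for this example; a real gateway applies its own policy.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def blocked_name(filename):
    """True if the attachment name ends in a blocked extension."""
    if not filename:
        return False
    # Windows ignores trailing dots and spaces, and only the last extension
    # decides how a file runs, so "report.doc.exe" and "a.exe. " are both caught.
    ext = os.path.splitext(filename.rstrip(". "))[1].lower()
    return ext in BLOCKED_EXTENSIONS

def strip_executables(raw_message):
    """Return (cleaned EmailMessage, names of the attachments removed)."""
    msg = message_from_string(raw_message, policy=policy.default)
    removed = []
    for part in list(msg.walk()):
        name = part.get_filename()
        if part.is_multipart() or not blocked_name(name):
            continue
        removed.append(name)
        part.clear()  # drop the payload and its MIME headers
        part.set_content(f"Attachment {name!r} was removed by gateway policy.\n")
    return msg, removed

def build_sample():
    """Constructed sample message: one text file, one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Requested files"
    msg.set_content("The files you asked for are attached.\n")
    for name, data in (("notes.txt", b"plain notes"), ("report.doc.exe", b"MZ\x90\x00")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample())
    print("removed:", removed)
    print(cleaned.as_string())
```

Matching on file names alone misses renamed or archived executables, which is why the article pairs this step with antivirus scanning and heuristics.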

Computer worms have become the fastest spreading and most costly malicious code threats of this decade. Relatively speaking, computer viruses spread slowly when compared to the computer worm. While a virus might move from one association department to another, the computer worm can often blitzkrieg through an organization in hours or even minutes. This makes worms, especially those with destructive payloads or data-export capabilities, extremely ruthless attackers. Organizations of all sizes and types need to seriously consider containment plans and emergency responses to deal with emergencies and special cases. Cutting-edge antivirus solutions, digital immune systems, firewalls, content filtering, and e-mail authentication systems will help to control the worm problem now and in the future. Good luck, and may you never need a parasitologist.

Robert Clyde is chief technologist, Symantec Enterprise Solutions Division, Cupertino, California. E-mail: cdemitz@symantec.com.
COPYRIGHT 2001 American Society of Association Executives
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2001, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:CLYDE, ROBERT
Publication:Association Management
Geographic Code:1USA
Date:Aug 1, 2001
Words:1352