No longer your mother's computer virus. (Security)

Use an antivirus scanner with an updated signature database and you've done your best to protect your computer against malicious mobile code. At least that's the advice most experts give. Well, as the LoveLetter worm proved recently, the status quo isn't working anymore. The email worm first hit the US in the early morning hours, and before lunch companies were dealing with thousands of deleted files and shut-down email services. Before antivirus companies could release an updated solution, the worm had slipped past defences and done its dirty work. Downloading a new signature database was almost futile, because leading antivirus sites were besieged by traffic. An antivirus scanner isn't enough any more.

It isn't the fault of the antivirus industry. Technology has changed faster than it could keep pace with. Everything is now connected to the Internet, and new technologies make it easier than ever to send rogue code. This article covers the new threats presented by malicious mobile code and offers ten steps you can take to limit its effectiveness on Wintel-based systems.

Malicious mobile code includes viruses, worms, trojans, and rogue Internet content. Viruses are malicious programs which use other files (or boot sectors) to do their dirty work. In most cases, they 'infect' a host file, permanently modifying it so that with every execution more copies are spread. File and boot sector viruses are quickly taking a back seat to macro viruses.
Macro viruses use an underlying application's macro language (in most cases Microsoft Office's) to copy themselves from data file to data file. The spread of file viruses was initially slow because most people rarely traded executable program files. Now, however, everyone sends and receives documents and spreadsheets. Hence, macro viruses have become the most popular type of malicious mobile code reported today.

Worms are malicious programs that use other programs as a conduit to spread, but they don't infect program files. For example, an email worm uses the client's email program to spread to users in the client's email address book. Other types of worms may exploit a weakness in a particular login screen or try to guess passwords. The latest types of worms have been found in emails with hostile code written in Visual Basic. One click and the Visual Basic code can do anything to the invaded system.

A close relative of the worm, the trojan masquerades as a legitimate file. While the user thinks one thing is happening, the trojan is busy taking control of their computer system, deleting or formatting hard drives. Often, as with the LoveLetter bug, the malicious mobile code is part worm and part virus. The worm was the emailing portion that allowed it to travel over the world in hours. It then overwrote selected files with a virus written in Visual Basic.
Remote access trojans, like 'Back Orifice', are one of the most serious threats on the Internet today. These trojans usually arrive in emails as joke programs, but when executed they allow a hacker complete access to everything on the compromised system. The hacker can download files, delete files, and manipulate the user's system (e.g., make beeping noises or display false error messages). With other forms of malicious mobile code, you can eradicate the rogue program and restore any corrupted files from backups. But remote access trojans can be used to record business secrets, download financial information, and monitor personal communication. Their effect can be felt long after the malicious program is cleaned up. Malicious hackers have even established their own online trading channels to exchange the IP addresses of thousands of compromised machines. Using Internet Relay Chat (IRC) channels, hackers trade the identity and locations of compromised computers for pirated software or passwords to pornographic sites.
The maturing development of the Internet browser has made randomly surfing the Web a risk. Any type of active content, whether from Java, ActiveX, Visual Basic, or another scripting language, can pose a real threat to your system. You can go to a new Web site, or click on an HTML link, and completely kill your system. You can visit an innocent-looking Web site that tracks your every move (cross-frame exploit) or downloads files from your system. As new software versions and operating systems become popular, malicious code writers get busy. MS-Office 2000 had its first multi-application virus before it was out of beta. The Internet's growing popularity is shadowed by Linux viruses, trojans, and worms. Windows NT has viruses that wait for administrators to log on, and then steal their security credentials to attack networks. Today's world of interconnectedness links businesses to consumers by pager, and the Internet to cell phones. The LoveLetter bug caused pager and cellular disruptions throughout the world. The Chode worm uses PC modems to jam up 911 emergency lines. Clearly, malicious mobile code is much more of a threat today than ever.
Although Microsoft and computer security vendors are working to close the known security holes, there are general steps you can take to protect your system right now.

Ten Best Steps to Protect Yourself Against Malicious Mobile Code

1. Don't Run Untrusted Code. If everyone followed this advice, malicious code writers would be out of business. So don't run that joke program attached to a friend's email. Don't click on Internet links sent to you in email. Don't run programs from untrusted Web sites. Just because your friend ran the program without a problem isn't reason enough to trust the code.

2. Disable Booting from Drive A. Go into your BIOS setup and disable booting from Drive A:. This will prevent pure boot sector viruses from taking control of your computer.

3. Keep Antivirus Software Current. Regardless of my opening argument, generalized antivirus software is still a great way to protect your system. Make sure your antivirus software definitions are frequently updated and, if possible, automate the process.

4. Keep Your Browser Current. Both Microsoft and Netscape are constantly issuing interim bug fixes every few months. Most updates close the security holes found during the preceding weeks. Check your browser vendor's Web site and install new patches.

5. Disable/Remove Windows Scripting Host (WSH). Microsoft has added WSH to the latest versions of Windows and Office to bring a DOS-like macro language to its GUI platforms (a functionality that has been sorely missed since the days of Windows 3.x). Unfortunately, WSH has no security, and a virus containing scripting commands could potentially damage your system (e.g. the LoveLetter worm). Simply renaming WSCRIPT.EXE to WSCRIPT.EXX is one way to disable WSH.

6. Don't Open Files With Embedded Macros. Most new versions of Microsoft Office warn you if the file you are attempting to open contains a macro. Unless you absolutely expected the document to contain macros, choose to disable the macros as you open it.

7. Decrease the Effects of Active Content in Your Browser. Both Netscape and Microsoft browsers allow you to configure the extent to which active content scripting can modify your system. For untrusted Internet sites, restrict what content scripting can do to your system. At the very least, make sure your browser prompts you if the Web site tries to run executable content or manipulate your file system.

8. Make File Extensions Visible. It is safe to run non-executable file content (JPGs, MPGs, GIFs, WAVs, etc.). You just need to make sure they aren't EXE files in disguise. Most Windows versions will hide known file extensions. Thus, an innocuously named file, PICTURE.JPG, may really be PICTURE.JPG.EXE. In Microsoft Explorer, look for the file extension hiding option under Folder Options.

9. Learn Your System.
Take the time to understand what programs, processes, TCP/IP ports, and drivers are active in your system. Learn what is normal for your system, what takes up the most resources, and what TSRs are running in the background. If you've got Windows 98, try DRWATSON.EXE. You'll be surprised to learn hundreds of programs and processes are active right now. Get a baseline understanding so that the next time your system seems sluggish or is having problems you'll be able to spot the culprit more quickly.

10. Nothing Beats a Good Backup. Make sure important data and programs exist in two places at once. Often, by the time you notice malicious mobile code, the damage is done. A good backup takes away a lot of stress.

Following these guidelines is a gigantic step in protecting your system against malicious mobile code.

The Future

The rapid pace of malicious mobile code is starting to make conventional antivirus protection tools ineffective. The best antivirus companies have been awaiting this day for a decade, and new companies with new ideas are forming every day. The most successful protective products will not rely on signature databases but will instead prevent potentially damaging code from ever executing. Personal computer operating systems will become more security conscious, and the initial Internet tenets of complete privacy and default trust will give way to protection concerns. Because the Internet is now considered a vital infrastructure (like electricity grids, waterworks, and telephone networks), increased government regulatory oversight is guaranteed. With that said, malicious mobile code will never disappear. No matter what defences we put up, the incredible human spirit, and the hacker subculture, will be challenged to push the envelope.
Personal computer users and network administrators will be tasked with making sure intrusion prevention underlies every application within their perimeter of control.

RELATED ARTICLE: RELEVANT DEFINITIONS

Signature Database. Antivirus scanners work by searching files and disks for previously identified code segments, a signature, that is likely associated with a particular bad program. Each antivirus program has a large database storing tens of thousands of signatures used for comparison.

Wintel-based System. Wintel refers to a computer based on a Windows operating system and an Intel microprocessor.

Malicious Mobile Code. Malicious mobile code is a new term to describe all sorts of bad programs: worms, viruses, trojans, etc. The terms virus and worm are too limiting to cover all sorts of rogue traveling programs. To be considered malicious mobile code, an ill program must intentionally modify a user's system without their permission and contain coding to facilitate its transfer between different computers. It doesn't include events like hackers directly trying to break into a Web site, or causing a denial-of-service attack.

Macro Language. A macro is a predefined shortcut used to automate a particular series of key operations, or to automate a program feature. For example, in most Windows programs, hitting Ctrl-S will save a file just as choosing File, Save and Enter from the program's menu bar does. Macro languages allow very sophisticated macros, and entire other applications, to be developed.

Executable Program. In the DOS/Windows world, program files are files with EXE and COM extensions.

Internet Relay Chat. Internet Relay Chat allows two or more computers to send instant messages to each other. There are tens of thousands of IRC channels, each dedicated to a particular topic. Hackers use IRC to communicate with other hackers, to trade programs, and to announce the latest system invasions.

Active Content. Active content refers to any program coding or scripting that can manipulate a user's system. Most often, active content is initialized from within an Internet browser, but it can be started in other applications (e.g. email).

www.oreilly.com

Roger A. Grimes is the author of an upcoming O'Reilly book, Malicious Mobile Code: Protect Your Windows System.
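As an added illustration of step 8 (disguised executables) and of the Signature Database definition above, the Python below screens an email attachment the way a mail gateway might. It is example code written for this page, not the author's or any vendor's product; the signature database, extension lists and sample bytes are constructed placeholders.

```python
from typing import Optional

# Constructed signature database for this example: byte fragments a vendor
# would have lifted from samples it has already analysed. Placeholder values,
# not signatures from any real product.
SIGNATURES = {
    "Example.VBS.Worm": (b'Set fso = CreateObject("Scripting.FileSystemObject")'
                         b"\r\nfso.DeleteFile"),
    "Example.Joke.Trojan": b"JOKE-PROGRAM-MARKER-0001",
}

# What Windows executes on a double-click versus what a user reads as data.
EXECUTABLE_EXTS = {"exe", "com", "bat", "pif", "scr", "vbs", "vbe", "js", "wsh", "hta"}
DATA_EXTS = {"jpg", "jpeg", "gif", "mpg", "mpeg", "wav", "txt", "doc", "xls"}


def disguised_executable(filename: str) -> bool:
    """Step 8: flag PICTURE.JPG.EXE-style names.

    With 'hide known extensions' on, Explorer shows only PICTURE.JPG, so
    compare the real final extension with the one the user would see.
    Space padding such as 'PICTURE.JPG      .EXE' is stripped as well.
    """
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False  # one extension: the user sees what it really is
    final, shown = parts[-1].strip(), parts[-2].strip()
    return final in EXECUTABLE_EXTS and shown in DATA_EXTS


def signature_match(data: bytes) -> Optional[str]:
    """Plain substring scan against SIGNATURES, as in the definition above.

    It recognises only what is already in the database, which is the
    limit the article's opening paragraphs describe.
    """
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def screen_attachment(filename: str, data: bytes) -> str:
    """Mail-gateway verdict combining both checks."""
    if disguised_executable(filename):
        return "block:disguised-executable"
    hit = signature_match(data)
    return "block:" + hit if hit else "allow"
```

Note that a copy of a known sample with nothing more than the letter case of one identifier changed no longer matches the byte signature, so until the database is updated it is allowed through; the name check, by contrast, needs no update to catch the next double-extension attachment.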