Feature

Jingle bells, networks down, files have gone astray…

If all you want for Christmas is a quiet life, you may be disappointed this year. Hackers across the world are sending greetings cards with muscle.

The jargon surrounding viruses just serves to alarm users so, to keep it simple, let's start with the premise that there are two types of computer viruses in this world:

Viruses that are very irritating and which might cause your mail server to crash as they are sent round your company, but which don't cause much in the way of long term damage to data

Viruses that damage data and can carry out unauthorised actions that may prejudice the security of your information

Viruses of the first type may cause damage. They reduce productivity and increase the complacency of users, who receive "yet another virus alert". They also lead to a general attitude of fear and mistrust of attachments and email itself.

One of the latter types of virus is called a Trojan horse. These are viruses that have a hidden agenda. They sit innocuously on your PC, hiding behind another file, and wait for the opportunity to deliver their payload. A Trojan can be thought of as a program that carries out actions determined by the programmer, actions which would not be permitted if the user were aware they were happening.

Recent examples of Trojans include Netbus and Back Orifice. The payload they deliver can vary from copying your address book and forwarding it to newsgroups to "bugging" your computer by taking control of your microphone (and camera if you have one) to keep an eye and an ear on what you are doing and then send transcripts back to their creator. Sounds like something from James Bond, doesn't it? Unfortunately, it's happening more and more often, and it's a threat for all businesses, not just governments.

The biggest hurdle that has faced those trying to counteract this threat is one of complacency. A company has good anti-virus software in place, ergo it thinks that it is safe from attack. However, the only way anti-virus software detects attacks is by recognising behaviour from the manufacturers' list. Even daily updated versions will not catch all viruses, because it's not until the viruses have been analysed by the anti-virus companies that they can issue a warning and a solution.

If we accept the presumption that it takes at least an hour for a virus to reach the anti-virus software labs, and another hour for them to identify it and create a reference for it, you have two potential hours (at least) of this virus running across the net and, potentially, across your network. How long do you think it would take in the average office for the entire office to be infected? If it comes by email, then it can be received and run in seconds.

Herein lies the major problem of anti-virus software: it's reactive, but not proactive. It requires a problem to be known about before it can act. So, until the virus has hit your company (and caused data or efficiency loss), you are not protected against it, and it can escalate as it spreads, causing problems not just for one PC but for the entire company.

There is also an insidious threat to security coming from within companies, and it's coming out through (and partly because of) the friendly nature of the net: instant messaging. Many staff now work in mobile environments. This includes teleworkers and those who travel for business. Many use instant messaging services such as AOL's Instant Messenger, Netscape Communicator etc. These are a great way for people to check where workers are (the sender can see whether the user is online) and send them quick messages while doing other things (talking on the phone, writing a document). They are also great for forwarding files between users. This is a great idea because it means team members can remotely collaborate on projects and forward drafts of documents to and fro without waiting to download through an overloaded mail server.

What happens, though, is that people download files and, because they come through the Internet and their PC has virus protection on, they think it's fine to run them. Except, of course, it's not okay, because they may have a nasty Trojan virus lurking in them, ready to steal information or turn your computer into a listening device. Instant messaging services provide no defence against viruses; they rely on your protection and, if it's not up to scratch, you are granting malicious code an even quicker entrance to your PC.

For those dubious people out there, visit security software manufacturer Finjan's website, at www.finjan.com, and get them to send you a (benign) Trojan. It is frightening when you realise that someone can send you a lovely electronic greetings card that you enjoy and then delete, and then realise that they have copied vital documents and are now listening in at your business meetings.

Remember the e-sheep? The cute little sheep that ran across your desktop and entertained you? Many users received them and passed them on through email at work and at home and they were fantastic fun. However, version 2 of e-sheep had a nasty sting in the tail. E-sheep #2 looks identical to the original program, arrives by email and works in exactly the same way. Except after it's executed, it causes problems with dial-up networking and with modems by trying to send something without being asked to. Does this sound familiar?

Well, there is, of course, a simple cure: don't open the file and delete the sheep. However, because most of us were entertained by this, and still are entertained by other comic files we are sent, it is a challenge to stop workers opening them.

Which leaves us with two choices: the first is to make it a disciplinary offence to open such files and hope that fear of reprimand and effective anti-virus protection will protect us (this probably won't work); and the second is to ban and prevent (through mail set up or using software products that allow you to control what comes in via email and the internet) executables being brought into the organisation.

However, there is an information gap here with regard to what an executable file actually consists of. If you ask most staff, they will correctly tell you it's a program (i.e. something that executes). However, ask them whether electronic greeting cards or streaming media are executables and they probably won't know. Unfortunately, virus makers do know: they can sandwich together an electronic greeting card with a Trojan, call it what they like and send it to a member of your staff. It'll probably go straight through your firewall and under the nose of your anti-virus software, ready to hatch when opened from the inbox.
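The policy of keeping executables out of email only works if the filter looks at what an attachment is, not at what the sender called it. The sketch below is an added example, not code from the article or from any product it mentions; the function names, the extension list and the sample message are all constructed here for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Leading bytes ("magic numbers") of common native executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "DOS/Windows executable",
    b"\x7fELF": "ELF executable",
}
# Extensions that Windows runs or interprets when the file is opened.
RISKY_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}


def classify_attachment(filename, payload):
    """Return the reason to block an attachment, or None to let it through.

    Content is checked before the name, because the sender picks the name."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            return f"content is a {label}"
    ext = os.path.splitext((filename or "").lower())[1]
    if ext in RISKY_EXTENSIONS:
        return f"file name ends in {ext}"
    return None


def inspect_message(raw_bytes):
    """Parse a raw message and return [(filename, reason)] for blocked parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), payload)
        if reason:
            blocked.append((part.get_filename(), reason))
    return blocked


def build_sample():
    """Constructed sample: an MZ-header stub named .jpg, plus a JPEG stub."""
    msg = EmailMessage()
    msg["Subject"] = "Season's greetings"
    msg.set_content("Open the card!")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="image",
                       subtype="jpeg", filename="xmas_card.jpg")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 60, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()
```

A check like this only covers the formats on its list; scripts, archives and documents carrying code need rules of their own.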

Now you might think your company has no enemies that would want to damage you. But unless you have no competition and your staff are never disgruntled or sacked, you are probably wrong. Let's say you sack Fred. Fred, feeling particularly aggrieved, goes to his local Internet café. He logs onto AltaVista or any other search engine and searches for Trojan horses. Within seconds, he'll probably be able to find his choice of viruses, with a choice of cover programs (usually electronic greeting cards or amusing programs that he can use to front the virus). All he then has to do is name the file something innocuous and send it.

Perimeter defences simply aren't enough. You can put anti-virus, firewall, encryption, every line of defence you can think of, in place within your organisation, but as Bill Lyons, CEO of Finjan, puts it, "Why bother going through the attic window, if the front door is wide open". If internal or external hackers, virus makers or phreakers want to get into your organisation, they'll find a way.

To cope with this, Finjan has brought out First-Strike Security. This uses content inspection and monitoring to look for malicious code and stop users running damaging files. It also allows you to put an employee policy in place, blocking certain activities. This means that you can stop users that have no real reason to be running executable files from their email, from doing so. But moreover, it's not reliant on recognising particular viruses and so doesn't need constant updating. This gives you protection for the time period where most damage takes place. This is the period between the virus hitting your company and the anti-virus suppliers issuing a patch.

"Trojan horse attacks like ExploreZip caused the most damage and loss in the first hours of its proliferation," said Bill Lyons. He puts forward the analogy of being poisoned. By the time the antidote to the poison (or in this case virus) arrives, you have already suffered because of the effects of the poison.

While virus makers can send files into your organisation, there will be a need to manage those files. The problem of tackling innovative methods of infection, like electronic greeting cards and instant messaging, should be on the priority list for every IT administrator. Without effective management against executables and malicious code, you are bolting down the windows, without bothering to first shut the front door.

Rachel Hodgkins



This was first published in November 1999

 
