51-30-22
Assessing and Eliminating Virus Threats in Distributed Networks
Frank Horwitz

Payoff

Computer viruses cost users billions of dollars per year in lost data, lost productivity, and clean-up costs. This article examines the problem by defining viruses, explaining why they matter, how they infect systems, and how to discover whether they have infected a system. Standard approaches to fighting viruses are explained, weaknesses in some commonly used virus-fighting techniques are illustrated, and the ideal virus defense system is discussed.

Problems Addressed

Technically speaking, a computer virus is similar to a biological virus: it wants to reproduce itself. A virus does not necessarily inflict any damage. Industry experts define viruses differently. A virus can be described as a piece of code that attaches itself to a file, critical disk sector, or memory location for the purpose of replicating. Another definition describes a virus as a program designed to replicate and spread, generally with the victim being oblivious to its existence. A more complete definition says that a virus is a program that replicates itself, attaches itself to other programs, and performs unsolicited, if not malicious, actions. By any definition, reproduction is the common theme. Unless it is deflected or killed, a virus usually spells difficulty and expense for the network administrators whose task it is to eliminate it. This article provides practical information for preventing, discovering, and eliminating viruses.

How Pervasive Is the Viral Threat?

One of the most damaging effects a virus can have on a corporate LAN or WAN is a drain on system resources. A very destructive virus, such as the Byway Virus, can reproduce rapidly enough to fill a multi-gigabyte hard drive overnight and can cause an entire system to crash. Others, such as the Junkie Virus, fill memory and cause system response times to slow drastically.
In either situation, the best case is a loss of productivity; the worst case is the systemwide loss of data.

Loss of data is another specter of the viral threat. One of the most common DOS viruses, Jerusalem, is designed to erase any program executed using the DOS execute-program call. All of the programs users try to run suddenly cease to exist. A variant of this virus (known as the 1704-Format), when activated, attempts to reformat part of the hard drive. Another common virus, Disk Killer, attempts to scramble all data on an infected disk or diskette. These and many other viruses can cost days of clean-up and restoration in a well-maintained network, or wipe out months of productivity in a poorly backed-up network.

Another problem created by viruses is the cost of cleaning them off infected systems. A survey of corporations with more than 1,000 PCs reported that the average cost of clean-up can be as high as $254,000, a figure that includes only the direct labor expense for system recovery and data back-up. The indirect expense of lost productivity is much higher. One estimate states that viruses cost American businesses $2.7 billion in 1994. In addition, the average recovery time required to clean up an organization having more than 25 PCs is four days. Even worse, 25% of those experiencing a virus attack suffered a reinfection by the same virus within 30 days. Even one virus incident can potentially cost a company millions of dollars. Although budgets often place computer security low on the priority list, the cost of prevention seems almost negligible when compared to the potential loss of time and money.

The odds of being infected with a virus are getting worse every day. Consider this progression of averages:

· In 1986, one new virus came into existence every one and a half months (there were eight known viruses; four of them existed only in computer laboratories).
· In 1989, one new virus came into existence every week.
· In 1990, one new virus came into existence every two days.
· In 1991, six new viruses came into existence every day.
· In 1994, approximately 7,000 known viruses existed.
· In 1995, approximately 15,000 known viruses existed.

Currently, the number of viruses doubles every eight to eight and a half months. Hackers and virus authors are working cooperatively. Electronic bulletin boards allow them to share not only new viruses, but virus-creating engines. A would-be virus author can learn from books, virus kits, the Internet, and even CD-ROM. However, antivirus companies, in order to maintain profitability, work alone, unwilling to share source code. The result is that there are 1,200 known virus authors but only 200 virus researchers. At that 6:1 ratio, the virus authors are getting more done than the researchers. Only 38% of corporate users consistently apply workstation antivirus products. As a result, more than 40% of all networks have viruses.

How Viruses Infect Systems

Usually, a virus enters a system through an intrusion point such as the floppy drives on user workstations. On a network, intrusion points include E-mail, modem pools, and gateways to other networks. Approximately 87% of viruses enter systems from floppies, and 43% of those are brought from home by unsuspecting users. Once on a system, a virus usually either attaches itself to an executable file, so that whenever that file is executed the virus is too, or infects the boot sector of the PC, so that from there it can travel to other floppies or logical disks.

Major Types of Viruses

The following sections discuss the most prevalent types of viruses, including file, boot sector, multi-partite, file overwrite, stealth, polymorphic, and macro-based.

File

File viruses usually attach themselves to an executable file, such as .EXE and .COM files on DOS machines. The virus can insert its code into the host program's code so that when the program executes, the virus executes first.
Most of the thousands of viruses known to exist are file viruses. Windows 3.1 barely runs in the presence of a file virus. If a file virus is resident in the memory of a DOS system (which is exactly where file viruses like to reside), in many cases Windows cannot even start. This generally causes the user running Windows to eliminate the virus, perhaps unwittingly, while attempting to fix the system. A growing trend toward Windows 95 and 32-bit operating systems may signal a resurgence of file viruses.

Boot

Boot sector viruses cause the vast majority of actual attack incidents. Each of the top 12 viruses reported last year was a boot sector virus. Whenever a computer is booted up, it looks for instructions about how to operate and what to do. It finds those instructions in the boot sector of a hard drive or floppy disk. Boot viruses insert themselves into boot sectors so that the virus executes first and gains control of the system, even before the operating system is loaded. Boot viruses are especially dangerous because they can spread from anything that has a boot sector. Any floppy disk--even an allegedly blank one--can spread boot viruses. If a floppy disk carrying a boot virus is inserted into a computer, the virus goes into RAM and infects every disk that computer accesses until the computer is rebooted, which wipes the boot virus from memory.

Multi-partite

Multi-partite viruses combine characteristics of file and boot viruses. They can spread as easily as a file virus, yet still insert an infection into a boot sector, making them very difficult to eradicate.

File Overwriters

File overwriters are file viruses that link themselves to an executable program but keep the program intact. Executing the program also executes the virus, which attempts to add itself to as many files as possible. File overwriters often have no purpose other than to replicate, but even then they take up space and slow performance.
They may damage or destroy files inadvertently.

Stealth

Stealth viruses are engineered to elude detection by traditional antivirus checkers. The virus may target and eliminate the detection function of a commercial antivirus product. Stealth viruses reside in memory, intercepting the system's MS-DOS calls in order to make infected files appear uninfected. The stealth virus can then infect every floppy diskette and logical drive the system accesses. Some antivirus scanners help propagate stealth viruses because they open and close files to scan them, giving the virus additional chances to spread.

Polymorphic

Polymorphic viruses include a mutation engine that makes the virus change minor parts of its code each time the virus is executed. Different encryption algorithms are nested within a polymorphic virus to help it hide from scanners. A decryption routine included in the virus allows it to return to a normal state when it executes. The stable bytes (the decryption algorithm) become shorter with repeated executions of the virus. This defeats first-generation virus scanners, which operate by checking code for any matches with known virus code. Virus authors can access polymorphic engines, which take a non-polymorphic virus as input and output the virus with polymorphic qualities. The availability of such engines has made the authoring of polymorphic viruses a simple, straightforward task. As a result, the number of polymorphics has doubled about every eight months. Today, more than 200 polymorphic viruses produced by these engines exist, and another 50 polymorphic viruses are known to exist that do not use the engines. The latest generation, the superfast polymorphic infector, can lay waste to every executable in every directory on a PC's hard disk without requiring that .COM and .EXE files launch first. Running a directory listing is enough to trigger the virus.

Macro-based

Macro-based viruses are the newest innovation.
A macro virus is unusual because it can infect documents instead of programs. It is the first virus that can cross platforms, infecting both PCs and Macintoshes. The one known form of the virus, written in WordBasic and referred to by Microsoft as the Prank Virus, infects only Microsoft Word 6.0 files. The virus is not destructive; it simply adds nonsense Word macros to documents that end with .DOC or .DOT. Although Prank is not really destructive, its implications for the future are disturbing because it has introduced an entirely new method for viruses to spread.

Common Spread Scenarios

Viruses spread through organizations in several ways, including through the use of shared machines, shared diskettes, popular programs, and LAN servers.

Shared Machines

Viruses spread throughout an organization most commonly through shared machines. A computer used by many different people can serve as a center of infection. If a user runs an infected program on the machine, the infection has probably spread to programs on the machine's hard disk. If other users bring their own diskettes to run on the machine, the diskettes and any programs on them are likely to become infected. The diskette will probably carry the infection to other machines.

Shared Diskettes

Many diskettes, such as diagnostic diskettes, product demos, or company manuals, are routinely carried from machine to machine. If such a diskette becomes infected, the infection can quickly spread to many machines.

Popular Programs

Popular games, demos, or animations often cause the user who obtains a copy to want to pass it on to other people. If one of these programs becomes infected, the infection can spread quickly to many machines.

LAN Servers

If a program on a LAN server used by many workstations becomes infected, a large percentage of the LAN workstations can become infected very quickly (sometimes within an hour or two).
One common mistake is to have the LAN log-on program in a place where anyone on the LAN can write to it. This setup means that if any workstation on the LAN becomes infected, the log-on program quickly becomes infected, and then every workstation that logs on to the LAN immediately becomes infected.

How to Discover a Virus

Viruses can continue replicating until they are detected. The most well-crafted viruses show no symptoms to reveal their presence. However, many viruses are flawed and betray their presence with some of these indications:

· Changes in the length of programs.
· Changes in the file date or time stamp.
· Longer program load times.
· Slower system operation.
· Reduced memory or disk space.
· Bad sectors on a floppy diskette.
· Unusual error messages.
· Unusual screen activity.
· Failed program execution.
· Failed system boot-ups when booting, or accidentally booting, from the A: drive.
· Unexpected writes to a drive.

Instead of waiting for a sign, network managers should use the appropriate tools to seek out viruses before they get far enough to compound problems. The ideal is to repel them before they infect the system.

Standard Approaches to Fighting Viruses

There are several ways to combat viruses. Computer viruses have become increasingly cunning in their programming and in their ability to avoid detection or eradication. However, virus-fighting tools have also grown through several generations to meet the challenge. Some of the various approaches are described in the following sections.

Signature-based Scanners

Traditionally, virus scanners look for known virus code and, when they find a match, alert the user. The leading scanners are signature-based. Signatures are strands of code unique to a single virus, analogous to DNA strands in a biological virus. Virus researchers and antivirus product developers catalog known viruses and their signatures. Scanners use these catalogs to search for viruses on a user's system.
The best scanners have an exhaustive inventory of all viruses known to exist and examine all possible locations for infection, including boot sectors, system memory, and files.

Multilevel Generic Detection

Generic detectors are used to eliminate unknown viruses. This method performs integrity checking using checksums. A checksum is created when an algorithm reads a file's bytes sequentially, producing a unique numeric code based on the file's contents. Generic antivirus detectors then compare checksums recorded when the system was in a known, clean state with checksums recalculated subsequently. If a virus has attached itself to a file, the bytes will add up differently and the new checksum will no longer match the old (i.e., clean) checksum. Using this method, it is not necessary to know anything about a virus; instead, the system focuses on what the clean file should look like. The Secret Service uses the same method when teaching agents how to spot counterfeit currency: new agents receive extremely detailed training on what a real dollar should look like rather than on what various counterfeits look like.

The other techniques used in generic detection enable antivirus programs to distinguish normal, legitimate writes to a file from viral additions. Expert systems test a system's software by examining code flows, calls, executions, and other functions to spot viral activity. Sophisticated versions of this approach not only spot viruses, but clean them automatically.

TSR Monitoring

Terminate and stay resident (TSR) programs stay in memory and operate in the background while other programs run. Because most viruses are essentially terminate-and-stay-resident programs themselves, it makes sense to combat them with TSRs. Antivirus TSR programs can provide real-time monitoring of disks and files and expert-system analysis of virus-like behavior and code, and may even detect stealth and polymorphic activity.
Rather than only working when invoked, TSRs stay on in automatic mode whenever the workstation is in use. Instead of looking for code that matches memorized patterns, as scanners do, antivirus TSRs attempt to catch viruses "in the act." On a network, antivirus TSRs can be downloaded from a server to each client as it logs on, so that users do not need to remember to activate antivirus tools.

Behavior Blocking

This is the only defense that can prevent viral infection, rather than merely detecting viruses after they have infected. Behavior blocking performs on-the-fly code analysis, monitoring the sequence of code behavior until it can distinguish whether the code is safe or harmful. Harmful code is not permitted to execute; instead, the behavior blocker notifies the user. Behavior blocking programs use some or all of the following techniques.

File Attribute Monitors

A virus cannot infect (i.e., write to) an executable that is marked read-only. Many viruses work around this by first modifying the file's attributes so that the file becomes read-write. Behavior blockers can intercept code that attempts to change or delete the attributes of files.

Intercept Reboot

Some behavior blockers intercept Ctrl+Alt+Del warm reboots and check any inserted floppy for viruses before allowing the computer to warm-boot off that floppy. If the floppy has a virus, the behavior blocker warns the user that the floppy is infected. This technique can halt boot viruses.

Smart Blocking

This term refers to very sophisticated behavior blockers that are able to distinguish complex virus behaviors from the complex behaviors of a user running complex software. Smart behavior blockers can analyze detailed sequences of behavior, using statistical analysis to determine the probability that a particular sequence is a virus.

Rescue Disks

Rescue disks are used to salvage data once a virus has infected a PC. It is important that each PC have its own rescue disk.
During the installation, an operator must be present to put in the diskette--there is no automatic installation. Users must keep track of their rescue disks. If the disk is lost, there is no way to rescue the PC from the virus infection.

Physical Access to PCs

One simple but important technique for defeating viruses is to control who is able to use the computers. Despite the rise of the Internet, most viruses still enter machines through floppy disks. Although the majority of infections come through the hands of unwitting employees, a percentage of attacks emanate from hostile intent. Therefore, some viral attacks can be deflected simply by deterring unauthorized personnel from using machines. Besides taking measures such as securing physical access to computer rooms, a manager can also use security products that render physical and logical drives invisible to certain users or user groups on a network. Thus, fewer personnel have the opportunity to hack those drives.

Drawbacks of Signature Scanning

Despite the existence of sophisticated antivirus tools, many organizations rely almost entirely on signature scanning to detect viruses. In light of the virus boom, signature scanning alone is a mediocre defense, at best. Some of the drawbacks of this commonly used approach are described in the following sections.

Passivity

The most profound flaw in relying on signature scanners is that they are reactive, or passive. The goal of scanning is to detect a virus that has already infected a file or a boot sector. The ideal method is to prevent viruses from infecting the system at all, not merely to be informed of the problem after the fact.

Incomplete Checking

A polymorphic virus, which produces varied but fully operational copies of itself, can deceive signature scanners by altering or encrypting its signature.
Signature scanners have attempted to address this by including several signatures for a given virus, one for each possible encryption method or iteration of the signature. As polymorphic viruses become increasingly sophisticated, the brute-force method of including more signatures in the scanner will not be able to keep up with all the possible variants of all the polymorphic viruses. Many polymorphs already evade detection by interspersing noise instructions or by interchanging mutually independent instructions within the code to continually modify the signature. A simple signature-based scanner cannot reliably identify this type of code.

Failure to Scan for Newer Viruses

Scan strings can only be extracted and cataloged if the antivirus vendor has a sample of the virus. In the recent past, it took the most common viruses six months to three years to become prevalent, giving vendors enough time to send out regular updates of known viruses and head them off. The exponential growth in viruses has increased the likelihood of a new virus reaching the LAN or PC before the update from the antivirus company does. Besides creating a chance of missing an unknown virus, signature-based scanners require constant updating. If the signature scanner is not centrally administered, it slows productivity and drains resources because of the management tasks needed to install each successive enterprisewide update.

Insufficient Scanning Frequency

In theory, a virus infecting a system at 8:59 a.m. could be caught one minute later if the network is routinely scanned at 9:00 a.m. However, the opposite scenario is just as likely: a network may be scanned at 9:00 a.m. and become infected at 9:05 a.m. If the virus is a fast infector such as Dark Avenger or Frodo, once it is in memory it can infect not only executed programs, but even those that are merely opened. Such a virus has almost 24 hours of free time to wreak havoc in the network.
Even worse, because many signature scanners open files in order to scan them, the very act of using the scanner can allow the virus to infect all programs at once.

Slow Scanning

Any scanner takes a finite amount of time to scan a machine for viruses--perhaps five minutes or more. If the 70 million US employees who use PCs spend five minutes a day scanning, and earn $15 an hour, the annual cost of scanning (260 days a year) is more than $22 billion. The costs of scanning exceed the purchase price of antivirus software after just a few weeks of scanning. More sophisticated tools can cut this time drastically by scanning checksums instead of the entire contents of every file. The more viruses a scanner must search for, the more places within a file it must search, and the more files it must search across, the slower the search must be. Because strings must be stored in memory, and memory is limited, there will soon be two-pass products that load one set of strings, scan, then load a second set and scan again. Although computers are faster now, hard drives are also getting larger.

Dependence on User Compliance

Traditional scanners do not work unless employees remember to use them. Some users are inclined to value their own productivity and convenience more than their employer's security concerns, and thus are not motivated to scan consistently. Even diligent users tend to get lax if scanning every day for a month produces no alarms.

Recommended Course of Action

As long as there are hackers inventing new forms of maliciousness, no antivirus vendor can guarantee that its products will completely eliminate viruses. However, there are advanced products that come very close to providing the ideal defense. Knowledgeable implementation of advanced protection strategies and products can prove an effective deterrent to viruses in the short and long term.
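The following Python sketch is an added illustration, not code from the article, of the contrast drawn in the Multilevel Generic Detection and Incomplete Checking sections: a first-generation signature scanner beside a checksum-based integrity checker, run over constructed in-memory files. The file contents, the catalogued signature bytes and the noise-byte variant are all made up for the demonstration.

```python
"""Toy signature scanner beside a checksum-based integrity checker.

Added example, not code from the article. Every 'file', the catalogued
signature and the 'variant' below are constructed byte strings for the
demonstration; none of them is real virus code.
"""
import hashlib
from typing import Dict, List

# Constructed "programs" on a clean disk, standing in for .COM/.EXE files.
CLEAN_FILES: Dict[str, bytes] = {
    "EDIT.COM": b"\xb8\x00\x4c\xcd\x21" + b"clean editor code" * 3,
    "GAME.EXE": b"MZ" + b"clean game code" * 4,
    "LOGIN.EXE": b"MZ" + b"network logon program" * 2,
}

# Constructed signature database: the byte pattern a vendor would catalog
# after analysing a sample, keyed by the name it is catalogued under.
SIGNATURES: Dict[str, bytes] = {
    "DEMO.A": b"\xde\xad\xbe\xef-demo-marker",
}

# Constructed "variant": the same marker with one noise byte (\x90) spliced
# into the middle, mirroring the article's point that interspersed noise
# instructions keep the catalogued string from matching.
VARIANT_WITH_NOISE = b"\xde\xad\x90\xbe\xef-demo-marker"


def checksum(data: bytes) -> str:
    """Read the file's bytes sequentially and reduce them to one fixed code.

    SHA-256 stands in for the article's "checksum". A plain CRC would catch
    accidental changes but is trivial to keep constant on purpose, so a
    cryptographic hash is the right tool for an integrity baseline.
    """
    return hashlib.sha256(data).hexdigest()


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one checksum per file while the system is in a known clean state."""
    return {name: checksum(data) for name, data in files.items()}


def signature_scan(files: Dict[str, bytes],
                   signatures: Dict[str, bytes]) -> Dict[str, List[str]]:
    """First-generation scanner: report files containing any catalogued pattern."""
    hits: Dict[str, List[str]] = {}
    for name, data in files.items():
        matched = [vname for vname, sig in signatures.items() if sig in data]
        if matched:
            hits[name] = matched
    return hits


def integrity_check(files: Dict[str, bytes],
                    known_good: Dict[str, str]) -> Dict[str, str]:
    """Generic detection: flag anything whose checksum drifted from the baseline.

    A file missing from the baseline is reported too. The checker cannot tell
    a legitimate update from a viral addition, so the baseline must be
    refreshed after every trusted change (the article's 'legitimate writes').
    """
    findings: Dict[str, str] = {}
    for name, data in files.items():
        if name not in known_good:
            findings[name] = "new file, not in baseline"
        elif checksum(data) != known_good[name]:
            findings[name] = "checksum changed since baseline"
    return findings


def demo():
    """Run both detectors over a constructed 'later' state of the same disk."""
    known_good = baseline(CLEAN_FILES)
    later = dict(CLEAN_FILES)
    later["EDIT.COM"] += SIGNATURES["DEMO.A"]   # catalogued sample appended
    later["GAME.EXE"] += VARIANT_WITH_NOISE      # variant the scanner lacks
    later["NEWTOOL.EXE"] = b"MZ" + b"program that was never baselined"
    return signature_scan(later, SIGNATURES), integrity_check(later, known_good)


if __name__ == "__main__":
    sig_hits, drift = demo()
    print("signature scan :", sig_hits)   # only EDIT.COM
    print("integrity check:", drift)      # EDIT.COM, GAME.EXE, NEWTOOL.EXE
```

The variant with a single noise byte slips past the scanner but is still reported by the integrity check, which in turn cannot tell that change from a legitimate update unless the baseline is refreshed after trusted changes.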
Strategies for Virus Prevention

The first priority for an antivirus strategy is that any defenses put in place must actually be used. Many approaches emphasize end-user convenience to the point of rendering defenses useless. A company can, however, set up antivirus software on its LAN servers so that each time a user logs in, the program checks for its own presence on the user's workstation. If such antivirus software is not present on the workstation, the program loads itself onto the PC and scans the PC's hard drive before allowing the user to continue. If the program finds an earlier version of itself, or a modified version of itself, on the workstation, it loads the newer, clean version onto that workstation and scans. The entire process happens rapidly enough not to harm user productivity. Many users do not even notice it happening.

This approach is far preferable to that of programs that depend on users remembering to scan periodically. Such programs leave holes in a system's defenses every time even one user forgets to scan. Users are often tempted to skip scanning, especially if the scanning process is slow. This adds an even more haphazard quality to network defense. Antivirus software should offer an unobtrusive way of forcing users to keep their machines clean.

Repelling Viruses Proactively

An antivirus strategy should be proactive. It should detect and repel viruses before they infect anything on the system. A signature scanner working as the sole defense of a network can do nothing more than occasionally report bad news. The ideal system must be able to stop boot viruses before they infect and must be able to remove all viruses without necessarily knowing the virus. Proactive antivirus software provides signature scanning as well as multilevel generic detection, a terminate-and-stay-resident approach, and behavior blocking to remove viruses both known and unknown.
Comprehensive Security

Some antivirus software scans only for the 200 most common viruses, which account for the majority of infections. Protecting a system from these common viruses may offer sufficient protection, because the likelihood of infection by another virus is quite slim. However, the ideal system is not one that usually works, or hardly ever misses a virus, but one that seals off every conceivable intrusion point.

In addition, viruses tend to spread in a regional fashion, turning up much more frequently in one particular country or geographical area than in others. If a virus common in a particular region is one that the software perceives as uncommon, the scanner could miss the virus. This is especially threatening in companies that have international offices. Effective antivirus software uses a combination of traditional and proprietary heuristic techniques to ferret out even the trickiest viruses, Trojan horses, and logic bombs. Scanning alone is not sufficient. The most effective antivirus system should use the latest generation of defenses in concert.

Automatic Logging

Antivirus systems should document any security events that occur so that managers can stay informed about threats to their defense system. Documentation should include log-ins, log-offs, and program execution, plus a separate log of failed log-in attempts. Effective antivirus software should also require password entry upon any boot-up and prevent access to hard disks by any other means. After a period of inactivity at the keyboard, a time-out feature should inhibit input from the keyboard and mouse. Documentation and automatic logging requirements help management restrict physical access to workstations, which is vital to maintaining a protected environment.

Author Biographies

Frank Horwitz

Frank Horwitz is the founder and CEO of SecureNet Technologies, Inc., located in Lynnwood, WA.

© Secure Net Technologies.