Project On Virus
Note: These are common signs of infection. However, these signs may also
be caused by hardware or software problems that have nothing to do with a
computer virus. Unless you run the Microsoft Malicious Software Removal
Tool, and then you install industry-standard, up-to-date antivirus software
on your computer, you cannot be certain whether a computer is infected
with a computer virus or not.
Symptoms of worms and trojan horse viruses in e-mail messages
When a computer virus infects e-mail messages or infects other files on a
computer, you may notice the following symptoms:
The infected file may make copies of itself. This behavior may use up
all the free space on the hard disk.
A copy of the infected file may be sent to all the addresses in an e-mail address list.
The computer virus may reformat the hard disk. This behavior will
delete files and programs.
The computer virus may install hidden programs, such as pirated
software. This pirated software may then be distributed and sold from
the computer.
The computer virus may reduce security. This could enable intruders
to remotely access the computer or the network.
You receive an e-mail message that has a strange attachment. When
you open the attachment, dialog boxes appear, or a sudden
degradation in system performance occurs.
Someone tells you that they have recently received e-mail messages
from you that contained attached files that you did not send. The files
that are attached to the e-mail messages have extensions such as
.exe, .bat, .scr, and .vbs.
Symptoms that may be the result of ordinary Windows functions
A computer virus infection may cause the following problems:
Windows does not start even though you have not made any system
changes or even though you have not installed or removed any
programs.
There is frequent modem activity. If you have an external modem,
you may notice the lights blinking frequently when the modem is not
being used. You may be unknowingly supplying pirated software.
Windows does not start because certain important system files are
missing. Additionally, you receive an error message that lists the
missing files.
The computer sometimes starts as expected. However, at other
times, the computer stops responding before the desktop icons and
the taskbar appear.
The computer runs very slowly. Additionally, the computer takes
longer than expected to start.
You receive out-of-memory error messages even though the
computer has sufficient RAM.
New programs are installed incorrectly.
Windows spontaneously restarts unexpectedly.
Programs that used to run stop responding frequently. Even if you
remove and reinstall the programs, the issue continues to occur.
A disk utility such as Scandisk reports multiple serious disk errors.
A partition disappears.
The computer always stops responding when you try to use Microsoft
Office products.
You cannot start Windows Task Manager.
Antivirus software indicates that a computer virus is present.
executable program, often just a script that relies on another application
sure to be running on a computer, like the macro viruses that infect
Microsoft Word. Like a biological virus, a computer virus replicates quickly.
A virus lives to create more viruses, and its secondary purpose is to do
some damage or cause embarrassment.
A virus cannot infect computer data because data files are not executed.
Users sometimes believe that document files carry viruses, but the macro
code hidden inside those files is actually the culprit.
Replicator
The code concerned with replication creates copies of the virus. If the virus
does nothing beyond this, it remains an irritation but does not cause
damage beyond consuming disk space, CPU (central processing unit) time,
and bandwidth.
Concealer
Concealment promotes the virus from being an irritation to being a real
problem. Viruses that take the trouble to hide generally plan to cause more
damage. Viruses began hiding in boot sectors -- that is, code files that are
activated when the computer starts up -- early in virus history, and this can
cause serious frustration. But viruses also use other tricks, such as
morphing, and they infect files in either an overwriting or a non-overwriting manner.
Payload
The payload delivers the pain in a virus to the end user. If the user is lucky,
a message appears, essentially laughing at the user's inability to protect his
or her computer. If the user is unlucky, the virus causes commands to
execute, files to be trashed, data to be captured and sent to outsiders, or
hard drives to be completely reformatted.
Types of Viruses
Macro viruses
Most users are wary of unverified and unscreened .doc files because they
can carry viruses. A user doesn't energize a virus by opening and reading
the .doc file but by executing macros included in that file. Macro viruses
take advantage of the fact that Microsoft chose to enhance integration
across its Microsoft Office component applications by creating a method for
Visual Basic routines to execute inside Microsoft Word. Clever corporate
developers weave magical applications that flit in and out of desktop Word
and Excel files while tying them all to large databases. Clever virus
developers follow gleefully behind, tying desktops in knots.
The vast majority of viruses causing corporate grief today are macro
viruses. More than 73,000 viruses have been cataloged, and approximately
99 percent of them derive from one of a few hundred foundation viruses.
The majority of those, 75 percent or more, depending on the reference
source, are macro viruses.
Polymorphic Virus
A polymorphic virus aggravates people until the tracking tools become
refined enough to catch it. Hackers now circulate programming tools that
convert standard viruses into polymorphic viruses.
Stealth viruses
A sneaky way for a virus to remain undetected is to actually hide where it
exists in your computer memory or on the hard drive. It may do this by
co-opting a function, such as examining memory locations or physical
locations on the disk drive. When antivirus programs or other tools search
these locations, the stealth virus redirects them to the original code, which
was copied during the infestation. The original code doesn't have a virus,
so the antivirus software reports that all is well. Still hidden thanks to the
redirection ruse, the stealth virus remains and continues to infest the
computer.
Stealth viruses, which intercept and redirect complete DOS calls to read
the hard drive sectors, must be fairly large. To avoid detection, they report
false file sizes so changes in executable files remain hidden.
Boot viruses
In today's world of hard disk drive boot processes, the MBR (master boot
record) is a target for virus writers. Because a boot virus grabs control of
the system early in the boot process, it can do great damage and remain
hidden.
Any disruption of the MBR turns your hard disk into a paperweight, and
even reformatting the drive can't get all the boot sector virus types still in
the wild.
Email viruses
Because the majority of viruses are spread via email in some form or
fashion, there really isn't a pure email virus limited to email transmission.
However, users forever fall into the trap of opening files attached to emails,
making this category a necessary one.
An executable file attached to an email wreaks havoc almost instantly after
someone clicks and opens it. You can yell all you want about not opening
attached files, but users often either forget the warnings or get fooled.
Miscreants are getting more adept at hiding their executable email
attachments. One of the early tricks was to show an extension on an
attached file that indicates a non-executable file, such as .txt or .doc, and
trusting that the user hadn't changed the Microsoft Windows default of
hiding extensions. A .txt file appears in the display, but when the user clicks
to open it, the real extension, .exe, kicks in and starts the devastation.
Today, virus attachments sometimes have a .vbs extension for Visual Basic
because many users don't recognize that extension. They also sometimes
have the obscure .shs extension, for Windows OLE (object linking and
embedding) scrap files. Some cleverly include an .lnk extension to trick the
user to click the link file and launch the .exe application described within.
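As an added example that is not part of the original project, the following Python check applies the extension tricks described above (and the suspicious extensions listed under the e-mail symptoms) to attachment file names before they reach a user; the decoy-extension set is an assumption, not something the text specifies.

```python
"""Flag attachment names that use the extension tricks described above.

Added example, not part of the original project. The extension sets are
assumptions derived from the text; tune them to local policy.
"""

# Extensions the text names as executable or script content arriving by mail.
EXECUTABLE_EXTS = {".exe", ".bat", ".scr", ".vbs"}
# Less obvious carriers the text warns about: OLE scrap files and shortcut files.
OBSCURE_EXTS = {".shs", ".lnk"}
# Extensions a user reads as a harmless document, used as the visible decoy.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".pdf"}   # assumption: typical decoys


def split_extensions(filename):
    """Return the lower-cased extensions of a name, innermost first, outermost last.

    Whitespace inside a component is stripped so "notes.txt      .exe" still
    yields [".txt", ".exe"].
    """
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return []
    return ["." + p.strip() for p in parts[1:]]


def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'.

    Windows with "hide extensions" on shows only what precedes the LAST dot, so
    "notes.txt.exe" displays as "notes.txt" while the .exe is what runs.
    """
    exts = split_extensions(filename)
    if not exts:
        return "quarantine", "no extension; the name says nothing about the content"
    real = exts[-1]                                 # what actually executes
    visible = exts[-2] if len(exts) > 1 else None   # what the user sees
    padded = "  " in filename.strip()               # spaces push the real extension out of view
    if real in EXECUTABLE_EXTS or real in OBSCURE_EXTS:
        if visible in DECOY_EXTS or padded:
            return "block", f"disguised executable: displayed as {visible or '(padded name)'}, runs as {real}"
        return "block", f"executable attachment type {real}"
    if visible in EXECUTABLE_EXTS or visible in OBSCURE_EXTS:
        # "invoice.exe.txt" is inert, but an executable renamed to slip past a
        # filter deserves a human look rather than silent delivery.
        return "quarantine", f"executable extension {visible} hidden before {real}"
    return "allow", f"document type {real}"


def triage(attachment_names):
    """Classify a batch of names; returns {name: (verdict, reason)}."""
    return {name: classify_attachment(name) for name in attachment_names}


if __name__ == "__main__":
    # Constructed sample attachment names, not real mail.
    sample = ["quarterly.doc", "readme.txt.exe", "photo.jpg            .scr",
              "setup.shs", "click_me.lnk", "invoice.exe.txt", "README"]
    for name, (verdict, reason) in triage(sample).items():
        print(f"{verdict:10} {name!r}: {reason}")
```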
Viruses are a tricky group of malicious software. There's more than one
way to contract a virus, and there's more than one way for a virus to make
your life miserable. However, viruses aren't the only threat out there. On
the next page, you'll learn about a type of malicious software called worms.
These nasty little bugs can quickly become major headaches, so keep
reading to learn more about how they work.
Malware
Malware refers to any malicious, unexpected, or parasitic macros, code, or
applications. It is sometimes difficult to classify code as strictly a virus,
worm, or Trojan -- and it often doesn't matter which particular variety you're
dealing with. The term malware is therefore used as a generic term for any
malicious software.
back at that type of worm with warm nostalgia. New worms are likely to
explode across the internet while disabling security programs in infected
systems.
Good worms
Programs that coordinate large numbers of connected systems by putting
and getting data points for individual processing are, technically, worms. In
fact, interactive technologies such as IRC (Internet Relay Chat) could be
called worms in some odd definitions.
The first and therefore most famous good worm is the SETI (Search for
Extraterrestrial Intelligence) project. Millions of computer users, through the
SETI screensaver, agreed to let the SETI group parse radio antenna data
for intelligent signals. (Other groups are doing the same type of operation in
their quest for drug development and the like.) Each user agreed to make
his or her system a host for this worm, which comes and goes with data,
without interaction from the user. We call this version a good worm
because people agreed to host the application on their systems and allow
data collection and transmission automatically.
But many worms are not good and in fact can create havoc in a matter of
minutes. Oftentimes, worms overwhelm email servers and choke
bandwidth rather than trashing hard disks or corrupting files. Some worms
double the number of infected systems every minute (yes, every minute),
so a worm with a destructive payload could do great damage. When you
read headlines saying that major Fortune 500 companies are paralyzed
because a worm infestation clogged their email servers, it's not a stretch to
think that the next attack could format the majority of desktop-housed hard
disks.
However, viruses and worms aren't the only threats you need to worry
about. Another threat, called a Trojan, can be equally devastating. On the
next page, you'll learn more about what Trojans are and how they can
affect your computers and your network.
After fighting with the Trojans for years, the ancient Greeks built a giant
wooden horse and offered it to the Trojans as a peace offering. The
Trojans didn't know, however, that the Trojan Horse held hidden Greek
soldiers. The Trojans allowed the horse to be brought inside the fortified
city walls and began to celebrate. While the Trojans were sleeping off the
party, the Greek soldiers crawled out of the horse and captured the city.
Trojans that infect your computer work the same way as the Trojan Horse:
They sneak in and catch you unaware. By the time you know there's
something wrong, the damage is already done, and it's usually not
reversible.
Trojan horse worms
A Trojan horse application actively emails copies of itself to addresses
found on infected computers. Often using the lure of an adult picture, a
Trojan becomes a virus in horse's clothing. Users may never get wise to
worms and viruses sending them malware from the infected computers of
their friends. Because Trojans can beat antivirus program checks while
masquerading as standard services, email attachments are assumed safe.
Trojans triggering DDoS attacks
Some Trojan horse programs don't attempt any mischief until triggered to
launch DDoS attacks on specific targets. By launching these attacks from
thousands of computers on thousands of access points around the internet,
the attackers were more successful than they had been by using one or
two hidden sources for DDoS attacks. Trojan horse malware offers great
advantages to evildoers. The programs can be distributed in a number of
ways and can self-distribute via the worm modifications. As if viruses,
worms, and Trojans weren't enough, we also need to protect against
spyware, which is discussed next.
Spyware: a quiet, dangerous threat
Like Trojan horse malware, spyware sends information out across the
internet to some other location. However, spyware monitors user activity on
the system, down to keystrokes typed, and then it sends this logged
information to the originator. If the originator is a hacker, passwords,
account numbers, and other secrets will be secrets no longer. Messages
sent from spyware often escape undetected by using standard email
processes. Users collect spyware from many places, especially websites.
Spyware often hides in shareware applications that perform otherwise
useful functions. Oftentimes, the originator of spyware is the company that
owns the computer and employs the user. Legally, the company has a right
to operate such software because everything the employee does as a
matter of employment belongs to the company.
Although a company can monitor employees in this manner, it's not a good
idea. When employees find out, they get angry. If the company monitors a
nonemployee, such as a salesperson logging in to his or her own website
for a price update, the company breaks the law by capturing that person's
password. Besides these types of issues, having legitimate spyware on
systems makes it difficult to find and expunge outside spyware. Spyware is
becoming an increasingly dangerous threat. It's quiet, it's hard to detect,
and the results can be devastating.
type of spam control, you need to get some. Letting spam into your office
means trusting your users to properly handle attachments and messages
that have exploits hidden inside them. These are just the basics of security,
but there's much more. No single protection technology can keep your
organization safe. Instead, you need to have layers of security, each more
difficult to bypass than the previous. On the next page, you'll learn about
layering your security efforts.
Secure firewalls
Early firewalls blocked most port numbers against outsiders and did little
else. The world of firewalls has grown, matured, and grown some more.
Firewalls today deserve their reputation as the first, and perhaps strongest,
line of defense against malware. Early on, firewalls never checked the
content going through them. As long as incoming packets matched
requests, such as a web server response to a client request, and email
came with a proper address, the firewall let the packet through. Today, with
advanced firewall filtering and security functions, you can keep up to 90
percent of malware outside your network. Imagine that number again: You
can eliminate 9 out of 10 problems by implementing a strong firewall with
the proper configuration.
Implementing antispoofing
Spoofing occurs when an outsider modifies a packet header to make it
appear as though the packet really came from inside the network. This can
fool a firewall because the IP address has security clearance properties
that allow it inside the network. You need to turn on antispoofing in your
firewalls.
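The antispoofing rule described above, written out as an added Python example that is not part of the original project: the interface names, internal prefixes and sample packet headers are constructed assumptions. It also adds the mirror-image egress rule, which the text does not mention, so that an infected inside host cannot send packets with forged outside addresses.

```python
"""Antispoofing rule for the perimeter firewall described above.

Added example, not part of the original project. Interface names, the
internal prefixes and the sample packets are constructed assumptions.
"""
import ipaddress

EXTERNAL_IFACE = "wan0"   # assumption: the interface facing the internet
INTERNAL_IFACE = "lan0"   # assumption: the interface facing the network

# Address space that legitimately exists only inside this network (assumption).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]

# Source addresses that can never legitimately arrive from the internet.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(p) for p in (
    "127.0.0.0/8",       # loopback
    "0.0.0.0/8",         # "this host on this network"
    "169.254.0.0/16",    # link-local
    "224.0.0.0/4",       # multicast is never a valid source
)]


def is_spoofed(ingress_iface, src_ip):
    """True when a packet entering from outside claims an inside (or impossible) source.

    This is the check the text calls antispoofing: an outside packet carrying an
    inside address must not inherit the trust that address normally has.
    """
    if ingress_iface != EXTERNAL_IFACE:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in INTERNAL_PREFIXES + NEVER_FROM_OUTSIDE)


def is_egress_spoofed(ingress_iface, src_ip):
    """Mirror rule (beyond the text): inside hosts may only send with inside sources.

    Dropping such packets keeps a compromised inside host from sending spoofed
    traffic toward other networks.
    """
    if ingress_iface != INTERNAL_IFACE:
        return False
    src = ipaddress.ip_address(src_ip)
    return not any(src in net for net in INTERNAL_PREFIXES)


def filter_packets(packets):
    """Apply both rules; returns (accepted, dropped), dropped items carry the rule name."""
    accepted, dropped = [], []
    for pkt in packets:
        if is_spoofed(pkt["iface"], pkt["src"]):
            dropped.append((pkt, "antispoofing-ingress"))
        elif is_egress_spoofed(pkt["iface"], pkt["src"]):
            dropped.append((pkt, "antispoofing-egress"))
        else:
            accepted.append(pkt)
    return accepted, dropped


# Constructed packet headers (only the fields the rule looks at).
SAMPLE_PACKETS = [
    {"iface": "wan0", "src": "203.0.113.7",  "dst": "192.168.1.10", "note": "web reply from outside"},
    {"iface": "wan0", "src": "192.168.1.20", "dst": "192.168.1.10", "note": "outside packet claiming inside address"},
    {"iface": "wan0", "src": "127.0.0.1",    "dst": "192.168.1.10", "note": "outside packet claiming loopback"},
    {"iface": "lan0", "src": "10.1.2.3",     "dst": "198.51.100.5", "note": "normal outbound request"},
    {"iface": "lan0", "src": "198.51.100.9", "dst": "198.51.100.5", "note": "inside host using a foreign source"},
]

if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_PACKETS)
    for pkt, rule in dropped:
        print(f"DROP  {pkt['iface']} {pkt['src']:>14} -> {pkt['dst']:<14} ({rule}: {pkt['note']})")
    for pkt in accepted:
        print(f"PASS  {pkt['iface']} {pkt['src']:>14} -> {pkt['dst']:<14} ({pkt['note']})")
```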
Clean up
You need to apply patches to your virus software, server software, and
desktop software. Major vendors normally issue patches after a major
outbreak just for this reason. You should also find and restore any
damaged files and go through affected servers, especially email servers,
and verify that email boxes and history files remain intact.
Debrief the team and affected users
Team members and power users can help you decipher
what really happened and, possibly, why. You should discuss steps taken
during the attack and rationally decide which steps helped and which hurt.
Then you should do the same for your managers if they're not in the room.
scenario is right for you depends on your business needs. If you have
heavy internet or email traffic, you may prefer to have hourly or daily
updates, but if the traffic outside your network isn't that high, you might be
able to wait for weekly updates.
that doesn't contain a known signature, but it suddenly causes your email
program to begin sending out thousands of emails, the behavior-based
scanning tool will locate the problem more quickly than a signature-based
scan might.
Compared to signature-scanning tools, they have the following
disadvantages:
They trigger more false alarms.
They're more expensive.
They require more system processing power.
They're slower when checking large numbers of files.
No program can yet emulate the
knowledge and experience of a well-trained virus detective. Scanners can
only identify code they think will cause some problem, such as file access
routines or code to create new files. Each instruction examined gets filed
into a "possible virus code" or "innocent code" bucket. When the scanning
finishes, the bucket with the most entries wins and makes the final
recommendation.
A scanner application must decide whether file access or file creation is a
result of virus activity or general application functions. Suspect behavior
and unknown code sequences trigger alarms in heuristic scanners. Some
of these suspect files turn out to be innocent, of course, and cause false
alarms. False alarms aren't good, but they're better than virus infections. In
many ways, heuristic scanners follow the patterns of artificial intelligence
software. They show great promise, but the reality has yet to catch up, and
the programs are complex. Heuristic scanners improve with time and with
each new code iteration. Most vendors offer configuration choices so you
can adjust your alarm threshold when necessary, dialing back the
sensitivity when you receive too many false alarms.
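The two-bucket vote and the adjustable alarm threshold described above, as an added Python example that is not part of the original project: the instruction tokens, the suspect/innocent tables and the four sample traces are constructed, and a real heuristic scanner classifies disassembled code rather than strings.

```python
"""Toy heuristic scanner implementing the two-bucket vote described above.

Added example, not part of the original project. The instruction tokens,
the suspect/innocent tables and the sample traces are constructed.
"""
from collections import Counter

# Behaviours the text names as suspect: file access and creation routines,
# plus the self-copying and mass-mailing that worms and macro viruses perform.
SUSPECT_OPS = {
    "open_file_write", "create_file", "copy_self", "write_boot_sector",
    "enumerate_address_book", "send_mail", "hook_disk_read",
}
# Everyday operations that any program performs.
INNOCENT_OPS = {"read_config", "draw_window", "read_file", "compute", "log", "exit"}

# Constructed traces (what a scanner would see as a program's instruction stream).
INSTALLER_TRACE = ["read_config", "draw_window", "create_file", "create_file",
                   "open_file_write", "log", "exit"]                 # legitimate, 3/7 suspect
EDITOR_TRACE = ["read_config", "draw_window", "read_file", "open_file_write",
                "log", "exit"]                                       # legitimate, 1/6 suspect
MASS_MAILER_TRACE = ["read_file", "enumerate_address_book", "copy_self",
                     "send_mail", "send_mail", "send_mail", "exit"]  # 5/7 suspect
BOOT_INFECTOR_TRACE = ["write_boot_sector", "hook_disk_read", "copy_self",
                       "unknown_sequence_0x9f", "compute", "exit"]   # 4/6, one unknown


def bucket_votes(trace):
    """File each instruction into the 'suspect' or 'innocent' bucket.

    Unknown code sequences trigger alarms in heuristic scanners, so anything
    in neither table is counted as suspect.
    """
    votes = Counter()
    for op in trace:
        if op in SUSPECT_OPS:
            votes["suspect"] += 1
        elif op in INNOCENT_OPS:
            votes["innocent"] += 1
        else:
            votes["suspect"] += 1       # unknown sequence
    return votes


def verdict(trace, threshold=0.5):
    """Return (label, suspect_share).

    threshold=0.5 is the plain "bucket with the most entries wins" rule from the
    text; raising it dials back sensitivity when false alarms pile up.
    """
    votes = bucket_votes(trace)
    total = sum(votes.values()) or 1
    share = votes["suspect"] / total
    return ("possible virus" if share >= threshold else "innocent"), round(share, 2)


def tune_threshold(known_good, known_bad, step=0.05):
    """Pick the lowest threshold that raises no false alarm on known-good traces.

    Returns (threshold, number of known-bad traces still caught) so the operator
    can see what reduced sensitivity costs in missed detections.
    """
    for k in range(1, int(1 / step)):
        t = k * step
        if all(verdict(g, t)[0] == "innocent" for g in known_good):
            caught = sum(verdict(b, t)[0] == "possible virus" for b in known_bad)
            return round(t, 2), caught
    return 1.0, 0


if __name__ == "__main__":
    for name, trace in [("installer", INSTALLER_TRACE), ("editor", EDITOR_TRACE),
                        ("mass mailer", MASS_MAILER_TRACE), ("boot infector", BOOT_INFECTOR_TRACE)]:
        print(f"{name:14} default threshold -> {verdict(trace)}")
    print("tuned:", tune_threshold([INSTALLER_TRACE, EDITOR_TRACE],
                                   [MASS_MAILER_TRACE, BOOT_INFECTOR_TRACE]))
```

With the default rule the installer scores 0.43 and passes, but at a 0.4 threshold it becomes a false alarm; the tuner settles on 0.45, which still catches both constructed malicious traces.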
Staying up to date
Scanning applications using signature scanning must include newly
discovered virus patterns; therefore, you must keep those up to date.
Heuristic-scanning tools gradually improve their capabilities for determining
the difference between unseen code and potentially harmful virus code.
Therefore, you must keep those programs up to date as well. Viruses
change, as do antivirus measures, no matter whether they use signature
scanning or heuristics. Try to get volume discounts with vendors that offer
both virus and spam heuristics tools. In this way, you can leverage
advances in heuristic scanning for both areas. Stopping spam also stops
some viruses, so getting a volume discount by combining protection
purposes makes sense. Remember that heuristic scanners catch unknown
virus signatures, protecting you against new viruses as they appear in the
wild. After they've been in the wild for a few weeks, your signature-
scanning software database includes those new signatures. Lag times
between identification via heuristic means, verification by antivirus vendors,
and signature database updates shrink each month. So updating your
signature file today may well protect you against the virus launched just last
month and reaching your network tomorrow. You have antivirus software
protecting you, a firewall in place, and antispyware technologies working
overtime, so you're well protected, right? You may be, but even the most
protected computer networks in the world fall victim to human error from
time to time. Therefore, adding a layer of security at the email server level
is essential, not optional.
Protecting email servers and notebook computers
Many different types of programs are available to help protect email
servers, including antivirus programs that include additional modules,
firewalls, and other elements to help ensure that you're protected. If you
use these programs, you don't waste program resources by trying to keep
dozens of machines, or even your whole network, safe. It's to your
advantage to develop close relationships with your vendors to help ensure
your systems are protected and up to date. You shouldn't be afraid to lean
on your vendors to do their job. You need to get your information and
patches as regularly as possible. Once or twice a month is a patch. Once a
quarter or longer is an upgrade, and chances are, the vendor will try to
charge you for an upgrade. You need to get a vendor's updates as often as
possible, and you shouldn't pay a vendor to fix its company's own
problems. Holes in operating systems get the biggest spotlight, but holes
can exist in applications as well (for example, Microsoft Word and Excel
macro viruses). You shouldn't limit your security planning to just operating
systems. It's important to become very friendly with your Microsoft supplier.
If your company is big enough to buy directly from Microsoft, you might
have an in to the proper level of technical support to get updated virus
information. If your company is big enough to buy directly but not big
enough to get any real attention from the Microsoft support team, you
should make some contacts with local resellers and consultants.
Third-party groups can often fill in the Microsoft gaps.
Similarly, befriending other application vendors can work in your favor. If
you deal directly with a vendor, you should make contacts within that
company's technical support group. If you buy some applications through
resellers, it's a good idea to contact a reseller's technical support group
before you need help. Every bit of preparation you can do may help reduce
the duration of your emergency situation and clear up an infestation sooner
rather than later.
Plan your backup strategy
At some point, files will be trashed, systems will be trashed, and restoration
will become a priority. If infection spreads far and wide, you may find
yourself in disaster-recovery mode, which isn't a pleasant experience. Are
you ready? Is your backup and restoration plan ready? Your backup
hierarchy should be able to handle re-creating servers and desktops. With
luck and quick action, you may only have to replace some operating
system files on a few computers. On the other hand, you may have to
completely rebuild servers to rid them of a pernicious virus. To reach far
enough into the past to avoid reinfecting your systems with a dormant form
of a virus, you need backups from multiple dates. For operating system file
restorations, you should reach as far back as possible. The first backup
after operating system installation or after the last service patch upgrade is
your best bet. For applications, the first backup after verification of proper
working order is a good one. When restoring after a virus attack, you need
to consider your data. Even though data files, other than Microsoft Word
and Excel, rarely get infected, you should still scan all data files for viruses
and match your data to the application patch level. Making backups for
your routers, switches, and network servers is critical. These systems can
be destroyed during firewall probing and hacking, and you need them to be
ready before you go back online. In addition to enlisting the support of
vendors, getting training, and creating a backup and restoration plan,
another important part of proactive protection is forming an action team,
which is discussed on the next page.
Assign responsibilities
In a malware crisis, dividing the jobs and conquering the virus should be
your goal. Every infection requires work on multiple fronts. You therefore
need to select team members to cover each technical issue you're likely to
face, along with overlap to help or cover other areas, as needed. Figure 4-1
shows an example of a malware team structure.
Figure 4-1: Every level of the malware crisis team requires a manager or leader role.
Someone from the malware action team should be involved with your
corporate efforts to block and control spam. Malware uses spam as a major
transmission media, so your team must be up to date on spam control
technology in general and your company's efforts in particular. Outbreaks
often create outgoing spam by grabbing addresses and spreading via
email, so your spam control system may have to turn inward to block
outgoing traffic as well. A member of the action team should also be
involved with your backup procedures and plans for disaster recovery. Files
need to be restored, ranging from a few infected DLL files to complete
operating systems. Late at night during a crisis is no time to start learning
the tape storage nomenclature for restoring files. At least one member of
the action team needs to know the details of all backup and restoration
procedures and systems.
Someone from the action team should have a library of rescue disks
created and ready for use. Every operating system that clients, servers,
and support systems use should have a rescue disk ready to go. Copies of
the full operating systems for rebuilding systems are necessary as well, but
the rescue disks come into play first. You must have a way to boot a
system from a clean CDROM and start virus-cleaning operations. Having a
rescue disk for each operating system is one good option. Having a generic
boot, clean, and restoration disk for recovery situations is handy as well.
After a system is booted cleanly, virus tools can be put to work.
A member of the action team should be responsible for personal support,
including food and drink, during the emergency. Disaster planners
sometimes go so far as to buy military MRE (meals ready to eat) packets,
but that nourishment (hard to call it food) passes inspection only when
there's a general disaster in the area. For a virus attack on your network,
local pizza parlors and sandwich shops will still be open for business.
Someone must plan ahead and build procedures for ordering and
delivering food and drink during your virus exorcism. Yes, you can fight
viruses without a pizza coordinator, but feeding your crew will keep them
working longer and happier. Candy bars from the vending machines only
go so far, and some real sustenance becomes important by the 20th hour
working to recover. Even well-prepared organizations can be blind-sided by
malware.
Reacting to security problems
Despite all your well-laid plans, at some point, your company will have a
problem. Just as you can't close every hole in your building against mice,
ants, and cockroaches, you can't close every hole in your network against
worms, viruses, and Trojans. It isn't a question of if, but when, so you
shouldn't feel guilty, but you should get ready.
Know when to sound the alarm
Every alarm system, including those on your network, includes a
threshold. You should set your network's alarms to allow a few anomalies
now and then to prevent unnecessary panic. Many odd application and
operating system occurrences look like viruses at times but aren't. You
must decide when an anomaly gets listed as a virus.
It's important that you keep your finger on the pulse of your network and
notice how many odd things happen regularly. You can check help desk
logs to learn the normal noise level of virus-like activity. When you know
the regular flow of mishaps, you can tell when a mishap really deserves to
be called out of the ordinary and worthy of a serious reaction.
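The baseline described above, as an added Python example that is not part of the original project: it counts virus-like help desk tickets per day from a constructed log export, learns the normal noise level from a quiet week, and flags only days that clearly exceed it. The log format and every ticket line are constructed, and the alarm rule (mean plus two standard deviations) is an assumption the text does not prescribe.

```python
"""Learn the normal noise level of virus-like help desk tickets, then spot a day that breaks it.

Added example, not part of the original project. The log format and every
ticket line are constructed; the alarm rule (mean plus two standard
deviations of the baseline days) is an assumption.
"""
import re
import statistics
from collections import Counter

# Constructed help desk export: date, ticket id, category, summary.
HELPDESK_LOG = """\
2004-03-01 T1001 hardware   printer offline on floor 2
2004-03-01 T1002 virus-like pc very slow, restarted by itself
2004-03-02 T1003 virus-like out-of-memory errors, plenty of RAM
2004-03-02 T1004 virus-like task manager will not open
2004-03-03 T1005 software   excel macro will not run
2004-03-04 T1006 virus-like programs stop responding after reinstall
2004-03-05 T1007 virus-like modem lights blinking while idle
2004-03-05 T1008 virus-like dialog boxes after opening attachment
2004-03-06 T1009 virus-like windows restarts unexpectedly
2004-03-07 T1010 network    vpn drops every hour
2004-03-07 T1011 virus-like scandisk reports serious errors
2004-03-08 T1012 virus-like slow startup this morning
2004-03-08 T1013 virus-like partition missing on laptop
2004-03-09 T1014 hardware   keyboard dead
2004-03-09 T1015 virus-like friends got mail from me with .scr attachment
2004-03-09 T1016 virus-like friends got mail from me with .scr attachment
2004-03-09 T1017 virus-like outlook sending mail by itself
2004-03-09 T1018 virus-like pc restarts before desktop appears
2004-03-09 T1019 virus-like antivirus popup, unknown file
2004-03-09 T1020 virus-like disk full, copies of same file everywhere
2004-03-09 T1021 virus-like out-of-memory errors on several pcs
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (T\d+) (\S+)\s+(.*)$")

# The week used to learn what "normal" looks like (assumption: seven quiet days).
BASELINE_DAYS = [f"2004-03-0{d}" for d in range(1, 8)]


def daily_virus_like_counts(log_text):
    """Count 'virus-like' tickets per day; days with only other tickets show as 0."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip headers, blanks, malformed rows
        day, _ticket, category, _summary = m.groups()
        counts.setdefault(day, 0)
        if category == "virus-like":
            counts[day] += 1
    return dict(sorted(counts.items()))


def noise_level(baseline_counts):
    """Mean and sample standard deviation of the normal daily count."""
    return statistics.mean(baseline_counts), statistics.stdev(baseline_counts)


def flag_days(daily_counts, baseline_days, k=2.0):
    """Learn the noise level from baseline_days, then flag later days above mean + k*sd.

    Returns (threshold, [(day, count), ...]). Days at or below the threshold are
    the "few anomalies now and then" the text says to tolerate.
    """
    mean, sd = noise_level([daily_counts[d] for d in baseline_days])
    threshold = mean + k * sd
    flagged = [(day, n) for day, n in daily_counts.items()
               if day not in baseline_days and n > threshold]
    return threshold, flagged


if __name__ == "__main__":
    counts = daily_virus_like_counts(HELPDESK_LOG)
    threshold, flagged = flag_days(counts, BASELINE_DAYS)
    print(f"normal noise: up to {threshold:.2f} virus-like tickets/day")
    for day, n in counts.items():
        print(f"{day} {n:2d} {'ALARM' if (day, n) in flagged else 'ok'}")
```

On the constructed data the quiet week yields a threshold of about 2.5 tickets a day, so the two tickets on 2004-03-08 stay within normal noise while the seven on 2004-03-09 raise the alarm.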
Track what's normal so you know what's not. When you experience
anomalies, you should check known operating system and application
FAQs (frequently asked questions) and also watch whether
As with other technology problems, it's important to know what's changed.
You need to verify that nothing has changed in any of the following:
Operating system levels
Patch levels
New network devices
Application upgrades
New monitoring software
New applications
Directory structure
Any changes in these areas can create situations that look like virus
attacks. Can't find a server? Maybe a virus clobbered your drivers. Or
maybe a new DHCP (Dynamic Host Configuration Protocol) server isn't
supplying the right name server IP address, leaving a few clients blind as
they wander around the network. In most situations, thankfully, external
breakouts elsewhere on the internet reach you by news before an infected
message gets through your defenses. When you can see the storm coming
over the horizon, you can make a determination about whether it's hit you
by looking for the expected signs of infection inside your network.
With internal malware problems, you get no warning. With problems that
don't respond to normal troubleshooting processes and that start to multiply
and spread across the network, you may need to sound the alarm. You
should structure your responses so that you can call a halt to a virus
response if you find out it's a false alarm. Just like a fire truck sometimes
goes out but does not unroll the hoses and spray water, your team should
be able to stop before going into full-fledged crisis mode.
ensure that you have at least two contact methods for every action team
member.
Clean up and debrief
When a malware episode ends, your job continues. Someone must assess
what happened and why it happened and must clean up the remaining
damage. Before you dive into all that, however, you should rest for a day.
The action team needs its own restoration and a chance to recover from
the mental and physical exertion of reacting to the emergency. Tired teams
do lousy work, but rested teams have a chance to mentally sift through the
actions taken during the process. A period of reflection allows ideas to
bubble up and puts the mess into perspective. A full investigation --
tracking the who, what, where, when, and why of the episode -- must be
your first order of business when you reconvene the team.
Sometimes, an attack comes from a direction no one had ever considered,
and no one can be blamed for the mess. More often, however, some level
of human error caused the problem. In such a situation, you may know who
to blame, and you might want to hang the offending person in the public
square to make an example for the others. You shouldn't do that, even
though you think it might make you feel better. Placing blame will get you
nowhere, but doing a full investigation and recommending security
improvements can help you avoid a similar situation in the future.
After the team has gathered, discussed, and prioritized improvements, it
needs to implement them. Good ideas on paper don't protect systems from
viruses; good ideas put to work on your network do. After a crisis, you need
to amend your proactive virus protection activities. You need to patch new
holes and then watch them. You also need to manage new vendors to
improve their patch delivery. Finally, you must retrain new users (and
retrain them again, if necessary) to prevent future mistakes. If your action
team and accompanying plan don't get larger with each episode, something
is not right. However, at some point, you may get everything automated to
the point where you're sliding down the backside of the learning curve and
have your network protected as well as possible.
You've proactively planned for every possible malware attack, and you've
implemented all the protection techniques you can. But you're still at the
mercy of a dangerous security threat: the humans who use your network.
guidelines. You can also add a virus reminder page to a vendor training
packet and put virus warnings and security steps on the company's
intranet. You should take advantage of many opportunities to get your
messages across. If possible, you should schedule special security and
virus protection classes for every employee. If you can't cover everyone,
you should create a half-day training class for all department managers and
power users. The more they know, the more they can help teach their
users and coworkers.