Briefing Paper: Best Practice Report on Virus Management
by Paul Grosse - May 2000
The definition of a virus is a very simple one, being a piece of code that can replicate itself under its own control. If it cannot do this, it is not a virus. This ability usually takes the form of a code segment attaching itself to an executable file of some sort. The worms that have been attached to e-mails in recent outbreaks are also viruses as they are capable of replicating under their own control but a subtle difference between a worm and a normal virus is that the worm is completely self-contained and does not need a piece of host code, such as an executable file, to infect. However, all viruses, whether they are worms or not, need an environment in which to replicate and that is where they pose a threat to the security of individuals, organisations and companies alike.
Computer viruses display some of the epidemiological characteristics of biological infections although there are two key differences that are worthy of note:
There are some similarities between the way that biological infective agents and computer viruses propagate - an understanding of these can aid with strategies for defending computer systems:
Strains of Virus
For a virus to replicate and disperse, it must be able to take control of and exploit an environment that allows the execution of its code in full, otherwise it will not function correctly. Once this process is complete, control is returned and the user will suspect nothing unless the virus is designed to give away its presence. Dispersal is usually via the user copying infected files innocently to transfer onto other machines either using floppy discs or a network. However, some viruses are programmed to transmit copies of themselves by appropriating the user's e-mail address book and sending copies of itself as an attachment to the first twenty contacts. This strategy is limited by the proportion of the user population that uses a virus compatible e-mail program that is set up in its effectiveness the way that the virus needs it to be.
Viruses can be written on a number of levels, ranging from processor-specific machine code and assembler, through C, Java and Turbo-Pascal, to high level scripts that can be run in backward compatible programming environments that are supported on a number of different platforms - examples being word processors and spreadsheet programs. These are designed so that they can read documents or worksheets from previous versions and in this way, they can also read and execute the viruses that the files contain.
Some viruses take advantage of peculiarities of the operating system to trick the user into thinking that the file is not dangerous. For example, the I-LOVE-YOU worm was sent by itself to people as an e-mail attachment in a file that appeared to be a text file. The operating system allows the user to suppress file extensions that the system recognises and if the system is configured to recognise Visual Basic Script files, this extension is not displayed, leaving the .TXT extension and giving the user the impression that the file is nothing more than a plain text file. If the file is dragged and dropped into Notepad, the true nature of the file becomes apparent but if the user double clicks on the file, it executes. Users should always be wary of the implications of opening unsolicited attachments and he should ask himself why his manager appears to have sent them a mail saying that he loves him.
Apart from worms, computer viruses come in a variety of forms which can be divided up into six categories: Boot Sector Viruses; Parasitic Viruses; Multi-partite Viruses; Companion Viruses; Link Viruses; and, Macro Viruses.
In addition to these types, consideration should be given to polymorphic viruses and stealth viruses. Polymorphic viruses hide from virus scanners by encrypting themselves using a different key each time they infect a file and any of the above types have the potential for encryption somewhere in the code. Stealth Viruses take measures to ensure that once they are installed in the computer's memory, they will not be detected.
Symptoms of infection
Some symptoms of virus infection are:
Detecting and preventing infection
Anti-virus software packages have a number of strategies available and the better ones will give the administrator a choice of which ones to use. Each strategy has its own advantages and disadvantages:
Between 300 and 600 new viruses appear each month and there is also the occasional glitch when thousands of viruses are added to the list. As a result of this, the amount of time that it takes to scan for all known viruses increases as well - it is not a particularly good idea to scan only for those viruses found in the wild, ignoring the rest, as one could make it onto the list and be ignored. Taking this into consideration, scanning techniques are often used as: on-demand; or, on-access.
On-demand scanning relies upon the user to be vigilant, scanning any new files as they are loaded or downloaded onto the machine. Any unauthorised software or file attachments not being scanned in this way can therefore corrupt the integrity of the system. In contrast to this, on-access scanning looks at any file as it is used and as a result, this slows down the system if many files are used. The main advantage of on-access scanning is of course that it does not require the user to make any decisions. In order to minimise the impact upon system performance, some on-access scanners use checksums to determine whether or not a file has changed - this is based on the assumption that if it has not changed and it was clean before, it should still be clean. Like check summing itself, the weakness in the system is the state of the system when the original check summing was carried out.
A number of anti-virus products provide automated or optional removal of the virus from infected files. To do this, a file needs the virus code removing and the vectors that pointed to the virus code need pointing back to where they used to point. Although this can work well, the exact nature of the modifications that the virus originally made need to be known and in some cases, this cannot be known for sure. As some viruses damage files in such a way that they cannot be repaired automatically, a policy of not repairing but instead, replacing infected files should be adopted as this is the safest route.
Some virus checkers offer to inspect compressed files on a local machine or, at the firewall where decompression of a file before virus inspection would use up too much processor power, causing an unacceptable loss of performance whenever a large number of compressed files went through it. Sometimes, compression will hide viruses from the scanners and a situation arises where the user population is under the impression that a file is safe because it was scanned when compressed - this leads to a state of complacency that is potentially more dangerous than not scanning compressed files in the first place. In recognition of this, some virus scanner vendors have ceased to support the scanning of compressed files.
Breaking the chain
As has been stated earlier on, for a virus to be able to replicate and disperse, it needs to find an environment that allows it to do these two things - if you deny the virus either of these factors, it cannot infect your system.
With the size and speed of computer networks growing, the opportunity for code and data to make its way onto company systems has increased substantially. One of the best lines of defence against Internet-born viruses is a firewall but unfortunately, a recent study showed that around four out of every five UK companies does not use a firewall with the figure for the USA not being that much better. Internal and external network connection speeds approaching the Giga-bits per second range allow data to be transferred between workstations in ways that defy all sensibility with regard to security. To the end user on an unprotected system, with the obscurity of his IP address apparently offering enough security against directed attacks, the user has access to anything and everything in an instant. Unfortunately, this also allows everything else, including viruses, instant access to the resources on the network.
Where a firewall is used, advancements in technology have led to a situation where the hacker is finding it increasingly difficult either to break into a site or to sniff and spoof established sessions, substituting data packets with malicious code. It is, of course, possible that code that travels across the Internet intact may be infected with viruses - second generation firewalls check for this type of content and, when instructed to, third generation firewalls do is as well. However, firewalls can only look at the data that passes through them and, possibly due to the strength of firewalls, most attacks on systems now depend upon surprise or originate from within the firewall boundary.
Having direct, internal access to the system, the authorised user population poses the greater threat but this problem is difficult to define and control as it presents itself in so many ways:
As has been said before, a virus needs to have an environment in which it can replicate and a means of dispersing. Technologies that allow the user to interact with a network such as the Internet, processing and transmitting the user's information are already in use and subject to virus attacks. The usefulness of computers has been adapted to making them mobile with PCs taking on the form of the laptop and notebook, connected to the Internet using mobile phone technology. However, these are only slight variations of the PC and sooner or later, someone will write a virus aimed specifically at a PDA (Personal Digital Assistant).
One of the biggest markets is in mobile phones and using WAP (Wireless Application Protocol) technology, currently in its early stages of development, users can access e-mails and browse specially developed parts of the Internet to obtain access to share prices, sports results and so on. WAP phones use WML (Wireless Mark-up Language) which is to a WAP phone what HTML is to a browser. It is based on XML, and although similar in syntax to HTML, it is much more like XML. Just like HTML and XML, WML is read and interpreted by a browser built into the WAP device. For WAP devices, the browser is commonly called a micro browser. The capabilities of the micro browser is of course limited to the capabilities of the WAP device. However, larger displays, larger memories and a functionally developing scripting language that is aimed at providing the functionality that the user population demands may make WAP phones susceptible to some form of virus invasion in the future.
Staff need to be made aware of security issues and should be sent on a computer user responsibilities course but whilst this is worthwhile in terms of making them more aware of the dangers and informing them of the appropriate course of action should anything untoward happen, you should not expect them to behave any differently afterwards. Attacking or threatening staff with disciplinary action will only drive any problems underground which, in turn, will make your job harder and prejudice the security of the system. For any policy to be effective, it should be easy to implement and largely automatic - these attributes being part of the solution provided by the major anti-virus products available today.
One interesting strategy is to recognise that many of your employees will have a computer of their own and that it is inevitable that at some stage, one of them may bring some software onto the company's site - possibly even with the permission of the IT department. The solution to this is to issue all employees that have computers with regularly updated anti-virus software for their own personal use, free of charge to them - legally of course. This has the twofold effect that: users become well trained in the use of anti-virus software without the company having to send them on refresher courses; and, that if they ever do bring anything into work, it is more likely to be free of viruses.
The various anti-virus strategies: virus scanning; heuristic analysis; and, integrity checking, tend to support each other but it must be appreciated that no single solution is perfect as a complete solution. In response to this, it is advised that a mixture of solutions is employed. A method of on-access detection on the client machines should be deployed with the automatic updating of any virus signatures as they appear. Checking all in-bound mail and file transfers for viruses is a must and, to comply with moral, if not legal requirements, all out-bound mail should be checked as well - files for FTP to remote machines should be checked for viruses when they are stored on the server (which should be checked periodically) and hash values for files and possibly digital signatures should be used for clients to verify that the file has remained unchanged since it was signed.
As always, one luxury that cannot be afforded is complacency. Making checksums on a machine that is already infected is not reliable. Checking only compressed files is not good enough as some viruses can be hidden by the compression technique and the encryption of any compressed files will hide everything any way. Relying entirely on only one virus checker is also too complacent as, although they may well score 100% in the tests, some viruses are aimed at specific checkers and the one that you pick could be vulnerable - using two reduces this chance significantly and three is recommended.
Copyright (c) 2000 P. A. Grosse. All Rights Reserved.
Back to the Internet Security Index
Back to the Index