IN THIS CHAPTER
Do you have a virus? No instruments, no senses can tell you if you are in the presence of the predator. | ||
| --Richard Preston, The Hot Zone | ||
If doctors and pharmacists worked like antivirus vendors, we’d all be immunized against all illnesses. Would this improve our viability as a species? | ||
| --David Harley, Icarus | ||
This chapter addresses one of the best known, most feared, and least understood problems in information security. It explains what viruses and worms really are (and aren’t), summarizes the means of limiting their consequences, and most importantly, includes some pointers to further information.
Computer viruses are perhaps the most well known and feared security threats of all. Certainly, they’re among the most misunderstood. All viruses entail a certain degree of damage, but their impact, with some very prominent exceptions, is mostly social. That is, they cause more damage in terms of damage to morale and reputation than in terms of file or file system damage.
Every virus does cause some (usually) limited denial of service because they all steal disk space, memory, and/or clock cycles (processor time). Some cause unintended damage on some systems. Some do intentional damage to files and file systems, and a few can make some hardware effectively unusable by trashing firmware (CIH, also known as Spacefiller, and, incorrectly, as Chernobyl, for example). At this time, no known virus directly damages hardware, although the possibility of such a virus can’t be discounted. However, some of the most successful viruses (in terms of survival) achieve longevity by virtue of the fact that they do nothing but replicate, and therefore aren’t conspicuous. Direct damage tends to be noticeable. However, some viruses cause serious damage to data by slow and insidious corruption, and others continue to survive despite their high damage profile.
Email viruses and network worms can cause serious denial of service because of the load on networks and network traffic, servers and other infrastructural resources, as well as the load on first-line, second-line, and third-line support. Critical transactions may be hampered when servers have to be taken down to effect repairs. Other network services such as HTTP may be blocked during cleanup to stop the broadcasting of Nimda- or Code Red-like probes from infected machines, and by testing for other infectable systems.
Increasingly, legitimate services are being blocked completely by security-conscious administrators because they are potentially vulnerable to abuse by malicious software. The most obvious example is in restrictions applied to attachment file types that might contain malicious code: not only screensavers and other program files, but sometimes vulnerable data files such as spreadsheets and other macro-friendly documents, Microsoft Access databases, other scriptable data files, self-extracting zip files, and even encrypted zip files.
It has to be said that even an innocuous virus can cause problems just by being there, or even by being misdiagnosed as being there. This can result in secondary damage because of inappropriate action taken by poorly informed virus victims. It can also result in social damage. Such damage can include loss of reputation, scapegoating of the victims of a virus attack, or even legal action. A victim might be accused of failing to apply “due diligence,” of being in breach of contract, or of being in contravention of data protection legislation. He might even be accused of implication in the dissemination of a virus, which is illegal in many countries (even those in which the actual creation of viruses is not in itself a crime).
Viruses that do no intentional damage are sometimes described as benign, in much the same way that a tumor might be defined as malignant or benign. However, this usage is potentially misleading because the use of benign in this context does not mean harmless, let alone benevolent, as it might be understood to mean.
The meteoric expansion of Internet usage (especially email) since the early 1990s has raised the status of the virus from an occasional nuisance to everyone’s problem. The vastly increased use of local networks and other means of sharing data and applications has also increased the risks by orders of magnitude. In brief, viruses can travel further and faster than was the case a few years ago. The big comeback story in the virus field is that of the computer worm. In the early 1990s, Internet usage became less specific to “big iron” mainframes and minicomputers reached via dumb terminals and terminal emulators. The first generation of worms declined in impact accordingly. Virus and antivirus technology became focused on the individual desktop PC. In the latter part of the decade, however, virus writers began to rediscover worm mechanisms as a means of accelerating dissemination, and now worms and worm/virus hybrids have become one of the most aggravating problems faced by system administrators.
The impact of fast-spreading email viruses has decreased dramatically in the last year, as industry has turned to increasingly strict regulation of allowable file attachment types, but at the cost of reduced convenience and functionality. Even worse, these inconveniences may actually have an adverse effect on security, in that end users may show surprising aptitude and cunning in their attempts to evade such restrictions. Nevertheless, we have recently seen a shift away from the explosive dissemination of infective emails from insufficiently protected corporate institutions, toward malware (MALicious softWARE), spread primarily by home users who rarely enjoy the benefits of obsessive regular updates of antivirus software and draconian blocking of infectable file types at the mail gateway.
This chapter, although it addresses worm mechanisms in detail, isn’t particularly focused on differentiating between viruses and worms. Even within the industry, the terms are often used interchangeably in the context of the hybrid viruses/worms that dominate the current virus scene.
Most antivirus professionals will accept a working definition of the term computer virus like this: “a program that replicates by ‘infecting’ other programs, so that they contain a (possibly evolved) copy of the virus.” (F. Cohen: A Short Course on Computer Viruses.)
Note that the emphasis here is on reproduction by infection. A virus is not destructive per se, whereas a destructive program is not a virus per se. Furthermore, although most viruses do attempt to operate without the knowledge of the system user, this isn’t a requirement, either. The only defining characteristic is replication—the primary “intent” of the infective program is to reproduce.
NOTE
The term program does not necessarily imply a program file, although most viruses do in some way infect files. Nevertheless, we refer to infected and infective objects in this chapter unless we are specifically considering file infection, so as to include boot sector infectors and macro programs embedded in data files.
Infection is sometimes described in terms of attachment of the viral program to one or more programs on the target system. However, attachment is perhaps a misleading term, although it is conventionally used in this context because the word attachment has a rather different connotation in the context of email. It might be more useful to look at the process in terms of a chain of command. The viral code is inserted into the chain of command, so that when the legitimate but infected program is run, the viral code is also executed (in some instances, the infected program runs instead of the legitimate code—some viruses and worms replace legitimate files, rather than attaching themselves to them).
We often describe infection in terms of the viral code becoming physically attached to the host program, but this isn’t always the case. Sometimes, the environment is manipulated, so that calling a given program calls the viral program. Sometimes, the viral program is activated before any program is run. This can effectively “infect” every executable file on the system, even though none of those files are actually physically modified. Viruses that take this approach include cluster or File Allocation Table (FAT) viruses, which redirect system pointers to infected files, companion viruses, and viruses that modify the Windows Registry, so that their own code is called before legitimate executables.
Except for a few extraordinarily primitive and destructive examples that actually trash the host program on infection, all viruses work along the following lines:
A computer user calls a legitimate program.
The virus code, having inserted itself into the chain of command, executes instead of the legitimate program.
The virus code terminates and hands over control to the legitimate program.
Companion or spawning viruses follow the same sequence, but the virus code is contained in a separate file, which is characteristically renamed, so that it will be executed instead of the program the victim thought he was launching. It then normally hands over control to the legitimate program.
Viruses that infect by overwriting the host file so that its normal functionality is impaired (or simply replace it) have not been particularly successful at spreading “in the wild,” historically. However, some email viruses have gone against this trend by replacing legitimate program or data files with copies of the malicious program. The “Loveletter” family of viruses used this technique with notable success (in terms of dissemination), often overwriting genuine graphics files such as JPEGs with a malicious Visual Basic script, in combination with the “double extension” trick of appending an extension signifying an executable filetype (in this case .VBS) to the filename, so that Windows recognized it as an executable file rather than as a non-executable data file.
The virus process is a little like the process of biological viral infection, although the analogy is overworked and can be misleading. Think of a person infected with an airborne disease. Whenever he exhales in a public place, he risks infecting others. Similarly, whenever an infected program is executed, the virus’ infective routine also runs, and can infect one or more other objects “in range.” Just as biological viruses infect hosts that are predisposed to infection, computer viruses target certain type of files and system areas, according to the virus type.
Replication is also the defining characteristic of a worm, and some authorities (including Fred Cohen, the “father” of computer virology) regard worms as a subset of the genus virus. However, worms present particular problems of definition. One viable definition distinguishes between worms and viruses in terms of attachment. Whereas a virus in some sense “attaches” to a legitimate program, a worm copies itself across networks and/or systems without attachment. It can be said that the worm infects the environment (an operating system or mail system, for instance), rather than specific infectable objects, such as files.
Some observers have used the term worm to refer to self-replicating malware that spreads across networks. This doesn’t really amount to a meaningful distinction, because many viruses can travel between machines on a Local Area Network, for instance, without being “aware” that a target volume is not on the same machine. This isn’t to say, of course, that viruses are never network-aware.
Thousands of new viruses have been reported in recent years. Viral mechanisms differ widely, and any type of file can be affected. However, viruses can only spread when code is executed, which means that only files or other objects (such as the boot sector) containing executable code can be carriers for further infections. This doesn’t mean, however, that only binary executable files such as DOS/Windows .EXE and .COM files can be infected.
Some data files can also contain executable code in the form of embedded macros. At present, Microsoft Office includes two of the applications (Word and Excel) that are most vulnerable to virus attacks that take advantage of interpreted macro/ scripting languages, such as Visual Basic for Applications and its siblings. Although macro viruses can and do exist for non-Microsoft applications, word processors that store macro code in separate files rather than within document files are arguably less vulnerable. People are far less likely to swap macros than documents.
Script viruses that take advantage of the Windows Scripting Host (WSH) to run Visual Basic Script (VBS) have declined somewhat in impact, as people have learned to recognize VBS as a “dangerous” extension, and turn off the WSH. Nonetheless, simple-minded VBS viruses continue to appear and enjoy some success.
Other types of macros, shell scripts, batch files, interpretable source code, even Postscript files also contain executable code, and are, in theory, vulnerable to virus attack. The likelihood of such an attack depends on a number of factors, however, such as the popularity of the platform and the access controls native to the operating environment. The restricted write access allowed to unprivileged accounts in a multiuser environment such as Unix or NT and its successors (Windows 2000, Windows XP) does tend to impede the spread of viruses and Trojans in such environments. However, it would be unwise to rely exclusively on this fact for protection of such systems. Some of the earliest experiments with viruses were in fact made on Unix systems, and some current worms are specific to NT-based operating systems.
As this chapter was being written, W32/Perrun, a proof-of-concept virus that infects JPEG files, was causing the kind of confusion that virus writers love to generate. Perrun works by attaching executable code to a pure data file. Windows does not normally attempt to execute a JPEG; it executes a JPEG viewer of some sort that displays the image. Perrun gets around this restriction by modifying the Windows Registry so that the infective file is executed as a program rather than displayed as a graphic. However, this means, effectively, that the infective file can only be executed on a system that has already been infected. Actually, an exploit such as this can be created for any type of data file, in principle. However, the writer of such a virus still has to find a way to execute code to modify the environment in the first place, nullifying the advantage of converting a non-executable data file to a program in the first place. Such exploits reinforce the need to avoid taking the innocence of data files for granted, but do not in themselves constitute a very likely major threat at present.
There are certain stereotypes associated with virus writing. On the whole, they’re rarely useful. Most virus writers try, for obvious reasons, to preserve their anonymity, so testing the truth of these images is somewhat problematic. Some virus writers do discuss and display their craft and angst in more or less public forums, such as the newsgroup alt.comp.virus. These groups are generally thought to be young males, and some research indicates that mostly they “age out” and leave the field as they acquire girlfriends and a life.
However, it’s unsafe to assume that the “virus writers” who dominate such newsgroups are always who they say they are, let alone that they are as talented as they claim to be, or necessarily serious representatives of all virus writers. Indeed, it’s possible that this group represents a constituency of wannabes rather than a group of real, competent virus writers. Certainly many (but by no means all) successful viruses seem to have been written by focused loners with no particular affiliations, rather than by groups.
It’s also noticeable that many of the most vociferous individuals quoted and feted by the media, law enforcement agencies, politicians, and others are not widely respected among their peers. Of course, the same is true of other types of computer vandals, not to mention many self-styled security and/or virus experts.
Some virus writers have responded to the very few serious attempts at research in this area. However, quantitative research is not realistically possible, and the research that has been done leans to the ethnographic. That is, rather than try to establish numerical data with large samples, researchers in this field have tended to rely on qualitative data, using interviews with very small samples (just a handful of virus authors).
The acknowledged authority in this area is Sarah Gordon, who has written extensively in this area and in related ethical areas. Her papers for the Fourth and Sixth Virus Bulletin Conferences on “The Generic Virus Writer” are particularly relevant. A number of her papers, including both “Generic Virus Writer” papers, can be found at http://www.badguys.org/papers.htm.
A second widespread stereotypical notion is that people who write antivirus software also write viruses in an attempt to drum up business for their products. I can’t say with absolute certainty that no vendor or researcher has ever written a virus, released a virus, or even paid a bounty for samples of original viruses. However, it’s hard to comprehend why any antivirus professional would see a need to stray toward “the Dark Side” at this stage of the game. There are more than enough amateurs producing viruses. In “Generic Virus Writer II”, Gordon notes that older security professionals, especially systems administrators and such, make their own contribution to the virus glut through (probably well-meant) experimentation.
However, despite the eagerness of virus writers to implicate “the enemy” in the problem, there is no conspiracy between systems administrators and vendors to keep vendor profits high. Or if there is, no one has offered me a percentage. Indeed, systems administrators are increasingly aware that dependence on antivirus vendors as the source of all wisdom is sometimes counterproductive, and may lead to addiction to outdated technological approaches and partial solutions that fail to take into account the relationship between virus management and other areas of security. There might always be a place for malware management based on scanning for known viruses and other threats, but virus-savvy system managers would also benefit from sharing information with their peers outside the antivirus industry through lists such as AVIEN and AVI-EWS (http://www.avien.org).
There are probably as many reasons for writing viruses as there are virus writers, although the reasons cited by virus writers (actual or wannabe) don’t always stand up to closer analysis. Some appear fascinated by the concept of a self-replicating and/or self-modifying program, and are curious to see how far their creations spread. Indeed, some apologists suggest that virus writing is a legitimate means of research into artificial life forms, or even artificial intelligence. (However, the adaptive behavior displayed by even the most sophisticated viruses is usually rather restricted.)
Many virus authors seem to enjoy matching wits with the antivirus establishment. Indeed, some viruses go straight from the creator to his favorite antivirus company without any attempt to spread it through the general population. Others, however, are more concerned with inspiring the admiration of their peers, rather than gaining the attention of the antivirus professionals. Others don’t make a hard and fast distinction between writing viral and antiviral software, and might write both. This isn’t normally the case in the antivirus industry, and those who have used their experience on both sides of the barbed wire to support their search for a job in the industry have usually been sadly disappointed. In fact, development teams in the industry have practical as well as ethical reasons for preferring to employ programmers whose experience is in other areas. It saves them having to clean ill-founded technical preconceptions out of the newcomer’s head.
There are, of course, many viruses that are intended to cause widespread damage, although deliberate destruction is the goal far less often than most people seem to believe. (Often, virus damage comes from thoughtlessness or sheer incompetence on the virus writer’s part.) Some virus writers argue that computer users who don’t have the technical savvy to protect themselves deserve everything they get. On the other hand, some virus writers also claim that they have no personal involvement in virus dissemination, and are not responsible for the use made of their code by others. In other words, the distributors are the problem, not the authors. This would be more convincing if such authors never made their creations available as source code and/or binaries on Web sites, in e-zines, and other locations. Then viruses wouldn’t be easily available to anyone who asks, or who trawls virus exchange Web sites.
Some people seem to believe that computer viruses appear spontaneously in the same way that biological viruses seem to do. This isn’t quite as silly as it sounds. Completely new viruses don’t just pop out of the primeval soup without warning. However, it’s not uncommon for a new variant (not necessarily a viable virus in terms of replication and the capability to infect) to be born without direct human intervention. For instance, a macro virus consisting of a fixed number of modules might mutate by losing some of its constituent macros, or gaining unconnected (not necessarily viral) macros. Some Word macro viruses have mutated without human intervention into many hundreds of variants. However, someone had to write the original virus.
It’s not inconceivable that an operating environment might come into general use, in that a viral program can be created from scratch without direct human intervention, but it doesn’t seem to have happened yet.
Most virus writers (and a high percentage of the rest of the world) have an exaggerated view of the ability necessary to produce a working virus. Undoubtedly, some virus writers produce technically competent code—but many more don’t. Furthermore, as we’ve seen, many viruses are one-trick ponies. They might do the replication trick well or not so well, but replication, even when done efficiently, represents a somewhat limited functionality, compared to that of a compiler or business application.
Older viruses were often written in assembly language. In fact, it’s difficult to write some types of viruses in a high-level language, even with the help of an inline assembler. This is an advantage, from the viewpoint of virus victims, in that it takes a certain level of programming expertise to create even a weak virus (or even to modify an existing virus so as to create a variant). Many variants are, in fact, simply existing viruses with a slight change that doesn’t affect functionality (such as modification to unimportant embedded text). Such a change might require no programming at all.
Some virus writers and their admirers still regard proficiency in assembly language as the hallmark of programming excellence. This is actually in sharp contrast to the professional programmer, whose choice of tool, given a choice, is liable to be somewhat more pragmatic, based on the best tool for a given job, rather than a preference for the esoteric. However, the current is, by and large, flowing the other way in malware coding. The most recent and widespread viruses and worms are very often written in high-level languages.
As virus technology developed, some virus programmers turned their attention to creating kits to enable a wannabe virus author to “develop” other viruses without programming—that is, using virus generators to produce virus code. This has not, however, necessarily resulted in an increase in the total number of viruses “in the wild.”
Kit viruses are often not actually viable (that is, they don’t replicate), and are frequently detectable generically. A new kit virus might be identifiable as having been generated by a particular generator, simply by family resemblance. Thus, kit viruses have tended to contribute to the “glut” problem (the sheer weight in numbers), rather than to the “in-the-wild” problem (see the next section).
Certainly, assembly language is not necessarily the language of choice among the current generation of virus writers. Interpreted macro languages (especially Visual Basic for Applications) are generally harder to use than kits, but much easier than assemblers. Furthermore, disk space and main memory are no longer expensive, and grossly bloated files are less conspicuous in a Windows environment. Thus, its become more practical (as well as easier) to write viruses and worms in C++ or Delphi.
A virus is deemed to be “in the wild” when it has escaped or been released into the general population. The general population refers to computing environments outside the development environment where the virus was created and tested, or the collections of antivirus vendors, researchers, and collectors. Viruses in these environments are typically (hopefully) processed under controlled circumstances, where no danger is posed to the surrounding communities. However, when a virus escapes a controlled environment, it might be said to be “in the wild” (often expressed adjectivally in the antivirus community as “In-the-Wild” or “ItW”). Note, however, that in the antivirus community, the fact that a virus is available on a virus exchange bulletin board or Web site does not make it In-the-Wild. Because access to such resources and exchange of viruses is voluntary, this counts as a controlled environment. However, it is perfectly possible for one of these “zoo” viruses to find its way into the wild long ater its author has forgotten about it, simply because someone picked it up off a virus exchange site and catapulted it into the real world.
In his conference paper “Counting Viruses” (Virus Bulletin, 1999), Paul Ducklin makes the distinction very clearly:
For a virus to be considered In the Wild, it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users. This means viruses that merely exist but are not spreading are not considered ‘In the Wild’.
In fact, the definition used by the WildList Organization is, historically, far stricter. For a virus to be on the WildList, the nearest thing to an industry standard metric for “In-the-Wildness,” it must be reported by two or more of the virus professionals who report to the WildList Organization. Furthermore, these reports must be accompanied by replicated samples. (Viruses that are reported by only one reporter are put into the supplementary list.) Clearly, this strictness means that the WildList can’t represent all the ItW viruses at a given time, but does represent viruses that are genuinely “out there.” Such data are often more useful than absolute numbers to the organizations and individuals using the WildList as a basis for testing and research. (Note that the WildList indicates a virus’s presence “out there,” but not the total number of virus incidents in which a single virus is implicated. Thus the list only provides a very rough guide to prevalence.)
In fact, the WildList Organization, which has had some financial and resource difficulties recently, seems to have relaxed this rule somewhat as more corporate administrators have joined the ranks of reporters. System administrators who report to WLO are not always able to capture samples, usually because malicious code is discarded before it passes inside their organization’s perimeter. This necessarily entails a change in the quality of information available from WLO. A reporter who cannot capture a sample has to accept that the discarded sample was the virus/ variant the antivirus scanner reported it as being. A discarded sample cannot be verified against a central pool of samples, so its exact identity is unproven. However, reporters with large customer bases do increase the size and volume of virus reports. The organization seems somewhat confused currently in its balancing industry reporters against corporate reporters.
What matters most for our purposes, however, is the disparity between the number of In-the-Wild viruses at one time (a few hundred, according to the prevailing WildList), and the total number of viruses in existence. At the time of this writing, that total is usually taken as being in excess of 70,000, although precise figures are dependent on exactly what is measured. There is no universal standard for distinguishing between viruses, virus variants, worms and other malicious code detected by anti-virus software, and, for technical and administrative reasons, it would be a huge job to enforce such a standard retrospectively by crossmatching samples.
A virus is, conceptually, a simple program. In its simplest form, a direct action virus can be modeled in terms of an algorithm such as the following:
begin
Look for (one or more infectable objects)
If (none found)
then
exit
else (infect object or objects).
endif
end They don’t remain in memory, but execute all their code at once, and then hand over control to the host program.
Many viruses go memory resident (install themselves into memory) after the host program is executed, so that they can infect objects accessed after the infected application has been closed.
The term hybrid is sometimes used for viruses that stay active as long as the host program is running. It is also (perhaps with more justification) applied to viruses that are both direct action and memory resident.
In fact, all viable boot sector infectors are memory resident—they have to be. Otherwise, their code can only be executed during the boot process, which rather limits their opportunities to infect other boot sectors. We’ll consider boot sector viruses in detail later on in this chapter.
Of course, all but the most incompetent viruses are a little better error-trapped than this, and at least check that the infectable object hasn’t already been infected. You’ll notice that I’ve also skated over the infect object subroutine. We’ll come to infection mechanisms when we discuss the main virus types later in this section.
Some viruses, of course, do more than just replicate. We sometimes describe viruses as having up to three components: an infective routine, a payload, and a trigger. The previous models demonstrate an infective routine, although it can be said that finding an infectable object is the trigger for the infective routine. However, we more often think of the trigger as being the condition that has to exist before the payload (or warhead) can be executed.
The payload can, in principle, be any operation that any other program can perform. In real life, however, it tends to be something flippant and irritating, such as visual or audio effects, or else downright destructive. So now our model looks like the following:
begin
(Go resident)
if (infectable object exists)
then
if (object is not already infected)
then
(infect object)
endif
endif
if (trigger condition exists)
then
(deliver payload)
endif
end The trigger condition might, for instance, be the execution of a file, or a particular date or time. The combination of a trigger and a malicious payload is sometimes called a logic bomb, especially in the context of a malicious program with no capability to self-replicate, such as a Trojan horse (covered in Chapter 18, “Trojans”).
Viruses can be classified conveniently (but by no means definitively) into five main classes:
Boot sector infectors (BSIs)
File infectors
Multipartite viruses
Macro viruses
Scripting viruses
To these classifications we might usefully add memetic viruses, especially virus hoaxes and other types of chain letters, and worms, though the distinction between worms and some of the other types of malware listed above is not absolute. One of the best-known macro viruses, Melissa, is usually described as a worm, as are most VBScript viruses.
NOTE
Memetic viruses (virus hoaxes and other chain letters) are not viruses in the same sense as the preceding classes because they infect people, not programs. They are considered here because hoax management is usually the responsibility of the person responsible for virus management.
BSIs are PC-specific viruses that infect the Master Boot Record and/or DOS Boot Record. At one time, these viruses accounted for the majority of reported incidents, but now they constitute a dwindling proportion of the total number of threats found in the wild, and new BSIs are something of a rarity. This might reflect that people now increasingly use email and networks rather than floppy disks to exchange files. The fact that these are harder to write than macro viruses and scripting viruses (or even file viruses) is also relevant.
When a modern PC boots up, it goes through a process called the Power On Self Test (POST). This stage of the boot process includes checking hardware components. Some of its information comes from information stored in CMOS, especially information relating to disk and memory type and configuration. If the CMOS settings don’t match the actual drive geometry, the machine will not be able to find system areas and files where they should be, and will fail to finish the boot process.
The Master Boot Record (MBR), sometimes known as the partition sector, is found only on hard disks, where it is always the first physical sector. It contains essential information about the disk, giving the starting address of the partition(s) into which it is divided. On floppy disks, which can’t be partitioned and don’t contain a MBR, the first physical sector is the boot record, or DBR (DOS Boot Record). On hard drives, the boot record is the first sector on a partition. The boot record contains a program whose job is to check that the disk is bootable and, if so, to hand over control to the operating system.
By default, if there is a bootable floppy present, most PCs will boot from drive A, the first floppy drive, rather than from drive C, the first hard drive. This is actually an unfortunate default because this is the normal entry point for a boot sector virus. If the PC attempts to boot from a floppy with an infected boot sector (even if the floppy doesn’t contain the necessary files to load an operating system and therefore can’t complete the boot process), the infected floppy will infect the hard drive. Characteristically (although not invariably), once the hard drive is infected, the virus will infect all write-enabled floppies introduced subsequently.
CAUTION
You might have heard that boot sector viruses can be disinfected without antivirus software using FDISK with a (largely) undocumented switch (/MBR), known in some quarters as FDISK/MUMBLE. The good news is that this works a lot of the time. The bad news is that, if you try it with the wrong virus, you can actually lose access to your data. Antivirus software is a very imperfect technology, but it’s almost invariably better and safer for removing viruses than general-purpose utilities that were never designed for that purpose. FDISK is not recommended as an antivirus measure unless you know exactly what you’re doing.
The majority of boot sector viruses also contain some provision for storing the original boot sector code elsewhere on the drive. There is a good reason for this. It isn’t because the virus programmer kindly intends to eventually return the MBR to its original state, although retaining a copy of the original boot sector can make disinfecting the virus easier. Rather, it is because she has to. Typically, a virus will keep a copy of the original boot record and offer it whenever other processes request it. This not only enables the system to boot in the first place, but also makes it harder to detect the virus without antivirus software that specifically recognizes it. However, some viruses simply replace the normal boot sector code with code of their own.
Some BSIs (Form is a particularly well-known and widespread example) only infect the boot record, even on hard disks. This creates particular problems with Windows NT and Windows 2000, and will usually prevent the system from booting at all. Thus a largely innocuous virus has suddenly become a major nuisance in some environments.
TIP
New boot sector viruses are comparatively rare. Nevertheless, even old favorites like Form still circulate among people who still exchange disks. Although reputable and up-to-date antivirus software is still a must for detecting them, a simple precaution eliminates most of the risk of infection on most PCs, even from unknown BSIs. Most PCs, by default, will attempt to boot from drive A if there is a floppy disk there. If there isn’t, it tries to boot from drive C. However, nearly all PCs can be reconfigured in CMOS to change this default. On most systems, this is done by modifying the boot order, so that the system always tries to boot from drive C first (or in the order of CD-ROM drive, drive C, then drive A).
Other systems (notably some Compaq models) enable the setting of an option to disable booting from the floppy drive altogether. If the system user actually needs to boot from floppy, this simply involves resetting the option to default. Motherboard and PC system vendors use proprietary ways of setting CMOS options—consult the documentation that came with your system. Note that “file and boot” (multipartite) viruses are less likely to be contained by this precaution.
File viruses infect executable files. Historically, most file viruses have not been particularly successful at spreading. Many thousands have been written, but the number actually seen in the wild has been comparatively small compared to BSIs, and more recently, macro viruses. Nonetheless, those that have survived in the wild have often spread surprisingly well—CIH, for example. Some of the most prevalent contemporary file viruses, however, are more commonly described as worms, as considered later in this chapter.
After a virus infects an executable file by direct attachment, that file, when executed, will infect other files. Fast infectors go for instant gratification. Each time the infection routine is executed, it infects a whole directory, all folders on the current path, a whole volume/disk, even all currently mounted volumes. Even file infectors that infect only one or two files at a time can spread quickly across systems and networks in a modern environment, where multiple binary executables are opened and closed many times over a single session. Every time you open an application, at least one executable file is loaded. Some applications will open several files at startup, whereas others periodically open multiple files when performing a particular operation.
Sparse infectors forgo the temptation to infect as many files as possible, usually in an attempt to make themselves less conspicuous. They may not infect every time the virus is executed, but infect only under very specific conditions, even when an infectable object is present.
NOTE
Binary executables are by no means restricted to .COM and .EXE files, but include DLLs (Dynamic Link Libraries), overlay files, VxDs and other classes of driver, overlay files, and even certain screensaver (.SCR) and font files. More recently, virus/worm authors have made increasing use of other file types such as .PIF, .BAT, and .LNK. Whereas .EXE and .SCR files, for instance, have the same essential structure, file types such as .PIFs denote quite a different type of executable file. However, Windows environments are not generally strict about checking that a file is the type its filename extension suggests. Renaming a program from myprog.exe to myprog.pif, for example, does not usually prevent its being executed “correctly”—that is, in the same way as the correctly named program file. The number of filename extensions that denote an executable file of some sort runs well into three figures, especially taking into account macro-bearing data file formats. This number holds even if we ignore executables associated with operating systems other than DOS/Windows, in which, like Linux or Mac OS, filename extensions do not have a particular significance to the operating system’s command interpreter. It’s unsurprising that most computer users can be tricked into running an obscure executable filetype, or an executable filetype masquerading as something else.
File and boot viruses are the most common example of multipartite viruses, viruses that use more than one infection mechanism. In this case, both boot sectors and binary executable files might be infected and used as the means of disseminating the virus. However, it’s likely that there will be an increase in multipartite viruses consisting of other combinations of virus types.
In recent years, the term multipolar has also passed into vogue. This is usually applied to malware that comprises more than one type of threat (a worm, a parasitic virus, and a Trojan, for instance). Such malware is also sometimes referred to as convergent, or blended.
Macro viruses infect macro programming environments rather than specific operating systems and hardware. Microsoft Office applications are by far the most exploited environment. Macro viruses can be regarded as a special case of file virus, in that they appear to infect data files rather than binary executables. However, this way of looking at the process might actually confuse the issue. Macros are essentially a means of modifying the application environment, rather than (or as well as) the data file. Indeed, in the case of Microsoft Office applications that support macro programming languages (Visual Basic for Applications and, in earlier versions, WordBasic and AccessBasic), the macro language cannot be unbound from the application’s own command infrastructure. Macro viruses usually infect the global template, and often modify commands within the application’s menu system. Macro viruses are particularly successful against Microsoft applications because they enable executable code (macros) to exist in the same file as data. Applications that segregate macros and data into different files are less susceptible to this kind of attack.
Macro viruses have lost market share in recent years, in parallel with the recent growth in email viruses and worms. Indeed, it might be argued that Melissa, though itself a macro virus, and very successful in terms of spread, marked a watershed for this particular class of threat. It did so, perhaps, by demonstrating how successfully a virus of any type can spread by exploiting social engineering techniques to trick the victim into running compromised code.
Script is a rather imprecise term, and actually suggests a slightly artificial distinction between macro viruses and script viruses (especially VBScript malware; VBScript being a script/macro language very closely related to Visual Basic for Applications). In this context, the term normally refers to VBScript and other malware that can be embedded in HTML scripts and executed by HTML-aware email clients through the Windows Scripting Host. Many of the viruses that use this entry point are often better characterized as worms, and are therefore treated under that heading later in the chapter. VBscript and Jscript are more virus-friendly than JavaScript (for instance), primarily because they have many of the file I/O capabilities of other variations on the Visual Basic theme. Extant JavaScript malware sometimes takes advantage of vulnerabilities in Internet Explorer for which patches exist.
This view of script viruses is rather restrictive. A broader definition might include HyperCard infectors, batch file infectors, Unix shell script infectors, and many more. However, these are currently of less practical importance.
There is a further class of virus that is unique, in that it comprises viruses that don’t exist as computer code. The term meme seems to have been coined originally by Richard Dawkins, whose paper “Viruses of the Mind” draws on computer virology as well as on the natural sciences. A meme is a unit of cultural transmission, of replication by imitation, much as a gene is a unit of inheritance (a rather imprecise unit, perhaps). The memes we are most concerned with in this chapter are those sometimes known as metaviruses. A metavirus is itself a virus (what Dawkins calls a “virus of the mind, not a computer virus”), but one that purports to deal with other computer viruses. These viruses don’t exist. In other words, they are virus hoaxes. Virus hoaxes are not only a subclass of memes in general, but a subset of a particular type of meme: the chain letter. However, the virus hoax is particularly relevant to this chapter, because the administrator who manages virus incidents will usually also be the person who has to respond to plagues of virus hoaxes. The same might not be true of other hoaxes and chain letters.
The most commonly encountered hoaxes are derived from the infamous Good Times hoax of the mid-90s. They conform to a pattern much like this:
[THIS WARNING WAS CONFIRMED BY SYMANTEC AND MCAFEE THIS MORNING.] IF YOU RECEIVE EMAIL WITH THE SUBJECT <GREEN EGGS AND HAM> DO NOT OPEN IT, BUT DELETE IT IMMEDIATELY!!! IT CONTAINS A VIRUS THAT JUST BY OPENING THE MESSAGE TRASHES HARD DRIVES AND CAUSES MOUSE-MATS TO SPONTANEOUSLY COMBUST. MICROSOFT, AOL, IBM, FCC, NASA, CND, AND KKK HAVE ALL SAID THAT THIS IS A VERY DANGEROUS VIRUS !!! AND THERE IS NO REMEDY FOR IT AS YET. PLEASE FORWARD THIS TO ALL YOUR FRIENDS, RELATIVES, COLLEAGUES, AND ANYONE ELSE WHOSE EMAIL ADDRESS YOU HAVE HANDY SO THAT THIS DISASTER CAN BE AVERTED.
By the way, as far as I know there is no Green Eggs and Ham virus or hoax. I’ve just done what many real hoaxers have done and pulled a silly title out of thin air (or in this case, my daughter’s bookshelf). In fact, the infuriating aspect of this problem is that most hoaxers are abominably lazy and unoriginal, and the subject of the email that carries the supposed virus is often the only bit of the hoax that varies between two variants.
This sort of hoax only continues to work because masses of people with little technical knowledge of computers (let alone computer viruses) join the Internet community for the first time every day. Each one is at high risk of passing on such a hoax because they don’t know any better. Of course, a hoax can be much subtler than this, but I’m not here to tell you how to write a hoax that might fool even an expert.
Here are a few of the features that will alert the experienced hoax watcher to the unreliability of the Green Eggs and Ham alert:
Uppercase is used throughout and the message carries clusters of exclamation marks for emphasis. Of course, this doesn’t prove anything about the accuracy of the alert. Nevertheless, it’s been observed many times that the use of uppercase, liberal exclamation marks, and poor spelling, grammar, and style characterize most common hoaxes. On no account, however, should you assume that an alert is accurate simply because it doesn’t have these characteristics.
The reference to McAfee and Symantec doesn’t give contact or reference information. It’s just there to add credibility to the hoax. There’s no real indication of when it was written, either. There are hoaxes circulating the Internet right now claiming that IBM announced something “yesterday” that have been around for years. The “yesterday” is just there to give a false impression of urgency.
It’s true that some email viruses/worms arrive with a characteristic subject header. However, there are many others that don’t, and it makes more sense to avoid executing any attachment than to try to remember what silly header goes with which virus. In fact, administrators trying to block particular viruses by filtering mail on subject alone using inappropriate criteria are responsible for a whole subclass of indirect denial-of-service attacks.
It makes sense to be cautious about email, but just opening a message can only infect your system if you have certain mail programs (Outlook, primarily) set with overly permissive defaults. Most mailers don’t execute code just by viewing the message. An alert that says this will happen but doesn’t specify any particular mailer should be regarded with suspicion.
It’s implied that the malicious code works on any hardware. This is pretty suspicious. What’s more, a payload that triggers as soon as you open the message/attachment will be pretty ineffective at spreading. You might think the mouse-mat payload is a bit over the top. Actually, real hoaxes are often as ridiculous as this (although they often conceal their improbability behind technobabble).
Of all the organizations listed, only IBM has any real expertise in viruses (though the company is not actually in the antivirus research field any longer). The others are only listed to impress you.
It’s claimed that there is no “remedy” for the virus. Antivirus vendors can usually supply fixes for new viruses in hours, even minutes. Of course, the effects of some viruses might be impossible to reverse, but data recovery firms can perform near-miracles sometimes.
A virus that trashes your system as soon as you execute it is unlikely to travel very far. What is being described here sounds more like a destructive Trojan, and they don’t generally spread well through email.
The warning urges you to forward the mail to everyone you know—that makes it a chain letter. Reputable and knowledgeable organizations don’t send alerts that way, although clueless ones sometimes do.
The 1988 Morris Worm (the Internet Worm) and its siblings, such as WANK and CHRISTMA EXEC, usually targeted heavy-duty mainframe and minicomputer hardware, mail, and operating systems. More recent threats have been aimed primarily at PCs, and in one highly publicized incident (the AutoStart worm), Apple Macs. However, worms might also have the incidental effect of bringing down mail servers through the sheer weight of the traffic they generate. Some of these have been variously classified by different researchers and vendors as viruses, as worms, as virus/worm hybrids, and occasionally as Trojan horses.
Universally accepted classifications of worms don’t yet exist, but Carey Nachenberg, in a paper for the 1999 Virus Bulletin Conference, proposed a classification scheme along the following lines:
Email worms, unsurprisingly, spread via email.
Arbitrary Protocol Worms spread via protocols not based on email (
IRC/DCC,FTP,TCP/IPsockets).
As well as proposing classification by transport mechanism, Nachenberg also proposed classification by launching mechanism:
Self-launching Worms such as the 1988 Internet Worm require no interaction with the computer user to spread. They exploit some vulnerability of the host environment, rather than in some way tricking the user into executing the infective code. However, KAK and the rather rare BubbleBoy are examples of self-launching worms. By exploiting a bug in the Windows environment, they can execute without user intervention. More recent examples include worms such as Code Red, which exploits vulnerabilities in Internet Information Services (IIS), and other malware that exploit buffer overflows and other weaknesses in Windows and Unix programs.
NOTE
For information on dealing with this problem by applying a patch, see http://support.microsoft.com/support/kb/articles/Q262/1/65.ASP.
User-launched Worms interact with the user. They need to use social engineering techniques to persuade the victim to open/execute an attachment before the worm can subvert the environment, so as to launch itself onto the next group of hosts. Many of today’s VBScript worms fall into this or the Hybrid-launch category.
In fact, some of the worms we’ve seen to date are probably better classified as Hybrid-launch Worms (by Nachenberg’s classification scheme) or multipartite (in terms of conventional virus terminology) because they use both self-launching and user-launched mechanisms. Nimda and later members of the Code Red family are hybrid worms, using a variety of techniques to infect and spread.
The following characteristics are not necessarily restricted to particular virus/worm classifications, but are of some importance if only because of the way the terms stealth and polymorphism are so often misused:
Stealth—. Almost all viruses include a degree of stealth; that is, they attempt to conceal their presence to maximize their chances of spreading. There have been viruses that asked permission before infecting, but this courtesy has not been rewarded by wide dissemination. Conspicuous payloads tend to be avoided, or are delivered fairly irregularly, or after a delay (on the nth iteration of the virus code execution, or on a trigger date, for instance). This gives them time to infect other systems before they’re noticed. Stealth viruses use any of a number of techniques to conceal the fact that an object has been infected. For example, when the operating system calls for certain information, a stealth virus might respond with an image of the environment as it was before the virus infected it. In other words, when the infection first takes place, the virus records information necessary to later fool the operating system.
This also has implications for antivirus tools that work by detecting that something has changed, rather than by detecting and identifying known viruses. To be effective, such tools must use generic anti-stealth techniques. Of course, it isn’t possible to guarantee that such techniques will work against a virus that has not yet been discovered. However, virus scanners that detect known viruses are at an advantage in this respect, because vendors will normally compensate for a new spoofing technique when they add detection for the virus that employs it. The trick employed by some BSIs of displaying an image of the original boot sector as if it was still where it belonged is a classic stealth technique. File viruses characteristically (but not invariably) increase the length of an infected file, and can spoof the operating system or a antivirus scanner by subverting system calls, so that the file’s attributes before infection, are reported, including file length, time and datestamp, and CRC checksum.
Polymorphism—. Polymorphic viruses are adored by virus authors and feared by nearly everyone else. This is partly because of an overestimation of the impact of the polymorphic threat. Nonpolymorphic viruses usually infect by attaching a more or less identical copy of themselves to a new host object. Polymorphic viruses attach an evolved copy of themselves, so that the shape of the virus changes from one infection to another. Some polymorphic viruses use techniques such as changing the order of instructions, introducing noise bytes and dummy instructions, and varying the instructions used to perform a specific function. A more sophisticated approach is to use variable encryption, drastically reducing the amount of static (unchanging) code available to the antivirus programmer to use to extract a pattern by which the virus can be identified. You might imagine (as many people do) that this makes polymorphism a formidable technology to counter. Indeed, the emergence of polymorphic viruses and plug-in mutation engines (enabling almost any virus author to include variable encryption in his own work without reinventing the wheel) contributed to the disappearance of some of earlier antivirus packages.
However, although polymorphic viruses are popular with virus authors demonstrating their skills, they have been less well-represented in the field than in the collections of antivirus researchers, certification laboratories, comparative testers, and others who need as complete a collection as possible. Antivirus scanning technology has also moved on, and simple signature scanning for a fixed character string doesn’t play a large part in the operation of a modern scanner.
The classifications of viral malware described earlier do not cover the entire range of objects detected by antivirus software. Some vendors are quick to point out that what they sell is antivirus software, not anti-malware software. Nonetheless, nowadays most commercial products detect some Trojan horses (see Chapter 18) and other objects that barely qualify as malware, let alone viruses. Such objects include intended (nonfunctioning) viruses, joke programs, DDoS programs, even garbage files that are known to be present in poorly maintained virus collections likely to be used by product reviewers. There are obvious commercial disadvantages to refusing to detect objects that are not viral or even malicious, when products may be marked down in poorly implemented comparative reviews for failing to detect them.
It might be noticeable that this chapter has been largely PC-centric. Certainly, there are more viruses that infect PC platforms (DOS and all flavors of Windows) than any other operating system. Native Macintosh viruses are far fewer. In fact, there are probably more native viruses on systems such as Atari and Amiga that have never had the same popularity (in corporate environments, at least). However, the fact that Macintoshes share with Windows a degree of vulnerability to Microsoft Office macro viruses makes them the other main virus-friendly environment today.
It should not be assumed, however, that other platforms don’t have virus problems. Access controls can be imposed on unprivileged accounts in Unix (including Linux), NT, NetWare, and other platforms to restrict infection flow. However, they can’t prevent unprivileged users from sharing files, if only by email. Nor can they prevent a privileged user from inadvertently spreading infection. Even systems that don’t support any known native viruses (servers or workstations) can carry infected objects between infectable hosts, a process sometimes known as heterogeneous virus transmission. It’s just as important to scan network file servers, intranet, and other Web servers, regardless of their native operating system. In fact, an increasing number of products detect viruses associated with other operating environments. Thus, some Mac products detect PC viruses, and vice versa.
A similar situation has arisen in Linux circles recently, as Linux worms have become more common, and possibly as more PC enthusiasts have taken to running multiple operating systems on a single PC. Indeed, the common hardware architecture hosting both Windows and some Linux versions results in some (limited) potential for cross-platform viral functionality.
Clearly, viruses do represent a risk on the Internet. That risk is higher for those running DOS, any variant of Windows, or certain macro-capable applications, especially the Microsoft Office applications suite. Mostly this is a matter of market share. Most virus writers target PCs and Windows because that’s what they have access to. However, there are other factors that increase the risk: PC hardware architecture, Microsoft’s dismissive stance regarding the need for security on single-user systems, and the dangers of having macro code and data in the same file.
There are some tools to help keep systems safe from virus attacks listed later in this chapter. Be aware though; the only way to guarantee safety is by obeying Richards’ Law of Data Security—don’t buy a computer, and, if you do buy one, don’t turn it on. (A tip of the hat to Robert Slade, my fellow author and collaborator on “Viruses Revealed” for bringing that one to my attention.) Antivirus software is mostly reactive: It responds to a perceived threat, and works most effectively against threats it can identify with precision (known viruses). The best defense against unknown viruses is often to work in an environment that doesn’t provide a host to particular classes of threat. Sadly, however, this is often not an option, particularly in some corporate environments where Microsoft products are considered obligatory.
Antivirus software can generally be defined as generic, malware-specific, or hybrid. Generic software commonly includes change detection software (integrity checkers), behavior monitors, and behavior blockers. It deduces the existence of a virus from a change in the environment or an infectable object (a file, for example), or from a process displaying behavior characteristic of malware. (Note that the term malware is increasingly used with particular reference to Trojan horses rather than viruses, though many researchers continue to use the term to cover all forms of malicious software. Trojans are considered at length in Chapter 18, as is change-detection software.)
Gateway machines in corporate environments are increasingly protected by another form of generic blocking. Filtering by file type is normally implemented by checking for “dangerous” filename extensions, though vendors are becoming increasingly aware of a need for mechanisms to check whether a program file’s real structure conforms to the structure suggested by its filename extension. For instance, a batch file is simple text. If a file with the filename extension .BAT turns out to have an .EXE file structure, this in itself is a danger signal. However, filtering by filename extension is conceptually simple and catches most potential threats. Objects that might be blocked in this way include the following:
Filenames that suggest an executable filetype that wouldn’t normally be found as a legitimate file attachment—A
.LNKfile, for instance, is a shortcut, a pointer to a local file or one mounted from the local network. It’s unusual to find one pointing to a remote system not accessible as a network share.Filenames that suggest an executable file type and blocked for policy reasons— It is very common for a policy decision to be made to block all executable files with extensions such as
.EXE,.COM, and.SCR. It is considered acceptable in such cases to be worth the inconvenience in those instances in which such a file needs to be transmitted for entirely legitimate reasons. In some environments, files blocked for policy reasons might include filenames associated with macro-friendly Microsoft Office applications such as*.DOC,*.XLS, and*.MDB.Filenames matching a suspicious filename template such as
*.jpg.pif(suggesting an executable masquerading as a graphic),*.txt.exe(an executable masquerading as a text file), or*. .com(filename containing multiple spaces before the final ‘real’ extension in the hope that the final extension will be pushed off the screen and thus not noticed). This type of pattern matching is less necessary when the real file extension (the only part of the filename with any special significance for Windows, in general), is proscribed under one of the previous rules.
Malware-specific software checks infectable objects against a database of virus definitions. If a match is found, it alerts the computer user and might be able to remove the virus from the infected object. This is usually possible with boot sector and macro infectors. File viruses are sometimes harder (and sometimes impossible) to disinfect, and some vendors don’t even try, taking the view that it’s always better to replace a binary executable than to risk disinfecting it unsuccessfully. Many modern viruses/worms are comparatively easy to remove in that the whole file can be deleted, so that restoring an original file to its pre-infected state isn’t an issue. However, collateral modifications to the environment, such as Registry changes, are still an issue in such cases, and can be very difficult to deal with. The increasing sophistication of detection algorithms also means that a virus-specific definition will also flag a close variant as infected, even where there is no specific detection for that variant. Some vendors are justifiably proud of the effectiveness of their technology in this area, and have developed generic drivers that can deal with whole families of viruses rather than a single variant. This is very useful in terms of detection, but can lead to difficulties with the disinfection and repair of collateral modifications to the environment.
Scanners can be on-access (real-time or memory resident) or on-demand. On-access scanners check files and other infectable objects as they are accessed (especially as they’re opened for reading or writing), and can be implemented as a DOS TSR, Windows VxD, NT service, Macintosh System Extension, and so on. Most antivirus packages include an on-access malware-specific component, but on-access change detectors do exist. On-demand scanners are executed only when called by the user or by scheduling software. They do their job, then terminate.
Modern malware-specific scanners are better described as hybrid. Although they use more or less exact identification, most are also capable of a generic technique known as heuristic analysis, which is related to behavior blocking. Code is checked for characteristics that suggest a virus, either by passive analysis of the code, or by executing it under emulation, so that its behavior can be safely monitored.
Inclusion in the following list of antivirus products doesn’t necessarily constitute a recommendation. Products change, and what works for one PC, environment, or organization won’t necessarily work well in another. However, these are all competent products. In general, URLs in this chapter have been modified since the previous edition of this book, so that only the relevant domain name is given. Experience indicates that actual pages move around a lot. For a comprehensive list of vendors, the specialist antivirus magazine Virus Bulletin includes a comprehensive list of vendors on its Web site at http://www.virusbtn.com/vb100/archives/products.xml?/.
The NAI range includes the current incarnations of McAfee and Dr. Solomon’s for a wide range of workstation and server platforms, including PCs/Windows, Macintosh, and Unix (including Linux). Visit NAI’s Web site at http://www.nai.com/.
Norton Anti-Virus is available for a wide range of workstation, server, and gateway platforms, including DOS, Macintosh, Windows 9x, and Windows NT/2000/XP. Find out more at http://www.symantec.com.
One of the few remaining desktop products free to some computer users. Visit http://www.grisoft.com for more information.
Eliashim, producer of eSafe and now part of the Aladdin empire, focuses primarily on gateway protection from viruses and other malicious software. Contact them at http://www.eliashim.com/.
Sybari’s groupware security product supports a number of mail server products and configurations. More information is available at http://www.sybari.com.
PC-Cillin by Trend Micro can be found along with their InterScan gateway products at both http://www.antivirus.com/ and http://www.trendmicro.com.
Sophos is focused on the corporate market. Products are available for a wide range of workstation, server, and gateway platforms, including PCs/Windows, Macintosh, and Unix (including Linux). Learn more at http://www.sophos.com/.
A number of products have been based on the F-Prot detection engine. The original product (which is free for personal use, and also available as a commercial product) can be found at http://www.complex.is.
The product formerly sold by DataFellows as F-Prot Professional is now known as F-Secure, and is available at http://www.f-secure.com.
The Command Software version of F-Prot Professional is at http://www.commandcom.com/.
Integrity Master by Stiller Research combines an advanced change detector with conventional known-virus scanning. The Stiller Web site is a good source of general information (hoax information, for example), and is located at http://www.stiller.com/stiller.htm.
There are hundreds of virus scanners and utilities. Those listed here have a good reputation, are easily available on the Internet, and are updated frequently. Viruses are found each day, all over the world. Most of them are unlikely ever to be seen In-the-Wild, but sometimes a formerly quiet virus will suddenly “get lucky” and go feral. New worms and other email-borne viruses such as Melissa or LoveLetter can go from unknown to global within hours. Strange to think that only a few years ago, it was still normal for antivirus software to be updated on a quarterly basis.
Virus and antivirus technologies continue to increase in complexity and sophistication. The likelihood of contracting a virus on the Internet increases as “fast burner” virus dissemination techniques evolve, and the number of potential hosts increases with the expansion of the Internet itself. It depends on where you go: If you frequent the back alleys of the Internet, you should exercise caution in downloading any file (digitally signed or otherwise). Usenet newsgroups are places where viruses might be found, especially in those newsgroups where hot or restricted material is trafficked. Examples of such material include warez (pirated software) or pornography. Similarly, newsgroups that traffic in cracking utilities are suspect. However, the nature of the virus threat means that you are far more likely to receive an infection from someone you know, someone with no malicious intention, than from a known or anonymous virus author/distributor. We therefore recommend that you look through the guidelines to practicing “safe hex” for computer users and administrators summarized in the final section of this chapter.
Virus technology has been through a number of phases. The first big wave was the PC boot sector infector, mostly overshadowing even the parasitic fast-infector and “big-iron” infecting worms. The second wave was largely the rise of the macro virus. Among these, the first email-aware macro viruses foreshadowed the coming of the next wave: Melissa, LoveLetter, and the macro and VBScript worms that dominate the scene at the time of this writing. Many examples of the current wave of email viruses/worms are less sophisticated than the more complex, “traditional” viruses, relying to some extent on social engineering (psychological manipulation) as much as technical complexity. However, some recent examples (such as Hybris, MTX, and Yaha) combine technical complexity with social engineering. For example, some recent worms carry their own SMTP engines. An accelerating and related trend is for viruses such as Klez to spoof mail header information so that it becomes more difficult to identify the sender of infected mail. In such a case, not only is it more difficult to identify and warn the owner of an infected system, but individuals whose systems are not infected may be bombarded with misdirected warnings and complaints.
It’s been suggested that upcoming operating systems will be so secure that viruses will cease to be a problem. However, experience indicates that as particular loopholes are patched, others are found and exploited. Expect the unexpected.
The following is a list of articles, books, and Web pages related to the subject of computer viruses. Some are only included or alluded to because they were in the previous edition. Some outdated links and unobtainable references have been removed, and several have been added. (We don’t guarantee that those listed are still available—in fact, you might have trouble getting hold of any but the most recent.) Inclusion of a resource in this section doesn’t necessarily constitute recommendation (as the comments make clear). However, it’s important to know and recognize the more prominent but poor resources, as well as the good ones.
This chapter can only give you an overview of the virus problem. If you have the misfortune to be a systems or network administrator responsible for protecting your customers from malicious software, you will need to do some serious research into virus and antivirus technology, and I recommend that you take advantage of the information resources listed in this chapter. If you’re an administrator or manager, you certainly can’t afford to rely on vendor sales executives or consultants to make all the decisions for you. More often than not, these people are better acquainted with the interface of their product range than with its real-world application to real-world virus management problems.
For your delectation, we offer some guidelines that should make your computing life safer:
Check all warnings and alerts with your IT department. Whether you are a manager or administrator, make sure that there is a known policy by which only authorized personnel can pass on alerts. This cuts down on panic, curbs dissemination of hoaxes and other misinformation, and reduces the risk of inappropriate action that might be worse than no action.
Don’t trust attachments, even from people you know and consider trustworthy. The sender might have no malicious intent, but she might not be keeping her antivirus software up-to-date, either. Furthermore, email viruses and worms generally send themselves out without the knowledge of the person in whose account they are received. Even a legitimate, expected attachment can be infected with a virus. Anything that meets the following criteria should be considered particularly suspicious:
From someone you don’t know, who has no legitimate reason to send them to you.
Attachment arrives with an empty message.
Message text doesn’t mention the attachment.
Message text doesn’t seem to make sense.
Message uncharacteristic of the sender.
Message concerns pornographic Web sites, erotic graphics, or other oddities.
Message includes no personal references at all.
Message attachments with filenames suggesting an attempt to disguise the fact that the file is an executable are, to the virus-literate, a dead giveaway. The following is a list of filename extensions that indicate an executable program, or a data file that can contain executable programs in the form of macros. This list is not by any means all-inclusive. There are filenames such as
.RTFthat shouldn’t include program content, but under some circumstances can (when it contains an embedded file, for example). Bear in mind that Word documents (for instance) can in principle have any filename extension, or none. Also, zipped (compressed) files with the filename extension.ZIPcan contain one or more of any kind of file.BAT.CHM.CMD.COM.DLL.DOC.DOTEXE.FON.HTA.JS.OVL.PIF.SCRSHB.SHS.VBS.VBA.WIZ.XLA.XLS
Remember that worm victims don’t usually know that they’ve sent you an infected attachment. There is no such thing as a trusted account. If someone sends you an attachment, especially if there’s no obvious reason they should, or if it meets any of the previous criteria, confirm with them that they did so knowingly.
Use antivirus software and keep it updated. However, don’t assume that using the latest updates makes you invulnerable. Antivirus software cannot catch and disinfect every type of threat, especially new malware or variants, and might not completely reverse their ill-effects. Use on-access scanning and auto-updating of definitions wherever possible.
If your environment allows it, disable the Windows Scripting Host.
Don’t install (or let others install) unauthorized Software. Programs such as games, joke programs, screensavers, and unauthorized utilities can cause difficulties even if they’re not intentionally malicious. Be particularly cautious about programs found in unsafe environments such as Internet chatrooms, newsgroups, unsolicited email, and so on.
If you use macro virus-friendly applications such as Word, ensure that macros are not enabled by default. Recent versions of Office enable macros in a document to be disabled as a default option. If you receive a document with macros from a trusted source, ask for verification. But don’t trust this option absolutely. If it’s possible to work with macro-hostile formats such as
.RTF(Rich Text Format), do so.Disable default booting from floppy disk in CMOS. (This blocks infection from pure boot sector viruses.)
Encrypted (passworded) attachments are normally legitimate mail, sent intentionally. However, if it started out infected, encryption won’t fix it. Furthermore, encrypted attachments can’t usually be scanned for viruses in transit.
If you use macro-friendly applications and programs with known vulnerabilities such as IIS, Internet Explorer, Outlook, and Outlook Express, make sure they have the latest patches.
Back up, back up, back up. And test your backups!