• Most of our clients' systems have become remarkably similar, in fact essentially identical. As Microsoft consolidates it's desktop monopoly, variation becomes difficult.
• E-mail has become a critical and necessary business tool - and a casual source of diversion for employees.
• Automation features have proliferated in Microsoft's products as a means of integrating what were once very separate applications.

Since the automation / integration features are so easy to use, even rank novices can write effective worms and viruses using them (as was the case with the ILOVEYOU worm). Since they are unrestricted, they can do anything with your computer you could do. Fortunately, none of the fast moving worms we have recently experienced has been designed to do much damage, but that will change.

Definition of Threats

• Virus - program code that propagates itself by attaching itself to or embedding itself within some other program. A program that is often passed from computer to computer is selected. Pirated programs posted for "free download", screen savers and games are long time favorites. The term "virus" is also loosely used to designate all the other threats on this list.
• Worm - differs from a virus in that it is a stand-alone program not attached to any other program. It usually propagates itself actively by using networks, e-mail systems and other data connections.
• Trojan - a program that hides on your computer and allows it's perpetrator to access your computer and its data at will. Many Trojans will use your Internet connection to "phone home", announcing their presence and your Internet address to the perpetrator, or will simply email specific files. Trojans may be propagated as viruses or worms.
• Hostile Code - scripts or programs that can be transferred to your computer within HTML e-mail, as e-mail attachments, or by visiting a hostile Web site. Hostile code can do anything you could do from the keyboard.

How You Get Infected

File Infectors: When you run an infected program on your computer. It infects as many other programs as it can. Any of these programs can then infect another computer. Favorite ways to spread this class of virus is to infect pirated programs posted for "free download". Screen savers and other novelty programs are also favorites.

Word/Excel Macro Virus: These depend on automation features of Microsoft programs to run. they may infect any Word or Excel document and can do anything any other program can, including reformat your hard disk.

Hostile Code: Microsoft Windows provides an environment where practically any script or program is allowed to run in privileged mode, and Windows itself includes many powerful system tools these programs can exploit, so they don't have to bring much with them. Hostile code can be carried by email or inserted into your machine by visiting the perpetrator's Web site, or a Web site he has compromised.

Viruses

The majority of viruses do nothing except propegate and let their presence be known on the systems they infect, but they still cost a lot of money to get rid of. You can't just leave them since you can't know what they might do. There are often many versions of a specific virus, some annoying, and others destructive.

Viruses must be removed with great care and by established procedures. A good anti-virus program can remove many, but not all. Boot sector viruses, for instance, are easily removed by booting on a DOS floppy, then typing the undocumented fdisk /mbr command. In response, boot sector virus have been developed that prevent you from accessing your hard disk at all once you have used this command to remove them. Disk access had been diverted through the virus, and it isn't there any more.

Trojans

A particularly notable Trojan is covered in our article Cult of the Dead Cow, but there are many others. Many Trojans today are designed for a single purpose, such as obtaining the cookies file from your browser (which will expose passwords and may allow credit card numbers to be obtained), or for launching DDoS (Distributed Denial of Service) attacks against Internet sites using your computer.

[ UPDATE: - New Trojan, Wrapster, turns Napster into a major security hole. ]

Fast Moving Worms

Since all systems running Windows are now nearly identical, a worm or virus can depend on having exactly the environment it needs wherever it goes. Since e-mail and Internet connectivity are now essential to business and in wide personal use, propegation is swift and sure.

Microsoft has denied all responsibility and has strongly stated they will not change the behavior of their product integration just because of the multi-billion dollar losses their customers have suffered in attacks. The value of locking out competitors far more important to them than economic losses to customers.

Microsoft's reasoning is perfectly sound. Most of their customers have completely failed to associate cause with effect, and the few who have have come up with endless rationalizations for why "we have to use Microsoft Office". The press certainly isn't going to push the point and risk their advertising revenue - and as long as competitors are locked out, customers won't have any choice anyway.

Microsoft apologists loudly claim that if any other environment were as popular as Windows it would be subject to similar attacks. This is not true. No other networked environment allows untrusted programs to run automatically, and certainly doesn't allow them to run in privileged mode where they can affect system files and directories. Nor do they have the tight "single vendor" integration Microsoft products have.

There's a joke going around about a Linux virus that works on the honor system. It asks the user to please e-mail it to a bunch of other people, and then please delete a bunch of system files at random.

[ UPDATE: 18-May-00 - after a U.S. Congressman lambasted anti-virus industry execs to their faces, and suggested some measures Microsoft's high IQ developers were apparently unable to think of, Microsoft reacted by anouncing patches for Outlook that partially relieve its vulnerability.

Microsoft has chosen to implement these features as an "all or nothing" solution. You either remain vulnerable or give up Office integration and automation features entirely - and you can't uninstall once you've installed. They allow no middle ground. The obvious explanation is to be able to say "We have fixed the problem", but to make the fix so onerous few will implement it. After the next attack they can say, "People didn't install the fix we made available - it's their own fault".

More information on the security patch and links to Microsoft's download site can be found in our news item Microsoft's Love Bug Fix. ]

Some measures developed by other companies, such as JustBeFriends (created in response to the I Love You worm), will protect the network and email system by stopping propegation, but will not protect the machine that has become infected. Using an e-mail program other than Outlook (we recommend PMMail) will also have this effect.

Of course, using an alternative office suite too, such as StarOffice, Corel WordPerfect Office, or Lotus SmartSuite will stop all these worms and macro viruses dead in their tracks, and protect the infected machine as well. But then you're giving up the automation features that make those animated off-color jokes you get in your e-mail so entertaining.

Worms, like viruses, must be removed with great care and by established procedures. Pretty Park and similar viruses, for instance, consist of a single file, FILES32.VXD. You can't simply remove this file, though, because changes have been made in the registry and you won't be able to run any programs at all once it has been removed. You must first correct the registry using REGEDIT. Life_Stages goes a little farther. It removes REGEDIT first so you don't have the tool you need to repair the damage.

HTML E-mail Danger

Hostile HTML e-mail will pass through any firewall because it looks like a legitimate document. You can safely examine HTML email using a mail reader that reads it as plain text (but it looks really messy), but you might as well just delete it unread since HTML mail is all advertising anyway.

Protecting Yourself

• Make good multi-tiered backups of all important data and keep them safe. Do it early and often (might we suggest - daily?). This is your first line of defense and your last resort when everything else goes wrong. Don't screw it up.

• You must install and keep up-to-date a good anti-virus program. By up-to-date I mean updating it every few weeks and immediately every time a major new threat is announced.

• Train users to be very suspicious of e-mail attachments they aren't expecting, even if they appear to be from someone they know and trust. Even if they have "safe" file extensions like .TXT (Windows often hides the real extension). User training has its limits because virus writers have available a lot of social engineering tricks they haven't even begun to exploit yet.

• Turn off automatic execution of macros in Microsoft Office. Of course, it'll bitch about this because Microsoft wants them turned on, but that's a cost of safety. Remember to turn them off again after any reinstall.

• Uninstall Microsoft Scripting Host (Control Panel / Install/Uninstall Software) if you can do without most integration and automation features.

• Install Microsoft's security fix if you can do without integration and automation features entirely and permanently.

• Your up-to-date anti-virus software can be made out-of-date overnight by a new virus. A virus can be launched in Asia at 2:00am, and it's on your system at 10:00am, so you need to check a virus news site every morning or subscribe to a notification service. If you're in the U.S. people in Europe have probably already been hit and the news is out.

• If you have a DSL or Cable Modem connection to the Internet, implement a firewall or at least invasion detection software. See our article on Security with DSL and Cable Modems for a lot more detail. Without these measures, if the viruses and worms don't get you, the script kiddies probably will.