Viruses, Worms and Trojans have been with us for many years, but rarely did
one show up in one of our clients' systems. Now, we're seeing a serious
attack every week or two. What changed? Several things changed:
Since the automation / integration features are so easy to use, even rank novices can write effective worms and viruses using them (as was the case with the ILOVEYOU worm). Since they are unrestricted, they can do anything with your computer you could do. Fortunately, none of the fast moving worms we have recently experienced has been designed to do much damage, but that will change.
Definition of Threats
How You Get InfectedBoot Sector Virus: These were very popular when the floppy disk was much more widely used. If you turn on your computer with an infected floppy in the A: drive, the program runs and infects the boot sector of your hard disk. From then on, any floppy you put in the A: drive becomes infected and will spread the virus to other computers.
File Infectors: When you run an infected program on your computer. It infects as many other programs as it can. Any of these programs can then infect another computer. Favorite ways to spread this class of virus is to infect pirated programs posted for "free download". Screen savers and other novelty programs are also favorites.
Word/Excel Macro Virus: These depend on automation features of Microsoft programs to run. they may infect any Word or Excel document and can do anything any other program can, including reformat your hard disk.
Hostile Code: Microsoft Windows provides an environment where practically any script or program is allowed to run in privileged mode, and Windows itself includes many powerful system tools these programs can exploit, so they don't have to bring much with them. Hostile code can be carried by email or inserted into your machine by visiting the perpetrator's Web site, or a Web site he has compromised.
VirusesThe exact effect of many viruses on a Windows system is unpredictable because Windows itself is so disorderly. A virus that crashes one system completely may cause minor inconsistencies on another and cause no noticable effect on a third. Many viruses try to hide completely and cause no disruption, because they are designed to do something fun (like format your hard disk) on a particular date.
The majority of viruses do nothing except propegate and let their presence be known on the systems they infect, but they still cost a lot of money to get rid of. You can't just leave them since you can't know what they might do. There are often many versions of a specific virus, some annoying, and others destructive.
Viruses must be removed with great care and by established procedures. A good anti-virus program can remove many, but not all. Boot sector viruses, for instance, are easily removed by booting on a DOS floppy, then typing the undocumented fdisk /mbr command. In response, boot sector virus have been developed that prevent you from accessing your hard disk at all once you have used this command to remove them. Disk access had been diverted through the virus, and it isn't there any more.
TrojansTrojans (short for "Trojan Horse"), are hostile code that permanently compromises your system, allowing access and control by an outside perpetrator. Once a Trojan is installed, your computer can be used to launch attacks against other computers, or can be used to gather private data from your hard disk or network.
A particularly notable Trojan is covered in our article Cult of the Dead Cow, but there are many others. Many Trojans today are designed for a single purpose, such as obtaining the cookies file from your browser (which will expose passwords and may allow credit card numbers to be obtained), or for launching DDoS (Distributed Denial of Service) attacks against Internet sites using your computer.
[ UPDATE: - New Trojan, Wrapster, turns Napster into a major security hole. ]
Fast Moving WormsWe cannot over emphasize that fast moving worms like Melissa, ILOVEYOU, Life_Stages, Pretty Park and the like affect only Microsoft Windows environments. They are made possible by the tight integration between all Microsoft products and the deliberate lack of security in design.
Since all systems running Windows are now nearly identical, a worm or virus can depend on having exactly the environment it needs wherever it goes. Since e-mail and Internet connectivity are now essential to business and in wide personal use, propegation is swift and sure.
Microsoft has denied all responsibility and has strongly stated they will not change the behavior of their product integration just because of the multi-billion dollar losses their customers have suffered in attacks. The value of locking out competitors far more important to them than economic losses to customers.
Microsoft's reasoning is perfectly sound. Most of their customers have completely failed to associate cause with effect, and the few who have have come up with endless rationalizations for why "we have to use Microsoft Office". The press certainly isn't going to push the point and risk their advertising revenue - and as long as competitors are locked out, customers won't have any choice anyway.
Microsoft apologists loudly claim that if any other environment were as popular as Windows it would be subject to similar attacks. This is not true. No other networked environment allows untrusted programs to run automatically, and certainly doesn't allow them to run in privileged mode where they can affect system files and directories. Nor do they have the tight "single vendor" integration Microsoft products have.
There's a joke going around about a Linux virus that works on the honor system. It asks the user to please e-mail it to a bunch of other people, and then please delete a bunch of system files at random.
[ UPDATE: 18-May-00 - after a U.S. Congressman lambasted anti-virus industry execs to their faces, and suggested some measures Microsoft's high IQ developers were apparently unable to think of, Microsoft reacted by anouncing patches for Outlook that partially relieve its vulnerability.
Microsoft has chosen to implement these features as an "all or nothing" solution. You either remain vulnerable or give up Office integration and automation features entirely - and you can't uninstall once you've installed. They allow no middle ground. The obvious explanation is to be able to say "We have fixed the problem", but to make the fix so onerous few will implement it. After the next attack they can say, "People didn't install the fix we made available - it's their own fault".
More information on the security patch and links to Microsoft's download site can be found in our news item Microsoft's Love Bug Fix. ]
Some measures developed by other companies, such as JustBeFriends (created in response to the I Love You worm), will protect the network and email system by stopping propegation, but will not protect the machine that has become infected. Using an e-mail program other than Outlook (we recommend PMMail) will also have this effect.
Of course, using an alternative office suite too, such as StarOffice, Corel WordPerfect Office, or Lotus SmartSuite will stop all these worms and macro viruses dead in their tracks, and protect the infected machine as well. But then you're giving up the automation features that make those animated off-color jokes you get in your e-mail so entertaining.
Worms, like viruses, must be removed with great care and by established procedures. Pretty Park and similar viruses, for instance, consist of a single file, FILES32.VXD. You can't simply remove this file, though, because changes have been made in the registry and you won't be able to run any programs at all once it has been removed. You must first correct the registry using REGEDIT. Life_Stages goes a little farther. It removes REGEDIT first so you don't have the tool you need to repair the damage.
HTML E-mail DangerMany spammers and other low-life send e-mail in HTML format rather than as plain text. Poorly designed mail systems will automatically open HTML mail using the Web browser. The effect is exactly the same as visiting the perpetrator's Web site. In other words, if the perpetrator wants to run a hostile script that e-mails your Quicken file to him, or plants a Trojan, or whatever, he can do it if you haven't tightened your security.
Hostile HTML e-mail will pass through any firewall because it looks like a legitimate document. You can safely examine HTML email using a mail reader that reads it as plain text (but it looks really messy), but you might as well just delete it unread since HTML mail is all advertising anyway.
Protecting YourselfIf you have read the above that should be obvious. All you have to do is move your computers to non-Microsoft software - but you aren't going to do that, are you? So, lets discuss second best.
©:Andrew Grygus - Automation Access
Velocity Networks: Network Consulting Service - Internet Service Provider - Web Page Design and Hosting
All trademarks and trade names are recognized as property of their owners