Malicious maladies multiply


What's malware? Software written for malicious purposes, such as viruses, or programs that spread through altered or "infected" data files; Trojan horses, or software that poses as something else to get a computer user to execute its function; spyware, or software that tracks the activities of a computer user and reports them back to the developer; back-doors, or software that provides a way for a hacker to circumvent security and gain access to functions of the computer the software is installed on.

How does it get on my network? The most common approach to spreading malware is by e-mail, via attached files. Worm Trojans and viruses can hijack an infected computer's e-mail client to send hundreds or thousands of copies of itself to addresses in the user's e-mail address book or found in any other files on the computer. Trojans like the recent MyDoom disguise where they've come from by spoofing the address of a person found in the address book.

Another increasingly common approach is to exploit other weaknesses in operating systems' security. MSBlaster exploited a problem with Microsoft Windows' use of Remote Procedure Calls; Code Red used weaknesses in Microsoft SQL Server to spread itself.

How much will protection cost me? Depending on how thick you lay the protection on, it can cost as little as $20 per user per year, or as much as $100 per user for more complete protection.

Must-know info? The best approach is a defense in depth. This includes a mail scanner at the server or mail gateway to block incoming messages with viruses or Trojans, desktop virus scanners to stop viruses and other malware that get onto systems by other means, and management software to control access policies to desktops and deploy patches to vulnerabilities quickly.

Antivirus tools help computer doctors stay one step ahead of infections

Pundits often throw out the phrase "digital convergence" to describe how Internet and computing technologies are changing everything from television to telephone calls.

But there's another, somewhat less friendly digital convergence happening on the fringes of the technology world ? the merging threats of unsolicited e-mail marketing and malicious software.

Unsolicited e-mail, commonly known as spam, has grown so much in recent years that it now constitutes the majority of the message traffic that comes into many mail servers.

"The volume of spam is so high, we're intercepting 62 percent of mail coming into our customers as spam," said Michael Sunner, chief technology officer of MessageLabs Inc., an e-mail security company based in Gloucester, England, with U.S. headquarters in New York. MessageLabs' clients include the entire U.K. government.

With increasing frequency, this mail carries malware, or malicious software. This includes virus programs that infect the data files of computers and increasingly common Trojan horses, disguised programs that trick users or computers into running them for malicious purposes.

While e-mail might still be the preferred route for many virus attacks, last summer's MSBlast and other recent malicious programs have shown that in an increasingly connected world, the ill-intentioned will find other chinks in the armor of networks and computer operating systems.

By exploiting a hole in Microsoft Corp.'s Remote Procedure Call security, MSBlast and its variants were able to propagate themselves without hitching a ride on e-mail traffic ? and brought many networks to the brink of collapse as a result.

Another threat comes from spyware. This software, often inadvertently downloaded by users from the Web, installs itself onto computers often by posing as something useful. But while it may in fact function as advertised, it also sends a stream of information back to the spyware coder -- everything from what Web sites the user visits to a complete record of keystrokes.

Spyware also can be used to open back doors into systems, circumventing network security.

These threats are not easily taken on by traditional virus scanners, which look for signatures of known malicious software by checking files on a computer against a database that is updated weekly or monthly.

In fact, virus and Trojan authors can use virus scanners as a tool to help them modify their work to keep it from being detected, as the variants of the SoBig virus that brought e-mail servers worldwide to their knees last fall demonstrated.

Fortunately, there are tools available to fight the problems posed by spam, viruses and other e-malignancies. These products and services catch malware as it tries to enter the network, or patch the vulnerabilities that new bugs seek to exploit.

When used alongside traditional desktop virus protection, these tools provide "defense in depth," said Dave Cole, vice president of product management at Foundstone Inc., a network security systems provider.

Perhaps the most ambitious and effective method for dealing with viruses is to kill them before they even enter your mail system.

That's the approach MessageLabs takes: It routes e-mail destined for its clients through its own network operations centers, distributed around the world. The company's software screens messages for spam, viruses and possible Trojan horses before forwarding them to their destinations. So, customers don't have to dedicate storage on their own mail servers to unwanted messages.

Another approach is to catch things right at the doorstep. This can be done by scanning incoming messages for attached Trojans and executable programs, and blocking them without the need for a new virus signature. These programs stop messages that would slip through traditional virus checkers.

Such gateway e-mail protection systems typically are add-ons to messaging servers, or in some cases are messaging servers themselves. But they can offer a great deal of control over how you handle unwanted messages. You can put messages in quarantine if you like, send them all off to digital oblivion, or pick a combination of rules-based approaches to the problem.

The downside is that your bandwidth and storage have to deal with the load of unwanted and infected messages. In the case of a virus like SoBig or MyDoom, that load can be enough to seriously impede network performance, and quickly consume a great deal of disk space.

Even if your e-mail is scrubbed clean, there are a host of other avenues available for malware to find its way onto your network.

Web browsers offer hackers a host of ways to drop spyware or Trojans onto users' systems-especially browsers with well-known security vulnerabilities. And holes in operating systems themselves that have been publicly announced are also a gold mine for the creators of malware. MSBlast, for example, preyed on a vulnerability in Microsoft Windows that had been public for several months before the worm appeared.

In fact, MSBlast.A, the primary version of the bug that attacked Windows systems last summer, is still the most prevalent piece of maleficent code, according to SoftWin, the Romania-based developer of BitDefender.

In January, MSBlast was still atop SoftWin's Evil Top 10, a report of the most prevalent viruses and Trojans, despite the fact that fixes that can wipe the MSBlast bug out had been available for more than six months.

The right security appliances can take a big bite out of that problem. Security scanners can find the vulnerabilities in networked systems that leave them vulnerable to attack by worms.

Automated security systems can take information from those scanners and alert administrators to where the holes are and help plug them automatically. The vulnerability data can also be passed to some firewalls and security appliances, which can in turn stop communication over unguarded ports and catch viruses before they can be downloaded from the Web.

But in the end, there's still a big role for traditional, enterprisewide antivirus software. Viruses can still sneak in on a floppy disk, or even in a packaged software application. And the way things are going so far this year, it might help to stay a little bit paranoid.

Kevin Jonah, a Maryland network manager, writes about computer technology.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here

Washington Technology Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.


contracts DB