Malicious maladies multiply
Antivirus tools help computer doctors stay one step ahead of infections
- By Kevin Jonah
- Mar 04, 2004
Pundits often throw out the phrase "digital convergence" to describe how Internet and computing technologies are changing everything from television to telephone calls.
But there's another, somewhat less friendly digital convergence happening on the fringes of the technology world ? the merging threats of unsolicited e-mail marketing and malicious software.
Unsolicited e-mail, commonly known as spam, has grown so much in recent years that it now constitutes the majority of the message traffic that comes into many mail servers.
"The volume of spam is so high, we're intercepting 62 percent of mail coming into our customers as spam," said Michael Sunner, chief technology officer of MessageLabs Inc., an e-mail security company based in Gloucester, England, with U.S. headquarters in New York. MessageLabs' clients include the entire U.K. government.
With increasing frequency, this mail carries malware, or malicious software. This includes virus programs that infect the data files of computers and increasingly common Trojan horses, disguised programs that trick users or computers into running them for malicious purposes.
While e-mail might still be the preferred route for many virus attacks, last summer's MSBlast and other recent malicious programs have shown that in an increasingly connected world, the ill-intentioned will find other chinks in the armor of networks and computer operating systems.
By exploiting a hole in Microsoft Corp.'s Remote Procedure Call security, MSBlast and its variants were able to propagate themselves without hitching a ride on e-mail traffic ? and brought many networks to the brink of collapse as a result.
Another threat comes from spyware. This software, often inadvertently downloaded by users from the Web, installs itself onto computers often by posing as something useful. But while it may in fact function as advertised, it also sends a stream of information back to the spyware coder -- everything from what Web sites the user visits to a complete record of keystrokes.
Spyware also can be used to open back doors into systems, circumventing network security.
These threats are not easily taken on by traditional virus scanners, which look for signatures of known malicious software by checking files on a computer against a database that is updated weekly or monthly.
In fact, virus and Trojan authors can use virus scanners as a tool to help them modify their work to keep it from being detected, as the variants of the SoBig virus that brought e-mail servers worldwide to their knees last fall demonstrated.
Fortunately, there are tools available to fight the problems posed by spam, viruses and other e-malignancies. These products and services catch malware as it tries to enter the network, or patch the vulnerabilities that new bugs seek to exploit.
When used alongside traditional desktop virus protection, these tools provide "defense in depth," said Dave Cole, vice president of product management at Foundstone Inc., a network security systems provider.
Perhaps the most ambitious and effective method for dealing with viruses is to kill them before they even enter your mail system.
That's the approach MessageLabs takes: It routes e-mail destined for its clients through its own network operations centers, distributed around the world. The company's software screens messages for spam, viruses and possible Trojan horses before forwarding them to their destinations. So, customers don't have to dedicate storage on their own mail servers to unwanted messages.
Another approach is to catch things right at the doorstep. This can be done by scanning incoming messages for attached Trojans and executable programs, and blocking them without the need for a new virus signature. These programs stop messages that would slip through traditional virus checkers.
Such gateway e-mail protection systems typically are add-ons to messaging servers, or in some cases are messaging servers themselves. But they can offer a great deal of control over how you handle unwanted messages. You can put messages in quarantine if you like, send them all off to digital oblivion, or pick a combination of rules-based approaches to the problem.
The downside is that your bandwidth and storage have to deal with the load of unwanted and infected messages. In the case of a virus like SoBig or MyDoom, that load can be enough to seriously impede network performance, and quickly consume a great deal of disk space.
Even if your e-mail is scrubbed clean, there are a host of other avenues available for malware to find its way onto your network.
Web browsers offer hackers a host of ways to drop spyware or Trojans onto users' systems-especially browsers with well-known security vulnerabilities. And holes in operating systems themselves that have been publicly announced are also a gold mine for the creators of malware. MSBlast, for example, preyed on a vulnerability in Microsoft Windows that had been public for several months before the worm appeared.
In fact, MSBlast.A, the primary version of the bug that attacked Windows systems last summer, is still the most prevalent piece of maleficent code, according to SoftWin, the Romania-based developer of BitDefender.
In January, MSBlast was still atop SoftWin's Evil Top 10, a report of the most prevalent viruses and Trojans, despite the fact that fixes that can wipe the MSBlast bug out had been available for more than six months.
The right security appliances can take a big bite out of that problem. Security scanners can find the vulnerabilities in networked systems that leave them vulnerable to attack by worms.
Automated security systems can take information from those scanners and alert administrators to where the holes are and help plug them automatically. The vulnerability data can also be passed to some firewalls and security appliances, which can in turn stop communication over unguarded ports and catch viruses before they can be downloaded from the Web.
But in the end, there's still a big role for traditional, enterprisewide antivirus software. Viruses can still sneak in on a floppy disk, or even in a packaged software application. And the way things are going so far this year, it might help to stay a little bit paranoid. Kevin Jonah, a Maryland network manager, writes about computer technology.