Vigilance is rule as viruses keep up attack
The right antivirus software can help deflect assaults
- By John McCormick
- Mar 31, 2005
The past year has seen unprecedented consolidation in the IT security field, especially in the antivirus business, where big companies have gobbled up innovative small companies.
On one hand, you have fewer products to choose from. On the other, the remaining programs have more tools and features.
There are several categories of antivirus software, and most agencies need to look at all of them. This guide addresses the broad category of antivirus software, which tackles three similar types of malware: viruses, Trojan horses and worms.
Wireless notebook PCs and personal digital assistants probably are most at risk. Laptops eventually will be connected to your network, so infections to them are a serious risk, even if the mobile units don't contain confidential information or aren't particularly important on their own.
An office that protects only devices hardwired to the network remains vulnerable to a wide variety of threats. Managing devices centrally is obviously the best option, but you must weigh the ability of enterprise tools to properly protect individual systems.
For example, should a user get updates directly from vendors or through the enterprise network? How well do the management tools work? Do they work at all for PDAs, notebook PCs and cell phones?
In evaluating an antivirus program, many managers overlook the fact that most programs will sample new viruses and send them to the vendor for analysis. That sounds like a great feature, but do you know if any confidential, even top-secret, data is embedded in that code segment?
The program must offer a way to let you either shut off this feature or review all code before approving transmission.
Of course, it's a good idea to be sure antivirus software has been tested, but before putting too much faith in an independent test, you need to know exactly what was tested and how, and what constituted a successful test in the eyes of the testers. For instance, in the past some tests were performed with live viruses while others weren't.
Most IT departments don't have the resources to test antivirus software, but at a minimum you should look for programs that have passed the ICSA Labs testing done by TruSecure Corp. of Mechanicsburg, Pa. See www.icsalabs.com for the most recent test results.
The infections that antivirus software looks for include:
- Boot sector malware, which hides in the basic control data for the operating system
- Executables, which are contained in or masquerade as .exe or other program files
- Macros, which usually are found in Microsoft Word .doc files or Excel files, because both programs have powerful and potentially dangerous macro language tools. A simple fix is to set all computers to default to .rtf file format for Word
- VB worms, which are viruses based on Visual Basic code.
Viruses sometimes are categorized by how they disguise themselves. This isn't exact, and many viruses use several techniques, but here are some of the more dangerous virus types:
- COM viruses. If you have a legitimate .exe file, a .com file with the same file name but containing a virus will execute first under MS-DOS.
- Polymorphic viruses. These transform themselves constantly to make it difficult to scan for a signature.
- Stealth viruses. These will try to hide, perhaps by killing off antivirus processes.
- Date or random-event viruses. Some viruses are always attacking; date or random-event viruses activate only under certain conditions.
- Armored viruses. These are difficult for antivirus engineers to disassemble.
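The COM-virus trick above relies on the MS-DOS command search order: a bare command name resolves to NAME.COM before NAME.EXE before NAME.BAT. The following script is an added example, not part of the article, that shows that resolution order and walks a directory tree flagging any .com file that shadows a .exe of the same name, which is the tell-tale sign of a companion infection. The directory layout it builds is constructed sample data.

```python
# Added example (not from the article): defender-side check for the MS-DOS
# "companion virus" pattern. COMMAND.COM runs NAME.COM before NAME.EXE, so a
# stray .com sitting beside a legitimate .exe is worth flagging for review.
import os
import tempfile
from pathlib import Path

DOS_SEARCH_ORDER = (".com", ".exe", ".bat")  # COMMAND.COM precedence for a bare name


def resolve_dos_command(directory, name):
    """Return the file MS-DOS would run for the bare command `name`, or None."""
    directory = Path(directory)
    for ext in DOS_SEARCH_ORDER:
        candidate = directory / (name + ext)
        if candidate.is_file():
            return candidate
    return None


def find_companion_pairs(root):
    """Walk `root`; list every (NAME.COM, NAME.EXE) pair found in one directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}  # lower-cased stem -> {lower-cased ext: original filename}
        for f in files:
            stem, ext = os.path.splitext(f)
            by_stem.setdefault(stem.lower(), {})[ext.lower()] = f
        for stem in sorted(by_stem):
            exts = by_stem[stem]
            if ".com" in exts and ".exe" in exts:
                hits.append((os.path.join(dirpath, exts[".com"]),
                             os.path.join(dirpath, exts[".exe"])))
    return hits


def build_sample_tree():
    """Create a constructed sample tree: one shadowed tool, two harmless files."""
    root = tempfile.mkdtemp(prefix="dos_scan_")
    for rel in ("tools/edit.exe", "tools/EDIT.COM", "tools/format.com", "games/doom.exe"):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample, not a real program")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for com, exe in find_companion_pairs(sample):
        print(f"possible companion virus: {com} shadows {exe}")
```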
The types of attacks also are always evolving. 2004 was the year of the phishing attack, which doesn't pose as much of a threat to government agencies as it does to individuals, because it usually targets financial information. But phishing could be turned against a secure network in an attempt to capture log-on credentials.
Despite all the media play that phishing and spam deservedly got, viruses had a banner year in 2004. Multiple viruses made the rounds, then started around again in just a few weeks, with new variants popping up each time a virus was stamped down.
It is clear to those who watch these things hourly that the initial virus often is rather weak but has some effect, while others are ready and waiting to be released as soon as the antivirus vendors produce a signature file to combat the previous one. There are also copycats.
Safe e-mail services, such as www.messaglabs.com, maintain statistics on virus infections.
Of 147 billion messages passing through its servers in 2004, 6 percent carried a virus. The peak was April through June 2004, when the average was nearly 10 percent, but even in November the tally was still 3 percent.
This is a common pattern, so look for virus attacks to surge again in the warmer months.
Viruses, once the creation of misguided students or vandals, today often carry a payload turning infected systems into spam servers. This commercial side of viruses is relatively new, and it means the infection is less likely to cause obvious damage to your system. But these also are likely to be far more sophisticated.
John McCormick is a freelance writer and computer consultant. E-mail him at firstname.lastname@example.org.