The "No Network is 100% Secure" series
- Computer Viruses -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What is a Computer Virus?: In its simplest form, a computer virus is unwanted software that gets onto a computer, often without the user's knowledge, and then executes arbitrary code on the host (infected) computer. Viruses frequently have the ability to replicate and to mask their presence. Many viruses can harm computers, and some can and do cause serious harm. Many viruses cause the infected computer to operate as a "bot", seeking to infect other computers inside your data center and elsewhere. Infected computers can be used to send out millions of SPAM e-mails and can be used to coordinate denial of service (DoS) attacks at the whim of the people who control the bot through its "back door". Viruses typically infect computers when a person opens an e-mail attachment that contains a virus. Viruses can also be downloaded unknowingly by visiting web sites hosted on compromised web servers. Depending on the virus type, the software typically tries to trick the user into clicking on a pop-up; the click activates the virus, which then propagates. Anti-virus software has varying degrees of effectiveness in preventing viruses from being downloaded and/or activated, largely because most products rely on signatures of viruses that have already been seen, so a new or freshly repackaged virus can pass undetected. Having anti-virus software installed on every computer in your network is no guarantee that computers in your charge won't become infected. However, deploying anti-virus software is the minimum required strategy for dealing with blatant virus attacks.
Viruses started out as something that anti-social techno-geeks with too much time on their hands created and deployed for amusement. These days, infecting computers with viruses is big business that represents substantial revenue for SPAMMERS, porn site operators, criminal organizations and others. It is unlikely that virus attacks will get anything but worse and more frequent any time soon. In fact, now that organized criminals are involved, virus attacks have become increasingly sophisticated and difficult to defend against. There are now viruses out there that are extremely difficult to remove from infected computers short of formatting the disk. Once little more than an annoyance, virus attacks now present a significant liability to business continuity and data integrity. Once again, IT Managers ignore the risks of virus attacks at their peril.
The types of viruses out there, their "payloads", how they operate, how they gain access to computers and how you get rid of them is a lengthy and detailed topic. Again, this white paper seeks to hit just the high points on this subject. Easyrider LAN Pro is a Systems and Network Engineering Consultancy that can audit your data center for vulnerabilities and can make recommendations on things IT Managers can do to reduce their exposure to risk. In many cases, implementing at least some of our recommendations can be done easily and inexpensively. Any reduction in risk can help delay the day that some clever hacker breaks into your network and does a lot of very embarrassing harm!
So what can I do about virus attacks without spending piles of money?: As mentioned earlier, installing a good quality anti-virus software product, anti-spyware software and a host-based (on-the-box) firewall are all good first steps in any network security plan. And once again, keeping virus attacks on the Internet side of your border router is the most effective strategy. User training and education is important, but even with training and AV software installed, it's just a matter of time before some user downloads a virus that winds up travelling through your data center like wildfire.
Many viruses communicate with their controllers ("call home") over non-standard TCP or UDP ports. Infected computers running bots can send non-stop pings (ICMP floods) at denial of service (DoS) targets. Others will send out tens of thousands of SPAM e-mails every hour. As discussed in the firewall white paper, an aggressive firewall deployment strategy and tight rules, including rules on outbound traffic, will at least confine the damage that infected computers can cause inside and outside your data center. If only the mail relay may speak SMTP and only the proxy may reach the web, a workstation that suddenly tries to do either is blocked, and the dropped connections in the firewall log are an early sign that it has been infected.
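The firewall log is only useful as an early warning if someone reads it. The following script is an added example, not part of the original white paper, of what that reading looks like: it parses iptables-style LOG lines written by an egress-deny rule and reports internal hosts whose blocked traffic matches the three behaviours described above (SMTP from a box that is not the mail relay, one non-standard port tried against many different destinations, a stream of echo requests at a single target). The log lines, host addresses, host roles and thresholds are all constructed for the example; the log format is the standard kernel LOG target output.

```python
import re
from collections import Counter, defaultdict

# Constructed roles and policy; in a real network these come from your inventory
# and from the egress rules themselves.
MAIL_RELAY = "10.1.0.25"          # the only host allowed to speak SMTP outbound
STANDARD_PORTS = {53, 80, 443}    # what an ordinary workstation may legitimately try

# iptables LOG lines carry SRC/DST/PROTO and either SPT/DPT (TCP, UDP) or TYPE (ICMP).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+)| TYPE=(?P<icmp_type>\d+))?"
)


def parse_line(line):
    """Return (src, dst, proto, dport, icmp_type) for a LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    icmp_type = int(m.group("icmp_type")) if m.group("icmp_type") else None
    return m.group("src"), m.group("dst"), m.group("proto"), dpt, icmp_type


def analyze(lines, min_distinct=5, min_pings=20):
    """Return {internal_host: [finding, ...]} for hosts whose dropped traffic looks bot-like.

    min_distinct: distinct destinations on one non-standard port before a host is
                  reported (scanning, or calling home to several controllers).
    min_pings:    echo requests at a single target before it counts as a flood.
    """
    smtp_targets = defaultdict(set)                      # src -> {dst}
    odd_port_targets = defaultdict(lambda: defaultdict(set))  # src -> dport -> {dst}
    echo_counts = Counter()                              # (src, dst) -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dpt, icmp_type = rec
        if proto == "ICMP" and icmp_type == 8:
            echo_counts[(src, dst)] += 1
        elif proto in ("TCP", "UDP") and dpt is not None:
            if dpt == 25:
                smtp_targets[src].add(dst)
            elif dpt not in STANDARD_PORTS:
                odd_port_targets[src][dpt].add(dst)

    findings = defaultdict(list)
    for src, dsts in smtp_targets.items():
        if src != MAIL_RELAY:
            findings[src].append(f"SMTP to {len(dsts)} external hosts from a non-relay (spam bot?)")
    for src, by_port in odd_port_targets.items():
        for dpt, dsts in sorted(by_port.items()):
            if len(dsts) >= min_distinct:
                findings[src].append(f"port {dpt} to {len(dsts)} distinct hosts (call-home or scan?)")
    for (src, dst), n in echo_counts.items():
        if n >= min_pings:
            findings[src].append(f"{n} ICMP echo requests at {dst} (ping flood?)")
    return dict(findings)


def _kern(src, dst, proto, **fields):
    """Build one constructed iptables LOG line in kernel syslog format."""
    tail = " ".join(f"{k}={v}" for k, v in fields.items())
    return (f"Mar 25 10:01:02 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=60 TTL=63 PROTO={proto} {tail}")


# Constructed sample log: one bot calling home on 6667 and spamming directly,
# one host flooding a target with pings, and two lines that must not be reported.
SAMPLE_LOG = (
    [_kern("10.1.2.15", f"203.0.113.{i}", "TCP", SPT=51000 + i, DPT=6667) for i in range(1, 7)]
    + [_kern("10.1.2.15", f"198.51.100.{i}", "TCP", SPT=52000 + i, DPT=25) for i in range(1, 4)]
    + [_kern("10.1.2.40", "203.0.113.9", "ICMP", TYPE=8, CODE=0, ID=77, SEQ=n) for n in range(25)]
    + [_kern("10.1.0.25", "198.51.100.7", "TCP", SPT=40000, DPT=25),    # the relay doing its job
       _kern("10.1.2.16", "192.0.2.5", "TCP", SPT=40001, DPT=8080),     # one-off, below threshold
       "Mar 25 10:01:03 fw sshd[412]: Accepted publickey for admin from 10.1.0.9"]
)

if __name__ == "__main__":
    for host, notes in sorted(analyze(SAMPLE_LOG).items()):
        print(host)
        for note in notes:
            print("   ", note)
```

Feed it the real log (for example `analyze(open("/var/log/kern.log"))`) and tune the two thresholds to your environment; the point is that the same egress rules that confine an infected host also tell you which host it is.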
It is a common misperception that all viruses gain access to computers through e-mail. While this is true for the majority of infections, e-mail is not the only infection vector. Visiting a rogue or compromised web site can also cause an infection, as can installing from infected removable media such as a floppy or CD-ROM. There have been many documented cases of vendor software distribution CD-ROMs that left the factory infected with viruses. Assuming that such products couldn't possibly be infected, IT staff installed a driver or another piece of software, and some virus then raced through the network, infecting every computer it came in contact with. This is why it is an important best practice to virus scan ALL removable media before doing ANYTHING with it, although I know of very few IT organizations that enforce this policy. Some IT groups do not allow users to have Administrator or even Power User rights on their own PCs, which does help keep at least some viruses from getting completely out of hand: code that runs without administrative rights cannot install drivers, services or system-wide hooks, so it has fewer ways to hide and to spread.
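"Scan before doing anything with it" also means "look before anything on it runs". The script below is an added example (not from the original paper) of a pre-use inventory of a mounted removable medium: it hashes every file so the disc can be matched against the vendor's published checksums later, reads autorun.inf to show what Windows would have launched on insertion, and uses the "MZ" magic at the start of every Windows executable to find programs hiding behind a document extension. The sample "vendor driver CD" is constructed in a temporary directory; in practice the function is pointed at the mount point. It is a triage step that complements a signature scanner, not a replacement for one: it says nothing about scripts, macros or non-Windows binaries.

```python
import hashlib
import os
import re
import tempfile

# Extensions Windows treats as directly executable (constructed, extend as needed).
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".pif"}
# autorun.inf keys that name a program to run when the medium is inserted.
AUTORUN_KEYS = re.compile(r"^\s*(open|shellexecute)\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path):
    """True if the file starts with the DOS 'MZ' stub that every Windows executable carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def autorun_targets(path):
    """Program(s) an autorun.inf would launch; Windows XP honoured these on CD insertion."""
    with open(path, "r", errors="replace") as f:
        return [m.group(2) for m in AUTORUN_KEYS.finditer(f.read())]


def inspect_media(mount_point):
    """Inventory a removable medium before anything on it is run.

    Returns {"manifest": {relative_path: sha256}, "findings": [str, ...]}.
    """
    manifest, findings = {}, []
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, mount_point).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
            ext = os.path.splitext(name)[1].lower()
            is_pe = looks_like_pe(full)
            if name.lower() == "autorun.inf":
                for target in autorun_targets(full):
                    findings.append(f"{rel}: would auto-launch {target!r} on insertion")
            if is_pe and ext not in EXEC_EXTENSIONS:
                findings.append(f"{rel}: Windows executable disguised with {ext or 'no'} extension")
            elif is_pe or ext in EXEC_EXTENSIONS:
                findings.append(f"{rel}: executable, scan before running")
    return {"manifest": manifest, "findings": sorted(findings)}


def build_sample_medium():
    """Create a constructed 'vendor driver CD' in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="vendor_cd_")
    os.makedirs(os.path.join(root, "drivers"))
    files = {
        "autorun.inf": b"[autorun]\r\nopen=setup.exe /quiet\r\nicon=setup.exe\r\n",
        "setup.exe": b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40,
        "readme.txt": b"Driver package 4.2.1\r\n",
        "drivers/netcard.sys": b"MZ" + b"\x00" * 100,        # a driver: executable, expected
        "drivers/release_notes.doc": b"MZ" + b"\x00" * 20,   # executable hiding behind .doc
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    report = inspect_media(build_sample_medium())
    for finding in report["findings"]:
        print(finding)
    for rel, digest in sorted(report["manifest"].items()):
        print(digest, rel)
```

The manifest is worth keeping: if the same disc is used on another machine months later, a changed hash is the quickest way to notice that the medium, or the copy of it, is no longer what the vendor shipped.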
Another inexpensive precaution to take is deploying a web proxy server. This can be done easily and there is a lot of very good proxy software out there that's free! There are other advantages to using proxy servers, such as the browsing performance boost gained by page caching. User web site visits can be easily monitored, so that if Users are spending an inordinate amount of work hours surfing the web or visiting questionable web sites, there is an audit trail available to use in a discussion with errant Users. Most proxy server software is rich in tools and capabilities that block viruses, dangerous sites, phishing attempts and so on. As an additional benefit, since all browsing is effectively being done by the proxy server, HTTP and HTTPS can be blocked pretty much everywhere else in the enterprise. One caveat: for HTTPS the proxy normally sees only the CONNECT request naming the destination host and port, not the page content, so blocking by destination still works but content scanning of encrypted sessions does not unless the proxy is configured to intercept them.
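What the audit trail actually gives you is shown by the following added example, which is not part of the original paper or of any proxy product. It reads Squid's native access.log format (timestamp, elapsed, client, result/status, bytes, method, URL, user, peer, content type), checks each destination against a domain blocklist, and produces a per-client summary: how many requests, how many the proxy denied, how many went to blocklisted domains (including ones that were allowed, which tells you the blocklist is not yet enforced), how many fell in working hours, and the client's most visited hosts. For HTTPS sessions only the CONNECT host:port is available, which is exactly the limitation described above. The log lines, client addresses, blocklist and working-hours window are constructed for the example, and timestamps are interpreted in UTC.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed blocklist; in practice a category feed or a local Squid ACL file.
BLOCKED_DOMAINS = {"malware-drop.example", "casino.example"}

# Squid native access.log: one request per line, fields separated by whitespace.
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return the record as a dict, or None for lines that are not Squid records."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"], d["status"], d["bytes"] = float(d["ts"]), int(d["status"]), int(d["bytes"])
    return d


def host_of(method, url):
    """Destination hostname. For CONNECT (HTTPS) the URL is only host:port,
    which is all the proxy ever sees of the encrypted session."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def in_blocklist(host):
    """Match the host and every parent domain, so cdn.malware-drop.example is caught."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts)))


def audit(lines, work_start=9, work_end=17):
    """Per-client summary of proxy activity; hours are UTC and half-open [work_start, work_end)."""
    summary = defaultdict(lambda: {"requests": 0, "denied": 0, "blocklist_hits": 0,
                                   "work_hours": 0, "hosts": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary[rec["client"]]
        s["requests"] += 1
        host = host_of(rec["method"], rec["url"])
        s["hosts"][host] += 1
        if rec["result"].startswith("TCP_DENIED") or rec["status"] == 403:
            s["denied"] += 1
        if in_blocklist(host):
            s["blocklist_hits"] += 1
        if work_start <= datetime.fromtimestamp(rec["ts"], tz=timezone.utc).hour < work_end:
            s["work_hours"] += 1
    return {c: {**v, "hosts": v["hosts"].most_common(3)} for c, v in summary.items()}


# Constructed sample: timestamps are 2009-03-25 10:00-10:03 UTC and 21:00 UTC.
SAMPLE_ACCESS_LOG = """\
1237975200.123    250 10.1.2.15 TCP_MISS/200 18432 GET http://news.example/index.html - DIRECT/192.0.2.10 text/html
1237975260.456     12 10.1.2.15 TCP_DENIED/403 3821 GET http://casino.example/spin - NONE/- text/html
1237975320.789    800 10.1.2.15 TCP_MISS/200 51200 GET http://cdn.malware-drop.example/update.exe - DIRECT/198.51.100.4 application/octet-stream
1237975380.001   1500 10.1.2.40 TCP_TUNNEL/200 20480 CONNECT bank.example:443 - DIRECT/203.0.113.5 -
1238014800.500    300 10.1.2.40 TCP_MISS/200 9000 GET http://news.example/late.html - DIRECT/192.0.2.10 text/html
this line is not a squid record and is skipped
"""

if __name__ == "__main__":
    for client, s in sorted(audit(SAMPLE_ACCESS_LOG.splitlines()).items()):
        print(client, s)
```

In the sample, 10.1.2.15 shows two blocklist hits but only one denial: the casino request was refused by the proxy, while the executable download from a blocklisted domain was served with a 200. That gap between "on the blocklist" and "actually denied" is the first thing to fix once the proxy is in place.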
Another thing worth considering is moving Users from Internet Explorer to Mozilla Firefox. Or at least giving them the option to do so. IE has always been a magnet for hackers, mostly because there are so many "dumb (non-technical) users" running it. Exploiting IE is often "easy pickings" for hackers, especially if the target user is not diligent about keeping up with patches and security updates. Microsoft products are frequently under sustained attack from new exploits even before a CERT bulletin is issued. Not so much with non-Microsoft products, primarily because these have much smaller installed bases and therefore are much less juicy as targets. Firefox has quite a few security provisions built into the core product (which is free). Plus, there is an ever-growing list of nifty plug-ins available to add on to Firefox. Again, an easy and essentially free option that could offer substantial security benefits. Switching browsers does not remove the need to patch, however: Firefox and its plug-ins have had serious vulnerabilities of their own, and whichever browser is deployed has to be kept current.
However, having said all of that.... I am a VERY knowledgeable, extremely cautious Computer Engineer who is suspicious of even Verisign certified sites and downloads. I run ZoneAlarm, AVG anti-virus software and Microsoft Defender as well as the Firefox web browser with every security plug-in known to man. I have a WEP-encrypted wireless network with a wireless router that also has firewall capabilities. But even with all of that, I recently had a Zlob trojan virus download onto my Windows XP SP3, 100% up-to-date (patch-wise) PC by visiting a web site that was apparently compromised. I was smart enough to kill the popup using the task manager and not by being suckered into clicking "cancel" or the close button (which would have instantly installed, deployed and propagated this VERY destructive trojan), but.... this recent event underscores the fact that even if you do everything possible to protect your network, you are still just one mis-step away from disaster. And if you haven't done everything possible to protect your enterprise (which is the case with almost all of the data centers I have visited), well.... you're just asking for judgment day, in my opinion.
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.
Next in the security white paper series:
How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
High value sites recent hacks
Firewall White Paper
GhostNet White Paper
Password White Paper
Digital Identification Certificates White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Phishing White Paper
DNS Poisoning White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourced IT White Paper
Easyrider LAN Pro Consulting services:
Network Security Audit and PC Tune-up service
- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting
Last modified March 25, 2009
Copyright 1990-2010 Easyrider LAN Pro