
Are anti-virus vendors losing the battle?

The virus onslaught is growing stronger by the day and harder to protect against with single-point solutions, forcing businesses to re-evaluate their network strategies.
By Alastair Otter, Journalist, Tectonic
Johannesburg, 05 Nov 2001

"Anti-virus protection is no longer just a case of buying a software package," says Mike Dalton, VP of SMB Sales for anti-virus vendor McAfee. It is a marketing line one has come to expect from companies eager to sell business a range of services, but in this case it hides an ominous reality.

The truth is that businesses and home users are starting to buckle under the pressure of an ever-escalating virus onslaught that is becoming increasingly difficult to predict and even harder to prevent. It is a battle that even those in the anti-virus market agree they can't win - a difficult confession from an industry that exists solely to secure clients' systems and information.

No one is immune. And being on the other side of the globe from the acknowledged IT hub of the world does little to protect South African business from the threat of malicious code as the recent Code Red and Nimda attacks demonstrated. The potential of viruses knows no boundaries and keeps no time.

Anti-virus protection is no longer just a case of buying a software package.

Mike Dalton, VP of SMB Sales, McAfee

It's hard to quantify exactly how big and dangerous the threat is, but industry figures go some way to illustrating its growth. One such collection of figures is that released by the CERT Coordination Centre (CERT/CC statistics 1988 - 2001), one of the more influential reporting centres.

In 1988, CERT reported a total of six virus incidents - a figure that topped 130 the following year. Almost doubling every year in the early 1990s, the incidents rose to more than 2 000 in 1994 and over 3 500 in 1998, culminating with almost 10 000 in 1999. The exponential growth continued in 2000 with more than 21 000 virus incidents, and 2001 has already proven to be a bumper year with more than 35 000 incidents reported in the first three quarters of the year. These incident reports are from only one monitoring centre, but are illustrative of the rapid growth in viruses.

Dalton says that over 500 new viruses are reported every month, and he suggests that this is not about to slow down. If anything, we can expect a great deal more in the coming months and years. It is a frightening prospect for companies that have come to rely on the Internet for the business opportunities it offers.

Quick fix?

There is no silver bullet in the virus war, says Bryce Thorrold, systems engineering manager at Symantec South Africa. He agrees with Dalton that the fight has gone beyond the simple anti-virus software package. Integrated multi-level approaches are fast becoming the only defence against the onslaught, he says.

No matter whether you talk of "managed services" or "integrated defence", the message is clear: a comprehensive strategy that includes everything from intrusion detection and content filtering, to firewalls and anti-virus software is the only way to defeat this particular enemy. This 24-hour "war" requires a sophisticated and all-embracing response.

There is no silver bullet in the virus war.

Bryce Thorrold, systems engineering manager, Symantec South Africa

Buying a software package is the easiest, and the cheapest, part of the equation, says Dalton. "On average, the amount of money spent by companies on virus protection software amounts to just 20% of the overall expenditure on virus protection and recovery." The other 80%, he says, is spent on managing the software, ensuring all users are up to date with the latest virus definitions, and recovering from virus attacks.

Virus overview

Viruses have been around almost as long as computers. They may not always have been as malicious as they are today, nor as virulent, but they do have a long history. The first recognised virus activities were found on mainframes as early as the 1960s and were known as "rabbits".
The first true PC virus was called "Brain" and was created by two Pakistani brothers in 1986. The brothers, who sold software, wrote the virus to track piracy of their products. It was a boot sector virus that replicated itself on 369Kb disks, and it quickly spread beyond the borders of Pakistan and into computing legend.

"Security is not a core competency in most companies," says Dalton. Keeping security software up to date is a time-consuming job, and often one that is neglected, he adds.

The best defence

What makes a virus different to a regular program?

The primary difference between a virus and a standard program is that viruses are designed to self-replicate, most often without the knowledge of the user. Viruses generally also include a "payload" that can range in variety from a simple message or pattern to a complete format of a hard drive or even more permanent damage.
Initially viruses were transported through floppy disks or other swappable storage mediums. Today the bulk of viruses are replicated through the Internet using e-mail or, more recently, through Web servers and Web sites.
The three main types of viruses are macro viruses, boot viruses and parasitic viruses. These are general types that describe general characteristics and replication patterns.
Macro viruses are the most prevalent of viruses for the simple reason that they require little more than a better-than-average knowledge of standard applications that include the ability to execute "macros". Macros are automated program commands found in applications such as Word and Excel. Macro viruses are activated by opening files that include macros and are able to replicate themselves by infecting other documents opened by the infected program.
Boot sector viruses account for around 20% of the viruses reported and affect the startup programs on a user's computer. Boot sector software is the first software that is loaded by a computer. If this is infected with a virus, the entire computer can be rendered useless. Boot sector viruses have to be loaded at startup time and have no effect once a computer is running.
The third, and often more sophisticated, type is the parasitic virus, which attaches itself to program executable files. Executables are the files used to launch applications or programs. Parasitic viruses are usually executed before the application and mask themselves by ensuring that the requested program is launched as normal. Once launched, these viruses are capable of installing, deleting and launching applications without the knowledge of the user. As with the other virus types, payloads can vary from annoying behaviour to highly destructive behaviour.

No matter how strong the attack was in the past, the future looks particularly bleak if the new wave of worms is anything to judge by. The latest worm to wreak havoc on the Internet was Nimda, which could be best described as a "blended" worm.

Nimda was so dangerous because it used not just one method of replication, but four, making it one of the fastest spreading worms of all time. While it could be described as a Windows worm, because it exploited a known vulnerability in Microsoft's IIS Web server, the worm also attacked other operating systems and Web servers.

In most cases, the sheer volume of the attacks brought many companies to their knees and many IT administrators reported hundreds or even thousands of attempts to access their servers every hour.

In "Computer Economics malicious code attack economic impact update - 31 August 2001", Computer Economics, a California-based research company, estimates the costs of the Nimda worm to be more than $500 million during its relatively short-lived lifespan of just a couple of days. The same report suggests that the total cost of virus attacks over the first half of 2001 amounts to around $10.7 billion through lost production, downtime and recovery procedures.

The cost of virus and worm attacks in the first half of 2001 amounts to $10.7 billion.

Computer Economics malicious code attack economic impact update, 31 August 2001, CERT/CC

Possibly the best defence against viruses is a technique known as heuristics, a methodology that uses "common sense" rules to predict the occurrence of viruses. In anti-virus software this equates to making rules out of known virus behaviours and applying them to new situations to detect likely malicious code activity. Simply put, any program that acts like a virus is treated as such and quarantined for inspection. It is an inexact science, and can often end in false results and dead ends, but it does go a significant way to breaking the back of the virus onslaught.
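The rule-based approach described above, as an added example that is not from the article or from any vendor's product: behaviours the article associates with viruses and worms are given constructed suspicion weights, a program's observed behaviours are scored against them, and the total decides whether it is quarantined for inspection. The rules, weights, threshold and sample programs are all assumptions; the third sample shows the false positive the paragraph warns about.

```python
# Added example (not from the article or any vendor's engine): a toy
# behaviour-based heuristic scanner. Rules and weights are constructed.
from dataclasses import dataclass, field

# Behaviours the article links to viruses and worms, each with a constructed
# suspicion weight. None of them is conclusive on its own.
RULES = {
    "writes_boot_sector": 5,             # boot sector viruses
    "modifies_other_executables": 4,     # parasitic viruses infecting EXE files
    "macro_copies_to_other_docs": 4,     # macro viruses spreading via documents
    "runs_own_smtp_server": 4,           # mass-mailing through a built-in SMTP engine
    "scans_network_for_web_servers": 4,  # Nimda-style scanning for IIS servers
    "creates_open_share": 3,             # worm opening network shares
    "creates_admin_account": 5,          # worm adding a privileged guest account
    "modifies_many_files": 2,            # weak: backup and install tools do this too
}
QUARANTINE_THRESHOLD = 8  # constructed cut-off; lowering it trades misses for false alarms


@dataclass
class Verdict:
    name: str
    score: int = 0
    matched: list = field(default_factory=list)
    quarantined: bool = False


def assess(name: str, observed_behaviours: list) -> Verdict:
    """Score one program's observed behaviours against the rule table.
    Behaviours not covered by a rule are ignored; the program is quarantined
    for inspection once the accumulated score reaches the threshold."""
    v = Verdict(name=name)
    for behaviour in observed_behaviours:
        weight = RULES.get(behaviour)
        if weight is not None:
            v.score += weight
            v.matched.append(behaviour)
    v.quarantined = v.score >= QUARANTINE_THRESHOLD
    return v


# Constructed observations for three programs.
SAMPLES = {
    # worm-like: mails itself out, infects executables, opens a share
    "mailer_worm.exe": ["runs_own_smtp_server", "modifies_other_executables",
                        "creates_open_share"],
    # benign backup tool: only the weak rule fires
    "backup_tool.exe": ["modifies_many_files"],
    # legitimate patch deployment tool: patches executables and inventories
    # web servers, so it scores like a worm (a false positive)
    "patch_deploy.exe": ["modifies_other_executables",
                         "scans_network_for_web_servers"],
}


def scan_all(samples=SAMPLES) -> dict:
    return {name: assess(name, behaviours) for name, behaviours in samples.items()}


if __name__ == "__main__":
    for v in scan_all().values():
        print(f"{v.name:18} score={v.score:2} quarantine={v.quarantined} rules={v.matched}")
```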

However, as new worms become more sophisticated, the task becomes significantly harder as they operate through new and unexpected channels. "Ideally," says Dalton, "I would like to see a system that automatically filters out all harmful code, but I know it is not going to happen."

Keeping ahead of the game?

So are vendors doing a good job? Yes, says Neil Watson, financial director of local online IT company Digital Planet. "99% of viruses that come out are caught by the anti-virus software ... I suppose the anti-virus companies are doing a pretty good job in general," says Watson, whose company has been hit quite hard by recent worm attacks.

He notes that while most malicious incidents are covered by anti-virus software, there is always going to be the worm that gets through. Watson believes the battle against the onslaught has to be a "joint effort" between anti-virus vendors and system administrators. "At the end of the day it is up to the system administrators to make sure that systems are up to date."

At the end of the day it is up to the system administrators to make sure that systems are up to date.

Neil Watson, financial director, Digital Planet

As with most of the anti-virus players, Watson agrees that the weak spot in the defence lies with the users. He explains that there is no real responsibility on users when it comes to safe usage policies. "You can't really punish users for irresponsible use, but you can prevent them from causing harm."

Watson says many administrators will have to start looking at restricting the access that users have to important system resources if they hope to protect themselves adequately.

What is the difference between a virus and a worm?

A computer virus is designed to infect files and replicate itself throughout the computer. However, despite being able to replicate itself through the files on a single computer, it is not designed to spread itself to other computers. The spreading of viruses usually comes from the swapping of files using either disks or, most recently, e-mail. Documents e-mailed from person to person carry the virus and infect the files on the computer on which they land.
Worms, however, are designed to replicate themselves across and between networks, most often using e-mail, but more recently through sophisticated code that searches for similar vulnerabilities on the network to propagate themselves. The Nimda worm is the most recent, and most powerful, of this type of threat.

In the end, however, it is something that companies will have to learn to live with, he says. "Viruses are a fact of life. I suppose we have to learn to live with it. You have got to expect it but you still have to be careful."

He notes that when Digital Planet first set up more than a year ago, it didn't even think about having a firewall. "Now you can't survive without one."

Software responsibility, choosing the right platform

If you're in the business of supplying software and services, the dynamics are very different. Someone like Richard Firth, CEO of software development company MIP Holdings, is more than aware of the responsibility that rests on companies such as his to not introduce vulnerabilities into a client's network.

Blended attacks: The new frontline of the virus wars

As the Internet grows in popularity so too do the viruses and worms that take advantage of the increased connectivity to wreak havoc around the globe within just hours of their launch. Now there is a new strain of worm that has emerged and is making even more disastrous and destructive forays into the world of business and home computing. Worms such as Nimda and Code Red take advantage of the sophistication of the Internet to employ new and varied propagation methods.
This summary of a white paper from Symantec titled "Responding to the Nimda Worm: Recommendations for addressing blended threats" outlines the threat that these new worms pose to Internet security:
Nimda is a worm. What makes it different from other Internet worms is that it requires no human interaction to spread, instead using software vulnerabilities and multiple methods of infection.
Instead of the usual single method of propagation, Nimda has no less than four methods of replicating itself across networks:
1. Systems affected by the worm scan other networks for unpatched Microsoft Internet Information Servers (IIS). When a target is found, Nimda gains control of the server using a specific exploit, or vulnerability.
2. Nimda is also able to propagate through e-mail. It harvests addresses from a host machine and then sends e-mail to new victims through its own SMTP server. It replaces the "From" field in the e-mail with a random address from the address book thus hiding its location. When the worm arrives in a new e-mail box, it can be activated by merely previewing the message.
3. Visitors to compromised servers are prompted to download a file in Outlook Express format which contains the worm.
4. Nimda attacks hard disks that have file sharing enabled. The worm creates open network shares, allowing access to the computer. During this process the worm creates a guest account with administrator privileges.
One of the major side effects of Nimda is that it causes localised denial of service conditions on networks with infected machines. This is largely the result of network scanning and the extra e-mail traffic generated by the worm.
Using multiple propagation methods, these new worm strains are proving harder to detect and faster spreading than previous worms. Code Red is a similar blended threat, attacking Web servers and leaving behind Trojan programs for later use. Because Code Red is processed in memory instead of on disk, it often escapes detection by anti-virus software.
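The scanning traffic described in the sidebar, and the hundreds of access attempts per hour that administrators reported, leave a trace in ordinary web-server logs. As an added example that is not from the article or from Symantec, the script below parses constructed Common Log Format lines and flags any source that exceeds a per-hour request threshold while receiving mostly error responses; the threshold, the error-ratio assumption (probing for unpatched servers mostly hits paths that do not exist) and the sample log are all assumptions.

```python
# Added example (not from the article or from Symantec): flag sources that hit
# a web server at scanning volumes, using constructed Common Log Format lines.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed log excerpt: 10.0.0.5 requests 300 different, non-existent paths
# within one hour and gets 404s; 10.0.0.9 is an ordinary visitor.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [18/Sep/2001:10:{i % 60:02d}:00 +0200] "GET /probe{i} HTTP/1.0" 404 0'
     for i in range(300)]
    + ['10.0.0.9 - - [18/Sep/2001:10:05:00 +0200] "GET /index.html HTTP/1.1" 200 1234',
       '10.0.0.9 - - [18/Sep/2001:10:06:00 +0200] "GET /about.html HTTP/1.1" 200 987']
)


def parse(line):
    """Return (source, hour bucket, status) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["src"], ts.replace(minute=0, second=0), int(m["status"])


def find_scanners(log_text, per_hour=200, min_error_ratio=0.5):
    """Return {src: (hour, requests, error_ratio)} for every source that made
    more than per_hour requests in some hour with at least min_error_ratio of
    them answered by a 4xx/5xx status (assumed to indicate probing)."""
    counts = defaultdict(lambda: [0, 0])  # (src, hour) -> [requests, errors]
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        src, hour, status = parsed
        counts[(src, hour)][0] += 1
        if status >= 400:
            counts[(src, hour)][1] += 1
    flagged = {}
    for (src, hour), (n, errors) in counts.items():
        ratio = errors / n
        if n > per_hour and ratio >= min_error_ratio:
            flagged[src] = (hour, n, ratio)
    return flagged


if __name__ == "__main__":
    for src, (hour, n, ratio) in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} requests in hour starting {hour:%H:%M}, error ratio {ratio:.2f}")
```

Flagged sources are candidates for blocking at the firewall or for checking whether the traffic was in fact a worm looking for unpatched servers; benign crawlers can also trip a rate rule, so the thresholds need tuning per site.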

"It is one of the main reasons that we don't implement a full Microsoft solution for our clients," he says, noting that currently most of the virus activity is centred on the Microsoft platform. Instead, Firth explains, he prefers to recommend that clients use Unix-based machines for their back-end requirements, as there are barely any known viruses for the Unix system.

"The Microsoft boom took place before viruses became an issue - in the days when viruses were spread using floppy disks." The increase in Internet connectivity, Firth says, has changed this forever. Like Watson, he agrees "there is no way of stopping a virus attacking your network. The only way is to stay away," alluding to his preference for Unix-based back-end systems.

Home is where the virus is

Useful links

Computer Economics malicious code attack economic impact update - 31 August 2001: www.computereconomics.com/cei/news/codered.html
Virus-related statistics: www.securitystats.com
An excellent virus encyclopedia including an English copy of Eugene Kaspersky's "Computer Virus" book: www.viruslist.com
Chekmate anti-virus Web site including paper and documents on virus statistics: www.chekware.com
CERT/CC statistics 1988 - 2001: www.cert.org/stats/cert_stats.html
Symantec security response site, featuring white papers in PDF format and advisories: www.sarc.com
McAfee home page: www.mcafee.com
Home of DRSASaP managed security services: www.drsasap.co.za
Symantec home page: www.symantec.com
Sophos anti-virus, including articles on security: www.sophos.com
Information on active viruses with papers on virus technology: www.wildlist.org
The Virus Bulletin, including prevalence tables: www.virusbtn.com
Combined virus statistics from Virus Bulletin and Wildlist in graph form: www.smimmer.org/morton/vstat.html

It's not just large corporations that are suffering the brunt of the virus onslaught; as home users spend more time online they become easier targets for infection. Unlike companies that often have skilled staff on hand, home users are still largely ignorant of the risks.

Thorrold points out that as systems become easier to use, more people are installing software, such as Web servers, that open them up to attack without having the requisite knowledge to protect against infection. At worst, these users may even unwittingly aid the propagation of worms such as Nimda.

"ISPs [Internet service providers] need to assume a larger responsibility when it comes to protecting users against viruses," he says. "Everyone is doing something but they could be doing a lot more."

ISPs need to assume a larger responsibility when it comes to protecting users against viruses.

Bryce Thorrold, systems engineering manager, Symantec South Africa

The issue is a sticky one and raises the spectre of privacy infringements, on which Thorrold says it is a case of users deciding "how seriously they take their security". More than posing a threat to themselves, users are increasingly utilising mobile devices and laptops in both home and working situations, significantly upping the chance of transporting viruses between networks. It is a situation that is no doubt going to increase exponentially as wireless networks become ever more popular.

Stalemate?

It's highly probable that anti-virus vendors have no chance of defeating the malicious code onslaught, but this is not to say they are doing a bad job. It is, after all, hard to overachieve in an industry which is by nature reactive and which only gets attention when it fails to prevent outbreaks.

It's hard to overachieve in this industry.

Mike Dalton, VP for SMB Sales, McAfee

The message is clear: malicious code is not going away. If anything, the war is going to increase exponentially over the coming years and the only effective protection will be a network-wide security strategy.

As Thorrold says, there is no silver bullet in this war and the battle requires an integrated approach that covers every aspect of network security from intrusion detection and content filtering through to anti-virus software and firewalls. As a result, the trend in the industry is towards managed services and outsourcing - placing a company's security in the hands of a team of experts.

Security is not a core competency in most companies.

Mike Dalton, VP for SMB Sales, McAfee

Most companies are already offering these types of services and it is a safe bet that all will be offering them soon. If they don't, they will be out of business, says Thorrold, who believes that the next few years will see a whittling down of the anti-virus vendors as those with "incomplete solutions" fall by the wayside.

Companies may well have to learn to live with the threat, but they will also have to start managing their networks professionally and with skilled staffers if they hope to keep ahead of the game.

Glossary of terms

Back door: A feature built into programs to allow special privileges normally denied to users of the program. Back doors allow hackers or viruses to repeatedly re-enter the computer without the user's knowledge.

Boot sector: Area located on the first track of a disk that contains the boot record.

Bug: An unintentional fault in a program that causes results the programmer never intended.

Cavity virus: A virus that overwrites part of its host file without increasing the file size or compromising the file's functionality.

Cookie: Blocks of text placed on a user's hard drive and used by Web sites to identify users when they visit. Cookies include information such as registration information, shopping histories and user preferences.

Denial of service (DoS): An attack designed to disrupt the normal service offered by a system. Most often involves flooding the target system with requests, overloading the system to a point at which normal service is disrupted.

EXE file: An executable file usually executed by double clicking an icon or by entering the name of the program at a command prompt. Executables can also be executed by other programs, batch files or scripts.

File Allocation Table (FAT): A list of all files on the computer stored in the boot sector of the disk. Used in earlier Windows versions and MS-DOS. If the FAT is damaged, the operating system may not be able to locate files on the disk.

File viruses: File viruses usually attach themselves to COM and EXE files, but can infect a range of other files, including SYS, BIN and DRV files.

Firewall: A firewall typically acts as a barrier between an internal and external network, protecting the internal network from direct contact with the external network or Internet. Software on the firewall analyses information passing between the internal and external network, and can be configured to reject anything that does not conform to its set of rules.

Heuristic analysis: Compares program behaviour with a known template of virus activities to identify potential viruses.

In the wild: A virus is considered to be "in the wild" if it is known to have infected a computer outside of a research facility.

Javascript: A scripting language that can run wherever there is a compatible script interpreter. Typically Web browsers include a Javascript interpreter. ASP scripts containing Javascript are potentially hazardous because they are often allowed unrestricted access to machine resources and applications.

Macro: A series of instructions designed to simplify repetitive tasks within a program such as Microsoft Word or Excel. Macros are mini-programs and can be infected by viruses.

Macro virus: A malicious macro attached to a document file.

Malware: A generic term used to describe malicious software such as viruses, worms and Trojan horses.

Payload: The destructive effects of a virus.

Polymorphic virus: These viruses create modified copies of themselves as a way to avoid detection by anti-virus software, so the same virus may look completely different on different systems and in different files.

Stealth virus: Stealth viruses conceal their existence to anti-virus software. Usually they intercept disk access requests to provide the anti-virus software with a "clean" image.

Trojan horse: A malicious program that pretends to be a benign application and does something other than what the user intends. Trojan horses are not viruses since they do not replicate but can be just as destructive.

Visual Basic Script (VBS): A programming language that can invoke system functions such as launching and closing programs. VBS files can be embedded in HTML pages on Web sites to provide enhanced interaction but they can also be used with malicious intent.

Virus hoaxes: Not real viruses but deliberate e-mail messages warning people of a supposed virus. Although not directly harmful, they can often cause as much trouble as viruses through the amount of e-mail they generate.

Worm: Parasitic computer programs capable of replicating across and between networks. Worms can create copies on the same machine or other machines on connected networks. Worms usually spread through e-mail or Internet Relay Chat.

Zoo virus: A zoo virus is in a controlled situation such as a research laboratory and has not infected a real world computer system.
