Viruses, Trojans and Bots, oh My
Ron McCellan, CISSP, NSA-IAM
Did 15-year-old Richard Skrenta know what he was starting over 25 years ago when he wrote "Elk Cloner"[1]? Probably not; he was just a kid with a good sense of humor who wanted to play a joke on his friends. While the Mac community has long touted that it is more secure than the PC market, Elk Cloner was written on and for the Apple II. Who would have thought that, past the silver anniversary of the first personal-computer virus, we would be dealing with multiple new viruses appearing almost daily? What started as a mere annoyance to his friends has evolved into a major security risk that we have to deal with each and every day.
With over 10,000 viruses known to exist, that averages out to more than 33 new viruses or variants per month over the past 25 years, and the International Computer Security Association now reports that over 200 a month are being produced.
As the virus has evolved greatly over the years, so has the delivery method. One of the latest is the malicious IFrame, delivered through compromised web servers: not defaced, just compromised. There is a major difference here. A defacement is aimed at changing the visible content of the site, while a compromised box can look exactly the same as before but have some of its links or pages altered, typically by inserting a hidden IFrame, so that unsuspecting users are silently redirected to other malicious websites hosting drive-by exploits. What appears to the user as a simple pause while waiting for the page to load is actually the window of time in which the attacker's JavaScript is fetched and run in the background. While you continue to surf the Internet, that script exploits a browser or plug-in vulnerability, downloads and installs a Trojan or rootkit (exploit kits such as MPack package this whole chain for the attacker), and you could become the unwilling accessory to a denial-of-service attack or worse. Trend Micro reported that in one attack of this type as many as 10,000 websites fell victim and were redirecting their users.
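To make the mechanism concrete, here is an added example (not code from the original article) of the kind of check a site owner can run against their own pages to spot the injection described above: it parses a page and reports any IFrame that is hidden (zero or tiny size, display:none, pushed off-screen) or that loads content from a host other than the site's own. The sample HTML and every host name in it (www.example.org, evil.invalid, ads.example.net) are constructed placeholders.

```python
"""Spot hidden or off-site <iframe> injections in a web page.

Added example, not from the original article; standard library only.
The SAMPLE_PAGE below and every host name in it are constructed
placeholders (evil.invalid uses the reserved .invalid TLD).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that makes an element invisible: display:none, visibility:hidden,
# or a position pushed hundreds of pixels off the visible area.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:top|left)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)


def _dimension(value):
    """Parse a width/height attribute ('0', '1px', '100%') into an int, or None."""
    if not value:
        return None
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else None


def hidden_reason(attrs):
    """Return why an element is invisible to the reader, or None if it is shown."""
    width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if width == 0 or height == 0:
        return "zero width/height"
    if width is not None and height is not None and width * height <= 4:
        return "tiny frame (%dx%d)" % (width, height)
    if HIDDEN_CSS.search(attrs.get("style") or ""):
        return "hidden by CSS"
    if "hidden" in attrs:
        return "hidden attribute"
    return None


class IframeAuditor(HTMLParser):
    """Record every <iframe> that is hidden or that loads a third-party host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)  # valueless attributes (e.g. "hidden") map to None
        src = attrs.get("src") or ""
        # A relative src stays on the site; an absolute one names its own host.
        host = (urlparse(src).hostname or self.site_host).lower()
        finding = {
            "src": src,
            "host": host,
            "hidden": hidden_reason(attrs),
            "third_party": host != self.site_host,
        }
        if finding["hidden"] or finding["third_party"]:
            self.findings.append(finding)


def audit_page(html, site_host):
    """Return the suspicious iframes in `html`, in document order."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate same-site embed, an injected hidden frame,
# and a visible third-party banner that deserves a look but is not proof of compromise.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome to our scenery gallery</h1>
<iframe src="/video/embed?id=42" width="480" height="270"></iframe>
<p>Pretty pictures below.</p>
<iframe src="http://evil.invalid/in.php" width="0" height="0" style="display:none"></iframe>
<iframe src="http://ads.example.net/banner" width="300" height="250"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE, "www.example.org"):
        flag = "HIDDEN" if f["hidden"] else "visible"
        print("%-8s third-party=%-5s %s (%s)" % (flag, f["third_party"], f["src"], f["hidden"] or "off-site"))
```

A hidden frame is a strong signal; a visible third-party frame is only a lead, since advertising and video embeds legitimately cross domains, so compare the flagged page against a known-good copy from backup or version control before acting. Note also that many injections are not a literal <iframe> but an obfuscated <script> that writes one at load time; this check catches only the plain form, and a scan from a clean machine should look at the scripts too.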
While anti-virus programs are good at stopping and in most cases preventing infections, they are not 100% dependable. In some cases the malware has been sophisticated enough to intercept the anti-virus software's alert to the operating system and keep you from ever being warned. So there are several signs that users should watch for to tell whether they are infected, such as:
- General slowness or lagging of your computer or programs
- Hard drives being accessed excessively for small tasks
- Unknown programs running on your system in Task Manager (Windows)
- System resource, memory or disk space use increasing for no reason
- Unexplained programs, files or executables, especially in the Windows Start-Up folder
If any of these occur, you should run a standalone version of your anti-virus, if the vendor provides one. Most professional anti-virus packages come with a bootable version that scans the disk before any malicious software on it has a chance to run. If you are using a free version or don't have the disk, there are bootable forensic CD images that let you boot into a Linux kernel and use programs such as ClamAV to check for problems (this is not recommended for the casual Windows user). If that doesn't work, or you don't feel comfortable with the freeware tools, it's time to call that geek buddy that everyone has. If all else fails, see rule #8 below and replace the word "backup" with "restore". Sometimes it's easier to save your critical files and reinstall than to spend countless hours trying to recover from a bad virus. When you do rebuild, copy back data files only; an executable saved from the infected machine can reinfect the fresh install.
In summary, it is best to do all that you can to prevent viruses before they happen, because it really is a race between the virus writers and the anti-virus companies to prevent massive outbreaks. As I have always heard, "Plan for the worst, expect the best," because it's hard to tell what form the simple computer virus will have taken by its golden anniversary.
Top Ten Ways "Not" to Get a Virus (a computer virus, that is):
10. Avoid e-mails from strangers, especially ones with attachments, even if they claim to be photos of Anna Kournikova.
9. Don't insert any strange disks (CDs, DVDs, floppies, flash drives, etc.).
8. Backup, Backup, Backup.
7. Disable macros in Word, Excel and PowerPoint.
6. Be careful while surfing; with over 10,000 sites seen recently with malicious IFrames, you just never know what you might find when looking for pretty "scenery" pictures.
5. Instant messaging, MySpace and other social networking sites are a dangerous playground, so remember that when you are chatting with friends you are also, in effect, chatting with everyone they have ever chatted with: the good, the bad and the ugly.
4. Install anti-virus software (AVG has a free personal version at http://free.grisoft.com/).
3. Scan all of your drives often.
2. When in doubt, delete first and ask questions later.
1. Update your AV daily.
[1] http://searchsecurity.techtarget.com
About the Author
Ron McCellan is a United States Army veteran and has served in military and contract support roles for the National Security Agency, Defense Information Systems Agency, INSCOM and NASA, supporting world-wide security efforts. He has an A.S. in Computer Programming from Hawaii Pacific University and B.S. degrees in Computer Science and Information Systems from University of Maryland, University College. He was an INFOSEC adjunct faculty member at the National Cryptologic School for NSA. He has over 20 years of experience in information security, vulnerability assessments, risk management and penetration testing. He is currently working for the US Courts system, monitoring and maintaining the WAN security networks for over 100 sites world-wide, including IDS/IPS, firewalls and web application security.