The "No Network is 100% Secure" series
- Computer Viruses -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What is a Computer Virus?: In its simplest form, a computer virus is
unwanted software that is downloaded, often without the user's knowledge, and
then executes arbitrary code on the host (infected) computer. Viruses frequently
have the ability to replicate and to mask their presence. Many viruses harm
the computers they infect, and some cause serious harm. Many turn the infected
computer into a "bot" that seeks to infect other computers inside your data
center and elsewhere. Infected computers can be used to send out millions of
SPAM e-mails and to coordinate denial of service (DoS) attacks at the whim of
whoever controls the bot's "back door". Viruses most often infect computers when
a person opens an e-mail attachment that carries the virus. They can also be
unknowingly downloaded by visiting web sites whose servers have been compromised.
Depending on the virus type, the software typically tries to trick the user into
clicking on a pop-up that then activates and subsequently propagates the virus.
Anti-virus software varies in how effectively it prevents viruses from being
downloaded and/or activated. Having anti-virus software installed on every
computer in your network is no guarantee that computers in your charge won't
become infected. However, deploying anti-virus software is the minimum
required strategy for dealing with blatant virus attacks.
Viruses started out as something that anti-social techno-geeks with too much
time on their hands created and deployed for amusement. These days, infecting
computers with viruses is big business that represents substantial revenue for
SPAMMERS, porn site operators, criminal organizations and others. It is unlikely
that virus attacks will get anything but worse and more frequent any time soon.
In fact, now that organized criminals are involved, virus attacks have become
increasingly sophisticated and difficult to defend against. There are now viruses
out there that are extremely difficult to remove from infected computers
short of formatting the disk. Once little more than an annoyance, virus attacks now
present a significant liability to business continuity and data integrity.
Once again, IT Managers ignore the risks of virus attacks at their peril.
The types of viruses out there, their "payloads", how they operate, how they
gain access to computers and how you get rid of them make up a lengthy and
detailed topic. Again, this white paper seeks to hit just the high points on
this subject.
Easyrider LAN Pro is a Systems and Network Engineering Consultancy
that can audit your data center for vulnerabilities and can make recommendations
on things IT Managers can do to reduce their exposure to risk. In many cases,
implementing at least some of our recommendations can be done easily and
inexpensively. Any reduction in risk can help delay the day that some clever
hacker breaks into your network and does a lot of very embarrassing harm!
So what can I do about virus attacks without spending piles of money?:
As mentioned earlier, installing a good quality anti-virus software product,
anti-spyware software and a host-based (on-the-box) firewall are all good first
steps in any network security plan. And once again, keeping virus attacks on the
Internet side of your border router is the most effective strategy. User
training and education are important, but even with training and AV software
installed, it's just a matter of time before some user downloads a virus that
winds up travelling through your data center like wildfire.
Many viruses communicate with their controllers ("call home") over non-standard
TCP or UDP ports. Infected computers running bots can send non-stop pings at
denial of service (DoS) targets. Others will send out tens of thousands of SPAM
e-mails every hour. As discussed in the firewall white paper, an aggressive
firewall deployment strategy and tight firewall rules, including default-deny
egress filtering so that workstations can only reach the Internet on the handful
of ports they actually need, will at least confine the damage that infected
computers cause inside and outside your data center. The blocked connection
attempts that then show up in the firewall logs are also an early warning that a
host has been infected.
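The call-home, SPAM and ping-flood symptoms described above are all visible in outbound connection logs, so they can be caught even before a signature exists. The following is an added example (not part of the original white paper, and not any firewall vendor's tooling) that scores internal hosts against three assumed thresholds over a simplified, constructed flow-log format; the allowed egress ports, the 10.0.0.x internal prefix and the threshold values are illustrative policy choices, not facts from the paper.

```python
"""Flag internal hosts whose outbound traffic looks like bot behaviour.

Added example. Input is a constructed, simplified firewall/flow record,
one connection per line:  <epoch-seconds> <src-ip> <dst-ip> <proto> <dst-port>
Real firewall logs (iptables LOG, pf, NetFlow exports) differ; adapt parse_line().
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Ports a workstation is expected to use toward the Internet (assumed policy).
# Anything else outbound counts as "non-standard" and is tracked per destination.
ALLOWED_EGRESS_PORTS = {"tcp": {80, 443, 53}, "udp": {53, 123}}

# Per-window thresholds (assumed values; tune to what is normal at your site).
MAX_SMTP_CONNECTIONS = 50       # a workstation is not a mail server
MAX_NONSTD_DESTINATIONS = 5     # distinct (dst, proto, port) on odd ports
MAX_ICMP_PACKETS = 500          # ping flood toward a DoS target

INTERNAL_NET = "10.0.0."        # assumed internal prefix (toy string match)


@dataclass
class Verdict:
    host: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    ts, src, dst, proto, port = line.split()
    return int(ts), src, dst, proto.lower(), int(port)


def analyse(lines):
    """Return {host: Verdict} for internal hosts that exceed any threshold."""
    smtp = defaultdict(int)
    nonstd = defaultdict(set)
    icmp = defaultdict(int)
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        _, src, dst, proto, port = parse_line(raw)
        # Only internal -> Internet flows matter for this policy.
        if not src.startswith(INTERNAL_NET) or dst.startswith(INTERNAL_NET):
            continue
        if proto == "icmp":
            icmp[src] += 1
        elif proto == "tcp" and port == 25:
            smtp[src] += 1
        elif port not in ALLOWED_EGRESS_PORTS.get(proto, set()):
            nonstd[src].add((dst, proto, port))

    verdicts = {}
    for host in set(smtp) | set(nonstd) | set(icmp):
        v = Verdict(host)
        if smtp[host] > MAX_SMTP_CONNECTIONS:
            v.reasons.append(f"{smtp[host]} outbound SMTP connections (SPAM bot?)")
        if len(nonstd[host]) > MAX_NONSTD_DESTINATIONS:
            v.reasons.append(f"{len(nonstd[host])} destinations on non-standard ports (call-home?)")
        if icmp[host] > MAX_ICMP_PACKETS:
            v.reasons.append(f"{icmp[host]} ICMP packets (ping flood?)")
        if v.reasons:
            verdicts[host] = v
    return verdicts


def sample_log():
    """Constructed sample flows for one hour on a 10.0.0.0/24 LAN (not real traffic)."""
    lines = ["# ts src dst proto dport"]
    t = 1237989600
    # 10.0.0.5: ordinary browsing, a little legitimate mail, one odd port: stays clean
    for i in range(40):
        lines.append(f"{t + i} 10.0.0.5 93.184.216.{i % 4} tcp {443 if i % 2 else 80}")
    for i in range(3):
        lines.append(f"{t + i} 10.0.0.5 198.51.100.25 tcp 25")
    lines.append(f"{t} 10.0.0.5 203.0.113.7 tcp 8080")
    # 10.0.0.9: SPAM bot, 80 SMTP connections to 80 different mail servers
    for i in range(80):
        lines.append(f"{t + i} 10.0.0.9 203.0.113.{i} tcp 25")
    # 10.0.0.12: call-home to 7 controllers on IRC-range ports
    for i in range(7):
        lines.append(f"{t + i * 60} 10.0.0.12 192.0.2.{i + 1} tcp {6667 + i}")
    # 10.0.0.20: ping flood at one target (port field unused for ICMP)
    for i in range(600):
        lines.append(f"{t + i} 10.0.0.20 198.51.100.200 icmp 0")
    # internal-to-internal traffic is outside this policy and is skipped
    lines.append(f"{t} 10.0.0.12 10.0.0.1 tcp 445")
    return lines


if __name__ == "__main__":
    for host, verdict in sorted(analyse(sample_log()).items()):
        print(host, "->", "; ".join(verdict.reasons))
```

The obvious gap is a bot that calls home over TCP 443, which this policy treats as normal browsing; that is exactly why the proxy discussed below is useful, since it forces web traffic through a single choke point where destinations can be logged and denied.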
It is a common misperception that all viruses gain access to computers through
e-mail. While this is true for the majority of infections, e-mail is not the
only exploit method. Visiting a rogue or compromised web site can also cause
an infection, as can inserting infected removable media such as a floppy or
CD-ROM. There have been many documented cases of vendor software distribution
CD-ROMs that left the factory infected with viruses. Because people assumed that
such products couldn't possibly be infected, installing a driver or another piece
of software often resulted in a virus immediately racing through the network,
infecting every computer it came in contact with. This is why it is an important
best practice to virus scan ALL removable media before doing ANYTHING with it,
although I know of very few IT organizations that enforce this policy.
Some IT groups do not allow users to have Administrator or even Power User
rights on their own PCs. This does help: malware launched by an ordinary user
runs with that user's limited privileges and cannot install drivers or services,
disable the anti-virus software or overwrite system files, which keeps at least
some viruses from getting completely out of hand.
Another inexpensive precaution to take is deploying a web proxy server. This can
be done easily, and there is a lot of very good proxy software out there that is
free. There are other advantages to using proxy servers, such as the browsing
performance boost gained by page caching. User web site visits can be easily
monitored, so that if Users are spending an inordinate amount of work hours
surfing the web or visiting questionable web sites, there is an audit trail
available to use to have a discussion with errant Users. Most proxy server software
is rich in tools and capabilities that block viruses, dangerous sites,
phishing attempts and so on. As an additional benefit, since all browsing is being
done effectively by the proxy server, HTTP and HTTPS can be blocked pretty much
everywhere else in the enterprise, so an infected PC cannot simply bypass the
proxy and talk to the Internet directly. One caveat: for HTTPS a plain proxy only
sees the destination host of the CONNECT tunnel, not the page content, so unless
you terminate TLS on the proxy, HTTPS filtering is by destination rather than by
content, and the proxy's deny rules must be written to cover CONNECT requests as
well as ordinary GETs.
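The audit trail the paragraph above describes is only useful if someone reads it. The following added example (not part of the original white paper, and not Squid's own tooling) parses Squid's default native access.log format, summarises what each client visited, counts denied requests, and, as the check a practitioner would most want, flags any client that reached a denylisted host without being denied, which indicates a gap in the proxy's rules (for instance a CONNECT tunnel that the dstdomain rule did not cover). The log lines and the denylist are constructed for illustration.

```python
"""Audit a Squid access.log (native format) for denied requests and policy gaps.

Added example; not Squid's own tooling. Native format, one request per line:
  <unix-ts.ms> <elapsed-ms> <client-ip> <result>/<status> <bytes> <method> <url>
  <ident> <peer>/<peer-host> <mime-type>
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Hosts the proxy is supposed to deny (assumed list for illustration).
DENYLIST = {"malware-download.example", "phish-bank.example"}

# Constructed sample log lines (not captured from a real proxy).
SAMPLE_LOG = [
    "1237989600.123    120 10.0.0.5 TCP_MISS/200 5432 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1237989601.456     10 10.0.0.5 TCP_HIT/200 8192 GET http://www.example.com/logo.png - NONE/- image/png",
    "1237989610.000      5 10.0.0.7 TCP_DENIED/403 3412 GET http://malware-download.example/setup.exe - NONE/- text/html",
    "1237989620.000   2000 10.0.0.7 TCP_TUNNEL/200 45000 CONNECT phish-bank.example:443 - DIRECT/192.0.2.10 -",
    "1237989630.000     50 10.0.0.7 TCP_MISS/200 1200 GET http://news.example/ - DIRECT/198.51.100.4 text/html",
]


def parse_squid_line(line):
    """Split one native-format line into the fields the audit needs."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"malformed line: {line!r}")
    ts, _elapsed, client, result, size, method, url = fields[:7]
    code, status = result.split("/")
    # CONNECT requests log host:port rather than a URL; normalise to a hostname.
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return {"ts": float(ts), "client": client, "code": code, "status": int(status),
            "method": method, "host": host.lower(), "bytes": int(size)}


def audit(lines):
    """Aggregate per client: request count, bytes, sites, denials and policy gaps."""
    per_client = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0,
                                      "sites": Counter(), "allowed_denylisted": set()})
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_squid_line(raw)
        c = per_client[rec["client"]]
        c["requests"] += 1
        c["bytes"] += rec["bytes"]
        c["sites"][rec["host"]] += 1
        if rec["code"] == "TCP_DENIED":
            c["denied"] += 1
        elif rec["host"] in DENYLIST:
            # Reached a denylisted host and was NOT denied: the rules have a hole.
            c["allowed_denylisted"].add(rec["host"])
    return per_client


def summarise(per_client, top_n=3):
    """Produce the report an IT manager would actually look at."""
    report = {}
    for client, c in sorted(per_client.items()):
        report[client] = {
            "requests": c["requests"],
            "bytes": c["bytes"],
            "denied": c["denied"],
            "top_sites": c["sites"].most_common(top_n),
            "policy_gaps": sorted(c["allowed_denylisted"]),
        }
    return report


if __name__ == "__main__":
    for client, row in summarise(audit(SAMPLE_LOG)).items():
        print(client, row)
```

Run against a real access.log, a non-empty policy_gaps list for any client means the denylist is not being enforced for some request type and the Squid ACLs need fixing before the audit trail can be trusted.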
Another thing worth considering is moving Users from Internet Explorer to Mozilla
Firefox, or at least giving them the option to do so. IE has always been a magnet
for hackers, mostly because its enormous installed base of non-technical users
makes it the most rewarding target. Exploiting IE is often "easy pickings" for
hackers, especially if the target user is not diligent about keeping up with
patches and security updates. Microsoft products are frequently under sustained
attack from new exploits even before a CERT bulletin is issued. Non-Microsoft
products see less of this, primarily because their much smaller installed bases
make them less juicy targets; that is a smaller attack volume, not proof of fewer
bugs, so they still need to be patched. Firefox has quite a few security
provisions built into the core product (which is free), and there is an
ever-growing list of security plug-ins available to add on to it. Again, an easy
and essentially free option that could offer substantial security benefits.
However, having said all of that... I am a VERY knowledgeable, extremely
cautious Computer Engineer who is suspicious of even Verisign-certified sites
and downloads. I run ZoneAlarm, AVG anti-virus software and Microsoft Defender
as well as the Firefox web browser with every security plug-in known to man. I
have a WEP-encrypted wireless network with a wireless router that also has
firewall capabilities. But even with all of that, I recently had a Zlob trojan
virus download onto my Windows XP SP3, 100% up-to-date (patch-wise) PC by
visiting a web site that was apparently compromised. I was smart enough to kill
the popup using the task manager and not by being suckered into clicking
"cancel" or the close button (which would have instantly installed, deployed
and propagated this VERY destructive trojan), but... this recent event
underscores the fact that even if you do everything possible to protect your
network, you are still just one mis-step away from disaster. And if you haven't
done everything possible to protect your enterprise (which is the case with
almost all of the data centers I have visited), well... you're just asking for
judgment day, in my opinion.
Next in the security white paper series:
Firewall White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Shelfware White Paper
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro