Close encounters of the virus kind

Sunday Aug 1st 1999 by Gerald Lazar

Computer viruses may be unavoidable, but anti-virus software, proactive management, and user training reduce the danger of infection.


Even the healthiest people sometimes get sick. And even the best-protected companies can catch a virus. As with human health, the true test of a network's well-being comes in how quickly it fights off or recovers from an illness.

To keep computer viruses, worms, Trojan Horses, and other nasties that fall under the umbrella title of "malicious code" away, most companies simply deploy anti-virus software.

But what happens if the anti-virus vendor gets sick? Just ask Symantec Corp., of Cupertino, Calif. Earlier this month, the company received a message from hackers threatening to unleash a worm via e-mail. Luckily, employees in the Netherlands perceived the threat quickly. Executives in San Jose then deleted the message and repelled the infection with Symantec's security software, says company spokesperson Richard Saunders.

AT A GLANCE: Willamette Industries Inc.
The company: Based in Portland, Ore., Willamette Industries grows trees, harvests them, and makes paper and wood products. The company employs 14,000 people in over 100 manufacturing sites and 150 facilities worldwide, ranging from single-person offices to the 5,000-person corporate headquarters in Portland.

The problem: Periodic attacks from "malicious programs," including both computer viruses and worms.

The solution: Anti-virus software from Symantec Corp., which runs on servers, e-mail gateways, and desktops to intercept potential infiltration. Almost daily updates via the Internet provide up-to-the-minute support.

The IT infrastructure: Approximately 4,000 computer users run Windows 95--about 80% of whom use Compaq Computer Corp. desktop computers, while 15% to 20% use IBM laptops. The firewall is a combination of a Cisco router and an unspecified Linux box running homegrown software. Willamette uses a Compaq ProLiant mail server, and the PCs run Microsoft Mail. Each site has a LAN attached to the company intranet through dial-up and T1 connections.

The lesson to be learned is that no network--no matter how secure--is totally immune. And while the best option is to avoid computer viruses, the next best alternative is to know how to quickly recover, as Symantec did, when your network does get sick. Remember to be aggressive. Deploying anti-virus software is a good start. Establishing and implementing a set of best practices and policies should be next on your agenda. If your network is compromised, having a plan can save time and a lot of headaches in the IT department.

Willamette Industries Inc. has taken this lesson to heart. The $4 billion integrated forest products company based in Portland, Ore., uses Symantec's integrated Norton AntiVirus product, combined with regular updates, careful inspection of all incoming files, and end user education. This system has made for a more secure environment.

Despite these checks and balances, the company earlier this year caught the Melissa virus. Melissa, a macro virus that made the rounds in March, got into users' systems through a Microsoft Corp. Office document, then replicated itself and sent out copies via e-mail using Microsoft Outlook. Melissa propagated itself up to 50 times with each user it successfully infected. According to a recent survey conducted by ICSA Inc., a Reston, Va., provider of Internet security assurance services, there were 7.6 infections per 1,000 PCs during the week Melissa was released. The chance of encountering Melissa was around 30 per 1,000 PCs per month. Of the almost 5,000 PC users surveyed during or after Melissa, 3,650 reported having been infected.

Melissa managed to infect two servers at Willamette, one at corporate headquarters and one in a branch office in the Southwest, according to Robert Woods, PC systems manager for the company. "A few of our servers were slowed down by the volume of mail, but it was more of an annoyance than anything else," Woods says.

Fortunately, the impact was minimal because IT officials identified the problem, isolated the systems, and got them fixed quickly.

Press and Internet warnings had alerted Willamette to the virus. "We were aware that Melissa was a possibility, so we sent out a notification to all users via e-mail, telling them what to look out for and reminding them of the policies we had in place," says Woods.

Willamette's early warning system kept Melissa in check until a cure was found. As a result, IT officials watched the virus--mostly inert--in its system for about two days, until Symantec issued the "inoculation" that would scrub the virus out. It was distributed, and that was that.


In 1993, the federally funded Computer Emergency Response Team handled 1,334 incidents. By 1998, it was up to 3,734 incidents, and in the first third of 1999, the number was 1,795.

Thus, quick response on the part of the company and the supplier averted what was for other companies a period of costly downtime. "Damages from viruses can range from mere annoyance ... to the obliteration of critical data resources," says Bill Pollak, a spokesperson for the federally funded Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University, in Pittsburgh.

Enough to make you sick

Know your enemy
Types of "malicious software"
Virus: A computer program that makes copies of itself and needs a host program. It may be destructive, but that isn't the primary goal of the program. It may try to hide to avoid detection.
Worm: A computer program that copies itself from one computer to another. It doesn't try to hide, and doesn't need a host. Typically, it spreads through a network.
Spam: A mass e-mail mailing, which can clog up a system almost as much as a worm. More annoying than dangerous, spam wastes time and systems resources. It can often be filtered out by the corporate server or firewall.


Other sniffles
Bug: Programming error that causes computer software to misbehave--or, more often, not work at all. Bugs are not intentionally malicious, but can cause damage nonetheless. Also, virus writers can sometimes exploit known bugs for their own purposes.
Virus hoax: A message warning of a nonexistent virus. These warnings propagate quickly, like all rumors. They frequently spread over e-mail. They cause panic among users and force IT to waste time squelching the rumors. Some anti-virus vendors are considering adding known hoax e-mail filters to their software.

The use of the term virus is somewhat inaccurate, since a computer virus is only one of several types of malicious programs that can wreak havoc with a company's network. But colloquially, virus can be used interchangeably with mal-ware, or malicious software.

"A virus is any type of malicious code that can be used to cause disruption of the information infrastructure," according to a spokesperson for the Defense Intelligence Agency (DIA), which is part of the U.S. Department of Defense. "The disruption can entail attacking the system's integrity, circumventing security capabilities, and causing adverse operation action, or exploiting and taking advantage of the information system."

Viruses are classified by the way they infect systems, says CERT's Pollak. File viruses attack executable files, boot viruses infect boot sectors of hard and floppy disks, and macro viruses are data files written to exploit the macro commands available to Microsoft Word and other applications.

Today, 80% of all viruses are macro viruses, according to Carey Nachenberg, chief researcher for Symantec's Anti-virus Resource Center. "It used to be the floppy disk, but today, a machine can get infected surfing the net, or from executables from Usenet [news] groups."

"It's way beyond the benign stage," adds Michael Erbschloe, vice president of research for Computer Economics Inc., an independent research firm in Carlsbad, Calif. According to the company's survey of about 2,000 customers using computers, from which it received about 150 responses, Erbschloe figures that companies worldwide lost $7.6 billion in the first half of 1999 because of computer viruses--that's more than five times the losses for all of 1998. "That includes about $1.4 billion to clean up results of the virus," he explains. "And the rest was lost productivity."



The DIA spokesperson, who requested anonymity, is familiar with the agency's virus defenses and says that "while there may be thousands of unique viruses or mutations of those viruses, only the more sophisticated ones cause problems today. There are probably less than 10 that are true problems right now."

Taking the initiative

Willamette's proactive approach to Melissa was due to the fact that the company has had other brushes with computer viruses. "We'd gotten the 'Concept' macro virus in 1996," explains Woods. The Concept macro resided in Word documents and replicated itself by writing over existing or creating new Word macros. "It made us realize what a problem viruses could be."

Doctor, doctor!
Desktop symptoms that may indicate the presence of a computer virus:
Programs suddenly take longer to load.
Program size keeps changing.
Hard disk keeps running out of free space.
User gets 32-bit errors in Windows.
Drive light keeps flashing when user isn't doing anything.
User can't access the hard drive when booting from the A drive.
Unidentifiable files appear.
Files have strange names that users can't recognize.
Keyboard keeps making clicking noises.
Letters look like they are falling to the bottom of the screen.
Computer doesn't remember CMOS settings, even though the battery is new.
Source: Symantec Corp.

At the time, Willamette had some anti-virus capabilities, including a variety of software from different vendors such as Symantec/Norton, McAfee, Trend Micro Inc., and others, "but it was a mishmash of different products at different places," says Woods. Because Willamette is decentralized, each office was permitted to buy whatever anti-virus products it deemed appropriate, with no regard for what everyone else was using.

When Concept hit, Woods ran the then-current Norton AntiVirus utilities on a corporate file and print server running Novell NetWare and discovered the more than 200 occurrences of the virus, which were then scrubbed clean. "But we realized we needed something global," Woods says. That's when Willamette turned to the integrated Symantec solution.

A systematic global approach is one of the important keys to preventing and mitigating malicious code attacks. "Generally, we're a fairly decentralized organization," Woods says. "We try to let each group run its own show. But in matters like this, we have standard policies and procedures that they must follow."

In addition to establishing policies about what anti-virus software should be used, updating regularly is an important key to protecting the network from malicious code. Willamette posts monthly updates made available from Symantec. The company also has mid-month updates as necessary and emergency notifications, according to Woods.

Willamette uses "the carrot, rather than the stick," approach to get policy compliance, according to Woods. "We don't say 'you must do this,' we say, 'here are some things that can help you.'" Anti-virus updates are done manually by administrators at each site, but they are nudged to do so by frequent reminders from corporate administration.

But it's not smart to just depend on your vendor for updates. Willamette regularly consults Web sites, Usenet news groups, and other sources for news on the latest viruses (see "Sites to see"). "We're checking the Web every day or two just in case," Woods says.

"A multitier solution is important--desktop, server, and gateway," adds Symantec's Nachenberg. "We used to say the desktop was the most important because viruses spread by floppy disk. Today, with e-mail and the Internet, security's most important at the gateway, where it is filtering traffic."

Willamette has virus checks at the firewall--which is a combination of a Cisco router and an unspecified Linux box with homegrown software--at the Compaq ProLiant mail server, and at the desktop level, which runs Microsoft Mail with Microsoft Exchange as sort of the backbone, says Woods. "Generally, one of them will stop a virus," he says.

Many companies are currently in the state Willamette was in three years ago. "Most companies today have a random hodgepodge of products," says Ted Julian, an analyst with Forrester Research Inc., in Cambridge, Mass. "One workgroup bought this product, another bought that...the company started with a desktop-oriented approach, but then added a firewall. It's a mess."


The good news is that improving anti-virus practices isn't difficult, according to Julian. "Most companies are doing such a lousy job, anything is an improvement," he says. Julian recommends getting and keeping one type of anti-virus software and making sure it runs everywhere in the organization, as Willamette did. He also suggests updating anti-virus software regularly, using the multiyear, anti-virus service provider agreements that are already in place in the organization, as well as having a policy in place.

Timing is critical

In a rare example of cooperation in the computer industry, many anti-virus vendors share information when a new virus becomes known. Regardless of the vendor, patches are usually available within 48 hours of a virus' release, often the same day.

"Response time is what's critical," says A. Padgett Peterson, PE, principal engineer for Information Security, Corporate Information Security, at Lockheed Martin Corp., in Bethesda, Md. "Absolutely the most important thing is the ability to change your defensive posture instantly."

That's why "you've got to have the latest signature files," says the Defense Intelligence Agency spokesperson. The DIA uses a commercial anti-virus software package, and it is absolutely rigid about distributing the latest updates as soon as they are made available. Not every commercial organization can make that kind of commitment, though.

Bandwidth considerations may mean that distributions have to be done during off-peak hours, or even during the weekend. While updates may take only a few minutes to install, companies may not be able to dedicate the system during business hours because there's business being transacted on the intranet.

That's playing a dangerous game, though, since the longer a network is unprotected from a virus, the more likely it is to become infected. "There are lots of good tools out there," says Computer Economics' Erbschloe, such as firewalls, sniffers, and anti-virus software. "But you've got to keep them updated, or it won't do any good."



Remedy Intelligence Staffing, of Aliso Viejo, Calif., a nationwide staffing company, uses a central Novell NetWare server to distribute information to its users at about half of its 250 branch offices throughout the United States. Remedy IT officials started becoming truly concerned about security several years ago with the rise of the macro virus, according to Andras Somogyi, lead technical support specialist for Remedy's Network Services Group. "Since we're very much a Microsoft shop, macros became a big issue," he says.

Sites to see
There are literally hundreds of Web sites with information on computer viruses. Here are a few Internet resources we have found useful:

Computer Emergency Response Team Command Center: Carnegie Mellon's CERT Command Center has up-to-the-minute alerts about new computer viruses. It's also quick to post fixes or links to available fixes.

Wildlist Organization International: Many computer viruses are never spotted except in the laboratory. When malicious code actually infects a computer unintentionally and is spreading, it is said to be "In the Wild." Wildlist keeps a database of malicious code.

The Virus Hoax page: There are plenty of sites on the Internet that expose fake virus notices. This site isn't as much fun as some of the others, but it's the most up to date.

comp.virus and alt.comp.virus are the two best known Usenet groups on the subject of viruses. Both groups are excellent for trading war stories and picking up information about the latest threats to IT. On Web browsers, click on news.

Dr. Solomon's Home Page: Now part of Network Associates International, this well-known site is still worth visiting for its insights and solutions.

Using anti-virus software from Trend Micro, in Cupertino, Calif., Remedy is stopping about 100 virus attacks a month throughout the company, Somogyi says.

"Today, updates are done automatically [and immediately] with no trigger" on 2,000 desktops, says Somogyi, which has proven to be a real time saver for IT. But, he admits, his company may have to switch to scheduling updates overnight because of other demands on corporate bandwidth. Remedy is connected through a 128K Frame Relay. The 1MB to 2MB updates take a minute or two, at which time each user who needs to be updated is taking a good chunk of the frame.

Remedy's automated scheme not only detects viruses as they come in, but also notifies whoever sent the e-mail that they have an infection. "We've gotten viruses from big companies like AT&T and Compaq," Somogyi says. "They've always been grateful for our feedback."
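The last few paragraphs raise two practical problems: hosts running stale signature files, and the bandwidth cost of pushing updates over a shared link during business hours. The Python script below is an added example, not code from the article, Willamette or Remedy. It reports hosts whose definitions lag the vendor's latest release, counts them per site so reminders can go to the right administrators, and works out how many hosts an off-peak window can serve over a link. The host inventory, dates, site names and the seven-day tolerance are constructed; the 128 kbps link and 2 MB update size are the figures Somogyi gives above.

```python
"""Signature-currency report and off-peak push sizing.

Added example; INVENTORY, the release date, 'today' and the site names are
constructed. The 128 kbps / 2 MB figures come from the article."""
from datetime import date

# Constructed inventory: (host, site, date of the definitions it is running)
INVENTORY = [
    ("hq-pc-001", "Portland", date(1999, 7, 28)),
    ("hq-pc-002", "Portland", date(1999, 6, 30)),
    ("sw-pc-001", "Southwest", date(1999, 5, 15)),
    ("sw-pc-002", "Southwest", date(1999, 7, 30)),
    ("mill-pc-001", "Mill", date(1999, 7, 1)),
]

LATEST_RELEASE = date(1999, 7, 30)   # constructed vendor release date
TODAY = date(1999, 8, 1)             # constructed report date


def stale_hosts(inventory, latest_release, today, max_age_days=7):
    """Hosts that lack the latest definitions AND have gone longer than
    max_age_days without any refresh. Returns (host, site, age_days),
    oldest first, so the worst gaps are at the top of the report."""
    stale = []
    for host, site, defs_date in inventory:
        age = (today - defs_date).days
        if defs_date < latest_release and age > max_age_days:
            stale.append((host, site, age))
    stale.sort(key=lambda rec: rec[2], reverse=True)
    return stale


def site_summary(stale):
    """Count stale hosts per site; this is what a reminder to each site's
    administrators would be built from."""
    counts = {}
    for _host, site, _age in stale:
        counts[site] = counts.get(site, 0) + 1
    return counts


def push_seconds(update_bytes, link_bps):
    """Seconds one update occupies a link of link_bps bits per second."""
    return update_bytes * 8 / link_bps


def hosts_per_window(update_bytes, link_bps, window_seconds):
    """How many hosts can be refreshed back to back in an off-peak window
    if each push saturates the link for push_seconds()."""
    return int(window_seconds // push_seconds(update_bytes, link_bps))


if __name__ == "__main__":
    for host, site, age in stale_hosts(INVENTORY, LATEST_RELEASE, TODAY):
        print(f"{host:12} {site:10} definitions {age} days old")
    print("per site:", site_summary(stale_hosts(INVENTORY, LATEST_RELEASE, TODAY)))
    two_mb, link = 2 * 1024 * 1024, 128_000
    print(f"one 2 MB push over 128 kbps: {push_seconds(two_mb, link):.0f} s")
    print("hosts per 30-minute window:", hosts_per_window(two_mb, link, 30 * 60))
```

The release check and the age check are kept separate on purpose: a host a few days behind the latest release is not yet a problem, while a host that has not refreshed in weeks is a gap whatever was released when. The window calculation shows why Somogyi is considering overnight scheduling: at about two minutes per host on a 128 kbps link, a 30-minute window covers only about a dozen machines.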

No network is immune

Despite the most valiant efforts, you're still going to get malicious code in your system. Virus designers are endlessly inventive, and viruses mutate too quickly for even the best system to catch all of them.

"Viruses will get in," says Dan Schrader, vice president of new technology for Trend Micro. "Your job is to make sure that if an incident strikes, it doesn't spread. If a virus affects one computer, it's a nuisance. If it affects 100, it's a disaster."

No network is completely immune, concurs Forrester's Julian. "If you set that as a goal, you will fail. So you should put policies in place that will minimize the impact. Companies have to learn to take these things in stride so that every mistake doesn't bring it down."

Plan ahead, Julian insists. "The way you respond to a self-replicating virus is different from the way you respond to an attachment infection," he says.

But that planning has to have flexibility built in, says Remedy's Somogyi. "We can't have any firm plans in place, because we can't know exactly where a virus is going to hit or how."

One policy both Willamette and Remedy have in place is to identify and isolate the systems that have been infected. "Shut the system down and try to isolate the machines it's on," Somogyi advises.

Lockheed's Peterson thinks isolation is vital. "You have to be able to isolate to limit the damage," he says. "In the past, that used to mean cutting a machine off the network. Now that may mean cutting off the network. And that means you have to find someone you can trust with the authority to shut your network down. You need a dictator you can trust, because you don't have time to react through bureaucracies. That kind of person isn't easy to find."

Once the network has been isolated, IT has to figure out what the network has been infected with and what the virus is corrupting. "Assess the probable damage and rate of speed," says Lockheed's Peterson. "What kind of virus is it? You have to categorize it quickly. Get a sample over to the anti-virus provider as soon as possible."

To correctly assess the impact of the virus, network administrators have to know what the system looks like normally. "Administrators should understand the inventory of the network," says Symantec's Nachenberg. "To identify the culprit, you can set up a test machine from a clean install, attach the machine to the network, and find out if anything attacks."

When the virus has been neutralized, the system has to be rebuilt. And that means using your backup files. Of course, it's crucial to ensure those backups are clean of the infection.

Finally, says CERT's Pollak, learn from your mistakes. "Collect and protect information...and identify and implement security lessons learned."
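The assessment and rebuild steps above depend on knowing what the system looks like normally. The Python below is an added example, not from the article, Symantec or Willamette, of one way to keep that knowledge: fingerprint the executable-type files on a clean machine, then compare a later snapshot to list modified, new and missing files. That is how a file virus that appends itself to a program, a macro virus that rewrites the Word template, or an unidentifiable new file from the "Doctor, doctor!" list would show up. The directory layout, file contents, watched extensions and the tampering performed in demo() are all constructed for the example.

```python
"""Baseline-and-compare check for executable-type files.

Added example. WATCHED_EXTS is a hypothetical watch list; the files and the
tampering in demo() are constructed so the script runs offline."""
import hashlib
import os
import tempfile

# Hypothetical watch list: program files plus Word templates, since macro
# viruses of the Concept family lived in templates such as NORMAL.DOT.
WATCHED_EXTS = {".exe", ".com", ".dll", ".sys", ".dot"}


def fingerprint(path):
    """(size in bytes, SHA-256 hex digest) of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return os.path.getsize(path), digest.hexdigest()


def build_baseline(root):
    """Map relative path -> fingerprint for every watched file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WATCHED_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Differences an administrator should look at, each list sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Build a constructed clean tree, snapshot it, tamper with it the way
    an infection would, and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "office"))
        clean_files = {
            "command.com": b"clean command interpreter",
            "office/winword.exe": b"clean word processor",
            "office/normal.dot": b"clean template, no macros",
            "readme.txt": b"not a watched type",
        }
        for rel, data in clean_files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)

        # Constructed tampering: a file virus appends to a program, a macro
        # virus rewrites the template, an unknown program appears, and a
        # system file goes missing.
        with open(os.path.join(root, "office/winword.exe"), "ab") as fh:
            fh.write(b"APPENDED CODE")
        with open(os.path.join(root, "office/normal.dot"), "wb") as fh:
            fh.write(b"template now carries an AutoOpen macro")
        with open(os.path.join(root, "unknown.exe"), "wb") as fh:
            fh.write(b"program nobody installed")
        os.remove(os.path.join(root, "command.com"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Take the baseline from a clean install, as Nachenberg suggests, store it where the host cannot alter it (write-protected media or another machine, since a virus on the same disk could rewrite it), and refresh it after legitimate software updates so patches are not mistaken for infections.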

Primary line of defense

One of the major problems with getting a good anti-virus policy implemented is money, according to Computer Economics' Erbschloe. "We've been studying IT budgets for a decade, and security is always underfunded. You have to give [the security implementers] money so that they can keep up on current issues and get the tools they need."


Firewalls are one of those tools, and implementing a firewall is a prerequisite for computer security. But it isn't sufficient. Although firewalls can keep unwelcome users out, they can't protect your network from inadvertently dangerous payloads from approved sources like a customer.

"You have to have software on the desktop. That's your primary line of defense," says Lockheed's Peterson. Computer security for Lockheed Martin involves thousands of platforms, from PCs to Macintoshes to UNIX workstations and mainframes, at hundreds of locations worldwide.

That means IT still has to educate the end user on how to use the anti-virus software. It can be a difficult task, when you consider that most managers are still trying to convince end users simply to back up their files regularly.

The main lesson to be learned? "Scan anything from the outside world," says Symantec's Nachenberg, including any e-mail message, program, or data file introduced into the system. This must be done at each level of a multitiered approach. Some experts go even further and recommend not opening any e-mail attachments whatsoever. Of course, that's impractical in today's business world, but users should be taught to think twice before running an .EXE file, especially if it's from an unknown source.
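The "scan anything from the outside world" rule, applied at the gateway tier Nachenberg describes earlier, can be written down as a simple attachment policy at the mail gateway. The Python below is an added example, not code from the article or from any of the companies it quotes. It parses a constructed message, classifies each attachment by its file name (executables are blocked outright, Office documents are routed to a macro scan, everything else to a signature scan) and records the sender so a notice can go back, as Remedy's scheme does. The extension sets, the verdict names and the sample message are assumptions for the example; a real gateway would also scan content, because a file name is only the first filter.

```python
"""Attachment policy for a mail gateway.

Added example. EXECUTABLE_EXTS, MACRO_CAPABLE_EXTS and SAMPLE_MESSAGE are
constructed for the example, not taken from any product or company."""
from email import message_from_string

# Hypothetical policy lists: types that run directly, and 1999-era Office
# formats that can carry macros.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".vbs", ".scr", ".pif"}
MACRO_CAPABLE_EXTS = {".doc", ".dot", ".xls", ".xla", ".ppt"}

# Constructed message: a partner sends a Word file and a double-extension
# executable dressed up as a document.
SAMPLE_MESSAGE = """\
From: partner@example.com
To: woods@willamette.example
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: application/msword; name="figures.doc"
Content-Disposition: attachment; filename="figures.doc"
Content-Transfer-Encoding: base64

ZmFrZQ==
--XYZ
Content-Type: application/octet-stream; name="setup.doc.exe"
Content-Disposition: attachment; filename="setup.doc.exe"
Content-Transfer-Encoding: base64

ZmFrZQ==
--XYZ--
"""


def classify_attachment(filename):
    """Return (verdict, reason) for one attachment name.
    verdict is 'block', 'scan-macros' or 'scan'."""
    # Every extension in the name, so 'setup.doc.exe' yields ['.doc', '.exe'].
    exts = ["." + seg for seg in filename.lower().split(".")[1:]]
    if not exts:
        return "scan", "no extension; scan content before delivery"
    if exts[-1] in EXECUTABLE_EXTS:
        if len(exts) > 1:
            return "block", "executable disguised with a double extension"
        return "block", "executable attachment"
    if exts[-1] in MACRO_CAPABLE_EXTS:
        return "scan-macros", "Office document; scan for macro viruses before delivery"
    return "scan", "scan with current signatures before delivery"


def inspect_message(raw_message):
    """Walk a raw RFC 822 message and return the gateway's decision."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        name = part.get_filename()   # None for bodies and multipart containers
        if not name:
            continue
        verdict, reason = classify_attachment(name)
        findings.append({"filename": name, "verdict": verdict, "reason": reason})
    blocked = any(f["verdict"] == "block" for f in findings)
    return {
        "sender": msg["From"],
        "action": "quarantine" if blocked else "scan-and-deliver",
        # the address a 'you sent us an infected message' notice would go to
        "notify": msg["From"] if blocked else None,
        "findings": findings,
    }


if __name__ == "__main__":
    decision = inspect_message(SAMPLE_MESSAGE)
    print(decision["action"], "from", decision["sender"])
    for f in decision["findings"]:
        print(f"  {f['filename']}: {f['verdict']} ({f['reason']})")
```

The name-based verdicts decide only where a part goes next, never that it is safe: the "scan" and "scan-macros" outcomes still hand the attachment to the signature scanner, with the latest definitions, before it reaches a desktop.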

It's difficult to get users to comply, though, since most are only semi-computer literate. "We think we have literacy," says Computer Economics' Erbschloe. "But you have people not backing up their files, not defragging regularly, not taking care of their systems." Basically, many users often don't know what they're doing. They need more training before venturing onto the information superhighway.

But not using anti-virus software is only one way corporate users put the network at risk. "People don't like to think about this, but even before there was Internet access, people were using their computers for personal use," says Erbschloe. "Today, they're getting joke e-mails, they're on mailing lists, they're visiting a variety of Web sites." Each of these areas is a potential source of virus infection.

The DIA has implemented a layered policy--defenses at the gateway, server, and desktop level--called Defense in Depth. There are agencywide guidelines as to what each person is responsible for in terms of handling media and the policy for malicious code. The DIA's spokesperson acknowledges that it might be difficult to make users in the commercial sector comply with strict policy mostly because people don't always do what you tell them to. For example, many people don't back up their software or defrag their disks, even though they're told to. On the other hand, the army can "order" someone to do it. "The fact that we're a defense organization means that we can make a policy mandatory...we have greater jurisdiction."

Order or no, it's unlikely that you'll be able to stop such practices--managers have been trying to do so for years. But through education, you should at least be able to raise user awareness of security issues, according to Erbschloe.

Rising temperatures

The war between virus designers and anti-virus developers is only going to escalate. And new parties are going to be drawn in. "Macro viruses became possible because information became active," says Trend Micro's Schrader. "Today, more than 90% of the malicious code infections come in by e-mail. Soon, that code will be part of the e-mail itself."

The latest e-mail readers will display e-mail as an HTML page, and such code is an excellent hiding place for JavaScript viruses, the first of which were spotted in Nov. 1998. In addition, buffer overflow-related threats indicate that a user might eventually receive malicious code without even opening the e-mail. When a user receives a buffer overflow error it means a piece of data is longer than a program has room for. It turns out that the "overflow" could conceivably be used to insert malicious programs, which would be executed simply by receiving the mail without even opening the attachment.

So far, anti-virus software providers have been able to respond rather quickly to virus threats, in part because of the slap-dash nature of many computer viruses. "They're still mostly amateur efforts," says Lockheed's Peterson. "And you can tell that because it's very rare that you come up against a virus that works cross-platform. I have never seen what I would call professionally written mal-ware."

That may change, though. "I think we're going to see more and more sophisticated [viruses]," warns the DIA spokesperson. Some analysts believe that a new breed of virus writers are deliberately targeting specific corporations. For instance, Trojan Horses may be used for industrial espionage; irate former employees are also a possibility. People with a political point to make might target the military or a specific industry.

Certainly, the speed with which malicious code propagates is increasing. "Once we had six to nine months between the time when a virus was reported and when we would see it," says Lockheed's Peterson. "Now it's almost instantaneous."

Willamette's Woods has a final word of advice about computer virus infection for his IT colleagues: "If it hasn't happened to you yet, it will. So you'd better get moving on it now."

Gerald Lazar is a freelance writer in Tenafly, N.J. He can be reached at jl4hire@ix.netcom.com.




Copyright 2017 © QuinStreet Inc. All Rights Reserved