In an effort to protect against evolving network attacks, vendors and customers need to deploy a variety of security tools, technologies and techniques.
One technique is to deploy a worm tracking program like wormcatcher, said Robert Vibert of the anti-virus information exchange network at
a recent Infosecurity Canada conference held here in downtown Toronto.
In the fight against viruses, Vibert said anti-virus vendors are increasing detection and adding new features such as sandboxes, executable attachment filtering; adding new devices including gateway filtering hardware; offering remote updates for laptops; deploying a combination of virus and spam mail filtering devices; detecting potentially unwanted applications (spyware, dialers, adware, hidden FTP servers, loggers and sniffers); and cleaning viruses of any complexity (via thread stopping and process killing).
In addition to installing up-to-date anti-virus software, making regular back ups and using personal firewalls, Vibert said users need to turn off unnecessary file shares; apply network security; apply file level permissions on all public information; keep security patches current and cover home/remote users.
He said viruses and worms have flourished over the last 12 months because of insecure environments, leaving the door open to a constant stream of new threats. “”Viruses, worms and Trojan horses are making our lives difficult and they are costing us money – and affecting our well-being.”” he said.
The Computer Emergency Response Team (CERT), for example, cites 52,658 online security incidents in 2001, up from 21,756 reported in 2000 and 9,859 in 1999.
According to the International Computer Security Association (ICSA) – an anti-virus lab that provides information on computer viruses, worms, and the newest forms of malicious code – there were 1.2 million virus incidents in 2002.
Symantec, meanwhile, reports 50 new vulnerabilities each week in 2002 – an 80 per cent increase from the year before. Vibert said there are about 80, 000 viruses out today – and it’s growing every month.
“”The bottom line is things are getting worse,”” he said. “”Some people say they are twice as likely each year as in the past of encountering a virus. It’s a continuing, ongoing problem. There hasn’t been any gap, or a time when things have calmed down – they just keep on coming.””
What are the nasty effects of viruses? Vibert said the most common complaints among computer users are the loss of productivity; PCs are made unavailable to the user; the spread of corrupted files; loss of access to data or the actual loss of data.
“”There are viruses which will go around, take your file and recreate the file with zero bytes. So you have an expense report or some sort of a study that you’ve done, and it appears that the study is still there, and the backup software will faithfully back it up onto your backup system – it’s just that now it has zero bytes.””
The biggest threats are the net-aware and net-enabled viruses and worms, he said. “”Today, the single biggest form of attack is coming in through e-mail attachments.””
Blended threats, in particular, which combine viruses, worms and hacking attacks are on the rise and wreaking the most havoc, he said.
Blended threats, for example, may use instant messaging to spread (Microsoft Messenger) via file transfer; scan networks for open shares; scan for unpatched vulnerabilities; use own SMTP engine to mass mail itself; open backdoors; remote/deactivate anti-virus software; hide evidence of infection; remove audit traits; roll back existing security measures; and generate excessive network traffic, both internally and externally.
Some examples of viruses include Sircam, which performs mass mailings with an attachment from a victim’s ‘My Documents Folder.’ It may infect other systems using open network shares; it talks directly to the SMTP server to send mail; and it can delete files, he said.
The Bugbear worm I virus, meanwhile, copies itself over LANs using open file shares; gets a direct connection to default SMTP server for mass mailing; and logs key strokes.
The Bugbear worm II, on the other hand, attempts to disable popular anti-virus programs; and grants control over infected machines (and can send/receive/copy/execute files/terminate processes and send out user information), he added.
For more information on the anti-virus exchange network, check out www.avien.org. To check out worm activity, log onto www.wormwatch.org.
