Threats of Computing
in a Virus
or, how I stopped worrying and learned to love the worm….
Dr. John Johnson, CISSP
The Joys of Computing in 2003
65,336 PC viruses discovered to date
4,129 IT vulnerabilities in 2002
Microsoft Vulnerabilities by Oct.
“Millions Reported in Damage Last Year Due
“MSBlast Continues to Spread”
The Tip of the Iceberg”
“IE users defenceless to trojan attack”
“Broadband severely increases security risk”
I’ll talk about the problem and give some examples.
I’ll give some ideas to deal with viruses in both the
corporate and home environments.
I’ll give some Best Practice suggestions.
I’ll give some WWW resources.
I’ll try to take as many questions as I can before the
CSI/FBI Computer Crime
Survey 2003 (Virus Loss)
2003 CSI/FBI Computer Crime Survey, www.gocsi.org, based on 47% of the 530 responses that could quantify these losses
HOAXES & CHAIN LETTERS
TROJANS, BACKDOORS & ZOMBIES
Definition: (loose) Self
Malicious viruses didn’t arise until the 1980s.
Fewer than 5 viruses in 1987
Boot Sector Viruses
use a macro language and spread via applications like Microsoft Word (first cross-platform virus)
There are now > 10,000 macro viruses worldwide.
Who Writes Them?
No longer just the teenager; now the profile is a 14 to 30s male, looking to feel empowered
HOAXES & CHAIN LETTERS
Hoaxes and chain letters are sometimes just jokes, sometimes annoying, and sometimes dangerous
Often these email messages are a great waste of time and bandwidth, with people sending them to all of their friends. Sometimes they convince the user to actually delete files (like the JDBGMGR “teddy bear” hoax).
With a misconfigured email system, the confusion alone can cause many replies which then route to all the users on a mailing list, and the noise can take days to die down.
Some antivirus programs treat these like viruses and quarantine
A worm is a self-replicating program that propagates from host to host.
Originally, a sector map would show worm-like errors from misbehaving code. The name stuck and came to describe viruses that act on their own, using more and more sophistication and exploiting technology and vulnerabilities.
The first worms were helpful tasks, and malicious worms have become the most dangerous kind of viral
Mass-mailers exploit vulnerabilities in the way email programs work, like Microsoft Outlook, to gather email addresses and spread to all the users they can find via email. These messages look like they came from a friend (social engineering), so they are often opened and executed.
opened and executed. Some will auto
exploiting an operating system vulnerability as well.
The I Love You virus hit in May, 2000.
This was my first BIG virus crisis!
It started with an innocent letter, appealing to lonely email readers (social engineering). The subject was “I Love You”; the payload was a VBS script that, when executed, quickly spread in email to all the users in your address book, and wormed its way through fileshares, destroying image files.
At least 82 variants of this worm were discovered. The latest is VBS.LoveLetter.CN, dated May 31, 2001.
TROJANS, BACKDOORS & ZOMBIES
These spread as viruses and worms, and include hidden code that will allow a remote user to access the computer or use the computer to attack
As an example, be wary of any screensavers my son might send you! It may contain netcat, a program that allows him to remote control your computer, see your screen, open your CD drawer and play with your
Not all are so kind.
Some will use your computer as a launching point in a multi-layered attack against another target. They can use you as a Distributed Denial of Service
A blended threat will use network vulnerabilities (often known widely for many months) along with virus or worm vectors to quickly spread to many hosts.
In 2001, Code Red came out late in the summer. It was the first virus that spread using a published vulnerability in IIS on Windows NT and Windows 2000.
Blended threats are the fastest growing and most dangerous type of virus threat to date. Within minutes, vulnerable computers across the world can become infected (depending on
Response to blended threats requires both antivirus tools and network tools (to monitor and control) such as IDS and
In 2001, Code Red came out late in the summer. (The name came from the team at eEye that discovered it, as they were spending many long hours drinking Mountain Dew Code
The CodeRed worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service, exploiting this vulnerability and propagating as a worm. Code Red performed a denial of service on whitehouse.gov.
Code Red II quickly followed on the heels of Code Red. It was more destructive, but used the same buffer overflow vulnerability. Code Red II contained a trojan file and modified system files.
Nimda (admin spelled backwards) followed closely on the heels of Code Red. It was first discovered 9/18/01.
Nimda used a vulnerability in MIME types to auto
and become memory-resident. Therefore, a machine that was unpatched could become infected even if it had
Sends itself by email.
Searches for open network shares.
Attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers.
Is a virus infecting both local files and files on remote
Several variants of Nimda came out subsequently.
The Blaster virus came out in August this year. It was a real big pain too!
It used a recent exploit announced (DCOM RPC) by
It also looked for open TFTP shares.
This virus used common ports that Microsoft also uses for
It also attempted a Denial of Service against Microsoft.
It tried to download a trojan and install it.
Several variations on the theme followed.
This virus exploited a known SQL injection
This virus spread to 90% of all the vulnerable (exposed) hosts on the Internet in just 10 minutes.
Once infected, a computer sent out attempts to infect subsequent computers with the same virus.
An unintended side effect was the Denial of Service generated by the tremendous amount of network traffic.
ATM systems and other major corporations were shut down until they had filters in place on their routers and firewalls.
The only way to fully stop a virus like SQL Slammer or Blaster is to patch all vulnerable machines.
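As an added example (not from these slides), here is a small Python script showing the kind of network-side monitoring the blended-threat slides call for: it reads a firewall-style log and flags any source that sweeps many distinct hosts on one port in a short window, which is the traffic pattern an infected Slammer or Blaster host produces while it hunts for new victims. The log format, addresses and port numbers are constructed for the example, not taken from the slides.

```python
# Added example, not from the slides: flag hosts that behave like a spreading
# worm by sweeping many distinct addresses on one port in a short time window.
# The log format, addresses and ports below are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+)/(tcp|udp)$")

def parse_line(line):
    """Parse '<date> <time> <src> -> <dst>:<port>/<proto>'; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(port), proto)

def find_scanners(lines, min_targets=20, window_seconds=60):
    """Map (src, proto, port) -> peak distinct destinations for sources that hit
    at least min_targets distinct hosts on one port inside the time window."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, src, dst, port, proto = ev
            by_key[(src, proto, port)].append((ts, dst))
    alerts = {}
    for key, evs in by_key.items():
        evs.sort()                      # time order for the sliding window
        seen, start = defaultdict(int), 0
        for ts, dst in evs:
            seen[dst] += 1
            while ts - evs[start][0] > window:   # expire events older than window
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= min_targets:
                alerts[key] = max(alerts.get(key, 0), len(seen))
    return alerts

def constructed_log():
    """Constructed sample: a benign client plus one host sweeping 40 addresses."""
    t0, fmt = datetime(2003, 8, 11, 14, 0, 0), "%Y-%m-%d %H:%M:%S"
    lines = [f"{t0 + timedelta(seconds=10 * i):{fmt}} 10.0.5.17 -> 10.0.5.1:80/tcp"
             for i in range(5)]
    lines += [f"{t0 + timedelta(seconds=i // 2):{fmt}} 10.0.5.42 -> 10.0.9.{i + 1}:135/tcp"
              for i in range(40)]
    lines.append("malformed line that should be skipped")
    return lines
```

Run `find_scanners(constructed_log())` to see the sweeping host reported with 40 distinct targets on one port while the benign client, which only talks to a single server, is never flagged.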
These are annoying, and often you don’t even know they are running, or what they are reporting.
They can include hidden programs to spy on your activities.
They can be simple marketing gimmicks (gator.exe), or they can be annoying and alter your browser and cause
They can even be used to steal passwords.
Sometimes these get installed when you download a free program off the Internet. Always be careful what you download and what you click on. You may agree to install something by clicking on the EULA without realizing it.
We all know what SPAM is, and it ain’t all that tasty!
SPAM is annoying, unsolicited email.
Often the spammer generates a subject that looks legitimate, or a FROM address that looks like someone you might know. It might say MOM or JOHN, and may refer to something that looks like you already discussed in a
Sometimes they try to use the Authority card, and pose as an update from Microsoft or Dell.
Most people report that over a third of their email is now SPAM.
SPAM costs businesses an estimated $11.9B/year in 2003.
How you might fight the SPAM…
Don’t open anything from anyone you don’t know.
Don’t answer SPAM; it tells them that you exist.
At home, buy a spam filtering program and update it.
At work, or ask your ISP to install spam filtering. Content filtering can block certain adult material, as well as messages that appear suspicious. (This can also destroy
At work, use a web proxy to avoid downloading “web bugs”.
At work, subscribe to a Black Hole List.
Register online for FTC No Spam Registry. (legal?)
Realtime Blackhole List
Boycott Internet Spam
Network Abuse Clearinghouse
Forum for Responsible and Ethical Email
Now, how can I keep my data with everyone about me losing theirs?
Take a deep breath. It’s not so bad. (It could be a lot worse!)
What does this mean for the corporation?
What does this mean for the home user?
The Corporate Threat
Defense in Depth!
DMZ for Internet exposed applications
Content Filtering (web, smtp, ftp…)
Client Antivirus, Email Antivirus, SMTP Gateway
Access Controls on Remote Access/Wireless
A Good Security Team!
Documentation and tested response
On the Homefront
“I’m not really a computer expert…”
You don’t have to be. Have confidence. Know when to ask an expert, and don’t be shy!
Be extra careful if you have kids and/or broadband.
Fork over the money and buy ANTIVIRUS!
Keep your antivirus UPDATED!
Keep your computer patched! (If you don’t own a PC you have a lot less to worry about!)
Get SPAM filtering software / Pop
If you’re on broadband, you should have a firewall too.
On the Homefront
BUY a copy of a good antivirus program (like Symantec, McAfee, Trend, Panda...). Available for all platforms. If you like the online scanner below, you can purchase a commercial version from their site for around $30 with a 1
Keep it updated AT LEAST once a week. Try to set it to autocheck at a convenient time so you don't forget. The paid subscription lets you auto
you don't pay after it expires, you can still get virus updates manually from the vendor website, in most cases.
Here is a link to a page I made to check on the latest virus news:
Here are some links to FREE ONLINE resources for scanning your PC.
+ Symantec (PC):
(you can perform a virus scan, or check for vulnerabilities)
+ Trend Micro (PC):
+ Panda (PC):
+ McAfee (PC):
On the Homefront
There is nothing worse than having a TON of junk mail in your inbox when you check it. You may not check mail every day, which makes it even more of a chore to deal with the glut of
When you get junk mail, you will generally know it is not from someone you know. If you are in doubt, just DELETE the message. Don't take the risk of opening unsolicited email.
Even though you can sometimes opt out of SPAM mailing lists by following the instructions at the bottom of the message, more often than not you are letting the SPAMMER know you are there, and they will send you more SPAM. So, don't reply to SPAM.
Until there is some miracle way of opting out of it altogether, you will need to invest in a SPAM blocking program. While there are filtering options in some email systems, they are weak, and it is worth a few bucks to buy a program that will filter SPAM and has a subscription to keep updated with new filters. Here are some options:
+ McAfee/Spamkiller (PC, $30):
+ Matterform/Spamfire (Mac only for now, $25/$40):
+ CoffeeCup PC
haven't tried, but good reviews, $30):
+ SpamWeed for POP3(bayesian spam filter, should learn and improve over
haven't tried but looks good, $30):
On the Homefront
Dealing with Ad-Ware/Malware (the stuff that gets installed when you download another program or visit a website that reports on what you
This is primarily a PC problem, so these tools are exclusively for the PC.
Here are links to a couple of FREE software packages that you can use to scan for any adware that might be installed on your system (i.e. Gator, etc.):
+ Ad-aware (PC, FREE):
+ Spybot (PC, FREE):
On the Homefront
There are several vendors that have tools to block pop-ups. Always be careful that you don't install spyware in the process of downloading a neat toolbar to block pop-ups. Here are some I like. They may also have additional functionality, like Google searching, etc.
(Mozilla might be the
up blocker for classic MacOS users.)
+ Google Toolbar (PC, FREE):
+ You might also try running Mozilla, instead of Internet Explorer:
+ On MacOS X, use Safari, it will block pop
+ CoffeeCup Pop-up Blocker ($20):
On the Homefront
It is vital that your PC remain patched from critical security vulnerabilities. This Windows site will check your computer for missing patches; you should keep the security patches updated, but may decide not to install other large patches that are not "critical security patches".
[Note: Most new operating systems offer the ability to auto-patch your system; you may decide this is your best option, and that way you won't forget. FOR MAC USERS: You can also use the control panel to look for "software updates" on the Mac... this site is for the savvy MacOS X user. In general, the Mac is much less vulnerable to viruses than the PC.]
Some of the recent "blended" threats, like Blaster, will infect ANY unpatched computer that is vulnerable if left long enough on the Internet, even if you have the latest antivirus. Remember that antivirus is NOT a 100% solution anymore.
+ Apple(MacOS X) Security Updates:
, the Internet will extend its reach into your home and every aspect of your life.
Viruses and threats will become
Vendors will need to ship computers with
, instead of default
If you keep updated and practice
stay safe and keep your data in the chaos.
Computer Security Institute:
John’s Security Page:
A Virus Tutorial:
You may also go to a good online software site, like
and go under your operating system (Windows, Mac, Linux) and then click on Internet to pull up tons of freeware and software titles if you don't find something that you like in my list above.