Life in a Dangerous World: Developing Effective Strategies against Virus, Worms and Other Threats

Marshall Breeding
Vanderbilt University
[email protected]
http://www.library.vanderbilt.edu/libtech/breeding/

Uploaded by lauren-hancock, posted 26-Dec-2015



The Threat

- Computers are under attack more than ever before
- As computer operating systems become more powerful, they also become more vulnerable
- Original viruses were transmitted by files and diskettes
- Macro viruses are cross-platform

The Threat ...

- Most current viruses are transmitted by e-mail
- Mail attachments are common vehicles
- Some viruses live within the message body
- Scripting engines are vulnerable

What is a virus

- Transmit
- Replicate
- Attack
- Mutate

Major virus outbreaks

- 1980s: attacks begin on COM, EXE, boot sectors
  – Jerusalem (Friday the 13th)
  – AIDS (trojan)
- 1988: Internet worm
- 1992: Michelangelo
- 1994: Good Times hoax
- 1996: Concept (macro virus)

...Major virus outbreaks

- 1998: Chernobyl/CIH (activates 26th of April)
- 1999: Melissa (macro virus; propagates through Outlook)
- 2000: ILOVEYOU, Stages (VBX)
- 2000: Phage; Vapor: Palm virus

Observations

- Over 50,000 viruses and variants
- Major outbreaks more frequent
- Microsoft products targeted
- Fast propagation through e-mail
- Very complex to manage: e.g. Microsoft

Trends

- Current generation requires an active role by the user
- Emerging viruses: passive victim
- Future/present concern for wireless devices
- Wider range of targets: computers, PDAs, cell phones

Anti-virus solutions

- User behavior
- Technical

The #1 anti-virus strategy involves human behavior

- Be aware and cautious
- Train computer users to be wary
- Never access files from an unchecked disk
  – any removable media
- Do not download software from untrusted sources
- Know the true source of all software

Be careful with e-mail

- Don't open obviously suspicious messages
- Don't open attachments unless you know the sender and are expecting that specific attachment
- Ensure that your mail client displays the extensions of attachments
  – Avoid: VBX, EXE, ...
- Never send attachments from listservs
- Never open attachments from listservs
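The "display the extensions" advice matters because a worm's attachment name is chosen so that a client which hides the last extension shows a harmless-looking one. The following is an added example, not part of the deck and not code from any product named in it: a small attachment policy check written the way a mail gateway or client plug-in would apply it. The blocked and decoy extension sets are assumptions (the deck names only VBX and EXE), and the sample message is constructed for the demo, with its attachment name modelled on the ILOVEYOU double-extension trick.

```python
import email
import re
from email import policy

# Extensions this (assumed) policy treats as executable content. The deck names
# VBX and EXE; the rest are plausible additions, not the deck's own list.
BLOCKED_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr",
    "vbs", "vbe", "vbx", "js", "jse", "wsf", "wsh", "shs",
}

# Extensions that look harmless to a user; used to spot double extensions such
# as REPORT.TXT.vbs, where the harmless one is the decoy a hiding client shows.
DECOY_EXTENSIONS = {"txt", "doc", "xls", "jpg", "gif", "pdf", "htm", "html", "zip"}


def classify_filename(name):
    """Return the list of policy reasons for blocking an attachment filename.

    An empty list means the name passed the policy.
    """
    reasons = []
    stripped = name.strip()
    # A long run of spaces before the real extension pushes it off-screen in a
    # narrow attachment pane, so padding is itself a reason to flag the name.
    if re.search(r"\s{2,}", stripped):
        reasons.append("whitespace padding hides the real extension")
    parts = [p.lower() for p in re.sub(r"\s+", "", stripped).split(".")]
    if len(parts) < 2:
        return reasons  # no extension at all
    exts = parts[1:]
    last = exts[-1]
    if last in BLOCKED_EXTENSIONS:
        reasons.append(f"executable extension .{last}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension .{exts[-2]}.{last}")
    return reasons


def check_message(raw):
    """Parse an RFC 822 message and return {filename: reasons} for each
    attachment that violates the policy (body parts are skipped)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_filename(name)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample message for the demo (not a captured worm e-mail).
SAMPLE_MESSAGE = """\
From: [email protected]
To: [email protected]
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please see the attached files.
--XX
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: base64

aGVsbG8=
--XX
Content-Type: application/pdf; name="minutes.pdf"
Content-Disposition: attachment; filename="minutes.pdf"
Content-Transfer-Encoding: base64

aGVsbG8=
--XX--
"""

if __name__ == "__main__":
    for name, reasons in check_message(SAMPLE_MESSAGE).items():
        print(name, "->", "; ".join(reasons))
```

The check deliberately looks at the filename after collapsing whitespace, so both the double-extension and the padded-name variants reduce to the same `.txt.vbs` analysis; a real gateway would pair this with content inspection rather than trust the name alone.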

What users should do when a virus is found or suspected

- Notify the system administrator
- Don't panic
- Don't restart the computer
- Don't send spam e-mail warnings

Technical solutions

Implement a multi-layer approach:
- Desktop: dynamic inspection, regular scanning
- Network server
- Mail scanning/interception

Anti-virus Architecture

[Diagram; labels only survive: INTERNET, Firewall, Local Network; Mail Server (Mail Scanning); File Server (File Scanning); Desktop Computers (Dynamic Scan-on-access, Regular scanning of Disks); Current Virus Signatures]

Desktop layer

- Inspect files on access
- Regularly scan all permanent disks
- Scan all removable media with each use
- Regularly update the virus signature database

Desktop anti-virus software

- Norton AntiVirus
- McAfee ActiveShield
- Command AntiVirus (was F-Prot)
- Data Fellows F-Secure
- Dr. Solomon's Anti-Virus

Network fileserver layer

- Regularly scan all disk volumes
- Shared folders are easily missed by desktop scanning

E-mail scanning

- Inspect incoming messages
- Inspect outgoing messages
- Inspect messages from one local user to another within the mail system

E-mail scanning software

- Trend Micro VirusWall
- Sybari Antigen

Virus signature database

- The key to the current generation of anti-virus software
- Must be current
- Can't be current enough

Firewalls

- Part of a general computer security plan, but also helpful with viruses
- Institutional firewalls are imperative
  – CheckPoint FireWall-1
- Consider personal/workstation-level firewalls
  – BlackICE
  – ZoneAlarm

What software should do when it detects a virus

- Clean the file/message when possible
- Remove it if it can't be cleaned
- Warn the system administrator
- Warn the recipient
- Warn the sender

Need to identify the signature of each virus

- Distinguish malicious items
- Original products scanned after the fact
- Scanning of files as they are accessed
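The three slides above (signature database must be current; clean, remove, warn; identify each virus by its signature) describe one decision procedure. The following added example, which is not code from the deck or from any scanner it lists, puts that procedure into a single function so the policy can be read and tested: a byte-pattern signature scan, a freshness check on the database, and the clean/remove/notify response. The two signatures are constructed demo patterns, not real virus signatures, and the seven-day freshness limit is an assumed site policy.

```python
import datetime as dt
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Signature:
    name: str
    pattern: bytes      # byte sequence that identifies the virus
    cleanable: bool     # True if stripping the pattern restores the carrier


@dataclass
class SignatureDatabase:
    updated: dt.date
    signatures: List[Signature]
    max_age_days: int = 7   # assumed site policy for "must be current"

    def age_days(self, today):
        return (today - self.updated).days

    def is_current(self, today):
        return self.age_days(today) <= self.max_age_days


# Constructed database for the demo: two made-up patterns, not real signatures.
DB = SignatureDatabase(
    updated=dt.date(2000, 5, 4),
    signatures=[
        Signature("Demo.Macro.A", b"Sub AutoOpen() 'DEMO-MACRO-A", cleanable=True),
        Signature("Demo.Worm.B", b"DEMO-WORM-B-MARKER", cleanable=False),
    ],
)


@dataclass
class Verdict:
    action: str                         # "pass", "clean" or "remove"
    virus: Optional[str] = None
    data: Optional[bytes] = None        # cleaned content, or None when removed
    notify: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def scan(data, db):
    """Signature scan: return the first Signature whose pattern occurs in data."""
    for sig in db.signatures:
        if sig.pattern in data:
            return sig
    return None


def handle_object(data, db, sender, recipient, today):
    """Apply the deck's response policy to one scanned file or message.

    A stale database does not stop the scan, but the verdict carries a warning
    so the administrator learns that the result is only as good as old data.
    """
    verdict = Verdict(action="pass", data=data)
    if not db.is_current(today):
        verdict.warnings.append(f"signature database is {db.age_days(today)} days old")
    sig = scan(data, db)
    if sig is None:
        return verdict
    verdict.virus = sig.name
    # Warn the administrator, the recipient and the sender, as the slide lists.
    verdict.notify = ["sysadmin", recipient, sender]
    if sig.cleanable:
        verdict.action = "clean"
        verdict.data = data.replace(sig.pattern, b"")   # keep the carrier file
    else:
        verdict.action = "remove"
        verdict.data = None                              # cannot be cleaned: drop it
    return verdict


if __name__ == "__main__":
    sample = b"Hello world." + b"Sub AutoOpen() 'DEMO-MACRO-A" + b" Meeting at noon."
    v = handle_object(sample, DB, "[email protected]", "[email protected]", dt.date(2000, 5, 6))
    print(v.action, v.virus, v.notify, v.warnings)
```

Treating "clean" as a plain byte removal is only honest for this toy model; real disinfection of a macro document or an infected executable is format-specific, which is exactly why the slide says to remove when cleaning is not possible.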

Mitigate vulnerability

- Avoid being logged in with workstation/network administrative rights
- Minimize the number of network drives mapped at any given time
  – Web document directories
  – shared network drives
- Turn off features not needed:
  – e.g. Windows Scripting Host from e-mail
  – Do we need support for VBX or JavaScript in e-mail?

Web-oriented vulnerabilities

- Java applets
- ActiveX

More advanced anti-virus software

- Rely less on specific virus signatures
- Rely more on trapping unwanted behaviour

Future expectations

- No end in sight
- The world is becoming more dangerous
- Enormous dependence on commercial anti-virus applications
- Future computer OSs will be designed to be less vulnerable...