project on virus

Upload: ritu-walia

Post on 09-Apr-2018


8/7/2019 Project on Virus

What is a computer virus?

A computer virus is a small software program that spreads from one computer to another computer and that interferes with computer operation. A computer virus may corrupt or delete data on a computer, use an e-mail program to spread the virus to other computers, or even delete everything on the hard disk.

Computer viruses are most easily spread by attachments in e-mail messages or by instant messaging messages. Therefore, you must never open an e-mail attachment unless you know who sent the message or unless you are expecting the e-mail attachment. Computer viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Computer viruses also spread by using downloads on the Internet. Computer viruses can be hidden in pirated software or in other files or programs that you may download.

Symptoms of a computer virus

If you suspect or confirm that your computer is infected with a computer virus, obtain the current antivirus software. The following are some primary indicators that a computer may be infected:

- The computer runs slower than usual.
- The computer stops responding, or it locks up frequently.
- The computer crashes, and then it restarts every few minutes.
- The computer restarts on its own. Additionally, the computer does not run as usual.
- Applications on the computer do not work correctly.
- Disks or disk drives are inaccessible.
- You cannot print items correctly.
- You see unusual error messages.
- You see distorted menus and dialog boxes.
- There is a double extension on an attachment that you recently opened, such as a .jpg, .vbs, .gif, or .exe extension.
- An antivirus program is disabled for no reason. Additionally, the antivirus program cannot be restarted.
- An antivirus program cannot be installed on the computer, or the antivirus program will not run.
- New icons appear on the desktop that you did not put there, or the icons are not associated with any recently installed programs.
- Strange sounds or music plays from the speakers unexpectedly.
- A program disappears from the computer even though you did not intentionally remove the program.

Note: These are common signs of infection. However, these signs may also be caused by hardware or software problems that have nothing to do with a computer virus. Unless you run the Microsoft Malicious Software Removal Tool, and then you install industry-standard, up-to-date antivirus software on your computer, you cannot be certain whether a computer is infected with a computer virus or not.

Symptoms of worms and trojan horse viruses in e-mail messages

When a computer virus infects e-mail messages or infects other files on a computer, you may notice the following symptoms:

- The infected file may make copies of itself. This behavior may use up all the free space on the hard disk.
- A copy of the infected file may be sent to all the addresses in an e-mail address list.
- The computer virus may reformat the hard disk. This behavior will delete files and programs.
- The computer virus may install hidden programs, such as pirated software. This pirated software may then be distributed and sold from the computer.
- The computer virus may reduce security. This could enable intruders to remotely access the computer or the network.
- You receive an e-mail message that has a strange attachment. When you open the attachment, dialog boxes appear, or a sudden degradation in system performance occurs.
- Someone tells you that they have recently received e-mail messages from you that contained attached files that you did not send. The files that are attached to the e-mail messages have extensions such as .exe, .bat, .scr, and .vbs.

Symptoms that may be the result of ordinary Windows functions

A computer virus infection may cause the following problems:

- Windows does not start even though you have not made any system changes or even though you have not installed or removed any programs.
- There is frequent modem activity. If you have an external modem, you may notice the lights blinking frequently when the modem is not being used. You may be unknowingly supplying pirated software.
- Windows does not start because certain important system files are missing. Additionally, you receive an error message that lists the missing files.
- The computer sometimes starts as expected. However, at other times, the computer stops responding before the desktop icons and the taskbar appear.
- The computer runs very slowly. Additionally, the computer takes longer than expected to start.
- You receive out-of-memory error messages even though the computer has sufficient RAM.
- New programs are installed incorrectly.
- Windows spontaneously restarts unexpectedly.
- Programs that used to run stop responding frequently. Even if you remove and reinstall the programs, the issue continues to occur.
- A disk utility such as Scandisk reports multiple serious disk errors.
- A partition disappears.
- The computer always stops responding when you try to use Microsoft Office products.
- You cannot start Windows Task Manager.
- Antivirus software indicates that a computer virus is present.

The popularity of the internet and the steady adoption of always-on broadband technologies have allowed malicious threats to spread quickly. Now more than ever, it's important to effectively and efficiently defend every computer in an organization against Trojans, viruses and worms.

Introduction to malware, trojans, viruses, worms and other threats

When you know what threats you face, you can determine which proactive measures to take. During the past decade or so, viruses have become increasingly sophisticated. At the same time, the internet's ever-growing popularity and the steady adoption of always-on broadband technologies have made it possible for viruses to spread more quickly than has ever been possible in the past. Now more than ever, it's important to defend every computer in an organization against viruses in the most effective manner possible.

A virus, at the most basic level, is a small piece of software that causes unexpected activities or actions on computer systems. A virus is an executable program, often just a script that relies on another application sure to be running on a computer, like the macro viruses that infect Microsoft Word. Like a biological virus, a computer virus replicates quickly. A virus lives to create more viruses, and its secondary purpose is to do some damage or cause embarrassment.

A virus cannot infect computer data because data files are not executed. Users sometimes believe that document files carry viruses, but the macro code hidden inside those files is actually the culprit.

Viruses vary, but almost all have three parts:

- Replicator: The code concerned with replication creates copies of the virus. If the virus does nothing beyond this, it remains an irritation but does not cause damage beyond consuming disk space, CPU (central processing unit) time, and bandwidth.
- Concealer: Concealment promotes the virus from being an irritation to being a real problem. Viruses that take the trouble to hide generally plan to cause more damage. Viruses began hiding in boot sectors -- that is, code files that are activated when the computer starts up -- early in virus history, and this can cause serious frustration. But viruses also use other tricks, such as morphing, overwriting, and nonoverwriting.
- Payload: The payload delivers the pain in a virus to the end user. If the user is lucky, a message appears, essentially laughing at the user's inability to protect his or her computer. If the user is unlucky, the virus causes commands to execute, files to be trashed, data to be captured and sent to outsiders, or hard drives to be completely reformatted.

Types of Viruses

Macro viruses

Most users are wary of unverified and unscreened .doc files because they can carry viruses. A user doesn't energize a virus by opening and reading the .doc file but by executing macros included in that file. Macro viruses take advantage of the fact that Microsoft chose to enhance integration across its Microsoft Office component applications by creating a method for Visual Basic routines to execute inside Microsoft Word. Clever corporate developers weave magical applications that flit in and out of desktop Word and Excel files while tying them all to large databases. Clever virus developers follow gleefully behind, tying desktops in knots.

The vast majority of viruses causing corporate grief today are macro viruses. More than 73,000 viruses have been cataloged, and approximately 99 percent of them derive from one of a few hundred foundation viruses. The majority of those, 75 percent or more, depending on the reference source, are macro viruses.

Polymorphic Virus

A polymorphic virus aggravates people until the tracking tools become refined enough to catch it. Hackers now circulate programming tools that convert standard viruses into polymorphic viruses.

Stealth viruses

A sneaky way for a virus to remain undetected is to actually hide where it exists in your computer memory or on the hard drive. It may do this by coopting a function, such as examining memory locations or physical locations on the disk drive. When antivirus programs or other tools search these locations, the stealth virus redirects them to the original code, which was copied during the infestation. The original code doesn't have a virus, so the antivirus software reports that all is well. Still hidden thanks to the redirection ruse, the stealth virus remains and continues to infest the computer.

Stealth viruses, which intercept and redirect complete DOS calls to read the hard drive sectors, must be fairly large. To avoid detection, they report false file sizes so changes in executable files remain hidden.

Boot viruses

In today's world of hard disk drive boot processes, the MBR (master boot record) is a target for virus writers. Because a boot virus grabs control of the system early in the boot process, it can do great damage and remain hidden.

Any disruption of the MBR turns your hard disk into a paperweight, and even reformatting the drive can't get all the boot sector virus types still in the wild.

Email viruses

Because the majority of viruses are spread via email in some form or fashion, there really isn't a pure email virus limited to email transmission. However, users forever fall into the trap of opening files attached to emails, making this category a necessary one.

An executable file attached to an email wreaks havoc almost instantly after someone clicks and opens it. You can yell all you want about not opening attached files, but users often either forget the warnings or get fooled.

Miscreants are getting more adept at hiding their executable email attachments. One of the early tricks was to show an extension on an attached file that indicates a non-executable file, such as .txt or .doc, and trusting that the user hadn't changed the Microsoft Windows default of hiding extensions. A .txt file appears in the display, but when the user clicks to open it, the real extension, .exe, kicks in and starts the devastation. Today, virus attachments sometimes have a .vbs extension for Visual Basic because many users don't recognize that extension. They also sometimes have the obscure .shs extension, for Windows OLE (object linking and embedding) scrap files. Some cleverly include an .lnk extension to trick the user to click the link file and launch the .exe application described within.

Viruses are a tricky group of malicious software. There's more than one way to contract a virus, and there's more than one way for a virus to make your life miserable. However, viruses aren't the only threat out there. On the next page, you'll learn about a type of malicious software called worms. These nasty little bugs can quickly become major headaches, so keep reading to learn more about how they work.

Malware

Malware refers to any malicious, unexpected, or parasitic macros, code, or applications. It is sometimes difficult to classify code as strictly a virus, worm, or Trojan -- and it often doesn't matter which particular variety you're dealing with. The term malware is therefore used as a generic term for any malicious software.

Worms: a self-replicating threat

Worms are a malware threat that can create havoc if given enough wiggle room. Worm writers have become clever. The Bigtime Worm -- SoBig.f -- created internet chaos and spread worldwide in a few short minutes. It hit the internet with the devastation of a category 5 hurricane slamming into the coastline. And when something hits like a hurricane, firewalls and other barriers quickly blow away. Worms are different from viruses because worms are self-replicating, and they don't have to be attached to a document or another file created by an outside user. Worms can send themselves, quickly and quietly, to everyone in an email contact list.

As with viruses, internet email carries the freight for worms. In addition, worms such as SoBig.f can work across Windows-based network shared disk access and carry their own email-sending server software. Also like viruses, worms take advantage of a built-in Microsoft feature: In this case, they exploit the handy ability Microsoft gives developers to allow applications to read and write a user's address book and launch new email messages. Microsoft has addressed these issues in newer versions of its applications, however, making the worm writer's job more difficult.

Original worms replicated themselves until the host system's memory or hard disk space (or both) was filled with worm copies. Today, we can look back at that type of worm with warm nostalgia. New worms are likely to explode across the internet while disabling security programs in infected systems.

Good worms

Programs that coordinate large numbers of connected systems by putting and getting data points for individual processing are, technically, worms. In fact, interactive technologies such as IRC (Internet Relay Chat) could be called worms in some odd definitions.

The first and therefore most famous good worm is the SETI (Search for Extraterrestrial Intelligence) project. Millions of computer users, through the SETI screensaver, agreed to let the SETI group parse radio antenna data for intelligent signals. (Other groups are doing the same type of operation in their quest for drug development and the like.) Each user agreed to make his or her system a host for this worm, which comes and goes with data, without interaction from the user. We call this version a good worm because people agreed to host the application on their systems and allow data collection and transmission automatically.

But many worms are not good and in fact can create havoc in a matter of minutes. Oftentimes, worms overwhelm email servers and choke bandwidth rather than trashing hard disks or corrupting files. Some worms double the number of infected systems every minute (yes, every minute), so a worm with a destructive payload could do great damage. When you read headlines saying that major Fortune 500 companies are paralyzed because a worm infestation clogged their email servers, it's not a stretch to think that the next attack could format the majority of desktop-housed hard disks.

However, viruses and worms aren't the only threats you need to worry about. Another threat, called a Trojan, can be equally devastating. On the next page, you'll learn more about what Trojans are and how they can affect your computers and your network.

After fighting with the Trojans for years, the ancient Greeks built a giant wooden horse and offered it to the Trojans as a peace offering. The Trojans didn't know, however, that the Trojan Horse held hidden Greek soldiers. The Trojans allowed the horse to be brought inside the fortified city walls and began to celebrate. While the Trojans were sleeping off the party, the Greek soldiers crawled out of the horse and captured the city. Trojans that infect your computer work the same way as the Trojan Horse: They sneak in and catch you unaware. By the time you know there's something wrong, the damage is already done, and it's usually not reversible.

Trojan horse worms

A Trojan horse application actively emails copies of itself to addresses found on infected computers. Often using the lure of an adult picture, a Trojan becomes a virus in horse's clothing. Users may never get wise to worms and viruses sending them malware from the infected computers of their friends. Because Trojans can beat antivirus program checks while masquerading as standard services, email attachments are assumed safe.

Trojans triggering DDoS attacks

Some Trojan horse programs don't attempt any mischief until triggered to launch DDoS attacks on specific targets. By launching these attacks from thousands of computers on thousands of access points around the internet, the attackers were more successful than they had been by using one or two hidden sources for DDoS attacks. Trojan horse malware offers great advantages to evildoers. The programs can be distributed in a number of ways and can self-distribute via the worm modifications. As if viruses, worms, and Trojans weren't enough, we also need to protect against spyware, which is discussed next.

Spyware: a quiet, dangerous threat

Like Trojan horse malware, spyware sends information out across the internet to some other location. However, spyware monitors user activity on the system, down to keystrokes typed, and then it sends this logged information to the originator. If the originator is a hacker, passwords, account numbers, and other secrets will be secrets no longer. Messages sent from spyware often escape undetected by using standard email processes. Users collect spyware from many places, especially websites. Spyware often hides in shareware applications that perform otherwise useful functions. Oftentimes, the originator of spyware is the company that owns the computer and employs the user. Legally, the company has a right to operate such software because everything the employee does as a matter of employment belongs to the company.

Although a company can monitor employees in this manner, it's not a good idea. When employees find out, they get angry. If the company monitors a nonemployee, such as a salesperson logging in to his or her own website for a price update, the company breaks the law by capturing that person's password. Besides these types of issues, having legitimate spyware on systems makes it difficult to find and expunge outside spyware. Spyware is becoming an increasingly dangerous threat. It's quiet, it's hard to detect, and the results can be devastating.

Understanding basic protections

With a thin client, all applications run on a server. If your company doesn't have a firewall, or multiple firewalls, you're in trouble. If your company doesn't search email attachments before they get to users, you're in trouble. Because you're taking this class, you may already know you're in trouble. Let's look at some of the basic things you must have to protect your company.

Implement firewalls

Notice that the heading is plural: You need multiple firewalls. Unless your company exists completely within four walls as a single-location entity with only one connection to the outside world, you need more than one firewall. Do not let anything or anyone bypass your firewall, no matter how trustworthy they swear they are. Nothing comes or goes from your company except through a firewall.

Scan email attachments

Much malware spreads via email attachments. Sometimes users can see these attachments, and sometimes they're cleverly hidden. You can't trust users to remember how to handle attachments. Your spam control software should offer virus checking of email attachments. If it doesn't, you should update your spam control software or buy separate attachment-scanning tools. Stopping spam helps stop virus attacks as well. If you don't have any type of spam control, you need to get some. Letting spam into your office means trusting your users to properly handle attachments and messages that have exploits hidden inside them. These are just the basics of security, but there's much more. No single protection technology can keep your organization safe. Instead, you need to have layers of security, each more difficult to bypass than the previous. On the next page, you'll learn about layering your security efforts.
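The attachment disguises described under Email viruses (a decoy .txt or .doc shown in front of the real .exe, and the .vbs, .shs and .lnk types) are exactly what an attachment-scanning gateway can catch by name before a user ever sees them. The following is an added example, not code from the original document: the extension lists come from the text, and the sample filenames are constructed.

```python
"""Attachment-name screening for a mail gateway.

Added example, not from the original document. The extension lists come
from the text (.exe, .bat, .scr, .vbs, .shs, .lnk as executable types;
.txt, .doc, .jpg, .gif as the harmless-looking decoys); the filenames in
SAMPLE_ATTACHMENTS are constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Attachment types the text names as executable or script content.
EXECUTABLE_EXTENSIONS = {"exe", "bat", "scr", "vbs", "shs", "lnk"}

# Harmless-looking types used as the visible part of a double extension.
DECOY_EXTENSIONS = {"txt", "doc", "jpg", "gif"}


@dataclass
class Verdict:
    filename: str
    risky: bool
    reason: str


def normalise(filename: str) -> str:
    """Keep only the final path component, lower-cased and trimmed."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().lower()


def displayed_with_hidden_extensions(filename: str) -> str:
    """What Explorer shows when 'hide extensions for known file types' is on:
    the last extension is dropped, so 'report.txt.exe' reads as 'report.txt'."""
    name = normalise(filename)
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in EXECUTABLE_EXTENSIONS | DECOY_EXTENSIONS else name


def screen_attachment(filename: str) -> Verdict:
    """Flag executable types and the decoy-before-real-extension disguise."""
    name = normalise(filename)
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(filename, False, "no extension")
    real_ext = parts[-1]
    # Inner extensions, with padding such as 'photo.jpg      .scr' collapsed.
    inner = [p.strip() for p in parts[1:-1]]
    if real_ext in EXECUTABLE_EXTENSIONS:
        decoys = [p for p in inner if p in DECOY_EXTENSIONS]
        if decoys:
            return Verdict(filename, True,
                           f"double extension: shows as .{decoys[-1]}, runs as .{real_ext}")
        return Verdict(filename, True, f"executable attachment type .{real_ext}")
    return Verdict(filename, False, f"non-executable type .{real_ext}")


def risky_attachments(filenames: list[str]) -> list[str]:
    """Return the subset of attachment names a gateway should quarantine."""
    return [f for f in filenames if screen_attachment(f).risky]


# Constructed sample attachment names for a demonstration run.
SAMPLE_ATTACHMENTS = [
    "quarterly-report.doc",
    "report.txt.exe",
    "photo.jpg      .scr",
    "C:\\Temp\\setup.EXE",
    "greeting-card.shs",
    "README",
]

if __name__ == "__main__":
    for f in SAMPLE_ATTACHMENTS:
        v = screen_attachment(f)
        print(f"{'QUARANTINE' if v.risky else 'pass      '}  {f!r}: {v.reason}")
```

A real gateway would check the content type as well as the name, since the name is attacker-controlled; this block only demonstrates the naming tricks the text lists.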

Secure firewalls

Early firewalls blocked most port numbers against outsiders and did little else. The world of firewalls has grown, matured, and grown some more. Firewalls today deserve their reputation as the first, and perhaps strongest, line of defense against malware. Early on, firewalls never checked the content going through them. As long as incoming packets matched requests, such as a web server response to a client request, and email came with a proper address, the firewall let the packet through. Today, with advanced firewall filtering and security functions, you can keep up to 90 percent of malware outside your network. Imagine that number again: You can eliminate 9 out of 10 problems by implementing a strong firewall with the proper configuration.

Implementing antispoofing

Spoofing occurs when an outsider modifies a packet header to make it appear as though the packet really came from inside the network. This can fool a firewall because the IP address has security clearance properties that allow it inside the network. You need to turn on antispoofing in your firewalls.
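The antispoofing rule described above, as an added example that is not part of the original document: a packet is judged by the interface it arrives on before its source address is allowed to earn any trust, so an outside packet claiming an inside address is dropped. The interface names ("wan", "lan") and address ranges are constructed for the demonstration.

```python
"""Anti-spoofing decision for a border firewall.

Added example, not from the original document. Interface names ("wan",
"lan") and the address ranges are constructed; the point is that a packet
arriving from outside with an inside source address is dropped before the
address-based trust rule the text describes ever sees it.
"""
from __future__ import annotations

import ipaddress

# Constructed: the organisation's internal address space.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Source addresses that are never legitimate on a packet from the internet.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n)
                      for n in ("127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def is_internal(src: str) -> bool:
    return in_any(ipaddress.ip_address(src), INTERNAL_NETWORKS)


def antispoof_check(ingress_iface: str, src: str) -> str:
    """Return 'drop' if the claimed source cannot legitimately arrive on this interface."""
    addr = ipaddress.ip_address(src)
    if ingress_iface == "wan":
        # Inside addresses and loopback/link-local/unspecified never come from the internet.
        if in_any(addr, INTERNAL_NETWORKS) or in_any(addr, NEVER_FROM_OUTSIDE):
            return "drop"
    elif ingress_iface == "lan":
        # Egress side: an inside host emitting an outside source address is spoofing too.
        if not in_any(addr, INTERNAL_NETWORKS):
            return "drop"
    return "pass"


def trust_rule(src: str) -> str:
    """The clearance rule the text describes: internal sources are accepted outright."""
    return "accept" if is_internal(src) else "inspect"


def firewall_decision(ingress_iface: str, src: str, antispoofing: bool = True) -> str:
    """Full path for one packet: anti-spoofing first (when enabled), then the trust rule."""
    if antispoofing and antispoof_check(ingress_iface, src) == "drop":
        return "drop"
    return trust_rule(src)


# Constructed packets: (ingress interface, claimed source address).
SAMPLE_PACKETS = [("wan", "10.1.2.3"), ("wan", "203.0.113.5"),
                  ("lan", "10.1.2.3"), ("lan", "203.0.113.5")]

if __name__ == "__main__":
    for iface, src in SAMPLE_PACKETS:
        print(f"{iface} {src:>14}  antispoofing off: {firewall_decision(iface, src, False):7}"
              f"  on: {firewall_decision(iface, src)}")
```

With antispoofing off, the first sample packet (an outside packet claiming 10.1.2.3) is accepted by the trust rule; with it on, the same packet is dropped.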

Clean up

You need to apply patches to your virus software, server software, and desktop software. Major vendors normally issue patches after a major outbreak just for this reason. You should also find and restore any damaged files and go through affected servers, especially email servers, and verify that email boxes and history files remain intact.

Debrief the team and affected users

Team members and power users can help you decipher what really happened and, possibly, why. You should discuss steps taken during the attack and rationally decide which steps helped and which hurt. Then you should do the same for your managers if they're not in the room.

Security tools and techniques

Protection products provide important tools to keep your computers free of security threats. But new types of malware arrive every day, so it's important to have the right products and keep them up to date.

Selecting antivirus protection

Antivirus software -- software that scans your computer, searching for telltale signs that a virus has either infiltrated your machine or is trying to infiltrate your machine -- is no longer just an option. Today, with the exponential growth of threats from viruses, it's a requirement. There are dozens of great antivirus programs on the market to choose from (and hundreds more that are so-so). So how do you know which antivirus program is right for you? There really is no easy answer to this question because each organization has different needs. One important consideration is how much your organization wants to spend. An organization may not care about the cost of antivirus software but want the program to protect every file during every movement. For a situation like this, several antivirus programs work well, including those from McAfee and Norton. However, those programs can be very expensive when you begin installing them on a corporate level.

McAfee offers complete protection packages for SMBs.

On the other hand, some organizations don't have the capital to sink into that type of protection, but they still want to be very well protected by their antivirus program. For such situations, an organization can turn to one of the host of free services that do a decent job of protecting all the computers on a network. If you choose to go the free route, you could potentially not have all the protection you need. A much better option is to choose one of the well-known antivirus programs and add to it services that you can afford. For example, with Norton AntiVirus, you can have just the basic antivirus scanning, or you can add everything from a firewall to spyware protection. You can start by adding the elements you can afford, and later, as more capital becomes available, you add additional services.

Update your software

An important issue with antivirus software is its timeliness. Viruses change daily. The big virus that everyone is fighting today will be a memory tomorrow, when it's replaced by something different. If you don't have a regular update service on your antivirus software, you may be protected today, but tomorrow you could be hit by the mother of all viruses.

All antivirus programs offer update packages. However, not all update packages are created equally. Some programs are updated on a fee basis so that the more you pay, the more frequently the antivirus definitions are updated. Other programs offer hourly, daily, or weekly updates. Which scenario is right for you depends on your business needs. If you have heavy internet or email traffic, you may prefer to have hourly or daily updates, but if the traffic outside your network isn't that high, you might be able to wait for weekly updates.

Try before you buy

Each antivirus program is different. If you perform an internet search for antivirus, you'll find a plethora of available programs. It's a great idea to take the time to go through the trial period with each antivirus program you think might meet your needs. This trial will let you see how easily the antivirus program integrates into your existing security structure as well as how difficult or easy it is to use. When you've completed the trial period for several products, you can make a final decision.

You need to take some time to find the antivirus program that works best for your organization. After you've found the right one, you should consider looking at other virus and malware protection technologies, such as scanning technologies that are more advanced than those included with most antivirus programs.

Exploring scanning technologies

Two common scanning techniques are the old standby signature scanning and the newer, more effective behavior-based virus detection. Signature-scanning techniques look for snippets or patterns of programming code that are unique to viruses and other malware. Behavior-based scanning works a little differently. Instead of looking for a design element such as code, behavior-based scanning looks at the way certain executable files make your computer behave. So, for example, if you install a small piece of code that doesn't contain a known signature, but it suddenly causes your email program to begin sending out thousands of emails, the behavior-based scanning tool will locate the problem more quickly than a signature-based scan might.

  • 8/7/2019 Project on Virus

    19/30

    19

• Scan for signatures

Early virus detection programs scanned files to find thousands of virus signatures used by viruses. Almost every program, virus or not, has some identifiable text inside its code. Searching for one of those known virus signatures was the method of choice in the early days of virus fighting. Such technology can still be used to detect simple viruses written using commonly available virus creation tools. Each virus creation application inserts known text into a virus; scanning software can find that code by comparing the contents of files against a known database of virus signatures. Weaknesses in the signature-scanning method abound, however. First, with new viruses, no history is available, so it's difficult to know which code snippets to look for and gather. Second, even when a new virus code signature is found, there's no guarantee that users have updated their signature files to include the new information. Polymorphic viruses mutate their code, and with it their signatures, to evade such filtering tools.

Unlike with signature scanning, with behavior-based tools there's no smoking gun to identify a virus as a known piece of malware. Heuristic scanning has the following advantages: it catches viruses before they're added to signature files; it can watch for malware activities such as replication; and heuristic scanners learn about viruses as they see more examples of them. Of course, heuristic scanners have some shortcomings. Compared to signature-scanning tools, they have the following disadvantages: they trigger more false alarms; they're more expensive; they require more system processing power; and they're slower when checking large numbers of files. No program can yet emulate the knowledge and experience of a well-trained virus detective. Scanners can only identify code they think will cause some problem, such as file access routines or code to create new files. Each instruction examined gets filed into a "possible virus code" or "innocent code" bucket. When the scanning finishes, the bucket with the most entries wins and makes the final recommendation.

A scanner application must decide whether file access or file creation is a result of virus activity or of general application functions. Suspect behavior and unknown code sequences trigger alarms in heuristic scanners. Some of these suspect files turn out to be innocent, of course, and cause false alarms. False alarms aren't good, but they're better than virus infections. In many ways, heuristic scanners follow the patterns of artificial intelligence software. They show great promise, but the reality has yet to catch up, and the programs are complex. Heuristic scanners improve with time and with each new code iteration. Most vendors offer configuration choices so you can adjust your alarm threshold when necessary, dialing back the sensitivity when you receive too many false alarms.
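The two techniques described above, as an added example that is not part of the original project: a toy Python scanner that first compares a file against a constructed signature database and then files each examined operation into the "possible virus code" or "innocent code" bucket, with an adjustable alarm threshold. The signature strings, operation names and sample files are all constructed for illustration and correspond to no real malware.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed signature database: the fixed text a hypothetical virus-creation
# kit stamps into every file it produces (labels invented for this example).
SIGNATURE_DB = {
    "toykit-stamp-v1": b"MADE-WITH-TOYKIT-1",
    "toykit-stamp-v2": b"MADE-WITH-TOYKIT-2",
}
# Heuristic buckets: operation names filed as "possible virus code" (file
# creation, self-replication, mailing) or as "innocent code".
SUSPECT_OPS = {"open_file_for_write", "create_file", "copy_self", "send_mail"}
INNOCENT_OPS = {"read_config", "draw_window", "print_page", "compute", "log"}

@dataclass
class Verdict:
    signature: Optional[str]  # name of the matching signature, if any
    suspect: int              # entries in the "possible virus code" bucket
    innocent: int             # entries in the "innocent code" bucket
    alarm: bool               # final recommendation

def signature_scan(content: bytes) -> Optional[str]:
    """Compare file contents against every entry in the signature database."""
    for name, sig in SIGNATURE_DB.items():
        if sig in content:
            return name
    return None

def heuristic_scan(ops: Iterable[str], threshold: float = 0.5):
    """File each examined operation into a bucket and decide by share.
    At the default threshold of 0.5 the bucket with the most entries wins;
    raising it dials back sensitivity when there are too many false alarms."""
    suspect = innocent = 0
    for op in ops:
        if op in SUSPECT_OPS:
            suspect += 1
        elif op in INNOCENT_OPS:
            innocent += 1
    total = suspect + innocent
    return suspect, innocent, total > 0 and suspect / total > threshold

def scan(content: bytes, ops: Iterable[str], threshold: float = 0.5) -> Verdict:
    """A signature hit is the smoking gun; otherwise fall back to heuristics."""
    sig = signature_scan(content)
    suspect, innocent, heuristic_alarm = heuristic_scan(ops, threshold)
    return Verdict(sig, suspect, innocent, sig is not None or heuristic_alarm)

if __name__ == "__main__":
    # Constructed samples: kit-built file, mutated (polymorphic) copy, installer.
    print(scan(b"hdr MADE-WITH-TOYKIT-1 body", ["copy_self"]))
    print(scan(b"hdr MADE-W1TH-T0YKIT-1 body",
               ["create_file", "copy_self", "send_mail", "log"]))
    installer = ["create_file", "open_file_for_write", "create_file",
                 "read_config", "draw_window"]
    print(scan(b"setup", installer), scan(b"setup", installer, threshold=0.75))
```

The mutated sample shows the polymorphic case: the signature scan misses it, but the replication and mailing behaviour still fills the suspect bucket, while the benign installer is a false alarm at the default threshold and is cleared once the threshold is raised.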

• Staying up to date

Scanning applications using signature scanning must include newly discovered virus patterns; therefore, you must keep those up to date. Heuristic-scanning tools gradually improve their capabilities for determining the difference between unseen code and potentially harmful virus code. Therefore, you must keep those programs up to date as well. Viruses change, as do antivirus measures, no matter whether they use signature scanning or heuristics. Try to get volume discounts with vendors that offer both virus and spam heuristics tools. In this way, you can leverage advances in heuristic scanning for both areas. Stopping spam also stops some viruses, so getting a volume discount by combining protection purposes makes sense. Remember that heuristic scanners catch unknown virus signatures, protecting you against new viruses as they appear in the wild. After they've been in the wild for a few weeks, your signature-scanning software database includes those new signatures. Lag times between identification via heuristic means, verification by antivirus vendors, and signature database updates shrink each month. So updating your signature file today may well protect you against the virus launched just last month and reaching your network tomorrow. You have antivirus software protecting you, a firewall in place, and antispyware technologies working overtime, so you're well protected, right? You may be, but even the most protected computer networks in the world fall victim to human error from time to time. Therefore, adding a layer of security at the email server level is essential, not optional.

• Protecting email servers and notebook computers

Many different types of programs are available to help protect email servers, including antivirus programs that include additional modules, firewalls, and other elements to help ensure that you're protected. If you use these programs, you don't waste program resources by trying to keep dozens of machines, or even your whole network, safe. It's to your advantage to develop close relationships with your vendors to help ensure your systems are protected and up to date. You shouldn't be afraid to lean on your vendors to do their job. You need to get your information and patches as regularly as possible. Once or twice a month is a patch. Once a quarter or longer is an upgrade, and chances are, the vendor will try to charge you for an upgrade. You need to get a vendor's updates as often as


completely rebuild servers to rid them of a pernicious virus. To reach far enough into the past to avoid reinfecting your systems with a dormant form of a virus, you need backups from multiple dates. For operating system file restorations, you should reach as far back as possible. The first backup after operating system installation or after the last service patch upgrade is your best bet. For applications, the first backup after verification of proper working order is a good one. When restoring after a virus attack, you need to consider your data. Even though data files, other than Microsoft Word and Excel, rarely get infected, you should still scan all data files for viruses and match your data to the application patch level. Making backups for your routers, switches, and network servers is critical. These systems can be destroyed during firewall probing and hacking, and you need them to be ready before you go back online. In addition to enlisting the support of vendors, getting training, and creating a backup and restoration plan, another important part of proactive protection is forming an action team, which is discussed on the next page.

• Assign responsibilities

In a malware crisis, dividing the jobs and conquering the virus should be your goal. Every infection requires work on multiple fronts. You therefore need to select team members to cover each technical issue you're likely to face, along with overlap to help or cover other areas, as needed. Figure 4-1 shows an example of a malware team structure.

Figure 4-1: Every level of the malware crisis team requires a manager or leader role.

Someone from the malware action team should be involved with your corporate efforts to block and control spam. Malware uses spam as a major transmission medium, so your team must be up to date on spam control technology in general and your company's efforts in particular. Outbreaks often create outgoing spam by grabbing addresses and spreading via email, so your spam control system may have to turn inward to block outgoing traffic as well. A member of the action team should also be involved with your backup procedures and plans for disaster recovery. Files need to be restored, ranging from a few infected DLL files to complete operating systems. Late at night during a crisis is no time to start learning the tape storage nomenclature for restoring files. At least one member of the action team needs to know the details of all backup and restoration procedures and systems.

Someone from the action team should have a library of rescue disks created and ready for use. Every operating system that clients, servers, and support systems use should have a rescue disk ready to go. Copies of the full operating systems for rebuilding systems are necessary as well, but the rescue disks come into play first. You must have a way to boot a system from a clean CD-ROM and start virus-cleaning operations. Having a rescue disk for each operating system is one good option. Having a generic boot, clean, and restoration disk for recovery situations is handy as well. After a system is booted cleanly, virus tools can be put to work.

A member of the action team should be responsible for personal support, including food and drink, during the emergency. Disaster planners sometimes go so far as to buy military MRE (meals ready to eat) packets, but that nourishment (hard to call it food) passes inspection only when there's a general disaster in the area. For a virus attack on your network, local pizza parlors and sandwich shops will still be open for business. Someone must plan ahead and build procedures for ordering and delivering food and drink during your virus exorcism. Yes, you can fight


• Operating system levels
• Patch levels
• New network devices
• Application upgrades
• New monitoring software
• New applications
• Directory structure

Any changes in these areas can create situations that look like virus attacks. Can't find a server? Maybe a virus clobbered your drivers. Or maybe a new DHCP (Dynamic Host Configuration Protocol) server isn't supplying the right name server IP address, leaving a few clients blind as they wander around the network. In most situations, thankfully, external breakouts elsewhere on the Internet reach you by news before an infected message gets through your defenses. When you can see the storm coming over the horizon, you can make a determination about whether it's hit you by looking for the expected signs of infection inside your network.

With internal malware problems, you get no warning. With problems that don't respond to normal troubleshooting processes and that start to multiply and spread across the network, you may need to sound the alarm. You should structure your responses so that you can call a halt to a virus response if you find out it's a false alarm. Just as a fire truck sometimes goes out but does not unroll the hoses and spray water, your team should be able to stop before going into full-fledged crisis mode.


• Unleash the malware action team

Management must be involved in the call to pull the malware action team into play. The team must have a clear mandate from management to start to work because the team's activities will be disruptive to many employees. Any time your network will be out of action for a time, you need management approval. You should work with your management liaison to determine when a problem has spread enough to warrant calling the malware action team. You should show your management champion evidence of serious infection by comparing the current situation to normal network activity. You're asking this executive to make a serious decision to commit plenty of company resources in a highly visible situation.

Many executives work hard to hide from tough decisions, so you need to train your executive proactively so you can get approval to start working before a problem spreads too far. How will you give out the call to put the malware action team into play? Email probably won't be the best choice because email systems are targets for viruses, and delivery can become unreliable. Phones will still work, and pagers will work if you don't rely on computer-based signaling systems or need a particular computer to send messages. Wireless connection quality will depend on what type of virus attack is under way and whether the wireless network components are involved. Having one method of calling the team isn't enough. You need to ensure that you have at least two contact methods for every action team member.

• Clean up and debrief

When a malware episode ends, your job continues. Someone must assess what happened and why it happened and must clean up the remaining damage. Before you dive into all that, however, you should rest for a day. The action team needs its own restoration and a chance to recover from the mental and physical exertion of reacting to the emergency. Tired teams do lousy work, but rested teams have a chance to mentally sift through the actions taken during the process. A period of reflection allows ideas to bubble up and puts the mess into perspective. A full investigation -- tracking the who, what, where, when, and why of the episode -- must be your first order of business when you reconvene the team.

Sometimes, an attack comes from a direction no one had ever considered, and no one can be blamed for the mess. More often, however, some level of human error caused the problem. In such a situation, you may know who to blame, and you might want to hang the offending person in the public square to make an example for the others. You shouldn't do that, even though you think it might make you feel better. Placing blame will get you nowhere, but doing a full investigation and recommending security improvements can help you avoid a similar situation in the future.

After the team has gathered, discussed, and prioritized improvements, it needs to implement them. Good ideas on paper don't protect systems from viruses; good ideas put to work on your network do. After a crisis, you need to amend your proactive virus protection activities. You need to patch new holes and then watch them. You also need to manage new vendors to improve their patch delivery. Finally, you must retrain new users (and retrain them again, if necessary) to prevent future mistakes. If your action team and accompanying plan don't get larger with each episode, something is not right. However, at some point, you may get everything automated to the point where you're sliding down the backside of the learning curve and have your network protected as well as possible.

You've proactively planned for every possible malware attack, and you've implemented all the protection techniques you can. But you're still at the mercy of a dangerous security threat: the humans who use your network.

• Understanding the human element

The old joke saying "user is a four-letter word" exemplifies the situation between security administrators and normal users. On one hand, a network exists to serve the connected users, not vice versa. Without users, there's no reason for a network. On the other hand, user actions cause more anguish to IT support people than almost anything else. Users may not care about directory services, RAID (redundant array of inexpensive disks) level 5, or blocking firewall ports used by IM (instant messaging), but they do care about their files. And they know that viruses can cause their hard disks to melt into molten aluminum, drip out of their computer cases, and pool on the floor. Or at least they know that virus infections can cause their computers to act even stranger than normal.

• Virus protection training and reminders

Every training opportunity needs to include a reminder about virus protection processes. During company operating system or new application training, you should distribute your organization's official virus protection guidelines. You can also add a virus reminder page to a vendor training packet and put virus warnings and security steps on the company's intranet. You should take advantage of many opportunities to get your messages across. If possible, you should schedule special security and virus protection classes for every employee. If you can't cover everyone, you should create a half-day training class for all department managers and power users. The more they know, the more they can help teach their users and coworkers.

List of Top 10 Antivirus of 2011

1. Bit Defender Antivirus 2011
2. Norton Antivirus 2011
3. F-Secure Antivirus 2011
4. ESET NOD32 Antivirus 4
5. Kaspersky Antivirus 2011
6. TrendMicro Antivirus 2011
7. Panda Antivirus 2011
8. AVG Antivirus 2011
9. ZoneAlarm Antivirus 2011
10. G Data Antivirus 2011