Computer Viruses, Trojan Horses, and Other Destructive Programs


Computer viruses have been around for a long time. These are programs that travel from one computer to another, using various methods, such as programs that are not what they appear to be. Shareware downloaded from the Internet is a popular method for spreading virus code. You should strictly enforce a policy for any programs that are installed on any computer in your network. Even software applications from a known vendor should be tested vigorously in a laboratory setting before being deployed on host computers in the network. Shareware, of course, should be evaluated much more closely. Regardless of any policy you decide to implement, it should be clear that viruses are particularly dangerous and sometimes tricky to avoid. The use of antivirus software is a must and should be required protection on any size network where infiltration and data destruction are undesirable, and that includes just about every network, doesn't it?

Note

The term virus is used loosely in many publications, as well as within this book, and is meant to include Trojan horses, worms, and other software that can damage your network or data. However, there are some distinctions that will be detailed in the following sections. Keep in mind that the use of antivirus software applies to all types of malicious code and must be regularly updated due to the wide variety of offending programs and the regularity with which they are created and spread.


Trojan horses are programs that an intruder plants on one or more servers in your network. If you have these types of programs, they can be difficult to detect, because many use the same filename as a file that is already part of your operating system or application software. The Trojan horse program is activated by some specific event, such as the arrival of a certain date, or by a user running a program that has been replaced by the Trojan horse. This latter tactic is very popular. Some programs are not what they appear to be.

Worms are usually considered to be self-propagating programs that travel through email as well as by other means. A worm will replicate itself by sending copies of the software to all or most of the addresses in your email address book. A worm travels through the Internet very quickly because of this aspect of its replication. The solution? Don't open email attachments unless you have a good antivirus program (which you have kept up-to-date). After you open an email that contains a worm virus, all heck can break loose, and the friends in your address book will not be inclined to think very well of you!

Other types of destructive programs can attack your network. This is the case in a denial-of-service attack. The perpetrators never have to intrude into your network. Instead, they use one of several methods (which we'll talk about in just a minute) to send massive amounts of network traffic to your network router or server. The server or router becomes overwhelmed and can no longer operate efficiently. Other denial-of-service attacks target specific resources, such as servers or applications.

Trojan Horse Programs

Trojan horses are programs that are planted somewhere in your network to wait for a signal before springing into action. After hackers have gained entry to a server in your network, they can easily plant a program and then run the program, at a time they choose. The program can listen on a selected port waiting for a signal. The program can wait until a certain time has passed. Many methods are used to trigger such a program.

When the signal or time comes, the Trojan horse does its destructive chores. One of the most common techniques for hiding these programs is to give them the same name as some other common program on the computer. Indeed, some Trojan horses are nothing more than modified versions of a standard operating-system file. So what appears to be one thing might be something entirely different. As mentioned earlier, a Trojan horse program also can be activated by other means. The main difference between a Trojan horse program (or a worm) and a computer virus is that the virus is usually activated, does its damage, and then attempts to replicate itself by some means, such as mailing itself to everyone in your address book. Trojan horses are more like bombs waiting to go off.

Computer Viruses

Computer viruses come in all sorts of variations. They have been wreaking havoc on computers even before the Internet became commercial. Before the Internet exploded into the large network it is today, bulletin board services were a popular method for exchanging files, such as shareware programs.

A virus program usually is distinguished by two features. First, the virus replicates itself so that it can be spread to other computers. The method of transport can be a floppy disk that has had its boot sector code modified, or it can be a macrovirus that comes as part of an email attachment that uses the Internet email system to move about. Second, a virus usually is created to do something destructive, such as wiping out the contents of a hard disk or damaging some other system resource. However, this second feature is not always present in a computer virus. Some viruses simply display a silly message on the screen to let the user know he's been hit, and then they do no further damage.

Another thing to keep in mind is that a virus has two functions. First, it needs to be transported to another computer to infect. Second, it requires a mechanism to affect the system. In many cases these are implemented as two separate functions. The transport mechanism does just what it says: It finds a method (such as email) to get the entire virus package to another system (such as by using your address book to email itself to others). Then another part of the virus performs some action on your computer. This can range from a malicious action, such as deleting files, to an innocuous one, such as simply presenting a funny message on your screen. The important thing to remember is that viruses are becoming similar to worms, in that they provide a mechanism to propagate themselves, as well as to cause harm to your computer or network.

Now it seems that most viruses are destructive, so you should always use antivirus software on computers in your network. Although deploying an antivirus application on several hundred or several thousand computers can be expensive, especially when you consider that you also must pay for updates from the vendor, the amount of damage viruses can cause if you do get hit greatly justifies this cost. In an enterprise environment you can usually get a large discount for antivirus software. For some packages, you can simply purchase one copy for a small network, and then create file shares for each disk on a computer and configure the antivirus software to check all disks as well as file shares.

Many small network operators install a good antivirus software package and schedule the software to run on an infrequent basis, such as once weekly. If you are using the software for a home environment where the loss of data is insignificant, that might be a good solution, especially if you have a slow Internet connection. However, if you are operating a business from home (SOHO), I suggest that you run the antivirus software daily. You can schedule most products to run at night when you are not using the network. I also recommend that you use any update software on the same daily basis. Viruses are not picky; they don't appear on the Internet on just a weekly basis. They can find their way into your network anytime, even on a daily basis. If you schedule software updates and virus scans to run at off-peak hours for your network, you might just find that you have avoided the latest, greatest new virus.

Tip

Can't decide which antivirus software to buy? Visit www.symantec.com and click on Download. There are several products you can download and use for a 15-day trial period. You'll find here a trial version of Norton antivirus software. You can also download a trial version of McAfee's VirusScan software at www.mcafee.com. Click on Download, and then the Evaluate button next to the product version you want to evaluate. These are the two most popular products sold in computer stores today. A quick search of the Internet will bring up many more antivirus software packages. Two important factors for most software applications are ease-of-use and support. Consider support to be the most important factor when choosing an antivirus product. The company should be one you can contact via the telephone should an emergency arise, and one whose product enables you to download updates frequently.


How Infections Occur

Viruses and other computer maladies can travel through various routes to get to your computer. One of the most common methods is through the use of email. How many times did you hear on the news last year, "Don't open the attachment if the subject line says..."? Because of the macro capabilities and newer features of modern email clients, it is easy to trick users into launching a program without realizing what they are doing. Many email macroviruses that you receive go through your address book first and mail a copy of themselves to all your friends. Then they go about doing their dirty work on your system. So, as a method of transport, email can be a very lucrative path for a virus to take. If an email offers a link that appears to lead to something that is just too good to be true, it probably isn't true. The old saying "There ain't no such thing as a free lunch" applies here. Anyone who has been on the Internet for a month or more will start receiving spam messages. Although most of these are harmless and can be deleted and ignored, there are always those that just seem to tempt the user in such a way that it must be further pursued. There are many companies that offer antispam software.

Tip

Many good antivirus software products on the market today not only can check the files on your computer's disk drives, but also can intercept incoming emails and flag them as candidates for viruses. For example, Norton AntiVirus will query you to "quarantine" a suspect email attachment. You can view it later to decide whether it is actually a virus, or an attachment you need to view. Many products even can warn you if you try to copy a file from a floppy disk to your system. When purchasing an antivirus product, be absolutely sure to define what your needs are, and determine whether they can be met by the software you purchase.


If you set a policy to prevent users from making use of company email for personal purposes, you can prevent a lot of this spam. In this way you also might be able to keep harmful emails from causing you a problem in the first place. Many modern email servers can be configured to check for attachments and prevent suspect attachments from being delivered to the end user. Even Microsoft Outlook Express enables you to set a security level to protect against this threat if your firewall does not. Yet this functionality is usually based on a good antivirus program associated with the email server or firewall, or a content filter that screens known suspicious content.
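
As an illustration of the attachment check a mail server or content filter can apply before delivery, the following added example (not from the book) parses a message with Python's standard email library and flags attachments by filename. The extension lists and the sample message are assumptions constructed for this sketch.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
import os

# Assumed policy lists for this example; tune them to your own site policy.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify(filename):
    """Return the reasons (possibly none) an attachment name is suspect."""
    reasons = []
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)
    if ext in BLOCKED_EXT:
        reasons.append("executable type " + ext)
        # e.g. "invoice.pdf.exe": a document-looking name hiding a program
        if os.path.splitext(stem)[1] in DOC_EXT:
            reasons.append("double extension")
    if ext in MACRO_EXT:
        reasons.append("macro-enabled document")
    return reasons


def screen(raw_bytes):
    """Parse a raw message and map each suspect attachment to its reasons."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    verdict = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        reasons = classify(fname)
        if reasons:
            verdict[fname] = reasons
    return verdict


def sample_message():
    """Constructed test message with one benign and two suspect attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Q3 files"
    msg.set_content("See attached.")
    for fname in ("report.pdf", "invoice.pdf.exe", "budget.docm"):
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    print(screen(sample_message()))
```

Filename screening is only a first layer, since a file can be renamed; it complements the antivirus or content scanning of the attachment bytes described above.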

Still other avenues into the systems on your network exist. For example, as discussed earlier, shareware, freeware, and other demo software downloadable from the Internet can seem a bargain at first. And maybe now and then you find a program that actually fits a business use. However, some programs contain viruses, and the writers of the viruses are just waiting for you to download the program and execute it. The results can show up right away or can be triggered by a signal, such as a certain date, before springing into action.

A good security policy for any site will require that users submit requests to a security team before using software that isn't currently approved. The security team can first run the program through standard antivirus software and otherwise evaluate the security potential of the program. Never allow users to bring floppy disks (or other removable media) from home. This should be spelled out clearly in your company's network security policy.

One of the most useful functions that antivirus software provides is the capability to update itself. For example, Norton antivirus software provides a Live Update function that downloads newer versions of the software components, as well as newer virus definitions. It is a good idea to use this function for a known antivirus vendor.

Yet, for other software vendors that provide the same functionality, can you trust this feature? When it comes to shareware programs, or other small vendors, be wary of automatic updates. If given the choice of whether to enable automatic downloads and installs, choose instead to review each download before installing it. In this manner you can experiment with the results of such an update in a laboratory setting before deploying it to your network clients.




Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2006
Pages: 411
