9.13 Use of Malicious Code or File Insertion in WLANs



When dealing with malicious code attacks, you should follow the incident response procedures established by your site security plan. There are, however, numerous special considerations for dealing with malicious code. The following procedures will facilitate efforts to deal with malicious code incidents. In the following sections, we look at virus incidents, macro viruses, worms, and Trojans [11]. It is important to note that these types of malware make no distinction between wired or wireless network victims.

9.13.1 Virus Incidents

A virus is self-replicating code that operates and spreads by modifying executable files. Provide your users with training concerning how viruses work and the procedures that limit the spread of viruses. Viruses are user-initiated and would pose virtually no threat if every user always followed sound procedures.

9.13.2 Macro Viruses

Macro viruses are a new breed of viruses that can use an application's macro programming language to self-replicate and distribute themselves. Unlike previous viruses, macro viruses do not infect programs; they infect documents. In order to defend against such virus attacks, it is imperative to obtain well-known antivirus tools and keep them updated as needed. A security team should encourage the use of such tools as soon as possible if they are not already in place. Remember, saboteurs and malicious code can modify any program to which they have write access, so ensure the integrity of any antivirus tool. A good technique is to keep at least one known good copy of antivirus software on a write-protected floppy disk.

Immediately discontinue using any computer that becomes infected by a virus. Leave the infected computer on and call technical support. Leave a quarantine sign on the computer screen to warn others not to use the computer. Do not attempt to eradicate the virus and restore the system without the assistance of a qualified technical support specialist. A computer security specialist or properly trained systems administrator should make a copy of any virus that has infected a computer before it is eradicated so that a cyberforensics support team and/or local security staff members can analyze it. Additionally, be sure that the virus is eradicated from all backup disks. Failure to clean backup disks is the major cause of reinfections.

9.13.3 Worms

Worms are self-contained, self-replicating code that is often capable of operating without modifying any software. Worms are best discovered by inspecting system processes. If an unfamiliar process (usually with a strange or unusual name) is running and consuming a large proportion of the available system processing capacity, it may indicate that the system has been attacked by a worm. Worms often write unusual messages to the display screen to indicate (or brag about) their presence. Messages from unknown users that ask you to copy an e-mail message to a file may also propagate worms. As a general rule, any such message in your inbox should be routinely deleted.

Worms propagate themselves over networks most of the time. They can spread very quickly and cause quite a bit of damage in a very short time. The Sobig.F worm was one of the fastest propagating worms known to date. If a worm is discovered, users should notify the system administrator or a technical support specialist immediately. Saving a copy of any worm code found on a system can considerably accelerate efforts to analyze and deal with the worm. Promptly killing a rogue process created by the worm minimizes the potential for further damage. If the worm is a network-based worm, technical support should disconnect any workstations or client machines that have been infected from the network until they are sure the contaminated devices have been properly cleaned. Security staff will also need to be briefed about any worm as soon as possible to minimize the impact of the worm.
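The process-inspection heuristic described in this section (an unfamiliar process name that is also consuming a large share of CPU), as an added example that is not from the book: it parses constructed `ps aux`-style output, compares each process name against a hypothetical known-good baseline, and reports only processes that show both warning signs. The baseline set, the CPU threshold and the sample listing are assumptions.

```python
from dataclasses import dataclass

# Hypothetical known-good process inventory for this workstation (assumption;
# in practice it is built from a clean baseline of the host).
BASELINE = {"init", "sshd", "bash", "cron", "outlook.exe", "explorer.exe"}

# Share of CPU above which an unfamiliar process is treated as suspicious (assumption).
CPU_THRESHOLD = 40.0


@dataclass
class Proc:
    user: str
    pid: int
    cpu: float
    name: str


def parse_ps(text):
    """Parse `ps aux`-style output (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND)."""
    procs = []
    for line in text.strip().splitlines()[1:]:  # first line is the column header
        fields = line.split(None, 10)  # COMMAND may contain spaces; keep it whole
        if len(fields) < 11:
            continue
        exe = fields[10].split()[0]      # drop command-line arguments
        name = exe.rsplit("/", 1)[-1]    # drop the directory part
        procs.append(Proc(fields[0], int(fields[1]), float(fields[2]), name))
    return procs


def triage(procs, baseline=BASELINE, threshold=CPU_THRESHOLD):
    """Return processes that match both warning signs: unfamiliar name and heavy CPU use."""
    return [p for p in procs if p.name not in baseline and p.cpu >= threshold]


# Constructed sample listing; PID 1337 shows the odd name and the CPU load the text describes.
SAMPLE_PS = """\
USER  PID %CPU %MEM   VSZ   RSS TTY STAT START TIME COMMAND
root    1  0.0  0.1  1000   500 ?   Ss   10:00 0:01 /sbin/init
root  611  0.0  0.2  5000  1200 ?   Ss   10:00 0:00 /usr/sbin/sshd -D
alice 842  1.5  2.0 20000  8000 ?   S    10:01 0:02 /bin/bash
alice 1337 87.3 3.5 90000 20000 ?   R    10:05 4:12 /tmp/.x9k2q --scan
"""

if __name__ == "__main__":
    for p in triage(parse_ps(SAMPLE_PS)):
        print(f"SUSPECT pid={p.pid} user={p.user} cpu={p.cpu}% name={p.name}")
```

A flagged process is a lead for the administrator to preserve a copy of the binary and stop the process, as the section advises, not proof of a worm on its own.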

9.13.4 Trojan Horses

Trojan horse programs are hidden programs, often with a nefarious purpose. Most malicious code is really a variant of a Trojan horse program in some way or another. A virus that disguises its presence and then executes later is technically a Trojan horse program to some degree because the virus is hidden for part of its life cycle. Trojan horse programs are often designed to trick users into copying and executing them. Several years ago, for example, someone stood outside the location of a technical trade fair and handed out free diskettes to anyone who would take them. Although the program was supposed to determine the chances of contracting the AIDS virus, users who loaded and executed the program found that the program damaged the hard disk. Other instances include the use of hidden modem dialers that connect to remote servers and allow unauthorized activities to take place, such as providing an open connection to the Internet from someplace with outrageous phone charges, while the user thinks the modem has dialed a local point-of-presence (POP) number.

The best way to avoid Trojan horse programs is to be very cautious and discriminating about using any new software that is obtained, especially from people you do not know. Be especially suspicious of Internet downloads, some of which may contain Trojan horse programs. If there is any doubt about the authenticity or functionality of a software program, take it to your local systems administrator or security engineer. He or she can analyze it and determine whether the program contains any Trojan horse code. If it is discovered that a Trojan horse program has damaged or otherwise infected a system, leave the system alone and contact the system administrator or technical support specialist. Leaving a quarantine sign on the system is a wise procedure to prevent reuse of the system until it has been cleaned. It is usually very easy to eradicate a Trojan horse program by simply deleting it. Ensure that a copy of the Trojan horse program is saved (on a specially marked diskette used only for this purpose) and given to the organization's security staff before the program is deleted from the affected system.

9.13.5 Spyware

Another distinct, and relatively new, type of malware is spyware. Spyware is Internet jargon for advertising-supported software (a.k.a. Adware). It is a way for shareware authors to make money from a product other than by selling it to the users. Several large media companies ask the shareware authors to place banner ads in their products in exchange for a portion of the revenue from banner sales. You don't have to pay for the software, and the developers still get paid for their work. Although the banners are annoying, sometimes there is an option to remove them by paying a licensing fee. Spyware typically comes as a multifeatured software package that can capture instant messenger traffic, e-mail traffic, Web site traffic and sites visited, keystrokes, and passwords.

Spyware can also be installed surreptitiously without an install dialog. It can automatically generate and publish Web-based (HTTP) reports. When combined with other utilities, spyware can push itself to unsuspecting hosts and remotely execute and control them, thereby becoming a powerful tool for collecting information. An adversary can collect data by simply pointing his or her Web browser to the authorized user's IP address and a port number that has already been identified by the spyware. Spyware is often not detected as a virus because spyware is an installed application that looks like any other authorized program. For this reason, programs have been developed that act like virus scanners but are specific to hunting down spyware. One of the more popular antispyware applications is NetCop [12]. In many cases, the most effective way to prevent malware from entering a wireless network is through the use of personal firewalls. Some of the more popular personal firewalls are ZoneAlarm Pro, BlackICE Defender, and Tiny Software Personal Firewall.

9.13.6 Placement of Illegal Content

It is a common practice for members of software piracy groups to use open FTP servers on the Internet to store pirated software and illegally copied media such as songs (stored as MP3 files). The situation could become even more prevalent on wireless networks with intruders using an open wireless network to store many gigabytes of copyrighted software.




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153
