Malicious Code


Criminals exist in every walk of life, including the computing world. An unfortunately large number of malicious pieces of code are floating around in the world, ready to seize control of, and potentially damage the data on, your computer. These malicious programs are often spread through messaging systems, either directly in mail messages themselves or as attachments contained in messages. As you'll see in Chapter 13, "Securing Outlook," there are a number of built-in Exchange and Microsoft Outlook features that allow you to limit the spread of these malicious programs, and there are many other remedial measures that you can take as well. It's useful to understand a bit about how these programs work and what kind of threat they pose.

Types of Malicious Code

Malicious code (also known by the descriptive term "malware") comes in three primary varieties:

  • Viruses are self-replicating programs that infect individual files or messages. The well-known Sircam and Klez viruses are great examples; once you're infected, the virus code spreads to multiple files on your machine. Some viruses have destructive payloads; others don't. Viruses have to initially be executed on a machine, which means that the user has to launch an infected program.

  • Worms are self-replicating programs that target services on a particular computer, but remain resident in memory instead of writing their contents to files on the local disk. Worms spread by themselves, without any action on the user's part. CodeRed and Slammer are probably the best-known Windows worms, with Nimda running a tight third. As with viruses, some worms actually cause data loss, whereas others only use resources on the host machine to help them replicate.

  • Trojan horses (or just "Trojans") are named after the legendary wooden horse that the Greeks delivered to the residents of Troy. They are malicious programs masquerading as something else. Trojans are often packaged with code that will distribute copies of the Trojan through e-mail or file shares. The most common Trojans contain code that allows an attacker to remotely instruct a target computer to take part in a distributed denial of service (DDoS) attack, as described in more detail in Chapter 4, "Threats and Risk Assessment."

How Malicious Code Does Its Work

The first step in the life cycle of a piece of malware is simple: a miscreant has to write the code and release it. The mechanism it uses to spread depends on how clever the author was and whether it's a virus or worm. Viruses are most commonly spread through attachments to e-mail messages, although some exploit the ability of mail programs to display complex Hypertext Markup Language (HTML) and JavaScript messages. Worms typically spread by scanning a range of IP addresses, looking for machines that are running whatever service contains the vulnerability that the worm uses. Trojans can be spread as e-mail attachments or downloadable programs; it's increasingly common to see bad actors sending Trojans through instant messaging programs like Microsoft Windows Messenger or AOL Instant Messenger.

Worms spread all by themselves because their whole raison d'être is to exploit vulnerabilities in system services that allow the attacker's code to be run automatically. Viruses and Trojans, however, typically require the user to execute them, and that's where the problem lies. Malware creators are fiendishly good at packaging viruses and Trojans so that they look innocuous. Users are, in general, not careful about running untrusted programs from unknown sources, and, until relatively recently, Microsoft hadn't added sufficient security controls to Outlook to protect users from this unhappy combination. Fortunately, Microsoft Outlook 98, Outlook 2000, Outlook 2002, and Outlook 2003 have good protective tools either included or available. See Chapter 13 for details.

Secure Messaging with Microsoft® Exchange Server 2003
ISBN: 0735619905
Year: 2004
Pages: 189
