Sunday, December 14, 2008

Password Advice

Use of a good password is your first security defence. You should always use a password on any computer that others can access, so that no one can access your private information, use your account and impersonate you on the Internet, delete your files by mistake, etc.

You should change your password regularly, where regularly is determined by your environment -- perhaps every 60 days in an office environment and every six months on a secure home computer. From least to most secure, there are three types of passwords:

  • What you have. Examples include keys and pass cards. The risk is that they can be lost or stolen.
  • What you know. Examples include computer account passwords and building entry passwords, information that passes from your brain through your hand to the security system. The risks are that they can be copied if you are observed entering them, and unless they are sufficiently unique they can sometimes be guessed or cracked.
  • What you are. Examples include fingerprints, retina patterns, and other biometric passwords. These are much more difficult to copy (so far) and are therefore the most secure passwords.

The most common type of password on the Internet is the password you know, mainly alphanumeric keywords. For a reasonably secure home computer, password selection might be a less critical issue, but on networks open to the Internet there are many very real threats to administrator, network, and application passwords. Many ingenious programs have been written to crack passwords at high volume, some by hackers and some as legitimate security testing tools, and they are of course loose on the Internet. Many of these programs use a variety of dictionary-based attacks to combine common words and word variations to try thousands of passwords as fast as the targeted system will permit. Some start by guessing a whole bunch of common passwords.

Other password cracking techniques include low-tech but surprisingly effective methods such as sending an email supposedly from an authorized administrator requesting the password, making a telephone call supposedly from the authorized company and then requesting the password for authentication, and using spyware to capture the legitimate entry of a password and send it to the eavesdropper. As always, the human element is more unpredictable than the technical part.

To provide maximum protection, there are four basic rules for password management security:

  • Pronounceable. The best password is at least eight letters, and pronounceable so that it is memorable. Your password should not be a recognizable word, and should include at least one number, to minimize the chances it can be found by dictionary-based attacks. There is a simple trick to making them up instantly -- pretend you are two years old, combine random syllables into words, then add a number, such as "banilum4", "somi3can", and "telupson6".
  • Non-clichés. Lots of people use their birthday or spouse's birthday, the name of someone from their family or friends, the name of a favorite pet, or some other high profile subject for their password. Avoid all the obvious choices, since professional hackers try these first.
  • Unique. Never use the same password for more than one purpose, and change important passwords regularly without reusing old ones. Use separate passwords for your computer login, internet account, email account, and other functions. If you use the same password for more than one purpose, you run the risk that if someone knows one of your passwords then they can break into all of your accounts. (This rule may be relaxed for low threat environments such as a home office).
  • Write it down. Unfortunately, the trade-off for using good password practices is that you might forget them, so you need to record them somewhere. If you don't do this, it is a statistical certainty that sooner or later you will find yourself locked out of a computer or application at a very inopportune time. The trick is finding a secure location for storage of this sensitive document. If you have a very secure storage location (locked filing cabinet, encrypted file on your main computer) then you might store it there, but make sure it is secure; if that security protection is bypassed, all of your passwords are lost.

    First principles are: don't leave it on your desk, store it in your wallet, or tape it to the bottom of anything. For non-electronic storage, a common but effective technique is to record your passwords in pencil on a document that is stored with a lot of other documents, or on the margin of a page of a book on a shelf with a lot of other books. That way, even if someone had the time to search for it, it would be difficult to find, and even if found it wouldn't be obvious what it was.
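As an added example that is not part of the original post, here is a small Python checker for the rules above (length, a digit, no dictionary word, no clichés, no reuse) together with the "two-year-old syllable" trick for generating a password. The word lists are constructed placeholders; a real deployment would load a full dictionary and a common-password list from disk.

```python
import hashlib
import hmac
import re
import secrets
import string

# Constructed stand-ins for a real dictionary and a cracker's common-password list.
DICTIONARY_WORDS = {"password", "welcome", "sunshine", "computer", "letmein", "football"}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123", "welcome1"}

VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)


def check_password(candidate, personal_terms=()):
    """Return the list of rules the candidate violates (empty list means it passes).

    personal_terms holds the clichés the post warns about (birthdays, names of
    family, friends or pets) as strings, e.g. ("fluffy", "19800214", "smith").
    """
    problems = []
    lowered = candidate.lower()
    # Digits are stripped before the dictionary test so "welcome1" is still caught.
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if len(candidate) < 8:
        problems.append("too short (fewer than 8 characters)")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("no digit")
    if letters_only in DICTIONARY_WORDS or lowered in COMMON_PASSWORDS:
        problems.append("dictionary word or common password")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append("contains personal term %r" % term)
            break
    # Four identical or ascending digits read like a year or a counter, not a random suffix.
    if re.search(r"(\d)\1{3}|0123|1234|2345|3456|4567|5678|6789", candidate):
        problems.append("predictable digit sequence")
    return problems


def syllable():
    """One pronounceable consonant-vowel or consonant-vowel-consonant syllable."""
    s = secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
    if secrets.randbelow(2):
        s += secrets.choice(CONSONANTS)
    return s


def generate_password(syllables=3):
    """Join random syllables into a nonsense word and append a digit, as the post suggests.

    Retries until the result also satisfies check_password (three syllables can
    come out one character short of the eight-character minimum).
    """
    while True:
        word = "".join(syllable() for _ in range(syllables))
        candidate = word + str(secrets.randbelow(10))
        if not check_password(candidate):
            return candidate


def remember(history, password):
    """Store a salted SHA-256 digest so old passwords can be refused without keeping them in clear."""
    salt = secrets.token_bytes(16)
    history.append((salt, hashlib.sha256(salt + password.encode()).digest()))


def was_used_before(history, candidate):
    """True if the candidate matches any digest recorded by remember()."""
    return any(
        hmac.compare_digest(hashlib.sha256(salt + candidate.encode()).digest(), digest)
        for salt, digest in history
    )


if __name__ == "__main__":
    for sample in ("banilum4", "welcome1", "fluffy2001"):
        print(sample, check_password(sample, personal_terms=("Fluffy",)) or "ok")
    print("generated:", generate_password())
```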

Saturday, December 13, 2008

Virus Protection

The most important computing advice is "back up your files", which helps to safeguard your data if you ever get a virus. The second most important principle is "run an anti-virus protection program". If your anti-virus program does not include a good firewall, you must obtain one of those as well.

Modern computer viruses are more virulent than ever. It is essential for the protection of all of the valuable programs and information on your computer that you run a good anti-virus protection program. Most of these applications can regularly update their database over the Internet as the threats evolve and automatically keep your anti-virus protection up-to-date and your computer safe.

Commercial. The following companies are leading anti-virus protection providers:

Maintenance. Once you have installed anti-virus protection, take the following additional protective measures:

  • Never use a floppy disk, CD, DVD, tape, or other external media that has been on someone else's computer without first scanning it with your anti-virus protection program, which should be set to scan all media by default. If you lend media to someone else to copy a file, write-protect it first so that it won't get inadvertently infected.
  • Protect your perimeter. Make sure your anti-virus protection settings are turned on by default to scan files incoming over email and downloaded off the Internet.

Infection. Computers that run good anti-virus protection usually don't get infected. However, if you are sure that your system has somehow got a virus anyway, you can take the following steps:

  • Immediately shut down your computer, and do not reboot it from the infected disk, in order to prevent the virus from wreaking more damage.
  • Boot the computer from some clean external media such as a bootable floppy, CD, DVD, or external disk that has previously been scanned by your anti-virus protection.
  • Run your anti-virus protection software from the clean boot disk, on the infected disk, and if required fix or delete infected files and replace them on the infected disk.
  • If you need help or your anti-virus protection can't clean the disk, then you are best advised to take your computer to a good professional repair shop where they have tools to try and clean and recover your disk as best as possible.

Keep in mind that anti-virus protection sometimes generates false alarms -- a common cause is when a program file has changed size but for a valid reason. Another common indicator that you may have a false alarm is if your anti-virus protection claims that a file may contain a virus but doesn't know the virus's name. Don't delete files unless the anti-virus protection software specifically recommends it, recognizes the virus's name, and it otherwise looks like a reasonable suggestion.

Friday, December 12, 2008

Internet Worms

Worms -- Types and Habitats

Penetration of a remote system can be accomplished in any of three ways... In each case the worm arranges to get a remote command interpreter which it can use to copy over, compile and execute the 99-line bootstrap. The bootstrap sets up its own network connection with the local worm and copies over the other files it needs, and using these pieces a remote worm is built and the infection procedure starts over again.

Internet worms are truly autonomous virtual viruses, spreading across the net, breaking into computers, and replicating without human assistance and usually without human knowledge.

Worms are particularly interesting technological constructs, with an intriguing mathematical structure and complexity. They fascinate because they take the digital imitation of life to another step -- they autonomously search for computers, penetrate them, and replicate their intelligence to continue the process.

An Internet worm can be contained in any kind of virus, program or script. Sometimes their inventor will release them into the wild in a single copy, leaving them to replicate by themselves through a variety of stratagems and protocols.

History. Worms use a variety of methods to propagate across the Internet. Early worms simply scanned the local network drives and folders and inserted themselves into programs wherever they could, trusting human beings to move disks and directories around in the normal course of things so they could continue to spread.

Since the late 1990s, many Internet worms have been Visual Basic script viruses which replicate on Windows computers by interacting with the user's email program to send themselves to many (often all) of the addresses in the address book. Once on a new machine, they repeat the process with the new user's address book, quickly expanding the number of people reached. Some of the worst outbreaks of email worms have spread around the world within just a few hours, and email remains the Internet worm's fastest known transmission method.

Beginning in 2001, the most dangerous worms started to employ weaknesses in the Windows operating system to attack machines directly across the Internet. When a significant Windows weakness was found, Microsoft would patch it, hackers would release worms to attack it a few weeks later, and any unpatched machine connected to the Internet would soon be compromised. With several hundred million machines running Windows, statistically speaking a lot don't get patched immediately, so there are always thousands of vulnerable systems. Even computers inside a firewall protected intranet are at risk as long as there is one weak link somewhere -- an unprotected machine on the Internet able to reach the rest of the intranet. Microsoft introduced automatic operating system updates to help solve this problem.

The most successful Internet worm of all time, in terms of sheer saturation, was the Code Red worm, which scanned the Internet for vulnerable Windows computers running the IIS web server to install itself and continue the infection. For example, a list of the Code Red infected computers trying to break into the LivingInternet site on August 7, 2001, can be found here. (Fortunately, the site was running on the Apache web server.)

A wide range of other inventive strains of Internet worms have employed security weaknesses in IRC, finger, and other programs and protocols. A few worms began to be discovered for Linux in the late 1990s as it became more popular across the Internet and some vulnerabilities were found, but the strong security architecture of Linux has kept the number of problems relatively low.

The first worm. The first worm disabled most of the Internet then existing. Robert Morris, a Computer Science graduate student at Cornell University and (embarrassingly) son of the Chief Scientist at the National Computer Security Center, wrote a 99 line program in the C language designed to self-replicate and propagate itself from machine to machine across the Internet. The worm performed the trick by combining a bug in the debugging mode of the sendmail program used to control email on almost all Internet computers, a bug in the finger program, and the Unix rexec and rsh commands.

On November 2, 1988, Morris released his worm, but did so from an MIT computer to disguise his origin. In his view, only one thing went wrong -- the worm started replicating at a much faster rate than he had predicted, and began crashing and disabling computers across the Internet.

Morris sent out an anonymous message telling people how to disable the worm, but because it had brought down the Internet, the message about how to disable it couldn't get through. The worm eventually infected more than 6,000 computers across the Internet. Within a day teams of programmers at the University of California at Berkeley and Purdue University reverse engineered the worm and developed methods of stopping it. The Internet then came back to normal in a couple of days.

Morris claimed that he had intended his worm as an innocent experiment and hadn't planned it to have any negative effects. Nonetheless, he was eventually convicted of violating the Computer Fraud and Abuse Act (Title 18), and sentenced to three years of probation, 400 hours of community service, and a $10,050 fine. His appeal was rejected in March, 1991.

At least one good thing resulted from this incident -- the Computer Emergency Response Team, or CERT, was formed by ARPA in response to the Morris worm incident to track and provide information on Internet security threats.

Thursday, December 11, 2008

Script & Macro Viruses

Script / Macro Viruses - Types and Habitats

Script viruses (sometimes called macro viruses) generally travel embedded in email and office automation documents, although they can be found in web pages as well.

Old fashioned program viruses are usually implemented in executable system code, whereas script viruses are usually written in a powerful high-level language that is compiled and run on the fly. They often have sophisticated functionality and direct interfaces to high level applications such as word processing, spreadsheet, email, and web programs, and can wreak considerable havoc. Since they first surfaced in office automation programs, they are sometimes also called "macro" viruses. Script viruses can also propagate through IRC protocols.

On Microsoft computers, turning on your script checking virus protection is essential. However, keep in mind that there may be an associated performance hit for some applications. Many applications on Windows are written in Visual Basic, and real-time script virus checking can double the time it takes for their usual functions to run. If you find that ordinary functions take an inordinate length of time to complete, you can try temporarily turning this feature off in your anti-virus checker -- but don't forget to turn it back on afterwards!

Active threats. The following types of script viruses are currently the most active and dangerous, on the Windows platform:

  • Visual Basic is a flexible and powerful programming environment for Microsoft Windows, Office, and internet applications. Script viruses written in Visual Basic can run throughout the Microsoft architecture, giving them considerable reach and power, and making them the primary virus threat today.

    The first widespread Visual Basic script virus was Melissa, which brought down several of the large international corporations for several days in March 1999. Melissa traveled in a Microsoft Word document and ran when the document was opened, then opened the associated Microsoft Outlook email program, read the user's email address book, and then sent email copies of itself to the first fifty names it found. It spread very quickly.

    The Melissa virus architecture was quickly followed by many similar variants programmed by hackers around the world, including the ground breaking KAK, the first Visual Basic script virus that triggered as soon as an email was opened. KAK was then followed by BubbleBoy, which triggered if an email was even viewed in the preview pane. A steady stream of Visual Basic script viruses continues to circulate to this day. There are even automated, point and click programs like VBS Love Generator to help hackers produce additional variants. Script viruses which use email to send themselves to others are also a form of worm.
    The term "macro virus" is used less often, and generally refers to a virus in an office automation application macro, most commonly a Visual Basic macro in a Microsoft Word or Excel document. Macro viruses can cross system boundaries from Windows to Macintosh computers with MS Office documents. Current versions of Microsoft Office contain strong anti-macro protections to guard against known attacks.
  • ActiveX is one of Microsoft's distributed application technologies that enable web pages to download programs on the fly with the full power of any executable running on your machine. This makes ActiveX modules especially efficient and powerful, but also a security risk since they can create, change, and delete files, add system programming code, or take any other action your user account is allowed on your computer.

    To help mitigate the risk, Microsoft provides a network architecture of encrypted security certificates for ActiveX modules. This network gives you the option of refusing the download of unsigned ActiveX modules from unknown authors, and at least disclosing the signed identity of those modules that you do accept in case they later cause problems. However, this approach is not universally accepted by the general user and professional security communities, and is sometimes called "trust me now, try to catch me later". Users running Internet Explorer on Windows machines should make sure that their browser security settings are set to "disable" for unsigned ActiveX applets, and to "prompt" for signed applets.

Hypothetical threats. The following script viruses are largely theoretical, but illustrate that they can turn up wherever there is scripting code:

  • Java is a standard cross platform development environment, and is often used to download scripts to add functionality like a clock or chat room interface to a web page. Java was written with a strong security model which protects your computer's data and resources, and it has so far proved remarkably resistant to script virus infection. You can turn Java off in your browser if you want to be extra careful, but it will disable some useful functionality on some web pages.

  • JavaScript is the standard web programming language. JavaScript also has a well-defined security model that protects data and resources, and the few JavaScript viruses that have been discovered have been mainly theoretical in nature. You can turn JavaScript off in your browser settings if you want to be extra careful, but it will disable functionality on many web pages.
  • MIME. The first script virus that triggered as soon as an email was opened was a MIME virus that applied to older versions of Netscape Mail, Microsoft Outlook, and Eudora Mail. In a variation on an old hacker technique, the attached MIME file was given a very long name that triggered a bug which allowed the end of the name to be run as a series of instructions, which could then be written to run the virus. However, a fix for the bug was quickly developed for each vulnerable email program, and MIME viruses have so far remained hypothetical.

Boot & Program Viruses

Boot & Program Viruses - Types and Habitats

Boot and program viruses were the first viruses. They are generally made of executable code that hides inside device boot programs and application programs, and are usually targeted for a specific computer operating system. These were the earliest types of computer viruses developed, and remained relatively common in the wild until overtaken in 1998 by script and macro viruses.

Boot viruses. Boot viruses hide in the boot code for a media device, such as a disk or CD, and run automatically when the media is loaded since boot programs are always the first code loaded from any device. Boot viruses proliferated on floppy disks and even CDs into the late 1990s, but aren't seen as often these days with the decline in importance of transferable, bootable media.

The first computer boot virus was built by a 15 year old kid named Rich Skrenta in 1982 for Apple II computers. Called "Elk Cloner", it would activate whenever a floppy disk was booted on a computer, install itself on the computer, and then infect other disks used later. Once every 50 times an infected floppy was inserted in a computer it would display the following message.

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!

It will stick to you like glue
It will modify ram too
Send in the Cloner!

Skrenta launched the virus into the wild in early 1982 by infecting his school's computer and giving out disks at a computer club. Since viruses were not yet known and there were no safeguards, it spread around the country and continued to pop up on Apple II computers for years afterwards.

The first boot virus to infect Microsoft computers was called Brain, developed in 1986 by two Pakistani brothers, and displayed the phone number of their computer repair business.

Program viruses. Program viruses can travel on media like a CD or across the Internet as an email attachment. They hide in an apparently useful program and then run when the program is opened. They are often called trojan horse viruses, after the hollow wooden horse containing soldiers that Ulysses and the Greeks gave to Minerva during the Trojan war, and from which the soldiers emerged that night to open the gates of the city of Troy to the Greek armies, thereby causing the city's downfall.

Program viruses may be deliberately hidden in a program by the developer, or surreptitiously attached after the fact at some point along its travels from computer to computer. Program viruses are also sometimes the vector of infection for boot viruses and worms.

Virus infection. A greeting card program emailed to you from a friend might display a holiday animation and song, while at the same time installing a remote access virus program that gives a distant hacker control over your computer whenever you're connected to the Internet. Similarly, a shareware program downloaded and emailed to you by another friend might have been infected with a virus on his computer or the server where it was stored.

The first thing a boot or program virus often does is insert commands and settings in the operating system so that they can operate freely, undetected, and unaudited, without warning messages or access log records. Some of them even change the Basic Input Output System (BIOS) that interfaces between the computer's hardware and software to help mask their activities.

The most sophisticated program viruses include "stealth viruses", which encrypt their contents to try and avoid detection by virus protection software, and "polymorphic viruses", which alter their content every time they replicate to try and avoid detection, behavior just like that of real viruses. Most anti-virus programs can still catch most of these types of viruses.

Viruses

Virus (Boot, Script, Macro, Worm) Families and Habitats

Computer viruses of one kind or another have infected the Internet since its very first years of existence. Virus protection is now required technology for everyone that uses the Internet.

Signs that your computer might have a virus could include spontaneous startup of programs like email programs, unexplained attempts by programs on your computer to access the Internet, changes in file date stamps, unusually slow program load or run times, lots of unexplained disk activity, or failure of a program or your computer to start. However, if you have anti-virus protection running, then problems like a slow computer or lots of disk activity are most likely caused by an inefficient system configuration, not enough memory, a fragmented disk, or other benign causes, since most viruses won't give any visible signs.

Some viruses are only annoying, displaying a message, using extra memory or disk, or changing file names. However, some are destructive and will change files and erase data, and some will erase your entire hard drive. Some run silently in the background and give outside agents complete control of your computer without your knowledge whenever you are connected to the Internet.

The Internet gives viruses a particularly efficient new path for global infection. Some email viruses have spread around the world and brought down tens of thousands of computers in just a few hours. It is absolutely essential that you run an anti-virus protection program to safeguard your computer from these serious threats.

Email Security

Corporate email: A mission-critical application

Email is well-established as a prime means of communication for business purposes that is quicker and cheaper than more traditional methods. Yet it brings with it the necessity to make one's corporate messaging system as secure as possible.

Email-related threats to network security

A variety of different elements weaken your corporate email system and while some are widely known - such as email viruses - others tend to be ignored. Emails carrying offensive messages or confidential corporate information can create immense inconvenience and expense for a company that has not equipped its mail server with the appropriate tools. The same goes for spammers who use the email system at work to send thousands of unsolicited email messages. And what about the vast damage and time-loss caused by email viruses, which seem to be making ever more frequent appearances these days?

Some companies lull themselves into a false sense of security upon installing a firewall. This is a wise step to protect their intranet, but it is not enough: Firewalls prevent network access by unauthorized users. But they do not check the content of mail being sent and received by those authorized to use the system, for instance. More targeted measures are needed to counteract this and other security loopholes in a corporate network.

The threat of information leaks
Organizations often fail to acknowledge that there is a greater risk of crucial data being stolen from within the company rather than from outside.

Various studies have shown how employees use email to send out confidential corporate information. Be it because they are disgruntled and vengeful, or because they fail to realize the potentially harmful impact of such a practice, employees use email to share sensitive data that was officially intended to remain in-house.

FBI statistics, for example, reveal that among Fortune 500 companies, most data thefts in 1998 were by internal users. Again, research results carried in PC Week in March 1999 report that, out of 800 workers surveyed, 21-31% admitted to sending confidential information - like financial or product data - to recipients outside the company by email. Ten per cent of those surveyed disclosed that they had received email containing company-confidential information.

The threat of emails containing malicious or offensive content
Emails carrying sensitive information, or unsolicited mail messages sent out by corporate users are not the only problem a company has to tackle with regard to employees' email use. Emails sent by staff containing racist, sexist or other offensive material could prove equally troublesome, not to mention embarrassing - and expensive!

This factor hit the headlines during the much-publicized antitrust case against Microsoft Corp., when the US government presented as evidence the contents of emails written by top Microsoft executives describing plans to topple competitors. On a similar note, Chevron recently had to pay $2.2 million to settle a lawsuit resulting from an email message bearing sexist contents.

Under British law, employers are held responsible for emails written by employees in the course of their employment, whether or not the employer consented to the mail. The insurance company Norwich Union was asked to pay $450,000 in an out-of-court settlement as a result of emailed comments relating to competition.

Besides, offensive emails can cause considerable damage to the work environment simply by generating an unpleasant, hostile or unprofessional atmosphere.

The threat of viruses
Viruses are a major email security hazard that companies simply cannot afford to ignore. Over 11,000 different computer viruses exist to date and some 300 new ones are created each month. Their effects range from negligible to bothersome to destructive.

The extent of the problem is so great that today many companies have even begun to prohibit the use of email attachments, as this is where viruses are often embedded. Unless forewarned, users are generally unaware that they have received a virus until they open the infected attachment. By this time, it is too late: the virus is activated and starts to take over, completely infecting the hard drive and the messaging network.

The danger of viruses transmitted through macros, another common form of virus transmission, is that they allow the user to continue working and sharing documents. This way, the virus spreads faster, infecting more and more users. One such macro virus, known as Melissa, reared its ugly head on March 26, 1999. Melissa forced organizations the world over - among them Microsoft and Intel - to suspend all email transactions. This may well have been an effective response to the new viral onslaught, when timely action was taken - but it also signified incalculable productivity loss, despite stemming data loss. As a result, Melissa left a huge dent in corporate coffers: "It is responsible for millions of dollars worth of damage", an April 1999 issue of InfoWorld reported.

Other fiercely destructive viruses followed fast on Melissa's trail, such as the Chernobyl (CIH) virus and the Explore Worm, both of which wipe out files, resulting in data loss. Again, companies like Microsoft, Intel, Boeing and Forrester Research were reported in the press as having shut down their mail servers when hit by the Explore Worm outbreak in June 1999. And, as if all this were not enough, anti-virus researchers predict that more damaging email viruses are yet to come.

The threat of spam
About 90 per cent of email users receive spam - or unsolicited commercial mail - at least once a week, a survey conducted by the Gartner Group shows. The research results, issued in June 1999, revealed that almost half those surveyed were spammed six or more times a week. The study surveyed 13,000 email users.

Although the U.S. Congress and state legislatures are seeking to ban spam, and the Federal Trade Commission sues spammers whose junk mail deceives consumers, unwanted mail is on the increase.

As well as consuming bandwidth and slowing down email systems, spam is a frustrating time-waster, forcing employees to sift through and delete mounds of junk mail. It also proves irritating and offensive to recipients who feel their privacy has been invaded. However, there is a third aspect to spam: it constitutes a security hazard.

Spammers can use a corporate mail server to send out their unsolicited messages, often bringing trouble upon the unwitting organization. Virgin Net recently underwent such an experience when one of its subscribers apparently used its network to send out 250,000 junk messages. As a result of this individual's actions, Virgin Net was put onto the Real-time Blackhole List (RBL), an undesirable listing which leads other ISPs to reject mail coming from that company.

SPAM Filtering

Protecting against security breaches

Corporate security policy
The security menaces are many, but effective solutions do exist. The first step to enhance security recommended by cyber-security consultants is the formulation of a corporate email policy document. This is used to inform all members of the organization which messaging practices are deemed unacceptable.

Without being overly restrictive, such documents should provide guidelines and procedures to be followed by employees in their use of email at the workplace. Examples of the kinds of email messages that could prove detrimental to the organization should be supplied. The overriding point to be emphasized is that by adopting this policy, the company and its staff stand to gain by benefiting from messaging security that is as watertight as possible.

Next, the organization must acquire new security tools to help enforce these regulations, informing all users that this measure is being taken.


Security software
Corporations may choose from a selection of email security packages. Some solutions are created to tackle a particular menace alone while others contain a convenient bundle of tools to deal with the various hazards. It is up to each organization to select the software that best suits their needs.

As always, price is bound to be one of the determining factors in making the right choice. Another essential characteristic to seek is a product that is as transparent to the user as possible. A package that installs on the existing corporate email system and is easy to use means that a company can enjoy the security benefits offered immediately upon installation. This section examines the different email security features available on the market, either separately or as part of a solution.

Preventing information leaks
A content checking tool is a must to prevent users from sending out confidential or sensitive corporate information via email. This tool automatically scans the contents of each message being mailed.

To be effectual, this tool should link to a quarantining feature that isolates emails with suspect content and prevents them from being sent unless an authorized person within the organization has approved the message.

Content checking
Likewise, a content screening tool is necessary to prevent corporate users from sending or receiving malicious, offensive, or inappropriate emails. This should be coupled with a tried and tested quarantining feature that bars emails with suspect content from being sent or received unless an authorized person within the organization has approved the message first.
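The content-checking and quarantine workflow that this section and the previous one describe can be made concrete. The following Python gateway is an added example written for this page, not a product's code: it scans each outbound message for sensitive phrases and for Luhn-valid payment-card numbers, holds matching messages in a quarantine store, and releases them only once an authorized person approves. The phrase list, the domain names and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Hypothetical organizational policy: phrases treated as sensitive when leaving the company.
SENSITIVE_PHRASES = ("confidential", "internal use only", "do not distribute")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def message_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def find_sensitive(text: str) -> list:
    """Return the policy hits found in text; an empty list means the message is clean."""
    lowered = text.lower()
    hits = [p for p in SENSITIVE_PHRASES if p in lowered]
    for match in CARD_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            hits.append("payment-card-number")
    return hits


class Quarantine:
    """Holds suspect messages until an authorized person approves or rejects them."""

    def __init__(self):
        self.held = {}        # message id -> (message, reasons)
        self.released = []    # message ids approved for delivery
        self.rejected = []

    def hold(self, msg_id: str, msg: Message, reasons: list) -> None:
        self.held[msg_id] = (msg, reasons)

    def approve(self, msg_id: str, approver: str) -> Message:
        msg, _ = self.held.pop(msg_id)
        msg["X-Quarantine-Approved-By"] = approver    # audit trail on the released message
        self.released.append(msg_id)
        return msg

    def reject(self, msg_id: str) -> None:
        self.held.pop(msg_id)
        self.rejected.append(msg_id)


def filter_outbound(raw: str, quarantine: Quarantine) -> str:
    """Gateway decision for one outbound message: 'delivered' or 'quarantined'."""
    msg = message_from_string(raw)
    hits = find_sensitive(message_text(msg))
    if hits:
        quarantine.hold(msg["Message-ID"], msg, hits)
        return "quarantined"
    return "delivered"


# Constructed sample messages (not real mail).
CLEAN_MSG = """From: alice@example.com
To: bob@partner.example
Subject: Lunch
Message-ID: <1@example.com>

See you at noon.
"""

LEAK_MSG = """From: alice@example.com
To: bob@partner.example
Subject: Numbers
Message-ID: <2@example.com>

CONFIDENTIAL - the test card on the account is 4111 1111 1111 1111.
"""

if __name__ == "__main__":
    q = Quarantine()
    print(filter_outbound(CLEAN_MSG, q))     # delivered
    print(filter_outbound(LEAK_MSG, q))      # quarantined
    print(q.held["<2@example.com>"][1])      # ['confidential', 'payment-card-number']
    q.approve("<2@example.com>", "security-officer")
```

The Luhn step matters in practice: a bare "run of sixteen digits" pattern quarantines order numbers and phone numbers too, and a quarantine that fills with false positives trains approvers to rubber-stamp everything.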

Combating viruses
A reliable virus scanner screens all incoming and outbound messages and attachments for email viruses and worms.

Of course, it is not enough for a package to detect a virus. A good security tool must be able to block the infected documents or clean them before the email reaches the addressee. Additionally, the anti-virus solution should notify the recipient and/or network administrator of the email-borne virus. This way, viruses are stopped in their tracks before they do any harm and senders can be alerted that their systems are infected.

Eliminating spam
An efficient anti-spam tool will pick up words and phrases that usually appear in unsolicited commercial emails and block the unwanted message from entering the system. While preventing inconvenience to recipients, this saves the corporation time that employees would otherwise have wasted reading and deleting junk mail - paid work time that could be better applied.

Advanced anti-spam features include detecting incorrect 'From' headers and addresses planted in the email body, both typical spam practices, as well as the facility to block emails containing any phrases the company chooses. Another essential ingredient is the ability to prevent spammers from using the corporate system to send out vast quantities of mail, a practice known as mail relaying.

Also effective against spam is a quarantining feature that deters email messages with dubious content from going through. This feature acts as a kind of clearinghouse, allowing an authorized person to approve the filtered messages before they are sent or received.
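As an added example written for this page (not taken from any vendor's product), the Python below implements three of the anti-spam checks just listed: phrase matching, detection of inconsistent 'From' headers (a different address hidden in the display name, or Reply-To and Return-Path pointing at another domain), and the anti-relay rule that refuses unauthenticated mail addressed to non-local recipients. The phrase list, the local domain and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical tuning: phrases common in unsolicited commercial mail, and the
# domains this gateway is responsible for (used by the relay check).
SPAM_PHRASES = ("act now", "risk free", "limited time offer", "click here", "100% free")
LOCAL_DOMAINS = {"example.com"}


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].strip("<> ").lower()


def header_findings(msg) -> list:
    """Flag 'incorrect From header' patterns: display name and address disagree,
    Reply-To or Return-Path point at a different domain, or From cannot be parsed."""
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if "@" not in from_addr:
        findings.append("from-unparseable")
        return findings
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and embedded.group().lower() != from_addr.lower():
        findings.append("display-name-address-differs")
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append("reply-to-domain-differs")
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append("return-path-domain-differs")
    return findings


def phrase_findings(text: str) -> list:
    lowered = text.lower()
    return [p for p in SPAM_PHRASES if p in lowered]


def body_text(msg) -> str:
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks)


def spam_findings(raw: str) -> list:
    """All findings for one message; the caller picks the threshold for blocking."""
    msg = message_from_string(raw)
    return header_findings(msg) + phrase_findings(msg.get("Subject", "") + "\n" + body_text(msg))


def relay_allowed(rcpt_to: str, authenticated: bool) -> bool:
    """Anti-relay rule: unauthenticated clients may only deliver to local domains;
    authenticated (local) users may send anywhere. Anything else is third-party
    relaying and is refused."""
    return authenticated or domain_of(rcpt_to) in LOCAL_DOMAINS


# Constructed samples (not real mail).
SPAM_MSG = """From: "billing@bank.example" <promo@cheapdeals.test>
Reply-To: reply@another.test
To: user@example.com
Subject: Limited time offer!!!

Click here to claim your risk free prize.
"""

HAM_MSG = """From: Alice <alice@example.com>
To: user@example.com
Subject: Meeting notes

Notes from today's meeting are attached.
"""

if __name__ == "__main__":
    print(spam_findings(SPAM_MSG))
    print(spam_findings(HAM_MSG))                       # []
    print(relay_allowed("stranger@elsewhere.test", False))   # False: would be relaying
```

Phrase lists alone are brittle (spammers misspell deliberately), which is why the header-consistency checks carry more weight in this scoring and why the relay rule is a hard refusal rather than a score.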

A powerful solution that arms your Exchange Server 2000

GFI MailSecurity for Exchange/SMTP
Your only true defence is to install a comprehensive email security solution to safeguard your mail server and network. GFI MailSecurity for Exchange/SMTP provides email content checking, exploit detection and anti-virus for Exchange/SMTP. It can be deployed at the gateway level, or at information store level (based on the Exchange 2000 VS API).

Key features include:

  • Multiple virus engines - don't depend on one only

  • Email content & attachment checking - quarantine dangerous emails

  • Exploit shield - email intrusion detection & defence

  • Email threats engine - analyses & defuses HTML scripts, .exe files & more

Other features include:

  • Automatic removal of HTML scripts

  • Automatic quarantining of Microsoft Word documents with macros

  • Detects attachment extension hiding

  • Rules-based configuration

  • Apply rules to AD users or groups

  • Approve/reject quarantined mail using the moderator client/email client/public folders

  • Lexical analysis

  • Seamless integration with Exchange Server 2000 through VS API

  • Anti-spam (gateway version)

  • Great value
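Two of the listed features, detection of attachment extension hiding and removal of HTML scripts, are straightforward to illustrate. The Python below is an added example for this page, not GFI's code: it classifies attachment names (an executable hidden behind a document-like double extension, or pushed out of view by whitespace padding), rewrites HTML bodies without script elements, on* event handlers and javascript: URLs, and walks a constructed MIME message to apply both. The extension lists and the sample message are assumptions.

```python
import html
import re
from email import message_from_string
from html.parser import HTMLParser

# Hypothetical policy lists for the attachment check.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
DOCUMENT_EXTS = {"txt", "pdf", "doc", "xls", "jpg", "gif", "png"}


def hidden_extension(filename: str):
    """Classify an attachment name. None when nothing is suspicious; otherwise the
    reason: whitespace padding that scrolls the real extension out of view, a
    document-looking double extension, or simply an executable attachment."""
    name = filename.strip().lower()
    if "." not in name:
        return None
    parts = name.split(".")
    if parts[-1].strip() not in EXECUTABLE_EXTS:
        return None
    if re.search(r"\s{4,}\.[a-z0-9]+$", name):
        return "whitespace-padded-extension"
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "double-extension"
    return "executable-attachment"


class ScriptStripper(HTMLParser):
    """Rebuilds HTML without <script> elements, on* handler attributes and
    javascript: URLs; everything else passes through unchanged."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.in_script = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script += 1
            return
        if self.in_script:
            return
        kept = []
        for key, value in attrs:
            if key.lower().startswith("on"):
                continue
            if value is not None and value.strip().lower().startswith("javascript:"):
                continue
            kept.append(f' {key}="{html.escape(value, quote=True)}"' if value is not None else f" {key}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = max(0, self.in_script - 1)
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(html.escape(data, quote=False))


def strip_scripts(markup: str) -> str:
    parser = ScriptStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def scan_message(raw: str) -> dict:
    """Walk the MIME parts: a verdict per attachment name, and a defused HTML body."""
    msg = message_from_string(raw)
    report = {"attachments": {}, "html": None}
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            report["attachments"][filename] = hidden_extension(filename)
        elif part.get_content_type() == "text/html":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            report["html"] = strip_scripts(body.strip())
    return report


# Constructed sample message (not real mail).
SAMPLE_MSG = """From: sender@example.net
To: user@example.com
Subject: Files
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p onclick="run()">Quarterly numbers attached.</p><script>alert(1)</script>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Quarterly report.txt.exe"

QUJD
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="notes.pdf"

QUJD
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_MSG))
```

Note that the check works on the declared filename only; a gateway that also sniffs the attachment's leading bytes catches renamed executables that this name-based rule cannot.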


Tuesday, December 2, 2008

All About Malicious Codes

Abstract

Malicious code refers to a broad category of software threats to your network and systems. Perhaps the most sophisticated threats to computer systems are presented by malicious codes that exploit vulnerabilities in those systems. Any code which modifies or destroys data, steals data, allows unauthorized access, exploits or damages a system, or does something the user did not intend, is called malicious code. This paper briefly introduces the various types of malicious code you will encounter, including viruses, Trojan horses, logic bombs and worms.

Taxonomy of malicious Code

A computer program is a sequence of instructions arranged to achieve a desired functionality; the program is termed malicious when that sequence of instructions is used to intentionally cause adverse effects on the system. In other words, not every "bug" is malicious code: intent is what distinguishes the two. Malicious codes are also called programmed threats. The following figure provides an overall taxonomy of malicious code.

Figure 1 Malicious Code Taxonomy


Taxonomy is a system of classification allowing one to uniquely identify something. As presented in the above figure, threats can be divided into two categories:
  • Independent: self-contained programs that can be scheduled and run by the operating system.

  • Needs host program: essentially fragments of programs that cannot exist independently of some actual application program, utility or system program.
You must also differentiate between software threats that do not replicate and those that do (replication is the process by which a code reproduces or duplicates itself). The former are fragments of programs that are activated when the host program is invoked to perform a specific function; the latter consist of either a program fragment or an independent program (worm, zombie) that, when executed, may produce one or more copies of itself to be activated later on the same system or some other system. In the following, I briefly survey each of these parts of malicious software.

Trap doors

defined - 1. syn. back door, a bad thing. 2. A trap door function is one which is easy to compute but very difficult to compute the inverse of. [Jargon Dictionary]
A trap door is a secret entry point into a program that allows someone who is aware of the trap door to gain access without going through the usual security access procedure. In many cases, attacks using trap doors can give a great degree of access to the application, important data, or even the hosting system. Trap doors have been used legitimately by programmers to debug and test programs; some of the legitimate reasons for trap doors are:
  1. They are left intentionally to make testing easier.

  2. They are left intentionally as a covert means of access, in other words to allow access in the event of errors.

  3. They are left intentionally for fixing bugs.
But they may also be used illegitimately, to provide future, illegal access. Trap doors become threats when they are used by unscrupulous programmers to gain unauthorized access.

Back door is another name for a trap door. Back doors provide immediate access to a system by bypassing the authentication and security protocols in place; attackers can use back doors to bypass security controls and gain control of a system without time-consuming hacking.

Logic Bombs

defined - The logic bomb is code embedded in some legitimate program that executes when a certain predefined event occurs; this code is surreptitiously inserted into an application or operating system and causes it to perform some destructive or security-compromising activity whenever specified conditions are met. [Jargon Dictionary]

A bomb may send a note to an attacker when a user is logged on to the Internet and is using a specific program such as a word processor; this message informs the attacker that the user is ready for an attack. Figure 2 shows a logic bomb in operation. Notice that this bomb does not actually begin the attack but tells the attacker that the victim has reached the state needed for an attack to begin.

Figure 2 Logic Bombs


  1. Attacker implants logic bomb
  2. Victim reports installation
  3. Attacker sends attack message
  4. Victim acts as the logic bomb instructs
Examples of conditions that can be used as triggers for a logic bomb are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application. Once triggered, a bomb may alter or delete data or entire files, cause a machine to halt, or do some other damage.

Trojan Horses

defined - A malicious, security-breaking program that is disguised as something benign, such as a directory lister, archiver, game, or (in one notorious 1990 case on the Mac) a program to find and destroy viruses! [Jargon Dictionary]

A Trojan horse is a useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function. Trojan horses can be used to accomplish indirectly functions that an unauthorized user could not accomplish directly. For example, to gain access to the files of another user on a shared system, a user could create a Trojan horse program that, when executed, changes the invoking user's file permissions so that the files are readable by any user. Another example of a Trojan horse program is a compiler that has been modified to insert additional code into certain programs as they are compiled, such as a system login program; the inserted code creates a trap door in the login program that permits the author to log on to the system using a special password. Another common motivation for the Trojan horse is data destruction: the program appears to be performing a useful function, but it may also be quietly deleting the victim's files.

Zombie

A zombie is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the zombie's creator. Zombies are used in denial-of-service attacks, typically against targeted web sites. The zombie is planted on hundreds of computers belonging to unsuspecting third parties and then used to overwhelm the target web site with an onslaught of Internet traffic.

Viruses

defined - [From the obvious analogy with biological viruses.] A cracker program that searches out other programs and 'infects' them by embedding a copy of itself in them, so that they become Trojan horses. When these programs are executed, the embedded virus is executed too, thus propagating the 'infection'; this normally happens invisibly to the user. Unlike a worm, a virus cannot infect other computers without assistance. It is propagated by vectors such as humans trading programs with their friends. The virus may do nothing but propagate itself and then allow the program to run normally. Usually, however, after propagating silently for a while, it starts doing things like writing cute messages on the terminal or playing strange tricks with the display. Many nasty viruses, written by particularly perversely minded crackers, do irreversible damage, like nuking all the user's files... [Jargon Dictionary]

A virus is a program that can 'infect' other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs. Therefore the key characteristic of a virus is the ability to self-replicate by modifying a normal program file with a copy of itself. In November 1983, Fred Cohen ("father of the computer virus") conceived the idea of computer viruses as a graduate student at USC. Cohen wrote the first documented virus and demonstrated it on the USC campus network. "Virus" is named after the biological virus; the following comparison shows why:

  • Biological virus: consists of a DNA or RNA strand surrounded by a protein shell that bonds to the host cell. Computer virus: consists of a set of instructions stored in a host program.
  • Biological virus: has no life outside the host cell. Computer virus: is active only when the host program is executed.
  • Biological virus: replicates by taking over the host's metabolic machinery with its own DNA/RNA. Computer virus: replicates when the host program is executed or the host file is opened.
  • Biological virus: copies infect other cells. Computer virus: copies infect (attach to) other host programs.


A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs. During its lifetime a typical virus goes through the following four phases:
  • Dormant phase: The virus is idle. It will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.

  • Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.

  • Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.

  • Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Virus Anatomy
A virus structure has four parts:
  • Mark: can prevent re-infection attempts
  • Infection mechanism: causes spread to other files
  • Trigger: the conditions for delivering the payload
  • Payload: the possible damage to the infected computer

Figure 3 Anatomy of Virus: Mark (optional), Infection Mechanism, Trigger (optional), Payload (optional)

Types of Viruses

Memory-resident virus: lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.

Program file virus: infects programs such as EXE, COM and SYS files. The following figure shows details:

Figure 5 Program File Viruses


Polymorphic virus: creates copies during replication that are functionally equivalent but have distinctly different bit patterns. In this case the "signature" of the virus will vary with each copy. To achieve this variation, the virus may randomly insert superfluous instructions or interchange the order of independent instructions. Alternatively, a portion of the virus, generally called a mutation engine, creates a random encryption key to encrypt the remainder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When an infected program is invoked, the virus uses the stored random key to decrypt the virus; when the virus replicates, a different random key is selected.

Boot sector virus: boot sector viruses infect the system area of the disk that is read when the disk is initially accessed or booted. This area can include the master boot record, the operating system's boot sector, or both. A virus infecting these areas typically takes the system instructions it finds and moves them to some other area on the disk. The virus is then free to place its own code in the boot record. When the system initializes, the virus loads into memory and simply points to the new location of the system instructions. The system then boots in a normal fashion, except that the virus is now resident in memory. A boot sector virus can replicate without your executing any programs from an infected disk; simply accessing the disk is sufficient. For example, most PCs do a system check on boot-up that verifies the operation of the floppy drive; even this verification process is sufficient to activate a boot sector virus if one exists on a floppy left in the machine, and the hard drive can then also become infected.

Stealth virus: a form of virus explicitly designed to hide itself from detection by antivirus software. When the virus is loaded into memory, it monitors system calls to files and disk sectors; when a call is trapped, the virus modifies the information returned to the process making the call so that it sees the original, uninfected information. This aids the virus in avoiding detection. For example, many boot sector viruses contain stealth ability. If the infected disk is booted, programs such as FDISK report a normal boot record, because the virus is intercepting sector calls from FDISK and returning the original boot sector information. If you boot the system from a clean floppy disk, however, the drive is inaccessible, and if you run FDISK again, the program reports a corrupted boot sector on the drive. To use stealth, however, the virus must be actively running in memory, which means that the stealth portion of the virus is vulnerable to detection by antivirus software.
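The boot-sector and stealth descriptions above suggest a defensive check: parse the master boot record, keep a baseline taken from a known-clean boot, and compare on every subsequent clean boot. The Python below is an added example for this page, not code from any product: it decodes the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the code area and reports what changed. The image it builds is constructed filler, not real boot code. As the stealth section explains, the comparison has to be run from clean boot media: a resident stealth virus would hand this check the original sector.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # classic MBR: boot code, then four 16-byte partition entries, then 0x55AA
PART_TABLE_OFF = 446
SIGNATURE_OFF = 510


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields an integrity check cares about from one raw 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    signature = struct.unpack_from("<H", sector, SIGNATURE_OFF)[0]
    partitions = []
    for i in range(4):
        # entry: status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": signature == 0xAA55,
        "partitions": partitions,
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
    }


def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """Differences between the sector read now and a baseline recorded from a clean boot."""
    current = parse_mbr(sector)
    problems = []
    if not current["signature_ok"]:
        problems.append("boot-signature-missing")
    if current["code_sha256"] != baseline["code_sha256"]:
        problems.append("boot-code-changed")
    if current["partitions"] != baseline["partitions"]:
        problems.append("partition-table-changed")
    return problems


def build_mbr(code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR image for the demonstration (filler, not real boot code)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, sectors)
    struct.pack_into("<H", sector, SIGNATURE_OFF, 0xAA55)
    return bytes(sector)


# Constructed clean image: NOP filler in the code area, one bootable partition of type 0x07.
CLEAN_MBR = build_mbr(b"\x90" * BOOT_CODE_LEN, [(0x80, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)

# Simulated tampering: the first 32 bytes of the code area have been overwritten.
TAMPERED_MBR = b"\xcc" * 32 + CLEAN_MBR[32:]

if __name__ == "__main__":
    print(BASELINE["partitions"])
    print(compare_to_baseline(CLEAN_MBR, BASELINE))      # []
    print(compare_to_baseline(TAMPERED_MBR, BASELINE))   # ['boot-code-changed']
```

On a real machine the sector comes from reading the first 512 bytes of the raw disk device; that read, and the baseline it is compared with, are only trustworthy when taken with the suspect system not running.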

Macro virus: a set of macro commands, specific to an application, which automatically executes in an unsolicited manner and spreads to that application's documents. According to the National Computer Security Agency (www.ncsa.com), macro viruses now make up two-thirds of all computer viruses. Macro viruses are particularly threatening for a number of reasons:
  1. A macro virus is platform independent. Virtually all of the macro viruses infect Microsoft Word documents. Any hardware platform and operating system that supports Word can be infected.
  2. Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of a document rather than a program.
  3. Macro viruses are easily spread. A very common method is by electronic mail.
Macro viruses take advantage of a feature found in Word and other office applications such as Microsoft Excel, namely the macro. In essence, a macro is an executable program embedded in a word processing document or other type of file. What makes it possible to create a macro virus is the auto-executing macro: a macro that is automatically invoked, without explicit user input. Common auto-execute events are opening a file, closing a file and starting an application. Once a macro is running, it can copy itself to other documents, delete files and cause other sorts of damage to the user's system. In Microsoft Word, there are three types of auto-executing macros:
  1. Auto-execute: If a macro named AutoExec is in the Normal.dot template or in a global template stored in Word's start-up directory, it is executed whenever Word is started.
  2. Auto macro: An auto macro executes when a defined event occurs, such as opening or closing a document.
  3. Command macro: If a macro in a global macro file or a macro attached to a document has the name of an existing Word command, it is executed whenever the user invokes that command.
A common technique for spreading a macro virus is as follows:
An auto macro or command macro is attached to a Word document that is introduced into a system by e-mail or disk transfer. After the document is opened, the macro executes. The macro copies itself to the global macro file. When the next session of Word opens, the infected global macro is active. When this macro executes, it can replicate itself and cause damage.
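A content checker can look for exactly the ingredients of this spreading technique. The Python below is an added example for this page, not a product's scanning engine: given the text of a document's VBA modules (as a macro-extraction tool would hand it over; the extraction step is assumed, not shown), it flags procedures named after Word's auto-executing macros, procedures that shadow built-in Word command names, and procedures that reference the global template or macro-copying facilities. The command list and hint list are deliberately partial, and the sample module is constructed for the demonstration.

```python
import re

# Word's auto-executing macro names and the document event handlers that fire on
# open/close/new without any user action.
AUTO_MACROS = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit",
               "document_open", "document_close", "document_new"}
# A few built-in Word command names; a macro carrying one of these is a "command macro"
# that runs whenever the user invokes that command (partial list, an assumption).
WORD_COMMANDS = {"filesave", "filesaveas", "fileopen", "fileclose", "fileprint", "toolsmacro"}
# Identifiers that commonly appear when a macro writes itself into the global template.
PROPAGATION_HINTS = ("normaltemplate", "organizercopy", "macrocopy", "vbcomponents")

# One VBA procedure: optional scope, Sub/Function, name, then everything up to the matching End.
PROC_RE = re.compile(
    r"^[ \t]*(?:private\s+|public\s+)?(sub|function)\s+(\w+)\s*\((.*?)^[ \t]*end\s+\1\b",
    re.IGNORECASE | re.DOTALL | re.MULTILINE)


def scan_vba(source: str) -> dict:
    """Map each procedure name to the reasons it is suspicious (empty list if none)."""
    findings = {}
    for match in PROC_RE.finditer(source):
        name, body = match.group(2), match.group(3).lower()
        reasons = []
        if name.lower() in AUTO_MACROS:
            reasons.append("auto-executing-macro")
        if name.lower() in WORD_COMMANDS:
            reasons.append("shadows-word-command")
        if any(hint in body for hint in PROPAGATION_HINTS):
            reasons.append("writes-global-template")
        findings[name] = reasons
    return findings


def verdict(findings: dict) -> str:
    """Quarantine when any procedure runs without user action or touches the global template."""
    return "quarantine" if any(findings.values()) else "allow"


# Constructed sample module text (not a real document's code).
SAMPLE_VBA = """
Sub AutoOpen()
    Call Spread
End Sub

Sub FileSave()
    Call Spread
End Sub

Private Sub Spread()
    ' flagged: writes a module into the global template
    NormalTemplate.VBProject.VBComponents.Import "module.bas"
End Sub

Sub FormatTable()
    Selection.Tables(1).AutoFormat
End Sub
"""

BENIGN_VBA = """
Sub FormatTable()
    Selection.Tables(1).AutoFormat
End Sub
"""

if __name__ == "__main__":
    result = scan_vba(SAMPLE_VBA)
    print(result)
    print(verdict(result))            # quarantine
    print(verdict(scan_vba(BENIGN_VBA)))   # allow
```

The design choice to quarantine rather than block outright follows the page's own recommendation: a legitimate AutoOpen that sets up a template is common enough that an authorized person should make the final call.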

Email virus: A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated; then:
  1. The e-mail virus sends itself to everyone on the mailing list in the user's e-mail package.

  2. The virus does local damage.
Worms

Can one IP packet cripple the Internet within 10 minutes? On January 25th, 2003 the "SQL Sapphire/Slammer" worm caused more than 1.2 billion US dollars of damage: 70% of South Korea's network was paralyzed, 300,000 ISP subscribers in Portugal were knocked offline, 13,000 Bank of America machines were shut down, and Continental Airlines' ticketing system was crippled.

Figure 6 SQL Sapphire / Slammer Worm


Worm (n)
[From ‘tape worm’ in John Brunner’s novel “The Shockwave Rider “… ], A program that propagates itself over a network, reproducing itself as it goes … [Jargon Dictionary]

A worm is also self-replicating, but it is a stand-alone program that exploits security holes to compromise other computers and spread copies of itself through the network. Unlike viruses, worms do not need to parasitically attach to other programs. Because of the recursive structure of this propagation, the spread rate of worms is very fast and poses a big threat to the Internet infrastructure as a whole.
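The "recursive structure" of that propagation can be worked through numerically. The Python below is an added example for this page, not taken from the sources it cites: it steps the standard random-scanning epidemic model, in which every infected host probes random addresses and each probe finds a still-uninfected vulnerable host with probability (vulnerable - infected) / address_space. The population and scan-rate figures are illustrative assumptions, not measurements of Slammer.

```python
def simulate_random_scan_worm(vulnerable: int, address_space: int, scans_per_sec: float,
                              initial: int = 1, seconds: int = 600) -> list:
    """Infected-host count per second for a worm whose copies all probe random addresses.
    Each second every infected host makes scans_per_sec probes; a probe becomes a new
    infection with probability (vulnerable - infected) / address_space, so growth is
    exponential at first and levels off as the vulnerable population is used up."""
    infected = float(initial)
    history = [infected]
    for _ in range(seconds):
        new_infections = infected * scans_per_sec * (vulnerable - infected) / address_space
        infected = min(float(vulnerable), infected + new_infections)
        history.append(infected)
    return history


def seconds_to_fraction(history: list, vulnerable: int, fraction: float):
    """First second at which the given share of vulnerable hosts is infected, or None."""
    for t, count in enumerate(history):
        if count >= fraction * vulnerable:
            return t
    return None


# Illustrative assumptions: a vulnerable population of 75,000 hosts somewhere in the
# IPv4 space, a fast worm probing 4,000 addresses per second per host, a slow one probing 10.
VULNERABLE = 75_000
IPV4_SPACE = 2 ** 32


def fast_scenario() -> list:
    return simulate_random_scan_worm(VULNERABLE, IPV4_SPACE, 4000)


def slow_scenario() -> list:
    return simulate_random_scan_worm(VULNERABLE, IPV4_SPACE, 10)


if __name__ == "__main__":
    fast = fast_scenario()
    print("90% infected after", seconds_to_fraction(fast, VULNERABLE, 0.9), "seconds")
    print("slow worm after 10 minutes:", round(slow_scenario()[-1], 1), "hosts")
```

The model shows why the 10-minute figure in the opening question is plausible: with the fast parameters the infected count passes 90% of the vulnerable population in a few minutes, while a worm probing a few hundred times slower barely moves in the same window. For defenders the lesson is that containment has to be automated; no human-in-the-loop response operates on that timescale.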

Worm Anatomy

  • Mark: structurally similar to viruses, except a stand-alone program instead of a program fragment
  • Infection mechanism: searches for weakly protected computers through a network (i.e., worms are network based)
  • Trigger: the conditions for delivering the payload
  • Payload: might drop a Trojan horse or parasitically infect files, so worms can have Trojan horse or virus characteristics

Figure 7 Worms Anatomy: Mark (optional), Infection Mechanism, Trigger (optional), Payload (optional)
 
