November 20, 2009
Vol. 31 Issue 28
Page(s) 36 in print issue
Deal With Stubborn Viruses
Stop Them From Recurring
What’s more annoying than a virus outbreak? The recurrence of a virus outbreak.
• Be knowledgeable of the viruses and threats out there and have the appropriate tools to combat them.
• Browsers and databases for Web sites are increasingly threatened by new kinds of malware, such as “malvertisements” and SQL injection.
• Stubborn viruses often re-emerge because they’re designed to take advantage of human error, such as not disconnecting infected machines from the network or not installing needed security patches.
After antivirus tools are installed, malware prevention and cleaning is often out of sight, out of mind for busy IT managers who have more pressing problems. But viruses thrive in environments where they’re the last thing on anyone’s mind.
Malicious code has diversified from the early days when viruses primarily spread by opening attachments in emails. Not only have hackers developed many infection routes, but they have also learned how to make malware that can hide in unexpected places to escape detection. That’s why antivirus software is only the beginning of keeping your data center healthy and stable.
Viruses To Watch Out For
Certain types of malware are more likely to hang around than others. For example, there’s Conficker, which spreads by way of machines that haven’t had the latest security patches. It also looks for machines that have weak passwords, open network shares, and removable devices. It’s especially annoying because its multiple infection vectors make repeat infections likely.
“If just one machine or device on the network is left uncleaned after an outbreak, this can easily lead to reinfection, unless all of the infection vectors have been meticulously plugged during the cleanup process,” says Mark Yason, researcher for IBM Internet Security Systems’ X-Force Research Team (xforce.iss.net).
Databases for Web sites are a preferred target for hackers these days. Troj/Mbroot, a Trojan horse that hides in the boot sector and uses a rootkit to evade security software, often exploits vulnerabilities in the Web browser to install malicious code. Because large database files aren’t always targeted for scanning by antivirus software, this kind of infection is often visible only when visiting the Web site.
“Data centers that include back-end databases for Web sites may find that security flaws in the Web application design have allowed criminals to add malicious code to the database using a technique known as SQL injection,” says Richard Wang, manager at SophosLabs US (www.sophos.com).
Bots are another type of malware that usually perform malicious criminal activity with your network’s help. They send spam, host illicit Web sites, and distribute denial-of-service attacks. It’s important to check for these programs after a Trojan horse infection, because sometimes Trojans are just the first step in a sophisticated attack.
“Many Trojans simply exist as a kind of ‘first rung’ to download and install additional sophisticated (or targeted) malware, such as bots or password stealers,” says Aryeh Goretsky, a researcher for ESET (www.eset.com), a provider of antivirus software.
Routes To Shut Down
“While cleaning an infection is largely a technical matter, remaining clean is largely a policy matter,” Goretsky says. That means that once the data center is virus-free, the best offense is a good defense. Thus, SMEs should keep some of the following security practices in mind.
For starters, you shouldn’t allow the use of removable media in the enterprise, or at least make sure that antivirus software is configured to scan it. You should also disable autorun on removable media, as “it’s now used as a vector by about 22 to 24% of the malware we see,” Goretsky says.
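The autorun advice above can be audited and enforced with a short script; the following is an added example, not part of the original article, and assumes a Windows host and an elevated PowerShell session. It reads the machine-wide NoDriveTypeAutoRun policy value, reports whether autorun is excluded for every drive type (mask 0xFF), and sets it if not.

```powershell
# Added example (not from the article): audit and enforce the machine-wide
# autorun policy. Assumes Windows and an elevated shell.
# NoDriveTypeAutoRun is a bitmask of drive types excluded from autorun;
# 0xFF excludes every drive type, which is what "disable autorun" means here.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives = 0xFF

function Get-AutorunPolicy {
    # Returns the current mask, or $null when the policy value is not set
    # (in which case the operating system default applies).
    $item = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' `
        -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutorunDisabled {
    # Only a mask that covers every drive type counts as fully disabled.
    $value = Get-AutorunPolicy
    return ($null -ne $value) -and (($value -band $AllDrives) -eq $AllDrives)
}

function Set-AutorunDisabled {
    # Create the Policies\Explorer key if absent, then write the DWORD value.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value $AllDrives `
        -PropertyType DWord -Force | Out-Null
}

if (Test-AutorunDisabled) {
    Write-Output 'Autorun is already disabled for all drive types.'
} else {
    $current = Get-AutorunPolicy
    $shown = if ($null -eq $current) { 'not set' } else { '0x{0:X2}' -f $current }
    Write-Output ("Autorun policy is {0}; setting NoDriveTypeAutoRun to 0xFF." -f $shown)
    Set-AutorunDisabled
}
```

The same value can be deployed domain-wide through Group Policy; the script is useful for spot-checking hosts after a cleanup, when a missed machine is the usual reinfection route.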
Remove insecure legacy operating systems (such as Win95) that manufacturers no longer support, as well as legacy applications that require administrative access to run, write to system folders, or otherwise do not follow the operating system vendor’s guidelines for secure coding.
Goretsky also recommends that SMEs implement a Least Privilege Security model, where employees can only run the applications needed to do their jobs; cannot install, update, or disable software on their computers; and have limited Internet access.
When dealing with requests for new software or access to Web sites, respond quickly—even if the answer is no—to discourage users from bypassing security. Monitor network traffic to have an idea of typical usage patterns within the company, and look for excessive spikes that could indicate unusual behavior.
Antivirus Products: What to Look For
Like our own immune systems, antivirus software is quite effective against familiar viruses and not necessarily so effective against new and unfamiliar ones. Emerging threats are scarier than established ones, because they have an easier time escaping detection. But the best products have tools to detect viruses they don’t recognize.
“Any good anti-malware solution will include rootkit detection, and many companies also offer free anti-rootkit tools for anyone to use,” says Wang.
Antivirus products that have good heuristics detection capabilities will also recognize potentially malicious code before it has a chance to propagate.
The best antivirus products also have a lot of technical support. When considering a tool, check out the provider’s support pages; the more thorough they are, the better. “Often, antivirus and operating system vendors’ technical support departments can tell you about specific steps to take (or patches you can apply) to prevent a particular piece of malware from re-establishing a foothold within the organization,” says Goretsky.
Temptations To Avoid
Unfortunately, in many cases, it’s not the brilliance of the code but the laxness of the response that allows viruses to re-emerge and do more damage. For example, sometimes the IT staff doesn’t disconnect infected machines from the network before cleaning them, and the virus finds its way to another server while the first is being cleaned.
At other times, inconvenience or other factors motivate IT staff to skip patches. “When some patches are applied, legacy systems don’t work, which means the staff person has to skip a patch in order to get those programs to work,” says Murat Kantarcioglu, Ph.D. and assistant professor of computer science at the University of Texas at Dallas.
In fact, IT staffs sometimes merely disable malware instead of removing it outright because of the inconvenience involved in shutting down the machine and disconnecting it from the network for thorough cleaning. This is never a good idea, warns Wang.
“Repeated warnings about the malware you know about may cause you to overlook warnings about new malware that arrives later,” he says. “The malware may also be a symptom of a larger problem, such as out-of-date security patches. Disabling should be considered a temporary measure in cases where malware removal must wait until an interruption in service is manageable.”
Finally, don’t let grumbling tempt you to compromise on security. Increased security is often going to mean decreased convenience. “If a company has never deployed antivirus software before, they may see a performance hit of 10 seconds a day caused by overhead from the scanner initializing at bootup,” Goretsky says.
“That’s still less than a minute a week, or an hour a year, and a loss like that might be more than made up by blocking access to entertainment, news, sports, and Webmail sites. There may be some grumbling at first about slower computers or blocked Internet access, but all it takes is one infected USB flash drive or Web site malvertisement to introduce hostile code to every computer on a network.”
There are no shortcuts when you’re building a fortress. Weak passwords, giving in to grumbling about performance due to security software, and other lapses in otherwise strong security policies can create reinfection routes.
by Holly Dolezalek
Top Tips
• There’s more to antivirus costs than licensing. Antivirus software often sells by the license, but there are also maintenance costs such as renewal and per-incident support if it’s chosen instead of a package deal. There are also training and education costs. “Be sure to factor these in when making a decision about how much security the organization needs,” says Aryeh Goretsky, a researcher for ESET (www.eset.com).
• A good antivirus defense contains many layers: a firewall, antivirus software, patches, strong passwords, and encryption. “Your databases should be stored in an encrypted format so that even if a virus successfully compromises it, the data it steals will be encrypted,” says Murat Kantarcioglu, Ph.D. and assistant professor of computer science at the University of Texas at Dallas.
• Knowing how a virus is spreading is key to stopping it. This information is available on antivirus software vendors’ Web sites.
• At least on the desktop, manual virus cleaning is sometimes too time-consuming to be worth it. For this reason, Tyler Reguly, senior security engineer for nCircle (www.ncircle.com), suggests rolling out a clean image instead of manually cleaning desktops. “Certain pieces of malware could be cleaned with a scan, and others could be cleaned with manual tools we’d created, but at the end of the day it was always best to reinstall the system.”