Briefing Paper: Best Practice Report on Virus Management by Paul Grosse

Briefing Paper: Best Practice Report on Virus Management

by Paul Grosse - May 2000

Introduction

The definition of a virus is a very simple one, being a piece of code that can replicate itself under its own control. If it cannot do this, it is not a virus. This ability usually takes the form of a code segment attaching itself to an executable file of some sort. The worms that have been attached to e-mails in recent outbreaks are also viruses as they are capable of replicating under their own control but a subtle difference between a worm and a normal virus is that the worm is completely self-contained and does not need a piece of host code, such as an executable file, to infect. However, all viruses, whether they are worms or not, need an environment in which to replicate and that is where they pose a threat to the security of individuals, organisations and companies alike.

Computer viruses display some of the epidemiological characteristics of biological infections although there are two key differences that are worthy of note:

Biological infective agents are a result of millions of years of evolution and are the result of chance, whereas computer viruses are the result of deliberate design - the chance being sufficiently remote for such code to have come into existence spontaneously in such a short period of time; and,
The payload in biological infective agents is there purely to propagate the species with, for example, a sneeze effecting the spread of the organism. In examples where a biological virus is lethal, this property is usually the result of the virus jumping a species boundary as there is nothing to be gained in terms of evolution by killing the host. In the case of a computer virus, the focus of the payload is to do harm to the host machine or its data and this code is not required for its propagation.

There are some similarities between the way that biological infective agents and computer viruses propagate - an understanding of these can aid with strategies for defending computer systems:

Infective agents that do little apparent damage to start with generally go undetected for a longer time and therefore stand a greater chance of spreading before they are found out and eradicated. If a virus only occasionally changes a little bit of data, perhaps using the date stamp on files to work out which file changes are least likely to be detected, a system and all of its back-ups can become corrupted before the infection is detected. The AIDS virus in humans is an example of a slow-acting virus, spreading globally and infecting millions;
Infective agents that kill their host quickly do not have much of a chance to spread. The Ebola virus is a famous example that kills its victims in a very short time and usually only gets a chance to kill a few tens of people. The only way that Ebola could spread over a large area would be if it could infect individuals that travel far and fast, passing on the infection before they succumb to its effects. The recent Internet worm incidents show how a dangerous infective agent can disperse effectively if it gets the opportunity to move quickly.
Infective agents that change their appearance each time they infect better survive detection strategies as the defence mechanisms in place are never certain of what they are looking for. The Influenza virus is one such example in real life and this strategy is mirrored in computers in the form of polymorphic viruses;
Infective agents that use different mechanisms to spread, lead to a number of different epidemiologies;
Systems that are bombarded with new strains have a higher probability of becoming infected; and,
Breaking the chain of infection precludes infection.

Strains of Virus

For a virus to replicate and disperse, it must be able to take control of and exploit an environment that allows the execution of its code in full, otherwise it will not function correctly. Once this process is complete, control is returned and the user will suspect nothing unless the virus is designed to give away its presence. Dispersal is usually via the user copying infected files innocently to transfer onto other machines either using floppy discs or a network. However, some viruses are programmed to transmit copies of themselves by appropriating the user's e-mail address book and sending copies of itself as an attachment to the first twenty contacts. This strategy is limited by the proportion of the user population that uses a virus compatible e-mail program that is set up in its effectiveness the way that the virus needs it to be.

Viruses can be written on a number of levels, ranging from processor-specific machine code and assembler, through C, Java and Turbo-Pascal, to high level scripts that can be run in backward compatible programming environments that are supported on a number of different platforms - examples being word processors and spreadsheet programs. These are designed so that they can read documents or worksheets from previous versions and in this way, they can also read and execute the viruses that the files contain.

Some viruses take advantage of peculiarities of the operating system to trick the user into thinking that the file is not dangerous. For example, the I-LOVE-YOU worm was sent by itself to people as an e-mail attachment in a file that appeared to be a text file. The operating system allows the user to suppress file extensions that the system recognises and if the system is configured to recognise Visual Basic Script files, this extension is not displayed, leaving the .TXT extension and giving the user the impression that the file is nothing more than a plain text file. If the file is dragged and dropped into Notepad, the true nature of the file becomes apparent but if the user double clicks on the file, it executes. Users should always be wary of the implications of opening unsolicited attachments and he should ask himself why his manager appears to have sent them a mail saying that he loves him.

Apart from worms, computer viruses come in a variety of forms which can be divided up into six categories: Boot Sector Viruses; Parasitic Viruses; Multi-partite Viruses; Companion Viruses; Link Viruses; and, Macro Viruses.

Boot Sector Viruses infect the boot sector of a disk, forcing the system to execute the virus code before the system's whenever the computer is booted up. They install themselves in memory and remain there until the computer is switched off - infecting all disks that are used by the system in the mean time.
Parasitic Viruses infect executable code such as EXE and COM files although there are many types of executable file that may be infected on any reasonably complex system. Similar to boot sector viruses, they run before the main program does thus ensuring that they infect the system. When EXE files are compiled, there is usually an abundance of unused space in the file and the virus either inserts its code in some of this free space or appends itself to the end of the executable file. It places a vector in the first part of the executable so that it is run first, then returning control to the original program. There is little point in rendering the executable totally useless as the user would replace it with a functioning, uninfected version thus stifling the virus.
Multi-partite Viruses infect both the boot sector and EXE and COM files and benefit from both worlds.
Companion Viruses exploit an artefact of the DOS command line interpreter, that is to say that if the extension of a file is not specified on the command line, the operating system will, first of all, look for the file name with the COM extension before looking for an EXE file. Thus, the companion virus is loaded up first, executes itself (looking around where to plant suitably named copies of itself) and then loads up the EXE file that the operator thought he had loaded in the first place. When a system is infected with a companion virus, the virus does not alter the EXE file in any way, it merely adds itself to your system. If the virus does not carry a payload the user will be oblivious to its spread - the only long term problem being that the drive fills up with COM files.
Link Viruses link the pointer of the directory entry of one or more executable files to a single cluster that contains the virus code, the original location of the start of the file being stored in spare space in the directory entry. When an infected file is copied, the memory resident virus passes the file information to the copy command as though it was looking at a normal file, although the file that is passed is infected. When a disk with a link virus is scanned on a machine that has already run the link virus, it covers its existence by passing what appears to be the uninfected file to the virus checker thus making the machine look clean.
Macro Viruses are essentially pieces of high level macro language code that infect their environment and any file they choose, outside the control of the operator. The code can be written by anybody who is familiar with enough of the macro language in question and as long as the functionality is included within the subset of functions offered by the environment, the virus will function. If a particular word processor or spreadsheet macro language will permit macros to stay in the program's environment between documents or spreadsheets, it can infect other work and spread. If the macro language permits macros to format your hard drive then there is the possibility that a macro virus will do it for you. Being written in a high level language means that they can take on many forms, be modified by the novice and still function as a virus (it is worth noting that it is thought that a large number of macro viruses originate when a curious user encounters a virus for the first time and wonders how it works and how the virus detector finds it, changing it until the detector doesn't detect it, then realising what they have done). New releases of word processors and spreadsheets are usually backward compatible with previous viruses.

In addition to these types, consideration should be given to polymorphic viruses and stealth viruses. Polymorphic viruses hide from virus scanners by encrypting themselves using a different key each time they infect a file and any of the above types have the potential for encryption somewhere in the code. Stealth Viruses take measures to ensure that once they are installed in the computer's memory, they will not be detected.

Symptoms of infection

Some symptoms of virus infection are:

Increase in the length of files although some viruses infect files without changing the length by making use of spare space within the file. Note that companion viruses do not even infect the file, just the disk.
Changes in date/time stamps and other attributes. However, many viruses make a note of the existing date/time stamp and other attributes, infect and then use a system call to change them back resulting in no change therefore it cannot be stated that a file cannot be infected just because the date/time stamp is correct.
Non-standard screen activity including non-standard error messages. Asking the user to pick a number between 1 and 6 or the hard drive becomes useless is definitely not normal.
Unanticipated drive writes. Many drives check themselves automatically and multithreaded operating systems will have a number of processes going on in the background so seeing the drive light flicker is not necessarily that reliable. However, it is better to ask someone than to ignore it.
Program and system dysfunctionality. The operating system performs worse than it normally does - less memory available, lower disk performance - programs seem to take even longer to run, perhaps delayed at the beginning or maybe not run at all. Again, multithreaded systems or programs that use many Dynamic Linked Libraries (DLLs) may tend towards behaviour like this normally.
Bad sectors appearing on disks. Disks usually perform very well with only a slight increase in bad sectors after several years with the computer usually being scrapped before any new ones appear. However, suddenly having several appear can be a sign that something serious is starting to happen to the disk physically or in some cases that sectors are being marked bad so that they can be used for something else by a virus.

Detecting and preventing infection

Anti-virus software packages have a number of strategies available and the better ones will give the administrator a choice of which ones to use. Each strategy has its own advantages and disadvantages:

Virus scanners compare the contents of all appropriate files against known fingerprints. This type of detection is particularly suited to perimeter defences such as at a firewall, examining all mail attachments and FTP transfers before they enter a site. Scanning has the advantage that viruses may be detected before they have a chance to do any harm although, in order to remain effective, the database of fingerprints has to be kept reasonably up-to-date - this being particularly appropriate when a worm is let into the wild and travels around the Internet as an attachment for a few days. As part of their contract, many anti-virus vendors provide online access to fingerprint updates via the Internet or other dial-up services. In this way, the user can be reasonably certain that files that appear to be clear are clear. Scanner fingerprints are designed so that they do not show up false positives although there are some problems with viruses that are compiled from high level languages as the compiled code contains many of the same structures as legitimate programs and if virus writers pass the source code around, different versions of the virus can be prepared by using different compilers.
Heuristic analysis involves monitoring the system for certain types of behaviour that could indicate the actions of a virus. Such things include unusual and suspicious calls to the operating system such as format the hard drive or reset the machine. This type of analysis is capable of leading to the detection of viruses before they have been reported to the anti-virus vendors.
Integrity checking compares a newly calculated checksum of a file against an old checksum and looking for any changes. The strength of this method is that it not only looks for the type of changes that viruses do when they infect an executable file but in addition, it identifies changes in other types of file. Files that are changed frequently fall outside its scope but many files do not and it is these files that can indicate the presence of virus activity. One main flaw with this type of checking is that the original checksums must have been done on a clean machine as changes caused by viruses can be hidden by viruses if they were present before the checksum was calculated.

Between 300 and 600 new viruses appear each month and there is also the occasional glitch when thousands of viruses are added to the list. As a result of this, the amount of time that it takes to scan for all known viruses increases as well - it is not a particularly good idea to scan only for those viruses found in the wild, ignoring the rest, as one could make it onto the list and be ignored. Taking this into consideration, scanning techniques are often used as: on-demand; or, on-access.

On-demand scanning relies upon the user to be vigilant, scanning any new files as they are loaded or downloaded onto the machine. Any unauthorised software or file attachments not being scanned in this way can therefore corrupt the integrity of the system. In contrast to this, on-access scanning looks at any file as it is used and as a result, this slows down the system if many files are used. The main advantage of on-access scanning is of course that it does not require the user to make any decisions. In order to minimise the impact upon system performance, some on-access scanners use checksums to determine whether or not a file has changed - this is based on the assumption that if it has not changed and it was clean before, it should still be clean. Like check summing itself, the weakness in the system is the state of the system when the original check summing was carried out.

A number of anti-virus products provide automated or optional removal of the virus from infected files. To do this, a file needs the virus code removing and the vectors that pointed to the virus code need pointing back to where they used to point. Although this can work well, the exact nature of the modifications that the virus originally made need to be known and in some cases, this cannot be known for sure. As some viruses damage files in such a way that they cannot be repaired automatically, a policy of not repairing but instead, replacing infected files should be adopted as this is the safest route.

Some virus checkers offer to inspect compressed files on a local machine or, at the firewall where decompression of a file before virus inspection would use up too much processor power, causing an unacceptable loss of performance whenever a large number of compressed files went through it. Sometimes, compression will hide viruses from the scanners and a situation arises where the user population is under the impression that a file is safe because it was scanned when compressed - this leads to a state of complacency that is potentially more dangerous than not scanning compressed files in the first place. In recognition of this, some virus scanner vendors have ceased to support the scanning of compressed files.

Breaking the chain

As has been stated earlier on, for a virus to be able to replicate and disperse, it needs to find an environment that allows it to do these two things - if you deny the virus either of these factors, it cannot infect your system.

With the size and speed of computer networks growing, the opportunity for code and data to make its way onto company systems has increased substantially. One of the best lines of defence against Internet-born viruses is a firewall but unfortunately, a recent study showed that around four out of every five UK companies does not use a firewall with the figure for the USA not being that much better. Internal and external network connection speeds approaching the Giga-bits per second range allow data to be transferred between workstations in ways that defy all sensibility with regard to security. To the end user on an unprotected system, with the obscurity of his IP address apparently offering enough security against directed attacks, the user has access to anything and everything in an instant. Unfortunately, this also allows everything else, including viruses, instant access to the resources on the network.

Where a firewall is used, advancements in technology have led to a situation where the hacker is finding it increasingly difficult either to break into a site or to sniff and spoof established sessions, substituting data packets with malicious code. It is, of course, possible that code that travels across the Internet intact may be infected with viruses - second generation firewalls check for this type of content and, when instructed to, third generation firewalls do is as well. However, firewalls can only look at the data that passes through them and, possibly due to the strength of firewalls, most attacks on systems now depend upon surprise or originate from within the firewall boundary.

Having direct, internal access to the system, the authorised user population poses the greater threat but this problem is difficult to define and control as it presents itself in so many ways:

Unauthorised software poses a significant threat to the security of the system. The usual idea that people have is unfortunately prejudiced to the point of inducing complacency in security staff. The software that is most likely to find its way onto a system is games software from magazines as CD ROMs are easy to carry around but even when taking into account an outbreak around two years ago, caused by a virus accidentally being included on a magazine cover CD ROM, this is not the main culprit - magazines are usually careful as they do not want the reputation that goes with this type of event. An ideal vector for a virus is a program that cannot be traced but that is used many times - the disclosure that one major international company had shift supervisors running their own hard core pornographic software on computers overnight serves to illustrate the point. It is likely that these programs were never logged in any company software audit. The solution is to use on-access virus scanning that the user cannot turn off and, if possible, log every executable file that a user runs.
Service engineers pose a greater vector threat as they visit many machines that, for some reason, are not working as they should. They insert their diagnostic diskettes into these machines and then into yours. Again, on-access virus scanning is the best method but it must be appreciated that service engineers carry a great deal of authority and can convince curious users that running a machine without protection in place is acceptable if it is for a service engineer. Therefore, it is recommended that service engineers should be escorted around a site by someone from systems who knows what they are doing.
Executables files or files containing executable code as e-mail attachments, including documents and spreadsheets, pose a particular threat as they may contain viruses or worms. Although the attachment needs to be run to have any effect, the user may be tricked into running it by accident so it is better to scan everything entering a site for viruses before it has a chance remembering that it only needs to happen once.
Word processor and spreadsheet macro viruses are a product of a richly functional environment that usually provides access to disks and network objects. They are written in a high level language that is easy to modify without compromising the functionality of the code. It is possible for a user to make a functioning virus that the checker will not detect just by tampering with the code so it is important to encourage staff to report viruses and then wait for someone from systems to turn up instead of having a go themselves. However, the best medicine is prevention and macro viruses can be pre-empted by transferring data in a form that cannot carry a virus - documents should go in plain text or, if formatting is required, Rich Text Format (.RTF). People who specify that documents should be sent in a format that allows viruses need to pay more attention when they go on computer security courses. Unfortunately, some companies use the highly functional scripting environment to customise menus so that programs have a corporate appearance. Such vanity is not worth the extra risk. The simple rule "if it can't be said without scripting then it isn't worth saying" should be applied wherever possible.

The Future

As has been said before, a virus needs to have an environment in which it can replicate and a means of dispersing. Technologies that allow the user to interact with a network such as the Internet, processing and transmitting the user's information are already in use and subject to virus attacks. The usefulness of computers has been adapted to making them mobile with PCs taking on the form of the laptop and notebook, connected to the Internet using mobile phone technology. However, these are only slight variations of the PC and sooner or later, someone will write a virus aimed specifically at a PDA (Personal Digital Assistant).

One of the biggest markets is in mobile phones and using WAP (Wireless Application Protocol) technology, currently in its early stages of development, users can access e-mails and browse specially developed parts of the Internet to obtain access to share prices, sports results and so on. WAP phones use WML (Wireless Mark-up Language) which is to a WAP phone what HTML is to a browser. It is based on XML, and although similar in syntax to HTML, it is much more like XML. Just like HTML and XML, WML is read and interpreted by a browser built into the WAP device. For WAP devices, the browser is commonly called a micro browser. The capabilities of the micro browser is of course limited to the capabilities of the WAP device. However, larger displays, larger memories and a functionally developing scripting language that is aimed at providing the functionality that the user population demands may make WAP phones susceptible to some form of virus invasion in the future.

Conclusion

Staff need to be made aware of security issues and should be sent on a computer user responsibilities course but whilst this is worthwhile in terms of making them more aware of the dangers and informing them of the appropriate course of action should anything untoward happen, you should not expect them to behave any differently afterwards. Attacking or threatening staff with disciplinary action will only drive any problems underground which, in turn, will make your job harder and prejudice the security of the system. For any policy to be effective, it should be easy to implement and largely automatic - these attributes being part of the solution provided by the major anti-virus products available today.

One interesting strategy is to recognise that many of your employees will have a computer of their own and that it is inevitable that at some stage, one of them may bring some software onto the company's site - possibly even with the permission of the IT department. The solution to this is to issue all employees that have computers with regularly updated anti-virus software for their own personal use, free of charge to them - legally of course. This has the twofold effect that: users become well trained in the use of anti-virus software without the company having to send them on refresher courses; and, that if they ever do bring anything into work, it is more likely to be free of viruses.

The various anti-virus strategies: virus scanning; heuristic analysis; and, integrity checking, tend to support each other but it must be appreciated that no single solution is perfect as a complete solution. In response to this, it is advised that a mixture of solutions is employed. A method of on-access detection on the client machines should be deployed with the automatic updating of any virus signatures as they appear. Checking all in-bound mail and file transfers for viruses is a must and, to comply with moral, if not legal requirements, all out-bound mail should be checked as well - files for FTP to remote machines should be checked for viruses when they are stored on the server (which should be checked periodically) and hash values for files and possibly digital signatures should be used for clients to verify that the file has remained unchanged since it was signed.

As always, one luxury that cannot be afforded is complacency. Making checksums on a machine that is already infected is not reliable. Checking only compressed files is not good enough as some viruses can be hidden by the compression technique and the encryption of any compressed files will hide everything any way. Relying entirely on only one virus checker is also too complacent as, although they may well score 100% in the tests, some viruses are aimed at specific checkers and the one that you pick could be vulnerable - using two reduces this chance significantly and three is recommended.

Back to the Internet Security Index

Back to the Index