By Dancho Danchev
The recent MyDoom Worm successfully infected enough victims in order to shut down SCO's web site, followed by new variants that targeted Microsoft's web site. This paper isn't intended to discuss the motives of the author, instead it will help you understand how worms enter your network, how you can block them before they even reach your internal network, and how to act in case they get in.
Latest Malicious Code Events
Yet another worm is in the wild. As usual the media quickly picked up the story and turned it into another "ILOVEYOU" industry. But why do I use the word industry? Basically, because such large scale security implications for the Internet usually create a "marketing window" opened for security companies and anti-virus vendors who quickly start capitalizing on them by placing sponsored links or offering clean-up tools on their web sites, and as long as information and removal tools are free for an accident like this, there's nothing wrong with that. But there's something else to consider, it keeps happening again and again, and still nothing changes. The scenario repeats itself, over and over again; another worm is in the wild, exploiting a recently discovered vulnerability in a popular software, or relying on nothing more than peoples' naivety. The recent MyDoom Worm successfully infected enough victims in order to shut down SCO's web site, followed by new variants that targeted Microsoft's web site. This paper isn't intended to discuss the motives of the author, instead it will help you understand how worms enter your network, how you can block them before they even reach your internal network, and how to act in case they get in.
Why it's getting worse?
Sense of anonymity
A couple of years ago the Internet was quite an anonymous environment, even the novice Internet user knows that once connected he/she can send anonymous e-mails, chat or visit web sites without having to worry about his/her privacy. Malware authors are believed to be advanced computer users, and with minor exceptions they're aware of how the Internet works, thus they believe they can be anonymous while doing their job. What motivates them the most is the lack of cooperation, even understanding between law enforcement officials and the ISPs worldwide. Another factor that deserves serious attention is the lack of computer crime laws in the author's home country, no matter what you do, you won't get busted. Out of my personal observations of such countries, I can say that malware authors or hackers try to maintain a balance and preserve this situation for as long as possible by not damaging or attacking their country's computer networks, although they're aware that laws are going to be implemented sooner or later. All of these and many other factors only contribute to the increasing number of malware authors around the world.
Increasing "How To Hack" resources
The Internet can't be controlled, but it can be proactively monitored. During the past two years, a large number of countries joined the Internet (and more are expected to join), which soon they'll start creating local hacking scenes, papers on how to hack and how to code a virii/worm. It's part of the Internet and no matter how scary it may sound to the novice Internet user, this information is out there for free. You can't stop its dissemination, but you can monitor where it starts to disseminate from. Does the originating country has computer crime laws etc.?
How do worms hit your network?
The majority of Internet Worms spread through the Internet's most popular (and most abused) communication service - the e-mail. The company's e-mail is one of the first entry points for malicious software and social engineering attacks, so its security should be reasonably discussed.
You're strongly advised to keep the confidentiality of your company's e-mails as protected as possible, thus you'll significantly limit the amount of malware entering your network. Establish an e-mail policy pointing out that the company's e-mail, should be used for business purposes only, not for personal use, it should not be used for posting in USENET groups and forums. You might also regularly search the Internet for exposed company's e-mails, or hire a company to do this.
Instant Messaging Software
Are such programs allowed on your network? Then they represent a threat to your entire anti-malware strategy, because they only go through the desktop's anti-virus software, let's not mention the level of trust established between the staff member and the other party, it's much different than the one established through e-mails. If such software is allowed, receiving attachments of any type should be forbidden. But honestly, does the use of Instant Messaging Software making your staff more productive?
Extremely dangerous in the hands of an inexperienced staff member due to the fact that the majority of worms spread on such networks as well. Block the installation and use of such programs because they're in no way going to do any good for your company, but waste time and bandwidth.
Hostile Code at the Desktop
A large number of attachments that are dangerous and unrelated to any of your business functions can be blocked at the server level. Who needs to receive .exe .com .bat or .vbs from a fake e-mail, an e-mail that doesn’t' even resolve properly? Blocking a worm that's spreading in the wild, can be done by matching the MIME encoded attachment for the most popular extensions. These are often provided by anti-virus vendors, or system administrators can analyze received messages to accomplish the task.
Building awareness among the staff members
The staff members should be aware of the dangers posed by receiving an e-mail, even from a known person containing attachments and messages that are unknown and unrelated to their business work. Something else they should keep in mind is not to open an attachment that appears to have been bounced back to their e-mail. "I don't remember sending anything like this, it's not related to me, or probably it's a virus" should become their mode of thinking when receiving such e-mails.
The benefits of the e-mail as a tool for communication are indisputable, so are the high number of threats posed by its existence. The fight with malware should start at your ISP, next are your external servers, then it's the desktop. But the most important aspect, in my opinion, is the awareness that should be built among all the staff members.
Malware will continue to pose a serious threat to your networks as soon as you haven't taken the appropriate measures to limit them, namely staff education, security awareness programme and close cooperation with your ISP.
Dancho Danchev is a Security Consultant at Frame4 Security Systems since 1999. His responsibilities at Frame4 are mainly consultancy, implementation of security solutions, research and development of marketing concepts. Following his work at Frame4 Security Systems, he's currently a managing director of Astalavista.com and a consultant at WindowSecurity.com.
Click here for Dancho Danchev's section.