Protecting Your Computers From Invaders

March 1, 2004
Systems security specialists tell how to fend off deadly virus attacks by Bill Musson and James Hukill, Jr.
Antivirus-software powerhouse Symantec offers tips for keeping viruses, worms, and Trojan horses at bay

BY BILL MUSSON AND JAMES HUKILL, JR.

Most people who use a computer and the Internet for business or personal activities are familiar with the havoc that computer viruses can wreak. These programs often make news headlines and are capable of everything from annoying computer users to costing corporations millions of dollars in lost time, destroyed information, and other damage to digital assets. The first step in protecting against that damage is to understand exactly what a computer virus is and how it behaves.

A computer virus is a program that replicates by inserting or attaching itself to other programs or media and that can disrupt a computer system's normal operation. Viruses come in both benign and malignant varieties. Some are programmed to damage programs, delete files, or reformat the hard disk; others are not designed to do any damage but simply to replicate or to announce themselves with a text, video, or audio message. Much like biological viruses, computer viruses spread at varying rates, and they can be polymorphic or metamorphic. A polymorphic virus encrypts its body with a different key in each copy and varies the small decryption routine that precedes it, so no two copies share the same bytes on disk even though they run identical code. A metamorphic virus goes further and rewrites its own instructions in each generation (reordering code, substituting equivalent instructions), so there is no constant body or decryptor for a scanner to match. Both techniques exist to defeat signature-based detection, which is why modern scanners also decrypt or emulate a suspect file before comparing it against their signatures.
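To make the polymorphism point concrete, here is a small added example (written for this page, not code from the article or from Symantec) that encodes the same harmless, constructed "virus body" under different keys and runs two scanners over the result: a naive signature scan of the bytes on disk, and a scan that first "runs" the decryptor. The sample layout (a `POLY` marker, a one-byte XOR key, then the encoded body) and all names are assumptions chosen to keep the demonstration small; real polymorphic decryptors are machine code that itself varies from copy to copy.

```python
"""Why polymorphism defeats naive signature scanning, and what a scanner does about it.

Added example written for this page; it is not code from the article or from
Symantec, and the "virus body" below is a constructed, harmless byte string.
The sample layout (a "POLY" marker, a one-byte key, then the XOR-encoded body)
is an assumption made to keep the demonstration small.
"""
import os
from typing import Optional

# Constructed stand-in for a virus body. A signature is a byte sequence that
# the scanner expects to find in every copy of the body.
PAYLOAD = b"PRINT 'demo body'; FIND_HOSTS; REPLICATE; RETURN"
SIGNATURE = b"FIND_HOSTS; REPLICATE"

MAGIC = b"POLY"  # assumed marker standing in for the decryptor stub


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def polymorphic_encode(body: bytes, key: Optional[int] = None) -> bytes:
    """Produce one 'generation' of the sample.

    Each call picks a fresh non-zero key, so the encoded body differs from copy
    to copy while the decoded body, and therefore its behaviour, stays the same.
    A fixed key may be passed for reproducible tests.
    """
    if key is None:
        key = os.urandom(1)[0] % 255 + 1  # 1..255; key 0 would leave the body in clear
    return MAGIC + bytes([key]) + xor_bytes(body, key)


def static_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive signature scan: look for the bytes exactly as they sit on disk."""
    return signature in sample


def emulating_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scan that 'runs' the decryptor before matching.

    If the sample carries our toy stub, recover the body with the embedded key
    and apply the signature to the decoded bytes. A real engine emulates the
    stub's machine code in a sandbox to reach the same point.
    """
    if static_scan(sample, signature):
        return True
    if sample.startswith(MAGIC) and len(sample) > len(MAGIC) + 1:
        key = sample[len(MAGIC)]
        body = xor_bytes(sample[len(MAGIC) + 1:], key)
        return signature in body
    return False


def compare_scanners(keys=(0x21, 0x7A, 0xC3)) -> dict:
    """Encode the same body under several keys and report what each scanner sees."""
    generations = [polymorphic_encode(PAYLOAD, key=k) for k in keys]
    return {
        "distinct_on_disk": len(set(generations)),
        "static_hits": sum(static_scan(g) for g in generations),
        "emulating_hits": sum(emulating_scan(g) for g in generations),
    }


if __name__ == "__main__":
    print(compare_scanners())
```

Three generations of the same body produce three different files, the static scanner matches none of them, and the emulating scanner matches all three. A metamorphic virus would remove even the fixed stub this example relies on, which is why engines combine emulation with behavioural heuristics rather than byte patterns alone.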

Other classes of Internet threats, such as worms and Trojan horses, behave like viruses but differ in important ways. Worms are programs that replicate from system to system without the use of a host file, whereas viruses spread only by passing along an infected host file. Worms are self-contained programs whose goal is to replicate and compromise as many computers as they can reach, increasingly with little or no action by the computer user.

Trojan horses are programs whose malicious function is deliberately hidden by their author inside software the user believes to be something else. They are impostors: files that claim to be something desirable but are in fact malicious. An important distinction between Trojan horse programs and true viruses is that Trojan horses do not replicate themselves. Trojan horses contain malicious code that, when triggered, causes loss, or even theft, of data. For a Trojan horse to spread, a user must "invite" the program onto his or her computer, for example by opening an e-mail attachment or by downloading and running a file from the Internet.

Evolving Threats
In the past, viruses were transmitted on floppy disks, a process that is extremely slow by today's standards. The Internet provides a medium through which viruses move from host to host with remarkable speed via e-mail, peer-to-peer file sharing, and instant-messaging applications; infection now takes place predominantly through e-mail attachments.

Human nature is a funny thing, and virus writers exploit it to trick computer users into opening malicious programs. This tactic, called "social engineering," preys on a person's curiosity or desire to be included or to receive something for free. Once the user opens the attachment and the program it carries runs, the computer is infected.

Today's trends show increasing numbers of a new type of threat called "blended threats." Unlike traditional viruses, blended threats attack multiple points, spread without human intervention, and exploit software vulnerabilities. They also use multiple methods to propagate, such as embedding themselves in the HTML files of a compromised server so that visitors to the Web site are infected, and sending e-mails with a worm attached. Multiple propagation methods make containment of a blended threat that much harder. Blaster, Welchia (also known as Nachi), and SQL Slammer are high-profile examples: all three spread by attacking known security flaws in operating systems and database software, flaws for which vendor patches had been available for weeks or months before the outbreak. This style of attack is unusual among virus-based attacks in that it need not require a file to be opened or run on the targeted computer. The initial propagation runs in computer memory; Slammer, for example, arrived as a single UDP packet, never wrote itself to disk, and reached most of the vulnerable hosts on the Internet within minutes rather than days. That speed makes blended threats very hard to defend against once they are loose, so the practical defenses are applying patches promptly and blocking the scanned services (TCP port 135 for Blaster, UDP port 1434 for Slammer) at the network perimeter.
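Because a worm, blended or not, has to find its next victims, its propagation is visible on the network long before a signature exists: one host suddenly contacting dozens of distinct addresses on the same port within seconds. The following added example (written for this page, not code from the article) covers both the worm paragraph above and the blended-threat discussion: it runs a simple fan-out rule over constructed flow records that include normal workstation traffic, a slow but legitimate high-fan-out host, a Blaster-style burst on TCP 135, and a Slammer-style burst on UDP 1434. The record format, addresses, window and threshold are all assumptions; the ports are the ones the named worms used, and nothing here generates or contains exploit traffic.

```python
"""Spotting worm propagation from fan-out, run over constructed flow records.

Added example written for this page; it is not code from the article. The
flow records, host addresses, window and threshold are constructed or assumed
for the demonstration. The ports come from the worms the text names (Blaster
scanned TCP 135, Slammer sprayed UDP 1434).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: int      # seconds from start of the capture (constructed)
    src: str
    dst: str
    proto: str
    dport: int


# Constructed "normal" traffic from one workstation: DNS, web, a file share.
NORMAL_FLOWS_TEXT = """\
0  10.0.0.5 10.0.0.1       udp 53
1  10.0.0.5 93.184.216.34  tcp 80
2  10.0.0.5 10.0.0.2       tcp 445
4  10.0.0.5 10.0.0.1       udp 53
7  10.0.0.5 93.184.216.34  tcp 443
12 10.0.0.5 10.0.0.3       tcp 445
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated 'ts src dst proto dport' lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(int(ts), src, dst, proto, int(dport)))
    return flows


def synthetic_burst(src: str, proto: str, dport: int, start: int,
                    count: int, per_second: int) -> List[Flow]:
    """Constructed worm-like burst: `count` distinct targets on one port."""
    return [Flow(start + i // per_second, src, f"10.0.1.{i}", proto, dport)
            for i in range(count)]


def build_sample_flows() -> List[Flow]:
    flows = parse_flows(NORMAL_FLOWS_TEXT)
    # A backup host that touches many file servers, but only one every two
    # seconds: high fan-out overall, low fan-out inside any short window.
    flows += [Flow(2 * i, "10.0.0.7", f"10.0.2.{i}", "tcp", 445) for i in range(25)]
    # Blaster-style: many hosts probed on TCP 135 within a few seconds.
    flows += synthetic_burst("10.0.0.9", "tcp", 135, start=5, count=40, per_second=8)
    # Slammer-style: UDP 1434 sprayed even faster.
    flows += synthetic_burst("10.0.0.12", "udp", 1434, start=30, count=60, per_second=20)
    return flows


def detect_scanners(flows: List[Flow], window_seconds: int = 10,
                    fanout_threshold: int = 20) -> Dict[str, dict]:
    """Flag sources that reach `fanout_threshold` distinct destinations on one
    (proto, port) inside any `window_seconds` span.

    The rule keys on behaviour (fan-out in time), not on exploit bytes, so it
    fires on a worm for which no signature exists yet. The price is that a
    legitimate scanner or mail relay can trip it; tune the threshold and
    allow-list those hosts.
    """
    by_key: Dict[Tuple[str, str, int], List[Tuple[int, str]]] = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.proto, f.dport)].append((f.ts, f.dst))

    alerts: Dict[str, dict] = {}
    for (src, proto, dport), events in by_key.items():
        events.sort()
        for i, (start_ts, _) in enumerate(events):
            targets = set()
            for ts, dst in events[i:]:
                if ts - start_ts > window_seconds:
                    break
                targets.add(dst)
            if len(targets) >= fanout_threshold:
                alerts[src] = {"proto": proto, "dport": dport,
                               "distinct_targets": len(targets), "first_ts": start_ts}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(build_sample_flows()).items():
        print(f"ALERT {src} -> {info['distinct_targets']} hosts on "
              f"{info['proto']}/{info['dport']} starting t={info['first_ts']}s")
```

Run as is, the rule flags only the two bursting hosts: the workstation never exceeds a handful of destinations on any port, and the backup host spreads its 25 targets over 50 seconds, so no 10-second window holds more than six. The same rule, fed from a border router's flow export, is what lets a network team quarantine a scanning host within minutes of an outbreak, which is the only timescale on which a memory-resident worm can be contained.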

It is likely that the convergence of computers and everyday devices will give rise to new types of threats. The methods of infection and distribution will also evolve with the spread of new devices that share information easily because they are built on the same underlying technology. We already have handheld computers, phones with Internet access, and other appliances designed to connect automatically whenever they come within range of a wireless network. These technologies and devices are quickly approaching the functionality and critical mass necessary to make them worthwhile targets.