Escape the Lurking Serpent's Mortal Sting

Basics to protecting your network from worms and other threats
In the Jan. 13 issue I discussed how to keep broadcast equipment protected from intrusions from the outside world, i.e. the Internet. I gave examples of types of worms and viruses found in unprotected computer systems, what they do once they gain entry and how they replicate.

Here and in our next article, let's take a closer look at various means of infecting your computer and how they work.

Worms, horses and zombies

  • Virus: A virus is a piece of software attached to or embedded in a legitimate program. Once that program is opened and run, the virus reproduces and attaches itself to other programs or to e-mail. Usually viruses attach to your e-mail messages and replicate by mailing themselves to everyone in your address book.

    In some cases the victim doesn't even have to "double-click"; the virus may launch when you view an infected message in the preview pane of your mail software.

    Viruses can get into your system if you visit an infected Web site. Most antivirus software will keep your networks safe from this type of intrusion — if you update your software religiously.
  • Trojan Horse: This is a computer program disguised as a game or anything you might want to open; once it is unleashed, it does its damage. A Trojan horse typically does not replicate automatically and usually is not transferred from one computer to the next, as a virus or worm is.

    One notable Trojan horse, Clampi, has been gathering banking and financial information and has infected somewhere between 100,000 and 1 million computers. Hackers sneak Clampi onto computers and networks by tricking a user into opening an e-mail file attachment or by using a multi-exploit toolkit that tries attack code for several Windows vulnerabilities.

    Once Clampi is active, it monitors web sessions and captures user names, passwords, PINs and other information. It can access bank accounts, purchase goods using captured credit card numbers and in some cases store the information for later use.

    Periodically, Clampi will contact the command and control server run by the hackers to relay the hijacked information home, where it is decrypted and used. It has been determined that these command and control centers are being run in as many as 70 countries.
  • Worm: A computer worm is a small piece of software that uses networks and security holes to duplicate itself. As it runs, it scans the network for another computer with a specific security hole, copies itself to that machine and then starts replicating from there.

    Imagine a network with hundreds of unprotected computers on it. A worm can infect and duplicate itself within a matter of minutes, depending on its size and what it was designed to do.

    A worm is different from its malicious cousin the virus. A worm does not infect or manipulate computer files; it just makes clones of itself and travels from computer to computer using the system's transmission capabilities (the network).

    The computer does not even have to be connected to the Internet for a worm to propagate. The worm can be introduced via an infected disk or travel drive. Once it is on the host computer, it begins replicating itself to all the other unprotected computers on the network.

    Every operating system has vulnerabilities, and these can be exploited by worms to replicate themselves. A good example is the Sasser worm, which uses security holes in the Windows LSASS service. Other worms spread only by using backdoor-infected computers. The "Bormex" worm relies on the Back Orifice backdoor to spread; Back Orifice is a remote administration tool that allows system administrators to control a computer from a remote location.

    There is a facility available within peer-to-peer networks known as the P2P folder that users of the network share. A worm can simply copy itself into the shared folder and sit there until other users intercept it. If the folder does not exist, the worm creates it for the benefit of the users.

    You may recall the names of worms that infected computers in the past. MyDoom, Melissa, Loveletter and Code Red are but a few.
  • Robots or bots: These are networks of PCs that have been taken over by malware programs. A computer infected with the malicious software is called a zombie.

    Once such software has taken up home in your computer, it can send spam e-mail messages, spread viruses, attack computers and servers and even locate and distribute personal financial information it found on your computer.

    A network of computers that have been compromised is a botnet. Just what happens when a botnet is installed on your computer is up to the ringmaster. The scary part is, the makers usually don't control the botnets, which are rented out to professional spammers and thieves looking to clean out your bank account.

    The botnet usually enters your computer by a virus or worm. The most common way is via e-mail attachment. Once the infected attachment is opened, it will install a botnet client, which then "calls home" to the controller to let them know another zombie PC is ready for duty.
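Both Clampi and the botnet client described above "call home" on a schedule, and that regularity is something a defender can look for in outbound-connection logs. The following is an added example, not code from the article: it parses a constructed log of outbound connections (the format, hostnames and addresses are made up for illustration) and flags host/destination pairs whose connection intervals are nearly constant.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article), one connection per line:
# "<ISO timestamp> <source host> <destination ip:port>"
SAMPLE_LOG = """\
2024-01-05T10:00:00 ws-07 203.0.113.5:443
2024-01-05T10:00:17 ws-07 198.51.100.9:80
2024-01-05T10:05:01 ws-07 203.0.113.5:443
2024-01-05T10:02:40 ws-12 198.51.100.9:80
2024-01-05T10:10:00 ws-07 203.0.113.5:443
2024-01-05T10:15:02 ws-07 203.0.113.5:443
2024-01-05T10:20:01 ws-07 203.0.113.5:443
2024-01-05T10:31:55 ws-12 198.51.100.9:80
2024-01-05T10:33:10 ws-12 203.0.113.7:443
"""

def parse_log(text):
    """Return {(host, dest): [sorted timestamps]} from the constructed format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        conns[(host, dest)].append(datetime.fromisoformat(ts))
    for times in conns.values():
        times.sort()
    return conns

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Flag (host, dest) pairs whose connection gaps are nearly constant.

    A pair is reported when it has at least `min_hits` connections and the
    coefficient of variation of the gaps (stdev / mean) is below `max_jitter`.
    Returns a list of (host, dest, mean_gap_seconds).
    """
    beacons = []
    for (host, dest), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            beacons.append((host, dest, round(mean)))
    return beacons

if __name__ == "__main__":
    for host, dest, gap in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {dest} every ~{gap}s")
```

Legitimate software (update checks, mail polling) also beacons, so hits are a starting point for investigation rather than proof of infection.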


Next time I'll explore more tips for protecting your computer network and the equipment attached to it.

Brian Cunningham, CBRE, is chief engineer for Crawford Broadcasting's western New York region, based in Buffalo.
