Articles and whitepapers
27/8/2003
Virus Protection for the Home
By Steve Moore
The Internet, and in particular email, has revolutionised the
way we communicate. In a few seconds we can send or receive documents,
images and other information from anywhere in the world. Unfortunately,
the same speed and convenience that makes email such a useful tool
also makes it useful to others whose intentions are less noble.
As little as three years ago, the threat
of a virus via email was, by and large, quite small. The development
of email-aware viruses or 'worms' however, has changed all that.
During the height of the 'love bug' and 'Melissa' virus epidemics,
parts of the Internet were brought to a virtual standstill. This
had a dramatic effect on how we treated email - no longer was a
virus attack seen as an obscure threat, but as a real and ever-present
one. Many of these viruses exploited weaknesses within the email
clients, and some even targeted the mail servers. Unfortunately,
the threat of a virus attack is now part of using the Internet.
Earlier this year saw the 'Bugbear.b' virus, a dangerous worm that
spreads via e-mail and across shared network drives. It is extremely
easy to become infected by this worm, as it exploits a vulnerability
in Internet Explorer, and is automatically activated when the message
is viewed through Outlook Express' preview pane. This particular
worm also uses polymorphic techniques to make detection harder.
Other common forms of virus embed themselves
within office documents, exploiting the power within these programs
and the ease with which these documents can be shared. Others distribute
themselves as email attachments, using social engineering to 'trick'
users into opening the attachment - sometimes with the offer of
free porn, sometimes with alleged receipts for expensive credit
card payments. So successful is this ploy, that it is still widely
used by virus makers. Once the end-user was tricked into opening
the attached program, the virus would launch and infect that local
machine. Then, using the locally stored email addresses, it would
replicate and send itself out to every email address in that address
book. All of this would only take seconds, whilst the user was waiting
for their free porn, which would never come. Often, the first they
would know that they had been infected would be an email from one
of the addresses in the infected machine's address book, rejecting
the virus-infected email.
While this was often seen as just an annoyance,
some of the more sinister forms of attacks would install software
on the local machine that would either search the local machine
for information such as bank or credit card details, email address
usernames and passwords, or would install software that would allow
hackers direct access to the local machine through a hidden 'backdoor,'
giving them full access to your computer.
One of the early viruses, 'Chernobyl' or
'CIH,' would even attempt to change the instructions held on your
computer's BIOS. The BIOS holds the information about hard drive
size, system date and time, and other information vital to initialising
your computer prior to startup. If successful, this corruption would
very likely result in the computer not starting up again without
the intervention of a computer engineer.
So what can we do to reduce our risk from these
virus attacks?
The most obvious answer is to obtain a copy
of an antivirus program. The choice of vendors is wide and varied,
and almost all offer similar functionality and protection. This
though, is not enough. New viruses emerge all the time, and it is
vital that you update your antivirus software on a regular basis.
Many vendors offer email alerts to new virus updates, and on a bad
day, you may receive as many as five alerts. While the risk of infection
from these new viruses may be small, it would be foolhardy not to
install the new updates, especially since most software can often
be updated in seconds.
Some vendors are now utilising heuristic
virus scanning. This scans the patterns within the payload of the
email, and looks for actions that may be considered to be viruses.
This form of scanning is very effective when used in conjunction
with more traditional forms of virus scanners, as it can often detect
new forms of viruses before the antivirus vendors can update their
products' virus signatures.
Even with antivirus software installed on
your machine, there are still steps you can take to further reduce
the risk. The following are some basic guidelines:
* Backups - this is your most important tool
in the fight against virus infection. Some viruses will leave your
computer in an unusable state. If you do become infected with one
of these viruses, ALL of your work could be lost.
* Protection - installing antivirus software
is not enough. If your A/V vendor offers a notification service,
sign up to it and update your software as soon as you can. If they
do not offer such a service, consider changing to one that does.
* Backups - have I mentioned just how important these are?
* Disabling macros in Office documents -
or better yet, ask for Office documents as RTFs (Rich Text Format)
or as CSFs (Comma Separated Format), whenever possible. Both of
these formats can be opened or modified in Word or Excel, but neither
supports macros.
* Be Suspicious - if you do not know who
the email is from or you have not requested an email from somebody
that contains an attachment, don't open it. It could be the last
thing you do on your computer for a while.
* Keep your system up-to-date - Microsoft
offers a free system update service, Windows Update, that will keep
your system patched against the latest security and system vulnerabilities.
One recent virus, 'Kakworm,' exploited the same security 'hole'
that 'bubbleboy' exploited back in 1999.
* Backups - yes I know I am going on about
this, but...
Since writing this article, we have seen
the arrival of a very nasty virus called W32/Sobig-f. On Tuesday
19th August, most antivirus vendors went into collective overdrive
as W32/Sobig-f literally exploded onto the Internet. Within 24 hours,
one in every eight emails contained a virus, and nearly 94% of these
emails were infected by the Sobig virus.
Using social engineering with subject lines
taken from a list, including 'Re: That movie,' 'Re: Approved' and
'Re: Wicked screensaver,' end users are tricked into launching this
virus. It can then email itself out as an attachment to a list of
addresses it finds on the infected machine.
It is anticipated that several new variants
of this virus will be launched over the next few weeks or months. In
the meantime, if you follow our advice and do not open attachments
from an unsolicited source, and keep your antivirus software up
to date, you will avoid being infected by this virus.
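As an added illustration (not part of the original article), the following Python check applies the guidelines above and the Sobig-f description to incoming mail: it flags the subject lines the article lists for W32/Sobig-f, executable or double-extension attachments, and macro-capable Office documents. The extension lists and the sample messages are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Subject lines the article lists for W32/Sobig-f (matched case-insensitively).
SOBIG_SUBJECTS = {"re: that movie", "re: approved", "re: wicked screensaver"}
# Assumed lists: common Windows executable extensions, and Office formats that
# can carry macros (the article prefers RTF/CSV precisely because they cannot).
EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".vbs"}
MACRO_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt"}

def assess_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message looks suspicious (empty = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SOBIG_SUBJECTS:
        reasons.append("subject matches Sobig-f list")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffixes = PurePosixPath(name).suffixes      # e.g. movie.mpg.exe -> ['.mpg', '.exe']
        ext = suffixes[-1] if suffixes else ""
        if ext in EXEC_EXTENSIONS:
            kind = "double-extension" if len(suffixes) > 1 else "executable"
            reasons.append(f"{kind} attachment {name}")
        elif ext in MACRO_EXTENSIONS:
            reasons.append(f"macro-capable document {name}")
    return reasons

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message (not a real capture) with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "home-user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Re: Wicked screensaver", "wicked_scr.scr"),
                        ("Re: That movie", "movie.mpg.exe"),
                        ("Monthly report", "report.rtf")]:
        print(f"{subj!r} / {fname}: {assess_message(build_sample(subj, fname))}")
```

A mail client or gateway filter would quarantine anything that returns a non-empty list rather than showing it in a preview pane.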
Useful web addresses:
www.cert.org
- possibly the most socially responsible site announcing security
vulnerabilities.
www.sophos.com
- one of the best antivirus vendors out there, and it's British.
www.sophos.com/support/disinfection/sobigf.html
- has detailed information on checking for, and removal of, the
W32/Sobig virus.
uk.mcafee.com
- a very popular range of antivirus and personal security products.
www.symantec.com/region/reg_eu/product/nav_index.html
- possibly the best-known antivirus program around today.
Steve Moore is the IT Director for Internet and IT service provider
Intuitive IT (UK) Ltd, one of the first UK ISPs to offer SPAM and
Virus filtered emails as standard.
www.intuitiveit.co.uk