Viruses, Worms, and Trojan Horses
A computer virus
is a piece of executable code that can attach itself to files or
programs. The virus then replicates and spreads its infected files over
the network, from one computer to another. A virus requires a host program to work—that is, the virus must be run before it can replicate and infect other computers.
Viruses often deliver a payload.
This is an action that a virus carries out in addition to replication.
While some viruses simply replicate, tying up resources but causing very
little damage otherwise, the more unpleasant strains can drop payloads
that can corrupt software or data. Even if a virus does not deliver a
payload, replication can cause problems by consuming storage space,
memory, and bandwidth, and degrading the performance of the infected
computer and the network to which the computer is attached.
A worm
is a program that can replicate itself in the same way as a virus.
However, a worm does not require a host program and can replicate itself
automatically whenever an application or the operating system transfers
or copies files.
A Trojan horse
is a program that pretends to be one thing (usually something benign,
such as a computer game or a utility) but does damage when it is run. A
Trojan horse cannot replicate itself. It relies on users to spread the
program through e-mail.
Virus Transmission
Viruses are
typically transmitted in e-mail attachments or in programs downloaded
from the Internet. A user activates the virus by opening the e-mail
message or by starting the program. The virus then loads itself into a
legitimate program’s memory space and searches for other programs. If
the virus finds another suitable program, it modifies that program by
adding its virus code. The next time the program is run, it infects
other programs, and the virus spreads. If a virus infects a messaging
system, it spreads quickly because e-mail clients send messages to other
clients and also provide access to software such as address book
programs.
A virus can
infect secure resources, such as files, applications, and operating
system source files. Therefore, you should always install and configure
new computers while they are disconnected from an external network.
Before you reconnect to the network, you can apply software upgrades,
and then install antivirus software and run a manual scan of the
software by using the latest signature files.
Preparing an Antivirus Strategy
You need to prepare an
antivirus strategy to protect your messaging system. This strategy
should include educating users about viruses, installing antivirus
software in the appropriate locations, and ensuring that the antivirus
software is current.
You educate users by
making them aware of current virus threats and the importance of keeping
their computer systems up to date with the latest signature files and
security updates. If users are aware of viruses, they may be able to
help stop the spread of a virus that is attacking the system. For
example, users should know not to open attachments that they receive
from any application (including e-mail clients and instant messaging
applications) unless they know the sender and they are expecting the
attachment.
Important
Many
users believe it is sufficient to install antivirus software and to
regularly update virus signatures. It is not. Users also need to
download and install operating system updates that include security
patches to fix known holes,
or security weaknesses. You need to make users aware of this, and
whenever possible, encourage them to take advantage of the various
auto-patching functionalities made available by Microsoft, such as
Windows updates.
You can use a variety of
methods to alert users of an e-mail virus threat, including e-mail
messages explaining what attachments not to open and information about
current virus threats, known viruses, and how to combat them.
Your advice on this
topic needs to be reasonable and sensible. You cannot advocate blocking
the download of all attachments if, for example, you work for a
publishing company that frequently receives work from authors by this
method. You should instead inform users (and management) about known
exploitable file types, such as .bat, .com, .scr, .vbs, and embedded
Hypertext Markup Language (HTML) scripts. Some organizations prohibit
the download of any executable code from the Internet. These
organizations can still be attacked but will not have downloaded
up-to-date virus signature files or security updates.
Installing Antivirus Software
Your antivirus
strategy should include plans for installing antivirus software. This
can be installed on client computers, servers, and firewalls.
Client-Side Antivirus Software
Viruses are activated
when users open infected attachments. Therefore, you should install
client-side antivirus software on all the clients that connect to your
network, including remote clients. Client-side antivirus software
installs file system filters that check files for the signatures of
known viruses as these files are written to disk. Some antivirus
software searches e-mail attachments for virus code on the e-mail
client. If a virus is detected, then the software deletes the attachment
or copies the attachment to the local hard disk and disinfects the
file.
Note
This
system is not perfect. Sometimes useful and required attachments are
detected as viruses. If you send zipped files as self-extracting
executable (.exe) packages, some filters may block them.
Server-Side Antivirus Software
Server-side
antivirus software scans mailbox and public folder stores, and some
server-side antivirus software can also scan transports and eliminate
any virus that it finds before that virus enters your network.
Antivirus software
that you install on an Exchange Server 2003 server must be developed
specifically for Exchange, because Exchange has a large database and the
antivirus software must differentiate between the signature of a known
virus and a random string of bytes that matches a virus signature.
You should install
server-side antivirus software on every Exchange server in your
organization. This helps to prevent viruses from spreading to users who
are not using client-side antivirus software.
Firewall Antivirus Software
A firewall
protects your network from unauthorized access and can also provide
virus protection. Antivirus software on a firewall scans files as they
enter the firewall and filters out the viruses before they reach your
network. It also destroys any viruses exiting from your network. This
last point is an important consideration. Security systems need to protect
against the malicious or careless insider as much as against external
attack.
Typically, firewall
antivirus software enables you to specify how viruses are processed. You
can configure firewall antivirus software to remove an attachment, to
send e-mail to an administrator, or to hold the suspect message in a
queue for later review.
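The lesson names the exploitable attachment types (.bat, .com, .scr, .vbs, and embedded HTML script) and the actions a gateway can take (remove the attachment, notify an administrator, hold the message). The script below is an added example, not code from the lesson or from any vendor product; it applies that policy to a parsed MIME message, and the .exe and .pif entries, the on_detect parameter, and the sample message are assumptions.

```python
import email
from email import policy

# File types the lesson names as exploitable. The .exe and .pif entries are an
# added assumption; they are not taken from the lesson text.
RISKY_EXTENSIONS = {".bat", ".com", ".scr", ".vbs", ".exe", ".pif"}


def risky_reason(part):
    """Return why a MIME part is risky, or None if it is acceptable."""
    if part.is_multipart():
        return None                       # containers carry no payload themselves
    name = (part.get_filename() or "").strip().lower()
    # Check every suffix, not just the last, so "chapter3.doc.scr" is caught.
    for piece in name.split(".")[1:]:
        if "." + piece.strip() in RISKY_EXTENSIONS:
            return "attachment %r has a blocked extension" % name
    if part.get_content_type() == "text/html" and "<script" in part.get_content().lower():
        return "HTML part embeds a script"
    return None


def classify(raw_message, on_detect="hold"):
    """Apply the gateway policy: deliver clean mail, otherwise remove/notify/hold."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = [r for r in map(risky_reason, msg.walk()) if r]
    return {
        "subject": msg["Subject"],
        "action": on_detect if reasons else "deliver",
        "reasons": reasons,
    }


# Constructed sample message for the demonstration; not a real capture.
SAMPLE = b"""\
From: author@example.test
Subject: Chapter draft
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Draft attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="chapter3.doc.scr"

AAAA
--b1--
"""
```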
Keeping Your Protection Current
New computer viruses,
or new strains of old viruses, constantly appear. You need to ensure
that your antivirus software is up to date and that you have downloaded
signature files for the latest viruses. You must configure every
component in your organization in which virus protection is implemented
to receive updates automatically. Automatic updates do not require
administrator or user intervention and are particularly important on
client computers because users often do not regularly update their
software or definitions.
Caution
Virus
protection updates can introduce new code. If you configure systems for
automatic updates, then you do not have a chance to test the code in
your environment and therefore cannot tell in advance if the new code
causes problems with your software. This is not a reason for failing to
implement automatic updates, but it is something you should be aware of.
Choosing Antivirus Software
Microsoft
does not currently distribute an antivirus package, and you need to
choose software from a third-party vendor. You need to take a number of
factors into account when you choose antivirus software, including the
following:
Does the software integrate with Exchange Server 2003 and with other services in your environment?
Does the software significantly degrade Exchange Server performance?
Does the vendor support the software for use with Exchange Server?
Does the software guard against viruses, worms, Trojan horses, and other malicious code?
Does the software support automated deployment of client-based software?
Do mechanisms exist for monitoring clients from a single, central location?
Does the software provide the same level of security for remote systems as it does for locally connected computers?
Does the software scan both inbound and outbound e-mail?
Does the software support automated updates?
How often does the vendor release product updates—especially in the event of a virus attack—and does the vendor guarantee that the product will be updated to detect new viruses as required?
Does the software provide virus scanning at the Exchange Server client, the Exchange Server information store (IS), Exchange Server transport, and firewall level?
Is the vendor TruSecure International Customer Service Association (ICSA) Lab or CheckMark certified?
Virus-Clean Policies and Procedures
Virus attacks can still
occur, even after you have prepared an antivirus policy and installed
antivirus software. Your security strategy should include virus-clean
policies and procedures that will help to prevent such attacks. You also
need to plan what to do when a virus does attack your system.
These policies and procedures should be in position before a virus attack occurs. They should help you to:
Understand the extent and source of an attack
Protect sensitive data
Protect systems and networks
Recover infected systems
Enable your organization to continue operating
Collect information about the attack
Prevent further damage
Support legal investigations
If a virus attack
occurs that could cause extensive damage, then your planned procedures
should enable you to isolate the affected systems by taking them
offline. If your antivirus software does not then completely remove the
virus from the affected system, you must restore the system to its
original state by using backup data that has not been compromised. You
may also need to reinstall the operating system and all of the
applications by using source disks.
Tip
If
a virus-infected e-mail message spreads to a user mailbox, you may be
able to remove the virus from the mailbox by using the Exmerge.exe tool.
Exmerge.exe usually exists in the C:\Program Files\Exchsrvr\bin
subdirectory. If not, it can be downloaded from http://www.microsoft.com/exchange/2003/updates. For more information on this utility, search the http://support.microsoft.com site for article Q265441.
When you restore a system, you must ensure that it is functioning normally by using historical baselines.
Historical baselines allow you to compare the current performance for
items such as message delivery rates to those of your system before the
system was restored. You must also monitor your system for repeat virus
outbreaks.
Security Updates
Security updates
are product updates that eliminate known security vulnerabilities. When a
security update becomes available, you should immediately evaluate your
system to determine if the update is relevant to your current
situation. Suppliers release security updates for client software such
as Web browsers, for client operating systems, and for server software
and operating systems such as Windows Server 2003 and Exchange
Server 2003. If the Windows operating system is vulnerable, then
Exchange is also vulnerable.
You can download security updates from software companies’ Web sites. You can find Exchange updates at http://www.microsoft.com/exchange/downloads and http://support.microsoft.com.
Depending on the configuration of your operating system, you may
automatically be prompted to download Windows updates. You can access
the Windows update site by clicking Start and then Windows Update.
You can also access bulletins and utilities to keep you informed about the latest security issues and fixes. Table 1 gives details of the available bulletin services.
Table 2 lists the utilities that can assist in keeping your system secure.
Table 2. Security Utilities
Utility | Function | Download location
---|---|---
Microsoft Baseline Security Analyzer (MBSA) | Checks for missing patches, blank or weak passwords, and vulnerabilities on servers running Windows 2000 or later, Microsoft Internet Information Services (IIS), Microsoft SQL Server, and Microsoft Internet Explorer 5.01 or later. | http://www.microsoft.com/technet
Microsoft Software Update Services (SUS) | Helps keep Windows-based computers and servers up to date with the latest critical updates. | http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
Microsoft Systems Management Server (SMS) | Automates the distribution and installation of the recommended security fixes for large companies with multiple locations. | http://www.microsoft.com/catelog
Virus Signatures
You
need to keep your software and operating system up to date. If you
install third-party virus detection software, this must also be kept up
to date. However, the task that needs to be done most often is to
download virus signatures (or definitions) for the new threats that
appear regularly on the Internet. Virus signatures identify viruses,
worms, and Trojan horses, and allow virus detection software to detect
and eliminate them.
Your virus protection is
only as good as your signature list, and this too must be kept up to
date. Virus signatures should be downloaded regularly. If a serious
attack occurs, the virus signature needs to be downloaded as soon as it
is available. When you purchase antivirus software, you may also need to
purchase a subscription to a professional virus signature update
service. Check with your vendor to determine their policies and
procedures.
Caution
A
virus attack can re-occur some time after you believe the virus was
eradicated. A user returning from a vacation or leave of absence can
open the attachment to an old e-mail message and re-introduce the
problem.
Practice: Downloading Antivirus Software
You
can usually download evaluation antivirus software from the Internet
before you decide on a purchase. You first need to check that the
software supports Exchange. Microsoft publishes a list of approved
antivirus software suppliers, as this practice illustrates.
Exercise 1: Download Antivirus Software
To download antivirus software, perform the following steps:
1.
2. Read the disclaimer. Microsoft makes no warranties or representations with regard to these products or services.
3. Select a supplier (for example, Symantec) and click the hyperlink.
4. Access the fact sheet and any other resource that assists you in evaluating the product’s suitability.
5. Access the evaluation software (typically called Trialware).
6. Follow the prompts and complete the necessary forms. Download the evaluation software installation packet to a shared folder on a server and install it on all computers on your trial network.
7. Obtain details of cost and service contracts. Check out the frequency of virus definition downloads. Apply the criteria listed under “Choosing Antivirus Software” in this lesson.
8. Repeat the process for other listed suppliers.