Malicious Software (Malware)

Document information

Title: Malicious Software (Malware)
Institution: University of Science and Technology of Korea
Field: Cybersecurity
Type: Teaching material
Year: 2001
City: Daejeon
Pages: 57
Size: 0.96 MB

Contents

Malicious Software - SANS GIAC LevelOne© 2000, 2001 1

Malicious Software

(Malware)

SANS GIAC LevelOne Security Essentials

My name is Fred Kerby. Today's webcast is entitled "Malicious Software", as shown on the first slide. It is part of the SANS Security Essentials series.

Picture this: the trade press is all abuzz with warnings of a new killer virus, the child of Chernobyl. Recall that Chernobyl struck on April 26, 1999. In Korea alone, it affected as many as a million computers, causing more than $250 million in damages. The boss has just come down with a magazine article in hand and has told you to drop everything. You have three days to ensure the organization is ready before "child of Chernobyl" day. Is this real or a hoax? What do you do to find out? How do you meet the boss's demands to get anti-viral software installed and updated as needed? Stay tuned for answers to these questions and more.

Of course, this course isn't going to solve all your problems if you suddenly get hit and have no plan of action or procedures in place, so you are going to need to apply what you learn here.


Objectives

• Malicious code

• Virus and hoax information

• Virus types and methods

• Organizational AV policy

• Desktop anti-viral care and feeding

Our next slide, entitled "Objectives", shows what we will be discussing during this Level One briefing. At the completion of this course, the student will be familiar with these core concepts of anti-viral protection:

What is malicious software? How does it spread? What are some of the characteristics of viruses?

What is the difference between a virus and a hoax? Where can I go to get more information on them?

Does my organization have an anti-viral policy? What does it say? Is it up to date?

What is anti-viral software? What is involved in the care and feeding of desktop anti-viral software?


Malicious Software (Malware)

Let's move to the next slide, "Malicious Software".

Malware is a generic term for a number of different types of malicious code: viruses, worms, Trojan horses and malicious applets. First, we will define what these things are.

A virus is a piece of parasitic code (or program) written specifically to execute on behalf of the user without the user's permission (or knowledge). It is parasitic in that it attaches itself to files (or boot sectors) and then replicates, causing the spread to continue. Some viruses do little more than replicate and serve as a nuisance; others can do serious damage, such as damaging programs or degrading system performance (the virus payload). Never assume that a virus is harmless and leave it intact. We will look at the various types of viruses in the slides to follow.

A worm is a self-contained program (or set of programs) that is able to spread functional copies of itself to other computer systems, usually via a network. Host-computer worms are entirely contained on their host computer. Host-computer worms that delete themselves from one host upon propagation to a new host are called rabbits: they "hop" around a network. Some worms run in multiple parts on many hosts; these are called network worms. A network worm with one coordinating segment and many client sub-segments is termed an octopus! Note the distinction used in this course: malicious code is called a worm when it requires no specific action on the part of the user to enable infection and propagation; it just spreads. If the code requires the user to open an email, load a screen saver or take some other action, then it is called a virus.

Trojan horses are programs with an intended action that is not documented or revealed. Typically, Trojan horses masquerade as some other harmless or trusted program. A well-known Trojan horse is Back Orifice.

Malicious applets are applets that attack the local system of a Web surfer; their effects include denial of service, invasion of privacy, and annoyance. Malicious applets are distinguished from attack applets, which exploit vulnerabilities in the implementation of the Java security model.

It is interesting to note that of the 60,000 or so known viruses, worms and so on, about 55,000 of them are Microsoft-specific (Gene Spafford). Care is needed here, because this statistic does not mean that systems such as Linux, Unix or the Mac are immune; there are just fewer examples found there. We usually think of infection via the network and floppy disks, but CD-ROMs are notorious for hosting malware. Just think of the damage that could be done.


Virus Types (1)

• File infectors / Program viruses

– Direct-action

– Memory resident

– Cluster or File system virus

• Potential to spread over networks

Go to the slide entitled "Virus Types (1)" and let's take a look at viruses. Viruses are classified by the ways they infect computers. Usually, a virus falls into one of the following three categories: program viruses, boot record infectors, or macro viruses.

For the next few slides we will focus on program viruses. A program virus is activated when the infected program is executed (or run). The virus is loaded into the computer's memory and then proceeds to wreak havoc. The results of the virus triggering may not be obvious immediately, as the virus may have a built-in delay (an event-triggered virus). First signs of infection can include files being saved with malformed or improper names.

Program viruses are usually attached to files such as COM or EXE files, but can infect any executable or interpretable file: overlays, drivers, system files, or other binary files. Examples also exist of viruses that infect C source code such that the compiled executable is infected!

Direct-action file infectors find one or more selected programs to infect each time the infected program is run. Resident viruses install themselves in the system service area of RAM and infect new programs when they are run. Cluster viruses infect program files indirectly, by modifying file system structures such as the file allocation table. These viruses are loaded by the OS before the target program because the file system points to the virus first.

Program file viruses need to be executed to activate and spread. As well as being run locally, users can run infected programs from servers, download and run infected files, or execute mail attachments. These viruses therefore have the potential to spread from program to program on a single host, and to find their way to new programs on different hosts by being carried there by network users.


COM Program Infectors

[Figure: layout of a COM program (START to END) beside a prepended virus (virus code first, then the program) and an appended virus (a JUMP at the start of the COM program, the program, then the virus code)]

Our next slide is entitled "COM program infectors". Now we'll take a look at how program files are actually infected.

COM file viruses attach themselves to their target in one of three ways: by prepending to the beginning, by appending to the end, or by overwriting part of the file.

A prepending virus gains control when the first instruction of the infected COM file is executed, because that instruction is now the virus's own. The virus runs and then passes control to the original program. Because of this, users may not notice anything different.

An appending virus writes a jump instruction over the first instruction in the file, saving the bytes it replaced. This jump takes execution to the virus, which later restores those bytes and returns control to the COM program.

Overwriting viruses simply write their code over the beginning of the file. These viruses therefore destroy the original program. More sophisticated overwriting viruses make a copy of the portion that they overwrite, which can later be executed, all in an effort to remain covert.


EXE Program Infectors

[Figure: an original EXE program beside an infected EXE program, showing the header's CS:IP entry pointer moved to the appended virus code]

The next slide, "EXE program infectors", shows how an infected executable is structured.

Executables consist of two parts: the header and the load image. The header contains, among other things, a pointer to the first instruction to be executed in the load image. The pointer (CS:IP) consists of a pair of values, the code segment (CS) and the instruction pointer (IP). A header entry we will call SIZE stores the size of the load image.

When the executable is infected, these header entries are altered. CS:IP becomes VCS:VIP and now points to the start of the appended viral code. SIZE increases to VSIZE and measures the size of the infected load image, so the loader maps the virus along with the program. Running the infected program therefore transfers control to the virus first. When it has finished, the viral code hands execution back to the original program, using the original CS:IP value it saved at infection time.
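The COM and EXE layouts just described, as an added worked example that is not part of the SANS slides: a small Python script that builds toy COM and MZ images in memory, lays out an appending infection of each exactly as the two slides describe (a JMP patched over the COM file's first instruction; CS:IP and the size fields of the EXE header repointed at an appended body) and then runs two checks a file scanner can make without executing anything. The "virus body" is a text marker rather than code, VIRUS_SIGNATURE is an assumed scanner signature, and the 60% entry-point threshold is an assumed heuristic cut-off.

```python
"""Structural checks for DOS COM and EXE images.

Added example (not from the SANS slides): the images built here are
in-memory toys, the "virus body" is a text marker rather than code, and
VIRUS_SIGNATURE is an assumed scanner signature.
"""
import struct

MZ_HEADER = "<2sHHHHHHHHHHH"      # e_magic, e_cblp, e_cp, e_crlc, e_cparhdr,
                                  # e_minalloc, e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs
HEADER_PARAS = 2                  # 32-byte header in the toy EXEs
VIRUS_SIGNATURE = b"VIRUS-DEMO"   # assumed: what the string scanner looks for
LATE_ENTRY = 0.6                  # assumed: entry in the last 40% of the image is suspicious


def build_exe(load_image: bytes, cs: int, ip: int) -> bytes:
    """Minimal MZ file: the slide's SIZE is carried by e_cp (512-byte pages)
    and e_cblp (bytes used on the last page)."""
    total = HEADER_PARAS * 16 + len(load_image)
    pages, last = divmod(total, 512)
    if last:
        pages += 1
    hdr = struct.pack(MZ_HEADER, b"MZ", last, pages, 0, HEADER_PARAS,
                      0, 0xFFFF, 0, 0, 0, ip, cs)
    return hdr.ljust(HEADER_PARAS * 16, b"\0") + load_image


def exe_entry(image: bytes) -> tuple:
    """(entry offset inside the load image, load image size, header size),
    computed the way the DOS loader computes them from the header."""
    (magic, e_cblp, e_cp, _crlc, e_cparhdr, _minalloc, _maxalloc, _ss, _sp,
     _csum, e_ip, e_cs) = struct.unpack_from(MZ_HEADER, image, 0)
    if magic != b"MZ":
        raise ValueError("not an MZ executable")
    file_size = e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp
    header = e_cparhdr * 16
    return e_cs * 16 + e_ip, file_size - header, header


def com_entry(image: bytes) -> tuple:
    """A COM file starts executing at its first byte.  If that byte is a
    near JMP (E9 rel16), the real entry is wherever the jump lands."""
    if len(image) >= 3 and image[0] == 0xE9:
        rel = struct.unpack_from("<h", image, 1)[0]
        return 3 + rel, len(image)
    return 0, len(image)


def scan(image: bytes, kind: str) -> dict:
    """Two checks that need no execution: a string signature, and the
    'entry point near the end of the file' heuristic for appending infectors."""
    if kind == "exe":
        entry, size, _ = exe_entry(image)
    else:
        entry, size = com_entry(image)
    return {"signature": VIRUS_SIGNATURE in image,
            "late_entry": size > 0 and entry / size >= LATE_ENTRY,
            "entry": entry}


# --- constructed samples (toy images, not real programs) ---
CLEAN_COM = bytes([0xB4, 0x09, 0xBA, 0x0E, 0x01, 0xCD, 0x21, 0xC3]).ljust(40, b"\x90")
CLEAN_EXE = build_exe(b"\xB8\x00\x4C\xCD\x21".ljust(64, b"\x90"), cs=1, ip=4)
VIRUS_BODY = VIRUS_SIGNATURE.ljust(20, b"\xCC")   # placeholder bytes, not code


def append_infect_com(com: bytes, body: bytes) -> bytes:
    """Appending COM layout from the slide: a JMP overwrites the first three
    bytes, the displaced bytes travel with the body so control can be
    handed back, and the body sits at the old end of file."""
    return b"\xE9" + struct.pack("<h", len(com) - 3) + com[3:] + com[:3] + body


def append_infect_exe(exe: bytes, body: bytes) -> bytes:
    """Appending EXE layout: the body goes after the load image, CS:IP becomes
    VCS:VIP (pointing at it) and SIZE becomes VSIZE.  The original CS:IP is
    dropped here; a real infector would store it for the hand-back."""
    _entry, image_size, header = exe_entry(exe)
    load_image = exe[header:] + body
    return build_exe(load_image, cs=image_size // 16, ip=image_size % 16)


if __name__ == "__main__":
    samples = [("clean.com", CLEAN_COM, "com"),
               ("infected.com", append_infect_com(CLEAN_COM, VIRUS_BODY), "com"),
               ("clean.exe", CLEAN_EXE, "exe"),
               ("infected.exe", append_infect_exe(CLEAN_EXE, VIRUS_BODY), "exe")]
    for name, img, kind in samples:
        print(f"{name:14} {scan(img, kind)}")
```

The second check is the classic "entry point near the end of file" heuristic: it catches both appending layouts above even with no signature at all, which is why cavity infectors and the stealth techniques discussed on later slides work so hard to leave entry point and file size looking untouched.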


Virus Types (2)

• Boot-record infectors

– Floppy boot record (FBR)

– Master boot record (MBR)

– DOS boot sector (DBS or PBR)

– No network spreading potential

• Multipartite

– Potential to spread over networks

Let's go to the slide entitled "Virus Types (2)". The next virus we'll review is the boot infector.

Every disk has a boot sector, regardless of whether or not it is actually bootable. When a computer is powered up, it looks for boot information according to a list provided by the computer's BIOS. If the medium the BIOS boots from (say, a floppy left in the drive) carries a boot sector virus, the infection gets transferred to the hard disk. Once the infection is complete, the virus is loaded into memory at every startup. From there, the virus can spread to every disk that is read after startup. Results of the infection can range from nuisance (if anything at all), to destruction of boot information, to the need for a complete format of the hard disk.

Floppy disks contain a floppy boot record (FBR) which can harbor a virus. If a system is booted from such a floppy, the virus loads and infects the hard disk. Viruses on hard disks infect either the master boot record (MBR) or the partition boot record (PBR), sometimes called the DOS boot sector (DBS). The MBR is the first place the BIOS looks when booting from a hard drive. If a virus is present there, it can seize control of the hardware before the operating system even sees the light of day! PBRs are executed after the bootstrap program in the MBR passes control to the active partition. The operating system files present on a partition are loaded according to instructions in the PBR. As with an MBR infection, if a virus is present it will be loaded before the operating system.

Multipartite viruses are hybrids of boot infectors and program viruses. When executed as a program, they infect boot sectors, and vice versa: if multipartite-infected media are booted, program files get infected. Multipartite viruses provide a mechanism by which boot-sector viruses can get around on networks (they travel as program files). Boot-sector viruses cannot on their own infect across networks, because network file protocols do not support sector-level operations on the remote disk.


Virus Types (3)

• Macro viruses

– Targets are data files (e.g. *.doc)

– Written in "macro languages" (e.g. the Melissa macro virus): see the Visual Basic Editor

• High network spreading potential!

Our next slide is entitled "Virus Types (3)". A macro virus is malicious code contained in a set of instructions (a macro) stored within a document for an application such as a word processor or spreadsheet. Unlike program viruses, which target executables, macro viruses target data files. Once the macro containing the infection is loaded on your computer, it can infect other files (such as the normal.dot template for Microsoft Word) or cause itself to be propagated to other users automatically. A typical example is the Melissa macro virus. It caused a document containing the macro to be mailed electronically to other email users.

The activated macro virus is limited only by the capabilities of the macro language being used. Microsoft Office macros, written in Visual Basic for Applications, can access all host application features (e.g. Word) and many operating system features (Windows). For example, in Word or Excel, try opening <Tools - Macro - Visual Basic Editor>. This opens a Visual Basic session enabling complex macro design. Imagine the potential damage from statements such as Open, Kill (delete), or RmDir!

Macro viruses can spread as email attachments. A user opens an infected attachment, the virus reads the address book and mails itself on. For this reason, macro viruses have a huge potential to spread over networks.


Virus Protection Techniques 1

• Stealthing

– virus attempts to hide or ‘cloak’ itself

– hiding from anti-virus software

– read stealthing

– size stealthing

• Need to scan memory to detect

Let's go to the slide entitled "Virus Protection Techniques (1)". To avoid detection, or being picked up during an anti-virus scan, sophisticated viruses employ techniques to cover their presence or tracks. When active, the virus builds itself a "cloaking device".

Stealthing is achieved in a number of ways. The virus, through being memory resident (or hooked into system services), monitors system function calls. When a system call is made, it is intercepted by the virus, and the virus tells a lie back to the caller. In this way the system is deceived.

Read stealthing involves monitoring attempts to read or write infected files (e.g. open, read, or close). If an infected program file is opened and read, the virus might give back information from a backed-up copy of the original file; the infection is invisible! Another form of read stealthing monitors direct access to disk sectors. Even if low-level calls are made to read the master boot record (e.g. BIOS interrupt 13h), the virus will interject.

Size stealthing viruses monitor calls that read directory entries and other parts of the file system. If the operating system inquires as to the size of an infected file, the call is intercepted and a lie is told: the file appears to have its original, pre-infection size.

Stealthing prevents or hinders detection by examining disks while the virus is active. Anti-virus scanning software must therefore scan the system portions of RAM to find these viruses, or scan the disk after booting from known-clean, write-protected media so that the virus is not running.


Virus Protection Techniques 2

• Polymorphism

– poly = many, morph = form

– encryption/decryption routines

– mutation engines

• Makes a scanner’s job a lot harder

Our next slide is "Virus Protection Techniques (2)". Now let's look at another protection technique: polymorphism. Polymorphism literally means "many forms". A polymorphic virus therefore has many and varying forms, very biological indeed. If a virus is continually changing the way it looks, the job of the anti-virus scanner is made a lot more difficult.

Viral polymorphism is achieved by using a mechanism that varies the code used to decrypt, or unsheathe, the virus into its active state. The inactive virus is encrypted so that it cannot be easily detected by scanning for common strings (in fact, the code of the virus body will look like random data).

If the encryption and decryption routines did not change from copy to copy, a scanner could detect the virus by detecting the decryption code. Therefore, polymorphic viruses change their decryption routines on the fly. These changes might be made by a mutation engine built into the virus that is driven by a random number generator. Alternatively, some mechanism might vary the sequence of instructions, or insert redundant instructions into the mutating routine. The decryption routines still perform their function, but the way they look is different.

The common cold is a biological example of viral polymorphism; however, the cold virus varies in both form and function.
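An added example, not from the slides, to make the scanner's problem concrete. The Python below models a polymorphic virus as a tiny decryptor stub (a tag, a one-byte XOR key and a variable sprinkling of do-nothing instruction bytes) in front of an XOR-encrypted body; the body is a constructed text marker, not code, and SIGNATURE is an assumed string signature. It then runs three scanners over generated variants: the naive string scanner the slide talks about, generic decryption (follow the stub's own logic, then scan the plaintext) and X-raying (brute-force the weak cipher without reading the stub at all).

```python
"""Polymorphism versus the scanner.

Added example (not from the SANS slides).  The "virus body" is a
constructed text marker, the decryptor is modelled as a labelled stub
carrying a one-byte XOR key, and the mutation engine just sprinkles
do-nothing instruction bytes into the stub.  No real virus code.
"""
import random

BODY = b"PAYLOAD: if month == 4 and day == 26: wipe_disk()"   # constructed marker
SIGNATURE = b"wipe_disk()"                                     # assumed string signature
JUNK = [b"\x90", b"\x87\xC0", b"\x8B\xC0"]      # NOP, XCHG AX,AX, MOV AX,AX: no effect
STUB_TAG = b"DECRYPT"


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(body: bytes, key: int, junk: bytes) -> bytes:
    """One generation: stub = tag, key byte, variable junk, 0x00 terminator;
    then the body encrypted under that key.  Same payload, different bytes."""
    assert key != 0 and b"\x00" not in junk
    return STUB_TAG + bytes([key]) + junk + b"\x00" + xor(body, key)


def generate(n: int, seed: int = 1) -> list:
    """The mutation engine: a fresh key and a fresh junk pattern per copy."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        key = rng.randrange(1, 256)
        junk = b"".join(rng.choice(JUNK) for _ in range(rng.randrange(1, 6)))
        out.append(make_variant(BODY, key, junk))
    return out


def string_scan(sample: bytes) -> bool:
    """What the slide's naive scanner does: look for a fixed byte string."""
    return SIGNATURE in sample


def emulate_scan(sample: bytes) -> bool:
    """Generic decryption: run the decryptor's logic (read key, skip junk,
    decrypt what follows) and scan the plaintext that results."""
    if not sample.startswith(STUB_TAG):
        return False
    key = sample[len(STUB_TAG)]
    end = sample.index(b"\x00", len(STUB_TAG) + 1)
    return SIGNATURE in xor(sample[end + 1:], key)


def xray_scan(sample: bytes) -> bool:
    """X-raying: ignore the stub, try every key of the known cipher on the
    whole sample and look for the signature in each result."""
    return any(SIGNATURE in xor(sample, k) for k in range(1, 256))


if __name__ == "__main__":
    variants = generate(10)
    print("distinct byte patterns:", len(set(variants)))
    print("string scan hits:", sum(map(string_scan, variants)))
    print("emulation hits:  ", sum(map(emulate_scan, variants)))
    print("x-ray hits:      ", sum(map(xray_scan, variants)))
```

Real mutation engines vary the stub far more than this (register renaming, instruction substitution, reordering), which is why production scanners emulate the decryptor on a sandboxed virtual CPU rather than pattern-match it; the brute-force route works here only because the toy cipher has an eight-bit key.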


Other Virus Variations

– Fast and slow infectors

– “In the wild”

It is worthwhile taking a look at some other virus variations. These are listed on the next slide.

Fast infectors are memory-resident program viruses that not only infect programs that are executed, but also those that are merely opened or accessed. The danger with this is the potential spread of infection before the virus is detected. Imagine scanning (and hence infecting!) 70% of all your files before you detect the fast infector: an on-demand scan run while the virus is resident becomes the infection vector.

Slow infectors only infect files when they are created or modified. This is an attempt to evade the integrity checking or file monitoring capabilities of anti-virus software: a file is expected to change when it is modified, so this is a good time for a virus to conceal its actions.

Sparse infectors only infect occasionally (e.g. 1 in 10 files accessed), again to stay below the threshold of notice.

Cavity viruses write themselves into redundant or null-constant portions of a program file. In this way the file remains the same size and has the same function, but it is carrying the virus in a "cavity".

Tunneling viruses bypass activity-monitoring software by locating the original interrupt handlers (or the hardware controllers themselves) and calling them directly, so that monitors hooked into the interrupt chain never see the call. For example, disks can be accessed by programming the disk controller's I/O ports directly.

Armored viruses employ tricks to make analysis, such as tracing and disassembly, difficult.

Retro viruses are "anti-anti-virus". These viruses set out to attack or hinder the software that detects them. Retroviruses exist in nature, with the most infamous example being HIV, which attacks the human immune system.

Finally, if a virus has been verified (by the groups that track viruses) to have caused an infection outside a laboratory environment, it is described as "in the wild". A virus that has not been observed in a real-world situation (i.e., not in the wild) can be described as "in the zoo".

That ends our survey of virus types and modes of action.


ILOVEYOU Virus

• E-mail attachment

• Attempts to spread to Outlook

address book contacts

• Installs a password-grabbing

program

• Overwrites some files

Now let's examine the structure and mode of action of a recent virus: the ILOVEYOU virus.

On May 4, 2000, many computer users encountered mail with the subject line "ILOVEYOU". The mail body instructed users to "kindly check the attached LOVELETTER coming from me"; history now says that many did not resist the temptation.

The attachment (named LOVE-LETTER-FOR-YOU.TXT.vbs), when opened, resulted in a script being run that sent the same message to all contacts in all of the victim's address books. Typically, address books contain many entries, which means the virus amplifies after each new infection.

The ILOVEYOU virus has two distinct parts to its payload: installation of a password grabber, and the overwriting of files.

The password grabber is installed by changing the start page of the local browser to a web page that will attempt to execute a program named WIN-BUGSFIX.exe, so named in an attempt to fool users into clicking "yes" when asked if the executable should run. If run, the password grabber is installed and set to run at boot time. Upon booting it will "sniff" user passwords as they are entered.

The virus also overwrites some files (e.g. .vbs, .vbe and .jpg files; for .mp3 files it writes a .vbs copy beside the original, which it hides) with the virus code, and these files are therefore infected. If these infected files are run, the infection will propagate.

ILOVEYOU Analysis (1)

Go to the next slide, "ILOVEYOU analysis (1)". A look at the virus code is instructive.

The ILOVEYOU virus is written in VBScript, and will therefore run on systems that have the Windows Scripting Host (WSH) installed, or systems that interpret Visual Basic and have a WScript library. WSH is installed if you choose a standard installation of the operating system, if you install Internet Explorer 4 or 5, or if you download WSH from Microsoft. (Check <My Computer - View - Options - File Types> and look for VBScript or Windows Script Hosting components.) An application that can be driven by a scripting engine is a scripting host.

The code consists of five routines and some supplementary support functions. The routines are main(), regruns(), spreadtoemail(), html() and listadriv(). Each of these subroutines will be examined in turn.

ILOVEYOU Analysis (2)

– Adds Registry values to:

• execute the virus at boot time

• download a password-grabber and set it to run at boot time

Our next slide is entitled "ILOVEYOU analysis (2)".

The subroutine main() exists to do two things: make copies of the virus in the System and Windows directories, and call the remaining subroutines. Look at the following VBScript:

dim dirwin, fso, c
' FileSystemObject gives the script full access to the file system
Set fso = CreateObject("Scripting.FileSystemObject")
' GetSpecialFolder(0) is the Windows directory (1 would be the System directory)
Set dirwin = fso.GetSpecialFolder(0)
' the running script's own path, i.e. the virus itself
Set c = fso.GetFile(Wscript.ScriptFullName)
' drop a copy under a legitimate-looking name
c.Copy(dirwin & "\Win32DLL.vbs")

Even if you are not familiar with VBScript you can still see that this language has the power to read directories and create files; what more does a virus need? The code segment above starts by declaring some variables, then creates a file system object, finds the Windows directory, gets the path of the virus script currently running and then copies that file to %windir%\Win32DLL.vbs, which looks like a legitimate system file. (The full script also drops copies in the System directory, obtained with GetSpecialFolder(1).)

regruns() sets Registry keys to make the file created above run at boot time, changes the Internet Explorer start page to a page that loads WIN-BUGSFIX.exe, and sets the Registry to execute this program at boot time. These effects are illustrated with the following script example (only its first line, which creates the shell object whose RegWrite method does the work, survives on this page):

Set regedit = CreateObject("Wscript.Shell")


ILOVEYOU Analysis (3)

• Subroutine spreadtoemail()

• Spreads virus to users in each

address book

• Creates Registry keys such that

virus is not sent to the same

address more than once

Go to the next slide, "ILOVEYOU analysis (3)".

spreadtoemail() spreads the virus to all entries in the victim's address books. Each address book is found and each address is read in turn. A new mail object is then constructed and sent:

' Outlook automation: the script drives the victim's own mail client
Set out = Wscript.CreateObject("Outlook.Application")
' CreateItem(0) is olMailItem, a new outgoing message
Set mail = out.CreateItem(0)
' the slide elides the loop that walks each address book entry
Set mailaddress = %script to get user from address book%

spreadtoemail() also contains code to ensure that the virus is only sent to each address book entry once. This is achieved by saving, in the Registry, the addresses that have been targeted already.


ILOVEYOU Analysis (4)

• Subroutine html()

– creates an html page to be sent over

IRC – alternative mode of spreading

• Subroutine listadriv()

– overwrites specific files with the virus

– propagates infection

The subroutine html() writes an HTML page that will be sent through Internet Relay Chat (IRC). The web page contains JavaScript that creates a window and a VBScript that recreates the virus and executes it. This provides another way for the virus to spread.

listadriv() looks for specific types of files and then infects them. This is achieved by using script functions such as GetFolder, GetExtensionName, OpenTextFile, Write and Close. These functions look dangerous, and are dangerous!

Files that are overwritten are deemed infected; if these files are run at a later stage, the virus will be executed yet again.

That ends our walk through the VBScript for the ILOVEYOU virus. One final point: the code requires the user to open an email and run an attachment to be activated. For this reason, by the definition used in this course, ILOVEYOU is a virus. If no special action were required by the user, it would be a worm. Many sources refer to this piece of malware as a worm. A full analysis of the ILOVEYOU virus is contained in the appendix. Note that this analysis refers to the program as a worm, probably because it uses a network to spread rather than disks or files. Look at the definitions of worms and viruses and think about it. Take a look at the full analysis and understand just what the virus is doing. After all, can we afford not to understand the enemy?
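Because this is exactly the kind of incident a mail relay that inspects attachments would have stopped, here is an added example, not from the slides or the appendix analysis: a Python check in the style of a mail-gateway filter. The message is constructed to mimic the one described above (its attachment body is a harmless comment, not the virus script), SCRIPT_EXT and DECOY_EXT are assumed policy lists, and the check flags both plain script attachments and the double-extension trick, where a decoy .TXT in front of .vbs, combined with Windows Explorer's default of hiding known extensions, makes the file appear as LOVE-LETTER-FOR-YOU.TXT.

```python
"""Mail-gateway check for the attachment pattern ILOVEYOU relied on.

Added example (not from the SANS slides).  The message below is
constructed; the attachment body is a harmless comment, not the virus.
SCRIPT_EXT and DECOY_EXT are assumed policy lists.
"""
from email import policy
from email.parser import BytesParser
from typing import Optional

SCRIPT_EXT = {"vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta",
              "exe", "com", "scr", "pif", "bat", "cmd"}
DECOY_EXT = {"txt", "doc", "xls", "jpg", "jpeg", "gif", "mp3", "pdf"}

# Constructed sample message, mimicking the one described in the slides.
RAW_MESSAGE = b"""From: friend@example.com
To: victim@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: 7bit

' constructed placeholder: a real attachment would hold the script
--b1--
"""


def classify_name(filename: str) -> Optional[str]:
    """Return why an attachment name should be blocked, or None if it is
    acceptable by name alone (content scanning is still needed)."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in SCRIPT_EXT:
        return None
    if len(parts) == 3 and parts[1] in DECOY_EXT:
        return f"double extension: shown as .{parts[1]}, runs as .{ext}"
    return f"executable attachment type .{ext}"


def check_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return one finding per blocked attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_name(name)
        if reason:
            findings.append(f"{name}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in check_message(RAW_MESSAGE):
        print("BLOCK", finding)
```

A name check is only the first gate: a Word document carrying an auto-executing macro passes it, so the gateway still needs content scanning, and the same extension policy should be enforced at the desktop in case mail arrives by another route.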


Indications of an Infection

• Computer runs slower

• Disk drive makes noise

• Running out of free space

• File sizes change

• Unexplainable files

• Characters dropping from screen

Go to the slide entitled "Indications of an Infection".

The best way to detect and protect against viruses is to use a good anti-viral program. By the way, no one program ever seems to pick up all viruses, but running two anti-virus programs at the same time on the same machine can be a recipe for disaster. Everyone I have talked with who has tried this in production has been burned badly. One solution for organizations that have a disk scan facility at the physical security desk is to run one brand of anti-virus to scan incoming disks and another entirely inside the facility.

Not everyone uses anti-viral software, and people who do don't always keep the signatures up to date. If that's not enough, the virus programmers are continually writing new ones. What's a guy to do? Look for signs of anomalous activity. This slide shows some of the symptoms you might observe. Here are some of the comments you might hear:

"My system seems slower than normal."

"My disk drive makes a lot of noise."

"The disk drive light is on a lot of the time."

"I keep running out of free space."

There are other indications, but you get the idea: the computer is behaving in a different manner. At this point, I should mention that these indications in and of themselves do not constitute an infection.

I bought a brand new shiny computer in December 1996. It had a massive 2 GB hard disk and a whopping 16 MB of RAM, and came bundled with Windows 95. I added anti-viral software, Microsoft Office, a browser, and a few other goodies. Two and a half years later, after I had been applying patches and hot fixes to both the operating system and the applications (as well as anti-viral signatures), I noticed that it seemed to take longer and longer to bring up my desktop and the files I wanted to edit. To cut to the chase, I was not infected. The updates and newer programs had simply become much larger, to the point that I simply didn't have enough RAM in the computer to get decent performance. After I added 32 MB of RAM, the system worked MUCH better. There are two morals to this story: (1) just because your computer shows one of the indications above, it does not mean that you are infected; (2) while more memory is usually a good thing, it will not cure a viral infection.


What to do if you’re infected

• Contain the problem

• Fix it

• Share your experiences with others

Let's go to the next slide, "What to do if you're infected". If you see the signs above and don't have a current anti-viral program installed, what should you do?

First, DO NOT PANIC. Contain the problem by isolating the computer system: unplug the network cable, leave the system powered up (so that whatever is resident in memory is preserved for whoever investigates), and do not use it. If you are not the system administrator, contact that person and ask for help.

Second, fix the problem: install current anti-viral software and either clean up the problem, or verify that you are not infected and move on to solving whatever is causing the symptoms you identified.

Third, share your experience: tell others what happened, how you corrected it, and what you learned. Even if you were mistaken and are embarrassed by it, you might prevent someone else from making the same mistake if you let them know what you did.


Virus & Hoax Information

What we've discussed so far can be overwhelming. You certainly can't hear everything you might ever need to know about viruses in a single webcast, so let's go to the next slide (Virus & Hoax Information) to see some of the resources available on the web if you want or need more information on viruses and hoaxes.

CERT is the home of the Computer Emergency Response Team, located at Carnegie Mellon University. When you use this link, go to the site map and scroll down to the section entitled "Other Sources" to get to the virus information.

Symantec is the home of Norton AntiVirus (as well as other software packages with the Norton name). This is a very informative site.

Antivirus.com is where you will find the Trend Micro site. You can go to housecall.antivirus.com and request a free online scan of your system.

NAI is short for Network Associates, Incorporated. It's the home of McAfee anti-viral software as well as a wealth of information on viruses.

ICSA is the International Computer Security Association (formerly the National Computer Security Association), yet another good source of virus and anti-viral information. The site has been revamped and you'll be relocated to trusecure.com.


Virus & Hoax Information (2)

• Viruses

– http://www.virusbtn.com

• Hoaxes

– http://www.vmyths.com – http://www.hoaxkill.com

The next slide (Virus & Hoax Information (2)) lists some additional resources for both topics.

The first is the home of the Virus Bulletin. The link shown claims to be "THE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL." A useful site, though the bulletin itself is available only by paid subscription.

The next two links shown (vmyths, formerly hosted at kumite, and hoaxkill) are places you can go to get information on hoaxes. I mention these because there are a number of "viruses" reported which are not really viruses. They cause a tremendous denial-of-service condition when folks unwittingly forward the hoax information to friends and co-workers with the admonition "if you see this, delete it and don't open it - it will format your hard drive!" (or something similar). If you get a notice such as this, please check it out with a knowledgeable source before you forward it.

This concludes the overview of virus types, characteristics, activation mechanisms, indications of an infection, and what to do if you are infected. We also covered (very briefly) hoaxes and where to go to get more information. Let's now pursue how you go about getting effective anti-viral protection implemented in your organization.


Background

• Policy or Practice

• Need for guidance

• How it gets implemented

Let's go to the next slide, "Background". This is the first of three sections on policy. The other two (covered in upcoming slides) are Scope and Responsibilities. There is some discussion as to whether we need a policy document or implementation guidance. The difference is that the policy usually states WHAT must be done, and the implementation guidance tells HOW to do it. The "what" we are trying to do might be "to provide effective anti-viral protection for all desktop computers", and the "how" might be "to establish a single repository from which each user will download and update desktop anti-viral software". It's important to know which document you are writing before you begin. If you don't, you may become very frustrated.

A well-written policy will have the following characteristics:

• Matches your organization and architecture

• Is adaptable to change

• Has management and administrator buy-in

A policy that cannot be implemented (or enforced) is of little or no value. Bear this in mind prior to picking up the pen.

Your policy must accommodate change. We didn't use anti-viral software on Unix computers five years ago. Anyone who has a Unix-based mail relay today and doesn't scan email is looking for an incident.

Cost, or actually cost versus benefit, is a big factor when getting management buy-in. Try to find metrics of the harm viruses have done.

Another key element that cannot be overstressed is getting management and administrator buy-in to what you plan to do. Lose in either camp and you lose big time.

The bottom line is that your policy will establish the written, measurable standard by which organizational performance is gauged.


Scope (protect in depth)

• Desktops

• Portables and notebooks

• Servers (mail, file, other)

It would be great if we could provide anti-viral protection for every computer that exchanges information with computers and users inside and outside of the organization. Is this realistic (or even possible)? Maybe not. In any organization, we can implement "defense in depth" as we deploy anti-viral protection. The depth needed will be a function of the complexity of the computer and network infrastructure.

The list given on this slide shows some of the risk vectors that you might need to address in your document. Even if you don't have these vectors now, you might have them in the not-too-distant future. Be sure your policy will cover them as needed.


Roles and Responsibilities

• Acquisition/procurement

• Installation and updating

• How often to update

• Logfile review

• Reporting infections

Now that we've looked at the scope of our policy, what are some of the roles and who is responsible for getting things done?

The next slide, "Roles and Responsibilities", lists several items that are candidates for inclusion in your policy or implementation guidance.

Who obtains the anti-viral software and how? This is the place to identify if your organization will use a site license, and how folks can get a copy. Is each user responsible for his or her PC, or does the organization have a group whose job it is to do things like this?

Who will install the software and who will keep the signatures up to date? How frequently? Again, are the individual users responsible for ensuring that this happens?

Is anyone responsible for looking at contaminations on the individual computers or across the organization? If so, who is that individual and do we need to report infections to that person? Typical candidates can include the organization's computer security folks, your incident response team, and the corporate office.

Answers to these questions should be included in your policy or implementation guidance.


• Internet search (Lycos, Yahoo)

Go to the slide entitled "Policy Pointers". It shows three (of many) places you can go on the web for more information.

The first comes to you from the Trend Micro site. The title page says "Designing and Implementing a Virus Prevention Policy: Key Issues and Critical Needs". It is a good resource to have handy when you are developing a policy document. While it doesn't provide a 'fill in the blank' template, it DOES provide much food for thought.

The next (from TruSecure) is a link that I got from the ICSA page. It goes beyond policy and into implementation.

Finally, I also got some good hits on a search run from Lycos™. Your mileage may vary.

To summarize the section on policy, your organization will benefit from having a written document that describes what the organization is committed to protecting (desktops, servers, etc.), who is responsible for doing what (buying, installing, updating, cleaning up, reporting, etc.) and what standards must be met (performance criteria).


Anti-virus Software

• Activity monitoring programs

• Scanners

• Integrity checkers

• Remember “defense in depth”

Let's go to the slide entitled "Anti-virus Software".

What about virus protection? There are three main kinds of software protection techniques. These are: activity monitoring programs, virus scanners, and integrity checkers.

Activity monitors (or behavior blockers) aim to prevent infection by monitoring for virus-like activity (e.g. writing to exe files, or formatting disks). Such programs can potentially detect viruses that they have not encountered before - as long as those viruses perform some action that is being monitored. These programs are generally considered a weak form of defense. Some viruses (e.g. tunnelling viruses) can bypass what is being monitored, or may in fact disable the monitoring. Some of the current anti-viral programs (such as Norton Anti-Virus and McAfee Vshield) offer the option to block virus-like activities such as low level formatting of the hard disk, writing to hard or floppy disk boot records, writing to program files and changing the file read-only attribute.

Scanners, perhaps the best known form of defense, look for known viruses by searching for 'scan strings' (signatures) or certain algorithms (to aid in detection of polymorphic viruses). Examples are Norton and McAfee anti-virus. Scanners suffer from the problem that even simple viruses, if they are new or unknown, can be missed by the scan. Therefore, a scanner alone is not a complete defense against viruses.

Integrity checkers compute checksums or hash values of original files and store the results in a database. The program can later recompute this value and compare it with the original. If a file has been modified, the "before" and "after" values will not match. These programs are sometimes described as generic detectors because they have the ability to catch new viruses. Typical file integrity analysis programs for a Microsoft NT environment include Tripwire for NT and Security Profile Inspector. You can do a 'net search to locate shareware programs that perform cyclic redundancy checks and store the value for comparison later. These programs are in effect virus detectors, not virus preventers.
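The scanner and the integrity checker described above, side by side, as an added example that is not code from the webcast or from any product named on the slide. The toy scanner searches files for constructed 'scan strings'; the integrity checker records SHA-256 values of a directory tree in a JSON database (the "before") and later recomputes them (the "after"). The signature names, the sample program files, and the directory layout are all constructed for the demonstration. The scenario plays out the point made on the slide: a file carrying a known scan string is caught by the scanner, while a program altered by code that no signature describes is reported only by the integrity checker.

```python
"""Toy signature scanner beside a file-integrity checker (added example).

Everything here is constructed for the demonstration: the 'signatures'
match nothing real, the sample files are written into a temporary
directory, and no product named on the slide is involved.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed scan strings, the 'signatures' a scanner searches for.
# A real scanner's database holds many thousands of such patterns.
SIGNATURES = {
    "Example.Toy.A": b"TOY-SAMPLE-A-PAYLOAD",
    "Example.Toy.B": b"TOY-SAMPLE-B-PAYLOAD",
}


def scan_file(path, signatures=SIGNATURES):
    """Return the names of every signature whose scan string occurs in the file."""
    data = Path(path).read_bytes()
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def scan_tree(root, signatures=SIGNATURES):
    """Scan all regular files under root; map relative path -> matched names."""
    root = Path(root)
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            matches = scan_file(p, signatures)
            if matches:
                hits[p.relative_to(root).as_posix()] = matches
    return hits


def sha256_of(path):
    """Cryptographic hash of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(root, db_path):
    """Record the hash of every file under root in a JSON database (the 'before')."""
    baseline = hash_tree(root)
    Path(db_path).write_text(json.dumps(baseline, indent=2))
    return baseline


def verify_baseline(root, db_path):
    """Recompute hashes (the 'after') and report what no longer matches."""
    baseline = json.loads(Path(db_path).read_text())
    current = hash_tree(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Constructed scenario; returns (hits on clean tree, hits afterwards, integrity report)."""
    with tempfile.TemporaryDirectory() as tmp:
        programs = Path(tmp) / "programs"
        programs.mkdir()
        (programs / "editor.exe").write_bytes(b"MZ constructed clean program")
        (programs / "tools.exe").write_bytes(b"MZ another constructed clean program")
        # Keep the baseline outside the tree it describes (and ideally off-line).
        db = Path(tmp) / "baseline.json"
        build_baseline(programs, db)
        clean_hits = scan_tree(programs)  # nothing known is present yet

        # 1) A file carrying a KNOWN scan string appears: the scanner catches it.
        (programs / "game.exe").write_bytes(b"MZ " + SIGNATURES["Example.Toy.A"])
        # 2) An existing program is altered by code no signature describes:
        #    the scanner stays silent, the integrity checker does not.
        (programs / "editor.exe").write_bytes(b"MZ constructed clean program" + b"UNKNOWN-NEW-CODE")

        return clean_hits, scan_tree(programs), verify_baseline(programs, db)


if __name__ == "__main__":
    clean, hits, report = demo()
    print("scanner, clean tree :", clean)
    print("scanner, afterwards :", hits)
    print("integrity report    :", report)
```

Two design points follow from the slide. The checker uses SHA-256 rather than the cyclic redundancy checks the shareware tools used: a CRC catches accidental corruption, but a deliberate modification can be padded so the CRC still matches, whereas a cryptographic hash cannot be fixed up that way. And the baseline database has to be kept where an infected machine cannot rewrite it (read-only or off-line media), otherwise the infection simply re-baselines itself; like the products on the slide, this code detects changes and prevents none.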

No one of the software defenses is a complete defense on its own. Good practice may include some combination of all AV software. The principle of 'Defense in Depth' takes us even further. To be


index.shtml

The next slide – "Antivirus Acquisition" - shows us some of the choices we have depending on the number of computers we need to protect. Unless you are infected and in an emergency state, it might be useful to review some options before you begin. In former times (also known as "the good old days"), I knew folks who would buy a site license and distribute the software on floppy diskettes. That may have been a viable option when the software fit on a single floppy, there weren't a lot of computers to protect, and the computers were not heavily networked. For the most part none of these conditions are true today. The two anti-viral software installation programs commonly used in the US Department of Defense (Norton and McAfee) are in the 8 to 12 MB range; most employees in many companies have a computer, and many of the computers are networked.

The protection plan for a single computer is trivial - download the software over the net or buy a copy on distribution media.

If you have more than one computer to protect, you have some options. You can buy and install a separate copy for each computer that is to be protected. If you have just a few computers, this can sound attractive if you say it really fast. It doesn't take a lot of computers for this option to get to be a burden.

Another option that is fairly popular is to load the software onto a server and have folks download it from there. It certainly is faster and easier than carrying around a box of floppies (or even a CD).

Things you will want to consider in selecting the server include networking issues and how you will control access to the software to comply with the terms of your license.

For example, the United States' Department of Defense (DoD) has an agency-wide license for at least two anti-viral packages. They are available from servers on the Internet and can be downloaded only by folks who are located in .mil domains. Seems to be a reasonable approach to managing access to the software.

The last bullet - which product to buy - can be the basis for a great religious war and is beyond the scope of this webcast. It is a good idea to verify that what you are getting ready to install has been tested and certified as having met some objective criteria. Two useful links are under the third bullet in this slide. The first will get you to a web site that lists products certified by the International Computer Security Association.

The second is the page that contains the Product Test Criteria for items that ICSA certifies.


Installation

• Self-extracting set-up wizards

• Configure at set-up

• Test that software is running

Let's go to the slide entitled "Installation". Once acquired, what's involved in getting the anti-viral protection loaded on your computer? Well, anti-viral products are easily installed by running a self-extracting program and using a setup wizard that allows a good degree of customization. For example, at set-up time, the software can be configured to perform a hard disk scan at every boot, become resident and continually monitor file activity, scan downloads, e-mails and floppy access. The configuration you set is determined by your anti-virus policy.

Once installed, testing your anti-virus program with a real virus is not generally a good idea. Most reputable anti-virus packages will now trigger an alert if they scan a file beginning with the following text:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To make this file, copy the above text string into a text file and save it with a .com extension. Virtually all Windows anti-virus programs and commercial Macintosh anti-virus programs can recognize this test file. Running the file displays the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"

This comes from the European Institute for Computer Anti-Virus Research and can help test the virus detection capabilities of anti-virus software.

While this file obviously has absolutely no virus code in it, you should only distribute it to people who have a clear understanding of what it does. Also, do not store it on production machines that run anti-virus software (except as part of a deliberate test), as it will probably trigger whatever alarm bells are in place.


Desktop Care and Feeding

Let's turn to the next slide – "Desktop Care and Feeding". Note that these topics are applicable to server environments, but for the moment we will focus on clients.

Configuration - what do we need to do to "tune" the software? We'll look at some example screen shots from a Windows 9x computer to see what configuration options are available. When setting your anti-virus configuration, be guided by your AV policy.

Updating - how to keep your anti-viral signatures up to date. Anti-viral scanning software works by scanning disks and files for KNOWN viruses. As discussed earlier, this is achieved by looking at potential disk or file targets and comparing the contents of those targets with a database of virus profiles. These profiles (commonly called signatures) may include a string found in the virus code, a specific set of viral instructions, a routine that gets loaded into memory, or a specific program action. If a new virus appears in the wild, it probably has a novel signature. If the anti-virus researchers have never seen the virus, then the anti-virus software will not recognize it (although the software may become suspicious). In the early days, virus propagation was somewhat slower than it is today. Early viruses generally relied on 'sneaker net' to get around - literally being walked from one machine to another on a floppy. Obviously, this is no longer the case. Now we can talk about virus propagation within minutes and seconds. Therefore, it is necessary to keep our anti-virus databases well fed with regular updates. Do this manually, or use the automated 'live-update' features provided with software.
