Know Your Enemy to Defeat It

With the proliferation of malware, understanding what it is, how it propagates and the type of damage it can do is essential to determining your response to removal, protection and repair. Get to know the basics of malware and what to do about it.

From the very first virus found in the wild -- "Elk Cloner", which infected Apple II systems back in 1982 -- to "Sasser", "Blaster" and "MyDoom", viruses have been as much a part of the PC as the operating system. Unfortunately, their role on the PC has evolved from simple jokes to causing millions of dollars in damage through consumed employee hours and hardware replacement costs. Add the harder-to-measure costs of lost productivity and damage to a company's reputation, and the total cost of viruses is put somewhere between $10 billion and $100 billion a year. No matter how you measure it, viruses cost money, and the cost of dealing with them needs to be a part of your IT budget.

Knowing this, the best thing for you and your team to learn about viruses -- or malware, the more common term now used to describe all malicious software -- is what they are and what they do. Armed with this information, it becomes much easier to identify, contain and eliminate malware, to minimize the damage it can do to your networked systems, and to budget for controlling and managing it.

Three categories of malware

All malware is bad, but how you deal with it depends upon the particular type you encounter. The challenge is that a malware author can combine functions freely in a single destructive piece of code, and malware keeps evolving in the wild, so it is difficult to sort it into simple categories. But that won't stop us from trying.

At a base level, if a program or script is designed with a malicious purpose, it should be considered malware. Early viruses which simply popped messages on the user's screen without doing anything else destructive would probably not be considered malware by that test. Today, however, seemingly harmless programs are used as Trojan Horses: they gain access to a user's system by misrepresenting themselves and getting the user to perform a task on their behalf. A good example of this was "Love Letter", which arrived as an email from someone you knew proclaiming their love for you; opening the attached script (a .vbs file disguised with a .TXT extension in its name) launched its malicious payload and, worm-like, mailed the message on to everyone in the victim's address book. One defining characteristic of a pure Trojan Horse is that it does not replicate itself, so an easy way to stop it is through educating users and making sure they don't perform the specific tasks -- opening unexpected attachments, running downloaded programs -- that would launch the Trojan.

Some Trojans are designed to let an attacker take control of a compromised system. These backdoors, or Remote Access Trojans (RATs), usually have both a client and a server component: the compromised system runs the server and the attacker connects to it with a client (or, where a firewall blocks inbound connections, the compromised system calls out to the attacker instead).

Another well-known type is the rootkit. Targeting a specific operating system, a rootkit modifies the system itself (its kernel, drivers or core utilities) to hide the attacker's files, processes and network connections, usually alongside a backdoor that preserves privileged access. Because the operating system is now lying about its own state, a rootkit can hide from the user of the host computer and from security tools running on it, which is why it is often only caught by inspecting the disk or the network traffic from outside.

Unlike a Trojan Horse, the next category of malware, the Worm, spreads on its own. Worms use self-propagating code that copies itself from computer to computer over network connections. One of the more famous Worms, "Blaster", spread by exploiting a flaw in the Windows RPC service (reachable on TCP port 135) and aimed a denial of service attack at Microsoft's Windows Update web site. Its exploit was unreliable enough that it often crashed the RPC service, forcing infected machines into repeated reboots. The potential for damage was so serious that Microsoft offered a $250,000 reward for information leading to the arrest of Blaster's author. Worms don't usually need user intervention to propagate from one machine to another, though some (mass-mailing worms, for example) require users to execute the code. Hybrid Worms may also deliver a malicious payload to the user's system in addition to spreading across the network. The best way to stop Worms is a combination of blocking all but the necessary ports at your firewall and staying current with the security updates for your operating system, which usually close the service vulnerabilities a Worm exploits; the patch for the flaw Blaster used had been available for nearly a month before the worm appeared.
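A worm that probes a network for vulnerable hosts leaves a distinctive trail: one source touching many different destinations on the same port in a short time. The following detector, added here as an example and not part of the original article, runs over constructed firewall-style log lines (`timestamp src dst dport action`, a made-up format) and flags such sweeps. Denied connections count as evidence too: a blocked probe still tells you which machine is infected.

```python
"""Detect worm-style scanning in connection logs.

Added example, not from the original article. The log format is a constructed
one: 'timestamp src dst dport action'. The rule flags any source that reaches
many distinct destinations on one port inside a short window, which is what a
worm such as Blaster looks like while it hunts for hosts exposing TCP/135.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.7 sweeps TCP/135 across the subnet (mostly
# blocked, two hosts answered); the rest is ordinary web and mail traffic.
SAMPLE_LOG = """\
2003-08-11T14:00:01 10.0.0.7 10.0.0.1 135 DENY
2003-08-11T14:00:01 10.0.0.7 10.0.0.2 135 DENY
2003-08-11T14:00:01 10.0.0.7 10.0.0.3 135 ALLOW
2003-08-11T14:00:01 10.0.0.7 10.0.0.4 135 DENY
2003-08-11T14:00:02 10.0.0.7 10.0.0.5 135 DENY
2003-08-11T14:00:02 10.0.0.7 10.0.0.6 135 DENY
2003-08-11T14:00:02 10.0.0.7 10.0.0.8 135 ALLOW
2003-08-11T14:00:02 10.0.0.7 10.0.0.9 135 DENY
2003-08-11T14:00:03 10.0.0.7 10.0.0.10 135 DENY
2003-08-11T14:00:03 10.0.0.7 10.0.0.11 135 DENY
2003-08-11T14:00:03 10.0.0.7 10.0.0.12 135 DENY
2003-08-11T14:00:03 10.0.0.7 10.0.0.13 135 DENY
2003-08-11T14:00:02 10.0.0.21 10.0.0.5 80 ALLOW
2003-08-11T14:00:04 10.0.0.21 10.0.0.5 80 ALLOW
2003-08-11T14:00:05 10.0.0.21 10.0.0.5 80 ALLOW
2003-08-11T14:00:03 10.0.0.3 10.0.0.40 25 ALLOW
2003-08-11T14:00:06 10.0.0.3 10.0.0.41 25 ALLOW
2003-08-11T14:00:09 10.0.0.3 10.0.0.42 25 ALLOW
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def find_scanners(events, window=timedelta(seconds=10), min_targets=8):
    """Return {(src, dport): peak_distinct_targets} for every source that hit
    at least min_targets distinct destinations on one port within the window.

    A sliding window per (src, dport) keeps a count of each destination seen,
    so the number of distinct targets in the window is just len(counts).
    """
    by_key = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        by_key[(src, dport)].append((ts, dst))

    hits = {}
    for key, evs in by_key.items():
        evs.sort()
        counts = defaultdict(int)
        left = 0
        for ts, dst in evs:
            counts[dst] += 1
            # Drop events that fell out of the window on the left.
            while evs[left][0] < ts - window:
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= min_targets:
                hits[key] = max(hits.get(key, 0), len(counts))
    return hits


if __name__ == "__main__":
    for (src, dport), n in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible worm scan: {src} -> {n} hosts on port {dport}")
```

The threshold (eight distinct hosts in ten seconds) is deliberately conservative so that a mail server talking to a handful of peers on port 25 does not trip it; tune it against your own baseline traffic, and treat any hit on a port you have blocked at the perimeter as a machine to pull off the network.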

The last major category of malware -- and the one we are all most familiar with -- is the Virus. The defining characteristic of a Virus is that it replicates by adding a copy of itself to a file, a document (as a macro) or the boot sector of a disk. Viruses take on many forms: one may carry a Trojan payload that it delivers to the computer to perform its malicious act, while another may simply replicate across a system, destroying data as it goes. That's why, if you get a Virus, it's important to find out which one it is and what behaviors it has. Some of the more insidious viruses target both files and boot sectors on a disk; these are referred to as multipartite viruses.
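Because a virus has to modify its host, the cheapest way to catch one is an integrity baseline: hash every executable and the boot sector while the system is known-good, then re-check later. The example below is added here and is not the article's or any vendor's code; it builds a throwaway executable and a constructed 512-byte MBR in a temporary directory, simulates a multipartite infection (a body appended to the executable plus patched boot code) and shows what each check reports.

```python
"""Integrity baseline for detecting file and boot-sector infectors.

Added example, not from the original article. Everything it inspects is
constructed in a temporary directory; no real disk or executable is touched.
"""
import hashlib
import os
import tempfile

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes of boot code before the partition table
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline(paths):
    """Record size and SHA-256 of each file while the system is known-good."""
    base = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        base[p] = (len(data), sha256_of(data))
    return base


def verify(base):
    """Return {path: reason} for every baselined file that no longer matches."""
    findings = {}
    for p, (size, digest) in base.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        with open(p, "rb") as f:
            data = f.read()
        if len(data) > size and sha256_of(data[:size]) == digest:
            # Original bytes intact but the file grew: the classic appender.
            findings[p] = f"appended {len(data) - size} bytes"
        elif sha256_of(data) != digest:
            findings[p] = "content changed"
    return findings


def check_boot_sector(sector: bytes, expected_code_digest: str) -> str:
    """Check a raw 512-byte sector against the baselined boot-code hash."""
    if len(sector) != SECTOR_SIZE:
        return "wrong sector size"
    if sector[-2:] != BOOT_SIGNATURE:
        return "missing 55AA boot signature"
    if sha256_of(sector[:BOOT_CODE_LEN]) != expected_code_digest:
        return "boot code modified"
    return "ok"


def make_boot_sector(code: bytes) -> bytes:
    """Build a constructed MBR: boot code, empty partition table, signature."""
    code = code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    return code + bytes(64) + BOOT_SIGNATURE


def demo():
    """Simulate a multipartite infection; return (file findings, clean MBR
    status, infected MBR status)."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "app.exe")
        doc = os.path.join(d, "readme.txt")
        with open(exe, "wb") as f:
            f.write(b"MZ" + bytes(100))  # constructed stand-in for a PE file
        with open(doc, "wb") as f:
            f.write(b"hello")
        base = baseline([exe, doc])
        clean_mbr = make_boot_sector(b"\xfa\x33\xc0\x8e\xd0")  # constructed boot code
        mbr_digest = sha256_of(clean_mbr[:BOOT_CODE_LEN])

        # "Infection": append a body to the executable and replace the boot code.
        with open(exe, "ab") as f:
            f.write(b"VIRUS-BODY" * 3)
        infected_mbr = make_boot_sector(b"\xeb\xfe" + b"VIRUS")

        return (verify(base),
                check_boot_sector(clean_mbr, mbr_digest),
                check_boot_sector(infected_mbr, mbr_digest))


if __name__ == "__main__":
    files, clean, infected = demo()
    for path, reason in files.items():
        print(f"{path}: {reason}")
    print("clean MBR:", clean, "| infected MBR:", infected)
```

On a real system the baseline must be stored somewhere the malware cannot reach (write-protected media or another host), and the boot sector should be read with the OS running from trusted media, since a rootkit or boot virus can present a clean sector to tools running on the infected machine.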

Hosts and transports

In order for malware to be effective, it needs at least two things: a host to infect and a transport to reach that host. Hosts can take many forms, but usually malware will use executable files, scripts or macros, or attach itself to the boot sector of a disk. Transports are just as varied: scanning a network for vulnerable hosts, peer-to-peer networks or network shares, removable media (such as a floppy disk or a flash drive) or what is arguably the transport of choice for most malware, email.
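Since email is the transport of choice, the one control that blocks the most hosts at once is screening attachments at the gateway. The example below is added here (it is not the article's code and not any particular mail filter's logic); it constructs a message in the style of the "Love Letter" mail discussed above, with the script attachment `LOVE-LETTER-FOR-YOU.TXT.vbs`, and applies three checks a practitioner would want: a list of executable extensions, the double-extension trick, and the file's actual content (a Windows executable starts with the bytes `MZ` no matter what it is called).

```python
"""Screen email attachments for executable content.

Added example, not from the original article. The sample message, its
sender and its attachment bodies are all constructed here.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute or script when double-clicked (assumption:
# a representative list, not an exhaustive one).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}


def classify(filename: str, data: bytes):
    """Return the list of reasons an attachment is risky (empty if none)."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + parts[-1])
        if len(parts) >= 3:
            reasons.append("double extension disguises type as ." + parts[-2])
    if data[:2] == b"MZ":
        reasons.append("content is a Windows executable (MZ header) regardless of name")
    return reasons


def screen_message(raw: bytes):
    """Parse a raw RFC 822 message and return {filename: [reasons]} for every
    attachment that fails a check. The text body is not an attachment and is
    skipped by iter_attachments()."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = classify(name, data)
        if reasons:
            report[name] = reasons
    return report


def build_sample_message() -> bytes:
    """Construct a Love Letter-style message with three attachments:
    the disguised script, an 'image' that is really an executable, and a
    harmless PDF. All contents are made up."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b"On Error Resume Next\r\n'constructed script body\r\n",
                       maintype="text", subtype="plain",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment(b"MZ\x90\x00" + bytes(60),
                       maintype="application", subtype="octet-stream",
                       filename="photo.jpg")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n",
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample_message()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The content check matters because a mail client that hides known extensions will show `LOVE-LETTER-FOR-YOU.TXT.vbs` as a text file and `photo.jpg` as a picture; checking the bytes catches the renamed executable that a name-only rule misses. Archives and macro-bearing Office documents need their own handling, which this example does not attempt.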

In part two of knowing your enemy, we'll go into more details on how to manage hosts and transports as well as look more in depth at payloads, triggers and defense mechanisms.


