October 2003

Issue 2

 Featured Story

Viruses are from Venus and Worms are from Mars

Insight into the ugly PC-eating creepy crawlers

The Remediator speaks with Russ Cooper, Founder of NTBugtraq Newsletter  

We don’t often think about what differentiates a virus from a worm. We just know they make big messes for administrators to clean up. For most folks, the differences don’t matter, but for the heroes behind the fighting lines, knowledge is a great weapon.

Russ Cooper

Two of the things to watch for are: attack vector and mode of propagation. These ugly PC-eating species strike and reproduce in various ways.  

Virus Attack Vector: A virus requires user interaction such as a user reading an email and clicking an attachment (as found in the "I Love You" virus), clicking a hyperlink, or reading an attachment. The machine won’t get sick unless the user performs a task -- not an ideal hacker entry method. A hacker typically wants to break into machines without needing a user at the console to take the intended action.

Virus Propagation: For a virus to propagate, the infected machine sends email to other users, who in turn perform the same kind of task and so infect their own machines.

Worm Attack Vector: The worm that ducks the early bird takes advantage of a vulnerability on an unpatched computer system (e.g. the Blaster worm, which attacks machines missing the MS03-026 patch). A worm doesn’t require a user to take action to compromise the computer. A computer plugged into the network can be attacked by the simple act of turning it on -- a hacker’s dream. This method gives hackers premium access to servers and workstations at any time without needing a user to do a thing.

Worm Propagation: After the worm has compromised the system, it can propagate to other systems without user interaction. The nasty result is a worm traversing the Internet in a matter of hours, infecting numerous machines.

How to eradicate these nuisances 

Viruses are pests - a nuisance - they don't necessarily help the attacker own the system or access resources or data. Hackers prefer worms because they can provide immediate remote administrative access to each compromised machine.

Though worms can sicken a PC without user interaction, technical users have the ability to be proactive in the fight to fry worms. According to Russ Cooper, Surgeon General of TruSecure Corporation / NTBugtraq Editor, a “Default Deny posture ensures that everything from routers and firewalls to personal firewalls is configured to only allow traffic in AND out that has been justified (e.g. a Business Case assures the traffic is really needed to conduct your work).”

He continues, “Another thing to do is ensure that routers or VPN gateways between networks have rules specifying PERMIT of traffic which is widely used. Having a permit rule allows you to dynamically alter it to a deny rule in the event that a worm is discovered using a protocol such as RPC. Before the worm spreads too far, you alter the rule and segment the network to control its spread.”
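The two ideas in Cooper's advice above, an implicit deny that catches anything not explicitly justified, and explicit permit rules that can be flipped to deny (and a segment isolated) the moment a worm is found using that protocol, can be shown with a toy first-match packet filter. This is an added example, not code from the newsletter or from any router vendor; the rule and packet formats are invented for illustration, and the "RPC" rule uses TCP/135 because that is the port of the RPC/DCOM service Blaster exploited (a well-known fact the article does not spell out).

```python
"""Toy first-match packet filter illustrating a Default Deny posture.

Added example, not from the newsletter. Rule/packet formats are invented here;
the sample networks (10.1.0.0/16, 10.2.0.0/16) are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]       # None matches any port
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything that matches nothing hits the implicit deny.

    That implicit deny is the Default Deny posture: traffic is blocked unless a
    rule (i.e. a business case) explicitly permits it."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.name
    return "deny", "implicit-default-deny"


def quarantine(rules: List[Rule], name: str) -> List[Rule]:
    """Flip an existing explicit permit to a logged deny during an outbreak.

    Because the permit already exists as its own rule, stopping the protocol
    is a one-line edit rather than a redesign of the whole rule base."""
    out, found = [], False
    for r in rules:
        if r.name == name:
            out.append(replace(r, action="deny", log=True))
            found = True
        else:
            out.append(r)
    if not found:
        raise KeyError(name)
    return out


def isolate_segment(rules: List[Rule], network: str,
                    name: str = "isolate-infected-segment") -> List[Rule]:
    """Insert a logged deny-all for traffic sourced from an infected segment
    ahead of every permit, i.e. segment the network to contain the spread."""
    return [Rule(name, "deny", "any", None, src=network, log=True)] + list(rules)


# Constructed baseline: justified traffic only, everything else is implicitly denied.
BASELINE = [
    Rule("permit-rpc-between-sites", "permit", "tcp", 135,
         src="10.1.0.0/16", dst="10.2.0.0/16"),
    Rule("permit-http-out", "permit", "tcp", 80),
    Rule("permit-smtp-to-relay", "permit", "tcp", 25, dst="10.2.5.10/32"),
]

if __name__ == "__main__":
    rpc = Packet("10.1.4.7", "10.2.9.3", "tcp", 135)
    print("normal:", evaluate(BASELINE, rpc))
    outbreak = quarantine(BASELINE, "permit-rpc-between-sites")
    print("during RPC worm:", evaluate(outbreak, rpc))
    contained = isolate_segment(outbreak, "10.1.4.0/24")
    print("infected segment, any port:", evaluate(contained, Packet("10.1.4.7", "203.0.113.9", "tcp", 80)))
```

The `quarantine` step keeps the rule's name so operators can find and revert it once remediation is done; the `isolate_segment` step is the router-segmentation approach Cooper describes for faster-spreading worms.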

Cooper warns that admins should, “watch out for laptops and VPNs, because they are highly likely to be unprotected against worms, and thereby increase the chances of bringing an infection into a LAN.” He advises installing personal firewalls on laptops and closely monitoring VPNs during Internet events such as Blaster or Nachi.

Your plan of attack is completely dependent on the worm. “If, for example, the worm is Blaster, then its spread is relatively slow within a network. Adding a rule to any routers which log attempts to use the ports involved in the worm will help you identify which clients are affected,” explains Cooper.
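Cooper's logging rule only helps if someone turns the log into a list of affected clients. The script below does that over a handful of router ACL log lines; it is an added example, not the newsletter's or any vendor's code. The "ACL-LOG" line format and all addresses are constructed for this example (real router syslog formats differ), and TCP/135 stands in for "the ports involved in the worm" because that is the RPC/DCOM port Blaster used. Counting distinct destinations per source, rather than raw packets, is what separates a scanning worm from a workstation legitimately talking to one RPC server.

```python
"""Identify worm-affected clients from router ACL log lines.

Added example, not from the newsletter. The log format and hosts below are
constructed; adapt LINE_RE to the format your own routers emit.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, Iterator, Tuple

# Constructed sample: 10.1.4.7 sweeps six addresses on TCP/135 (worm-like),
# 10.1.4.8 talks repeatedly to a single RPC server (legitimate use),
# 10.1.9.9 is an unrelated HTTP entry that must be ignored.
SAMPLE_LOG = """\
Aug 12 09:14:02 edge-rtr1 ACL-LOG: list WORM-WATCH denied tcp 10.1.4.7(1072) -> 10.2.9.1(135), 1 packet
Aug 12 09:14:02 edge-rtr1 ACL-LOG: list WORM-WATCH denied tcp 10.1.4.7(1073) -> 10.2.9.2(135), 1 packet
Aug 12 09:14:03 edge-rtr1 ACL-LOG: list WORM-WATCH denied tcp 10.1.4.7(1074) -> 10.2.9.3(135), 1 packet
Aug 12 09:14:03 edge-rtr1 ACL-LOG: list WORM-WATCH denied tcp 10.1.4.7(1075) -> 10.2.9.4(135), 1 packet
Aug 12 09:14:04 edge-rtr1 ACL-LOG: list WORM-WATCH denied tcp 10.1.4.7(1076) -> 10.2.9.5(135), 1 packet
Aug 12 09:14:04 edge-rtr1 ACL-LOG: list WORM-WATCH denied tcp 10.1.4.7(1077) -> 10.2.9.6(135), 1 packet
Aug 12 09:14:05 edge-rtr1 ACL-LOG: list WORM-WATCH permitted tcp 10.1.4.8(1101) -> 10.2.5.20(135), 4 packets
Aug 12 09:14:06 edge-rtr1 ACL-LOG: list WORM-WATCH permitted tcp 10.1.4.8(1102) -> 10.2.5.20(135), 2 packets
Aug 12 09:14:07 edge-rtr1 ACL-LOG: list WORM-WATCH permitted tcp 10.1.9.9(1200) -> 203.0.113.5(80), 9 packets
"""

# Matches the constructed line format; both permitted and denied attempts count,
# since the point is to see who is *trying* to reach the worm port.
LINE_RE = re.compile(
    r"ACL-LOG: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>tcp|udp|icmp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)


def parse(lines: Iterable[str]) -> Iterator[Tuple[str, str, str, int]]:
    """Yield (src, dst, proto, dst_port) for every line that matches; skip the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dport"))


def find_suspect_clients(log_text: str,
                         worm_ports: FrozenSet[int] = frozenset({135}),
                         min_targets: int = 5) -> Dict[str, int]:
    """Map each source that contacted at least `min_targets` distinct hosts on a
    worm port to the number of distinct hosts it touched.

    A worm scans many addresses; a legitimate client hits one or two servers
    many times. Distinct-destination counting keeps the latter off the list."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse(log_text.splitlines()):
        if proto == "tcp" and dport in worm_ports:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, n in sorted(find_suspect_clients(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} distinct hosts on a worm port -> pull from the network and remediate")
```

Lowering `min_targets` makes the sweep more sensitive at the cost of listing ordinary RPC clients; a short log window with a threshold around five distinct targets is usually enough to surface a scanning host during an event like Blaster.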

He goes on to say, “Disconnecting hub switches / ports to isolate them offers, usually, a more centralized approach to limiting the worm’s spread while ‘feet on the street’ do the work required to remediate. In the case of Nachi, however, where the spread internally is far greater (not to mention the effect on bandwidth pulling down all of those patches), the router segmentation approach is typically more effective.”

Watch for clever disguises

Hackers are getting smarter, and one way is by disguising emails to look like official emails. Cooper advises users to stop using HTML-based email, either by installing his NoHTML plug-in (http://www.ntbugtraq.com/nohtml.asp) or by disabling HTML email. Technical users can block executables at the gateway to prevent them from entering the email environment, and Outlook itself can block certain types of file attachments. He also recommends that everyone turn off Outlook’s preview pane.

Administrators may want to advise users to help by reporting weird computer behavior or anything out of the norm. In addition to running virus protection programs to protect computers, it’s also beneficial to know what is installed on the computer, what versions are in use, and who has what privileges.

Virus protection software on the market is plentiful, and deciding which to install has become a conundrum. One factor simplifies the decision. Cooper says to find a program that is ICSA Labs-Certified, and all popular AV programs have long been certified. The certification indicates they all meet the same minimum requirements for functionality and that they will all catch the same viruses. Beyond that, look for ease of use, products which can do in-memory scanning, block wildcard attachment types, and report when they've been disabled.
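Both the gateway executable blocking described under "Watch for clever disguises" and the "block wildcard attachment types" feature mentioned just above come down to the same check: match an attachment's name against a wildcard deny list, and do not trust the name alone. The filter below is an added example, not code from the newsletter, from Outlook or from any AV product; the pattern list is a constructed sample (Outlook's real blocked-type list is longer), and the file name "LOVE-LETTER-FOR-YOU.TXT.vbs" is the well-known attachment name of the "I Love You" virus mentioned earlier in the article.

```python
"""Gateway attachment filter: block executable types by wildcard name pattern
and by file content. Added example; the pattern list is a constructed sample."""
import fnmatch
from typing import Iterable

# Constructed deny list of attachment name patterns (fnmatch-style wildcards).
BLOCKED_PATTERNS = ["*.exe", "*.com", "*.scr", "*.pif", "*.bat", "*.cmd",
                    "*.vb?", "*.js", "*.lnk", "*.hta"]


def normalize_name(filename: str) -> str:
    """Take the last path component (either separator style), lower-case it and
    strip trailing dots and spaces, which Windows drops when resolving a name."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.lower().rstrip(". ")


def name_is_blocked(filename: str, patterns: Iterable[str] = BLOCKED_PATTERNS) -> bool:
    """True if the final extension, or any earlier extension, matches a pattern.

    'love-letter-for-you.txt.vbs' is caught by its final '.vbs' even though a
    user whose client hides known extensions only sees '.TXT'. Checking the
    earlier components as well catches names like 'setup.exe.txt', which a
    final-extension-only filter would pass."""
    parts = normalize_name(filename).split(".")
    for ext in parts[1:]:
        if any(fnmatch.fnmatch("f." + ext, p) for p in patterns):
            return True
    return False


def content_is_windows_executable(data: bytes) -> bool:
    """DOS/PE executables start with the 'MZ' signature regardless of file name,
    so a renamed .exe is still recognised by its first two bytes."""
    return data[:2] == b"MZ"


def should_block(filename: str, data: bytes = b"") -> bool:
    """Block if either the name or the content says 'executable'."""
    return name_is_blocked(filename) or content_is_windows_executable(data)


if __name__ == "__main__":
    for name, payload in [("LOVE-LETTER-FOR-YOU.TXT.vbs", b""),
                          ("quarterly-report.doc", b"\xd0\xcf\x11\xe0"),
                          ("holiday.jpg", b"MZ\x90\x00")]:
        print(f"{name!r}: {'BLOCK' if should_block(name, payload) else 'allow'}")
```

The content check is deliberately narrow (one signature) so the example stays readable; a production gateway would also inspect archives and Office documents with macros, which the name-based filter cannot see into.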

In Summary

Viruses are from Venus

They:

  • Require user interaction.
  • Propagate slower than worms, because of the need for human interaction.
  • Primarily attack workstations, as users must be on the console machine to initiate the virus infection.
  • Are not the primary mechanism of attack of hackers.
  • Can be caught via the use of antivirus software.
  • Do not leverage vulnerabilities; they mostly rely on end users making unwise decisions (like opening an attachment from an unknown person).
  • Are single-partite in nature, meaning they tend to infect using one mechanism and then infect subsequent machines using the same mechanism.

Worms are from Mars

They:

  • Do not require any interaction.
  • Propagate quickly, because there is no need for human interaction.
  • Can attack any unpatched machine that is on the network - both servers and workstations.
  • Are a hacker’s best friend (not diamonds).
  • Cannot be easily detected by antivirus software.
  • Require the presence of a security vulnerability on the machine to compromise it.
  • May obtain confidential data from the compromised machine (like usernames and passwords) that can then be used to compromise other machines, even machines that are patched (e.g. Code Red, Nimda).
  • Can be multi-partite - meaning they can attack a machine via one vector and then attack subsequent machines using any of 25+ other attack vectors (worms can enter using Blaster and then attack other machines via open file shares, Nimda, Code Red, Slammer, etc.).

Be prepared for the next e-war

Armed with the information on attack vector and propagation, and access to the right tools to destroy these wily creatures, stay prepared for the next e-war. Be like the early bird who gets the worm before it goes anywhere. 


About Russ Cooper: 

Russ Cooper is surgeon general of TruSecure Corp., and founder and moderator of the NTBugtraq Newsletter. NTBugtraq was established in 1997 and has grown to more than 30,000 subscribers. With more than 26 years of experience in the computer industry, he has worked as an independent consultant who specializes in Microsoft Windows NT®, the Internet and security, with emphasis on securing the environment for Internet usage. He participates regularly with Microsoft in product design review, alpha, beta and service pack testing. Russ has an FAQ on Safe Mail (http://www.ntbugtraq.com/safemail.asp). 


Sponsored by Shavlik Technologies
Copyright © 2003 InternetVIZ, LLC. All rights reserved.