Protecting Your Computers From Invaders

Protecting your computers from invaders

Antivirus-software powerhouse Symantec offers tips for keeping viruses, worms, and Trojan horses at bay


Most people who use a computer and the Internet for business and/or personal activities are familiar with the potential havoc that can be wrought by computer viruses. These little programs often make news headlines and are capable of everything from annoying computer users to costing corporations millions of dollars because of lost time and destroyed information, as well as other damage to digital assets. The first step in protecting against the damage viruses cause is to understand exactly what a computer virus is and how it behaves.

A computer virus is a program that replicates by inserting or attaching itself to other computer programs or media and can disrupt a computer system’s functional abilities. Computer viruses come in both benign and malignant varieties. Viruses can be programmed to disrupt a computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage but simply to replicate themselves or make their presence known by presenting text, video, or audio messages. Much like biologic viruses, computer viruses are also capable of infection rates of varying speeds, and they can be polymorphic (they can reproduce self-operational clones) or metamorphic (they can evolve into different strains).

Different classes of Internet threats, such as worms and Trojan horses, act like viruses but have distinct differences. Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Worms are “self-contained” code or programs that have the goals of replicating themselves and compromising as many computers as they can reach with (increasingly) little or no intervention from the computer user.

Trojan horses are programs that are hidden in software that programmers deliberately include without the user’s knowledge. They are impostors-files that claim to be something desirable but, in fact, are malicious. An important distinction between Trojan horse programs and true viruses is that Trojan horses do not replicate themselves. Trojan horses contain malicious code that, when triggered, causes loss-or even theft-of data. For a Trojan horse to spread, a user must “invite” the program onto his/her computer-for example, by opening an e-mail attachment or downloading and running a file from the Internet.

Evolving Threats
In the past, viruses were transmitted via floppy disk. This infection process is extremely slow by today’s standards. The Internet has provided a medium by which viruses are transmitted from host to host with amazing speed through e-mail, peer-to-peer file sharing, or instant-messaging applications; virus infection has come to take place predominantly through e-mail attachments.

Human nature is a funny thing, and virus writers often exploit it to create viruses that trick computer users into opening malicious programs. This tactic, called “social engineering,” preys upon a person’s curiosity or desire to be included or receive free items. Once a user opens an infected e-mail or an attachment is run, computers can become infected.

Today’s trends show increased numbers of a new type of threats called “blended threats.” The difference between traditional viruses and today’s blended threats is that blended threats attack multiple points, spread without human intervention, and exploit vulnerabilities. They also use multiple methods to propagate, such as becoming embedded into HTML files of an infected server, infecting any visitors to a particular Web site, and even sending e-mails with a worm attached. Multiple methods of propagation can make containment of a blended threat an even greater challenge. Blaster, Welchia (or Nachia), and SQL Slammer are examples of high-profile blended threats that used the methodology of attacking known security flaws in operating systems and database applications. This type of attack (exploiting known security flaws) is unique for virus-based attacks in that it might not require a file to be run on a targeted computer. The initial propagation of the attack runs in computer memory and can achieve global infection in minutes or hours rather than days, making blended threats very hard to defend against.

It is possible that the convergence of computers and everyday devices means that new types of threats will be created. The methods of infection and distribution will also evolve with the increased use of new devices that share information easily because they use the same basic technology. We already have handheld computers, phones with Internet access, and other appliances that are designed to automatically connect to networks when they are within a certain physical distance of the wireless environment and attempt to communicate with the network. These new technologies and devices are quickly approaching the functionality and critical mass necessary for them to become potential targets.

Antivirus software is critical in defending against computer viruses and other malicious programs (often called “malware”). Antivirus software identifies and protects against these threats by taking parts of the live electronic virus and using its characteristics as markers that are called “definitions.” To identify viruses for which a definition might not be yet available, antivirus companies use a method of virus identification based on modeling behavior called “heuristics.” In other words, if it looks like a duck, walks like a duck, and sounds like a duck, then it must be a duck. Employing heuristics, the software uses the basic characteristics of viruses and other attack software to actively search for programs or code with similar or identical characteristics or behaviors, tagging matching code as potential attack software.

Any organization can take some common steps to help protect against virus infections:

Install antivirus software from a wellknown, reputable company, update it regularly, and use it properly. New viruses come out every single day, and an antivirus program that hasn’t been updated for several months will not be as effective against current viruses. Use the software’s real-time scan feature and configure it to start automatically each time you boot your system. This will protect your system by checking for viruses each time your computer accesses an executable file.

To protect your enterprise from the new generation of blended threats, you need to take a look at the security strategies you currently have in place. The “one threat, one cure” approach, such as installing only one antivirus software version, has become outdated. Enlist a comprehensive approach, creating a defensive barrier that is comprised of antivirus, content-filtering, firewall, vulnerability-management, and intrusion-detection measures. This will make your system extremely difficult and costly for intruders to compromise. All parts of the network must be protected, and there must be a response in place to provide security at different levels of the network, including the gateway, server, and client levels.

Perform a virus scan on any new programs or other files that could contain executable code before you run or open them, no matter where they originate. There are several cases of commercially distributed floppy disks and CD-ROMs spreading virus infections.

Be extremely careful about opening binary files and Word/Excel documents from unknown or dubious sources. Be especially wary of files unexpectedly received as attachments to e-mail or during an online chat session. E-mail and online chat seem to be the primary means through which many viruses are transmitted.

Disable mobile code. In this context, mobile code is software that is transferred from a host to a client (or another host computer) to be executed (run). A worm is an example of malicious mobile code. If your e-mail or news software has the ability to automatically execute JavaScript, Word macros, or other executable code contained in or attached to a message, you should seriously consider disabling this feature in your Web browser. One of the best methods of preventing attacks is actively monitoring all software installed and run on your computer.

Perform regular backups. Some viruses and Trojan horse programs will erase or corrupt files on your hard drive, and a recent backup might be the only way to recover your data.

If you think your computer might have a virus, don’t overreact. Overreacting (i.e., panicking) will cause undue stress related to a problem that is very manageable. Viruses and worms can be effectively identified and treated, and often data can be recovered and files repaired. Learn and understand the symptoms by trying to assess how your computer is behaving differently. Some common symptoms that could indicate your system has been infected are:

  • Your computer slows down without reason.
  • Unusual messages or displays appear on your monitor.
  • Unusual sounds or music are played at random times.
  • Your system has less available memory than it should.
  • A disk or volume (a volume is a fixed amount of storage space on a disk or storage tape) name has been changed.
  • Programs or files are suddenly missing.
  • Unknown programs or files have been created.
  • Some of your files have become corrupted or suddenly don’t work properly.
If a virus does infect your computer, follow the directions in your antivirus program for cleaning it from your computer. Scan the files you restore to make sure your backups weren’t infected. For additional assistance, check your antivirus vendor’s Web site and support services for your antivirus software.

Bill Musson, a Certified Information Systems Security Professional (CISSP) and Global Information Assurance Certification (GIAC) Certified Intrusion Analyst (GCIA), is a Senior Security Consultant for Symantec Corporation and is currently contracted to the U.S government, performing support for the Navy-Marine Corps Intranet Network Operation Center on Ford Island in Pearl Harbor, Hawaii.

James Hukill, Jr., is a Security Consultant at Symantec and has worked in law enforcement and technology account management. He also is engaged in the Navy-Marine Corps Intranet project. For more information, e-mail

To comment on this article, please send e-mail to For reprints, call (866) 377-6454.

Topics: Articles , Risk Management , Technology & IT