Not Your Mother's Computer Virus
Roger A. Grimes

Use an antivirus scanner with an updated signature database and you've done your best to protect your computer against malicious mobile code. At least that's the advice most security experts give. Well, as the LoveLetter worm proved recently, the status quo isn't working anymore. The email worm first hit the US in the early morning hours, and before lunch most companies were dealing with thousands of deleted files and shut-down email servers. Before antivirus companies could release an updated signature, the worm had slipped past defenses and done its dirty work. Downloading a new signature database was almost futile, because all the leading antivirus sites were besieged by traffic.

An antivirus scanner isn't enough anymore. It isn't the fault of the antivirus industry; technology has changed faster than it could adapt. Everything is now connected to the Internet, and new technologies make it easier than ever to send rogue code. This article covers the new threats presented by malicious mobile code and offers ten steps you can take to limit its effectiveness on a Wintel-based system.

Malicious mobile code includes viruses, worms, trojans, and rogue Internet content. Viruses are malicious programs that use other files (or boot sectors) to do their dirty work. In most cases, viruses "infect" a host file, permanently modifying it so that every execution spreads more copies. File and boot sector viruses are quickly taking a back seat to macro viruses. Macro viruses use an underlying application's macro language (in most cases Microsoft Office's) to copy themselves from data file to data file. The spread of file viruses was initially limited because most people rarely traded executable program files, but everyone sends and receives documents and spreadsheets. Hence, macro viruses have become the most commonly reported type of malicious mobile code today.
Worms are malicious programs that use other programs as a conduit to spread, but they don't infect program files. For example, an email worm uses the client's email program to send itself to everyone in the client's address book. Other types of worms may exploit a weakness in a particular login screen or try to guess passwords. The latest worms have been arriving in email with hostile code written in Visual Basic Script (VBScript); once clicked, the script can do almost anything to the system it has invaded. A close relative of the worm, the trojan masquerades as a legitimate file. While the user thinks one thing is happening, the trojan is busy taking control of the computer, deleting files, or formatting hard drives. Often, as with LoveLetter, the malicious mobile code is part worm and part virus: the worm part was the emailing routine that carried it around the world in hours; it then overwrote selected files with a virus written in VBScript.

Remote access trojans, like Back Orifice, are among the most serious threats on the Internet today. They usually arrive in email as joke programs, but once executed they give the sender complete remote access to everything on the compromised system. The hacker can download files, delete files, manipulate the user's system (e.g., make beeping noises, fake error messages, open and close the CD-ROM drive tray), see everything the user types, and even record video and sound if the user has the appropriate hardware. With other forms of malicious mobile code, you can eradicate the rogue program and restore any corrupted files from backups. But remote access trojans can be used to record business secrets, download financial information, and monitor personal communication, so their effects can be felt long after the malicious program is cleaned up. Malicious hackers have even established their own online trading channels to exchange the IP addresses of thousands of compromised machines.
Using Internet Relay Chat (IRC) channels, hackers trade the names and locations of compromised personal computers for pirated software or pornography-site passwords.

The maturing development of the Internet browser has made randomly surfing the Web a risk. Any type of active content, whether Java, ActiveX, VBScript, or another scripting language, can pose a real threat to your system. You can go to a new Web site, or click on an HTML link, and completely kill your system. You can visit an innocent-looking Web site that tracks your every move (e.g., via a cross-frame exploit) or downloads files from your system.

As new software versions and operating systems become popular, malicious code writers get busy. MS-Office 2000 had its first multi-application virus before it was out of beta. Linux's growing popularity is shadowed by Linux viruses, trojans, and worms. Windows NT has viruses that wait for administrators to log on and then steal their security credentials to attack trusted networks. Today's world of interconnectedness links business to consumer, email to pager, and Internet to cell phone. The LoveLetter bug caused pager and cellular disruptions throughout the world. The Chode worm uses PC modems to jam up 911 emergency lines. Clearly, malicious mobile code is much more of a threat today than ever. Although Microsoft and computer security vendors are working to close the known security holes, there are some general steps you can take to protect your system right now.

Ten Best Steps to Protect Yourself Against Malicious Mobile Code

1. Don't Run Untrusted Code. If everyone followed this advice, malicious mobile code writers would be out of business. So don't run that joke program attached to your friend's email. Don't click on Internet links sent to you in email. Don't run programs from untrusted Web sites. Just because your friend ran the program without noticing a problem isn't reason enough to trust the code.

2. Disable Booting from Drive A:. Go into your BIOS setup and disable booting from Drive A:. This prevents a pure boot sector virus on an infected floppy from taking control of your PC at startup.

3. Keep Antivirus Software Current. Regardless of my opening argument, generalized antivirus software is still a great way to protect your system (just don't feel completely protected). Make sure your antivirus signature definitions are updated frequently, and if possible, automate the process.

4. Keep Your Browser Current. Both Microsoft and Netscape release interim bug fixes every few months, and most updates close security holes found during the preceding weeks. Check your browser vendor's Web site and install the updates.

5. Disable/Remove Windows Scripting Host (WSH). Microsoft added WSH to its latest versions of Windows and Office to bring a DOS-like batch and macro language to its GUI (Graphical User Interface) platforms, a capability that had been sorely missing since the days of Windows 3.x. Unfortunately, WSH has no security model of its own: a script runs with the full privileges of the logged-on user, so any email attachment containing a script (a .VBS file, as with the LoveLetter worm) could potentially damage your system. Simply renaming WSCRIPT.EXE to WSCRIPT.EXX is an easy way to disable the Windows-based script host; rename CSCRIPT.EXE, the command-line host, the same way so that scripts can't be launched from a command prompt either.

6. Don't Open Files With Embedded Macros. Most new versions of Microsoft Office warn you if the file you are attempting to open contains a macro. Unless you specifically expected the document to contain macros, choose to disable the macros as you open it.

7. Decrease the Effects of Active Content in Your Browser. Both Netscape and Microsoft browsers allow you to configure the extent to which active content and scripting can modify your system. For untrusted Internet sites, restrict what active content can do. At the very least, make sure your browser prompts you if a Web site tries to run executable content or manipulate your file system.

8. Make File Extensions Visible. It is generally safe to open genuine non-executable content, such as JPGs, MPGs, GIFs, WAVs, etc.
You just need to make sure they aren't executables in disguise. Most Windows versions hide known file extensions by default. Thus, a seemingly innocuously named file, PICTURE.JPG, may really be PICTURE.JPG.EXE. In Windows Explorer, look for the "Hide file extensions for known file types" option under Folder Options and turn it off.

9. Learn Your System. Take the time to understand what programs, processes, TCP/IP ports, and drivers are active on your system. Learn what is normal for your system, what takes up the most resources, and what TSRs (terminate-and-stay-resident programs) are running in the background. If you've got Windows 98, try DRWATSON.EXE. You'll be surprised to learn that hundreds of programs and processes are active right now. Get a baseline understanding so that the next time your system seems sluggish or is having problems, you'll be able to spot the culprit quicker.

10. Nothing Beats a Good Backup. Make sure important data and programs exist in two places at once. Often by the time you notice malicious mobile code, the damage is done. A good backup takes away a lot of stress.

Following these guidelines is a gigantic step in protecting your system against malicious mobile code.

The Future

The rapid pace of malicious mobile code is starting to make conventional antivirus protection tools ineffective. The best antivirus companies have been awaiting this day for almost a decade, and new companies with new ideas are forming every day. The most successful protection products will not rely on signature databases but will instead prevent potentially damaging code from ever executing. Personal computer operating systems will become more security conscious, and the initial Internet tenets of complete privacy and default trust will give way to protection concerns. Because the Internet is now considered vital infrastructure (like electricity grids, waterworks, and telephone networks), increased government regulatory oversight is guaranteed. With that said, malicious mobile code will never disappear. No matter what defenses we put up, the incredible human spirit and the hacker subculture will be challenged to push the envelope. Personal computer users and network administrators will be tasked with making sure security and intrusion prevention underlie every application within their perimeter of control.

Signature Database
Antivirus scanners work by searching files and disks for previously identified code segments (signatures) known to be associated with a particular bad program. Each antivirus program has a large database storing tens of thousands of signatures for comparison. A scanner can therefore only catch code whose signature has already been captured and distributed, which is why a brand-new worm like LoveLetter gets through on its first day.

Malicious Mobile Code
Malicious mobile code is a new term describing all sorts of bad programs: viruses, worms, trojans, etc. The terms virus and worm are too limiting to cover all the new sorts of rogue traveling programs. To be considered malicious mobile code, a program must intentionally modify a user's system without permission and contain code to facilitate its own transfer between computers. The term doesn't cover events like hackers directly trying to break into a Web site or launching a remote denial-of-service attack.

Macro Language
A macro is a predefined shortcut used to automate a series of keystrokes or a program feature. For example, in most Windows programs, pressing Ctrl-S saves a file just as choosing File, Save from the program's menu bar does. Macro languages allow very sophisticated macros, and even entire applications, to be developed.

Internet Relay Chat
Internet Relay Chat allows two or more users to exchange instant messages. There are tens of thousands of IRC channels, each dedicated to a particular topic. Hackers use IRC to communicate with other hackers, to trade programs, and to announce the latest system invasions.

Active Content
Active content refers to any program code or scripting that can manipulate a user's system. Most often, active content is launched from within an Internet browser, but it can be started by other applications (e.g., an email client).
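Steps 5, 8 and 9 of the list above (disable WSH, show file extensions, baseline your system) are described in the article as manual procedures on Windows 9x/NT. As an added example that is not from the original article, the following PowerShell script applies those three steps on a current Windows host (Windows 8 / Server 2012 or later, run from an elevated prompt). Instead of renaming WSCRIPT.EXE it sets the Microsoft-documented "Enabled" value of the Windows Script Host settings key, which covers both WSCRIPT.EXE and CSCRIPT.EXE. The registry keys and value names are documented Windows settings; the baseline file location, the function names, and the list of "disguise" extensions are this example's own assumptions.

```powershell
# Added example (not the article's own code): hardening and baselining for
# steps 5, 8 and 9 on a modern Windows host. Run from an elevated prompt.
$ErrorActionPreference = 'Stop'

# Step 5: disable Windows Script Host through its documented policy value.
# Enabled=0 makes wscript.exe and cscript.exe refuse to run any script, so
# a .VBS attachment double-clicked by a user does nothing. HKLM applies to
# every account on the machine; use HKCU instead to scope it to one user.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Type DWord -Value 0

# Step 8: show known file extensions so PICTURE.JPG.EXE cannot pose as
# PICTURE.JPG. HideFileExt=1 (the default) hides them; 0 shows them.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerKey -Name 'HideFileExt' -Type DWord -Value 0

# Step 8 check: find files whose real extension is executable or script
# content hidden behind an innocuous one. The extension lists are this
# example's assumption; extend them to match what your users receive.
function Find-DisguisedExecutable {
    param([string]$Path = $env:USERPROFILE)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.(jpg|jpeg|gif|mpg|wav|txt|doc|xls)\.(exe|com|scr|pif|bat|cmd|vbs|vbe|js|jse|wsf|wsh)$' } |
        Select-Object FullName, Length, LastWriteTime
}

# Step 9: snapshot what is normally running (process names, listening TCP
# ports with their owning process, running services) so a later snapshot
# can be compared against it.
function Get-SystemSnapshot {
    [PSCustomObject]@{
        Processes = Get-Process | Select-Object -ExpandProperty ProcessName | Sort-Object -Unique
        Ports     = Get-NetTCPConnection -State Listen |
                    ForEach-Object {
                        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                        "$($_.LocalPort)/$owner"
                    } | Sort-Object -Unique
        Services  = Get-Service | Where-Object Status -eq 'Running' |
                    Select-Object -ExpandProperty Name | Sort-Object
    }
}

# Report every process, port or service that appeared (NEW) or vanished
# (GONE) since the baseline. A new listening port owned by an unfamiliar
# process is exactly what a remote access trojan looks like.
function Compare-SystemSnapshot {
    param($Baseline, $Current)
    foreach ($set in 'Processes', 'Ports', 'Services') {
        $diff = Compare-Object -ReferenceObject @($Baseline.$set) -DifferenceObject @($Current.$set)
        foreach ($d in $diff) {
            $tag = if ($d.SideIndicator -eq '=>') { 'NEW' } else { 'GONE' }
            '{0,-4} {1,-9} {2}' -f $tag, $set, $d.InputObject
        }
    }
}

# Baseline file location is an assumption of this example.
$baselineFile = Join-Path $env:ProgramData 'mmc-baseline.xml'
if (-not (Test-Path $baselineFile)) {
    Get-SystemSnapshot | Export-Clixml -Path $baselineFile
    "Baseline written to $baselineFile"
} else {
    $baseline = Import-Clixml -Path $baselineFile
    Compare-SystemSnapshot -Baseline $baseline -Current (Get-SystemSnapshot)
}
```

Run the script once on a known-clean machine to write the baseline, then again whenever the system seems sluggish or misbehaves to list what has appeared or disappeared; delete the baseline file to re-record it after a legitimate software install. Explorer only honours the changed HideFileExt value after you log off and back on or restart explorer.exe. Find-DisguisedExecutable is not called automatically; point it at a download or attachment folder, for example Find-DisguisedExecutable -Path "$env:USERPROFILE\Downloads".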