Dangers in disguise
Enterprise antivirus tools can help stop e-menaces at the perimeter
- By Kevin Jonah
- Mar 03, 2004
Pundits often throw around the phrase 'digital convergence' to describe how Internet and computing technologies are changing everything from television to telephone calls. But there's another, somewhat less friendly digital convergence happening on the fringes of the technology world'the merging threats of unsolicited e-mail marketing and malicious software.
Unsolicited e-mail, commonly known as spam, has grown so much in recent years that it now constitutes the majority of the message traffic that comes into many mail servers.
'The volume of spam is so high, we're intercepting 62 percent of mail coming into our customers as spam,' said Michael Sunner, chief technology officer of MessageLabs Inc., an e-mail security company based in Gloucester, England, with U.S. headquarters in New York. MessageLabs' clients include the entire U.K. government.
With increasing frequency, this mail carries malware, or malicious software. This includes virus programs that infect the data files of computers and increasingly common Trojan horses, disguised programs that trick users or computers into running them for malicious purposes.
Some purveyors of spam have gone so far as to use viruses to aid their efforts. The Bagel Trojan horse that swept through e-mail systems in January was suspected to be the work of e-mail marketers, who may have used the virus to collect millions of e-mail addresses, either for their own spam campaigns or for resale to other e-mail marketers.
It scans files on infected systems for e-mail addresses to send itself to, and then e-mails a copy of itself to new victims, with a faked e-mail address in the message's 'from' field.
Others have more sinister purposes. MyDoom, which hit just a week after Bagel in January, used a similar attack to spread a program designed to launch a distributed denial-of-service attack on Super Bowl Sunday against the Web site of the litigious SCO Group. It spread quickly, taking many corporate mail servers down in the process. And it succeeded in its efforts to knock SCO offline.
While e-mail might still be the preferred route for many virus attacks, last summer's MSBlast and other recent malicious programs have shown that in an increasingly connected world, the ill-intentioned will find ways to leverage other chinks in the armor of networks and computer operating systems.
By exploiting a hole in Microsoft Corp.'s remote procedure call (RPC) security, MSBlast and its variants were able to propagate themselves without hitching a ride on e-mail traffic'and brought many networks to the brink of collapse as a result.
Another threat comes from spyware. This software, often inadvertently downloaded by users from the Web, installs itself onto computers often by posing as something useful. Secret messages
But while it may in fact function as advertised, it also sends a stream of information back to the spyware coder'everything from what Web sites the user visits to a complete record of keystrokes.
Spyware also can be used to open back doors into systems, circumventing network security.
These threats are not easily taken on by traditional virus scanners, which look for signatures of known malicious software by checking files on a computer against a database that is updated weekly or monthly.
In fact, virus and Trojan authors can use virus scanners as a tool to help them modify their work to keep it from being detected, as the variants of the SoBig virus that brought e-mail servers worldwide to their knees last fall demonstrated.
Fortunately, there are tools available to fight the problems posed by spam, viruses and other e-malignancies.
These products and services catch malware as it tries to enter the network, or patch the vulnerabilities that new bugs seek to exploit.
When used alongside traditional desktop virus protection, these tools provide 'defense in depth,' said Dave Cole, vice president of product management at Foundstone Inc.
Perhaps the most ambitious and effective method for dealing with viruses is to kill them before they even enter your mail system.
That's the approach MessageLabs takes: It routes e-mail destined for its clients through its own network operations centers, distributed around the world. The company's software screens messages for spam, viruses and possible Trojan horses before forwarding them to their destinations. So, customers don't have to dedicate storage on their own mail servers to unwanted messages.
Another approach is to catch things right at the doorstep, by scanning incoming messages for attached Trojans and executable programs, and blocking them without the need for a new virus signature. These programs stop messages that would slip through traditional virus checkers.
Such 'gateway' e-mail protection systems typically are add-ons to messaging servers, or in some cases are messaging servers themselves. But they can offer a great deal of control over how you handle unwanted messages. You can put them in quarantine, send them off to digital oblivion, or pick a combination of rules-based approaches to the problem.
The downside is that your bandwidth and storage have to deal with the load of unwanted and infected messages.
In the case of a virus like SoBig or MyDoom, that load can be enough to seriously impede network performance, and quickly consume a great deal of disk space. While users will never see the viruses in their e-mail, other valid messages could get caught in queue behind the MyDoom spam as the process of screening messages bogs down under volume.
Even if your e-mail is scrubbed clean, there are a host of other avenues available for malware to find its way onto your network.
Web browsers offer hackers a host of ways to drop spyware or Trojans onto users' systems'especially browsers with well-known security vulnerabilities. And holes in operating systems that have been publicly announced are a gold mine for the creators of malware. MSBlast, for example, preyed on a vulnerability in Microsoft Windows that had been public for several months before the worm hit.
In fact, MSBlast.A, the primary version of the bug that attacked Windows systems last summer, is still the most prevalent piece of maleficent code, according to SoftWin, the Romania-based developer of BitDefender.Stubborn threat
In January, MSBlast was still atop SoftWin's 'Evil Top 10,' a report of the most prevalent viruses and Trojans, despite the fact that fixes that can wipe the MSBlast bug out had been available for more than six months.
The right security appliances can take a big bite out of that problem. Security scanners can find the vulnerabilities in networked systems that leave them open to attack by worms.
Automated security systems can take information from those scanners and alert administrators to where the holes are'and help them plug them automatically. The vulnerability data can also be passed to some firewalls and security appliances, which can in turn stop communication over unguarded ports and catch viruses before they can be downloaded from the Web.
But in the end, there's still a big role for traditional, enterprisewide antivirus software. Viruses can still sneak in on a floppy disk, or even in a packaged software application. And the way things are going so far this year, it might help to stay a little bit paranoid. Kevin Jonah, a Maryland network manager, writes about computer technology.