The Challenge of Non-Viral Malware
"We have a firewall and anti-virus software in place, so our network
is protected." To a certain extent, that's true. But don't fall into
the trap of thinking that if you have a firewall and AV (maybe VPNs
and IDS, too), you're protected from everything. A false sense of
total security is more dangerous than recognizing that your network
isn't - and can't ever truly be - 100% secure. This is especially
true in the case of non-viral malware.
Non-viral malicious software is planted by hackers, or unknowingly
downloaded by unsuspecting users, or foisted on systems as part of a
software package to track the user's behavior or software usage. By
its nature, non-viral malicious software is designed to be inconspicuous
and stealthy. Frequently the damage to a system or network isn't
immediate, so infections can go undetected for long periods of time.
While viruses generally damage individual files or file types, or
simply cause annoyance by jamming up e-mail systems, the potential
damage from non-viral pests extends into data theft, espionage,
electronic privacy violation, and issues of legal liability.
Non-viral malware poses unique challenges to network and security
administrators. First and foremost, it can easily evade existing
security measures - even today, many systems administrators mistakenly
believe that anti-virus software will provide adequate protection
against all types of malware. Unfortunately for them, the leading AV
products don't even attempt to deal with illicitly installed hacker
tools, spyware, or commercial RATs. And while they may detect the
standard builds of some well-known trojans, those trojans can easily be
repacked or encrypted with a custom packer so that the signature no
longer matches, which is enough to evade detection. And anti-virus
programs generally can't remove trojans.
After a non-viral malware infection occurs, the threat changes from
a content security issue to a network security issue - and that's
just the beginning of the problem. Let's look at a RAT infection,
using SubSeven as an example.
Once installed on a PC behind a corporate firewall, the RAT silently
tries to connect back to the attacker who planted it. Because most
firewalls are configured to allow any outbound connection, they simply
see this as a legitimate session, and the hacker easily establishes
control over the victim's machine. Intrusion Detection Systems could
use a rule to identify earlier versions of RATs because each version
used the same fixed, well-known port every time, but newer RATs use
port 80 or other "must allow" ports. Other RATs may open a different
random port every session, and notify the hacker via e-mail exactly
which port he should connect to for that session.
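To make the firewall-versus-IDS point concrete, here is an added example (not code from the original article or from PestPatrol) that runs two checks over a constructed connection log: the old port-based rule, which catches a connection to a historical RAT default port, and a behavioral rule that flags a host contacting the same outside address at machine-regular intervals, which catches the port-80 beacon the port rule misses. The log format, addresses, timestamps and the RAT port list (including the assumption that SubSeven 2.x defaulted to 27374) are all assumptions.

```python
"""Spot RAT-style outbound beaconing in firewall connection logs.

Added example; not code from the original article or from PestPatrol.
Assumed log line format (one connection per line):
    <ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
Every address, port and timestamp below is constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Fixed default ports that early RATs used, which is what a port-based IDS
# rule matched on. Assumption: SubSeven 2.x defaulted to 27374 and 1.x to
# 1243; the rest are other historically documented defaults. Treat this
# set as a starting point, not a complete inventory.
KNOWN_RAT_PORTS = {1243, 6711, 6712, 6713, 27374, 12345, 31337}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)

# Constructed sample: 10.1.1.25 phones home to one external host over
# port 80 every 60 seconds; 10.1.1.40 is ordinary web browsing; 10.1.1.77
# connects once to an old-style RAT port.
SAMPLE_LOG = """\
2002-06-01T09:00:00 10.1.1.25:1054 -> 203.0.113.7:80 TCP ALLOW
2002-06-01T09:00:12 10.1.1.40:1055 -> 198.51.100.10:80 TCP ALLOW
2002-06-01T09:01:00 10.1.1.25:1056 -> 203.0.113.7:80 TCP ALLOW
2002-06-01T09:01:45 10.1.1.40:1057 -> 198.51.100.11:443 TCP ALLOW
2002-06-01T09:02:00 10.1.1.25:1058 -> 203.0.113.7:80 TCP ALLOW
2002-06-01T09:03:00 10.1.1.25:1059 -> 203.0.113.7:80 TCP ALLOW
2002-06-01T09:03:30 10.1.1.40:1060 -> 198.51.100.10:80 TCP ALLOW
2002-06-01T09:04:00 10.1.1.25:1061 -> 203.0.113.7:80 TCP ALLOW
2002-06-01T09:05:10 10.1.1.77:1062 -> 192.0.2.9:27374 TCP ALLOW
"""


def parse_log(text):
    """Turn raw log text into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def port_rule_hits(records):
    """The classic IDS rule: destination port is a known RAT default."""
    return [r for r in records if r["dport"] in KNOWN_RAT_PORTS]


def beacon_hits(records, min_connections=4, max_jitter=0.2):
    """Behavioral rule: one internal host contacting one external host at
    near-regular intervals, whatever the port. Jitter is the coefficient
    of variation of the gaps between connections; human browsing is
    bursty, a timer-driven implant is not."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append({"src": src, "dst": dst,
                         "count": len(stamps), "interval": mean})
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in port_rule_hits(recs):
        print("port rule:", r["src"], "->", r["dst"], r["dport"])
    for h in beacon_hits(recs):
        print("beacon:", h["src"], "->", h["dst"],
              f"{h['count']} connections every {h['interval']:.0f}s")
```

Run as a script, the port rule reports only the 27374 connection, while the beacon rule reports 10.1.1.25 contacting 203.0.113.7 every 60 seconds over port 80, which no port-based rule would have flagged. Real RATs add jitter and real users run automated clients too, so tune min_connections and max_jitter against your own traffic baseline before acting on a hit.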
If the infected system is used by a remote user, when the user logs
into a corporate network via VPN, the hacker gains access to the
corporate network as well. The VPN simply encrypts the session - it
does nothing to stop the hacker from getting in.
Another challenge of non-viral malware is that it is extremely difficult
to remove. Unlike viruses, which infect a portion of existing files,
RATs and spyware install themselves as discrete programs, and will
often modify the registry and start up areas so that they are the
first processes activated during a boot. They may even rename themselves
to appear as legitimate Windows processes. So removing them often
requires changes to registry and start up areas as well as file
deletion, and may require a system re-boot. In some cases, it may be
necessary to compare the binary of a suspected file against a signed,
legitimate executable. Anti-virus products aren't designed to perform
these functions, and usually just refer users to a generic help
document about editing the registry.
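The removal steps above - checking the Run keys, spotting a lookalike process name in the wrong directory, and comparing a binary against a known-good copy - can be scripted. The following is an added example (not from the original article or PestPatrol) that audits a constructed snapshot of Run-key entries; the directories, file contents, hashes and entries are assumptions standing in for a registry export and file hashes taken from a live host.

```python
"""Audit Windows autostart (Run-key) entries for RAT persistence.

Added example; not code from the original article or from PestPatrol.
It runs offline on a constructed snapshot: a list of Run-key values, a
fake "disk" of file contents, and reference hashes for clean Windows
binaries. On a real host you would feed it a registry export and hashes
of the files it references. Directory names, hashes and entries are all
constructed assumptions.
"""
import hashlib
import ntpath

# Assumption: legitimate binaries a RAT might impersonate, and the only
# directories in which the real file should live.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
}

# Reference copies of the clean binaries (constructed byte strings standing
# in for a clean install's files) and their hashes.
REFERENCE_BYTES = {
    "explorer.exe": b"MZ...clean explorer...",
    "svchost.exe": b"MZ...clean svchost...",
    "winlogon.exe": b"MZ...clean winlogon...",
}
KNOWN_GOOD = {n: hashlib.sha256(b).hexdigest() for n, b in REFERENCE_BYTES.items()}

# Constructed disk contents for the paths the Run keys point at.
FAKE_DISK = {
    r"c:\windows\explorer.exe": b"MZ...clean explorer...",
    r"c:\windows\system32\svchost.exe": b"MZ...patched svchost...",
    r"c:\windows\system\explorer.exe": b"MZ...rat server...",
    r"c:\progra~1\updater\svchost.exe": b"MZ...rat server...",
    r"c:\program files\vendor\app.exe": b"MZ...vendor app...",
}

# Constructed Run-key snapshot: (key, value name, command line).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_ENTRIES = [
    (RUN_KEY, "Shell", r"c:\windows\explorer.exe"),
    (RUN_KEY, "Explorer", r"c:\windows\system\explorer.exe"),
    (RUN_KEY, "SystemSvc", r'"c:\progra~1\updater\svchost.exe" /s'),
    (RUN_KEY, "Svc", r"c:\windows\system32\svchost.exe -k netsvcs"),
    (RUN_KEY, "VendorApp", r"c:\program files\vendor\app.exe"),
]


def image_path(command_line):
    """Extract the executable path from a Run-key command line, handling
    quoted paths and trailing arguments."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)].lower()
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4].lower() if idx >= 0 else cmd.lower()


def sha256_of(path, disk=FAKE_DISK):
    """Hash the file at path, or None if it does not exist on the snapshot."""
    data = disk.get(path)
    return hashlib.sha256(data).hexdigest() if data is not None else None


def audit_autoruns(entries=RUN_ENTRIES, disk=FAKE_DISK):
    """Classify each autostart entry. Returns findings in input order;
    'verdict' is one of clean, masquerade, hash-mismatch, missing-file,
    unknown."""
    findings = []
    for key, name, cmd in entries:
        path = image_path(cmd)
        base = ntpath.basename(path)
        directory = ntpath.dirname(path)
        finding = {"key": key, "value": name, "path": path}
        if base in EXPECTED_DIRS:
            if directory not in EXPECTED_DIRS[base]:
                # Legitimate-looking name in the wrong place: the classic
                # renamed-RAT trick.
                finding["verdict"] = "masquerade"
            else:
                digest = sha256_of(path, disk)
                if digest is None:
                    finding["verdict"] = "missing-file"
                elif digest != KNOWN_GOOD[base]:
                    finding["verdict"] = "hash-mismatch"
                else:
                    finding["verdict"] = "clean"
        else:
            # Not a Windows binary we track; surface it for a human to review.
            finding["verdict"] = "unknown"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_autoruns():
        print(f"{f['verdict']:14} {f['value']:10} {f['path']}")
```

Run as a script, the five entries resolve to clean, masquerade, masquerade, hash-mismatch and unknown. The hash check is only as good as its reference: take known-good hashes from a clean install of the same Windows build or from a file whose Authenticode signature you have verified, and treat every "unknown" entry as something a person still has to look at.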
Human behavior is one of the most difficult aspects of security to
regulate. Even a minimally skilled but disgruntled employee can wreak
havoc when equipped with a vengeful mindset and a piece of malware.
Disgruntled employees can cause chaos with tools that are easily
available on the web. Remote users (mobile employees and telecommuters)
are the #1 security concern for many security administrators. Such
users generally have a lax attitude toward or complete lack of
understanding of the importance of security. The following scenario
probably takes place thousands of times every day all over the world -
and it's enough to send shivers up the spine of any security-conscious
systems administrator:
A remote employee's family member uses the company computer during off
hours, and inadvertently downloads a RAT during an IRC session, giving
a hacker full access to the machine. The next day, the employee logs
into the corporate network, but the VPN sees and stops nothing. Bingo -
the hacker has access to the entire network.
Non-viral malware hiding on your network also poses a liability risk.
The body of case law relating to the responsibility of companies to
ensure that their computers cannot be unwittingly used in a DDoS attack
is growing. The reasoning is that, if hackers use your company's
resources to attack others and due diligence could have prevented it,
your company can be held liable. The same argument holds true for other
types of attacks that are routed through your systems. Right now, you
don't read much about such cases since they are generally settled out
of court - mainly to avoid the negative publicity and consequent share
price damage any publicity would cause. But that may not be the case
for long. And you can bet that, even if such a lawsuit never sees the
inside of a courtroom, heads will roll in the IT department.
Here are some practical steps to prevent non-viral malware infections:
- Shore up your security and personnel policies regarding the use of
hacker tools by employees
- Block all executable e-mail attachments, and don't open any type of
unsolicited e-mail attachments
- Enable your personal firewall to block applications that initiate
unexpected outbound connections
- Keep your anti-virus software up-to-date - some of the more popular
RATs are recognized by anti-virus software
- Use dedicated anti-trojan and anti-spyware products to provide
additional protection beyond the capability of anti-virus
- Only obtain software from legitimate sources, not from "warez" or
hacker sites which may trojanize their downloads.
- Never install software if you don't know where it came from
- And, of course, install PestPatrol software throughout the company.