Written by: Robert Sandilands (Director: Research, Virus Protection Systems (Pty) Ltd.) BEng (Hons) (Electronic Engineering).
You receive an e-mail from a colleague with the subject: “FW: multi million dollar project.doc” and attached a file with the same name. You know that you have been working on that project together and you go ahead and open it. Your machine starts working furiously and a few minutes later it crashes. You restart your computer and it does not want to start again… What happened? The virus is called VBS.Spamming.A or VBS.NewLove.A depending on which anti-virus software you should have been using. The “good part” is that you can go to the colleague that sent the e-mail, and you know that he has been hit by the same problem. The bad part is that everybody in your address book will be in a similar position to what you were in when you first received the original message.
What really happened? Your colleague received a similar message from a friend. He decided to double click on the attached “document” because it seems to be something useful. In reality it was not a document he clicked on, but a script virus that disguised itself to look like a useful document. When the virus executed it looked at the recently used file list and selected a name at random. It then created a copy of itself with the same name, added a .vbs extension, and sent the file to everybody in the address book. The virus then proceeds to delete every file on the infected computer. Due to the fact that the extension is a “known” extension Microsoft Windows will not show the .vbs part of the file name, and will leave you under the impression that you received a valid document. For example the file in the examples name was really “multi million dollar project.doc.vbs” but it was displayed as “multi million dollar project.doc”. Astute computer experts will say that you can change your configuration not to do that, but how many people have the knowledge or foresight to make the necessary changes?
Let us try another example. You receive an e-mail from a friend asking you to please stop sending viruses around in your e-mail. You know that you never click on attachments and that you never do anything on that computer but read e-mail. He tells you that the virus is called JS.KK. How did you get the virus and how does it spread? Included in an e-mail you received from a friend was a hidden signature with some HTML code containing a Visual Basic script. If everything was in order this should not be a dangerous occurrence. Unfortunately there is a security breach in Microsoft Scripting Engine 5.0 as distributed with Microsoft Outlook 2000, Microsoft Office 2000 and Microsoft Internet Explorer 5.0 that allows the script to contain a virus that will infect your computer. This virus will then modify your Microsoft Outlook settings so that the virus is attached to all outgoing e-mails. The fix is rather simple, load the patch provided by Microsoft on the affected machines and this category of virus will stop being a danger.
The one type of virus requires human intervention, the second exploits a lack of good security in the software. Another difference is that the one limits it’s own spread by being very destructive and the other one will be with us for many years to come due to the fact that it is difficult to spot. Theoretically there is nothing that prevents a JS.KK variant to be very destructive.
What can we do about this? Are we at the mercy of virus writers everywhere? The problem involves three parts, the virus, the people and the general security of the environment.
Generally known viruses and their variants can be detected, and precautions put in place to stop them from invading your system. You can load up to date anti-virus software and keep it up to date. If you don’t keep anti-virus software up to date it is like driving a car with incredibly safe bumpers and a paper thin glass roof in the middle of a hailstorm. One of the problems is however that there is always a delay between when a new virus is created and when the anti-virus company adds it to their software. The further delay is the notification to the user to update the software to protect against the new virus threat.
There are a number of computer “professionals” that think that computers work despite the people using them. In the modern world we teach children not to cross the road without making sure it is safe. We give mine workers’ intensive training on how to work safely and we have volumes of guidelines on how to use the financial systems of a company. Rarely is there any training on computer usage and safety. Why is this the case? Safety training saves lives, training on financial systems save money. Computers may not be able to kill, but they do cost money. To provide computers, software and to keep them operational is a definite cost that increases daily. The amount of work that can not be done, or have to be repeated due to the failure or lack of availability of a computer, can reach staggering costs. Do you spend enough time and money in preventing those costs? Do you or people that work with you know what to do when receiving an attachment? Do you load all the newest security patches? Is there somebody with the responsibility to manage this process?
The last issue is the security of your computing environment. Do you have a security policy in place? Is this policy being reviewed, checked and implemented? Is there a process in place making sure that all the servers and client machines are loaded with the latest security updates?
When something is a possible threat you have to measure the size of the problem, potential impact and the cost of worst case scenarios. What impact will it have on your organization? Have you implemented your defense with security and specifically viruses in mind?
For more information go to http://www.vps.co.za/ or phone us at 012-349-2670.