E-mail under siege

One Monday morning in early May, H, a senior staffer at a Sydney-based publishing company who prefers not to be identified for obvious reasons, checked his e-mail. Seeing a message with the subject "Fwd: Joke" from a friend who often sends jokes, he opened the message and its attachment. By the time H realised what had happened, it was too late: he had fallen victim to a thinly disguised copycat version of the LoveLetter virus that had swept the world only a week before.

Within a few seconds the virus (or, more accurately, the ‘worm’) had lodged itself in H's PC, and written over image files not only on his computer but on networked drives to which he had access. Were it not for the company's stringent backup policy, considerable damage would have been done. As it was, nearly a day's worth of productivity was lost restoring the damaged data. Incidents like this, unfortunately, are not isolated, and they draw attention to one of the biggest issues confronting system administrators. Worm viruses like LoveLetter and last year's Melissa, written using nothing more sophisticated than Microsoft's own Visual Basic scripting, are most dangerous because of their simplicity. Because they don't require a great deal of skill to write or interpret, they offer destructive power to a much greater number of malicious programmers.

The basic rules of virus protection should be followed:

* Don't open e-mail from strangers, or attachments you are not expecting;
* Change passwords frequently. Since many viruses send passwords from attacked machines back to the author, the security breach is lessened if the passwords are out of date when the author tries to use them;
* Don't ever open e-mails with ‘.exe’ extensions;
* Back up important files frequently;
* Install the newest antivirus software and check the vendor's Web site often for updates. (NB: on the first day of the LoveLetter outbreak, Symantec's Web server reportedly crashed under the weight of the numerous requests for a fix);
* Visit Microsoft's Web site frequently for updates and patches to its software. Patches for Visual Basic, Internet Explorer and Outlook are already available, although the company has not yet announced a patch for Outlook Express that would prevent another LoveLetter-like outbreak.

A particular warning for companies using Microsoft Internet Explorer and Office 2000: because of a security hole in an ActiveX control, your employees can execute viruses and other malicious code in e-mail attachments without even opening them. This applies to any HTML-enabled mail program, not only Outlook or Outlook Express. Microsoft has posted a fix at http://www.microsoft.com/security/bulletins/ms99-032.asp.

Even if you follow these rules religiously and enforce them as company policy, chances are your system will be breached at some time. The breach may come from new holes being discovered, or (as in H's case) it may be from an employee momentarily forgetting the rule. You can, of course, install e-mail filters on company servers that simply block attachments from entering your organisation.

However, such a move may place you at a disadvantage in terms of exchanging information. So what can you do, at the top level of the company, to prevent employees inadvertently doing thousands or even millions of dollars' worth of damage? An easy answer is not to use so much Microsoft software. This isn't a rabid anti-Microsoft bias, it's a fact. Visual Basic worms and macro viruses like Melissa rely on the common DNA of Microsoft's applications and Internet access in order to function. Those most affected by LoveLetter were companies with all-Microsoft installations, while companies that used, for instance, Eudora instead of Outlook Express were virtually unaffected. Likewise, companies that used WordPerfect or Lotus' word processing software were immune to Melissa last year.

This does not mean that Windows is the only vulnerable operating system. It's merely that its popularity and widespread usage on some 90 per cent of the world's desktop computers makes it a tempting target for malicious programmers. And the powerful tool Microsoft gives legitimate users in the form of easily scriptable Visual Basic also makes it easier for malicious users to do their damage. There are also security holes in Linux, Unix and Macintosh systems, as well as in non-Microsoft applications. And the fact that attacks on Microsoft platforms and applications spread so quickly also means that they are detected quickly, which can help you protect your business. Switching platforms or applications may help you block some of the immediate threats, but it will leave you vulnerable to others, which may not be detected or fixed nearly as quickly.

SANS, the System Administration, Networking and Security Institute, has identified some 500 or more security breaches affecting computers from homes to large enterprises. It says that most of these holes have not been fixed, largely because system administrators don't know which are the most dangerous and therefore should be fixed first. To this end, it has published its top 10 list, which can be found at http://www.sans.org/topten.html. The institute says it will release a list of the next-most dangerous holes when it believes the top ones have been addressed.

Among the top of the list:

* Berkeley Internet Name Domain (BIND) is the most commonly implemented domain name server on the Internet, used by some 50 per cent of organisations with Web servers. However, it is vulnerable to attack through a number of relatively easily exploited holes. Unix systems have BIND activated on them, even when they are not actually being used as DNS servers. Remove BIND from such machines. SANS also recommends using the latest version of the software (v.8.2.2, patch 5).

* Most Internet servers are also installed with a number of Common Gateway Interface (CGI) scripts installed as demonstrations. These represent an easily exploited security breach and should be removed immediately. If you must run CGI scripts on your Web server (for e-commerce, for instance) don't run them at the root level where they can do the most damage.

* Sendmail, easily the most common gateway for e-mail servers, is also vulnerable to a number of attacks. In one common scenario, the attacker sends a message to the machine running Sendmail, which Sendmail interprets as an instruction to send its password file to the attacker. Once cracked, this opens your organisation to further attack. SANS recommends running another e-mail gateway, although as I have already pointed out, other programs will have security holes of their own.

* Global File Sharing, on Windows and Macintosh computers, enables free legitimate exchange of information between users, but if improperly configured, also allows viruses free rein (this is how the 911 virus spreads). Especially where file sharing is used over the Internet, it must be very carefully configured to ensure that only the directories you need to share are shared. If possible, don't use file sharing over the Internet at all.

Various types of tools are available to help you fortify your business against the threat of viruses and other Internet attacks. The most commonly-used of these, Active Content Monitors, behave like the antivirus software you are (or should be) familiar with. They look at code as it is introduced to your machine and ensure that it does not represent a threat. It's very important to make sure you keep such software updated, so that it can identify new threats. Trend Micro's (http://www.antivirus.com) PC-Cillin 2000 is the first antivirus software certified for use with Windows 2000, and is able to monitor the behaviour of ActiveX controls, Web scripts and macros, among other things, to ensure they don't breach security. Trend Micro also sells ScanMail for Exchange 3.5, a content monitor designed to be installed on Microsoft Exchange servers to enable uniform antivirus protection across the enterprise. Finjan (www.finjan.com) produces several noteworthy products in the field as well. SurfInGate uses a "real-time content inspection process" to guard against malicious code without relying on updates to its database. A similar product for stand-alone machines, SurfInGuard, runs executable code in a protected ‘sandbox’ environment, warning against any behaviour that breaches security.

The growth of the Internet continues unabated, despite the security threats. Even as companies become more aware of the risks of connectedness, they are racing ever faster to join the wired community and do more business online. And as fast as the holes are fixed, new ones are found and exploited.

Don't lose hope, though. The Internet is still a relatively new medium, and as it gains maturity it will gain security. On top of its ‘nervous system’, to use Bill Gates' term, it is gradually developing an immune system. Eventually, it will be a secure environment. Until then, all that is required is a bit of caution to make it safer for you and your company.

How a VB Worm works

1. An innocuous-looking e-mail message arrives at the victim's computer. LoveLetter carried the subject header "ILOVEYOU", preying on people's inherent need for affection. Subsequent copycats and variations have been more sophisticated in their choice of headers: NewLove, released a week after LoveLetter, appropriated a random filename from the previous victim's hard drive.

It may seem possible to stop such a worm in its tracks as soon as it arrives by simply not opening any suspicious attachments. However, the SANS Institute points out that Microsoft Outlook and Outlook Express will execute HTML and script code found in an e-mail as part of their default installations, without requiring the user to open anything.

2. Once activated, the worm installs itself in the computer's operating system and alters certain settings, ensuring that it will be active each time the computer is started up.

3. It scans the infected disk (and, in later variants, networked disks) looking for certain types of files, identified by their extensions. It overwrites these files with copies of itself (so that, for instance, ‘clapton.mp3’ becomes ‘clapton.mp3.vbs’).

4. It sends itself to everyone in the victim's Outlook or Outlook Express address book. The infected attachment is usually one of the overwritten files from a previous victim, and the subject header on the e-mail bears the name of the stolen file, such as ‘Fwd: clapton.mp3’.
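As an added defensive example (not code from the article or from any product it mentions), the following Python script encodes the naming pattern from steps 3 and 4 above: it checks a mail subject and attachment pair for the stolen-filename signature, and walks a directory tree (a local disk or a mounted network share) for files that have been overwritten and renamed, reporting whether the original is still present. The extension lists and the sample files it builds are constructed for the example.

```python
import os
import re
import tempfile

# Constructed for this example: file types the worm overwrites (image and music
# files, per the article) and the script extensions a copy of the worm carries.
OVERWRITTEN_EXTS = {"jpg", "jpeg", "gif", "bmp", "mp3", "mp2"}
SCRIPT_EXTS = {"vbs", "vbe", "js", "exe"}
# 'clapton.mp3.vbs' -> original 'clapton.mp3', inner 'mp3', outer 'vbs'
DOUBLE_EXT = re.compile(r"^(?P<original>.+\.(?P<inner>[A-Za-z0-9]{2,4}))\.(?P<outer>[A-Za-z0-9]{2,4})$")

def original_of(name):
    """Return the pre-infection filename if `name` matches the overwrite pattern, else None."""
    m = DOUBLE_EXT.match(name)
    if m and m.group("inner").lower() in OVERWRITTEN_EXTS and m.group("outer").lower() in SCRIPT_EXTS:
        return m.group("original")
    return None

def mail_verdict(subject, attachment):
    """Gateway rule for step 4: 'worm-pattern' when the subject repeats the stolen
    filename (ignoring a Fwd:/Re: prefix), 'suspicious-attachment' when only the
    attachment name matches, otherwise 'ok'."""
    original = original_of(attachment)
    if original is None:
        return "ok"
    cleaned = re.sub(r"^\s*(fwd?|re):\s*", "", subject, flags=re.IGNORECASE).strip().lower()
    return "worm-pattern" if cleaned == original.lower() else "suspicious-attachment"

def scan_tree(root):
    """Step 3 triage: list (path, original_still_present) for every file whose
    name shows the overwrite pattern anywhere under `root`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            original = original_of(name)
            if original is not None:
                findings.append((os.path.join(dirpath, name), original in present))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    root = tempfile.mkdtemp()
    for rel in ("music/clapton.mp3.vbs", "photos/holiday.jpg.vbs", "photos/holiday.jpg", "docs/report.doc"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return scan_tree(root)

if __name__ == "__main__":
    for path, still_there in demo():
        print(path, "(original still present)" if still_there else "(original gone)")
```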

What's out there?

LoveLetter et al - Like a pop star whose rise to fame is sudden and brilliant, LoveLetter has quickly spawned a rash of copycats, many of which are more dangerous than the original. One variant, known as NewLove, attacks the file allocation table on a victim's hard drive and changes the length of every file to zero bytes - effectively wiping the drive. Other variants add a few lines of garbage code to themselves each time they replicate, making them harder for virus software to detect.

Resume - A variant of the Melissa virus that wrought havoc last year (in fact its proper title is ‘Melissa.BG’), Resume arrives disguised as a CV from a prospective job hunter. It is even reported to carry an innocuous-looking cover note in the body of the e-mail carrying it. Employing this critter is not advised, however, as the attachment contains a macro virus (using Microsoft Word's scripting language) that, among other things, deletes the contents of c:\windows\*.* (that is, it kills your system). Clearly, this virus is designed to attack executives, so watch out.

Kak, or KakWorm - Like a VB worm in most respects, Kak takes advantage of Visual Basic's ability to execute ActiveX objects, and installs unwanted executable files on victims' hard drives. At press time, only benign attacks of Kak had been reported, probably a factor of the virus writer's ‘beta-testing’. SANS warns that a malicious version can be expected at any time.

911 - Only really a problem for American victims, the 911 worm exploits insecure file sharing on Windows 95 and Windows 98 to install itself on the victim's hard drive and uses the modem to dial the emergency 911 telephone number at random intervals. As with Kak, a more malicious version can be expected.

By Matthew Powell
