Virus Infections

If you have heard any technology news story in the past few years, you have heard about virus attacks. Computer viruses are digital attacks against your computer, your Palm Pilot, and eventually every piece of Internet-related technology you have. Some simple viruses even use cell phone e-mail capability to propagate themselves. A virus is a self-replicating program that can attach itself to files or applications to do some function that the user didn't intend. A virus can harm your system by wiping out files and causing substantial destruction.

Just as you can catch a biological virus that can affect your health in many ways, your computer can receive a virus through several means, some of which include e-mail, downloads, infected floppy disks, and browsing a Web site. A virus can be triggered when you execute some attachment in an e-mail or execute some piece of code on your hard drive. People don't usually execute a virus intentionally, so virus writers have to hide them behind files or rename them to somehow make the virus seem benign. The networked world makes it so much easier to transfer a virus and cause widespread destruction. The Code Red worm in the third quarter of 2001 caused more than 1.2 billion dollars in damage.

The terms virus and worm have become almost interchangeable. Both cause damage and spread from computer to computer, propagating themselves. The main difference is that a virus remains local to a single computer, depending on humans to spread it by floppy disk or intentionally sent e-mail. Worms, in contrast, replicate themselves automatically across a network, spreading through various ways, which might also include e-mail. The difference is that worms do not require human intervention to spread through e-mail. When a worm is launched, it takes the liberty of searching your contact list and mailing itself to every e-mail address it finds. Recent worms have been as destructive as viruses. Along this same vein are Trojan horse programs. These usually disguise themselves as some other program. They can actually perform the functions of that other program, but in the background, they can do something completely different, such as allow a hacker a backdoor into your computer that you do not know about. A stealthy virus or worm can hide itself for months and then execute on some specific day. The sophistication of these types of attacks is growing, and the Internet now helps them spread worldwide in a matter of hours.

The reasons people write viruses are about as varied as the reasons people hack. The reasons are numerous, but unlike hacking, which was born of a desire to fix things and be creative with technology solutions, viruses have always been created for evil purposes.

Virus Categories

Although many types of viruses exist, they basically fall into the following categories:

  • Boot sector virus— This type of virus modifies the boot sector of the computer. Boot sector viruses hide in the first sector of a disk. The virus is loaded into memory before any operating system files are loaded.

  • File virus— This virus operates in memory and infects executable files with the following extensions: *.COM, *.EXE, *.DRV, *.DLL, *.BIN, *.OVL, and *.SYS. When the file is executed, the virus copies itself to other executables and remains in memory.

  • Macro virus— Many applications have macros, and this type of virus takes advantage of the macro program languages to execute malicious code.

  • Polymorphic virus— This is a sophisticated virus that can change itself and try to bypass virus scanners.

  • Stealth virus— This virus can hide itself and make infected files seem safe. This type of virus is usually caught easily.

  • Multipartite virus— This virus can infect system sectors or files. This type of virus is difficult to develop.

  • Script virus— This virus can take advantage of programming languages such as Visual Basic or JavaScript and take advantage of the user through applications, attachments, or a Web site.

Software Solutions

The number of viruses has grown over the years to more than 40,000. Each day, we see news stories about a new virus. Within the past several years, viruses have become increasingly dangerous and destructive. You might recall several of the more popular and destructive viruses such as Melissa, ILOVEYOU, SirCam, Code Red, and Nimda. These spread so quickly around the world because of e-mail and Internet access. By taking advantage of vulnerable Web servers and e-mail systems, a virus can spread around the world in a matter of hours.

The business of virus scanning is booming because of such destructive attacks. Virus scanners have to do much more today because of the various methods of attacks that a virus has available. The days of just spreading a virus by sharing an infected disk are long past. Every method of connecting to the Internet can be a potential method of contracting a virus, such as receiving an e-mail, browsing a Web site with Java/ActiveX applications, or downloading a shareware program. With the many forms of virus attack, the virus scanners have become very sophisticated. They can monitor every file in or out of the computer, by whatever means you are connected to the Internet or however else a file can get on your computer, such as through a floppy or CD-ROM.

There are as many antivirus vendors as there are firewall vendors (we saw a number of firewall vendors in Chapter 11, “Securing Your Standalone PC: Broadband Connections”). As we have seen, viruses come out on an almost daily basis. The vendors must keep updated with the latest attack and find a detection method as soon as the virus hits the public. The easiest way of getting the update to you is through built-in update capabilities, in which the virus scanner retrieves updates from the vendor's Web site. Any virus software worth anything will have such a feature. If you had to go out and find the patch to download from the vendor every time you thought you needed to update the virus software, you would get annoyed very quickly.

Software Operation

A virus scanner can find a virus through two methods: looking for a known signature of how a virus operates (it's already been detected and analyzed) and looking for virus-like qualities in unknown viruses. Known viruses have a signature that identifies them to the scanner. Unknown viruses will have some qualities of other viruses that the scanner can use to guess that it is a virus. This type of guessing can lead to the scanner thinking that a valid program or file is a virus when it is not. Just about all scanners provide options of quarantining the file, deleting it, or letting it pass through, so this type of heuristic checking isn't so bad.

Each vendor has an extensive information section on its Web site so that you can research known viruses and get any update information you might need. When one virus comes out, you can usually guess that another will follow that is similar and easier to detect, because the type of activity it performs is known and a signature for the virus is already defined. One such example is the Code Red virus/worm. When Code Red finished its run and was detected, a couple of other variants came out, such as Code Red II and Code Blue.

Most software has two modes of operation to detect viruses: on-demand and on-access. The on-demand model allows you to selectively determine when and what to scan. This means you can choose to scan once a week and perhaps only scan a part of your hard drive, or just scan your e-mail. You manually determine when and what should be scanned. The on-access model means that the scanner is running in the background; any time a file is accessed through e-mail or downloaded, it can be scanned. The scanner can be running patiently in the background at all times, continuously scanning your system for viruses. Both can work in conjunction to keep you secure.
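The two detection methods and the two modes of operation described above, as an added example that is not from the book: a minimal scanner that runs an exact signature pass first and then a heuristic pass, plus an on-demand directory walk. The signature database, the "Heuristic.Generic" label, and the two-trait threshold are assumptions made for the example; the extension list is the chapter's own file-virus list.

```python
import math
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Constructed signature database: these byte patterns and names are invented
# stand-ins for a vendor's signature file, not real virus signatures.
KNOWN_SIGNATURES = {
    b"CONSTRUCTED-SAMPLE-A-MARKER": "Sample.A",
    b"CONSTRUCTED-SAMPLE-B-MARKER": "Sample.B",
}
# Extensions a file virus targets, as listed in the chapter.
EXECUTABLE_EXTS = {".com", ".exe", ".drv", ".dll", ".bin", ".ovl", ".sys"}
SCRIPT_EXTS = {".vbs", ".js"}  # script-virus carriers (Visual Basic, JavaScript)
HEURISTIC_THRESHOLD = 2  # assumed: two or more suspicious traits flags the file

@dataclass
class Verdict:
    name: str                  # file name that was scanned
    detection: Optional[str]   # signature name, "Heuristic.Generic", or None if clean
    traits: List[str]          # findings that explain the verdict (empty if clean)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content; packed or polymorphic code tends to sit above 7.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_bytes(name: str, data: bytes) -> Verdict:
    """Signature pass first (known viruses), then heuristics (unknown, virus-like)."""
    for pattern, sig_name in KNOWN_SIGNATURES.items():
        if pattern in data:
            return Verdict(name, sig_name, ["signature match"])
    traits = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS | SCRIPT_EXTS:
        traits.append("executable or script extension")
        if len(suffixes) > 1:  # e.g. invoice.txt.exe, renamed to look like a document
            traits.append("double extension hides the real file type")
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS and shannon_entropy(data) > 7.0:
        traits.append("high entropy, consistent with packed or polymorphic code")
    detection = "Heuristic.Generic" if len(traits) >= HEURISTIC_THRESHOLD else None
    return Verdict(name, detection, traits)

def on_demand_scan(root: Path) -> List[Verdict]:
    """On-demand mode: walk a directory tree and return only the flagged files."""
    results = [scan_bytes(p.name, p.read_bytes()) for p in root.rglob("*") if p.is_file()]
    return [v for v in results if v.detection]
```

The heuristic pass is where false positives come from: a legitimately packed installer named with a double extension would be flagged, which is why the verdict carries the traits so the user can decide what to do with the file.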

Several popular products do a good job of protecting your system. They are listed in Table 12.1.

Table 12.1. Virus Scanners

Product: F-Secure Anti-Virus (available for Windows Me, Windows 2000, Windows NT 4.0, Windows 95/98, and Linux)
Web site: www.datafellows.com
Cost: $125
Key features:
  • Multiple scanning engines operating together (F-Prot, AVP, and F-Secure Orion Scanning Engine)
  • E-mail scanning
  • Automated installation and updates
  • Policy-based management for security settings
  • Daily updates to antivirus signatures
  • Fully integrated with all F-Secure Workstation Suite applications
  • Command-line scanning capability
  • Includes the F-Secure Firewall

Product: Panda Antivirus Platinum (available for Windows Me, Windows 2000, Windows NT 4.0, and Windows 95/98)
Web site: www.pandasoftware.com
Cost: $29.95
Key features:
  • Detects various forms of viruses
  • Auto-update capability for signatures
  • Checks e-mail, Java, ActiveX, and Internet downloads
  • 24/7 technical support
  • Multiplatform support
  • Daily virus update
  • Fix technology for damaged files
  • Checks for unknown viruses

Product: Norton Anti-virus 2002 and Norton Anti-virus for Macintosh (available for Windows Me, Windows 2000, Windows NT 4.0, Windows 95/98, and Windows XP)
Web site: www.symantec.com
Cost: $49.95
Key features:
  • Automatically detects virus signatures
  • Blocks e-mail viruses and scans both inbound and outbound e-mails
  • Integrates with Windows Explorer
  • Security site to perform remote checking of the computer
  • Scans for Java and ActiveX
  • Sends infected files to Symantec

Product: McAfee VirusScan 6.0 (available for Windows Me, Windows 2000, Windows NT 4.0, Windows 95/98, and Windows XP)
Web site: www.macfee.com
Cost: $39.95
Key features:
  • Scans for both known and unknown viruses
  • Content scanning looks at e-mail, downloads, Java, and ActiveX
  • Easy-to-understand user interface
  • Incorporates well with other McAfee products
  • Extensive virus information on the Web site
  • Wide range of platform support
  • On-demand and on-access scanning
  • Incremental virus updates
  • Password protection
  • Automatic updates
  • Paid technical support available

Product: Pc-cillin (available for Windows Me, Windows 2000, Windows NT 4.0, Windows 95/98, and Windows XP)
Web site: www.antivirus.com
Cost: $29.95
Key features:
  • Automatic updates
  • Microsoft Outlook and Eudora e-mail scanning
  • Web URL filtering
  • Download file scanning
  • Password protection
  • E-mail virus to Symantec support
  • Version available for Palm OS
  • Certified for Windows
  • ICSA Certification
  • Free online virus scan
  • Business hours technical support by phone and e-mail support

When using any of these products, keep several key features in mind:

  • Speed— How fast does the product scan your entire system and scan downloaded files? A virus scanner can have an impact on your computer's performance.

  • Accuracy— How often will the scanner miss a virus? This is the most important aspect. You really don't have to worry about known viruses with signatures already defined, but it's the ones that are unknown that your scanner can miss that are the major problem.

  • Update— How often does the vendor update the virus signatures? When you see a news story on Monday morning about a new virus spreading like wildfire, you don't want to have to wait until Tuesday to get a signature for that virus. The vendor should be responsive to new viruses and be tracking viruses that don't make the news stories with equal vigilance. Updates are a key feature in a scanner. The program should be able to automatically go out and get updates from the vendor's Web site.

  • Interface— Does the product integrate well with your system and perform in the background? You do not want to have to interact every five minutes with the running software. You should be able to configure it and let it do its thing without your intervention in most cases. The user interface should be intuitive and easy to use. The worst thing about an interface is that it can make it hard for you to understand how to update the signatures and configure the scanning options.

  • Trial period— Most vendors offer a trial period for the software. Download some different programs and try them out to see which one you like best. Important: Do not run multiple antivirus programs simultaneously because doing so will likely crash your computer. Install a program, try it, and then uninstall it before trying another program.

A Server-Side Strategy for Home

Most home users install a virus scanner on each of their home computers. Your firewall computer, the kids' computer, and your home office computer each run their own client-side scanner. Detection and disinfection can occur separately on each computer. This can be a problem if each home user can shut off the virus scanner because it introduces a weakness in your environment. Therefore, if you are running your own small networking kingdom at home, perhaps running your own firewall, e-mail, and Web server with other computers in your home network, you might want to consider a server-side antivirus scanner. With this type of strategy, the server can scan all the incoming e-mail and files through the firewall, and the other users cannot change virus scanner configuration options. The downside is that server-side strategy can be much more expensive than just client-side software.

If server-side were your only virus strategy, you would have a problem protecting each individual computer from viruses that might get past the server. Combining both types of virus scanning, server-side and client-side, will give you thorough coverage.


Virus Detection and Disinfection

After the scanners are installed and functioning, they should automatically find most viruses. In a typical scenario, a message alert box will pop up giving you the following options:

  • Try to clean the infected file— This option tries to remove the virus and salvage your file.

  • Delete the file— This option removes the virus from your computer.

  • Quarantine the file— This option allows you to separate the virus from the rest of your files and come back and do something with the infected file later.

  • Do nothing with the file and continue operation— This should be the last option you ever choose.

False positive results can occur if the virus scanner thinks a file is a virus when it clearly is not, such as if you have a UNIX file on your Windows computer or a piece of hacking software such as Back Orifice.

Caution

The explosive growth of viruses and worms has expanded the virus scanner market. Numerous vendors exist in the field. Although most of the products do a credible job of virus scanning, some are limited and some are exceptionally good. The several that are mentioned in Table 12.1 are some of the market leaders. The vendors are proactive in releasing a new virus signature as soon as a virus becomes known and they make attempts to educate consumers. Keep in mind that these products will not work 100% of the time, however. Once in a while you will get a virus, worm, or Trojan that is not caught by the scanner. Do not rely on just one piece of security to protect your whole environment. As we have mentioned already, security encompasses many tools and practices, and virus scanning is just one of those tools.

The final responsibility falls on each person. After all of your computer defenses fall through, you have to rely on good decisions for protection. Keep in mind some of the best practices, which might seem like common sense:

  • Do not download and run software from untrusted sources.

  • Do not open e-mail attachments from untrusted or unexpected sources.
