FEATURE
The On-going Evolution of Viruses
Dario Forte
Integration among the various types of public and private networks is increasing the danger of exposure to infections, in particular by viruses, at an exponential rate. As many people working in this sector have repeated recently, installing a series of products that limit the attacks known at a given moment and then forgetting about them, ignoring their updates, is equivalent to having no defences at all. This principle holds for firewalls and for intrusion detection systems alike, and applies more than ever to protection against viruses. The current trend among independent software vendors in information security is to combine several products in a single suite, so as to simplify the administrator's work, including product updating. In this article, however, we concentrate on virus-related emergencies, attempting to separate what is new from the 'déjà vu', and the real dangers from what may remain mere academic experiments or, worse, marketing gimmicks.
HTML viruses

The first reports of HTML viruses date back to December 1998. Broadly, this new type of virus infects the Web pages of Windows NT Server machines running Internet Information Server (IIS), or any Windows machine on which Windows Scripting Host is installed. The main danger in opening a Web page stored locally is that it may infect other Web pages or damage files on the system. The main remedy suggested to users is to remove the Scripting Runtime Library from the system if it is not needed. If the library is needed, keeping the anti-virus product up to date is a must, as is checking that any Web pages downloaded, saved and read locally come from trusted sources, with particular attention to pages containing ActiveX controls. It must in any case be remembered that the main vehicle for propagating this type of virus is VBScript, Microsoft's Web automation language. Many researchers have suggested that similar dangers may (and here the conditional is compulsory) also arise from JavaScript. Once prevention procedures are in place, users should know that the risk is relative, as confirmed by qualified sources such as CIAC, CERT and various underground organizations.

The risk is rated low, above all for people who merely browse. For infection to occur it is not enough to view a Web page that has been downloaded to a local drive (rather than read on the server); a scripting run-time library must be installed on the machine. These libraries are normally present only on Windows NT 4 Server machines on which Microsoft Internet Information Server has been installed; unless requested as a component of Windows Scripting Host, the library is not installed on Windows NT Workstation or Windows 9x machines. While the non-profit organizations concerned with security publish useful tips for identifying any infection under way, administrators should also remember the following:

• If no Windows Scripting Host or Active Server Pages (ASPs) are in use, the Scripting Run-time Library should not be installed.
• Even if ASPs are used, provided they do not need to access local files they do not require the 'indicted' library, so it should be left out of the configuration, uninstalling it if necessary.
• To do this, locate the file $WINDIR\System32\scrrun.dll and move it to a floppy disk, so that it can be reinstalled in case of need.

Computer Fraud & Security, March 1999. © 1999 Elsevier Science Ltd. All rights reserved.
A combination of HTML and an Office suite bug was recently used by a virus writer, probably Russian, for 'Russian New Year' ('genuine and dangerous', as its discoverers described it). This is not only a new agent; it also uses a new approach to illicit penetration. Its discoverers, Finjan and SecureIT, pointed out that the code combines HTML with a Microsoft Excel function (the well-known CALL function) to stage an attack that apparently conceals (or deletes) the user's documents without the user being aware of what is going on. What is most interesting is that Excel does not have to be running for the virus to take effect: it is sufficient for it to be installed. The virus works with Excel 97 but not with Excel 95.
The new Trojans

As further evidence that the world of viruses is constantly evolving, we must also introduce some Trojan horses that have generated more than a little alarm among users. The most common definition of a Trojan is a malicious program hidden inside another, apparently normal file (usually a game or freeware, but also non-executable content). Once inside the host machine it begins to take control of its operation. Back Orifice is a Trojan discovered last year that is still causing problems for administrators and workstation users alike. It is a genuine remote administration tool, consisting of a client side and a server side. Through the latter, the 'malicious' administrator can gain more control over the target machine than the person seated at the keyboard at that moment. At the time of writing, the only platform at risk of hosting the BO server is Windows 9x, whereas the controlling client can also run in a Unix environment. To control the 'BO-served' machine, BO uses high port 31337 by default, but the port number can be changed. Another Trojan that acts in a similar way is NetBus. Like Back Orifice, NetBus enables the malicious hacker to take control of a workstation, for example by installing executables that are themselves infected. Recent literature identifies a game called Whack-a-Mole as the main vehicle for circulating NetBus. One of Symantec's latest virus reports notes that most anti-virus programs can identify these files but not remove the agent, so infected files have to be deleted. As with Back Orifice, NetBus allows complete control of a machine from a remote station. At the time of writing there is a significant difference between the two tools: NetBus runs under both NT and Windows 95/98, while BO runs only on the 9x platform. Regardless of the arguments between vendors about which products can identify and, above all, remove these Trojans, the official pages of BO and NetBus are where the authors themselves explain how users can protect themselves from improper use of these tools.

A recent CERT advisory bears witness to the spread of other forms of Trojan, noting that several copies of TCP Wrappers containing a Trojan capable of giving a malicious hacker control of a target machine were in circulation. TCP Wrappers is a tool maintained by the security expert Wietse Venema (one of the two creators of SATAN) and is normally used to monitor and filter connections to network services in a Unix environment. The file tcp_wrappers_7.6.tar.gz (the source code of version 7.6) was modified by a hacker and contained a Trojan horse through which an intruder connecting with source port 421 could acquire super-user privileges. The software's maintainers responded in several directions (checking and revision of the source code, and the relocation of several FTP sites at risk). At the same time CERT published a series of checksums that users should compare against their own copies to verify the integrity of their files.
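The checksum comparison CERT asked for, written out as an added example (this is not code from the article, from CERT or from the TCP Wrappers project). It parses a BSD-style digest list, recomputes every listed digest over the downloaded archive and fails closed on any mismatch, on a file the list does not mention, or on a list that carries only a weak algorithm. The archive bytes and the checksum lines are constructed for the demonstration; the real digests come from the maintainer's announcement or the advisory, fetched separately from the archive itself.

```python
"""Checksum verification for a downloaded source archive (added example).

Models the check CERT asked users to make when trojaned copies of
tcp_wrappers_7.6.tar.gz were found. The archive bytes and the digest
lines below are constructed; in practice the digests are copied from the
signed announcement or advisory, never computed from the file under test.
"""
import hashlib
import hmac
import re

# BSD-style digest lines, "MD5 (file) = hex", as printed in advisories.
_DIGEST_LINE = re.compile(
    r"^\s*(?P<algo>[A-Za-z0-9-]+)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9A-Fa-f]+)\s*$"
)


def parse_manifest(text):
    """Map file name -> {algorithm: lowercase hex digest}; other lines are ignored."""
    manifest = {}
    for line in text.splitlines():
        m = _DIGEST_LINE.match(line)
        if m:
            algo = m.group("algo").lower().replace("-", "")   # "SHA-256" -> "sha256"
            manifest.setdefault(m.group("name"), {})[algo] = m.group("hex").lower()
    return manifest


def verify(data, name, manifest, require=("sha256",)):
    """Return True only if every digest listed for `name` matches `data`.

    A list that carries only a weak algorithm (MD5 alone was normal in 1999)
    is rejected unless it also has one from `require`; the comparison is
    constant-time so a mismatch leaks nothing about where it occurred.
    """
    entries = manifest.get(name)
    if not entries or not any(algo in entries for algo in require):
        return False
    for algo, expected in entries.items():
        try:
            h = hashlib.new(algo)
        except ValueError:          # algorithm we cannot compute: fail closed
            return False
        h.update(data)
        if not hmac.compare_digest(h.hexdigest(), expected):
            return False
    return True


# --- constructed sample data ------------------------------------------------
ARCHIVE_NAME = "tcp_wrappers_7.6.tar.gz"
CLEAN = b"constructed stand-in for the genuine tarball bytes\n"
TROJANED = CLEAN + b"/* constructed: backdoor reacting to source port 421 */\n"

# Stand-in for the published list (constructed from CLEAN only so the
# example runs offline; a real check copies these from the advisory).
PUBLISHED = (
    f"MD5 ({ARCHIVE_NAME}) = {hashlib.md5(CLEAN).hexdigest()}\n"
    f"SHA-256 ({ARCHIVE_NAME}) = {hashlib.sha256(CLEAN).hexdigest()}\n"
)
MD5_ONLY = f"MD5 ({ARCHIVE_NAME}) = {hashlib.md5(CLEAN).hexdigest()}\n"


def demo():
    """Returns (clean passes, trojaned fails, MD5-only list rejected)."""
    good = parse_manifest(PUBLISHED)
    weak = parse_manifest(MD5_ONLY)
    return (
        verify(CLEAN, ARCHIVE_NAME, good),
        verify(TROJANED, ARCHIVE_NAME, good),
        verify(CLEAN, ARCHIVE_NAME, weak),
    )


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The digests are only as trustworthy as the channel they arrive over: a checksum list served from the same compromised FTP site as the archive proves nothing, which is why the advisory's list (or a PGP-signed announcement) has to be obtained separately.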
To complete this review of Trojans, we should mention picture.exe, an executable attached to some spam e-mail messages. When the user runs the attachment (which, of course, should never be done), it captures a series of personal data (passwords, user IDs and so on) and sends them to an e-mail address in China. Despite the strength with which this alarm was raised, almost as if it were something unheard of, some parties point out that this sort of thing has been seen before. In this case the alarm lies not in the type of program but in the fact that, once again, there is an almost total lack of preventive security education.

The macro virus trend

The 'Sticks and Stones' macro virus is one of the most recent and, fortunately, one of the least damaging of its kind. It strikes at the Microsoft Word platform, and one of the ways it circulates is, of course, through e-mail attachments. The virus installs itself as a macro, and its effect is tied to a specific date, usually the 14th of each month. When Word is opened on that date, the virus reads the fields holding the name of the program's licensee and displays a dialogue window saying: "[name surname] is a stupid jerk." A 'funny' joke, but annoying in the long run. Eric Chin, who has worked for years in anti-virus research at Symantec, expressed surprise at this macro virus's capacity to reproduce itself. As for products capable of recognizing it, at the time of writing almost all virus scanners, not only Symantec's, should be able to remedy the problem.

In this field too, many viruses have been discovered over the last few months. The problem is that, as the use of VBA spreads, the number of platforms involved is also increasing. Viruses for Access were identified some time ago, and many are now talking about PowerPoint too.
There are even macro viruses ready and waiting for platforms that are not yet in circulation or have only just been released. Panda Software recently informed its users of a destructive program that prevents documents created with the new Microsoft package from being viewed. The virus is called W2000M/PSD, and it is the first written for Office 2000. It is a variant of the better-known W97M/PSD, which infects Office 97 files. The virus consists of a single macro, "Document_Open()", with two functions renamed at random. It disables the security functions of the Tools > Macro menu, preventing the user from changing these options. The security setting is lowered to level 1 by changing the registry value under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security, which disables Word 9.0's macro protection. W2000M/PSD is polymorphic: it changes each of its variable names at random, together with the names of its macro functions, for every document it infects. Its destructive payload is as follows: whenever an infected file is opened, the virus checks whether the day and the minute match; if they do, between one and 70 coloured geometric shapes are created at random and scattered through the text so that it can no longer be read properly.
The 'Remote Explorer' case

This virus was discovered by Network Associates researchers. The news of its discovery caused more than a few arguments, both among experts and among vendors, some of whom accused each other of unfair behaviour over the circulation of remedies. The story of Remote Explorer is atypical in many respects. The first victim, well known in the community for its high-level security policy, was MCI WorldCom, a prestigious worldwide carrier that, besides managing telephone traffic, is also responsible for much of the Internet's worldwide backbone. The news made such a stir that it even attracted the interest of CNN, which broadcast a long report on it. One of the people in charge at Network Associates in America, who provided the first assistance, stated that it appears to be a genuine episode of cyber-terrorism and that it might not remain the only one.

Remote Explorer really does behave 'badly'. According to the NAI spokesman, the virus compresses executable files so that they can no longer be run, and encrypts .txt and .html files so that they can no longer be read. The virus (about 120 KB in size, which is rather unusual) propagates across Windows NT networks and takes advantage of the privileges of the Administrator account. Although it actually attacks NT networks, Network Associates point out that other platforms, such as Windows 9x, Unix and NetWare, can act as carriers for it. The arguments among vendors concern the way NAI handled the problem: NAI has been accused by some competitors (and by the most important international security forums) of not having immediately circulated the virus code that came into its possession following the discovery. In this way they allegedly allowed the virus to spread, albeit involuntarily, and also left customers who did not have NAI products installed without protection. The Network Associates spokesman stated, among other things, that this is a normal choice, aimed first and foremost at preserving the integrity of its own customers' systems. The modules for identifying the virus and, in some cases, removing it, are currently available at www.nai.com and at the sites of other suppliers of virus scanners. Personally, I advise readers to use the Windows NT Administrator account only for truly extraordinary system maintenance.
I would also remind them of the common (and always 'healthy') precaution of creating an administrative account with a different user ID, entrusting it with the real administrative privileges and leaving the 'Administrator' user ID as a mere decoy.
Users of Windows NT can check whether or not they have the infection as follows:

• Run the 'Services' applet from the Control Panel and check whether the 'Remote Explorer' string is present among the active services. If it is, the system has been infected.

Or:

• Run the program TASKMGR.EXE and check the processes in activity.
• If the files IE403R.SYS or TASKMGR.SYS (not .EXE) are found, the system is infected.
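The manual Remote Explorer check above, together with two other indicators from this article (the Scripting Runtime exposure from the HTML-virus section and Back Orifice's default port), as an added host-triage example that is not from the article or from any vendor. It parses constructed `sc query`, System32 directory and `netstat -an` listings; on a real NT host the same functions would be fed the real command output. The service name, file names and port are the ones the article gives; everything else here is an assumption of the example.

```python
"""Windows NT host triage for the indicators in this article (added example).

Encodes: the 'Remote Explorer' service and the IE403R.SYS / TASKMGR.SYS
files (TASKMGR.EXE is legitimate); scrrun.dll present in System32, the
precondition for locally saved HTML/VBScript viruses; and TCP 31337
listening, Back Orifice's default port. All listings below are constructed;
on a real host they come from `sc query`, a directory listing of
%WINDIR%\\System32 and `netstat -an`.
"""

REMOTE_EXPLORER_FILES = {"ie403r.sys", "taskmgr.sys"}   # TASKMGR.EXE is legitimate
BACK_ORIFICE_DEFAULT_PORT = "31337"                    # configurable by the attacker


def parse_sc_query(text):
    """Split `sc query` output into dicts with name, display and state."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = {"name": line.split(":", 1)[1].strip(), "display": "", "state": ""}
            services.append(current)
        elif current is not None and line.startswith("DISPLAY_NAME:"):
            current["display"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("STATE"):
            current["state"] = line.split(":", 1)[1].split()[-1]   # "4  RUNNING" -> "RUNNING"
    return services


def listening_tcp_ports(netstat_text):
    """Local TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[-1].upper() == "LISTENING":
            ports.add(parts[1].rsplit(":", 1)[-1])
    return ports


def triage(sc_query_text, system32_listing, netstat_text):
    """Return (severity, message) findings; 'infected' is definitive per the article."""
    findings = []
    for svc in parse_sc_query(sc_query_text):
        label = f"{svc['name']} / {svc['display']}"
        if "remote explorer" in label.lower():
            findings.append(("infected", f"Remote Explorer service present: {label} [{svc['state']}]"))
    names = {n.strip().lower() for n in system32_listing.splitlines() if n.strip()}
    for f in sorted(REMOTE_EXPLORER_FILES & names):
        findings.append(("infected", f"Remote Explorer component in System32: {f}"))
    if "scrrun.dll" in names:
        findings.append(("exposure", "Scripting Runtime (scrrun.dll) installed: locally saved HTML/VBScript can run"))
    if BACK_ORIFICE_DEFAULT_PORT in listening_tcp_ports(netstat_text):
        findings.append(("suspicious", "TCP 31337 listening: Back Orifice default (the port is configurable, so absence proves nothing)"))
    return findings


# --- constructed sample listings --------------------------------------------
SC_QUERY = """\
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Remote Explorer
DISPLAY_NAME: Remote Explorer
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""
SYSTEM32 = "kernel32.dll\ntaskmgr.exe\nIE403R.SYS\nscrrun.dll\n"
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for severity, msg in triage(SC_QUERY, SYSTEM32, NETSTAT):
        print(f"[{severity}] {msg}")
```

Note that a legitimate TASKMGR.EXE in the listing raises nothing; only the .SYS spelling the article names is an indicator, and the port check is advisory only because, as the article says, the BO port can be changed.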
Java viruses

The discussion among experts about the risk of Java viruses dates back to the beginning of last year, when Mark LaDue, a well-known American researcher, raised the question of whether such a thing could happen. As LaDue himself pointed out at the time, the question still 'pending' was whether a Java virus could actually harm the computers it hit. The first Java virus was discovered towards the end of 1998, when Symantec's SARC announced that 'Strange Brew' had been discovered and isolated. It was able to infect Java applications but was an infector only, so it was troublesome rather than truly harmful. Strange Brew has recently been joined by another virus, discovered by an Austrian anti-virus manufacturer. BeanHive (the name of the agent) is described as more treacherous and harder to identify than Strange Brew. George Wu, an expert at Ikarus Software (the ISV that issued the advisory), believes that this virus is a serious danger to end users of Java applets, unlike Strange Brew, which by its very nature had been described as 'a plaything for developers'. At the time of writing, the details of how BeanHive is supposed to gain control of system resources have not been described. It should be borne in mind, however, that with the new security model adopted by Java 2 (until recently called 'JDK 1.2'), the problem has two sides. The new security model is fundamentally policy-based, so regardless of whether an anti-virus program is used, an improperly configured JVM security policy can itself facilitate infection.
Conclusion

I will be frank. Many researchers and, above all, readers scattered all over the world with whom I am in contact (and there are a great many of them) are beginning to suspect, and to complain, that the discovery of most of the viruses reported so far is the result of marketing manoeuvres by the manufacturers themselves. Indeed, countries such as Spain and Austria, where there is no well-rooted tradition of research in this sector, arouse suspicion among the most 'knowing' users, who wonder how viruses can be discovered even before the platforms are actually marketed, or, worse still, how it is that viruses, Trojan horses and so on are reported that, as if by coincidence, are recognized and eliminated only by particular products. Personally, I have never viewed these signals negatively, since it is all too easy, particularly in a competitive market, to speak ill of one competitor or another. It can be said without hesitation, however, that an atmosphere of unwarranted alarm has been created often enough. For this reason the international bodies concerned with security are often forced to issue urgent advisories to explain how things really stand to the many users frightened by the information raining down on them, which is often overestimated.