
Worms Blocked by Awareness

infectionvectors.com

October 2004

 

Many types of Internet worms and mass mailers can be blocked or significantly slowed down as a result of a solid awareness program. Training users to identify abnormal system events and to report unusual network performance will boost virus defense and incident response procedures. The following short descriptions point out the families of worms and specific examples that may have been slowed because of user virus training.

 

Often, users (and entire organizations) feel very secure because anti-virus software is part of their security posture. Many enterprises rely entirely upon this software as the only layer of virus protection in the “defense in depth” strategy. In an organization of any size it is difficult to keep up with and fix every software issue immediately. Anti-virus products are no different from any other package: they sometimes break, are missed during system imaging, are disabled by users, conflict with other software, etc. Sometimes updates cannot be pushed quickly enough to deflect a viral intruder (because of vendor response, network issues, change control processes, or any of the issues described above). If every company that had anti-virus software found 100% effectiveness in their implementations, the worldwide virus costs would be much lower.

 

Many users are also unaware of the impact a virus infection can have on a machine or a network. They may be under the impression that all viruses are written purely to cause havoc on a PC. Teaching users that modern worms are often used to remote control systems, install proxies, and to form large networks of compromised machines may inspire them to take infections more seriously and respect their role as virus defenders.

 

User awareness and training help block unknown attacks, much as heuristic scan engines catch viruses by the actions a program attempts rather than by a known signature. The last section of this brief describes the overall benefits of training users to spot malicious software and to refrain from opening it.

 

Mass Mailers

 

The most obvious example of worms that would be blocked by user intervention is the mass mailer. Mailers require that a user open an email and then (in most cases) execute an attachment before the local system is infected. Knowing the general strategies of a mass mailer is all that is required to arm a user against these threats.

 

Along with knowing that many viruses propagate as email attachments, users need to know that none of the information in an email can be trusted, including the From, Subject, and message body fields: all of them are set by whoever (or whatever) sent the message.

 

Worms like MyDoom, Beagle, and Zafi would all be deflected by organizations that provide users with anti-virus training.
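The two traits above (a forged From header and an executable attachment behind a harmless-looking name) are also easy to check mechanically at the mail gateway. The following is an added example written for this page, not code from infectionvectors.com or from any product; the message it parses is constructed to resemble a generic delivery-failure lure, and the addresses and domains in it are invented. It uses only the Python standard library's email parser.

```python
"""Added example: flag mass-mailer traits in a single RFC 822 message.

Checks performed:
  * attachment filename ends in an executable extension;
  * a "double extension" such as report.doc.pif that hides an executable
    behind a document-like name, or whitespace padding before the real one;
  * the From display name claims an address at a different domain than the
    actual address (a common forgery pattern).
The sample message and all names/domains in it are constructed for illustration.
"""
import email
import re
from email import policy

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}
ARCHIVE_EXTS = {"zip", "rar"}
DOC_LIKE_EXTS = {"doc", "txt", "pdf", "jpg", "gif", "htm", "html", "xls"}

# Constructed sample: a forged "postmaster" sender and a .doc.pif attachment.
SAMPLE_EML = """\
From: "Mail Administrator <postmaster@example.com>" <x9f2k@mail-relay.invalid>
To: user@example.com
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Your message could not be delivered. The original message is attached.

--BOUNDARY
Content-Type: application/octet-stream; name="message.doc.pif"
Content-Disposition: attachment; filename="message.doc.pif"
Content-Transfer-Encoding: base64

TVo=
--BOUNDARY--
"""


def classify_filename(name):
    """Return a list of findings for one attachment filename (empty = clean)."""
    findings = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return findings
    ext = parts[-1].strip()
    if ext in EXECUTABLE_EXTS:
        findings.append("executable attachment (.%s)" % ext)
        if len(parts) >= 3 and parts[-2].strip() in DOC_LIKE_EXTS:
            findings.append("double extension disguises executable as .%s" % parts[-2].strip())
    elif ext in ARCHIVE_EXTS:
        findings.append("archive attachment; inspect contents")
    if re.search(r"\s{2,}", name):
        findings.append("whitespace padding pushes the real extension out of view")
    return findings


def check_message(raw):
    """Parse a raw message and return a list of human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_hdr = msg["From"]
    if from_hdr is not None and from_hdr.addresses:
        sender = from_hdr.addresses[0]
        claimed = re.search(r"@([\w.-]+)", sender.display_name or "")
        if claimed and claimed.group(1).lower() != sender.domain.lower():
            findings.append("From display name claims %s but address is @%s"
                            % (claimed.group(1), sender.domain))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings.extend("%s: %s" % (name, f) for f in classify_filename(name))
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_EML):
        print(finding)
```

The display-name check only catches the crude forgery where the attacker writes a whole address into the display name; a From header that simply names a colleague's real address cannot be distinguished from a genuine one by parsing alone, which is exactly why the text tells users to trust none of it.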

 

File Share Propagators

 

Worms that spread via file shares must place a copy of themselves in a publicly accessible folder. Whether the folder is on an office file server or in a client's P2P share directory, the worm has to put a visible program in front of the next user to entice that user to open it. Training people to be very suspicious of files with odd names or odd properties (such as a copy of an existing file with a different extension, as some Lovgate variants create) and to report them can halt an outbreak before it gets out of hand. Many mass mailers (Netsky, Beagle, and Lovgate, for example) have file share routines as well.

 

When a user identifies a suspicious file and knows to then report it to an information assurance representative, he/she removes the possibility of someone else opening the virus and causing greater harm.
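The same properties users are told to watch for can be swept for on a schedule by the share administrator. The script below is an added example for this page (not infectionvectors.com code and not a reproduction of any Lovgate variant's behaviour): it walks a share and reports executables, document-style double extensions, and the pattern of a document sitting next to a copy of itself with an executable extension. The directory layout it scans is built in a temporary directory purely for illustration; in use, scan_share() would be pointed at the real share.

```python
"""Added example: periodic sweep of a file share for worm drop patterns.

Reports, per file:
  * an executable sitting on the share at all;
  * a document-like name followed by an executable extension (report.doc.scr);
  * a "twin": the same stem present both as a document and as an executable
    (budget.xls beside budget.exe), the kind of copy the text describes.
The sample share is constructed in a temp directory for illustration.
"""
import os
import tempfile
from collections import defaultdict

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}


def split_name(filename):
    """Return (stem, lower-cased extension); extension is '' when absent."""
    if "." not in filename:
        return filename, ""
    stem, ext = filename.rsplit(".", 1)
    return stem, ext.lower()


def scan_share(root):
    """Walk root and return a list of (relative_path, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(list)          # stem -> extensions seen in this dir
        for fname in files:
            stem, ext = split_name(fname)
            by_stem[stem].append(ext)
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            if ext in EXECUTABLE_EXTS:
                findings.append((rel, "executable on share"))
                inner_ext = split_name(stem)[1]
                if inner_ext and inner_ext not in EXECUTABLE_EXTS:
                    findings.append((rel, "double extension .%s.%s" % (inner_ext, ext)))
        for stem, exts in by_stem.items():
            has_exe = any(e in EXECUTABLE_EXTS for e in exts)
            has_doc = any(e not in EXECUTABLE_EXTS for e in exts)
            if has_exe and has_doc:
                rel = os.path.relpath(os.path.join(dirpath, stem), root)
                findings.append((rel, "document has an executable twin: " + ", ".join(sorted(exts))))
    return findings


def build_sample_share():
    """Create a constructed share layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "finance/budget.xls": b"",
        "finance/budget.exe": b"MZ",      # twin of the spreadsheet
        "hr/policy.doc": b"",
        "hr/policy.doc.scr": b"MZ",       # double extension
        "public/readme.txt": b"",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, finding in scan_share(build_sample_share()):
        print(rel, "->", finding)
```

A hit from this sweep is the machine equivalent of the user report the paragraph asks for; either way, the next step is the one the "Intended Results" section describes, finding out which host wrote the file.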

 

Internet Worms

 

Although Internet worms spread by automatically exploiting software weaknesses, they are not completely invisible to end-users. These viruses will often crash services or whole systems, swallow up CPU cycles and make the local machine very sluggish, or produce a tremendous amount of scanning traffic that slows the entire network segment.

 

Strange reboots of client machines should be reported to security personnel as well as the system administrators. Slow systems, in single or group cases, should also get the attention of malcode teams, where they may be correlated with a recent virus release.
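The slow-segment symptom users notice is, from the network side, one host opening connections to many neighbours on one port. The following added example (written for this page, not infectionvectors.com code) shows the fan-out check a malcode team can run over flow records to confirm such a report. The flow records and addresses are constructed inline; the record format (timestamp, source, destination, destination port, protocol) is an assumption chosen for the example.

```python
"""Added example: detect worm-style scanning from flow records by fan-out.

A (source, destination port) pair that reaches at least `threshold` distinct
destinations inside a sliding time window is reported. Flow lines are
constructed for illustration in the format:
    <ISO timestamp> <src ip> <dst ip> <dst port> <proto>
"""
import datetime as dt
from collections import defaultdict


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return dt.datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_scanners(lines, window=dt.timedelta(seconds=60), threshold=20):
    """Return {(src, dport): peak_distinct_destinations} for fan-out above threshold."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _proto = parse_flow(line)
        events[(src, dport)].append((ts, dst))

    hits = {}
    for key, ev in events.items():
        ev.sort()
        start = 0
        peak = 0
        for i in range(len(ev)):
            # advance the window start so that ev[start..i] spans at most `window`
            while ev[i][0] - ev[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in ev[start:i + 1]}))
        if peak >= threshold:
            hits[key] = peak
    return hits


def constructed_flows():
    """Constructed sample: one normal workstation and one host sweeping the /24."""
    base = dt.datetime(2004, 10, 5, 9, 14, 0)
    lines = []
    # 10.1.2.40: a handful of file-server and mail connections
    normal = [("10.1.2.5", 445), ("10.1.2.5", 139), ("10.1.2.6", 25), ("10.1.2.5", 445)]
    for i, (dst, port) in enumerate(normal):
        ts = (base + dt.timedelta(seconds=10 * i)).isoformat()
        lines.append("%s 10.1.2.40 %s %d tcp" % (ts, dst, port))
    # 10.1.2.15: one new neighbour per second on port 445 (a sweep)
    for i in range(16, 61):
        ts = (base + dt.timedelta(seconds=i)).isoformat()
        lines.append("%s 10.1.2.15 10.1.2.%d 445 tcp" % (ts, i))
    return lines


if __name__ == "__main__":
    for (src, dport), count in find_scanners(constructed_flows()).items():
        print("%s -> %d distinct hosts on port %d within 60s" % (src, count, dport))
```

The threshold and window are starting points, not tuned values: a backup server or a vulnerability scanner legitimately fans out in the same way, so the check is a trigger for the correlation the paragraph describes, not a verdict on its own.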

 

Additional Security Incidents

 

Understanding the basics of how viruses spread and what they are capable of doing will help users identify other attacks. These include:

 

Phishing Scams

 

Knowing that email is inherently untrustworthy will at least give users pause when looking at a request for personal information. Showing real examples of well-produced phishing attacks and how to identify a scam will go a long way.

 

Social Engineering

 

Having the knowledge that attackers find value in all enterprise systems (that there is no “worthless” or insignificant target) should encourage users to guard internal data more closely. An example or two of successful social engineering attacks during the malware training is a wise investment.

 

Intended Results

 

Finally, don’t forget that any detection of a virus should help the security team identify and mitigate network weaknesses. Once a user finds a file share worm and it is cleaned from the respective machine, try to discover how the file arrived in the first place.

 

The overall goal of virus training programs is to reduce the cost of virus cleanup. By giving users the tools to act as a layer in the virus defense strategy, the entire enterprise’s security posture is improved.

 

 

Copyright © 2004 infectionvectors.com. All rights reserved.