Virus talk
==========

by Kurt Keller

Everybody knows that viruses are nasty creatures. In the real world many can cause pain and disease, can be a hazard to our health and in the extreme a threat to our life. Their electronic cousins generally have less impact on our physical life. They crash computers, erase hard drives and steal email addresses. But none of this threatens our life - usually.

Usually? Well, computer viruses very well can threaten the physical world, though indirectly. Imagine what could happen if, due to such a small piece of malicious code, your employer's personnel department loses track of how much they should pay you at the end of the month? Or worse: all the records of your bank account are erased? Disastrous: a hospital loses all the data about its patients?

You are not infected, but I got a virus from you
------------------------------------------------

Viruses become cleverer all the time. This can be quite nasty. At work, complaints about viruses or unrequested mail coming from our site have recently been on the rise. This even though we take anti-virus measures for our 5000+ users seriously. As it turns out, these infected mails are not being sent by any of our users at all. So what happens?

Address books have been in use for ages, even before everyone had a computer sitting on the desk both at home and at the office. Usually you can't remember the addresses of all your correspondents, so it's common to jot them down in an address book. The electronic version is even more convenient, as you can create aliases and you don't need to bother copying the address information into your email software: just type the alias and that's it. Very easy, a real time saver. In order to use this convenience, of course, you will have most of the addresses you use in the address book.

We already had to get used to viruses spying into our email address books and picking out information from there.
They use the addresses in there to spread further; our correspondents are the next victims. Now the latest mutants of these electronic robbers and waylayers go a step further still. In order to hide even better, they not only use the entries in our address books for selecting victims, they now also use these addresses at random as sender addresses. So if my computer is infected with such a virus, and my friend Tom, working for IBM, and my other friend Jack, working for Citibank, both have an entry in my email address book, such a virus could send infected mail to Tom which looks as if it was coming from Jack. Of course rumours will start immediately, saying that Citibank is infected with a virus, even though, in fact, both Citibank and IBM are clean and my home PC is the culprit.

It gets worse still. Recently certain viruses also use file attachments at random. They simply select any one file on the hard disk and attach it to an infected email. Just a couple of weeks ago we had a call from a company saying that they repeatedly got virus-infected email from some address, but with attached copies of bank statements issued by our bank. Alarm bells going off. If such mail was in fact coming from within our organization, this could mean not only big legal trouble, but also a lot of negative publicity if the gossip papers got hold of it. The customer said he never uses a computer for banking transactions and it was completely impossible that he had such a file on his hard drive. Apparently, at the bank nobody had got such a file either. Where the heck was this copy of a real bank statement coming from?

Thanks to the sharp eyesight of a colleague we could finally find out what had happened. Two letters which should be 'ff' actually were interpreted as 'tt' in the file in question.
This is a typical error when converting scanned files; if the file had come from the bank, this kind of error should not happen, as such files would not be scanned from paper, but produced directly from the database. Actually, the customer had the paper statement scanned by a friend because he had to mail it abroad as a confirmation of payment. The scanned file was sent directly from his friend's computer and our customer never actually had that file on his own computer. Unfortunately the computer of his friend was unknowingly infected by a virus and, as Murphy's law applies, the virus chose exactly the file of the scanned bank statement to be used as attachment in virus mail.

You might want to be careful what kind of information you process with your computer...

Vaccination costs - Disinfection costs more
-------------------------------------------

These days it is more than just bad practice to have no anti-virus software installed on your desktop. Every day lots of money in the form of lost productivity and lost data goes down the drain due to viruses. Tell me, how much did you pay for your PC? How much did you pay for your software? And how much does a virus scanner cost these days? Peanuts compared to what you pay for all your other hardware and software. Anti-virus software should be as commonplace as seatbelts in a car.

Don't depend only on a centrally installed virus gateway. With tunnelling technology such as we use more and more, sometimes without knowing, such centrally installed virus scanners miss more and more traffic. Even simple HTTPS sessions cannot be monitored by them. A locally installed and activated anti-virus scanner on each workstation is absolutely mandatory these days.

There are lots of products and many of them are fine. But while not too long ago you could get away with some product that had only monthly manual updates, I surely recommend something which updates itself automatically at least daily.
Aggressive viruses can spread around the world in a matter of hours and by the time you read about it in the papers, it might already be hard at work on your machine. What you should also check is whether the product scans only certain file types. If so, leave it on the shelf and turn your eyes toward something which can be configured to scan all file types. Not only executable files and file types with embedded macro commands are vulnerable nowadays; even PDF, JPEG and other file types can be contaminated and abused.

The times when you knew exactly when a new file entered your computer are definitely over. With virtually every computer on the planet connected to some type of network, files flow into your computer and leave it constantly; even an email or a webpage is a file. Luckily, just about any anti-virus software now constantly checks memory and accessed files for malicious code. If the product you're eyeing does not, you probably mistook a computer museum for a computer shop.

I can't give any specific recommendation and no product will give you 100% protection, but 90% protection already goes a very long way. Using a bit of common sense and a grain of paranoia, possibly coupled with two different scanning engines, you might even get 98% protection. For the remaining 2% you'll have to depend on your luck. In the references section you'll find a couple of links to anti-virus software vendors.

A final word about hoaxes. Most of the time, if you get an email saying that this and that virus has been let loose and you should warn all your friends, it is a hoax. Don't waste valuable bandwidth forwarding such mail to everyone. In a company environment forward the message only to your anti-virus administrator or to your help desk, but to nobody else. If you want to check whether the news is really true, the best bet will be to have a look at the webpage of some anti-virus software vendors. They usually also have a list of these hoaxes.
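
An added example, not part of the original article: one way to answer the "infected mail from your site" complaints described under "You are not infected, but I got a virus from you" is to compare the From domain of the forwarded message with the host that actually handed it to the recipient's mail server. The domain, relay range and sample headers below are assumptions constructed for illustration, and only IPv4 addresses in square brackets are recognised.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values (reserved documentation names/ranges, not real infrastructure).
OWN_DOMAIN = "bank.example"
OWN_RELAYS = [ipaddress.ip_network("192.0.2.0/28")]
INTERNAL = [ipaddress.ip_network(n) for n in  # recipient-side internal hops
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: headers as the complaining recipient would forward them.
SAMPLE = """\
Received: from mx.recipient.example ([10.1.2.3]) by store.recipient.example;
 Thu, 1 Jan 2004 10:00:02 +0000
Received: from dsl-77.isp.example ([203.0.113.77]) by mx.recipient.example;
 Thu, 1 Jan 2004 10:00:01 +0000
From: Jack <jack@bank.example>
Subject: your document

(body omitted)
"""

def handoff_ip(msg):
    """Newest hop first: return the first non-internal IP a receiving MTA logged."""
    for hop in msg.get_all("Received", []):
        match = BRACKETED_IP.search(hop)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # digits in brackets, but not a valid IPv4 address
        if not any(ip in net for net in INTERNAL):
            return ip
    return None

def assess(raw):
    """Compare the claimed sender domain with the host that delivered the mail."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = handoff_ip(msg)
    if ip is None:
        return "no-trace", None
    from_us = any(ip in net for net in OWN_RELAYS)
    if claimed == OWN_DOMAIN and not from_us:
        return "forged-sender", str(ip)
    return ("ours" if from_us else "unrelated"), str(ip)
```

The headers are read newest first because only the lines written by the recipient's own servers can be trusted; anything below the hand-off hop was supplied by the sending machine and may be invented.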

References
----------

F-Secure         http://www.f-secure.com/
Kaspersky Lab    http://www.kaspersky.com/
McAfee Security  http://www.mcafee.com/
Norman           http://www.norman.com/
Symantec         http://www.symantec.com/
Panda Software   http://www.pandasoftware.com/
Trend Micro      http://www.trendmicro.com/
Sophos           http://www.sophos.com/
PINBOARD         http://www.pinboard.com/
HighTechSamurai  http://kurt.www.pinboard.com/