Step five: Tackling viruses and spam

25th Dec 2005

In the fifth of his series on information security, Stewart Twynham of Bawden Quinn addresses something that concerns every internet user - how to protect themselves from infections and the growing flood of unwanted emails.

The state of play
Research carried out by Dynamic Markets suggests that 97% of SMEs have implemented some form of anti-virus protection. However, the DTI's 2002 security study suggested that 41% of small businesses had suffered a virus attack, with more recent studies suggesting far higher figures.

Based upon these statistics, it appears that over half of small businesses fail to use anti-virus technology correctly. This article will tackle the problem head on.

We'll also look at Spam - the scourge of modern day communications. MessageLabs reported that over half of the email it processes for businesses every single day is spam - a trend that is getting steadily worse, not better.

MYTH: Firewalls and anti-virus do roughly the same thing

Firewalls and anti-virus are two completely different forms of protection, working to solve two very different problems. Imagine an office block. When you enter, you first have to get past a security guard, who will ensure that you do indeed have a valid appointment with someone on the premises. That's what a firewall does - it controls who enters and leaves the building. Next, although you have a valid appointment, you could be carrying a bomb. You are therefore asked to pass your briefcase through an X-ray machine. That's what anti-virus does - it examines the data you are carrying to see if there is anything malicious inside. One without the other is a false economy; they are not interchangeable parts.

How anti-virus works
There are essentially three core techniques used by present-day anti-virus systems, two of which can run on your desktop PC.

Signature based anti-virus
A virus is essentially a software program like any other - and as such has instructions which are unique to that particular program. These unique instructions can be used as a 'signature' to help detect the presence of that program. The anti-virus program will normally check for these signatures whenever your computer tries to read or write files to or from a disk, or as part of a 'scan' of your hard drive. Some will also check for viruses whenever your computer is downloading emails.

Key benefits:

  • False positives (where a legitimate file is mistaken for a virus) are low
  • The software can run on your desktop, and is usually fairly cheap

Downsides:

  • The anti-virus software is only as good as your last update
  • New viruses can spread before the signatures are updated

Heuristics based anti-virus
Virus writers aren't usually the world's best software developers. They share their secrets on-line, and even use 'virus development toolkits' to create new viruses with a few clicks of a mouse. Consequently, large chunks of seemingly different viruses can often use similar instructions.

A heuristics engine is usually used in addition to a signature based engine, and looks for 'virus like' software - spotting anything that looks like a potential virus.

Key benefits:

  • Can spot some viruses before they are written

Downsides:

  • False positives can be high. A 1% error scanning 10,000 Word documents would keep any IT department busy!
  • The ones that run on your PC are not that good at finding new viruses
  • They can slow your PC's performance

Internet-level anti-virus (eg MessageLabs)
Most virus writers have chosen email as the fastest way of spreading viruses. In addition, some have even used Spamming techniques - sending the virus to millions of people to give it a jumpstart ahead of the anti-virus companies.

Internet based anti-virus companies such as MessageLabs combat this by sitting between the email sender and your ISP, and combine signature based anti-virus with sophisticated heuristics engines. Any mass-mailing virus is easily spotted - the system sees that someone is trying to send a number of very similar attachments in real time, and all such emails are immediately blocked and quarantined before any customer receives them.

Key benefits:

  • Not signature based - spots 100% of viruses before they are written
  • Runs on massive computer 'towers' - so the software can be much more sophisticated than that on your desktop PC
  • No maintenance required
  • System can be extended to block Spam and porn as well

Downsides:

  • Cost for very small businesses - minimum £50 per month for the anti-virus only service, for up to 25 users
  • Only protects against email viruses - businesses must still deploy some form of desktop/server anti-virus protection
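As an added illustration of the "very similar attachments in real time" check described above (example code written for this article, not MessageLabs' software), the following Python sketch hashes each attachment and quarantines a message once the same attachment has arrived from a threshold number of distinct senders within a short window. The MIME template and sender addresses are constructed; a commercial engine would also cluster near-identical rather than byte-identical files.

```python
import hashlib
from collections import defaultdict, deque
from email import message_from_string

class OutbreakDetector:
    def __init__(self, window_seconds=600, sender_threshold=3):
        self.window = window_seconds          # how far back "in real time" looks
        self.threshold = sender_threshold     # distinct senders of one attachment before quarantine
        self.seen = defaultdict(deque)        # attachment digest -> deque of (time, sender)

    def inspect(self, raw_message: str, now: float) -> str:
        """Return 'quarantine' if an attachment matches the mass-mailing pattern, else 'deliver'."""
        msg = message_from_string(raw_message)
        sender = msg.get("From", "").lower()
        verdict = "deliver"
        for part in msg.walk():
            if part.get_content_disposition() != "attachment":
                continue
            # exact-content hash; a commercial engine also clusters near-identical files
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            recent = self.seen[digest]
            recent.append((now, sender))
            while recent and now - recent[0][0] > self.window:
                recent.popleft()              # forget observations outside the window
            if len({s for _, s in recent}) >= self.threshold:
                verdict = "quarantine"
        return verdict

# Constructed MIME template (not real traffic); {payload} is a base64 attachment body.
TEMPLATE = """\
From: {sender}
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="photo.zip"
Content-Transfer-Encoding: base64

{payload}
--b1--
"""

def demo() -> list:
    # Three senders push one attachment within minutes; a fourth sends a different file.
    det = OutbreakDetector()
    worm = "TVqQAABjb25zdHJ1Y3RlZA=="        # base64 of a constructed 'MZ'-headed blob
    verdicts = [det.inspect(TEMPLATE.format(sender=s, payload=worm), now=100.0 + i)
                for i, s in enumerate(["a@one.example", "b@two.example", "c@three.example"])]
    verdicts.append(det.inspect(TEMPLATE.format(sender="d@four.example", payload="b3JkaW5hcnk="), now=104.0))
    return verdicts                           # ['deliver', 'deliver', 'quarantine', 'deliver']
```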

Common mistakes when deploying anti-virus systems
These are the common mistakes that we have observed in a number of companies - often as a result of the company wishing to save a little money. The end result is that the company ends up spending far more money putting things right, and then still has to go out and invest in the anti-virus products anyway to prevent the same thing happening all over again!

1. Not updating the signatures
When a virus is released, anti-virus companies will attempt to create a signature in a matter of hours. Until then, the virus can spread rapidly, and as a result the number of email infections will often surpass other viruses by an order of magnitude. If you receive 20 viruses on day one, 19 of them could be the 'latest' virus. If you haven't updated your anti-virus software BEFORE you opened up your email system, your anti-virus software will only spot one of those twenty - and hence is only 5% effective.

Anti-virus which is a day out of date is, for all practical purposes, completely useless.

2. Too little, too late
If you have five desktops, two laptops and one server, you need anti-virus for five desktops, two laptops and one server. It is our direct experience that companies will perhaps only protect the laptops, or only the machines used for email or receiving files on disk. This Swiss-cheese approach has one benefit: it saves a small amount of money up-front. But modern viruses present a 'blended threat', spreading through a variety of means; once they enter your network they can spread to all machines, making eradication difficult. Overall, the cost will be far higher than if you'd done the job properly in the first place.

It is vital to protect every part of your network where possible, otherwise that one computer or server you didn't protect will probably become your weakest link, and hence your downfall.

3. Putting cure before prevention
You would never put yourself at risk of a serious medical infection just because you knew your GP could administer antibiotics. So why put your network at risk by assuming your anti-virus will kick in, hopefully in time to save your data?

Anti-virus does exactly what it says on the tin - it's the last resort before you have to wipe all of your computers and hope your backup tapes are working. Instead, exercise good practices when setting up your network, including:

  • Blocking malicious attachments (such as .exe, .pif, .scr) at your email software, email server or firewall
  • Configuring firewalls to prevent the spread of viruses/worms back outside of your network
  • Patching and updating all software and operating systems
  • Training users not to click on certain attachments, pop-up ads, etc
  • Training users what to do in the event of something unexpected happening, such as an attachment not appearing to open, or a very slow Internet connection
  • Maintaining an acceptable use policy - banning certain services such as P2P/Kazaa file sharing, and preventing downloads of MP3s, pornography etc, which often require dubious 'tools' to be installed. Basically, ban anything that isn't work related!
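To show what "blocking malicious attachments at your email software, email server or firewall" looks like in practice, here is an added Python example (not from the original article or any product) that applies an extension blocklist, defeats the padded double-extension disguise, and also catches an executable hiding behind a harmless filename by looking at its first bytes. The extension list is a policy choice for the example and the sample message is constructed.

```python
from email import message_from_string

BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}  # policy for this example

def offending_name(filename: str):
    """Return why a filename is blocked, or None.
    Catches 'invoice.pdf.exe' and 'invoice.pdf      .exe' style disguises."""
    name = " ".join(filename.lower().split())   # collapse padding spaces
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return f"blocked extension {ext}" if ext in BLOCKED_EXTENSIONS else None

def has_executable_magic(data: bytes) -> bool:
    """DOS/Windows executables start with 'MZ' regardless of what the name claims."""
    return data[:2] == b"MZ"

def check_message(raw_message: str) -> list:
    """Return (filename, reason) for every attachment that violates the policy."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_disposition() != "attachment":
            continue
        fname = part.get_filename() or ""
        reason = offending_name(fname)
        if reason is None and has_executable_magic(part.get_payload(decode=True) or b""):
            reason = "executable content behind a harmless-looking name"
        if reason:
            findings.append((fname, reason))
    return findings

# Constructed sample message (not real mail); both attachments decode to an 'MZ' header.
SAMPLE = """\
From: someone@example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf      .exe"
Content-Transfer-Encoding: base64

TVqQAA==
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="holiday.jpg"
Content-Transfer-Encoding: base64

TVqQAA==
--b1--
"""
```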

Spam/unsolicited bulk email
A special note is reserved for Spam, since it's such a big problem for so many users. Spam is any email sent to a user which is unsolicited - and usually for some bizarre, offensive or non-existent product or service. Spammers are increasingly unlawful - they have been hijacking insecure computers for years to send millions of emails for free (often computers belonging to home users or small businesses). Over the last few years, however, the subject matter of the Spam itself has become increasingly unlawful, including:

  • Attempts to get people to buy non-existent or inferior services in order to obtain credit card numbers
  • Banking scams ('Please re-enter all your personal details') - which have even hit Barclays customers in the UK
  • The 'Advanced Fee' 419 Nigerian scam ('Hi, I am an official of XYZ bank, I need your money to help me move several billion dollars out of the country, for which you will get 20%'). This particular scam has resulted in kidnap and death for some of those daft enough to play along.
  • Distributing viruses by Spam
  • Creating viruses to turn PCs into Spam 'bots'

The reason Spam works is simple. By hijacking the servers and PCs belonging to users, small businesses and small ISPs, Spammers can send millions of emails for free. It only takes one response in that million to turn a profit. And there are always plenty of people daft enough to play along.

In the coming weeks, we will discuss:

  • Good housekeeping, backup and physical security
  • Training, acceptable use policies and legislation
  • ISPs, Domains, Web design and Hosting
  • The impact of new technology - VPNs, WiFi, Broadband, et al

Dealing with Spam - Step one: Reduce the effects
Single users and small businesses can opt to download one of the many free/cheap tools available to automatically detect and eliminate spam from inboxes. Mailwasher is pretty neat - and free for single account use. It allows you to delete spam directly from POP3 mailboxes, saving you from having to download it first. Some ISPs are also starting to offer low-cost Spam protection - if so, use it.

Slightly larger businesses should opt to use the commercial services from companies like MessageLabs, where combined anti-virus/porn/spam protection costs from £75 per month for up to 25 users. This kind of service comes with service level guarantees far stronger than your ISP can offer, and has a far more sophisticated anti-virus/Spam heuristics engine.

Just to put the cost in perspective (because many people still complain!): one of our clients was being hammered by viruses and spam and was going to have to upgrade their email server and leased line. This is a 15-user recruitment company, which advertises heavily on the Internet (hence the volume of Spam). Installing MessageLabs cost £150, plus £900 for the annual fee. In that time the service has:

  • Dealt with over 266,000 emails
  • Deleted over 121,000 items of spam (almost 50%)
  • Stopped all 2,500 viruses sent to the company

The client estimates that not having to upgrade its email server and leased line has saved literally thousands. The service is also much cheaper and more reliable than most server-based anti-virus/Spam products and requires no maintenance. It has saved as much as ten man-weeks in eliminating the enormous volume of Spam the company was receiving.

Step two: Prevention
Spammers work by harvesting or guessing email addresses. You can reduce the amount of Spam you receive by following a few rules:

  • Be careful when/how you register with online services. If possible, use a hotmail or yahoo account set up purely for registrations, or choose an anonymous service such as Mailinator
  • Don't advertise email addresses on your website - or limit them to password protected areas. If you want customers to contact you, use an online form with no discernible address, or limit to a specific 'contact' address.
  • Don't use your business email when setting up and buying domain names. Nominet allows 'ex-directory' registration for .co.uk domains, where the details are withheld from internet searches.
  • Where possible, DO NOT OPEN Spam email. Many use 'web beacons', unique graphics and/or other content either embedded into the email or the web pages they direct you to. Just opening the email or web page link is sufficient to tell the spammer your email has been read and your address is live - hence more junk email!
  • NEVER EVER (EVER) use the 'click here to remove your email' option unless you know the company - this is the easiest way to trick people into confirming their email address!
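The "web beacon" point above can be made concrete: this added Python example (not part of the original article) scans an HTML email body for content a mail client would fetch from the network as soon as the message is displayed, and flags the usual tracking signs, a 1x1 image and a long per-recipient token in the URL. The sample HTML and the .invalid hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

class BeaconFinder(HTMLParser):
    """Collects resources an HTML email would fetch from the network when rendered."""
    FETCHED_ON_OPEN = {"img": "src", "iframe": "src", "link": "href"}   # tag -> URL attribute

    def __init__(self):
        super().__init__()
        self.remote = []   # (url, reasons) for every network fetch the message would trigger

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        url = attrs.get(self.FETCHED_ON_OPEN.get(tag, ""), "")
        if urlparse(url).scheme not in ("http", "https"):
            return   # inline 'cid:' images and relative references are not fetched remotely
        reasons = []
        if (tag == "img" and attrs.get("width", "").strip() in ("0", "1")
                and attrs.get("height", "").strip() in ("0", "1")):
            reasons.append("tracking-pixel size")
        if any(len(v[0]) >= 16 for v in parse_qs(urlparse(url).query).values()):
            reasons.append("per-recipient token in query string")
        self.remote.append((url, reasons or ["remote content"]))

def find_beacons(html: str) -> list:
    """Return [(url, [reasons])] so a client can block remote content before rendering."""
    finder = BeaconFinder()
    finder.feed(html)
    return finder.remote

# Constructed HTML email body (not a real message).
SAMPLE_HTML = """<html><body>
<p>Unmissable offer inside!</p>
<img src="https://track.example.invalid/open.gif?uid=7f3a9c2b1d4e5f60" width="1" height="1">
<img src="cid:logo@example" alt="company logo">
<a href="https://shop.example.invalid/buy?r=7f3a9c2b1d4e5f60">Buy now</a>
</body></html>"""
```

Links inside `<a>` tags are only followed on a click, so they are deliberately left out of the list; the "remove me" link in the last bullet above is exactly that case.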

I hope that this has been a useful insight into the world of virus and Spam prevention.

Next week: we look at housekeeping, data backup and physical security. No matter how good your systems and software may be - getting the most basic things wrong will destroy all of your good work.

Further reading: Information security series

  • Step 1: Identify your assets
  • Step 2: Understanding the threats and vulnerabilities
  • Step 3: Things that turn threats and potential loss into risk
  • Step 4: The firewall
  • Step 5: Tackling viruses and spam
  • Step 6: Good housekeeping
  • Step 7: Training, acceptable use policies and legislation
  • Step 8: Domain name purchase and protection
Replies (4)

By dclark
18th Sep 2003 09:56

External Testing
If users wish to view a record of the main virus software products and how they've done in an almost continuous 'virus Olympics', go to http://www.virusbtn.com/vb100/about/index.xml

The site correctly says -
"A VB 100% award means that a product has passed our tests, no more and no less. The failure to attain a VB 100% award is not a declaration that a product cannot provide adequate protection in the real world if administered by a professional. We would urge any potential customer, when looking at the VB 100% record of any software, not simply to consider passes and fails, but to read the small print in the reviews"

It does show a few surprises, but also shows how many fail the 100% test as well as those 'not entered' or 'not tested'. We've absolutely nothing to do with the site, but find its results useful for clients... but to be fair the most common reason for viruses getting in is a failure to keep protection up to date.

Kind Regards

Daniel Clark
Ryba Macaulay Ltd
[email protected]

By Stewart Twynham
18th Sep 2003 11:20

Re: External Testing
Daniel,

It's an extremely valid point. One of the reasons I'm so reluctant to answer when someone asks me "So, Stewart, what's the best Anti-Virus software, then?" is that they're ALL bad in some way...

What works great on a desktop might be a bad choice for a server. A product that is great at securing Exchange might be the wrong brand for a roaming laptop that needs to update away from the LAN.

Despite what the A/V companies would like people to think, there is no one "perfect" product that covers all bases all of the time.

Stewart
[email protected]

By PaulTBouch
19th Sep 2003 12:04

Those annoying pop ups
A few weeks ago I started to receive pop-ups (15 or 20 a day) from 2 companies offering to sell me software that would stop unsolicited pop-ups from appearing for $20 - blackmail!! I couldn't find a way of stopping them with my Norton Firewall, but after a few phone calls I found a simple way to block them as follows:

> "Control Panel" --> "Performance and Maintenance" -->
> --> "Administrative Tools" --> "Computer Manager" -->
> --> "Services and Applications" --> "Services"
> then on the right hand side look for "Messenger"
> double click on it and in the StartUp type
> select Disabled instead of Automatic

By Stewart Twynham
19th Sep 2003 16:03

Re: Those annoying pop ups
Paul,

Please be aware that your firewall should be blocking all the TCP/UDP ports used by the messenger service by default. The fact that it isn't suggests that your firewall software isn't working or is misconfigured, leaving your PC open to numerous other potential attacks.

You may wish to try Zone Alarm which can be downloaded for free at http://www.zonelabs.com

Stewart
[email protected]
