2008 International Symposium on Ubiquitous Multimedia Computing

Malware and Antivirus Deployment for Enterprise IT Security

Nadejda Belbus Vasilyevna1), Sang-Soo Yeo2), Eun-Suk Cho3), Jeon-Ah Kim4)

1)
Tashkent University of Information Technologies, Tashkent, Uzbekistan
2)
R&D Department, BTWorks Inc., Seoul, Korea
3)
School of Multimedia, Hannam University, Daejoen, Korea
4)
Dept. of Computer Education, Kwandong University, KangNung, Korea
nbelbus@mail.ru, ssyeo@btworks.co.kr, eunsukk@empal.com, clara@kd.ac.kr

Abstract pernicious than other forms of information security

Threats to information security are spreading, from
both outside and within an organization. Computer
security has evolved so as the methods of
identification, detection, and prevention of malware,
only to be followed by a new set of threats that
circumvent those safeguards. Internet and wide
availability of toolsets and documentation exacerbates
this problem by making malware development easy. As
blended threats continue to combine multiple types of
attacks into single and more dangerous payloads,
newer threats are emerging. Phishing, pharming,
spamming, spoofing, spyware, and hacking incidents
are increasing at an alarming rate despite the release
of breakthrough security defense products. A multi-
layered, integrated approach using different security
products in conjunction with well-defined security
policies and antivirus software will form the
foundation for effective enterprise security
management.
(IS) vulnerabilities in that its impact is generally not
confined to one or a few entities; rather, it is normal
for a large number of organizations to be affected at
once, to a substantial degree.
2. Malware and Its Impact
Malware is short for malicious software and is
typically used as a catch-all term to refer to the class of
software designed to cause damage to any device, be it
an end-user computer, a server, or a computer network.
Software is considered malware based on the
perceived intent of the creator rather than any
particular features. Malware includes computer
viruses, worms, trojan horses, most rootkits, spyware,
dishonest adware, and other malicious and unwanted
software. The number of Malware has increased since
its breakthrough in 1986 due to new technologies
specially the internet.

Keyword: Antivirus, Malware Prevention, Table. 1 Time taken by Virus to become

Information Security, Enterprise Security prevalent over years (Source: Orshesky, 2002)

Name of Year of Time taken

Type
1. Introduction malware creation to spread
form 1990 boot sector virus 3 years
Enterprise deployment refers to uniform concept 1995 word macro virus 4 months
distribution, operation, administration, and Melissa 1999 e-mail enabled 4 days
maintenance of a common solution across all
word macro
departments in a given organization. The strategies and
teachings from this chapter apply to all organizations, Love
2000 e-mail enabled 5 hours
large and small, as long as an enterprise deployment Letter
solution is used. The increased use of the information script
superhighway has been accompanied, inevitably, by a Slammer 2003 SQL worm 10 minutes
commensurate increase in the incidence and impact of
malware outbreak. A malware attack is more

978-0-7695-3427-5/08 $25.00 © 2008 IEEE 252

DOI 10.1109/UMC.2008.58
 Antivirus software has been the chief defense
mechanism since the proliferation of viruses started.
Most antivirus solutions are comprehensive security
solutions that can be centrally monitored. They can
also be configured to remove administrative rights
from client machines. Antivirus programs normally
manage the life cycle of viruses in four steps:
1. Prevention of virus outbreak;
2. Containment of virus outbreak;
3. Restoration of the affected nodes; and
4. Reporting and alerting all the complementing
perimeter security systems.
3. Antivirus Solution: The Layered
Approach
The inherent complexity of enterprise networks
demands a common security framework for all the
entities involved in such a network, as has been
discussed in the earlier sections. We present a generic
three-layered approach:
Layer 1: Gateway and content security
Layer 2: Intranet servers
Layer 3: Desktops and user community
Figure 1. The 3-Layered Defense
3.1 Layer 1- Gateway and content security
It deals with the Internet visible servers as well as
the DMZ network of an organization. It can be further
subdivided into gateway traffic and content security.
3.1.1Gateway Traffic. The antivirus solution in the
gateway security layer (GSL) complements the
protection provided by of the firewall and DMZ
253
configuration. Typically this layer has firewall and e-
mail servers that are exposed to the public Internet.
Layer 1 features “firewall logs” that play a
significant role in antivirus deployment. Malware is
frequently aimed at exploiting certain ports in the
target machine and using them to broadcast itself, and
these Firewall logs in Layer 1 can be “parsed” for such
attempts. This security management control process
could be customized based on past experience and
current activity.
3.1.2 Content Scanning. The content-scanning
function of Layer1 processes e-mail attachments, scans
e-mails for specific text, identifies spam based on e-
mail content, and provides blacklisting services that
were not included in the firewall filters. The scanning
function is not confined to incoming traffic —
malware originating within the organization is also
addressed by the content scanning function of Layer 1.
3.2 Layer 2 - Intranet servers
Layer 1 dealt with e-mail and proxy servers placed
in the DMZ network. We now address the next layer in
the security of the enterprise — e-mail servers, file
servers, and proxy servers hosted on the organizational
intranet. Given that the major medium of virus
propagation is e-mail, antivirus solutions for e-mail
servers demand special attention.
Antivirus software should be installed on both e-
mail servers and client machines, and should be
selected based on the e-mail software used. Most
organizations now provide remote-access capability to
Layer 2 e-mail servers, either through a virtual private
network (VPN), a remote access server (RAS), or
Webmail.
3.3 Layer 3 - Desktops and user community
Layer 3, the innermost layer is the one that has
traditionally received maximum attention. The
scanning issues for file servers in Layer 2 hold good
for desktops as well, thanks to the increase in storage
space and processing speed. The use of Webmail,
instant messaging tools, peer-to-peer file sharing,
shared permissions in the intranet, and downloads from
the Internet are all possible sources of virus infection.
Access to such services should be addressed while
formulating the organization’s security policy. It is
highly desirable that automated scans be configured
for user machines and that administrator privileges on
those machines be unavailable to lay users. This helps
ensure that critical antivirus programs are not
uninstalled and that the user does not install any new
programs or tools.
4. Patch Deployment in Enterprise
Network
Effective patch management includes several
critical elements, such as top management support,
standardized policies, dedicated resources, risk
assessment, testing, distribution of patches, and
monitoring the effectiveness of patch deployment. The
following facts illustrates the seriousness of the current
situation:
ƒ According to the FBI and Carnegie Mellon
University, more than 90% of all security breaches
involve a software vulnerability caused by a
missing patch that the IT department already
knows about.
ƒ On January 25, 2003, the Slammer worm triggered
a global Internet slowdown and caused
considerable harm through network outages and
other unforeseen consequences. Some of the
reported incidents due to its impact were: shutting
down of a 911 emergency call center, cancellation
of airline flights, failure of ATMs, and disruption
of important systems at nuclear power plant
facilities.
ƒ During the summer of 2003, the Blaster threat
appeared a full 27 days after the associated
vulnerability was announced through a critical
security bulletin by Microsoft and a patch was
made available by that company. Clearly, had this
time been used in simple patch-deployment, much
of the impact of that worm could have been
mitigated.
4.1 Patch Management — Common Mistakes
and Solutions
Patch management has become expensive and time-
consuming for most enterprises. Common mistakes are
incompatible patches, defective patches, neglect to
patch and patches containing vulnerabilities
themselves.
4.2 Antispyware for Enterprise Network
Spyware is fast emerging as a major concern, and
new enterprise anti-spyware tools are helping network
254
security managers eradicate this malware. Advanced
anti-spyware tools targeted at the enterprise market
typically feature centralized management tools and
automatic update services.
5. Mechanics of Malware and Antivirus
Software
This section attempts to provide an understanding
of the mechanics of the working of a virus and of
antivirus software. A real-life example may be salutary
to this purpose.
5.1 Pattern Recognition
Pattern file recognition examines key suspect areas
and uses the virus pattern file to compare and detect
viruses.
5.2 Integrity Checking (Check-Summing)
This is another old method in which the antivirus
program builds an initial record of the status (size,
time, date, etc.) of all the files on the hard disk.
5.3 X-Raying
This is a method of virus detection that uses a set of
techniques that enables us to see a picture of the virus
body, seeing through the layer of encryption.
5.4 32-Bit Viruses and PE File Infectors
This infects files in 32 bit OS. PE file-infectors
work in various ways, change the entry point to that
specific section to run themselves each time the host
file gets executed.
5.5 Entry Point Obscuring
Unlike the PE File Infectors, it places a "Jump-to-
Virus" instruction somewhere in the middle of the file
code section.
5.6 Encrypted Virus
These feature the encryption technology in virus
writing that hides the fixed signature by encrypting the
scrambling virus, making it unrecognizable to the
antivirus software.
5.7 Polymorphic Viruses
A polymorphic virus features a scrambled virus
body, a decryption routine of encryptedviruses, and a
third component called a "mutation engine" in
encrypted form.
5.8 Heuristic-Based Generic Decryption and
Emulation
This enhancement of generic decryption employs
"heuristics", a generic set of rules that helps
differentiate non-virus from virus behavior.
5.9 Anti-Emulation
Viruses use anti-emulation techniques to defeat the
generic heuristics detection process by themselves
detecting if emulation is in progress.
5.10 Anti-Debugging
Anti-debugging techniques are small pieces of code
that have no overall effect on the virus when it is run
under conditions bereft of antivirus scanning
techniques.
5.11 Retrovirus
Retrovirus is a computer virus that specifically tries
to bypass or hinder the operation of antivirus
programs. The attack may be generic or specific to a
known product, is also known as anti-antivirus.
5.12 Backdoor
A program that surreptitiously allows access to a
computer ’ s resources (files, network connections,
configuration information, etc.) via a network
connection is known as a backdoor or remote-access
Trojan.
6. Antivirus Engine and Database
Antivirus scanners generally include an antivirus
(AV) engine and a virus-detection database. These two
components are normally integrated into a single unit.
However, in some antivirus software products, the
engine only serves as a loader for the database, and it
is here that all the functionality is implemented.
255
7. Conclusion
These past years were bustled with serial computer
virus outbreaks. It also saw an increase in bot
programs and the incidence of spam and phishing, as
well as in spyware and adware generation, indicating
the determination of hackers to invade and undermine
every popular Internet application and device and
exploit every available security loophole. Outdated
forms and methods of attacks have been replaced with
newer, more effective methods that can ensure greater
reach and effectiveness. Based on the current trend,
some of the future forecasts regarding malware are:
Smarter blended threats are increasingly wreaking
havoc and will continue to present a challenge to
enterprise security. Spam mails and phishing will
continue to be a major concern in e-mail usage, while
newer malware like pharming viruses are emerging.
Internet relay chat (IRC), peer-to-peer (P2P)
communication will continue to be weak security links
and new file-swapping technologies continue to raise
new concerns. Social engineering is emerging as one
of the biggest challenges, as there is no technical
defense against the exploitation of human weaknesses.
The time between vulnerability disclosure and release
of malware exploiting the vulnerability continues to
get shorter, requiring more proactive assessment tools
and constant vulnerability assessment of the enterprise
networks.
References
[1] Sharman, R., Krishna, K.P., Rao, H.R., Upadhyaya, S.
(2006) Malware and Antivirus Deployment for
Enterprise Security
[2] Argaez, E. D. (2004). How to prevent the online
invasion of spyware and adware.
[3] Banes, D. (2001). How to stay virus, worm and Trojan
free - without anti-virus software.
[4] Capek, P. G., Chess, D. M. , & White, S. R. (2003,).
Merry Christmas: An early network worm. Security &
Privacy Magazine, IEEE, 1(5), 26-34.
[5] CSI/FBI. (2004). 9th CSI/FBI Annual computer crime
and security survey. CSI Institute.
[6] Dacey, R. F. (2003, September 10). Information
security: Effective patch management is critical to
mitigating software vulnerabilities. Testimony Before
the Subcommittee on Technology Information Policy,
Intergovernmental Relations, and the Census, House
Committee on Government Reform. U.S. GAO-03-
1138T.
[7] Ferrie, F. P. a. P. (2004, September 8-9). Principles and
practise of x-raying. Paper presented at the Virus
Bulletin Conference, Jersey, UK.