uninstalled and that the user does not install any new programs or tools.

4. Patch Deployment in Enterprise Network

Effective patch management includes several critical elements, such as top management support, standardized policies, dedicated resources, risk assessment, testing, distribution of patches, and monitoring the effectiveness of patch deployment. The following facts illustrate the seriousness of the current situation:

According to the FBI and Carnegie Mellon University, more than 90% of all security breaches involve a software vulnerability caused by a missing patch that the IT department already knows about.

On January 25, 2003, the Slammer worm triggered a global Internet slowdown and caused considerable harm through network outages and other unforeseen consequences. Some of the incidents reported as a result of its impact were: the shutting down of a 911 emergency call center, cancellation of airline flights, failure of ATMs, and disruption of important systems at nuclear power plant facilities.

During the summer of 2003, the Blaster threat appeared a full 27 days after the associated vulnerability was announced through a critical security bulletin by Microsoft and a patch was made available by that company. Clearly, had this time been used for simple patch deployment, much of the impact of that worm could have been mitigated.

4.1 Patch Management — Common Mistakes and Solutions

Patch management has become expensive and time-consuming for most enterprises. Common mistakes are incompatible patches, defective patches, neglecting to patch, and patches that themselves contain vulnerabilities.

4.2 Antispyware for Enterprise Network

Spyware is fast emerging as a major concern, and new enterprise anti-spyware tools are helping network security managers eradicate this malware. Advanced anti-spyware tools targeted at the enterprise market typically feature centralized management tools and automatic update services.

5. Mechanics of Malware and Antivirus Software

This section attempts to provide an understanding of the mechanics of how a virus works and of how antivirus software works. A real-life example may be salutary to this purpose.

5.1 Pattern Recognition

Pattern-file recognition examines key suspect areas of a file and uses the virus pattern file (a database of known signatures) to compare against them and detect viruses.

5.2 Integrity Checking (Check-Summing)

This is another old method in which the antivirus program builds an initial record of the status (size, time, date, etc.) of all the files on the hard disk and later compares the current status of each file against this record.

5.3 X-Raying

This is a method of virus detection that uses a set of techniques enabling the scanner to see a picture of the virus body through its layer of encryption.

5.4 32-Bit Viruses and PE File Infectors

These infect files on 32-bit operating systems. PE file infectors work in various ways; typically they change the entry point of the host file to the section holding their own code, so that they run each time the host file is executed.

5.5 Entry Point Obscuring

Unlike the PE file infectors above, the virus places a "Jump-to-Virus" instruction somewhere in the middle of the file's code section rather than changing the entry point.

5.6 Encrypted Virus

These use encryption in the virus body to hide the fixed signature: the virus body is encrypted or scrambled, making it unrecognizable to signature-based antivirus software.
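As an added illustration of 5.1, 5.3 and 5.6 above (example code written for this edition, not from the paper): a toy pattern-file scanner, a constructed sample whose marker is hidden by a single-byte XOR layer, and an X-ray pass that tries every key so the signature is seen through the encryption. The pattern names, signatures and sample bytes are all constructed.

```python
"""Added example (not from the paper): a toy pattern-file scanner (5.1) that
misses a fixed signature once the body is encrypted (5.6), and an X-ray pass
(5.3) that looks through a single-byte XOR layer to recover it.
All data is constructed; nothing here is real malware."""

# Constructed "pattern file": detection name -> fixed byte signature.
PATTERN_FILE = {
    "Demo.Marker.A": b"DEMO-MARKER-A",
    "Demo.Marker.B": b"\xde\xad\xbe\xef\x13\x37",
}

# Constructed sample "file body" carrying the first signature in the clear.
PLAIN_SAMPLE = b"MZ\x90\x00 harmless header " + b"DEMO-MARKER-A" + b" trailer"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR layer (the simplest 'encrypted virus' wrapper)."""
    return bytes(b ^ key for b in data)


def pattern_scan(data: bytes) -> list[str]:
    """5.1: compare the data against every entry in the pattern file."""
    return [name for name, sig in PATTERN_FILE.items() if sig in data]


def xray_scan(data: bytes) -> list[tuple[str, int]]:
    """5.3: try each possible XOR key and scan the result, so the signature is
    seen 'through' the encryption layer. Returns (name, key) pairs."""
    hits = []
    for key in range(256):
        for name in pattern_scan(xor_bytes(data, key)):
            hits.append((name, key))
    return hits


if __name__ == "__main__":
    encrypted = xor_bytes(PLAIN_SAMPLE, 0x5A)   # constructed; key is arbitrary
    print(pattern_scan(PLAIN_SAMPLE))            # ['Demo.Marker.A']
    print(pattern_scan(encrypted))               # [] : fixed signature hidden
    print(xray_scan(encrypted))                  # [('Demo.Marker.A', 90)]
```

The brute-force over 256 keys is cheap; real X-raying extends the same idea to the multi-byte and sliding keys that encrypted and polymorphic bodies use.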
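The integrity-checking method of 5.2, as an added example that is not part of the paper: a baseline record of each file's size, modification time and SHA-256 digest is taken once, and a later pass reports files whose content changed, were added or were removed. The directory and files are constructed in a temporary folder, and the use of a content hash alongside the size/time record is an assumption (the paper names only size, time and date).

```python
"""Added example (not from the paper): the integrity-checking method of 5.2.
A baseline of every file's size, mtime and content hash is stored once; a later
pass compares the live tree against it. Files are constructed in a temp dir."""
import hashlib
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """The per-file status recorded: size, mtime and (assumed) a SHA-256."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": digest}


def build_baseline(root: Path) -> dict[str, dict]:
    """Walk the tree once and record the status of every regular file."""
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: dict[str, dict]) -> dict[str, list[str]]:
    """Compare the live tree against the baseline. A size or hash change marks
    a file as modified; an mtime-only change is reported separately, since a
    new timestamp with identical content is not by itself an infection."""
    current = build_baseline(root)
    report = {"modified": [], "touched": [], "added": [], "removed": []}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report["removed"].append(name)
        elif old["sha256"] != new["sha256"] or old["size"] != new["size"]:
            report["modified"].append(name)
        elif old["mtime"] != new["mtime"]:
            report["touched"].append(name)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline two files, then append to one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "readme.txt").write_text("hello")
        baseline = build_baseline(root)
        with open(root / "app.exe", "ab") as f:   # appended tail changes the hash
            f.write(b"CONSTRUCTED-TAIL")
        (root / "dropped.dll").write_bytes(b"new file")   # constructed new file
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())  # modified: ['app.exe'], added: ['dropped.dll']
```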
5.7 Polymorphic Viruses

A polymorphic virus features a scrambled virus body, a decryption routine for the encrypted body, and a third component called a "mutation engine", itself held in encrypted form.

5.8 Heuristic-Based Generic Decryption and Emulation

This enhancement of generic decryption employs "heuristics", a generic set of rules that helps differentiate non-virus from virus behavior.

5.9 Anti-Emulation

Viruses use anti-emulation techniques to defeat the generic heuristic detection process by themselves detecting whether emulation is in progress.

5.10 Anti-Debugging

Anti-debugging techniques are small pieces of code that have no overall effect on the virus when it is run in the absence of antivirus scanning techniques.

5.11 Retrovirus

7. Conclusion

The past few years have been marked by serial computer virus outbreaks. They also saw an increase in bot programs and in the incidence of spam and phishing, as well as in spyware and adware, indicating the determination of hackers to invade and undermine every popular Internet application and device and to exploit every available security loophole. Outdated forms and methods of attack have been replaced with newer, more effective methods that ensure greater reach and effectiveness. Based on the current trend, some of the future forecasts regarding malware are:

Smarter blended threats are increasingly wreaking havoc and will continue to present a challenge to enterprise security.

Spam mails and phishing will continue to be a major concern in e-mail usage, while newer malware such as pharming viruses are emerging.

Internet relay chat (IRC) and peer-to-peer (P2P) communication will continue to be weak security links, and new file-swapping technologies continue to raise new concerns.

Social engineering is emerging as one of the biggest challenges, as there is no technical defense against the exploitation of human weaknesses.

The time between vulnerability disclosure and the release of malware exploiting the vulnerability continues to get shorter, requiring more proactive assessment tools and constant vulnerability assessment of enterprise networks.