CERT^® Incident Note IN-2003-01

Malicious Code Propagation and Antivirus Software Updates

Recent reports to the CERT/CC have highlighted two chronic problems:

• The speed at which viruses are spreading is increasing. This echoes the trend toward faster propagation rates seen in the past few years in self-propagating malicious code (i.e., worms). Beginning with the Code Red worm (CA-2001-19, CA-2001-23) in 2001 up through the Slammer worm (CA-2003-04) earlier this year, we have seen worm propagation times drop from hours to minutes.

  A similar trend from weeks to hours has emerged in the virus (i.e., non-self-propagating malicious code) arena. The effectiveness of antivirus software suffers as a result. Several recent malicious code incidents involving variants of W32/BugBear and W32/Sobig have achieved widespread propagation at rates significantly faster than many previous viruses. This increased speed is, unfortunately, also faster than many antivirus signatures can be identified and updated, regardless of the update method (including automated signature updates). The CERT/CC has received reports of successful W32/Sobig.E compromises from users whose signatures were up to date for the prior versions of W32/Sobig.

  Signature-based antivirus software is not the only type of antivirus software at risk: antivirus software that uses heuristics to determine malicious behavior may be circumvented by malicious code that employ new techniques. They should not be unconditionally trusted either, as they may not always block malicious code from executing. Additionally, we are aware of instances where corrupted antivirus software updates have caused the software to be disabled without the user's knowledge.

• In a number of the reports, users who were compromised may have been under the incorrect impression that merely having antivirus software installed was enough to protect them from all malicious code attacks. This is simply a mistaken assumption, and users must always exercise caution when handling email attachments or other code or data from untrustworthy sources.

In general, it is important to remember that while antivirus software vendors continue to improve the speed and reliability of their signature update mechanisms, there will always be some window of time when a system does not contain signatures to detect a particular worm or virus. Several recent research papers that have placed estimates on the magnitude of "worst-case scenario" malicious code propagation rates also illustrate the risk to systems during the window of time before signatures are available.[1][2]

Solutions

Apply "defense in-depth"

As mentioned above, it is not sufficient to rely solely on antivirus software for complete protection. Therefore, we recommend users apply a strategy of "defense in-depth" (where several layers of security or access controls are used) when considering ways to protect their computers from attackers. Although it may not be practical for all users, another way of achieving defense in-depth is to use diverse software and operating systems when possible. Some additional ways of improving security beyond the use of antivirus software follow.

In addition to following the steps outlined in this section, the CERT/CC encourages home users to review the "Home Network Security" and "Home Computer Security" documents.

Run and maintain an antivirus product

While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first-line of defense against malicious code attacks.

Most antivirus software vendors release frequently updated information, tools, or virus databases to help detect and recover from malicious code, including W32/Bugbear.B and W32/Sobig.E. Therefore, it is important that users keep their antivirus software up to date. The CERT/CC maintains a partial list of antivirus vendors.

Many antivirus packages support automatic updates of virus definitions. The CERT/CC recommends using these automatic updates when available.

Do not run programs of unknown origin

Never download, install, or run a program unless you know it to be authored by a person or company that you trust. Email users should be wary of unexpected attachments, while users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly wary of following links or running software sent to them by other users, as these are commonly used methods among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.

Disable or secure file shares

Best practice dictates a policy of least privilege. For example, if a Windows computer is not intended to be a server (i.e., share files or printers with others), "File and Printer Sharing for Microsoft Networks" should be disabled.

For computers that export shares, ensure that user authentication is required and that each account has a well-chosen password. Furthermore, consider using a firewall to control which computer can access these shares.

By default, Windows NT, 2000, and XP create certain hidden and administrative shares. See the HOW TO: Create and Delete Hidden or Administrative Shares on Client Computers for further guidelines on managing these shares.

Deploy a firewall

The CERT/CC also recommends using a firewall product, such as a network appliance or a personal firewall software package. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.

Recovering from a system compromise

If you believe a system under your administrative control has been compromised, please follow the steps outlined in

Steps for Recovering from a UNIX or NT System Compromise

References

1. Paxson, V., Staniford, S., Weaver, N. "How to 0wn the Internet in Your Spare Time" http://www.icir.org/vern/papers/cdc-usenix-sec02/index.html
2. Moore, D., Paxson, V., Savage, S., Shannon, S., Staniford, S., Weaver, N. "The Spread of the Sapphire/Slammer Worm" http://www.cs.berkeley.edu/~nweaver/sapphire/

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright ©2003 Carnegie Mellon University.