Virus and Malware Prevention Is an Ongoing Battle

Governments must stay vigilant with IT security as viruses constantly change.

by Hilton Collins / November 11, 2009

You don't have to look hard to find examples of public and private organizations that have been hacked by viruses and harmful worms - a quick Internet search will turn up plenty.

The Charlotte Observer in North Carolina reported on Sept. 25, 2009, that 236,000 records at the University of North Carolina at Chapel Hill were compromised by virus activity. The data was from the Carolina Mammography Registry and was being used for a university research project. The intrusion was detected in July, but may have occurred in 2007 and gone undetected for years.

SC Magazine reported in a May 29, 2009, blog post that the personal information of customers at, a provider of mobile equipment batteries, had been exposed and possibly used in identity crimes after a hacker infiltrated a company server. The breach occurred in February and was discovered in March after a customer reported suspicious activity on a credit card account.

The UK's Daily Mail newspaper reported on Sept. 22 the Clampi virus, a strain of malicious programming that infects computers when a user visits a site containing the code. The virus waits until the user visits a financial site, such as a bank or credit card company, and then captures login and password information. The article claimed that Clampi is spreading quickly across the United States and Britain.

Holes in Armor

These organizations had anti-virus software in place, as most places do, but that wasn't enough. And an August report from Virus Bulletin, a publication informing readers about computer viruses and prevention, offered minimal comfort.

The report revealed that 12 of 35 vendor-submitted anti-virus programs failed to secure a Windows environment in a test run during a recent company review. The 12 products included offerings from big names like PC Tools, CA and Symantec.

While 12 out of 35 is much better than 35 out of 35, there's still room for improvement. Is just installing an anti-virus program on your system enough?

"That's the safety belt. Putting on a safety belt doesn't stop accidents. So if you think of it in that regard - that's the absolute bare minimum," said Jeff Moss, also known as the Dark Tangent, the founder of the Black Hat and DEFCON computer hacker conferences. He was sworn into the Obama administration's Homeland Security Advisory Council in 2009 and consults federal officials on security measures.

IT security professionals usually have to play catch-up with their adversaries.

"That's just the nature of the beast," Moss said. "It's always easier to attack than defend. It's always easier to destroy than to build. And the nature of our infrastructure is so complicated that it's easier to point out one fatal flaw here or there than it is to rebuild the whole system."

Many anti-virus programs come equipped with an assortment of detection and elimination measures. For example, one scans for known virus or malware signatures in a system. But strains of malicious code come so quickly that the programs can't identify every bad thing that's out there with a signature approach.

"If it's not obsolete already, it will be in the very near future because we see 60,000 new entries [malware signatures] a week. So that is basically a battle we are going to lose in the end," said Righard Zwienenberg, president of the Anti-Malware Testing Standards Organization and an employee of Norman, a Norwegian company that produces malware prevention tools.

"This is a problem for the whole industry, so a new approach has to be found," he said.

Attacks aren't only becoming more dynamic and numerous, they're also increasingly targeted, which means that a target may be hit by something no one's seen before, called a zero-day attack. Cyber-criminals can keep developing attack software designed to bypass traditional security programs.

"They just buy the 10 most popular anti-virus things, test against them, and then they can tweak their virus to not be detected by anything. Then they go and launch it," Moss said.

But this doesn't mean all hope is lost. It just means that security professionals should ensure that their anti-virus programs use other approaches, and that no anti-virus program works in a vacuum. Of course, even if a program doesn't catch everything, it will likely catch many things, which is better than nothing.

"People have said that anti-virus has been dead for five, six years - that it can't keep up. But there's nothing better to replace it," Moss said.

Weaving a Tight Web

Many infiltrations happen after computer users visit compromised Web sites.

"The big problem when it comes to servers is that the bad guys have found ways to generically try to exploit poor coding in Web site development, and there is a real need for some scrutiny of the Web site code," said Roel Schouwenberg, a senior anti-virus researcher with Kaspersky Lab.

When programmers write Web site code, they might focus more on performance than on integrity - writing code that just does what it's supposed to do and not code that's also hard to crack.

Schouwenberg believes government officials should seek consultants to help scrutinize the code if they can't accomplish this in-house.

"Frankly, I'm a little bit surprised to see so many .gov domains still getting compromised," he said.

One related problem is that there isn't a really big market out there for securing Web sites this way because people are so focused on securing the computers that visit them.

"It's not like you can buy a Web site or server checker that will check everything for you, so maybe there's some development of that we will see pretty soon," he said.

Security and Integrity

When it comes to endpoint security, professionals still rely on standard procedures. The Center for Strategic and International Studies (CSIS), a Washington, D.C.-based nonprofit think tank that researches global government and social issues, published a report, Twenty Important Controls for Effective Cyber Defense and FISMA [Federal Information Security Management Act] Compliance, in August 2009 to advise people how to keep data under lock and key.

Critical Control No. 12 suggests automating anti-malware updates because "relying on policy and user action to keep anti-malware tools up-to-date has been widely discredited, as many users have not proven able to keep such tools up-to-date consistently." And daily monitoring of workstations for anti-malware installation also is recommended to ensure that these tools and their requisite automated updates are everywhere they need to be.

And then there are the Web applications themselves, which can be threats-in-disguise to unsuspecting users. That nifty program or document you downloaded with Adobe Flash or Reader? It might be infected with a virus or worm you won't know about until it's too late. But don't blame its creators - someone else came along and stashed some bad code in it.

"With an application-aware firewall, you can create a policy catching that," Moss said.

This echoes Critical Control No. 7 of the CSIS report, which recommends installation of various tools, including Web application security scanning tools, source code testing tools and Web application firewalls to safeguard against compromised applications.

But the SANS Institute, a source for information security training and information, has recommended additional protocols like the "least privilege" security model to mitigate the threat of unknown viruses that other techniques might miss.

"The concept is you give an application the least amount of privileges necessary to do whatever it needs to do. No more," Moss said. "If you install all of your software as an administrator, but then use all of your software as a user and something bad happens, under the user privileges, the outbreak is more contained and you can't do as many things as you could have done had you been running as an administrator."

Moss, Zwienenberg and Schouwenberg all said that implementing a white list - a list of applications, users, e-mail senders and operations that are allowed to interact with or operate within a network - can help tighten security. Conversely, a black list - a list of the same sorts of operations and applications that are denied functionality on or access to a system - can also help.
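The following is an added illustration, not code from the article or from any of the vendors quoted in it: a white list (default deny, keyed on binary hash and user) and a black list (default allow, keyed on known-bad hashes) evaluated against the same execution requests. The "binaries" are constructed byte strings, and the hashes and user names are made up for the example; the point it shows is that a tweaked variant nobody has a signature for yet passes the black list but is still contained by the white list.

```python
"""Added example: white list versus black list for application execution."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class ExecutionRequest:
    path: str      # constructed path, for logging only
    sha256: str    # hash of the binary being launched
    user: str      # account requesting execution


@dataclass(frozen=True)
class WhiteListPolicy:
    """Default deny: only explicitly approved binaries, run by approved users."""
    approved_hashes: frozenset
    approved_users: frozenset

    def decide(self, req: ExecutionRequest) -> tuple:
        if req.user not in self.approved_users:
            return ("deny", "user not on white list")
        if req.sha256 not in self.approved_hashes:
            return ("deny", "binary not on white list")
        return ("allow", "approved binary and user")


@dataclass(frozen=True)
class BlackListPolicy:
    """Default allow: anything without a known-bad signature runs."""
    known_bad_hashes: frozenset

    def decide(self, req: ExecutionRequest) -> tuple:
        if req.sha256 in self.known_bad_hashes:
            return ("deny", "matches known malware signature")
        return ("allow", "no signature match")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables (not real samples).
APPROVED_APP = b"approved-office-suite-build-42"
KNOWN_MALWARE = b"sample-with-a-published-signature"
NEVER_SEEN = b"freshly-tweaked-variant"   # the zero-day case from the article

WHITE = WhiteListPolicy(frozenset({sha256_of(APPROVED_APP)}), frozenset({"alice"}))
BLACK = BlackListPolicy(frozenset({sha256_of(KNOWN_MALWARE)}))


def compare(data: bytes, user: str = "alice") -> dict:
    """Return each policy's verdict for launching `data` as `user`."""
    req = ExecutionRequest("C:\\Temp\\app.exe", sha256_of(data), user)
    return {"white_list": WHITE.decide(req)[0], "black_list": BLACK.decide(req)[0]}
```

Running `compare(NEVER_SEEN)` gives `{"white_list": "deny", "black_list": "allow"}`, which is the gap the article's sources describe when attackers tune a sample against the popular scanners before launching it.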

Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.