Fighting Malicious Mobile Code in a Windows Environment
by Roger A. Grimes, 08/28/2001
My boss has a saying, "Why would anyone continue to do the same thing over and over and expect different results?" Yet most of the PC world continues to use antivirus scanners and end-user education as their primary means to protect against malicious mobile code (viruses, worms, trojans, etc.). These methods don't work. They have never worked in the past and they will not work in the future. The International Computer Security Association Labs reported the following findings in their industry-respected Computer Virus Prevalence Survey 2000:
The average surveyed business experienced 160 malicious code encounters per 1,000 machines per year.
More than half the businesses surveyed experienced a virus disaster.
Median downtime from a malicious code incident was 21 hours.
More than 88 percent of surveyed respondents said they had all the PCs protected with antivirus software.
When you read statistics like that you quickly realize that the status quo isn't good enough. Don't get me wrong, antivirus scanners are great tools. They're just not the complete solution. Scanners by their very nature are not great at recognizing new malicious code threats. Even with automated signature updates and with detection-response times under a few hours, antivirus vendors are hard put to stop the latest email worm from spreading around the world. And if you have a network of any size, you already know how hard it is to keep all the scanning clients up to date.
End-user education doesn't work either. No matter how many times you inform users about all the latest antivirus recommendations, there will always be a certain percentage of users who will forget your advice. They throw caution to the wind and open every email, click on every attachment, and download dubious programs. And it only takes one infected machine to expose the entire network.
Preventing Malicious Mobile Code
So, how do you prevent malicious mobile code? Follow these five principles:
Assume that antivirus scanners won't work all the time and that end users will ignore everything you say.
Focus on how malicious mobile code spreads, the mechanisms it uses to do its dirty work, and prevent it from infecting a PC and spreading.
When you put in a defense, assume that it will sometimes fail, and put at least one safety checkpoint in place.
Make sure every PC under your control has been modified appropriately, and take extra care to modify new PCs.
Create and test a rapid response plan for malicious code emergencies that get by in spite of your defense efforts. Infections will happen, so be prepared to wipe them out quickly.
The rest of this article will focus on the modifications that should be made to every Windows PC to prevent malicious code from infecting and spreading.
Note: None of these recommended changes should be made without thoroughly testing in your environment.
Ten Steps to Protect Against Malicious Mobile Code
Install an antivirus scanner. Although an antivirus scanner is not a complete solution, it is a pretty good defense tool. Used appropriately (installed on the company's email servers as well as on end-user desktops, so that a worm has to get past two independent scans), it is a significant step in preventing malicious mobile code.
Disable booting from drive A:. Go into your BIOS setup and disable booting from Drive A:. This will prevent pure boot sector viruses from taking control of your PC.
Install the latest software versions and patches. Every new version of software fixes old security holes and provides new protection mechanisms. Get on mailing lists and newsgroups to make sure you get notified of security patches. These days worms automate attacks against freshly announced security holes (e.g., the Code Red worm), so wait only a few days before applying a new security patch, just long enough to make sure the vendor didn't release a buggy one. Also, use the vendor's default security settings, or higher.
Rename or delete dangerous executables. Rename (preferred) or delete rarely used executables that malicious mobile code can use to do harm. These include: FORMAT.COM, SYS.COM, DEBUG.EXE, REGEDIT.EXE, REGEDT32.EXE, WSCRIPT.EXE, and CSCRIPT.EXE. I prefer renaming to deleting because a renamed file can still be run by an administrator who knows the new name, while a deleted one has to be reinstalled.
Note:
Installing new software, upgrades, and patches can reinstall now missing executables.
Computer utilities like Norton Disk Doctor will often reassociate renamed files when they are called upon.
The newer versions of Windows will often restore protected system files, although there are ways to defeat this behavior depending on the version of Windows you use.
Remove Windows Scripting Host (WSH) file associations. WSH is a Microsoft program used by many types of malicious mobile code. Files ending in .js, .jse, .vbs, .vbe, .wsh, .wsc, and .wsf should have their opening action reassociated with some harmless program, like Notepad. The same goes for .hta files, which are run by the HTML Application host (MSHTA.EXE) rather than by WSH but are just as dangerous.
Note: In Windows 98, open Windows Explorer, choose Tools -> Folder Options -> File Types, choose the appropriate file extension type, choose Open under Actions -> Edit, and change WSCRIPT.EXE to NOTEPAD.EXE. What the dialog actually edits is the default value of HKEY_CLASSES_ROOT\<ProgID>\Shell\Open\Command (for .vbs the ProgID is VBSFile), so the change can also be scripted or pushed out as a .reg file. Don't forget the Open2 ("Open with Command Prompt") action, which calls CSCRIPT.EXE.
Make file extensions visible. It is safe to open nonexecutable file content, such as JPGs, MPGs, GIFs, WAVs, etc. You just need to make sure they aren't executables in disguise. Most Windows versions hide known file extensions by default. Thus, a seemingly innocuous file named PICTURE.JPG may really be PICTURE.JPG.EXE. In Windows Explorer, look for the "Hide file extensions for known file types" option under Folder Options and turn it off.
Note: Some file extensions, like .shs (scrap object file), stay hidden even with that option turned off, because their file type carries a NeverShowExt value in the registry (for .shs it is under HKEY_CLASSES_ROOT\ShellScrap). Delete that value to make the extension display.
Remove unnecessary programs and services. Most PCs have at least a handful of programs and services running that the user doesn't know about, and in many cases, doesn't need. Explore the obvious start-up areas (CONFIG.SYS, AUTOEXEC.BAT, CONFIG.NT, AUTOEXEC.NT, WIN.INI, SYSTEM.INI, Start-up folders and groups, and the start-up areas in your registry), looking for programs that should not be there. I use MSCONFIG.EXE in the latest versions of Windows and SYSEDIT in older versions for quick looks. In your registry, look under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and the neighboring RunServices key. Delete program entries you are sure you don't need, and record what you removed so it can be put back if something breaks.
Note: There are several other areas where autostarting programs can hide in the registry, but the above registry key is the most popular.
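The three registry-side checks above (script-host associations, NeverShowExt file types, and the Run/RunServices autostart keys) can be audited without touching a live machine by working from a REGEDIT export. The script below is an added example, not the article's own code or a Microsoft tool. It parses the text that REGEDIT and `reg export` write, reports what still needs fixing, and emits a .reg file that points each offending file type's Open action at Notepad. It assumes the standard HKEY_CLASSES_ROOT layout (extension key -> ProgID -> Shell\Open\Command); SAMPLE_EXPORT is a constructed, abbreviated export, not a real hive, and the "suspicious autostart" rule is a triage heuristic of my own, not a signature.

```python
"""Offline audit of a Windows registry export for the WSH-association, hidden-
extension and autostart checks (added example, not the article's code). Parses
the text REGEDIT / `reg export` writes; SAMPLE_EXPORT is constructed, not real."""
from typing import Dict, List, Tuple

SCRIPT_EXTENSIONS = (".hta", ".js", ".jse", ".vbs", ".vbe", ".wsh", ".wsc", ".wsf")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat", ".pif", ".scr", ".shs", ".lnk") + SCRIPT_EXTENSIONS
AUTOSTART_KEYS = (  # the two keys the article names; add RunOnce / HKCU Run as needed
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.vbs]
@="VBSFile"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"

[HKEY_CLASSES_ROOT\ShellScrap]
"NeverShowExt"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="wscript.exe C:\\WINDOWS\\TEMP\\update.vbs"
'''
RegKeys = Dict[str, Dict[str, str]]  # lower-cased key path -> {value name: data}

def parse_reg_export(text: str) -> RegKeys:
    """Key paths are lower-cased (the registry is case-insensitive); REG_SZ is unescaped, other types kept raw."""
    keys: RegKeys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def script_associations(keys: RegKeys) -> Dict[str, Tuple[str, str]]:
    """Map each WSH extension to (ProgID, command run when it is double-clicked)."""
    out = {}
    for ext in SCRIPT_EXTENSIONS:
        progid = keys.get(f"hkey_classes_root\\{ext}", {}).get("(Default)", "")
        if progid:  # an unregistered extension cannot be launched by association
            cmd = keys.get(f"hkey_classes_root\\{progid.lower()}\\shell\\open\\command", {})
            out[ext] = (progid, cmd.get("(Default)", ""))
    return out

def still_executes_scripts(keys: RegKeys) -> List[str]:
    """Extensions whose Open action still hands the file to a script host."""
    return sorted(ext for ext, (_, cmd) in script_associations(keys).items()
                  if any(host in cmd.lower() for host in SCRIPT_HOSTS))

def notepad_fix_reg(keys: RegKeys) -> str:
    """A .reg file (import with REGEDIT /S) pointing each offending ProgID's Open verb at Notepad."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    assoc = script_associations(keys)
    for ext in still_executes_scripts(keys):
        lines += [f"[HKEY_CLASSES_ROOT\\{assoc[ext][0]}\\Shell\\Open\\Command]",
                  '@="notepad.exe \\"%1\\""', ""]
    return "\n".join(lines)

def hidden_extension_progids(keys: RegKeys) -> List[str]:
    """ProgIDs carrying NeverShowExt (ShellScrap for .shs): Explorer hides their extension even when hiding is off."""
    return sorted(p.split("\\", 1)[1] for p, v in keys.items()
                  if p.startswith("hkey_classes_root\\") and p.count("\\") == 1
                  and any(n.lower() == "nevershowext" for n in v))

def autostart_entries(keys: RegKeys) -> List[Tuple[str, str, str]]:
    """Every (key, value name, command line) under the autostart keys."""
    return [(k, n, c) for k in AUTOSTART_KEYS for n, c in sorted(keys.get(k, {}).items())]

def suspicious_autostarts(keys: RegKeys) -> List[Tuple[str, str, str]]:
    """Heuristic triage: commands that call a script host, run a script file or launch from TEMP go first."""
    def odd(cmd: str) -> bool:
        c = cmd.lower().rstrip('"')
        return (any(h in c for h in SCRIPT_HOSTS) or c.endswith(SCRIPT_EXTENSIONS)
                or "\\temp\\" in c)
    return [e for e in autostart_entries(keys) if odd(e[2])]

def disguised_executables(names: List[str]) -> List[str]:
    """Names with a second, executable extension that Explorer may hide (PICTURE.JPG.EXE shown as PICTURE.JPG)."""
    return [n for n in names if n.count(".") >= 2 and n.lower().endswith(EXECUTABLE_EXTENSIONS)]

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_EXPORT)
    print(still_executes_scripts(keys), hidden_extension_progids(keys), suspicious_autostarts(keys))
    print(notepad_fix_reg(keys))
```

Run it against `reg export HKCR hkcr.reg` (or a REGEDIT export of the Run keys) from the machine being hardened; the generated .reg only rewrites the Open verb, so if a ProgID has a different default action, or an Open2 verb bound to CSCRIPT.EXE, inspect those keys by hand as well.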
Use a firewall. Install and learn how to use a firewall. Nothing is more inviting to malicious hackers than a PC with all its TCP/IP ports open to the Internet.
Install Outlook Security Patch. If you run Outlook 98 or 2000, installing Microsoft's Outlook Security Patch can automatically prevent many types of popular malicious mobile code from attacking your PC. Although I highly recommend applying this patch, it does have its negatives. Be sure to read O'Reilly author Tom Syroid's four-part article, Beware the Briar Patch: Outlook's Latest Security Update, first.
Note: There are several ways to access restricted files once the patch is applied, although none are elegant.
Nothing beats a good backup. Make sure important data and programs exist in two places simultaneously. Often by the time you notice malicious mobile code, the damage is done. A good, tested backup takes away a lot of stress.
Following these guidelines will take you a long way toward protecting your system from malicious mobile code. Some readers might question the many steps and hours required to protect each PC, but imagine the repeated lost productivity spent fighting multiple malicious code outbreaks. Most companies I visit have had one malicious code disaster after another. If they are lucky, they are only down one or two days after each attack. Every client that has followed my advice has reported significantly fewer malicious code outbreaks. The vast majority of them have had no incidents since my visit. One of my biggest success stories called me up a few months later to take me out to an appreciation lunch. So, now I've got a saying of my own, "Get taken to lunch instead of being out to lunch."
Roger A. Grimes is the principal of a firm specializing in client/server networking technologies. He has been providing professional antivirus consulting services for nine years. His clients have included some of the nation's largest banks, universities, and the U.S. Navy. He has also written dozens of magazine and newspaper articles on technical subjects.

