Cyber Vermin

• 06/14/2000

Like plenty of highly publicized viruses in the past, ILOVEYOU spread faster, at first, than IT professionals could handle. It hit overnight on a Wednesday, infecting hoards of unknowing Windows users by Thursday morning. It took almost a day before any commercial virus definition system could be configured to detect it. By Friday, it had replicated tens of millions of copies of itself all over the world, running ahead of most of our efforts to stop it.

What a mess it left in its wake! Unlike its relatively benign predecessors, ILOVEYOU traversed users' mapped drive directory trees -- both local and network -- trashing millions of picture, sound, and JavaScript files, before anybody knew what hit them. Hundreds of publishing companies lost libraries of graphics files. Thousands of Web masters lost countless man-years of development work. By any standard, ILOVEYOU was a disaster.

How could this have been prevented? I wish I could offer an easy set of rules we could follow to inoculate our networks against such infections, but I'm afraid all I've got are three uncomfortable facts we should all remember.

First, virus outbreaks usually precede the corresponding updates to commercial virus detection packages. Everything moves at near light speed over the Internet these days, and by the time the folks at Symantec and McAfee have even heard of a new virus, it has probably infected thousands of systems worldwide. Given the subsequent hours it takes for you to apply vendor updates and clean your machines, there's simply no way you can count on using any virus detection product to prevent virus outbreaks 100 percent of the time.

Second, viruses are easy to write. ILOVEYOU, for example, was delivered in clear text source form. Almost anybody could read and, with just a little know-how, modify it slightly and retransmit it as a new virus. As of this writing, several copycat versions of ILOVEYOU were making the rounds. Consequently, you can expect copycat virus infections to race around the world, and into your company's network, with increasing frequency.

Finally, viruses spread more easily every day. Each new programming facility added to a popular computing platform, such as Windows NT, offers a fresh way to infect it with viruses. And, despite our best training efforts, users seem to be more willing than ever to double-click strange icons without thinking. Want to wreak havoc worldwide? First, pick your most comfortable development medium -- from Visual Basic, to Office document macros, to Windows Scripting Host. Next, name it "You're a winner," attach it to an e-mail message, and send it to a publicly known distribution list. Congratulations, you're a cyber terrorist.

So, what can we do? Start by making some hard choices. Maybe block all executable e-mail attachments from outside your company, no matter how much people squawk about it. Maybe you need to lock down NT desktops, deterring or preventing them from running any "unsafe" programs at all. At a minimum, check the ACLs on your file server directories to contain the damage an infected user can cause to other users' files. And, every IT organization needs to sharpen its procedures for responding to a new virus infection.

No doubt, I'll get lots of e-mail about all sorts of products you can buy to defend your network from viruses. Bring them on, and maybe I'll list them for you in a future column. But, remember, there's no such thing as a "lights out" network security product. Whatever you buy to help with the task, you'll still need to take an active role in managing your network's virus defenses. And that job starts right now. --Al Cini is a senior consultant with Computer Methods Corp. (Marlton, N.J.) specializing in systems and network integration. Contact him at al.cini@computermethods.com.