The primary vulnerabilities for end-user workstations are worm, virus, and
Trojan horse attacks. A worm executes
arbitrary code and installs copies of itself in the infected computer’s memory,
which infects other hosts. A virus is malicious software that is attached to
another program to execute a particular unwanted function on a user's
workstation. A Trojan horse is different only in that the entire application
was written to look like something else, when in fact it is an attack tool.
Worms
The anatomy of a worm attack is as follows:
- The enabling vulnerability – A worm installs itself using an exploit vector
on a vulnerable system.
- Propagation mechanism – After gaining access to devices, a worm replicates
and selects new targets.
- Payload – Once the device is infected with a worm, the attacker has access
to the host – often as a privileged user. Attackers could use a local exploit
to escalate their privilege level to administrator.
Typically, worms are self-contained programs that attack a system and
try to exploit a specific vulnerability in the target. Upon successful
exploitation of the vulnerability, the worm copies its program from the
attacking host to the newly exploited system to begin the cycle again. A virus
normally requires a vector to carry the virus code from one system to another.
The vector can be a word-processing document, an e-mail message, or an
executable program. The key element that distinguishes a computer worm from a
computer virus is that human interaction is required to facilitate the spread
of a virus.
Worm attack mitigation requires
diligence on the part of system and network administration staff. Coordination
between system administration, network engineering, and security operations
personnel is critical in responding effectively to a worm incident. The
following are the recommended steps for worm attack mitigation:
- Containment
- Inoculation
- Quarantine
- Treatment
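The propagation step described earlier is also what defenders look for when deciding which hosts to contain first: an infected machine contacts many distinct peers on one service port within a short time. The following is an added example, not part of the original course text; the flow-record layout, thresholds, port, and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: (epoch_seconds, source_ip, dest_ip, dest_port).
# Addresses come from RFC 5737 documentation ranges; nothing here is real traffic.
SAMPLE_FLOWS = (
    # Worm-like host: 30 distinct peers on one port within 30 seconds
    [(1000 + i, "192.0.2.10", f"198.51.100.{i}", 445) for i in range(1, 31)]
    + [(1000, "192.0.2.20", "198.51.100.5", 443),
       (1004, "192.0.2.20", "198.51.100.6", 443),
       (1010, "192.0.2.20", "198.51.100.5", 445)]
    # Slow talker: 30 peers on one port, but spread over roughly five hours
    + [(1000 + 600 * i, "192.0.2.30", f"203.0.113.{i}", 445) for i in range(1, 31)]
)

def find_fanout_hosts(flows, window=60, min_peers=20):
    """Return {(src, port): peak distinct destinations in any `window` seconds}
    for sources that reach at least `min_peers` distinct peers on one port."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        by_key[(src, port)].append((ts, dst))

    suspects = {}
    for key, events in by_key.items():
        events.sort()
        counts = defaultdict(int)  # dst -> occurrences inside the current window
        start = 0
        peak = 0
        for ts, dst in events:
            counts[dst] += 1
            # Drop events that fell out of the sliding window.
            while events[start][0] < ts - window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= min_peers:
            suspects[key] = peak
    return suspects

def containment_list(flows, **kw):
    """Sorted source addresses that should be isolated first."""
    return sorted({src for src, _port in find_fanout_hosts(flows, **kw)})

if __name__ == "__main__":
    for (src, port), peak in find_fanout_hosts(SAMPLE_FLOWS).items():
        print(f"{src} reached {peak} distinct hosts on port {port} within 60s")
```

The sliding window matters: the slow talker reaches just as many peers as the worm-like host overall, but never more than one per minute, so it is not flagged at the default settings.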
Viruses and Trojan Horses
Viruses are malicious software that is attached to another program to execute a particular unwanted function
on a user’s workstation. An example of a virus is a program that is attached to
command.com (the primary interpreter for Windows systems) that deletes certain
files and infects any other versions of command.com that it can find.
A Trojan horse is different only in that the entire application was written to
look like something else, when in fact it is an attack tool. An example of a
Trojan horse is a software application that runs a simple game on the user’s
workstation. While the user is occupied with the game, the Trojan horse mails a
copy of itself to every user in the user’s address book. The other users
receive the game and then play it, thus spreading the Trojan horse.
These kinds of applications can be contained through the effective use of antivirus
software at the user level and potentially at the network level. Antivirus
software can detect most viruses and many Trojan horse applications and prevent
them from spreading in the network. Keeping up-to-date with the latest
developments in these sorts of attacks can also lead to a more effective
posture against these attacks. As new virus or Trojan applications are
released, enterprises need to keep up-to-date with the latest antivirus
software and application versions.
Complete the quiz questions in Figure for additional study.