
As a user, you can prepare for a virus infection by creating backups of the legitimate original software and data files on a regular basis. These backups will help to restore your system should it ever be necessary. Activating the write-protection notch on a floppy disk (after you have backed up the software and files) will help to protect against a virus on your backup copy.

You can also help to prevent a virus infection by using only software received from legitimate, secure sources. Always test software on a “test” machine before installing it on any other machine, to help ensure that it is virus free.
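The backup advice above is only useful if you can later tell whether the backup copy is still the legitimate original. The following added example (not code from the original text) records a SHA-256 manifest of a backup tree when it is made and verifies the tree against that manifest later, reporting files that were modified, dropped in, or lost. The helper names, the constructed sample files and the tampering steps in `demo_backup_check` are all assumptions made for this illustration; in practice the manifest would be kept with the backup on write-protected media.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Helper names (sha256_file, build_manifest, verify_manifest, demo_backup_check) are
# chosen for this example; they are not tools or procedures from the original text.


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file below root (relative, forward-slash path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the files now below root with a manifest recorded when the backup was made.

    'modified' is what a file infector leaves behind, 'unexpected' catches anything
    dropped next to the backup, and 'missing' means the copy may not be complete
    enough to restore from.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo_backup_check() -> Dict[str, List[str]]:
    """Constructed walk-through: record a manifest, tamper with the copy, re-verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "bin").mkdir(parents=True)
        (backup / "data").mkdir()
        # Constructed stand-ins for an original program image and a data file.
        (backup / "bin" / "app.exe").write_bytes(b"MZ\x90\x00constructed program image")
        (backup / "data" / "ledger.csv").write_text("2001-09-18,invoice,42.00\n")

        # The manifest lives outside the backup tree (on write-protected media in practice).
        manifest_path = Path(tmp) / "backup.manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

        # Simulate what a tampered backup looks like: the executable has been appended
        # to, a new file has appeared, and a data file is gone.
        with (backup / "bin" / "app.exe").open("ab") as fh:
            fh.write(b"appended code")
        (backup / "bin" / "extra.dll").write_bytes(b"constructed extra file")
        (backup / "data" / "ledger.csv").unlink()

        recorded = json.loads(manifest_path.read_text())
        return verify_manifest(backup, recorded)


if __name__ == "__main__":
    print(json.dumps(demo_backup_check(), indent=2))
```

Running the module prints the three lists for the constructed scenario; on a real backup you would call `build_manifest` once at backup time and `verify_manifest` before trusting the copy for a restore.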

remote server can now connect to your computer. Hackers have advanced tools to determine what systems are running remote control Trojans. After this specially designed port scanner finds your system, all of your files are open for that hacker. Two common Trojan horse remote control programs are Back Orifice and NetBus.

Back Orifice consists of two key pieces: a client application and a server application. The client application runs on one machine and the server application runs on a different machine; the client connects to the other machine through the server application. However, the server application of Back Orifice only ends up on a machine if it is deliberately installed. This means the hacker either has to install the server application on the target machine or trick the user of the target machine into doing so, which is why the server application is commonly disguised as a Trojan horse. After the server application has been installed, the client machine can transfer files to and from the target machine, execute an application on the target machine, restart or lock up the target machine, and log keystrokes from the target machine. All of these operations are of value to a hacker.

The server application is a single executable file, just over 122 kilobytes in size. The application creates a copy of itself in the Windows system directory and adds a value containing its filename to the Windows Registry under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The specific Registry value that points to the server application is configurable. Because of this Registry entry, the server application starts whenever Windows starts, and therefore is always running. A further benefit of Back Orifice to the attacker is that the application does not appear in the Windows task list, rendering it invisible to the naked eye.
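Because the server hides from the task list but still needs the autorun entry described above, the Registry is where a defender can look for it. The following added example (not code from the original text) parses a `.reg` file produced by regedit's Export command, offline and on any platform, collects the string values under the autorun keys, and flags entries whose program is not on a baseline allowlist or whose value name or filename is padded with whitespace. The `RunServices` key is the one the text names; treating `Run` and `RunOnce` as sibling keys to audit, the allowlist contents, the sample export and the `svchelper.exe` name in it are all assumptions constructed for this illustration, not the real Back Orifice value or filename.

```python
import re
from typing import Dict, List

# Autorun keys to audit. RunServices is the one the text names; Run and RunOnce are its
# sibling autorun keys, added here as an assumption about what a baseline should cover.
AUTORUN_KEY_SUFFIXES = (
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES",
)

# Constructed allowlist: the startup executables you have baselined on the audited host.
EXPECTED_AUTORUN_EXES = {"mstask.exe", "scanregw.exe", "systray.exe"}

# Constructed regedit export. The RunServices entry with the blank value name and the
# space-prefixed filename in the system directory is a made-up stand-in for an
# unexpected autorun entry, not the real Back Orifice value or filename.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
" "="C:\\WINDOWS\\SYSTEM\\ svchelper.exe"
'''

# "Name"="data" or @="data" (default value); hex:/dword: data is skipped later.
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Path of the program inside a command line, tolerating spaces in the filename.
_EXE_IN_COMMAND = re.compile(r'^"?(.*?\.(?:exe|com|bat|pif|scr|vbs))"?(?:\s|$)', re.IGNORECASE)


def _unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: string data}} (REG_SZ only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line) if current is not None else None
        if not m:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def executable_of(command: str) -> str:
    """Return the file name (without directory) of the program a command line starts."""
    m = _EXE_IN_COMMAND.match(command)
    if m:
        path = m.group(1)
    else:
        tokens = command.split()
        path = tokens[0] if tokens else command
    return path.rsplit("\\", 1)[-1]


def audit_autoruns(keys: Dict[str, Dict[str, str]], expected: set) -> List[Dict[str, object]]:
    """Flag autorun values whose program is not baselined or whose naming looks evasive."""
    findings: List[Dict[str, object]] = []
    for key, values in keys.items():
        if not key.upper().endswith(AUTORUN_KEY_SUFFIXES):
            continue
        for name, command in values.items():
            exe = executable_of(command)
            reasons = []
            if exe.strip().lower() not in expected:
                reasons.append("executable not on allowlist")
            if name.strip() == "" or name != name.strip():
                reasons.append("blank or whitespace-padded value name")
            if exe != exe.strip():
                reasons.append("whitespace-padded filename")
            if reasons:
                findings.append({"key": key, "name": name, "command": command,
                                 "executable": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_autoruns(parse_reg_export(REG_EXPORT), EXPECTED_AUTORUN_EXES):
        print(finding)
```

The allowlist is deliberately a set of file names rather than full paths, because a value that merely names `mstask.exe` and one that names the full path both start the same program; what matters for the audit is whether the program itself is one you expect at startup.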

Worms

What is a worm? A worm is a self-replicating program that does not alter files but resides in active memory and duplicates itself by means of computer networks. Worms use facilities of an operating system that are meant to be automatic and invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, which then slows or halts other tasks. Some worms in existence not only are self-replicating, but also contain a malicious payload. Worms can be transmitted in one of two ways, either by e-mail or through an Internet chat room. Recent high-profile worms in 2001 have included the SirCam and Nimda variants, which used the infected client’s address book to send a random file from the user’s hard drive to everyone in the address list. The success of these worms, as well as other attacks such as Code Red, has led Internet consulting firms such as Gartner to recommend “…that enterprises ... immediately investigate alternatives to IIS, including moving Web applications to ... iPlanet and Apache…” (www.gartner.com/DisplayDocument?id=340962).

These worms are an evolution of the “I Love You” bug that infected servers in May 2000. The “I Love You” bug was first detected in Europe and then in the United States. The initial analysis of the bug quickly determined that it was Visual Basic code that arrived as an e-mail attachment named Love-Letter-For-You.txt.vbs. When a user clicked on the attachment, the virus used Microsoft Outlook to send itself to everyone in the user’s address book. The virus then contacted one of four Web pages in the Philippines. From the contacted Web page, a Trojan horse, win-bugsfix.exe, was then downloaded, which collected usernames and passwords stored on the user’s system. It then sent all of the usernames and passwords to an e-mail address.

As discussed earlier in the virus section of this chapter, developers can’t really do anything to protect against a worm attack, nor can they write tighter code to prevent a worm attack on their own machines or those of the end users. The most successful way to prevent a worm attack is awareness and knowledge. As a user, do not open e-mails from unknown sources and do not download attachments from sources that are not trusted. The prevention of worms is truly in the end users’ hands. Network administrators should be ready to educate their users on the best ways to ensure that a worm does not self-replicate through the entire network.
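User education is the text's main control, but a network administrator can also keep attachments like Love-Letter-For-You.txt.vbs from reaching the inbox in the first place. The following added example (not code from the original text) shows the screening logic a mail gateway would apply: it flags attachments whose final extension is executable or a script, and separately flags the double-extension trick in which a harmless-looking extension such as `.txt` sits in front of the real one, stripping whitespace so padding between the two does not evade the check. The `.vbs` extension and the attachment name come from the text; the rest of the extension sets, the helper names and the sample messages are assumptions constructed for this illustration and should be aligned with your own mail policy.

```python
from typing import Dict, List

# Extensions Windows executes or runs as script when double-clicked. The text names
# only .vbs; the rest of this set is an assumption to align with your own mail policy.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                         "js", "jse", "wsf", "wsh", "hta", "lnk"}
# Harmless-looking extensions used as the decoy half of a double extension (assumption).
DECOY_EXTENSIONS = {"txt", "doc", "xls", "jpg", "jpeg", "gif", "pdf", "htm", "html"}


def assess_attachment(filename: str) -> Dict[str, object]:
    """Return whether one attachment name should be quarantined and why."""
    # Strip each segment so "report.txt      .vbs" is judged like "report.txt.vbs".
    parts = [p.strip().lower() for p in filename.split(".")]
    reasons: List[str] = []
    if len(parts) >= 2:
        ext = parts[-1]
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable or script extension .{ext}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"decoy extension .{parts[-2]} in front of .{ext}")
    return {"filename": filename, "quarantine": bool(reasons), "reasons": reasons}


def screen_message(message: Dict[str, object]) -> Dict[str, object]:
    """Hold a message for review if any of its attachments is flagged."""
    verdicts = [assess_attachment(name) for name in message.get("attachments", [])]
    flagged = [v for v in verdicts if v["quarantine"]]
    return {"subject": message["subject"], "hold": bool(flagged), "flagged": flagged}


# Constructed sample messages; the first reuses the attachment name quoted in the text.
SAMPLE_MESSAGES = [
    {"subject": "ILOVEYOU", "attachments": ["Love-Letter-For-You.txt.vbs"]},
    {"subject": "Q3 figures", "attachments": ["quarterly-report.xls", "chart.gif"]},
    {"subject": "patch", "attachments": ["setup.exe"]},
    {"subject": "notes", "attachments": ["meeting notes.txt"]},
]


def screen_all(messages: List[Dict[str, object]] = SAMPLE_MESSAGES) -> List[Dict[str, object]]:
    """Screen a batch of messages; returns one verdict per message, in order."""
    return [screen_message(m) for m in messages]


if __name__ == "__main__":
    for verdict in screen_all():
        state = "HOLD" if verdict["hold"] else "pass"
        print(f"{state:4} {verdict['subject']}: {[v['reasons'] for v in verdict['flagged']]}")
```

Note that the check is on the attachment name only; a gateway would pair it with content-type inspection, since a renamed script is still a script once the user saves and opens it.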