CTIMES
Security on the edge
 

Author: F. Matthew Young III | Thursday, 13 April 2006


Late in 2004, viruses took a turn for the worse, intensifying interest in network and host security. The Scob Trojan (aka Download.ject) and the various Sasser (Figure 1) worm variants are more sophisticated than previous viruses, and Scob's payload is especially dangerous.


Figure 1: Sasser worm infection

Outbreaks of the Scob Trojan (Figure 2) have serious implications for both businesses and individuals. Scob is a keystroke logger: it records whatever the user types into his or her computer and sends it over the Internet to a hacker. Information such as an online banking login, user name and password, PIN (Personal Identification Number), even a network login name and password, is no longer secure and confidential.


Figure 2: The Scob Trojan locates the System folder and copies itself to that location.

Such keystroke loggers have disturbing implications for businesses. When banking data gets compromised and customers lose money through these malicious attacks, who bears the liability? If the infected PC or laptop was operating behind a company firewall, should the company bear part of the blame - and the liability?


The implications for government agencies and the military are even more serious, because people's lives could potentially be at risk. For this reason, the US-CERT (Computer Emergency Response Team) has issued an advisory calling for people to stop using Microsoft's Internet Explorer and switch to another web browser.


You Are Not Alone

Security problems can be more acute in SOHOs and smaller offices, which tend to be less strict than big corporations in enforcing virus scanning and updating their virus signature files. With smaller IT budgets and teams, they are more vulnerable because they have neither the time, money nor resources to keep out such sophisticated attacks.


Modes of Transmission

The ubiquity of viruses and worms propagated by email may have contributed to the browser "blind spot". The Scob Trojan exploits a weakness in Microsoft's Internet Explorer that allows a script to be executed on the user's machine simply by viewing a website. Because the threat comes not from obviously fake websites or sites with dubious content (for example, pornography and bootleg software sites), but from reputable sites that have been compromised, such as the Kelley Blue Book automobile pricing guide, the virus circumvents the typical website filtering mechanisms in firewalls. This mode of attack caught Microsoft by surprise, prompting the company to issue a configuration change in lieu of a fix to be released later.


The Scob Trojan is essentially a "binary agent" method of attack; that is, it requires two conditions, a compromised website and a browser vulnerability, in order to work. This level of sophistication in a virus is quite frightening. Previous viruses required action on the user's part, such as clicking an attachment or permitting a download, but Scob requires neither. Because the payload is not in the email, virus and spam filtering on email servers simply does not catch it.


The Russian website that received keystroke information from infected machines was quickly shut down, but the precedent had already been set. Typically, when new virus methods are "developed", they herald more attacks, even though anti-virus companies may already have developed detection and removal strategies and/or software.


A little history and modern medicine

Security problems have been with us from the early days of computing. The Michelangelo virus, on DOS, predated the Internet, spreading through shared floppy disks. Transmission was slow because there were few companies and organisations using networks. With the Internet, transmission is a lot easier and the infection can spread rapidly to more computers.


Anti-virus software is understood by the vast majority of system administrators as a "host-only" solution. That is, the anti-virus software is installed on PCs, laptops and servers by system administrators, scans are executed on the machine itself, and virus updates have to be downloaded manually onto the system.


This is a difficult strategy to implement and maintain, as any system administrator will attest. Typically users are difficult to train to perform periodic virus scans and signature updates, and are prone to clicking attachments and infecting their own systems. The problem escalates dramatically for larger companies where technology professionals are usually stretched thin by the demands of the information infrastructure and often give a low priority to maintaining security on individual PCs. Yet these are the single weakest link in the company network.


A better strategy involves stopping viruses and spam at the gateway, and there are products available that offer these solutions. The concept is, if you can stop most of the malicious content "out there" from entering your network, the security situation on individual PCs and laptops becomes far more manageable. System administrators can concentrate on just one, or a few, servers or network appliances, instead of tens or hundreds of user workstations.


Performance anxiety

Although a few companies already offer this gateway solution, many users see it as comprising several servers running different security products, such as a content-filtering server, a firewall and an Intrusion Detection System (IDS) server. This approach is expensive, but it is sometimes necessary because commodity servers cannot handle the performance requirements of high-bandwidth networks.


In contrast, there are ASIC-accelerated, all-in-one network security appliance solutions. These appliances provide anti-virus, content filtering, IDS/IPS and firewall services in one box. Performance is not compromised, because the ASIC is dedicated hardware for the security functions. Licensing and costs are kept low because the customer no longer has to pay for different security products. (The author is Fortinet Vice President for Asia Pacific.)


Figure 3: ASIC security appliance solutions

Seven tips for protecting your organization

1. If you receive an email or visit a website that asks for your credit card information, online banking password or any personal information, and it looks suspicious (i.e. a so-called "phishing scam"), you can check it against the Anti-Phishing website at http://www.antiphishing.org/ (Figure 4). If you click on the Phishing Archive link, you can see a list of all recorded phishing emails. Each item is linked in turn to more information about the scam, including a screenshot that you can compare with your email or the website to which you were redirected.


Figure 4: Anti-Phishing website http://www.antiphishing.org/

2. Some websites are not what they claim to be. If you look at the URL (the address bar in your browser), you can sometimes spot a discrepancy. For example, if you expect to be on the Citibank website, you should see a URL that has "citibank.com" in it, not "citi.com" or "web-citi.com". Also, if the URL displays just numbers, it probably does not belong to the company.
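To make tip 2 concrete, here is an added example (not from the article) that applies the same two checks in Python: it extracts the host from a URL, flags hosts that are bare IP addresses, and accepts only the expected domain or one of its subdomains, so that a lookalike such as "web-citi.com" or "citibank.com.example.net" is rejected. The sample URLs are constructed for illustration; only the names citibank.com, citi.com and web-citi.com come from the text.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL, without user-info or port.

    A scheme is prepended when missing so that a bare "www.example.com/x"
    is parsed as a host rather than as a path.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def is_numeric_host(host: str) -> bool:
    """True when the host is a literal IPv4/IPv6 address (the "just numbers" case)."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host equals expected_domain or is a subdomain of it.

    A plain substring test would wrongly accept "citibank.com.example.net",
    so the comparison is anchored at the right-hand end of the host.
    """
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_url(url: str, expected_domain: str) -> str:
    """Classify a URL the way tip 2 suggests a reader should.

    Returns "ok", "numeric host", "different domain" or "no host".
    Note that urlsplit().hostname already drops any "user@" prefix, so a
    URL written as "http://www.citibank.com@192.0.2.10/" is judged by the
    real host (192.0.2.10) and not by the decoy name before the "@".
    """
    host = host_of(url)
    if not host:
        return "no host"
    if is_numeric_host(host):
        return "numeric host"
    if belongs_to(host, expected_domain):
        return "ok"
    return "different domain"
```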


3. If a website requires you to download a file in order to view the page, be very careful. A lot of websites run Flash and Java applets, and if your web browser does not have them installed you may see a dialog box asking to install them. But if you know that Flash and Java are already installed and the website asks to install something else, do not click "Yes" unless you really know what you are doing.


4. One thing that gives "phishing" and fake websites away, especially if they try to imitate an actual reputable company's website, is that the English used is sometimes ungrammatical, has spelling errors, or sounds clumsy. Most reputable companies employ professional copywriters who would not make such elementary mistakes.


5. Install an anti-virus firewall with deep packet inspection. This takes most of the burden off the employees, because your first line of defence (the firewall) will also scan data for malicious content. This includes email as well as downloadable content. You should also get a product that does automated push updates, so that you don't have to worry when your network administrator is on leave.


6. You can encourage users to use non-Microsoft browsers, like Mozilla, for everyday browsing, and to use Internet Explorer ONLY for certain sites that really require it. Make a list of allowable sites for Internet Explorer and use Mozilla for everything else.


7. Install or activate anti-spam software on the mail server. A lot of mail servers now have support for RBLs (Realtime Blackhole Lists), which contain lists of known IP addresses and host names from which spam originates.

