Chapter 19

Virus Protection and Hostile Applets


The most publicized dangers to an intranet are computer viruses. While the danger is not as extreme as the press portrays it, it is nonetheless real. Viruses are malicious programs that can cause many different kinds of damage, such as deleting data files, erasing programs, or destroying everything on a hard disk. Not every virus causes damage; some simply flash annoying messages on your screen. Still, any virus attack must be taken very seriously. There's no way of knowing whether one was created out of malicious intent or whether the perpetrator thought it was merely a harmless prank. In most cases, a virus causes real damage.

Viruses pose particular dangers to an intranet. On an intranet all computers are connected to one another, which means that viruses can quickly spread from one networked computer to another. For example, let's say someone on an intranet gets a virus from a program downloaded from the Internet via FTP. That virus infects that person's computer. Before it does damage, however, and before the person knows an infection has occurred, the file might be shared with someone else via intranet e-mail. That person in turn might send it to someone else, who in turn shares it with another person. In a very short time, hundreds or thousands of computers can be infected. A virus spreads very much like an epidemic.

An even greater danger to an intranet is a virus that infects a network server. The consequences of this can be disastrous. The virus could destroy the server software or its data. This could bring the entire intranet to its knees if the server is one that is vital to the functioning of the intranet. It is even more dangerous if the virus gets loose on a server that hosts corporate databases. The virus could conceivably destroy the entire database.

Other threats to intranets are special viruses called worms. Worms are viruses designed to attack not just individual computers but an entire network, such as an intranet. Worms are described in more detail below.

The term virus refers to many different kinds of programs. They usually attack four parts of a computer: its executable program files; its file-directory system, which tracks the location of all of a computer's files (and without which a computer won't work); its boot and system areas, which are needed in order to start your computer; and its data files. Viruses are usually found in executable files, such as programs. For many years, it was thought that viruses could not infect data files. Recently, new "macro" viruses have been written that hide inside a data file. The data file itself is not the culprit, but when something triggers the macro (which is, essentially, a little program), the virus is let loose to do its damage.

Even more ominous for intranets, viruses can also hide themselves inside Java applets, or be Java applets themselves. Java is a programming language that is expected to be used to build the next generation of interactive Internet and intranet applications. When a Java applet runs on your computer, an executable program is downloaded from an Internet or intranet server to your computer. Once that program is on your computer, it runs, and your Web browser shows the results of its running; for example, you'll see a news ticker flashing across your screen.

The developers of languages such as Java have done much work to try to make sure that viruses can't infect programs written in those languages. In Java, for example, when the applet downloads to your computer, it is put into protected memory before it is executed, so that if it carries a virus, it can't infect any part of your computer. Java applets also cannot read from or write to local drives. Some Java developers will tell you that because of security measures like these, there's no way that a virus from a Java applet could infect your computer.

However, other people maintain that there are many security holes in Java through which a variety of viruses can slip. These people claim that some of these holes let an applet do things such as lock up the keyboard and mouse, or more dangerous things, such as allowing a cracker to use Java as a way to circumvent firewall security and slip a virus into an intranet undetected. These kinds of Java applets are often called hostile applets. In fact, some of these hostile applets have been publicly posted on the Internet, with warnings about them, as a way to alert people that Java has dangerous holes in it.

As these hostile applets are made public, those who create the Java language (and other similar Internet programming languages) attempt to plug the holes. That's what happened when a team of computer scientists at Princeton University discovered a serious security flaw that could allow crackers to use Java to attack intranets. An illustration of how such an attack could be made appears later in this chapter. The security flaw has since been patched, but people using older versions of Netscape are still vulnerable to it.

Java, as yet, is not a great threat to intranets. It is still not in sufficiently widespread use, and there have yet to be documented attacks spread using it. Of more immediate concern are several kinds of viruses. Trojan horses are programs that disguise themselves as normal, helpful programs but do damage to your computer, its data, or your hard disk. For example, someone may download a file that claims to be a financial calculator. When the program is run, it does calculations, but in the background it damages your computer. The theoretical Java security flaw that the Princeton researchers uncovered was a kind of Trojan horse.

Other viruses are called worms. These viruses are relatively rare, but they are of great concern to those on an intranet. That's because they have been specifically designed to infect networks. They travel between networked computers, replicating themselves along the way. They can attack the networked computers or the network itself. They can also chew up an enormous amount of network resources as they replicate and run. That's what the most infamous worm of all did. It was an Internet worm released on November 2, 1988. It copied itself onto many Internet host computers, and eventually brought huge sections of the Internet to a halt.

The most common viruses hide themselves inside other programs. Many of them can hide in any kind of program. You get this kind of virus by running a program that has the virus inside it. When the program is run, the virus is let loose, and it travels throughout your computer, infecting other program files. Depending on the kind of virus it is, it can attack certain sections of your computer, such as the boot sector, which could damage all your programs and data. Or it could attack other sections of your hard disk. If you don't check regularly for viruses, you may only find out about the infection after it's too late and the damage has been done.

Antiviral software has long been used on individual computers. A scanner checks to see if your computer has any files that have been infected, while an eradication program will wipe the virus from your hard disk. Since viruses pose such a danger to intranets, it is also best to protect against viruses by putting a virus scanner on a server inside a firewall, where that scanner can check every file coming into the intranet for known viruses. This does not eliminate the need for client software to cover such cases as a virus that may travel in a diskette from an external source.

Such a scanner typically doesn't check every single packet coming in, since many types of packets cannot carry viruses. Instead, the scanner checks only those packets sent with certain Internet protocols, such as those for e-mail, FTP, and the Web, that may indicate that a binary file is being transferred into the intranet. It singles out those files using packet filtering technology similar to that used by filtering routers. It then scans those files for viruses, letting in those that are virus-free and stopping any infected files from entering the intranet.

How Intranet Virus Scanning Software Works

Viruses are a major security risk for intranets. They can damage data, occupy and consume resources, and disrupt operations. Program files were the major source of trouble in the past, but new "macro" viruses can hide in data files and launch, for example, when a macro in a word processing program is run. Server-based and client-based virus-scanning software both have roles that help protect the intranet.

  1. A virus hides inside a legitimate program. Until you run the infected program, the virus remains dormant. When you run the infected program, the virus springs into action. Sometimes, the first thing it will do is infect other programs on your hard disk by copying itself into them.
  2. Some viruses place messages called v-markers or virus markers inside programs that they infect, and they help manage the viruses' activities. Each virus has a specific virus marker associated with it. If a virus encounters one of these markers in another program, it knows that the program is already infected, and so doesn't replicate itself there. When a virus cannot find any more unmarked files on a computer, that can signal to the virus that there are no more files to be infected. At this point, the virus may begin to damage the computer and its data. Viruses can corrupt program or data files so that they work oddly, not at all, or cause damage when they run. They can destroy all the files on your computer, change the system files that your computer needs when it is turned on, and cause other types of damage.
  3. Intranet virus scanning software runs on a server in an intranet firewall. The software doesn't check every packet that comes into the intranet for viruses, since that would not be feasible. Instead, it checks only those packets sent with the kinds of Internet services and protocols that indicate that a file may be in the process of being transferred from the Internet to the intranet: commonly, e-mail (which is sent via SMTP, Simple Mail Transfer Protocol), the File Transfer Protocol (FTP), and the World Wide Web (HTTP, Hypertext Transfer Protocol). The software uses packet filtering technology to determine which packets are being sent with these protocols.
  4. When the software finds packets that are sent with SMTP, FTP, or HTTP, it knows it must examine them further, to see if they have viruses in them. Virus scanning software works in many ways. One method of detection is to check files for tell-tale virus markers that indicate the presence of a virus.
  5. Packets not using SMTP, FTP, or HTTP (such as NNTP) are passed through, and the software does not perform any action on them.
  6. If the file is found to be virus-free, it is allowed to pass. If it is found to have a virus, it won't be allowed to pass into the intranet.
  7. Antivirus software should also be run on individual computers inside the intranet, because a virus can be brought into the intranet by other routes, such as on a diskette. Besides protecting against infection, it can detect viruses already on the computer and eradicate any that it finds.
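The scanner's decision in steps 3 through 6 can be sketched in a few lines. The following Python model is an added example, not code from the chapter or from any real antivirus product: the port table stands in for the scanner's packet filtering, and the "virus markers" and sample transfers are constructed byte strings, not real virus signatures.

```python
from typing import Dict, List, Tuple

# Well-known destination ports for the three protocols the chapter says the
# scanner examines.  Anything else (NNTP on 119, for instance) is forwarded
# without inspection, as in step 5.
SCANNED_PROTOCOLS: Dict[int, str] = {25: "SMTP", 21: "FTP", 80: "HTTP"}

# Constructed "virus markers" (step 4).  A real scanner carries thousands of
# such byte patterns; these two are invented for the example and match nothing
# in the wild.
SIGNATURES: Dict[str, bytes] = {
    "EXAMPLE-MARKER-A": b"\x5a\x4d\x90\x90VMARK_A",
    "EXAMPLE-MARKER-B": b"\xe8\x00\x00\x00\x00\x5dVMARK_B",
}


def scan_file(data: bytes) -> List[str]:
    """Return the names of every known marker found anywhere in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def filter_transfer(dst_port: int, payload: bytes) -> Tuple[str, List[str]]:
    """Decide what the firewall scanner does with one inbound transfer.

    Returns (verdict, hits): 'pass' or 'block' for a scanned protocol,
    'unscanned' for a protocol the scanner does not look at.
    """
    if dst_port not in SCANNED_PROTOCOLS:
        return "unscanned", []
    hits = scan_file(payload)
    return ("block" if hits else "pass"), hits


if __name__ == "__main__":
    # Constructed sample traffic: an infected e-mail attachment, a clean Web
    # page, and a news posting that carries a marker but goes by uninspected
    # because the scanner ignores NNTP.
    samples = [
        (25, b"MZ\x90\x00" + SIGNATURES["EXAMPLE-MARKER-A"] + b"\x00" * 16),
        (80, b"<html><body>Quarterly results</body></html>"),
        (119, b"Subject: patch\n\n" + SIGNATURES["EXAMPLE-MARKER-B"]),
    ]
    for port, data in samples:
        verdict, hits = filter_transfer(port, data)
        name = SCANNED_PROTOCOLS.get(port, "other")
        print(f"{name:5} port {port:3}: {verdict} {hits}")
```

The third sample is the point of step 7: a marker inside NNTP traffic walks straight past the gateway, so client-side scanning still has a job to do.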

How a "Hostile" Java Applet Can Attack an Intranet

The Java programming language can create interactive, multimedia applications (called applets) that can greatly extend the power of the World Wide Web on intranets and the Internet. However, some people believe that it can theoretically be used to attack an intranet. Here is an example of such an attack, which computer scientists at Princeton University discovered was possible due to holes in the Java protection scheme. Since then, this particular hole has been closed, but only for people who use the specific versions of Netscape that contain the fix. Many computer scientists say that other security holes still exist in Java.

  1. The cracker begins by targeting a specific pair of computers on an intranet, stooge.victim.com and target.victim.com. One of the computers will be used by the cracker as a jumping-off point to attack the other. The cracker knows their IP addresses: 123.123.122.1 for stooge.victim.com, and 123.123.122.2 for target.victim.com.
  2. The cracker's computer is named www.hackit.com, and its IP address is 114.12.12.12. There is also a "bogus" machine name, a computer that does not exist but looks to the rest of the Internet as if it does. The bogus machine is called bogus.hackit.com. The cracker creates a DNS mapping from this bogus machine to a pair of IP addresses: the cracker's, 114.12.12.12, and the machine targeted for attack, 123.123.122.2. When a DNS server looks up the bogus machine name to find its IP address, it will see these two IP addresses. Note that the cracker hasn't yet used Java; what has been done so far has commonly been done by crackers on the Internet since well before Java was released.
  3. The intranet that the cracker has targeted is protected by a firewall. Normally, he or she would not be able to break through the firewall to attack the computer with the IP address 123.123.122.2. With the hole the cracker discovered in Java, however, it can be done.
  4. The cracker creates a "hostile" Java applet and posts it on a page on the World Wide Web. The applet looks like a news ticker, but it is in fact designed to attack the intranet. The cracker sends an e-mail note to the target intranet, disguised as a press release, inviting people to visit a free news site on the Internet. A user on stooge.victim.com browses to the site and comes across the Java applet on www.hackit.com. The applet downloads.
  5. The applet appears to be a news ticker, so the user on stooge.victim.com reads it. In fact, the applet has begun to attack the computer and the intranet.
  6. The applet tries to make a connection to the "bogus" computer created by the cracker, bogus.hackit.com. To make the connection, Java uses the DNS mapping created by the cracker. It finds the mapping of 123.123.122.2 and 114.12.12.12 for the name bogus.hackit.com. As a security measure, Java only lets applets contact the server from which they were launched, and no other server. In this case, that server is 114.12.12.12, so Java allows the connection, since it sees that address in the entry. However, since the first address in the entry is 123.123.122.2, it actually makes the connection to that computer, not to 114.12.12.12.
  7. The Java applet is now connected to the target computer, target.victim.com (123.123.122.2), and can make full use of the intranet's resources, as if it were a trusted computer inside the intranet. That's because the connection was made from inside the intranet, directly from another intranet computer; the attack was made from within the firewall. Using the applet, the cracker can now make a direct connection to 123.123.122.2, as if inside the intranet. A cracker can then probe the intranet's security weaknesses by using a security-probing program like the particularly powerful one called SATAN, and then attack not just the target computer, but the entire intranet.
  7. The Java applet is now connected to the target computer, target.victim.com (123.123.122.2), and can make full use of the intranet's resources, as if it were a trusted computer inside the intranet. That's because the connection was made from inside the intranet, directly from another intranet computer-the attack was made from within the firewall. Using the applet, the cracker can now make a direct connection to 123.123.122.2, as if inside the intranet. A cracker can then probe the intranet's security weaknesses by using a security-probing program like the particularly powerful one called SATAN, and then attack not just the target computer, but the entire intranet.