Worms and Trojans

In the next of his weekly series for Cambridge Network members, BS7799 and IT governance expert Alan Calder explains the ABCs of business security and compliance. This week he looks at worms and Trojans.

Worms and Trojans: what are they, what do they do, where do they come from and how do we stop them?

A worm is a piece of self-propagating malicious code (ie it spreads itself; it doesn’t use e-mail as its method of transport) that exploits one or more specific vulnerabilities in a software system or application. Code Red, Slammer, Nimda and Blaster were all worms. The spread of Code Red, in July 2001, doubled once every 37 minutes and eventually infected some 359,000 hosts. The computer population infected by Slammer (also known as Sapphire) on January 25th 2003 doubled every 8.5 seconds and more than 90% of vulnerable hosts were infected within ten minutes.

A Trojan is neither a virus nor a worm; it is likely to be spread by e-mail (the e-mail might, for instance, claim to be an emergency patch from Microsoft) and it relies on user action to download onto a computer. A Trojan is an “apparently useful program containing hidden functions” that can exploit the privileges of the computer user. It usually requires manual intervention for installation, although this is equally usually disguised, perhaps hidden within an adware package. Once a Trojan has been installed, it can be used by a third party to gain remote access to the computer.

Worms can bring computer systems to a halt. Airline reservation systems, ATM systems, corporate systems and even the Internet itself have all been stopped or radically slowed by a worm’s bandwidth consumption.

Trojans provide an attacker with backdoor access to your computer – or computer system - either to use the computer (for instance, as part of a zombie ‘botnet’ to attack other computers – in a distributed denial of service attack) or to steal information (such as passwords) stored on that computer.

Loss of bandwidth, loss of customer service capability and workforce downtime – spread sometimes over several days - are all standard results of a worm attack. The costs –usually indirect - to victim organizations can be substantial.

Trojan infestation can be more damaging; loss of proprietary information, covert (and malicious) remote access to or control of your computer system, and theft of confidential data, such as passwords, can all lead to financially significant damages.

Anti-virus software is simply inadequate as a single defence against either worms or Trojans. Anti-virus software is essential for dealing with viruses, some worms and some Trojans. The essential component of your anti-worm defence is a first class firewall, kept up to date, and configured for minimal Internet passage. The essential component of your anti-Trojan defence is an always-on application like Microsoft’s antispyware software (currently in free beta test). You need to install firewalls and antispyware on your Internet gateway and on individual computers, to deal with possible infections travelling in portable media such as USB sticks, CD-Roms, etc.

You should know where to get, for when you need them, useful anti-Trojan detect and destroy tools, and you should use an anti-virus software supplier that provides daily updates and which is quick at providing worm-removal tools. Oh, and you should train users not to download or execute files that they did not ask for and which they have any reason for doubting – particularly files that have a .exe file extension.

Next week: Blended Threats

Alan Calder’s company provides businesses with consultancy support and advice on governance and information security. Visit www.itgovernance.co.uk/page.service, e-mail alan@itgovernance.co.uk or telephone + 44 845 070 1750