Appendix C: Understanding Security Risks

Overview of common security risks: viruses, malware, spyware, grayware, and web threats.

Terminology

Computer security is a rapidly changing subject. Administrators and information security professionals invent and adopt various terms and phrases to describe potential risks or unwanted incidents affecting computers and networks. Some of these terms refer to real security risks and some refer to annoying or unsolicited incidents.

Trojans, viruses, malware, and worms are examples of terms that are used to describe real security risks. Joke programs, spyware, and grayware are terms that are used to describe incidents that might be harmful, but are sometimes simply annoying and unsolicited. CPM can protect Exchange servers against all of the incidents that are described in this appendix.

Internet Security Risks

Thousands of viruses and malware programs are known to exist, with more being created each day. These include spyware, grayware, phish sites, network viruses and malware, Trojans, and worms. Collectively, these threats are known as security risks. Here is a summary of the major security risk types:
Threat Type: Characteristics

Denial-of-Service (DoS) attack: A DoS attack happens when a mail server's resources are overwhelmed by unnecessary tasks. Preventing the scanning of files that decompress into very large files helps prevent this problem from happening.

Phish: Unsolicited email that requests user verification of private information, such as credit card or bank account numbers, with the intent to commit fraud.

Spyware and Grayware: Technology that aids in gathering information about a person or organization without their knowledge.

Trojan Horse Program: Malware that performs unexpected or unauthorized, often malicious, actions. Trojans cause damage and unexpected system behavior and compromise system security, but unlike viruses and other types of malware, they do not replicate.

Viruses and Malware: A program that carries a destructive payload and replicates, spreading quickly to infect other systems. By far, viruses and malware remain the most prevalent threat to computing.

Worm: A self-contained program or set of programs that is able to spread functional copies of itself or its segments to other computer systems, typically through network connections or email attachments.

Other Malicious Codes: Scanning detects some malicious code that is difficult to categorize but poses a significant threat to Exchange. This category is useful when you want CPM to take an action against a previously unknown threat type.

Packed files: Potentially malicious code in real-time compressed executable files that arrive as email attachments. IntelliTrap scans for packing algorithms to detect packed files. Enabling IntelliTrap allows administrators to take user-defined actions on infected attachments, and to send notifications to senders, recipients, or administrators.
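As an added example that is not part of the original appendix or of CPM itself, the following Python check implements the pre-scan guard the DoS row describes: it reads the declared sizes from a zip attachment's central directory, without inflating any data, and refuses to scan archives whose expanded size or compression ratio would exhaust the scanner. The threshold values, function names, and sample attachments are assumptions constructed for this example.

```python
# Added example (not from the original appendix or from CPM): a pre-scan guard
# against "decompression bomb" attachments. Only the central directory is read;
# no member is inflated. Thresholds are an assumed policy, not values from the page.
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # assumed policy: 50 MiB expanded total
MAX_RATIO = 100                              # assumed policy: 100:1 per member


def inspect_archive(data: bytes) -> dict:
    """Return a verdict for an in-memory zip attachment without extracting it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"scan": False, "reason": "not a valid zip archive"}
    total = 0
    for info in zf.infolist():
        total += info.file_size
        # compress_size is 0 for empty members; guard the division
        ratio = info.file_size / max(info.compress_size, 1)
        if ratio > MAX_RATIO:
            return {"scan": False,
                    "reason": f"{info.filename}: ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1"}
        if total > MAX_TOTAL_UNCOMPRESSED:
            return {"scan": False,
                    "reason": f"expanded size exceeds {MAX_TOTAL_UNCOMPRESSED} bytes"}
    return {"scan": True, "reason": "within limits", "expanded_bytes": total}


def build_sample(payload: bytes, name: str = "attachment.bin") -> bytes:
    """Constructed test input: a single-member, deflate-compressed zip built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: ordinary text versus 10 MiB of zeros (deflate packs
    # this to roughly 10 KB, a ratio near 1000:1).
    benign = build_sample(b"Quarterly report: revenue up, costs down, headcount flat.")
    bomb = build_sample(b"\0" * (10 * 1024 * 1024))
    print(inspect_archive(benign))
    print(inspect_archive(bomb))
```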

Viruses and Malware

A computer virus or malware program is a segment of code with the ability to replicate by infecting files. When a virus or malware infects a file, it attaches a copy of itself to the file in such a way that when the file executes, the virus or malware also runs. When this happens the infected file becomes capable of infecting other files. Like biological viruses, computer viruses and malware can spread quickly and are often difficult to eradicate.

In addition to replication, some computer viruses and malware share another commonality: a damage routine that delivers a payload. While payloads might display only messages or images, they can also destroy files, reformat your hard disk, or cause other damage. Even if the virus does not contain a damage routine, it can cause trouble by consuming storage space and memory, and degrading computer performance.

Generally, there are three kinds of viruses and malware:
Type: Description

File: File viruses and malware come in different types: DOS viruses and malware, Windows viruses and malware, macro viruses and malware, and script viruses and malware. All of them share characteristics but infect different types of host files or programs.

Boot: Boot viruses and malware infect the partition table of hard disks and the boot sector of hard disks and diskettes.

Script: Script viruses and malware are written in scripting languages, such as Visual Basic Script and JavaScript, and are usually embedded in HTML documents. VBScript (Visual Basic Script) and JScript (JavaScript) viruses and malware make use of Microsoft's Windows Scripting Host to activate themselves and infect other files. Since Windows Scripting Host is available on Windows 98, Windows 2000 and other Windows operating systems, the viruses and malware can be activated simply by double-clicking a *.vbs or *.js file from Windows Explorer.

What is so special about script viruses and malware? Unlike binary viruses and malware, which require assembly-level programming knowledge to write, script viruses and malware are written as plain text. A script virus can become functional without low-level programming and with very compact code. It can also use predefined objects in Windows to make accessing many parts of the infected system easier (for example, for file infection or mass-mailing). Furthermore, since the code is text, it is easy for others to read and imitate the coding paradigm. Because of this, many script viruses and malware programs have several variants. For example, shortly after the "I love you" virus appeared, antivirus vendors found modified copies of the original code, which spread themselves with different subject lines or message bodies.

Whatever their type, the basic mechanism remains the same. A virus contains code that explicitly copies itself. In the case of file viruses and malware, this usually entails modifying the host file so that the virus gains control when a user unknowingly executes the infected program.

After the virus code finishes execution, it typically passes control back to the original host program to give the impression that nothing is wrong with the infected file.

Note that there are also cross-platform viruses and malware. These programs can infect files on different platforms (for example, Windows and Linux). However, such programs are rare and seldom achieve 100% functionality.