Protecting Your PC From Viruses

By ABC News
October 25, 2004, 11:10 AM

Oct. 26, 2004 -- If there's a new computer "worm" on the Internet and no one knows about it, can it still be stopped before widespread damage is done? Maybe.

Past online outbreaks, such as Sasser, Nimda and Mydoom, have shown that malicious programmers are getting better at creating their malicious software, or malware. Security experts say online infections are occurring at alarmingly faster rates, infecting millions of computers in a matter of minutes, not days as in previous outbreaks.

To help stem so-called zero-day infections -- rapid outbreaks of new, undiscovered malware -- security experts are taking a more proactive tack in protecting PCs.

Sana Security Inc. of San Mateo, Calif., has introduced a new defensive software program for PCs called Attack Shield WS. The software is designed to protect Windows PCs in much the same way the human body detects and fights disease.

"As an infant, you're born with an innate immune system consisting of cells evolved to look for the common coatings of harmful bacteria," said Steven Hofmyer, founder and chief scientist at Sana Security. "The idea here is similar in that it looks for patterns of unusual computer behavior and not the worm itself."

Once installed on a PC, the software tracks what are considered "normal" operations for the computer. It also monitors vital areas of the computer's memory used by the Windows operating system and other legitimate software.

By watching how a PC is supposed to behave, "what we're really looking for are the behaviors that [typical] worms use that ordinary programs don't need to use," said Hofmyer.

For example, a worm might try to use a computer's e-mail program to automatically infect other PCs. And while there might be several different ways a worm could access that part of the e-mail software, Attack Shield would detect that some program is asking the PC to perform an unusual activity -- such as generating and sending an abnormal amount of e-mail -- and interrupt it.

Such capability is different from most current antivirus systems, which are based on so-called signatures -- software code that specifically describes how each bug interacts with a PC's programs. Since experts have to take apart each piece of malware to come up with its appropriate "antidote," Hofmyer says antivirus programs alone can't stop new bugs from spreading on "zero day," when they make their debut on the Net.
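The contrast the article draws between a signature lookup and a behavioral baseline can be shown with a small simulation. The following is an added example written for this page; it is not Sana's code and does not reflect how Attack Shield WS actually works. The process names, recipients and per-minute counts are constructed sample data, and the "signature" list is a toy stand-in for the byte patterns a real antivirus product would carry. The point it demonstrates is that an unknown worm (here the made-up process name `wsock_helper.exe`) matches no signature, yet its burst of outbound mail stands out against what the PC learned as normal.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SendEvent:
    """One outbound e-mail send observed on the PC (constructed event shape)."""
    minute: int        # minute relative to the start of monitoring
    process: str       # program that asked the mail subsystem to send
    recipient: str


# Toy signature list. A real antivirus product carries byte patterns for each
# known worm; a known-name lookup stands in for that here. A zero-day worm is,
# by definition, absent from this list.
KNOWN_WORM_SIGNATURES = {"sasser", "mydoom", "nimda", "blaster"}


def signature_hits(events):
    """Signature-style check: flag only processes whose name matches a known worm."""
    return sorted({
        e.process for e in events
        if any(sig in e.process.lower() for sig in KNOWN_WORM_SIGNATURES)
    })


def per_minute_counts(events):
    """Count sends per (process, minute) pair."""
    counts = Counter()
    for e in events:
        counts[(e.process, e.minute)] += 1
    return counts


def learn_baseline(training_events):
    """Learn what 'normal' looks like on this PC: the busiest single minute any
    program had during the training window."""
    counts = per_minute_counts(training_events)
    return max(counts.values()) if counts else 0


def behaviour_alerts(events, baseline, factor=3):
    """Behaviour-style check: flag any process, known or not, whose send rate in
    some minute exceeds `factor` times the learned baseline.
    Returns sorted (process, minute, count) tuples."""
    threshold = max(1, baseline) * factor
    counts = per_minute_counts(events)
    return sorted(
        (proc, minute, n)
        for (proc, minute), n in counts.items()
        if n > threshold
    )


# --- constructed sample data, not real telemetry ---
# Training window: the mail client sends one message a minute, with a small
# burst of three in minute 3, so the learned baseline is 3 sends per minute.
TRAINING = [SendEvent(m, "outlook.exe", f"colleague{m}@example.com") for m in range(10)]
TRAINING += [SendEvent(3, "outlook.exe", "boss@example.com"),
             SendEvent(3, "outlook.exe", "hr@example.com")]

# Observation window: the mail client behaves as before, while a constructed
# unknown process fires off 40 messages in one minute. Its name is made up and
# matches no signature.
OBSERVED = [SendEvent(12, "outlook.exe", "colleague@example.com")]
OBSERVED += [SendEvent(12, "wsock_helper.exe", f"victim{i}@example.net") for i in range(40)]


def run_demo():
    """Run both checks over the observed window and return their findings."""
    baseline = learn_baseline(TRAINING)
    return {
        "baseline": baseline,
        "signature_hits": signature_hits(OBSERVED),
        "behaviour_alerts": behaviour_alerts(OBSERVED, baseline),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the signature check returning nothing, while the behaviour check reports the unknown process at minute 12 with 40 sends. The threshold multiplier is the usual tuning knob for such a detector: set it too low and a legitimate bulk mailing becomes a false positive, which is why real products pair a rate check with other behavioral indicators rather than relying on one.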

What's more, a signature-less defense may mean less hassle for PC users, who face the daunting task of keeping abreast of the latest online security threats. And that could be music to the ears of those who need to manage large computer networks.

Robert Taylor, chief information officer and director of information technology for Fulton County, Ga., recalls vividly the computer headache brought on by the Blaster worm in August 2003.

Only 30 of the county's 6,000 computers were infected with the bug. But that small number of infected PCs was enough to bring the entire network down for four days. Further analysis after the incident found the initial culprit was a single laptop that didn't have the latest security updates.

"In a typical antivirus solution, you have to download new definitions practically every week because there are new threats all the time," said Taylor. "What Sana does, it's preventative."

While behavior-based monitoring software for individual desktop computers is a new step for home PC security, it has already been used in larger corporate network settings. In fact, Sana's Attack Shield is an offshoot of the company's intrusion protection software for corporate customers.

Brendan Hannigan, executive vice president of product development and marketing at Q1 Labs in Waltham, Mass., says anomalous behavior detection software such as the company's QRadar works best at the network level, and he thinks that is where such software will probably have the most impact for now.