Protecting Your PC From Viruses

Oct. 26, 2004 -- If there's a new computer "worm" on the Internet and no one knows about it, can it still be stopped before widespread damage is done? Maybe.

Past online outbreaks, such as Sasser, Nimda and Mydoom, have shown that malicious programmers are getting better at creating their malicious software, or malware. Security experts say online infections are occurring at alarmingly faster rates, infecting millions of computers in a matter of minutes, not days as in previous outbreaks.

To help stem so-called zero-day infections -- rapid outbreaks of new, undiscovered malware -- security experts are taking a more proactive tack to protecting PCs.

Sana Security Inc. of San Mateo, Calif., has introduced a new defensive software program for PCs called Attack Shield WS. The software is designed to protect Windows PCs much in the same way the human body detects and fights against disease.

"As an infant, you're born with an innate immune system consisting of cells evolved to look for the common coatings of harmful bacteria," said Steven Hofmyer, founder and chief scientist at Sana Security. "The idea here is similar in that it looks for patterns of unusual computer behavior and not the worm itself."

Proper PC Behavior

Once installed on a PC, the software tracks what are considered "normal" operations for the computer. It also monitors vital areas of the computer's memory used by the Windows operating system and other legitimate software.

By watching how a PC is supposed to behave, "what we're really looking for are the behaviors that [typical] worms use that ordinary programs don't need to use," said Hofmyer.

For example, a worm might try to use a computer's e-mail program to automatically infect other PCs. And while there might be several different ways a worm could access that part of the e-mail software, Attack Shield would detect that some program is asking the PC to perform an unusual activity -- such as generating and sending an abnormal amount of e-mail -- and interrupt it.

Such capability is different from most current antivirus systems, which are based on so-called signatures -- software code that specifically describes how each bug interacts with a PC's programs. Since experts have to take apart each piece of malware to come up with its appropriate "antidote," Hofmyer says antivirus programs alone can't stop new bugs from spreading on "zero day," when they make their debut on the Net.

Skipping Signature Snafus

What's more, a signature-less defense may mean less hassle for PC users, who face the daunting task of keeping abreast of the latest online security threats. And that could be music to the ears of those who need to manage large computer networks.

Robert Taylor, chief information officer and director of information technology for Fulton County, Ga., recalls vividly the computer headache brought on by the Blaster worm in August 2003.

Only 30 of the county's 6,000 computers were infected with the bug. But that small number of infected PCs was enough to bring the entire network down for four days. Further analysis after the incident found the initial culprit was a single laptop that didn't have the latest security updates.

"In a typical antivirus solution, you have to download new definitions practically every week because there are new threats all the time," said Taylor. "What Sana does, it's preventative."

A Place on the Net

While behavior-based monitoring software for individual desktop computers is a new step for individual online security, it has been used in larger corporate network settings. In fact, Sana's Attack Shield is an offshoot of the company's intrusion protection software for corporate customers.

Brendan Hannigan, executive vice president of product development and marketing at Q1 Labs in Waltham, Mass., says software such as the company's QRadar works best at the network level, and he thinks that anomalous-behavior detection software will probably have the most impact there for now.

"On a huge enterprise network, the [behavior-monitoring software] can learn everything that is going on in that network," said Hannigan. And that, he said, could help stop other security breaches.

For example, the QRadar system could detect when a computer within a corporate network tries to access certain parts of the system -- say the drive that stores sensitive company information. If the computer has never accessed that part of the system before, it could be a sign that an employee may be stealing corporate secrets.
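A toy version of the two behaviors the article describes (the abnormal e-mail volume in the Attack Shield example above and the first-time access to a sensitive share in the QRadar example), as an added example that is not Sana's or Q1 Labs' code: it learns a baseline from constructed events, then flags deviations, while a signature list of known program names misses the same activity. All hosts, process names and share paths are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample events: (host, process, action, target).
# BASELINE is a learning period; WINDOW is a later period of the same length.
BASELINE = [
    ("ws01", "outlook.exe", "send_mail", "smtp"),
    ("ws01", "outlook.exe", "send_mail", "smtp"),
    ("ws01", "outlook.exe", "send_mail", "smtp"),
    ("ws01", "outlook.exe", "file_read", r"\\fs01\shared"),
    ("ws02", "excel.exe", "file_read", r"\\fs01\shared"),
]
WINDOW = [("ws01", "outlook.exe", "send_mail", "smtp")] * 10 + [
    ("ws02", "excel.exe", "file_read", r"\\fs01\finance"),  # never touched before
]

# Signature-style check: a list of known-bad program names (hypothetical entry).
KNOWN_BAD = {"example-worm.exe"}

def signature_hits(events):
    """Flag only processes whose name is already on the known-bad list."""
    return [e for e in events if e[1] in KNOWN_BAD]

def build_profile(events):
    """Learn, per host, the (process, action, target) combos seen and the mail count."""
    seen = defaultdict(set)
    mails = Counter()
    for host, proc, action, target in events:
        seen[host].add((proc, action, target))
        if action == "send_mail":
            mails[host] += 1
    return seen, mails

def behavior_alerts(profile, window, mail_factor=3):
    """Flag never-before-seen combos and mail volume far above the host's baseline."""
    seen, base_mail = profile
    alerts = []
    window_mail = Counter()
    for host, proc, action, target in window:
        if (proc, action, target) not in seen[host]:
            alerts.append((host, proc, f"first-time {action} -> {target}"))
        if action == "send_mail":
            window_mail[host] += 1
    for host, n in window_mail.items():
        if n > mail_factor * max(base_mail[host], 1):
            alerts.append((host, "*", f"mail volume {n} vs baseline {base_mail[host]}"))
    return alerts

if __name__ == "__main__":
    print("signature hits:", signature_hits(WINDOW))          # nothing on the list
    print("behavior alerts:", behavior_alerts(build_profile(BASELINE), WINDOW))
```

The signature check returns nothing because no process name is on the list, while the behavioral check raises one alert for the first-time read of the finance share and one for the tenfold jump in mail volume.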

Using More Than One Defense

Both Hofmyer and Hannigan say that while behavior detection tools are good steps forward for computer security, they aren't without their weaknesses.

For example, Hofmyer says Attack Shield won't protect users from other avenues of attack used by hackers, such as flaws in Web-browsing software. But he says Sana is working on other signature-less modules that might address those and other security concerns.

As such, security experts continue to advise that the best security setup will be a multilayered defense, much like the physical security at an airport.

"When you go [to an airport], there are security agents that screen you, checking that you don't have box cutters or knives or explosives when you go through the metal detectors. That's a signature-based system," said Hannigan. "But even when you pass that checkpoint, there are cameras and agents that watch you in the terminal. That's monitoring for suspicious behavior."

And while no defense is foolproof, additional tools in the unending war against hackers are always welcomed, says Fulton County's Taylor.

"The only way to be 100 percent secure is to unplug your PC from the Net and turn your box off," said Taylor. "Since that's not going to happen, we are always looking for multiple solutions to keep ourselves protected."