Software

Why e-mail security means more than installing antivirus software

The recent resurgence of the Bagle worm—now new and improved with a multipart approach designed to disable antivirus updates—means that it's no longer enough to rely soley on antivirus software for all of your e-mail security concerns. Jonathan Yarden investigates this recent innovation from virus writers and offers his suggestions for fighting back.

So far, the worms of summer have managed to catch a lot of people off guard. Individual users weren't the only ones hit by the onslaught of the various Bagle/Mitglieder worms (or whatever the antivirus companies decided to dub them this time). In fact, the latest malware "cocktail" of this enduring worm managed to infest quite a few large corporations as well—much to their surprise, I'm sure.

The most recent manifestation involved a good deal of advanced technology: After creeping into vulnerable systems, the base Bagle variant downloads other dangerous components. Using this "multipart" approach, the worm blocks antivirus updates and disables firewalls and antivirus software.

Bagle/Mitglieder managed to work its way into many corporations before their antivirus software even caught it. In fact, I received quite a few ZIP files that managed to slip past the commercial e-mail filtering system we use where I work.

Several customers called our technical support to complain—they couldn't fathom how they received an e-mail worm or how it infected their system when they had updated antivirus software. Of course, it's important to point out that these same people opened an attachment from an unknown source.

It's worth mentioning that the worm pummeled the systems of those of us who have "catch-all" e-mail accounts for domain names, to a degree that I don't remember seeing recently. Even some of my "spam-trap" e-mail accounts received copies, which elicited a small grin when I realized that many junk e-mailers weren't immune to Bagle/Mitglieder either.

It's no longer enough to depend solely on antivirus software to stop worms. It took some antivirus vendors several days to provide updated virus signatures to customers for the latest Bagle/Mitglieder variants. By then, more than a few people had already opened the attachment, which then disabled their antivirus software before it could receive the update.

While a junk e-mail proxy isn't much of a problem for corporations that have effective firewall systems, that didn't stop the worm from kicking e-mail servers offline or flooding inboxes with junk. The more important issue is why so many machines with "up-to-date" antivirus software—even enterprise antivirus software—fell victim to this worm.

Too many companies have a false sense of security because they believe they're doing everything "by the book" with their e-mail systems—and they think this is sufficient to protect them against worms. Most corporations expect their e-mail security to operate successfully solely with an e-mail antivirus gateway, but that's just not enough.

Some wiser corporations have deployed both e-mail antivirus gateways and desktop antivirus software, which often come from the same antivirus company. Of course, even fewer organizations employ two or more antivirus systems, just to cover their bases. If one system fails or misses an update, the other one can still protect the systems.

Of course, it helps that most antivirus software can automatically download updates when they're available. Companies with multiple layers of both Internet security and desktop security probably didn't experience many Bagle/Mitglieder problems. But keep in mind that the delay between the release of a virus or worm and the availability of antivirus signatures is a critical factor.

This is significant because I'm quite sure we haven't seen the last of these multipart worms. And with this lag between a worm's release and the availability of an update, a bigger question remains: How do you protect your organization's systems?

Convincing users to stop opening e-mail attachments from unknown sources is definitely a good way to start, but good luck getting through to all of them. Of course, it never hurts to make it a policy to treat any e-mail attachment with common malware extensions (such as executables and ZIP files) as hostile until proven otherwise. You can also tell users to immediately check for new antivirus signatures when receiving any unknown files. However, I'm sure you know from experience that you can't force users to do everything you tell them.

In the meantime, it never hurts to cover all your bases. I recommend checking out the VirusTotal Web site, which offers a free, on-demand service you can use to identify hostile attachments before they run rampant on your network. Using several antivirus engines, VirusTotal analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware detected by antivirus software.

Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

Editor's Picks