Corrective Actions
The best defense in this case is overall vigilance and thoroughness. Here's what to do:
Register your software to get alerts and updates from your vendors. Every reputable vendor publishes patches to keep applications and other programs current. Keep track of vendor alerts and apply patches in a reasonable period of time and in a consistent fashion.
Consider using non-mainstream applications and platforms to make system infection more difficult.
If it's vital that programs be sent via email, nothing that can be executed as a program should be sent through email without being examined on a "sandbox" system that can contain an outbreak.
Show your employees and staff what can happen if they drop their guard. Perform demonstrations and hold regular updates to your security policies. To prevent hoaxes from spreading, don't let users forward virus warnings on their own.
Do regular IT audits, just in case.
Here are some examples, drawn from the Nimda attack, of what to look out for and how to prevent or remedy the damage if your system is assaulted.
NOTE
Believe it or not, Nimda is still active in the wild after being released in September 2001, and still propagates itself over the Net even though fixes are widely available.
W32.Nimda.A@mm is a mass-mailing worm that utilizes many methods to spread itself. The name of the virus, by the way, comes from reversing the spelling of the word admin. The worm works like this. From an infected system, the worm sends itself out by email and then searches for an open network, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and infects both the local files and the files on remote networks. Information on this exploit, as well as a patch for computers running Windows NT 4.0 Service Packs 5 and 6a or Windows 2000 Gold or Service Pack 1, is available from Microsoft.
When the worm arrives by email, it does its dirty work by using a MIME exploit. This allows the virus to be executed just by reading or previewing the file. Information and a patch for this exploit are available from Microsoft.
In the event that you visit a compromised web server, you'll be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment. Don't. As an added precaution, you can disable file downloads in your Internet Explorer security zones to prevent this from happening. Also, the worm will create an open network share on the infected computer, allowing access to the system. During this process, the worm creates the Guest account with Administrator privileges. Information and a patch for this exploit are available from Microsoft.
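As an added example (not part of the original text), here is a small Python check in the spirit of the sandbox advice above: it parses an .eml file and flags any MIME part that names an executable, declares a non-application content type for it, or is not marked as an attachment, which is the kind of mismatch a preview-triggered MIME exploit depends on. The message, its addresses and the base64 body are all constructed for illustration.

```python
import email
import os
from email import policy

# Extensions a mail gateway or sandbox should treat as "can be executed as a program".
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}

# Constructed sample .eml (not a real worm sample): the second part is declared as
# audio/x-wav but named like a program and has no Content-Disposition, the kind of
# mismatch a preview-triggered MIME exploit relies on. Its body is base64 of "not a program".
SAMPLE_EML = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Hello</body></html>
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

bm90IGEgcHJvZ3JhbQ==
--b1--
"""


def scan_eml(raw):
    """Return findings for parts that should not pass a mail gateway unexamined."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # Content-Disposition filename or Content-Type name
        if not filename:
            continue
        if os.path.splitext(filename)[1].lower() not in EXECUTABLE_EXTENSIONS:
            continue
        ctype = part.get_content_type()
        findings.append("executable part %r" % filename)
        if not ctype.startswith("application/"):
            # A program labelled as audio/image/text may be handed to a viewer automatically.
            findings.append("declared type %s does not match %r" % (ctype, filename))
        if part.get_content_disposition() != "attachment":
            # Inline or missing disposition lets a preview pane render it without a click.
            findings.append("executable part %r is not marked as an attachment" % filename)
    return findings
```

Run `scan_eml` over each message at the gateway and quarantine anything that produces findings; the constructed sample yields three.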
Finally, stay up to date on Microsoft product flaws through the vendor's security alerts.
You can't rewrite the code or redesign the hardware of your vendor-supplied products, but you can be diligent about installing vendor-supplied patches and upgrades and keeping up to date on the security alerts for the applications and network hardware you use in your organization.