
Let us now investigate the case in which a system is affected by an infection (due to a malware action). Let us suppose that antivirus software as well as a firewall have been installed on the operating system. How should one act and react in this case? It depends on whether the security software (antivirus programs or other software) has detected the malware activity. In other words, has the attack been detected and identified? If not, a malware attack is mainly detected through its damaging effects (payload), which is a more dangerous, though less frequent, case.

Here are the main measures to take (let us specify that measures which are not generic will not be described). Considering the large number of features and constraints inherent to each computer environment, it goes without saying that it would be impossible to cover all of them. Applying the following measures will deal with the most urgent matters first. However, readers must be warned that the nature of a malware infection may prevent part or all of these measures from being applied (especially when an infection aims at damaging a system).

In all cases, any malware incident must be reported to the system administrator and the computer security officer, so that they can take all the precautionary measures to protect the system and subsequently conduct an investigation when required. Let us recall, for example, that if a vulnerability is discovered by someone with malicious intent, the latter can exploit it for as long as it goes unreported.

Case of a detected malware attack

The antivirus software (or the firewall, if we consider the case of a Trojan) has detected a virus. Let us recall that it may however be a false alert, whose frequency varies depending on the type of suspected file (zipped data for instance) or the type of antivirus software. Here follow the main measures to take.

1. Isolating the suspected computer (or computers) from the network to prevent further spread. It is absolutely necessary to stop the virus spreading whenever the antivirus software fails to do it; the case where the antivirus manages to detect a malware but fails to disinfect the computer is unfortunately still frequent. In some cases, closing one or several ports may be enough (e.g. port 135 for the Blaster worm), provided that the user knows the precise nature of the infection.

2. Backing up copies of data. It is better to save infected data than to potentially lose them. It goes without saying that they will have to be disinfected before being used. Log files on the server will have to be saved as well.

3. Backing up infected files. Users must make sure that the antivirus software always stores, as a default action, at least one copy of the virus in a harmless form (the easiest way to do so is to rename it and put it into quarantine). The main advantage of this practice is that once users have copies of the attack code, they can send them to experts for analysis. Moreover, if users take legal action against the virus author, the copy of the viral code may constitute valuable evidence. In case of damages, insurance companies (for computer risks) may wish to be given a copy as well for their own experts. Let us recall that antivirus software will not reveal the true nature of a given infection; this can only be done by code analysis.

4. Users will then have to use the antiviral program in eradication mode. As a general rule, if total eradication of the virus has succeeded, the computer may be considered safe. However, some sophisticated infections may use delayed mechanisms (which will only be triggered later) for automatic reinfection. Then, two solutions are possible:

• users perform low-level formatting of the hard disk(s) (including boot sectors) and completely reinstall the system. While this solution is indeed appropriate for a single computer, it proves inadequate in the case of a server. However, in some very sensitive contexts, no other solution can be envisaged;

• users may consult websites dealing with antivirus software and refer to the web pages concerning the infection (the best solution is to cross-check the information from different sites). As a rule, specific disinfectors are available on these web pages. It is also useful to get information about what to do once the infection and eradication are over (post-infection measures).

5. Post-infection and post-eradication measures. They will depend on the nature of the infection. As a first stage, it is strongly recommended to change all the passwords (especially if the infection is due to a worm). Many worms now embed keyloggers designed to steal passwords and send them via the network. Until the code analysis is done, this remains a safe precaution. As a second step, security patches must be applied to the software whose weaknesses and critical flaws allowed the infection. The same measure is recommended for images of the system (frequently called ghost images). As readers know, an infected image which has not been patched will inevitably compromise the system again whenever it is used for cloning the system. The proper solution is to completely replace the image of the system once the attack is over and each time the environment has been updated, especially in terms of security.

6. System/network administrators and computer security officers must therefore carry out an audit of their computer policy and its application, without forgetting to check their security tools, in order to find the origin of the infection.

7. If the attack has been launched with a purpose (and has been identified as such), it is essential to lodge a complaint even if the virus writer is unknown (footnote 13). The victim's sense of civic responsibility is vital insofar as police or "gendarmerie" (footnote 14) investigations can only be carried out if a complaint has been lodged with one of these two services. This is the only way to catch virus authors and to clear other people of all suspicion. Moreover, it may be the best way to prevent other people from being infected.
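Step 3 above asks that a copy of the detected code be kept in a harmless form for analysts, the police or insurers. The following Python script is an added example, not part of the book, of one way to do that: the live file is replaced by a byte-wise XOR-encoded copy (so it cannot run and will not set off scanners) named by its SHA-256 digest, with a JSON record of origin, size, hash and time kept for later analysis or as evidence. The quarantine directory layout, the XOR key and the constructed sample are this example's own assumptions.

```python
import hashlib
import json
import os
import tempfile
import time

XOR_KEY = 0x5A  # assumed constant: any fixed byte works, the aim is only to make the copy inert


def _xor(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data)


def quarantine(path: str, qdir: str) -> dict:
    """Replace the live file by an XOR-encoded .quar copy in `qdir` plus a JSON metadata record."""
    with open(path, "rb") as f:
        raw = f.read()
    sha256 = hashlib.sha256(raw).hexdigest()
    os.makedirs(qdir, exist_ok=True)
    stored = os.path.join(qdir, sha256 + ".quar")  # named by hash: easy to cite in a report
    with open(stored, "wb") as f:
        f.write(_xor(raw))
    meta = {"original_path": os.path.abspath(path), "size": len(raw), "sha256": sha256,
            "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "encoding": "xor-0x5a"}
    with open(stored + ".json", "w") as f:
        json.dump(meta, f, indent=2)
    os.remove(path)  # only the inert encoded copy remains on the system
    return meta


def restore_for_analysis(meta: dict, qdir: str, out_path: str) -> bool:
    """Decode a quarantined sample into an analyst's isolated directory, after checking its hash."""
    with open(os.path.join(qdir, meta["sha256"] + ".quar"), "rb") as f:
        raw = _xor(f.read())
    if hashlib.sha256(raw).hexdigest() != meta["sha256"]:
        return False  # stored copy was altered, so it is no longer usable as evidence
    with open(out_path, "wb") as f:
        f.write(raw)
    return True


def demo() -> dict:
    """Round trip on a constructed, harmless sample; returns checks a test can assert on."""
    work = tempfile.mkdtemp()
    sample, qdir, lab = (os.path.join(work, n) for n in ("suspect.exe", "quarantine", "lab_copy"))
    payload = b"MZ constructed sample, not real code\x00\x01\x02"
    with open(sample, "wb") as f:
        f.write(payload)
    meta = quarantine(sample, qdir)
    stored = open(os.path.join(qdir, meta["sha256"] + ".quar"), "rb").read()
    restored = restore_for_analysis(meta, qdir, lab) and open(lab, "rb").read() == payload
    return {"live_copy_removed": not os.path.exists(sample), "stored_is_inert": stored != payload,
            "restored_ok": restored, "sha256": meta["sha256"]}
```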

Case of an undetected infection

Let us now consider the case where antivirus software or firewalls fail to detect any viral activity. Instead, some unusual activities (like payloads, network slowdown or denial of service) have aroused the user's suspicion about the presence of a potential infection. This case is far more unusual, though more serious. Only the system administrator, perhaps with outside assistance, can take efficient measures, since only he has total control over the whole system. Here follow the main measures he must take.

1. Isolating (disconnecting) the system from other networks such as the Internet or other local networks (LANs). Isolating infected computers from clean ones. Special attention must be paid to the database or file servers, which must be carefully shut down in order both to stop the infective process and to prevent any potential payload from being triggered (file deletion, as an example).

Footnote 13: In France, in such a case, one must lodge a complaint against person or persons unknown. This action is called "plainte contre X" (literally, complaint against Mr. X). Then, investigations can be initiated.

Footnote 14: In France, the gendarmerie nationale is a section of the military, which provides police service outside major towns. At the present time, it is one of the two major parts of the French police force.

2. Saving all the data. As has already been mentioned, it is better to save infected data than to lose them completely. Once the antivirus software has been updated, it will be able to process the infected data which have been backed up.

3. Analysing the system fully and carefully. At this stage, as the antivirus software failed, the system administrator has to take over. As a general precaution, it is convenient to store an image of the system, regularly updated, as a reference archive (footnote 15). By using this image, the analysis will recover the files which have been modified (or added). In the first step, modified files which are not incriminated (footnote 16), due to their specific, non-dangerous format, are put aside. As a second step, identifying infected files or files which play a role in the infection (for instance, extra files in the case of companion viruses) will become easier. These files must be saved and sent to the police (and a complaint must be made) for analysis and investigation. It is also vital to send a copy of infected files to CERT offices (Computer Emergency Response Team) or equivalent offices.

4. Removing infected files or restoring safe files from backups will make the computer bootable. As a precaution, at an early stage, the computer will not be connected to the network. A period of quarantine is recommended if no information is known about the true nature of the infection. From that time on, the procedure will depend on the results of the viral analysis (some post-infection measures will be needed). At this point, we return to the situation we have just examined.
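Step 3 of the undetected case (and footnote 15) relies on a reference image or a list of file digests to find modified or added files, then sets aside those whose format cannot carry code. The following Python script is an added example, not a tool from the book: it records SHA-256 digests of a known-clean tree, compares the live tree against them, and reports added, modified and removed files split into analysis candidates and set-aside files. The harmless-extension list and the constructed sample tree (a companion file placed beside a program, as with companion viruses) are this example's own assumptions.

```python
import hashlib
import os
import tempfile

# Assumed: formats the administrator sets aside at the first step because they cannot carry code.
HARMLESS_EXT = {".txt", ".log", ".csv"}


def digest_tree(root: str) -> dict:
    """Map every file under `root` (path relative to root, '/' separated) to its SHA-256 digest."""
    table = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                table[rel] = hashlib.sha256(f.read()).hexdigest()
    return table


def compare(reference: dict, current: dict) -> dict:
    """List added, modified and removed files; split the first two into candidates and set-aside."""
    added = sorted(set(current) - set(reference))
    removed = sorted(set(reference) - set(current))
    modified = sorted(p for p in reference if p in current and reference[p] != current[p])
    changed = added + modified
    candidates = sorted(p for p in changed if os.path.splitext(p)[1].lower() not in HARMLESS_EXT)
    set_aside = sorted(p for p in changed if p not in candidates)
    return {"added": added, "modified": modified, "removed": removed,
            "candidates": candidates, "set_aside": set_aside}


def demo() -> dict:
    """Constructed reference tree, then a companion-virus style change: an extra file beside the program."""
    root = tempfile.mkdtemp()
    clean = {"bin/app.exe": b"original program", "etc/app.conf": b"debug=0", "var/app.log": b"start"}
    for rel, data in clean.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    reference = digest_tree(root)  # the digests recorded while the system was known to be clean
    # Simulated infection: a companion file next to app.exe, a changed config, an appended log line.
    for rel, data, mode in (("bin/app.com", b"constructed companion file", "wb"),
                            ("etc/app.conf", b"debug=1", "wb"), ("var/app.log", b"\nstopped", "ab")):
        with open(os.path.join(root, rel), mode) as f:
            f.write(data)
    return compare(reference, digest_tree(root))
```

The set-aside list still deserves a look once the candidates are understood, since a log or text file can be where a payload left its traces.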

Footnote 15: We may store file digests produced by hash functions for every file present in the system. But this solution only detects the effects of the infection and not its origin. The best solution consists in considering a complete copy of the whole system and analyzing it byte by byte.

Footnote 16: In this respect, we must be very cautious, especially when considering the infection mech-

5.2.5 Conclusion

The risk related to infective power does exist and will constitute a major threat in the future. However, this risk must not just be considered as an isolated problem but must be treated within a broader background that covers network security, applications, protocols, new or "exotic" hardware (like printers, cell phones, pocket PCs or other handheld computers)... In other words, any protection against viral risk must include and guarantee:

• a constant technological watch. Within any company or any public administration, the system administrator must take into account both the vulnerabilities which are regularly found in software and are liable to be exploited by viral programs, and their respective security patches, which must be applied as soon as the security alerts are published;

• the certainty that system or network administrators and security officers continuously and permanently keep a close watch on systems and networks. They should make sure that technological monitoring is performed round the clock all year long. As an illustrative example, in 2001 the Code Red worms, and in 2003 the Sobig-F and Blaster/Lovsan worms, were released and spread during the northern summer. It was no accident that these worms were launched at this period of the year, as system administrators and security officers are likely to be on holiday and consequently viral activity is likely to be less controlled during this period. In this field, you cannot afford to lower your guard.

Let us have a look at three eloquent figures: a report stating the vulnerabilities of IIS web servers which enabled the Code Red worm to spread [61], as well as its security patch, were published a month before the worm attacked. Roughly 400,000 servers were affected all over the world. Similarly, information about the critical security flaws exploited by the Sapphire/Slammer worm (January 2003) [25] and the corresponding security patch were available about six months before the Slammer worm spread. Nevertheless, 200,000 servers were infected all over the world. The Fortnight.F worm (footnote 17), which appeared in 2003 and managed to infect a huge number of computers, used an Outlook vulnerability detected and patched by Microsoft three years earlier! An example of a technological watch policy is provided in [20]. Any efficient antiviral protection policy requires that administrators and computer security officers subscribe to the moderated mailing lists (information lists) or alert bulletins of software companies and antivirus publishers, and consult professional computer security websites (for instance [116]). The latter publish in real time the latest news concerning detected vulnerabilities and security alerts.

Footnote 17: This variant of the Fortnight worm uses Java applets and JavaScript code to spread via email clients if the latter are set up to handle HTML files. For more details, please refer to the Sophos website.
