No. Firewall products are very useful for controlling what comes into or goes out of a network. But a firewall is like a computer (in many cases, a firewall is a specialized computer); it does only what the person who configures it tells it to do.
Firewalls can recognize and stop some types of attacks, but certain attacks exploit the characteristics of the protocols commonly used for legitimate network communications, and a packet might appear to be nothing more than a benign bit of data destined for a computer on the internal network. Trojans, viruses, and worms piggyback into the network as e-mail attachments or through remote file sharing.
Firewalls won’t catch them, but a good antivirus program, frequently updated and set to scan all incoming e-mail, might be able to. Many companies seem to operate under the assumption that installing a firewall is akin to invoking a magic spell that casts a force field of protection around their networks, rendering them completely immune to attack.
Even the best firewall won’t protect against social engineering attacks, nor will it do any good against internal attackers who have physical access to the network. Studies have shown that a large number of network-related crimes are actually “inside jobs.” Be sure to read Chapter 3, where we discuss how firewalls work, so that you understand why they are not the “cure-all” solution to network security that they’re sometimes made out to be.
Q: I think I understand the differences between a virus, a Trojan, and a worm. But what are all these other types of viruses I hear about: stealth viruses, polymorphic viruses, armored viruses, and cavity viruses?
Stealth viruses are able to conceal the changes they make to files, boot records, and the like from antivirus programs. They do so by forging the results of a program’s attempt to read the infected files. A polymorphic virus makes copies of itself to spread, like other viruses, but the copies are not exactly like the original.
The virus “morphs” into something slightly different in an effort to avoid detection by antivirus software that might not have definitions for all the variations. Viruses can use a “mutation engine” to create these variations on themselves. An armored virus uses a technique that makes it difficult to understand the virus code. A cavity virus is able to overwrite part of the infected (host) file while not increasing the length of the file, which would be a tip-off that a virus had infected the file.
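The cavity-virus point above, that an infection can leave the file length unchanged, is the reason file-integrity tools compare a cryptographic hash rather than the size. The following Python example is added here to illustrate that; it is not code from the book. The "host file" and the same-length modification are constructed stand-ins (plain bytes, not a real program or virus), and the function names are my own.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """What an integrity checker records for a file: its length and a strong hash."""
    size: int
    sha256: str


def take_baseline(data: bytes) -> Baseline:
    return Baseline(size=len(data), sha256=hashlib.sha256(data).hexdigest())


def size_looks_unchanged(data: bytes, baseline: Baseline) -> bool:
    """Weak check: only compares the file length against the baseline."""
    return len(data) == baseline.size


def hash_looks_unchanged(data: bytes, baseline: Baseline) -> bool:
    """Strong check: compares a SHA-256 digest of the whole content."""
    return hashlib.sha256(data).hexdigest() == baseline.sha256


def overwrite_in_place(data: bytes, offset: int, patch: bytes) -> bytes:
    """Constructed stand-in for a same-length modification of a host file
    (the kind of change the text attributes to a cavity virus): the bytes at
    `offset` are replaced and the total length does not change."""
    if offset < 0 or offset + len(patch) > len(data):
        raise ValueError("patch does not fit inside the file")
    return data[:offset] + patch + data[offset + len(patch):]


# Constructed sample "host file": a short header, a run of zero padding
# (an unused gap, i.e. a cavity), then some content. Not a real executable.
HOST_FILE = b"HDR1" + b"\x00" * 32 + b"original program content"


def demo() -> dict:
    baseline = take_baseline(HOST_FILE)

    # Same-length change inside the padding: the size check passes, the hash check fails.
    in_place = overwrite_in_place(HOST_FILE, offset=4, patch=b"X" * 16)
    # Appended change: both checks notice it, because the length grew.
    appended = HOST_FILE + b"extra bytes"

    return {
        "in_place_size_ok": size_looks_unchanged(in_place, baseline),   # True  (missed)
        "in_place_hash_ok": hash_looks_unchanged(in_place, baseline),   # False (caught)
        "appended_size_ok": size_looks_unchanged(appended, baseline),   # False (caught)
        "appended_hash_ok": hash_looks_unchanged(appended, baseline),   # False (caught)
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The size-only check reports the in-place change as clean, which is exactly the tip-off the text says a cavity virus avoids; a hash over the full content catches both kinds of change.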
The term rootkit was developed as a hacker term, although rootkits can also be used for what some vendors consider valid purposes. For example, if Digital Rights Management (DRM) software is installed and kept hidden, it can control the use of licensed, copyrighted material and prevent the user from removing the hidden enforcement program. However, such usage is no more welcomed than a rootkit that does damage or allows spyware to thrive without detection.
Q: I have an infected system and I cannot figure out what is wrong. Where can I look to find further information on the Internet?
Information about specific viruses and instructions on how to clean an infected system are available at www.symantec.com and www.mcafee.com. Both antivirus vendors provide detailed databases that list and describe known viruses. For more information on viruses, worms, and Trojans, see the article “How Computer Viruses Work,” at www.howstuffworks.com/virus.htm.
A cookie is just a bit of text in a file on your computer, containing a small amount of information that identifies you to a particular Web site, and whatever information that site wanted to retain about you when you were visiting. Cookies are a legitimate tool that many Web sites use to track visitor information.
For example, they may track your Web surfing habits across many different Web sites without informing you, and then use this data to customize the advertisements you see on Web sites, which typically is considered an invasion of privacy. It is difficult to identify this and other forms of “cookie abuse,” which makes it difficult to decide whether, when, and how to block them from your system. In addition, the acceptable level of shared information varies among users, so it is difficult to create an “anticookie” program to meet everyone’s needs.
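Because a cookie is only a short line of text, the cross-site tracking described above can be recognized from the cookie's own attributes: a cookie scoped to a host other than the page you are visiting, and given an expiry so it survives across sessions, is the usual shape of a tracking cookie. The Python example below is added here to show that classification; it is not from the book. The Set-Cookie headers, host names and the allow/flag logic are constructed for illustration, and the matching uses a plain suffix rule rather than the public-suffix list that real browsers consult.

```python
from dataclasses import dataclass


@dataclass
class CookieRecord:
    name: str
    value: str
    domain: str          # host the cookie is scoped to, without a leading dot
    persistent: bool     # has Expires or Max-Age, so it outlives the browser session
    third_party: bool    # scoped to a host other than the page being visited


def parse_set_cookie(header: str, response_host: str) -> tuple:
    """Minimal Set-Cookie parser: returns (name, value, attributes-dict).
    Attribute names are lower-cased; flags such as HttpOnly get an empty value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # With no Domain attribute a cookie belongs to the host that set it.
    attrs.setdefault("domain", response_host)
    return name.strip(), value, attrs


def is_third_party(page_host: str, cookie_domain: str) -> bool:
    """Simplified host matching: the cookie is first-party if the page host equals
    the cookie domain or is a subdomain of it (assumption: no public-suffix handling)."""
    page_host = page_host.lower()
    cookie_domain = cookie_domain.lstrip(".").lower()
    return not (page_host == cookie_domain or page_host.endswith("." + cookie_domain))


def classify_cookies(page_host: str, responses: list) -> list:
    """responses: list of (response_host, set_cookie_header) pairs seen while
    loading page_host. Returns one CookieRecord per header."""
    records = []
    for response_host, header in responses:
        name, value, attrs = parse_set_cookie(header, response_host)
        domain = attrs["domain"].lstrip(".").lower()
        records.append(CookieRecord(
            name=name,
            value=value,
            domain=domain,
            persistent=("expires" in attrs) or ("max-age" in attrs),
            third_party=is_third_party(page_host, domain),
        ))
    return records


def likely_tracking_cookies(page_host: str, responses: list) -> list:
    """Names of cookies that are both third-party and persistent."""
    return [r.name for r in classify_cookies(page_host, responses)
            if r.third_party and r.persistent]


# Constructed sample: one page load that pulls content from an ad host.
PAGE_HOST = "www.shop.example"
RESPONSES = [
    ("www.shop.example", "session=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "prefs=dark; Domain=.shop.example; Max-Age=2592000; Path=/"),
    ("ads.adnet.example", "uid=77fe; Domain=.adnet.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
]

if __name__ == "__main__":
    for rec in classify_cookies(PAGE_HOST, RESPONSES):
        print(rec)
    print("likely tracking:", likely_tracking_cookies(PAGE_HOST, RESPONSES))
```

The session cookie is first-party and disappears when the browser closes; the preferences cookie is persistent but still first-party; only the cookie set by the ad host for its own domain meets both criteria. Whether to block it is the judgement call the text describes, but the classification itself is mechanical.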
Some forms of spyware monitor a target’s Web use or even general computer use and send this information back to the spyware program’s authors for use as they see fit. To fight this kind of problem, a spyware removal tool is obviously helpful, as is a firewall that monitors outgoing connections from your computer. Other forms of spyware take over parts of your Web browsing interface, forcing you to use their own search engines, where they can track your browsing habits and send pop-up advertisements to you at will.
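A firewall that watches outgoing connections catches spyware by the one thing it cannot avoid doing: sending data out. The Python example below, added here and not from the book, shows the kind of review such a tool performs over an outbound-connection log. The log format, the process allowlist, the addresses (RFC 5737 documentation ranges) and the beaconing threshold are all constructed assumptions; a real product keeps a much richer notion of which programs are expected to talk to the network.

```python
import re
from collections import defaultdict

# Constructed log line format: timestamp, process name, destination, port.
LOG_LINE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$")

# Constructed allowlist of programs expected to make outbound connections.
ALLOWED_PROCESSES = {"firefox.exe", "outlook.exe", "svchost.exe"}


def parse_line(line: str):
    """Returns a dict for a well-formed line, None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def review_outbound(lines, allowed=ALLOWED_PROCESSES, beacon_threshold=3) -> dict:
    """Two simple signals a host firewall can raise:
    - an unknown program making outbound connections at all, and
    - an unknown program connecting repeatedly to the same destination
      (the regular 'phone home' pattern the text describes)."""
    unknown = defaultdict(set)
    repeats = defaultdict(int)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed lines are counted, not silently dropped
            continue
        key = (rec["proc"], rec["dst"], rec["port"])
        repeats[key] += 1
        if rec["proc"] not in allowed:
            unknown[rec["proc"]].add((rec["dst"], rec["port"]))
    beacons = sorted(k for k, n in repeats.items()
                     if n >= beacon_threshold and k[0] not in allowed)
    return {
        "unknown_processes": {p: sorted(d) for p, d in unknown.items()},
        "beacons": beacons,
        "skipped_lines": skipped,
    }


# Constructed sample log: normal browser and mail traffic, plus an unknown
# program contacting the same host three times.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 proc=firefox.exe dst=203.0.113.10 port=443",
    "2024-05-01T10:00:02 proc=outlook.exe dst=198.51.100.5 port=993",
    "2024-05-01T10:00:05 proc=helper.exe dst=203.0.113.77 port=80",
    "this line is not in the expected format",
    "2024-05-01T10:05:05 proc=helper.exe dst=203.0.113.77 port=80",
    "2024-05-01T10:06:00 proc=firefox.exe dst=203.0.113.10 port=443",
    "2024-05-01T10:10:05 proc=helper.exe dst=203.0.113.77 port=80",
]

if __name__ == "__main__":
    report = review_outbound(SAMPLE_LOG)
    for proc, dests in report["unknown_processes"].items():
        print(f"unknown program {proc} connected to {dests}")
    for proc, dst, port in report["beacons"]:
        print(f"repeated connections: {proc} -> {dst}:{port}")
```

The allowlisted programs generate no alert even though the browser connects to the same site twice; the unknown program is reported once for being unknown and once more for its regular connections to a single destination. Real tools add a prompt for the user at that point, which is the "monitoring" the text recommends.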
The biggest concern regarding spyware is that most spyware is poorly written or designed. Many people first realize their computer is running spyware when it noticeably slows down or stops responding, especially when performing certain tasks such as browsing Web sites or retrieving e-mail. In addition, poorly written spyware can often cause your computer to function incorrectly even after it has been removed.
Q: Malware has completely taken over my PC and I cannot do anything to fix it. What is the best next step?
You used to be able to clean up most malware infections using various kinds of specialized antivirus and antimalware software. Sadly, this is no longer the case. Once upon a time, malware was written by amateurs and teenagers. But now, many very skilled programmers work on malware, because it is now a money-making business. Malware has become so insidious that it is often impossible to remove without expert or professional help.
You should first attempt to remove an infection with automated tools. If that fails (and most likely it will), there are two classes of antimalware software that you should use. The first is traditional antivirus software, which is very good at handling viruses and worms and not so great at handling newer styles of malware. The other kind of software is antispyware software, which is good at the newer sort of malware but not so good at the old kind. When attempting to clean up an infected system, you should run at least one of each.
If you were running antivirus software when you became infected, you should see whether it was keeping itself up-to-date, or try running a different program. Proven antivirus software companies include Symantec (a.k.a. Norton), McAfee, Panda Software, Trend Micro, F-Secure, Eset (maker of NOD32), and Kaspersky Labs. Many of these companies have free Web-based scanners (ironically based on ActiveX) or downloadable tryout versions.
Antispyware software is a little more difficult. The various antivirus companies have been in business a long time, but antispyware is a new kind of software that was born at the same time as the modern age of malware. Therefore, many antispyware software companies are either incompetent or outright frauds.
It’s been discovered that malware is very quickly outgrowing the capability of automated software to clean it. The automated tools you try may not work, even if you try multiple ones. Therefore, you will probably end up having to get help. Many local computer repair companies can clean infected computers. You may know an expert who is willing to help you. Sometimes the experts will tell you that the best or only way to take care of a really bad infection is to back up your personal data, clean out the computer completely, and start from scratch. They are not lying. Attempting to eradicate an infection by hand can be extremely time-consuming and is often unsuccessful, even for experts.
Q: Do I need additional antimalware and spyware tools, now that Vista and Internet Explorer are supposedly more secure and provide them?
With Windows Vista and Internet Explorer 7, you are definitely more secure than you were using older versions of the OS and Web browser. The fact is that you now get these applications with the base OS instead of having to pay for or download a third-party vendor’s utility. Vista does not come with antivirus software, so you will need to acquire that separately. What Vista does have is a built-in spyware tool that helps prevent “some” malware exploits from taking place. Vista also has a built-in host-based firewall. Make sure that you add antivirus software for full protection.