If I asked for a show of hands of who was affected by the Slammer or Code Red worms, a significant percentage of the hands in the room would go up. Why? Because these two worms are examples of a new breed of malicious code that has been released onto the world's network. The worst part is that most virus scanners to date are completely unable to prevent attacks of this kind, even when they have updated and current definition...
So what's the issue? Memory-resident-only code. The Slammer worm and Code Red are two examples of malicious code that does not write itself to the hard drive of a compromised system. Instead, it installs itself as an active service or process. Most virus scanners are unable to stop this type of attack because they focus on scanning files stored on the hard drive. Those that were capable of detecting in-memory attacks were also rendered useless because the worms acted as system services, and the virus scanners did not have the ability to stop system services. Thus, these bad boys -- even if detected -- could have kept on playing cruelly with your system, right under the watchful eye of your electronic malicious code sentry.
However, numerous antivirus software vendors have learned from these recent outbreaks and have re-tooled their flagship products to erect a new barrier of protection against memory-resident only attacks. Basically, the new features include the ability to scan all active processes, whether initiated by the user account or the system, including all system services, and look for malicious code or suspect activity. Once detected, these new scanners have been granted the ability to stop services that fail the innocence tests.
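To make the per-process check concrete, here is an added example (not from the original article or any vendor's product) that looks through each process's memory map for executable regions with no file on disk behind them, which is exactly what a file-only scanner never sees. It assumes the Linux /proc/<pid>/maps layout as the memory source; the process names, owners and map snapshots are constructed.

```python
# Added example: input uses the Linux /proc/<pid>/maps layout (an assumption).
from collections import namedtuple

Finding = namedtuple("Finding", "pid owner name region reason")

# Kernel-provided executable pages that are expected in every process.
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}

def scan_maps(pid, owner, name, maps_text):
    """Return a Finding for each executable region a file scanner cannot see."""
    findings = []
    for line in maps_text.strip().splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # skip malformed lines
        region, perms, inode = fields[0], fields[1], fields[4]
        path = fields[5].strip() if len(fields) == 6 else ""
        if "x" not in perms or path in KERNEL_REGIONS:
            continue
        if inode == "0":
            # Can be legitimate (JIT compilers); treat as a lead, not a verdict.
            findings.append(Finding(pid, owner, name, region, "executable, no backing file"))
        elif path.endswith(" (deleted)"):
            findings.append(Finding(pid, owner, name, region, "backing file deleted"))
    return findings

def scan_all(snapshots):
    """Scan every process, whichever account owns it."""
    return [f for snap in snapshots for f in scan_maps(*snap)]

# Constructed snapshots: one system service, one user process.
SNAPSHOTS = [
    (412, "root", "dbserverd", """
55d0c8a00000-55d0c8a2c000 r-xp 00000000 08:01 131090 /usr/sbin/dbserverd
7f1c2a000000-7f1c2a021000 rwxp 00000000 00:00 0
7ffd3b1e0000-7ffd3b1e2000 r-xp 00000000 00:00 0 [vdso]
"""),
    (2310, "alice", "editor", """
5581f0400000-5581f0450000 r-xp 00000000 08:01 262211 /usr/bin/editor
7f9e10000000-7f9e10021000 rw-p 00000000 00:00 0
"""),
]

if __name__ == "__main__":
    for f in scan_all(SNAPSHOTS):
        print(f"pid={f.pid} owner={f.owner} {f.name} {f.region}: {f.reason}")
```

Only the system-owned service is flagged in the constructed data, which is why a scanner that inspects user processes alone would report nothing.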
Before another round of debilitating worm attacks occurs, visit your antivirus vendor's Web site to see if they have improved their product with this new weapon. If they don't offer it, it's time to switch to a vendor that is more up-to-date with malicious code trends. After all, the integrity of your network is at stake -- why rely on a tool that doesn't have all the available features?
About the author
James Michael Stewart is a partner of ITinfo Pros, Inc., a technology-focused writing and training organization.