First published: 01st June 1995
By Allan G. Dyer M.Sc.(tech) B.Sc. AIDPM MIAP MHKCS, Head of F-PROT Technical Support, Yui Kee Co. Ltd.
Local Area Networks are very common in businesses. What special threat do viruses pose to them? This question can be divided into two: what happens when an ordinary virus gets loose on a network, and are there network-specific viruses?
To answer the second question first, there are no common network-specific viruses. Viruses that make use of network features are technically possible. One example is Jerusalem.GP1, which captures Novell Netware login packets and transmits the passwords to a particular node address. Fortunately, this does not work on Netware version 2.x or later.
Another technical possibility would be to write a virus that ran on a fileserver, for example, an NLM virus for Novell Netware. However, such a virus would not spread very well: there are far fewer Netware fileservers than there are DOS machines, and Network Administrators do not exchange NLMs in the same way as DOS programs are often exchanged. Add to this the fact that the tools and skills for creating NLMs are far less widely available than the corresponding DOS tools, and the gap between a technical possibility and a likely attack to worry about widens.
Ordinary Viruses
Suppose an ordinary virus infects a workstation on a network. What happens next will depend on what the virus is and how the network was set up.
If the virus concerned is a boot sector virus, it will infect the local hard disk and, generally, every floppy disk used in that machine. It will not travel via the network to another workstation. A network, then, will slow the spread of boot sector viruses, as people who can use a network to transfer information will use floppy disks less.
Suppose it is a file virus (fig. 1). A user at workstation A runs an infected program (VIRUS.EXE) from a floppy disk. The virus becomes resident in the memory of workstation A and tries to infect programs that are run. Programs on the local hard disk will become infected. When the user executes a program from the fileserver, the virus will attempt to infect it. It will succeed if the user has write-access to the program on the fileserver. Viruses can easily get around the DOS "Read-Only" file attribute: they can simply change it, and change it back after they have infected the program. A virus cannot do the same on a network disk, however, if the user does not have the right to do it.
If user A does have the right, then the file will be infected and the other workstations will become infected when they run the infected file. In this situation, the virus will spread faster on a network than on a collection of unconnected machines. The worst case is when the LOGIN.EXE program becomes infected: all users will then infect their machines the next time they log in!
From this it can be seen that the System Administrator holds the key to security throughout the network. Most System Administrators make program directories read-only for ordinary users; this will prevent those users from infecting the programs if their machine becomes infected. However, the System Administrator has write access to ALL files, so if his/her machine becomes infected, all users will become infected very quickly. For this reason, I would recommend these guidelines for System Administrators:
- Only give users write access where they need it.
- Have two user names, one with full System Administrator rights, the other with ordinary user rights. Only use the full, System Administrator user name when you need those rights. This is useful for other reasons, such as protecting against accidents or software bugs, and testing newly installed software with the same rights that ordinary users have.
- Only log in as System Administrator from workstations you know to be clean (check the anti-virus software is running correctly).
- Scan incoming software with at least two good scanners.
- Beware of users copying programs (infected or not) to directories intended for data.
Some file viruses will not be able to infect across a network at all: these are viruses that directly access or modify the disk structure, such as DIR II.
Another point to remember is that, even if a virus cannot modify programs on the fileserver, it still might corrupt data files. A virus on a workstation is still a threat to everyone's data, and should still be hunted down and destroyed. Some anti-virus software has useful network features and capabilities, such as sending messages to the administrator when a virus is found on a workstation or logging off workstations that do not have the anti-virus software loaded.
This discussion has concentrated on client-server rather than peer-to-peer networks (such as Windows for Workgroups), but the same principle holds: A virus trying to infect files across the network will be restricted to the same rights as the user who executed the virus. Denying write-access rights to program files is therefore a good idea.
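The guidelines above (write access only where needed, no programs in data directories) can be checked mechanically. The following audit sketch is an added example, not part of the original article; it assumes the shared volume sits on a POSIX host where owner/group/other permission bits reflect users' rights (ACLs and NetWare trustee rights are not modelled), and the extension list and function names are illustrative.

```python
import os
import stat

PROGRAM_EXTS = {".exe", ".com", ".bat", ".ovl"}  # assumed list of DOS program types

def is_program(path):
    """A file is a program if its extension says so or it starts with the DOS 'MZ' header."""
    if os.path.splitext(path)[1].lower() in PROGRAM_EXTS:
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"   # catches programs renamed to look like data
    except OSError:
        return False

def has_write(st, uid, gids):
    """POSIX owner/group/other check: may this account write to the object?"""
    if uid == 0:
        return True                      # the administrator can write everywhere
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def can_modify(file_st, dir_st, uid, gids):
    # The file's owner can flip its read-only bit (like the DOS attribute), and
    # a writable directory lets the file be replaced even if it is read-only.
    return (has_write(file_st, uid, gids) or file_st.st_uid == uid
            or has_write(dir_st, uid, gids))

def audit_share(root, uid, gids=(), data_dirs=()):
    """Return (programs the account could alter, programs found under data_dirs)."""
    data_dirs = {d.lower() for d in data_dirs}
    exposed, misplaced = [], []
    for folder, _subdirs, files in os.walk(root):
        dir_st = os.stat(folder)
        rel_folder = os.path.relpath(folder, root)
        top = rel_folder.split(os.sep)[0].lower()
        for name in files:
            path = os.path.join(folder, name)
            if not is_program(path):
                continue
            rel = os.path.normpath(os.path.join(rel_folder, name))
            if can_modify(os.stat(path), dir_st, uid, gids):
                exposed.append(rel)      # infectable with this account's rights
            if top in data_dirs:
                misplaced.append(rel)    # program stored where only data belongs
    return sorted(exposed), sorted(misplaced)
```

Call `audit_share` with the uid and group ids of an ordinary account and the names of the top-level data directories; every path in the first list is a program that an infected workstation logged in as that account could alter.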
A good System Administrator can greatly reduce the effect of virus incidents on an organisation; a bad one can make the situation much worse.