What if you could stop a new virus from zooming through your company —
without waiting for antivirus firms to update their
programs and without waiting for Microsoft's latest patches
to be installed on all your PCs?
One vendor that specializes in helping enterprises patch Windows
has developed a method to do just that. It's called "cratering."
How Cratering Works
Cratering takes advantage of the fact that Windows NT, 2000, XP, and 2003
support a feature known as Access Control Lists (ACLs). These lists, which
reside on PCs and control which files can be accessed,
can be modified by network adminstrators at a distance. With
the proper software tools, an admin can remotely change the ACLs on hundreds or
thousands of PCs in a corporate network without leaving his or her desk.
Using ACLs to halt virus activity has best been described by Leiberman
& Associates, a Beverly Hills, Calif., company that sells enterprise-level
PC management software to do the job. But the technique can also be
performed using free software programs.
How ACLs Can Control Virus Infections
Before we consider those software alternatives, let's first look at the
basic steps in controlling a virus infection using ACLs:
• Virus detection.
If your help desk receives a call that a PC is constantly rebooting or
that some program is consuming 100 percent of its CPU
time, a new virus that wasn't caught by your antivirus software may be
the cause. This was true of the recent MyDoom worm. It was launched
by someone on Jan. 26 and quickly became the fastest-speading
infection of all time, comprising as many as 1 out of every 12 e-mails at
its peak, as measured by e-mail consulting firm
MessageLabs. The worm circulated for about two days before updates
that recognized it were available for various antivirus programs, according
to eEye Digital
Security.
• File access denial.
Viruses work by executing a specific file, which is usually launched
automatically from one of the Run lines in the Windows Registry. When an
infected machine is examined for programs that are running (using the built-in
Windows Task Manager or a similar tool), the virus file can be identified.
• Set ACLs to "Deny."
Using Cacls.exe, a command-line utility built into Windows, or other tools
that are described below, set the ACL for the virus executable to Deny for all
users. This prevents any user, or even the operating system itself,
from running the executable again. To stop the instance that's already
running, reboot the PC. The virus won't start again, even if it's listed
in a Run line of the Registry, because access to the file has been denied.
In a word, the virus has been "cratered."
With network-management tools, the process of setting ACLs on infected
machines and then rebooting them can be automated and run by an
administrator from any location on a network.
Inoculating PCs Against Future Virus Infections
The president of Lieberman & Associates, Phil Lieberman, says he
came up with the idea of cratering when the infamous MSBlaster worm
was wreaking havok with networks around the world last August. The virus
made it impossible for one of the infected machines he examined to
download a patch.
"The network bandwidth it was using was so high that you literally couldn't
get out," Lieberman explains.
He hit upon the idea of preventing the virus executable from running by
denying access to it through ACLs. Once this was done and the PC was rebooted,
the virus couldn't start and the machine could be upgraded by normal means.
The ACL technique, to be sure, is not a substitute for a rigorous regime
of updating Windows and your anti-virus signature files regularly.
Nor would it work on a mass basis against a specialized class of viruses that
generates new file names at random.
But it does lend itself to crisis situations in which a new virus threatens
to overwhelm a corporate network. When your alternatives are (1) disconnecting
your entire company from the Internet, or (2) simply prohibiting a file
with a certain name from running, the latter option is sure to be less
disruptive to your workplace.
Conclusion
Besides the built-in Calcs.exe program mentioned above, Microsoft also
provides Xcalcs, a program that's included with copies of the
Microsoft Windows Resource Kit. Third-party tools such as
SetACL are also available.
More sophisticated network-management suites can automate the setting
of ACLs on PCs across entire domains, along with numerous other tasks.
Lieberman & Associates'
User Manager Pro
software has offered such features since version 4.66, which was released
last August.
To promote this use of ACLs, Lieberman released on Jan. 27 a white paper
on how to defeat the MyDoom virus, along with an older paper entitled
Cratering. Both are available in HTML and PDF form at the LANICU
white paper page.