Viruses and Windows NT
What Is a Computer Virus?
"Computer virus" is a phrase that strikes fear into the hearts of both computer professionals and end users. What is a virus, and more importantly, how can it affect Windows NT?
To define what a computer virus is, let's start with the definition of a common virus taken from the Oxford American Dictionary: "a very simple organism ... capable of causing disease." If you extrapolate this to the computer world, you get a good definition of a computer virus: "a very simple piece of software code, written with the intent of causing system malfunctions." This is fairly generalized, but it is an accurate description for our purposes.
Although today there are literally thousands of computer viruses, they have all sprung up in the last few years. It wasn't until the latter half of the 1980s that computer viruses began to appear. Many of the first viruses were written as proof of concept, not always with ill intent in mind.
How Do Computer Viruses Spread?
Just as human viruses spread with contact, so do computer viruses. If you want to avoid catching a virus, you could simply hide out in your house and have no interaction with other people. Similarly, if you want to prevent any chance of your computer catching a virus, you can keep it from communicating with other computers by never connecting it to a network and never inserting a floppy disk or CD-ROM. But, quite frankly, that takes most of the use, and all of the fun, out of using a computer. Computer connectivity is becoming an increasingly important medium in our information-based society, and simply disassociating yourself is not a solution.
How do viruses spread? I defined a virus as a simple piece of code that does unwanted and often malicious things. How does this code get into someone's computer? Usually this is accomplished by piggybacking onto another piece of useful, or good, code. For instance, you write a piece of virus code and then attach it to a game. Whenever the game is loaded, you have the viral code look around the hard drive for other programs. The code then copies parts of itself into the start-up routines of these other programs. Now these other programs are infected. Attaching a piece of viral code onto a piece of software that is otherwise attractive is a common method of distribution.
To make matters worse, there are other ways of spreading viruses that many people don't know about. A piece of viral code can be stored anywhere there are instructions that will be executed by a computer. This includes the boot record of a disk, as well as macro functions, including those in office automation applications such as Microsoft Office.
The Myth of Viruses and Windows NT
To set the record straight, Windows NT is not immune to viruses in any way. Too many people have to find this out the hard way before taking action. The misconceptions of NT's alleged virus resistance mostly come from exaggerated tales of NT's Hardware Abstraction Layer (HAL). The HAL prevents software routines from writing directly to hardware, thus making NT resistant to one of the more common techniques used by viruses to assist in their propagation. Also, because NT prevents one 32-bit application from accessing the memory space of another 32-bit application, Windows NT can prevent viruses that spread by loading into memory and then watching for other programs to load.
To many people, that might sound pretty good. The problem is viruses that employ additional schemes in their pursuit of mayhem. Even hinting that NT might in some way be virus-proof gives people the wrong impression. As Windows NT Server and NT Workstation become more prevalent in the marketplace, so will the number of NT-specific viruses.
What Is Protected in NT Server?
When you talk about protecting Windows NT Server against viruses, there are actually two distinct roles that need to be addressed: NT as a file server and NT as a workstation.
Most people use Windows NT Server in some capacity as a file server. Even systems that act primarily as application servers usually play at least a minor role as a file server. Because most viruses infect files and are transmitted by accessing or executing an infected file, one primary duty is to ensure that NT Server is not used as a medium to transmit viruses. It is also important to understand the consequences of viruses passing through NT Server and how it's done. For instance, imagine you are connected to an NT Server from a Windows 95 client and your system gets infected by a virus called X. If the task of virus X is to propagate by infecting all executables on all mounted volumes, it might first infect your local hard disk and then move to volumes mounted from the NT Server. If you have write permission to any executables on the server, such as in a public region, the virus could infect those files. Then when someone else on the network accesses the infected files from the server, their computer could become infected as well. So the virus spreads. In this instance, the NT Server is merely a host to the virus, and the virus cannot harm the NT Server.
However, because Windows NT Server can also be used as a workstation console to execute standard programs, you also have to worry about the possibility of infecting the server from the console. In this instance, you might install a utility on the NT Server console and not realize that the utility has been infected by a virus. Unlike the previous instance, you can actually harm the NT system itself. Additionally, depending on the rights of the user you were logged in as at the time of infection, the virus could infiltrate other files on the server. When a client accesses one of these infected files, it too could become infected. Thus the virus spreads.
Types of Computer Viruses
For these purposes, I classify viruses into five major types, based on the environment in which they were designed to function. They are MBR viruses, DOS viruses, Windows 3.x viruses, native Windows NT viruses, and macro viruses. In each of the sections, I address how the viruses in that area typically spread, and more importantly, how they could possibly affect Windows NT.
Master Boot Record (MBR) Viruses
The vast majority of viral infections come from boot sector viruses. These are pieces of viral code that attach themselves to the boot sector of a floppy or hard disk. This boot sector normally contains a small piece of code that is executed when the disk is booted. A boot sector virus typically spreads by attaching a copy of itself onto the boot sector of all currently mounted local disks, such as your hard disk and any floppy disks. Additionally, the boot sector virus keeps a small piece of code resident in memory that is used to infect other disks that are inserted into the computer, thus spreading itself.
The boot sector virus is loaded before any operating system code, and therefore can be considered operating system independent, running on any Intel-compatible system designed for running MS-DOS.
However, there are problems with boot sector viruses and Windows NT. First, when you install Windows NT, it uses its own boot sector code, which differs from the standard DOS code. Most boot sector viruses expect a standard piece of boot code and make assumptions based on this expectation. The problem is when your NT system gets a boot sector virus and you try to boot your system. Depending on the virus, one of two things happens.
If the virus makes radical changes to the boot sector (such as encrypting the partition information), then when it passes control to Windows NT for the operating system to begin loading, NT loads its own piece of code that continues the boot process. This differs from traditional DOS methods, where the operating system relies on BIOS-level calls; the virus traps those calls and passes correct information back to the OS, enabling it to boot. Because NT doesn't rely on these BIOS-level calls, the virus is cut out of the loop. Because the virus has altered the boot information, usually by encryption, NT is unable to continue the boot process and typically dies with a blue screen error message.
The second kind of boot sector virus is similar to the first, except it does not actually make changes to the boot information. In this case, when NT begins loading, it completely ignores the viral code, because it uses its own boot code, thus rendering the virus impotent. Unfortunately, this kind of boot sector virus is less common than the first.
How can NT get infected by a boot sector virus? Typically, there are two ways to get infected by a boot sector virus. The first is by using an infected disk (usually a floppy disk) that drops the virus onto your system. However, when NT is alive, it cannot be infected in this manner because the infection process actually requires writing directly to the hardware, something that is disabled by NT's Hardware Abstraction Layer (HAL). The second way of spreading a boot sector virus is to boot a system from an infected disk. Unfortunately, this often happens because of a user's mistake. More often than not, a user works with a floppy disk, forgets the disk is in the drive, and restarts the system. If this disk is infected and the system reads the boot code, the virus is replicated onto your local hard drives, thus infecting your system. Because NT is not alive at this point, it cannot protect itself. To help guard against this, you might want to disable booting from floppy disks if your hardware supports such an option.
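The two cases above both come down to whether the first 446 bytes of the Master Boot Record (the boot code) and the partition table that follows them still match what was written at installation time. The following Python example, added here and not taken from the book, parses a 512-byte MBR image, validates the 55 AA boot signature, decodes the four partition entries, and compares a hash of the boot-code area against a baseline recorded while the system was known to be clean. The MBR layout (446 bytes of code, four 16-byte partition entries, two signature bytes) is the standard one; the sample images, the baseline hash and the function names are constructed for this example.

```python
"""Offline integrity check of a Master Boot Record image (added example).

A boot-sector virus overwrites the boot code at the start of the disk and may
also alter the partition table. Given a baseline hash of the clean boot code,
this script reports whether a captured MBR still matches it.
"""
import hashlib
import struct

BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
SIGNATURE_OFFSET = 510        # bytes 510..511 must be 55 AA


def parse_mbr(image: bytes) -> dict:
    """Decode the fixed-layout fields of a 512-byte MBR image."""
    if len(image) != 512:
        raise ValueError("MBR image must be exactly 512 bytes")
    signature = struct.unpack_from("<H", image, SIGNATURE_OFFSET)[0]
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # boot flag, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped),
        # 32-bit LBA start, 32-bit sector count, all little-endian
        boot_flag, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", image, offset)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({
                "index": index,
                "bootable": boot_flag == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "signature_ok": signature == 0xAA55,  # bytes 55 AA read little-endian
        "boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(image: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(image)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from the clean baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active (bootable) partition")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte MBR with one active NTFS-type partition."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 446 bytes")
    image = bytearray(512)
    image[:BOOT_CODE_LEN] = boot_code
    # Entry 0: active, type 0x07, starting at LBA 63, 2,097,152 sectors (constructed values)
    struct.pack_into("<B3sB3sII", image, PARTITION_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    image[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xaa"
    return bytes(image)


# Constructed samples: a "clean" boot code area and a tampered copy.
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 438)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # recorded while clean
TAMPERED_MBR = make_sample_mbr(b"\xeb\x1c\x90" + b"\x00" * 443)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

In practice the baseline hash would be recorded right after installation and stored with the emergency boot disk, so that a boot failure can be triaged offline by reading sector 0 from another operating system and running the check against it.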
DOS Viruses
Although MBR viruses account for the largest number of infections, they don't account for the largest number of viruses. DOS-based viruses actually make up the largest segment of the virus population. You can further split DOS viruses into two categories: those that load a portion of code into memory, where it can continue to infect other programs, and those that perform their functions only when they are executed.
This distinction is made to identify what effects the viruses can have on Windows NT. The first group, which loads a memory-resident piece of code, was very effective under DOS and Windows 3.x. Because all applications shared a common memory space, which was fully accessible, a simple memory-resident virus could simply "hang out" and infect things at its leisure. This was often done by intercepting various DOS calls and manipulating them in some way. However, things work a little differently under Windows NT, so it is important to realize what can happen. Beginning with version 3.5, NT can run 16-bit programs in a shared address space with other 16-bit programs, or in its own 32-bit virtual DOS machine (VDM). By default, all 16-bit applications run together in a shared VDM. This means that a virus that loads itself as a memory-resident program can affect any other 16-bit application that runs in the shared memory space. However, the virus is completely unaware of any 32-bit processes that are also running on the system and is completely unable to interfere with their operation. Additionally, if you run all 16-bit applications in their own memory space, a virus of this type cannot do its job properly.
However, the situation is a little different with the second type of virus. This other kind of virus typically sits attached to a seemingly normal program or utility and spreads itself, or performs unwanted actions, only when you run the utility. These are often referred to as Trojan horse viruses. Although you can have viruses that work in a combination of these two ways, typically virus writers focus on one or the other distribution method. Very often these viruses perform some sort of direct file manipulation. This takes the form of either corrupting data on the system or replicating the viral code onto other executable files, further spreading the infection. NT is very susceptible to this kind of attack. The main way to limit the impact of this kind of attack is to make sure you never use unknown programs when you are logged on as an administrative user. More importantly, you should limit the kinds of actions you perform at the server's console and limit the access you grant people from the network to the minimum level required. Additionally, you should be sure to install a good virus-scanning program to help watch for these kinds of viruses. See the section "Commercial Virus Detection Packages," later in this appendix, for information on choosing an appropriate virus detection program.
Windows 3.x Viruses (16-Bit)
Several viruses out there are targeted for the Windows 3.x environment. Most of these work at least partially, even under Windows NT. This is because NT offers many services that provide down-level compatibility with Windows 3.x. For the most part, these viruses are limited in the same way as the DOS viruses mentioned in the previous section.
Windows 3.x viruses can directly affect only other 16-bit programs running in the same VDM. However, the virus can still alter data, as long as it doesn't try to do so by directly writing to the hardware, and the current user has access permissions to modify the file targeted by the virus.
Native Windows NT Viruses (32-Bit)
As of this writing, there are no known viruses that specifically target Windows NT. This could mean either that none have yet been written or that someone has written and released one that was unsuccessful in propagating itself in the outside world.
A virus targeted for Windows NT could take many forms, including a device driver, a dynamic link library (DLL), or a standard executable. Because all these forms contain code segments that get executed, often by the operating system itself, infection through one of these avenues could spread rapidly.
From the server standpoint, it makes sense to set rules and limits as to who can log onto the server's console and what kinds of actions are permitted from the console. Remember, simply denying that NT can become infected does nothing but increase the likelihood that you will become infected.
Macro Viruses
Macro viruses are the fifth type of virus I discuss here. Until recently, the macro languages included with most applications were not powerful or robust enough to support writing an effective virus. However, many of the more advanced applications that are being developed today include built-in programming capabilities that rival some of the larger development packages. This has recently been demonstrated by the various strains of Microsoft Word viruses, including the so-called Word Concept and Word Nuclear viruses. These viruses transport themselves through Microsoft Word documents. When opened in Word, they perform various actions, including spreading themselves into the user's installation of Word, thus preparing to infect all future documents on the system.
An additional concern is that macro viruses can be cross-platform. The Word Concept virus has the claim to fame of being the first prominent cross-platform virus, because it can infect both Windows and Macintosh systems.
Because most application macro languages support passing execution to an external shell, such as COMMAND.COM or CMD.EXE, the power of the macro virus is not limited to the constraints of the macro language itself.
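The three properties just described (macros that run automatically when a document is opened, macros that copy themselves into the user's installation, and macros that hand execution to an external shell) are exactly what a reviewer looks for before trusting a document. The following Python example, added here and not part of the book, applies those heuristics to macro source text that has already been extracted from a document. The auto-executing macro names (AutoExec, AutoOpen, AutoClose, AutoNew, AutoExit) and the Shell and MacroCopy statements are real WordBasic names; the indicator list, the verdict rules, the function names and the sample macros are this example's own constructions, not a complete detection scheme.

```python
"""Heuristic review of extracted Word macro source (added example).

Input is a mapping of macro name -> source text. The scan flags macros that
run automatically, spawn an external shell, copy macros into the global
template, or write files, and rolls the findings up into a verdict.
"""
import re

# WordBasic macro names that Word runs without the user invoking them.
AUTO_MACRO_NAMES = {"AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit"}

# Indicators that a macro reaches outside the document (illustrative list).
SUSPICIOUS_PATTERNS = {
    "shell_escape": re.compile(r"\bShell\b", re.IGNORECASE),
    "macro_copy": re.compile(r"\bMacroCopy\b", re.IGNORECASE),
    "file_write": re.compile(r"\bOpen\b.+\bFor\s+(Output|Append)\b", re.IGNORECASE),
}


def scan_macros(macros: dict) -> list:
    """Return one finding per macro that matches at least one indicator."""
    findings = []
    for name, source in macros.items():
        reasons = []
        if name in AUTO_MACRO_NAMES:
            reasons.append("auto-executing macro name")
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(source):
                reasons.append(label)
        if reasons:
            findings.append({"macro": name, "reasons": reasons})
    return findings


def verdict(macros: dict) -> str:
    """'block' if an auto-executing macro also reaches outside the document,
    'review' if anything at all was flagged, otherwise 'allow'."""
    findings = scan_macros(macros)
    for finding in findings:
        reasons = finding["reasons"]
        if "auto-executing macro name" in reasons and len(reasons) > 1:
            return "block"
    return "review" if findings else "allow"


# Constructed sample: an AutoOpen that installs a second macro globally,
# a macro that shells out, and a harmless formatting macro.
SAMPLE_DOCUMENT_MACROS = {
    "AutoOpen": 'Sub MAIN\n  MacroCopy "Payload", "Global:Payload"\nEnd Sub\n',
    "Payload": 'Sub MAIN\n  Shell "NOTEPAD.EXE", 1\nEnd Sub\n',
    "FormatReport": "Sub MAIN\n  Bold 1\n  FontSize 12\nEnd Sub\n",
}

if __name__ == "__main__":
    for finding in scan_macros(SAMPLE_DOCUMENT_MACROS):
        print(finding["macro"], "->", ", ".join(finding["reasons"]))
    print("verdict:", verdict(SAMPLE_DOCUMENT_MACROS))
```

The point of the roll-up rule is the one the text makes: a macro that merely shells out is worth a look, but a macro that runs on open and also installs itself into the global template is the signature of a self-propagating document and should stop the file at the gate rather than wait for a signature update.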
Additional Ways to Protect Against Viruses
Using a good anti-virus package is a defense against viruses. However, there is always the possibility that somehow a virus can sneak past your defenses. Following are some ways you can help reduce your risk of infection or help recover your data if your system does get infected by a virus.
Perform Regular Backups
One of the best ways to help protect your system against viruses is to implement an effective backup solution. No matter what kind of virus detection software you use, there is always the possibility that a virus could go undetected and you could lose all your data. By incorporating a virus protection strategy into your backup plans, you have a much greater chance of recovering your data if a virus does penetrate your server.
When planning for this contingency in your backup strategy, here are a few points you should note:
- Remember that most viruses (with the major exception of MBR viruses) live inside standard files. When you back up these files to tape, the virus tags along for the ride. This means that when you restore it from tape, the virus is restored as well. If you are recovering from tape after suffering a viral invasion, you should always check your system to make sure you are not re-infecting it.
- Make sure you don't recycle your tapes too often. Some people use simple tape rotation strategies where they use the same tapes each week. This can be dangerous if your files do get infected by a virus. Depending on the type of viral infection, you might not discover the infection for weeks, or even months. By then, the virus might have caused irrecoverable damage.
For more information about backing up your system, refer to Chapter 23.
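The two backup points above both depend on being able to tell, after a restore, which files came back different from the clean state. The following Python example, added here and not from the book, builds a hash manifest of a directory tree while the system is known to be clean, builds a second manifest after a restore, and reports changed, added and missing files, singling out executable types as the ones most likely to be carrying a virus. The directory trees, file contents, suffix list and function names are constructed for this example.

```python
"""Compare a restored file tree against a clean-state hash manifest (added example)."""
import hashlib
import tempfile
from pathlib import Path

# File types that can carry executable code; used only to prioritise findings.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".dll", ".sys", ".dot"}


def build_manifest(root) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline: dict, restored: dict) -> dict:
    """Report what differs between the clean baseline and the restored tree."""
    changed = sorted(p for p in baseline if p in restored and baseline[p] != restored[p])
    added = sorted(p for p in restored if p not in baseline)
    missing = sorted(p for p in baseline if p not in restored)
    suspicious = [p for p in changed + added
                  if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES]
    return {
        "changed": changed,
        "added": added,
        "missing": missing,
        "suspicious_executables": suspicious,
    }


def _write(root, rel: str, data: bytes) -> None:
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: one executable grew after the restore and an
    unexpected library appeared, while the data file is unchanged."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as restored:
        _write(clean, "bin/app.exe", b"MZ constructed clean program")
        _write(clean, "data/report.txt", b"quarterly numbers")
        baseline = build_manifest(clean)  # taken while the system was clean

        _write(restored, "bin/app.exe", b"MZ constructed clean program" + b"\x90" * 64)
        _write(restored, "data/report.txt", b"quarterly numbers")
        _write(restored, "bin/helper.dll", b"MZ constructed unexpected library")
        return compare_manifests(baseline, build_manifest(restored))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The manifest itself must be stored somewhere the restore cannot overwrite (the same place as the emergency boot disk is a reasonable choice), and it should be rebuilt whenever executables are legitimately updated, otherwise every patch shows up as a change.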
Create an Emergency Boot Disk
If your system is successfully attacked by a Master Boot Record (MBR) virus, NT most likely cannot boot. (For more information about why this is, see the earlier section on MBR viruses.) If your MBR is infected by a virus, you can use an emergency boot disk to get Windows NT up and running. Once NT has begun the boot process, a boot sector virus cannot cause any further damage. I repeat for emphasis: A boot sector virus cannot cause any further damage once NT is booted. This sentence pertains to boot sector viruses only. Other types of viruses can continue to cause further problems, even after NT has booted. Although this gives you the ability to get NT working again, and potentially keep it working until a more convenient time when you can take it down to remove the virus, you should remove the virus as soon as possible! After you have successfully booted NT with the emergency boot disk, you should back up the system before trying to remove the virus.
Please see Chapter 23 for more information on creating an emergency boot floppy disk for Windows NT Server.
Keep Your Emergency Repair Disk Updated
Remember that the Emergency Repair Disk contains the most important files that give a unique identity to your NT system. It contains parts of the boot system, as well as key components of the Registry. If your system is attacked by a virus and rendered unable to boot properly, having an up-to-date Emergency Repair Disk is invaluable for getting your system back up and running. Use the RDISK.EXE program to update your Emergency Repair Disk or to create a new one. For more information on creating and using the Emergency Repair Disk, refer to Chapter 23.
Remember, there is a difference between the Emergency Repair Disk and the emergency boot disk referred to in the previous section.
The emergency boot disk contains the key components that enable NT to begin the load process and then hand off control to the appropriate NT installation on your system. It does not contain any of the key registry components that could be useful in reconstructing a corrupted system. This disk is useful if somehow the bootstrap information cannot find a valid NT installation where it expects to.
In contrast, the Emergency Repair Disk is not a bootable disk. To use it, you must boot with the NT installation disk set and choose options to recover your system. This disk is invaluable if your NT installation itself is somehow corrupted.
Use NTFS
Using NTFS along with properly implemented security settings can help stop the spread of viruses. NTFS enables you to restrict a user's access to a single file or directory. This restriction is enforced whether the file is accessed from the network or locally. However, NT cannot restrict access to FAT or HPFS partitions from the local system.
Additionally, when accessing HPFS and FAT volumes from a remote system, access restrictions can be assigned only for the entire share at a time. If a user needs to write to a single file on the share, the whole share must be created with write permissions for that user. If you use NTFS, you can restrict a user's write access to all the files except the one he or she needs to be able to write to.
Log On with an Unprivileged Account
If you want to protect yourself as much as possible from potential Trojan horse viruses, do not use a privileged user account for your day-to-day work. If you execute a Trojan horse virus, the virus has the same level of user privileges as you do. If you have administrative privileges, so does the virus. However, if you are using an unprivileged account, the virus's actions are more limited. For instance, if you were using a privileged account, the virus could potentially create a new user and grant it administrative rights. This account could later be used to further infiltrate your system. If you weren't using a privileged account, the virus could not have performed these actions.
If you must use a privileged user account, never run anything other than the standard administrative utilities or other utilities of known origin that you are sure you can trust!
Warning: It's easy to write a WordBasic or Visual Basic macro that can make changes to the NT user database, so be careful about even opening seemingly innocuous files in Microsoft Word or Excel. To help protect yourself, you might want to use the Word Viewer or disable automatic macro execution in any program that supports macros.
Potential New Viruses
Unfortunately, the future promises more viruses, not less. With the number of computers increasing every day, as well as the increasing penetration of computers into the corporate environment, viruses will become the preferred method of espionage and revenge. More powerful multiplatform development tools, as well as prebuilt virus templates, make it easy for anyone with minimal knowledge to create a computer virus. Additionally, as you automate your computing environment through the use of macros, interactive online environments, and more complex personal agents that make your life easier, you also open yourself to new outside threats.
Commercial Virus Detection Packages
Unlike MS-DOS and Windows 3.x, Microsoft does not ship Windows NT with any type of anti-virus software. To make matters worse, until recently very few virus packages supported Windows NT. Fortunately, many vendors have come forward to help fill that gap. Today, several virus packages support Windows NT.
How to Evaluate an Anti-Virus Package
Before deciding what anti-virus package you want for your system, you should ask yourself a few questions to make sure you get a package that best fits your needs. When evaluating a virus package for Windows NT, here are some questions you will probably want to ask:
- Is it a native Windows NT program? Ideally, you want a package that was made specifically for Windows NT. Some 16-bit Windows- and DOS-based virus scanning packages run on Windows NT, with varying degrees of success. Make sure your package was specifically made for NT.
- Does it run as a service? What you really want is a virus detection engine that installs itself as a Windows NT service. This allows greater flexibility when configuring your system. If it does not install as a service, you need to leave a user logged onto the system for the virus scanner to run.
- Is it intended for workstation or server operations, or both? A package that provides both gives you the most security. What does this really mean? Windows NT Server is actually providing you with two functions. Its primary function is to provide file services for users on the network. You want a virus solution that constantly scans files as users access them from the network. Many virus products enable you to adjust the level of scanning separately for incoming and outgoing files, as well as specify what actions should be taken if a virus is discovered.
The second function of NT Server is that of a workstation. You want a virus scanner that helps protect you when you log onto the NT Server console. Ideally, it automatically scans any disks you insert for viruses, as well as scanning any programs you run to ensure they are virus-free. Remember what I talked about earlier: if you're logged on as the administrator and run a program that is infected with a virus, the virus runs with administrative privileges!
- How does the licensing work? Some virus scanners for NT make you pay a fee for each server you run it on. However, some also have additional costs per workstation that accesses the server. Make sure you understand and are willing to abide by the virus maker's pricing policy before choosing to go with their package. Remember, good virus protection can be costly!
- How is the virus scanner going to impact the rest of your system's security? Make sure you understand what permissions the virus scanner needs to do its job. Most virus scanners that install as an NT service create a special user account for their use. Find out what privileges this account needs and how this will impact the security of your system.
- What kind of viruses does this package protect against? Most of the virus protection vendors are fairly diligent about updating their software to detect the latest viruses. However, you need to understand the limitations of what it will not detect. For instance, many vendors still do not detect macro viruses, such as the cross-platform Word Concept virus that infects Microsoft Word documents. Also, many of the packages do not detect Macintosh viruses. If you are using NT Server to provide file services to Macintosh clients, you want to make sure to choose a package that provides support for Macintosh viruses.
- What kind of support and service will you get? You want to look for a company that has a history of providing quality Windows NT software. Additionally, you should choose a company with a track record of regularly updating their virus detection database.
- What processor platforms does it support? If you are using non-Intel platforms to run NT Server, make sure your platform is supported. You might be surprised how many work only on the Intel platform.
A List of Available Virus Protection Software for Windows NT
Following is a list of some of the more common packages on the market with Windows NT support. The level of functionality between the different products varies greatly, so use the questions listed here as a guideline when evaluating these packages for your use.