INFORMATION TECHNOLOGY LABORATORY

December 2005

ITL Bulletin
ADVISING USERS ON INFORMATION TECHNOLOGY

PREVENTING AND HANDLING MALWARE INCIDENTS: HOW TO PROTECT INFORMATION TECHNOLOGY SYSTEMS FROM MALICIOUS CODE AND SOFTWARE

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology

The term malware is used to describe malicious code and malicious software that are covertly inserted into an information technology (IT) system to compromise the confidentiality, integrity, or availability of the data, applications, or operating system, or to annoy or disrupt the system's owner. Malware incidents are a significant external threat to the security of many IT systems, often causing widespread damage and disruption, and forcing users and organizations to carry out extensive, costly efforts to restore system security.

Malware includes five categories of inserted programs: viruses, worms, Trojan horses, malicious mobile code, and blended attacks. Viruses and worms are usually designed to carry out their functions without the user's knowledge. Blended attacks use a combination of techniques to insert malicious programs. Malware also includes other attacker tools such as backdoors, rootkits, and keystroke loggers, and tracking cookies, which are used as spyware. Spyware, when inserted into a user's system, threatens personal privacy and enables the attacker to monitor personal activities and to carry out financial fraud.

Guide to Malware Incident Handling and Prevention: Recommendations of the National Institute of Standards and Technology

NIST's Information Technology Laboratory recently published NIST Special Publication (SP) 800-83, Guide to Malware Incident Handling and Prevention: Recommendations of the National Institute of Standards and Technology. The guide assists organizations and users in planning and implementing security programs to prevent potential malware incidents and to limit damage from unforeseen incidents that might occur.

Written by Peter Mell of NIST and Karen Kent and Joseph Nusbaum of Booz Allen Hamilton, NIST SP 800-83 discusses the different types of malware and recommends prevention and incident handling techniques. The appendices provide additional resources on malware prevention and handling methods, and include detailed techniques and scenarios. A glossary of the many specialized terms used in the guide, a list of acronyms, and an extensive reference list of print and online resources are also provided. The publication is available in electronic format from NIST's website: http://csrc.nist.gov/publications/nistpubs/index.html.

Malware: What it is

Malware includes the following major categories of malicious code and programs:
• Viruses are self-replicating codes that insert copies of the virus into host programs or data files. Viruses often result from user interactions, such as opening a file or running a program, and include:

(Continued on Page 2)
`
ITL Bulletins are published by the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST). Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis and are available from ITL Publications, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900, telephone (301) 975-2832. To be placed on a mailing list to receive future bulletins, send your name, organization, and business address to this office. You will be placed on this mailing list only.

Bulletins issued since August 2004:

• Electronic Authentication: Guidance for Selecting Secure Techniques, August 2004
• Information Security Within the System Development Life Cycle, September 2004
• Securing Voice Over Internet Protocol (IP) Networks, October 2004
• Understanding the New NIST Standards and Guidelines Required by FISMA, November 2004
• Integrating IT Security into the Capital Planning and Investment Control Process, January 2005
• Personal Identity Verification (PIV) of Federal Employees and Contractors: Federal Information Processing Standard (FIPS) 201 Approved by the Secretary of Commerce, March 2005
• Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, April 2005
• Recommended Security Controls for Federal Information Systems: Guidance for Selecting Cost-effective Controls Using a Risk-based Process, May 2005
• NIST's Security Configuration Checklists Program for IT Products, June 2005
• Implementation of FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, August 2005
• Biometric Technologies: Helping to Protect Information and Automated Transactions in Information Technology Systems, September 2005
• National Vulnerability Database: Helping Information Technology System Users and Developers Find Current Information About Cyber Security Vulnerabilities, October 2005
• Securing Microsoft Windows XP Systems: NIST Recommendations for Using a Security Configuration Checklist, November 2005

National Institute of Standards and Technology • Technology Administration • U.S. Department of Commerce

WIZ, Inc. EXHIBIT - 1021
WIZ, Inc. v. Orca Security LTD.
  o Compiled viruses that are executed by an operating system. These include file infector viruses, which attach themselves to executable programs; boot sector viruses, which infect the master boot records of hard drives or the boot sectors of removable media; and multipartite viruses, which combine the characteristics of file infector and boot sector viruses.
  o Interpreted viruses that are executed by an application. These include macro viruses, which take advantage of the capabilities of the macro programming language to infect application documents and document templates; and scripting viruses, which infect scripts and are understood by scripting languages processed by services on the operating system.

• Worms are self-replicating, self-contained programs that usually perform without user intervention. Worms create fully functional copies of themselves, and they do not require a host program to infect a system. Attackers often insert worms because they can potentially infect many more systems in a short period of time than a virus can. Worms include:
  o Network service worms that take advantage of vulnerabilities in network services to propagate and infect other systems.
  o Mass mailing worms that are similar to e-mail-borne viruses but are self-contained, rather than infecting an existing file.

• Trojan horses are self-contained, non-replicating programs that appear to be benign, but that actually have a hidden malicious purpose. Trojan horses either replace existing files with malicious versions or add new malicious files to systems. They often deliver other attacker tools to systems.

• Malicious mobile code is software with malicious intent that is transmitted from a remote system to a local system. The inserted programs are executed on the local system, usually without the user's explicit instruction. Programs delivered in this way can be used by many different operating systems and applications, such as web browsers and e-mail clients. Although the mobile code may be benign, attackers use it to transmit viruses, worms, and Trojan horses to the user's workstation. Malicious mobile code does not infect files or attempt to propagate itself, but exploits vulnerabilities by taking advantage of the default privileges granted to mobile code. Languages used for malicious mobile code include Java, ActiveX, JavaScript, and VBScript.

• Blended attacks use multiple methods of infection or transmission. A blended attack could combine the propagation methods of viruses and worms.

• Tracking cookies are persistent cookies that are accessed by many websites, allowing a third party to create a profile of a user's behavior. Tracking cookies are often used in conjunction with web bugs, which are tiny graphics on websites and which are referenced within the HTML content of a web page or e-mail. The purpose of the graphic is to collect information about the user viewing the content.

• Attacker tools might be delivered to a system as part of a malware infection or other system compromises. These tools allow attackers to have unauthorized access to or use of infected systems and their data, or to launch additional attacks. Popular types of attacker tools include:
  o Backdoors are malicious programs that listen for commands on a certain TCP or UDP port. Most backdoors allow an attacker to perform a certain set of actions on a system, such as acquiring passwords or executing arbitrary commands. Backdoors include zombies (also known as bots), which are installed on a system to cause it to

  types of utilities and scripts that can be used to probe and attack systems, such as packet sniffers, port scanners, vulnerability scanners, password crackers, remote login programs, and attack programs and scripts.

• Common non-malware threats associated with malware include phishing, which uses computer-based means to trick users into revealing financial information and other sensitive data. Phishing attacks frequently place malware or attacker tools on systems. Virus hoaxes, which are false warnings of new malware attacks, are another common threat.

Who We Are

The Information Technology Laboratory (ITL) is a major research component of the National Institute of Standards and Technology (NIST) of the Technology Administration, U.S. Department of Commerce. We develop tests and measurement methods, reference data, proof-of-concept implementations, and technical analyses that help to advance the development and use of new information technology. We seek to overcome barriers to the efficient use of information technology, and to make systems more interoperable, easily usable, scalable, and secure than they are today. Our website is http://www.itl.nist.gov.

ITL Bulletins Via E-Mail

We now offer the option of delivering your ITL Bulletins in ASCII format directly to your e-mail address. To subscribe to this service, send an e-mail message from your business e-mail account to listproc@nist.gov with the message subscribe itl-bulletin, and your name, e.g., John Doe. For instructions on using listproc, send a message to listproc@nist.gov with the message HELP. To have the bulletin sent to an e-mail address other than the FROM address, contact the ITL editor at 301-975-2832 or elizabeth.lennon@nist.gov.
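The web bug mechanism described under tracking cookies above (a tiny or hidden image whose URL reports who viewed the content) is something a mail gateway or content filter can check for. The Python script below is an added example and is not part of the bulletin or of SP 800-83: it scores every `<img>` tag in a piece of HTML by the signals typical of a tracking pixel (1x1 or hidden, third-party host, identifier-carrying query string) and reports those at or above a threshold. The weights, the threshold, and the sample HTML (hosts under `.invalid` and `example.com`) are constructed assumptions, not rules from the bulletin.

```python
"""Flag likely web bugs (tracking pixels) in HTML content.

Added illustration of the bulletin's description of web bugs: tiny graphics
referenced from a web page or e-mail whose purpose is to report who viewed
the content. The scoring weights, threshold and sample HTML are constructed
for this example; the bulletin gives no detection rules of its own.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLAG_THRESHOLD = 3  # assumed: one strong signal plus one weak, or three weak


def _px(value):
    """Parse a width/height attribute ("1", "1px") into an int, else None."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


class WebBugScanner(HTMLParser):
    """Score every <img> tag by signals typical of a tracking pixel."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []  # images scoring at or above FLAG_THRESHOLD

    def _third_party(self, host):
        """True when host is neither the first-party host nor a subdomain of it."""
        return bool(host) and host != self.first_party_host and \
            not host.endswith("." + self.first_party_host)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src:
            return
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        signals = {}
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            signals["tiny image"] = 2
        if "display:none" in a.get("style", "").replace(" ", "").lower():
            signals["hidden by style"] = 2
        if self._third_party(host):
            signals["third-party host"] = 1
        if parts.query:
            signals["query string (likely identifier)"] = 1
        score = sum(signals.values())
        if score >= FLAG_THRESHOLD:
            self.findings.append({"src": src, "score": score,
                                  "reasons": sorted(signals)})


def scan_html(html, first_party_host):
    """Return the flagged images found in `html`, in document order."""
    scanner = WebBugScanner(first_party_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a logo, a third-party pixel, a first-party spacer,
# a first-party open-tracking beacon, and a hidden third-party beacon.
SAMPLE_HTML = """<html><body>
<img src="https://example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://tracker.invalid/pixel.gif?uid=12345" width="1px" height="1px">
<img src="https://cdn.example.com/spacer.gif" width="1" height="1">
<img src="https://example.com/open.gif?id=7" width="1" height="1">
<img src="https://metrics.invalid/beacon?msg=42" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "example.com"):
        print(f["score"], f["src"], "-", ", ".join(f["reasons"]))
```

The first-party 1x1 spacer scores below the threshold and is not reported, while the first-party beacon that carries an identifier in its query string is; in a real filter the weights would be tuned against the organization's own mail and web traffic.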
Recommendations for Preventing Malware Incidents

Organizations should protect their information and information systems from malware through their ongoing IT security planning, management, and implementation activities. NIST recommends that organizations take the following actions to prevent malware incidents and to respond effectively and efficiently to any attacks that might occur.

Develop and implement an approach to malware incident prevention, based on the attack methods that are most likely to be used, both currently and in the near future. Choose prevention techniques that are appropriate to the computing environment and system, and provide for policy statements, awareness programs for users and IT staff, and vulnerability and threat mitigation efforts.

Ensure that policies support the prevention of malware incidents and provide for user and IT staff awareness, vulnerability mitigation, and security tool deployment and configuration. Malware prevention should be stated clearly in policies, which should be as general as possible to allow for flexibility in implementation and to reduce the need for frequent updates. At the same time, policy statements should be specific enough to make their intent and scope clear and to achieve consistent and effective results.
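The bulletin describes backdoors as programs that listen for commands on a certain TCP or UDP port, and the recommendations above call for deploying and configuring security tools. One simple tool of that kind is a periodic comparison of the host's listening sockets against an approved baseline. The Python script below is an added example, not from the bulletin or from SP 800-83: it parses text in the layout printed by `ss -tulnp` on Linux and reports listeners on ports outside the baseline, approved ports served by an unexpected process, and approved listeners that are no longer observed. The baseline and the sample output (including the made-up process names `ntpx` and `updater`) are constructed for this example.

```python
"""Compare a host's listening sockets against an approved baseline.

Added example for the bulletin's point that backdoors listen for commands on
a particular TCP or UDP port: diffing what actually listens against what is
approved surfaces unexpected listeners for investigation. The baseline and
the sample output (in the layout of `ss -tulnp` on Linux) are constructed
for this example; the bulletin prescribes no specific tool.
"""
import re

# Approved listeners as (protocol, port, process name). Constructed baseline.
BASELINE = {
    ("tcp", 22, "sshd"),
    ("tcp", 443, "nginx"),
    ("udp", 123, "chronyd"),
}

# Constructed sample output; "ntpx" and "updater" are made-up process names.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    [::]:443           [::]:*            users:(("nginx",pid=1020,fd=6))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*         users:(("ntpx",pid=640,fd=5))
tcp   LISTEN 0      5      0.0.0.0:6667       0.0.0.0:*         users:(("updater",pid=4311,fd=3))
"""

# Extracts the first process name and pid from the ss "Process" column.
_PROC = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Yield (proto, addr, port, process, pid) for each socket line in `text`."""
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or malformed line
        proto, local, process = fields[0], fields[4], fields[6]
        addr, port = local.rsplit(":", 1)  # "[::]:443" -> "[::]", "443"
        m = _PROC.search(process)
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", None)
        yield proto, addr, int(port), name, pid


def audit_listeners(text, baseline=BASELINE):
    """Return (unexpected, missing).

    unexpected: dicts for observed listeners not in the baseline, each with
    a reason; missing: baseline entries that were not observed at all.
    """
    approved_ports = {(proto, port) for proto, port, _ in baseline}
    observed = set()
    unexpected = []
    for proto, addr, port, name, pid in parse_ss(text):
        observed.add((proto, port, name))
        if (proto, port, name) in baseline:
            continue
        if (proto, port) in approved_ports:
            reason = "approved port served by unexpected process"
        else:
            reason = "port not in baseline"
        unexpected.append({"proto": proto, "addr": addr, "port": port,
                           "process": name, "pid": pid, "reason": reason})
    missing = sorted(baseline - observed)
    return unexpected, missing


if __name__ == "__main__":
    found, gone = audit_listeners(SAMPLE_SS_OUTPUT)
    for f in found:
        print(f"UNEXPECTED {f['proto']} {f['addr']}:{f['port']} "
              f"{f['process']} (pid {f['pid']}): {f['reason']}")
    for proto, port, name in gone:
        print(f"MISSING {proto}/{port}: expected process {name} not listening")
```

Run against live output, the script would be fed the text of `ss -tulnp`; the useful part is the baseline, which has to be maintained per system role, and the "approved port, unexpected process" case, which catches a listener that has taken over a port the baseline already allows.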
