
Securing against Viruses, Malware and Email Hoaxes
Good Practice Guideline

Programme: NPfIT
Sub-Programme / Project: Infrastructure Security
Document Record ID Key: NPFIT-FNT-TO-IG-GPG-0005.01
Programme Director: Chris Wilber
Status: Approved
Owner: James Wood
Version: 2.0
Author: Mark Penny
Version Date: 12th February, 2010

Crown Copyright 2010

Securing against Viruses, Malware and Email Hoaxes


NPFIT-FNT-TO-IG-GPG-0005.01

12/02/2010 / Approved / 2.0

Amendment History:
Version  Date        Amendment History
0.1                  First draft for comment
0.2      30/08/2005  Second draft for Peer Review
0.4      20/10/2005  Comments from Phil Benn incorporated
1.0      23/02/2006  Technical Author, Sections added
1.1      19/03/2009  Reviewed, revised and updated. Previous author: James Wood
1.2      30/03/2009  Further updates following peer review
1.3      31/03/2009  Further updates following peer review
1.4      06/04/2009  Draft for approval
1.4a     30/09/2009  2nd draft for approval following approver comments
2.0      12/10/2010  Document approved.

Forecast Changes:
Anticipated Change  When
Annual Review       February 2011

Reviewers:
This document must be reviewed by the following:
Name                          Signature  Title / Responsibility  Date  Version
Infrastructure Security Team                                           1.3
James Wood                               Head of IT Security           1.4a

Approvals:
This document must be approved by the following:
Name        Signature  Title / Responsibility  Date  Version
James Wood             Head of IT Security           2.0

Distribution:
NHS Connecting for Health Infrastructure Security Team Website
http://nww.connectingforhealth.nhs.uk/infrasec/gpg
Document Status:
This is a controlled document.
Whilst this document may be printed, the electronic version maintained in FileCM is
the controlled copy. Any printed copies of the document are not controlled.


Related Documents:
These documents will provide additional information.
Ref no  Doc Reference Number      Title                                Version
        NPFIT-SHR-QMS-PRP-0015    Glossary of Terms Consolidated.doc   Latest
        NPFIT-FNT-TO-IG-GPG-0033  Glossary of Security Terms           Latest
                                  (http://nww.connectingforhealth.nhs.uk/infrasec/gpg)


Contents
1 About this Document ..... 5
1.1 Purpose ..... 5
1.2 Audience ..... 5
1.3 Content ..... 6
1.4 Disclaimer ..... 6
2 Introduction ..... 7
2.1 Background ..... 7
3 Anti-virus ..... 8
3.1 Desktop Software ..... 8
3.2 Gateway Device Software ..... 11
3.3 Email Server Software ..... 12
3.4 File Servers, Standalone Servers and Anti-Virus Exceptions ..... 14
3.5 Instant Messaging Services ..... 14
3.6 Anti-Virus Policy ..... 15
4 Malware and Spyware ..... 17
4.1 User Education ..... 17
4.2 Technical Solutions ..... 18
4.2.1 Active Monitoring ..... 18
4.2.2 Passive Network Monitoring ..... 19
4.2.3 Desktop Security Policies ..... 20
5 Phishing and Scams ..... 21
5.1 User Education ..... 21
5.1.1 The 419 Scam ..... 21
5.1.2 Pyramid Schemes, Chain Letters & Fake Notifications ..... 22
5.1.3 Current News Hoax ..... 22
5.1.4 Fake Security software hoax ..... 22
5.1.5 Spear Phishing ..... 23
5.2 Technical Solutions ..... 23
Appendix A - Suggested Attachment Block List ..... 25


1 About this Document


1.1 Purpose
The purpose of this document is to establish vendor and product independent
guidelines that will enable organisations to minimise the impact of virus and
malware infections. It also provides preventative recommendations that should
help reduce an organisation's exposure to viruses and malware.
Guidance on ensuring the confidentiality and integrity of sensitive information is
detailed in this document, including:
- The appropriate measures to take in the event of a virus attack or the
  discovery of malware on a system or systems.
- Dealing with malware and spyware introduced into N3 connected systems
  without the knowledge of users.
- The minimum standards for anti-virus protection within N3 connected
  networks.
- How to deal with malware, spyware, hoaxes, phishing and scams, which
  may vary in content but follow a similar overall structure.

1.2 Audience
This document assumes a general understanding of the terms virus and
malware. It also assumes a general understanding of other computing related
terms.
Further information on information security and related matters is available from
the NHS Connecting for Health Infrastructure Security Team website:
http://nww.connectingforhealth.nhs.uk/infrasec/


1.3 Content
This document comprises the following sections/topics:
- Description and information on anti-virus products for different types of
  platform.
- Technical solutions for monitoring for malware.
- The need for an anti-virus policy.
- The need for user education on viruses, malware and phishing.
- Descriptions of common phishing attacks and how to spot them.
- An appendix of attachment types which organisations could consider
  blocking because they could be used to deliver malicious payloads.

1.4 Disclaimer
Reference to any specific commercial product, process or service by trade name,
trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by NHS Connecting for Health. The
views and opinions of authors expressed within this document shall not be used
for advertising or product endorsement purposes.
Any party relying on or using any information contained in this document and/or
relying on or using any system implemented based upon information contained in
this document should do so only after performing a risk assessment. It is
important to note that a risk assessment is a prerequisite for the design of
effective security countermeasures. A correctly completed risk assessment
enables an NHS organisation to demonstrate that a methodical process has
been undertaken which can adequately describe the rationale behind any
decisions made. Risk assessments should include the potential impact to live
services of implementing changes.
This means that changes implemented following this guidance are made at the
implementer's risk. Misuse or inappropriate use of this information can only be
the responsibility of the implementer.


2 Introduction
This document provides general information on the topics of viruses and malware
together with potential solutions for their proactive detection and eradication. It
covers the concepts of phishing and pharming and what can be done from the
perspective of user education in this regard. The document also details additional
defence-in-depth concepts which can assist in protecting information assets
from viruses and malware.

2.1 Background
Attackers are increasingly utilising viruses and malware in their attempts to
compromise systems, gain unauthorised access to information and take
control of computer resources, often redirecting these resources for attacks
against other targets.
Spyware and malware are often bundled with legitimate software. When users
install the legitimate software they can also inadvertently install the bundled
spyware, affecting the confidentiality and integrity of their systems' security.
The nature of this type of software can present long term issues for security
because it often remains hidden from the user (or poses as a legitimate
application) while continually divulging information from the infected host. The
most effective defences against viruses, malware and hoaxes are those that
combine various technologies and strategies. These range from in-depth
technical solutions to effective user education, preventing the compromise of
these technical solutions.


3 Anti-virus
Anti-virus software and related applications can be used as a technical defence
to stop viruses from infecting systems. Such software is generally host based
and runs on the system it is protecting. Anti-virus software can detect many types
of malware. These types include computer viruses, worms and trojan horses as
well as spyware.
A computer virus is a type of malicious software which infects files on a
computer system. A virus may look for specific types of file to infect, such as
Word documents; once an infected document is sent to someone else, the virus
then spreads to and infects that person's PC. A resident computer virus can
survive system reboots and operates in the background on the system, looking
for files to infect. A non-resident computer virus only runs when an infected file
is launched.
A worm is a type of malicious software which does not require user interaction
to run. Worms can spread from system to system utilising automated infection
methods and generally exploit unpatched software vulnerabilities in order to
spread. A worm does not steal personal information from systems but simply
exists to spread and cause system problems in relation to integrity and
availability.
A trojan horse is malicious software which on the surface has a legitimate usage
but, unbeknownst to the user, contains functionality which can be used to steal
sensitive data or perform other unwanted actions.

3.1 Desktop Software

It is frequently possible to deploy anti-virus software solutions, offering varying
degrees of protection, at many different points on the network.
Due to the increasing capabilities of desktop machines and their growing
exposure to the Internet, host based anti-virus software should be deployed as a
bare minimum. A typical feature set would include:
- On Access (Memory Resident) scanning.
- On Demand scanning.
- Scheduled scanning.
- Heuristic capabilities.


- Automatic updating of definitions and engine.
- Integration with email and messaging services.
- Logging of all relevant events.
- Restriction of amendment of software configuration settings to authorised
  personnel only.
It is worth noting that many vendors of traditional anti-virus software solutions
have somewhat diversified the capabilities of their products in direct
response to the different types of threat which have materialised in recent years.
Many vendors now market their solutions as security suites offering not only
traditional anti-virus detection capabilities but additionally features including:
- A software firewall,
- Anti-spyware features,
- Browser plug-ins for detecting phishing web sites and malicious scripts,
- Anti-rootkit features,
- USB device control.
Whilst such defence-in-depth features may provide additional protection from a
broad spectrum of threats, the increased size of the products with their additional
performance related demands may mean that on some older systems, system
responsiveness is affected.
Memory resident scanning provides protection for users from external threats
such as malicious sites on the Internet. To provide additional functionality, some
websites may download certain files such as Java Applets or ActiveX objects to
the user's computer. These objects may contain malicious code which then
infects the computer. On access scanning allows the anti-virus product to block
this malicious code before it runs.
All desktop machines connected to the network or with access to the Internet
should have anti-virus software installed. The signed Code of Connection or
Information Governance Statement of Compliance (IGSoC) details this
requirement (see http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/igsoc).


Appropriate mechanisms should be in place to ensure virus definition updates
install as soon as available or, if necessary, after stability testing by authorised
personnel.
Software settings should include daily updates distributed from a centrally
provided mechanism. This ensures critical updates will install as soon as
available. Further information can be found in the Patch Management Good
Practice Guideline (GPG) document available from the NHS CFH Infrastructure
Security Team web site (http://nww.connectingforhealth.nhs.uk/infrasec/gpg).
Such frequency of updates may not be possible with portable devices; these will
require an automatic check when they access the network and will update as
appropriate. Alternatively, some vendors do provide the facility to update virus
definitions and the anti-virus software direct from systems controlled by the
vendor when a portable device is on the road. This can be useful for devices
which are rarely connected to the organisation's network. Remote access
solutions may provide additional mechanisms to ensure that the standards for
protection are in place on the portable device before allowing full access to the
network. Further information is available in the Remote Access and Remote
Management GPG documents available from the NHS CFH IST web site:
http://nww.connectingforhealth.nhs.uk/infrasec/gpg
On demand scans allow the user of the machine to scan single files and folders
or groups of files and folders as required. This is useful in situations where files
have been obtained from a 3rd party (such as on removable media) and the user
wishes to ensure that the files are free from viruses and malware.


Scheduled scans should be performed on a weekly basis and should consist of
a complete and thorough scan of the machine. This maintains a consistent
baseline of protection.
If possible, schedule this scan to run outside of normal office hours or at a time
which will not disrupt normal working.
For laptops or other portable devices, the scan needs scheduling as normal but
should run as soon as possible after the time when the scan was supposed to
run has elapsed.
Many vendors allow their anti-virus products' on demand and scheduled scans
to be throttled to only use a specific percentage of processor power. This
reduces the impact on users' work when such a scan is running and should be
considered as an option if available and if scans are likely to run when users are
working on their machines.
A heuristic capability refers to the ability of the anti-virus software to detect
patterns of behaviour on the machine which may represent virus or malware like
activities. This type of capability can be useful for detecting viruses and malware
which are very new and for which the vendor does not yet have a specific
signature available. This further increases the protection that the software can
provide. The downside to this capability is that on occasion innocent activities
can potentially be flagged as malicious activity (false positives), which can cause
unwanted alerts to be generated.

3.2 Gateway Device Software

The term gateway device refers to any device which is used to route, inspect or
block network traffic, for example firewalls, proxy servers, remote access
devices, routers, Intrusion Detection Systems (IDS) and so forth.
Due to their exposure, gateway devices are particularly vulnerable to attack and,
if not correctly protected, can potentially act as the initial infection point of a
network. The software installed on gateway devices should have all the features
of the software deployed on desktop machines but should also include server
specific features such as:
- Inbound and Outbound traffic monitoring.
- Large Traffic Volume Protection.
- Heuristic detection mechanisms to detect as yet unidentified viruses in the
  wild.

Gateway devices require specialist software, expressly designed for operation in
server environments or high load situations.
Desktop software may not be capable of handling the increase in traffic and does
not employ server specific features.
The use of different software (possibly from different vendors) also provides
defence-in-depth; separate solutions are less likely to be as easy to compromise
as one solution across all areas.
Due to the complex nature of attacks, which may spread through the use of
email, web or network vulnerabilities, the gateway must be able to automatically
protect the network when it recognises malicious activity. This heuristic, or
behaviour based defence, allows the software to automatically block suspected
traffic through automatic detection of new viruses or outbreaks. An example of
such a gateway is the web proxy filter. These devices monitor all inbound and
outbound traffic (such as HTTP and FTP protocols) for viruses, malware and
virus-like activity. Provision of such a device provides defence-in-depth when
allied with desktop anti-virus products.

3.3 Email Server Software

Email is a business critical tool that affects how organisations run, both internally
and externally. The widespread usage of and increasing reliance on email leaves
it open to exploitation as a means for the transmission of viruses and phishing
attacks.
In addition to the requirements for server grade anti-virus solutions, email
systems must include specific features that offer additional protection from this
avenue of attack. Email specific features include:
- Quarantine of possibly infected files.
- Mass mailing protection.
- Secured access to logs and quarantined files for audit purposes.
- Generic attachment filtering (See Appendix A).
- Email content and attachment inspection.
- Controls to prevent the forwarding of infected emails.

- Multiple virus/malware detection engines.
If available, it may be prudent to disallow all attachments apart from those
specified on an allowed list (or whitelist).
This is relatively easy to maintain, and validation against an established case
(e.g. what business need is there for attachment type a, b or c to be transmitted)
can occur on a case by case basis.
Email anti-virus and anti-spam measures must not provide an avenue for indirect
but disruptive attacks, e.g. flooding users with alerts and rejection messages. If
message alerts are used they should:
- Provide only minimal information.
- Not be sent to the originator of the email; this may lead to information
  leakage through error messages.
Commercially available services offering real time updates to email services with
critical or 0-day (zero-day) signatures can sometimes prevent the newest types
of viruses getting through the email gateways.
Signatures for email protection and gateway devices require updating as
frequently as possible.
Standard commercial services can offer hourly push updates to ensure
maximum protection.
Alternatively, commercial 3rd parties exist that provide services for scanning
inbound/outbound e-mail for viruses/malware/phishing scams and so forth.
These systems work by having all e-mail routed via the service provider and
scanned prior to onward delivery to its destination.
For NHS organisations, it is the recommendation of the NHS CFH Infrastructure
Security Team that the e-mail services of NHSMail are used. As well as providing
a standard e-mail platform based on Exchange 2007, NHSMail provides facilities
to detect and respond to malware and spam, attachment blocking and other such
services. More information can be obtained from:
http://www.connectingforhealth.nhs.uk/systemsandservices/nhsmail
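The attachment allow-list and the minimal, non-originator alert described in this section, as an added example that is not part of the guideline or any NHS system; the allow-list, the sample messages and the addresses in it are constructed assumptions for illustration.

```python
# Added example (not from the guideline): an attachment allow-list filter of the
# kind section 3.3 describes. The allow-list, the sample messages and the
# addresses are constructed assumptions for illustration.
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed allow-list of attachment extensions an organisation has decided it
# has a business need to receive. Everything else is rejected.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt", ".csv"}


def check_filename(filename):
    """Decide whether one attachment filename passes the allow-list.

    Only the final extension counts, so 'invoice.pdf.exe' is judged by '.exe',
    and matching is case-insensitive so 'REPORT.PDF' is treated as '.pdf'.
    Returns (allowed, reason).
    """
    if not filename:
        return False, "attachment has no filename"
    ext = os.path.splitext(filename.strip().lower())[1]
    if not ext:
        return False, f"'{filename}' has no extension"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"'{filename}' extension {ext} is not on the allow-list"
    return True, "allowed"


def filter_message(raw_message: bytes):
    """Parse a raw RFC 5322 message and check every attachment part.

    Returns (accept, reasons). A single disallowed attachment rejects the
    whole message, matching the 'deny unless listed' stance.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    accept = True
    reasons = []
    for part in msg.iter_attachments():
        ok, why = check_filename(part.get_filename())
        accept = accept and ok
        reasons.append(why)
    return accept, reasons


def recipient_notice(accept):
    """Minimal notice for the intended recipient (never the originator).

    The guideline asks that alerts carry only minimal information, so the
    detailed reasons stay in the gateway log and are not echoed here.
    """
    if accept:
        return None
    return "A message addressed to you was held because it contained a blocked attachment type."


def build_sample(attachments):
    """Construct a sample message with the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Constructed sample message"
    msg.set_content("Body text of the constructed sample.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: one within the allow-list, one using a double extension.
SAFE_MESSAGE = build_sample([("report.PDF", b"%PDF-1.4 sample")])
DOUBLE_EXT_MESSAGE = build_sample([("report.pdf", b"%PDF-1.4 sample"),
                                   ("invoice.pdf.exe", b"MZ sample")])

if __name__ == "__main__":
    for label, raw in (("safe", SAFE_MESSAGE), ("double-ext", DOUBLE_EXT_MESSAGE)):
        accept, reasons = filter_message(raw)
        print(label, "accepted" if accept else "held", reasons)
```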


3.4 File Servers, Standalone Servers and Anti-Virus Exceptions

Apart from dedicated servers (e.g. gateway and email systems), there are often
cases in which an anti-virus solution is desirable but, due to possible impacts on
the availability and performance of systems, prior consideration is necessary. Cases
may also exist where certified devices may not support additional software due to
their intended purpose, e.g. certified medical devices. (The Patch Management GPG
provides additional information including statements from the MHRA on such
devices.)
On Access scanning or memory resident detection mechanisms may adversely
affect high volume servers that demand high availability, though enterprise class
anti-virus solutions can go some way to alleviating these concerns. There is also
the possibility that specific files/directories could be excluded from the scanning
regime such that performance is not affected. For example, Microsoft makes
specific recommendations in relation to SQL Server and the types of files and
locations of directories which can be excluded from scanning so as not to impact
system performance (http://support.microsoft.com/kb/309422). It should be noted,
however, that excluding files and directories means that should excluded
files/directories become infected, the anti-virus solution will not detect the
infection.
There will always be some areas unable to support anti-virus, either through
incompatibility with appropriate class software or performance impacts. In such
cases it is often useful to run scheduled scans as frequently as possible during
time periods when resource demand is low. If the system will not support this,
scheduled maintenance periods will be necessary to perform comprehensive and
complete systems scans.
Systems which, due to restrictions, are unable to adopt appropriate anti-virus
measures should be isolated from the network using measures as detailed in
those Good Practice Guidelines relating to secure Local Area Network (LAN)
environments (for a complete list of Good Practice Guidelines see
http://nww.connectingforhealth.nhs.uk/infrasec/gpg/). Additionally, these devices
require monitoring through increased auditing and possibly Intrusion Detection
Systems (IDS) and/or Intrusion Prevention Systems (IPS).

3.5 Instant Messaging Services

Instant Messaging services are now readily available through Internet Service
Providers (ISPs), commercial suppliers and often internally within organisations.


These services allow users to chat in real time, while also giving them the ability
to share files and workspaces.
It is this ability to transmit files, and the possibility that any such transmissions
may bypass established controls, that make instant messaging services a
significant problem area for those tasked with protecting a system from virus
infection. Many anti-virus manufacturers have responded to this situation (via
integration with messaging products or file analysis) with solutions that provide
real time monitoring of files within instant messaging systems. For those using
externally provided IM systems (such as those from Microsoft, Google or Yahoo
for example), there is the additional problem of IM spam and possible phishing
attacks.
If organisations use internal IM systems, they should investigate the features and
facilities provided by the software manufacturer which can be turned on to
minimise the possibility that malicious files could be shared.
Unless absolutely necessary for business functions, the transfer of files using
instant messaging services should be disabled and more robust methods utilised
as an alternative. For example, the NHS Secure File Transfer Service can be
used. More information is available at:
http://nww.connectingforhealth.nhs.uk/infrasec/secure-file (N3 connection
required).

3.6 Anti-Virus Policy

Although many threats can be combated using technology, the key to a robust
anti-virus policy is empowering each user with the necessary knowledge to help
prevent virus outbreaks.
An anti-virus policy may be a separate entity or integrated within an overall IT
policy. In either case, it should contain a version of the following points:
- Do not open attachments from unknown senders.
- Do not download software to corporate hardware.
- Do not install software unless provided by your IT department.
- Report any suspicions relating to viruses or malicious software to your
  IT department immediately.


- Never disable any anti-virus software on your machine or prevent it
  from updating.
Technical means should be put in place to ensure that users cannot disable or
interfere with anti-virus software. Ideally, this is best implemented by ensuring
the principle of least privilege is applied on user desktop systems, i.e. users
are not local administrators on their machines.
Users should be aware of the policies in place. Regular bulletins to staff should
inform them of any new information or updates to policy.
Disciplinary action should be taken against employees who wilfully break the
policy (e.g. disabling anti-virus software or attempting to remove it from their
machine).


4 Malware and Spyware

Due to the many possible methods of infection by malware and spyware, an
effective anti-malware strategy requires equally varied levels of protection. Many
types of malware application collect information which may be valuable to
vendors of those applications, such as browsing habits or the popularity of
certain products. This information can then have resale value to the vendor for
marketing purposes and can be sold on to other companies. More sensitive
information can also be stolen by such software, including credit card numbers,
credentials for online banking services (often via a keylogger) and so forth.
Some types of malware, once installed, can be used to provide a remote control
facility to attackers. Once installed, the user's system becomes part of a larger
group of compromised systems known as a botnet. These botnets are controlled
centrally and can be used for a variety of purposes such as the sending of spam
e-mail or for performing Distributed Denial of Service (DDoS) attacks on
legitimate web sites.

4.1 User Education

End user education is one of the most effective tools for the prevention of
malware incidents. It should ensure that each user can recognise suspicious
behaviour and will not attempt to circumvent technical solutions by installing
unapproved software, opening suspicious attachments or visiting websites
designed to spread malware. User education should be an ongoing activity and
should begin when an employee joins an organisation. Multiple methods for
educating users exist, including posters, desk drops, login banners/notices,
formal training sessions and so forth. It is of vital importance that the education
links in with the corporate policies on anti-virus, acceptable use and so forth.
User education is a key weapon in preventing malware attacks. Whereas
previously, visiting certain types of web site or malicious site could result in
attempted infection via malware, there have been a growing number of incidents
where legitimate and well known web sites have been used to spread malware
due to elements of the sites being compromised.
The proper policy and procedure regarding malware might include reference to:
- Identifying suspicious attachments.
- The reporting procedure for possible incidents.


- The types of websites which attempt to install malware covertly.
- How suspicious behaviour in software can indicate a malware presence.

4.2 Technical Solutions

Solutions offering varying levels of protection and monitoring of malware
behaviour are widely available. However, due to the covert nature of their
existence, detection of new types of malware can be difficult.
When searching for an infection, it is advisable to monitor patterns of behaviour
rather than attempting direct discovery of the software in the first place.

4.2.1 Active Monitoring

Active monitoring of user machines provides real time protection against
malicious processes. There are various, freely available software products that
can actively probe all applications running on a machine which can offer some
protection against this type of attack. If an application demonstrates behaviour
indicating the presence of malware, this type of software should prevent the
application starting.
Active monitoring software should include the following features:
- Active process monitoring.
- Signature based detection.
- Behaviour based detection.
- Application/Process quarantine.


4.2.2 Passive Network Monitoring


Monitoring at the network level can include Intrusion Detection Systems (IDS),
Intrusion Prevention Systems (IPS) or basic traffic monitoring at the firewall.
Analysing captured firewall logs for evidence of malicious connection attempts by
compromised machines offers an opportunity to take corrective action. Many
vendors supply management software that performs anomaly-based detection of
suspicious or malicious activity by actively monitoring log files and traffic
reporting information.
Some open source IDS software can accept multiple streams of information and
raise alerts on suspicious traffic based on signatures. Similarly, network
monitoring tools can monitor network health and alert network administrators if
they detect increased or unusual traffic on the network fabric.
Some software offers traffic blocking based on established block lists. Used in
conjunction with traffic logs, the source machine and the type of software
responsible can be identified and appropriate action taken.
Block lists need to be kept up to date to ensure that legitimate traffic is not
accidentally blocked, and that suspicious traffic is not allowed through (for
example when the compromised machine tries new destinations in an attempt to
send captured data).
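As an added example (not part of this guideline), the following Python script applies three of the checks described above to constructed firewall log lines: hits on a block list, a host fanning out denied connections across many new destinations, and a host contacting the same destination at a fixed interval. The "key=value" log layout, the block-list address and the thresholds are assumptions; adapt them to the firewall export actually in use.

```python
"""Triage of outbound firewall log lines for signs of a compromised host.

Added example, not part of the guideline. The "key=value" log layout, the
block list and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one line per connection decision, plus one
# malformed line to show that a bad record does not abort the triage.
SAMPLE_LOG = """\
2010-02-12T09:00:01 action=allow src=10.20.30.11 dst=192.0.2.10 dport=443 proto=tcp
2010-02-12T09:00:07 action=allow src=10.20.30.11 dst=192.0.2.11 dport=80 proto=tcp
2010-02-12T09:00:12 action=deny src=10.20.30.44 dst=203.0.113.7 dport=6667 proto=tcp
2010-02-12T09:00:13 action=deny src=10.20.30.44 dst=203.0.113.8 dport=6667 proto=tcp
2010-02-12T09:00:14 action=deny src=10.20.30.44 dst=203.0.113.9 dport=6667 proto=tcp
2010-02-12T09:00:15 action=deny src=10.20.30.44 dst=203.0.113.10 dport=6667 proto=tcp
2010-02-12T09:00:16 action=deny src=10.20.30.44 dst=203.0.113.11 dport=6667 proto=tcp
2010-02-12T09:00:20 action=allow src=10.20.30.44 dst=198.51.100.23 dport=80 proto=tcp
2010-02-12T09:05:20 action=allow src=10.20.30.44 dst=198.51.100.23 dport=80 proto=tcp
2010-02-12T09:10:20 action=allow src=10.20.30.44 dst=198.51.100.23 dport=80 proto=tcp
2010-02-12T09:15:20 action=allow src=10.20.30.44 dst=198.51.100.23 dport=80 proto=tcp
2010-02-12T09:02:00 action=deny src=10.20.30.11 dst=192.0.2.99 dport=445 proto=tcp
this line is garbage and must be skipped
"""

# Assumed block list of known command-and-control addresses (illustrative only).
BLOCK_LIST = {"198.51.100.23"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(log_text):
    """Parse the export into event dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def blocklist_hits(events, block_list=BLOCK_LIST):
    """Source hosts that tried to reach a block-listed destination, allowed or denied."""
    hits = defaultdict(set)
    for e in events:
        if e["dst"] in block_list:
            hits[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def fan_out_hosts(events, min_denied=5, min_distinct=4):
    """Hosts whose denied outbound attempts spread across many destinations:
    the 'trying new destinations' pattern described in the text."""
    denied = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            denied[e["src"]].append(e["dst"])
    return sorted(src for src, dsts in denied.items()
                  if len(dsts) >= min_denied and len(set(dsts)) >= min_distinct)


def beacons(events, min_hits=4, jitter_s=5):
    """(src, dst) pairs contacted at a near-constant interval: a beaconing
    signature that needs no block list entry for the destination."""
    times = defaultdict(list)
    for e in events:
        times[(e["src"], e["dst"])].append(e["ts"])
    found = {}
    for pair, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if median > 0 and all(abs(g - median) <= jitter_s for g in gaps):
            found[pair] = median
    return found


def triage(log_text):
    """Run all three checks and return the findings in one structure."""
    events = parse(log_text)
    return {
        "blocklist": blocklist_hits(events),
        "fan_out": fan_out_hosts(events),
        "beacons": beacons(events),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

The block-list check counts allowed connections as well as denied ones, because the address may have been listed only after the firewall policy was last updated. The beacon check is the one that still works when the block list is stale, which is the gap the paragraph above warns about; its jitter tolerance should be widened for a firewall that logs with coarse timestamps.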

4.2.3 Desktop Security Policies


Combining technological solutions with user education policies can be extremely
effective in preventing potentially hostile applications from installing and
running covertly on a system.
Desktop policies require the attention of every user and should offer guidance on
how to conduct day-to-day business without exposing the organisation to
unnecessary risk.
Using technology to enforce certain desktop policies can be a useful guarantee of
policy compliance. This could encompass remote auditing or operating system
specific tools that restrict some user activities.
A basic desktop policy should include:
Ensuring that user accounts on systems provide the minimum level of
privilege required by the user for their role. Ideally, no user should
possess local administrator privileges on their computer.
Preventing users from installing or executing unapproved software.
Auditing all desktop systems for unapproved software.
Control of network based resources.
User responsibility for the use and/or misuse of business assets.
Control of unauthorised USB devices.

5 Phishing and Scams


Social engineering techniques may attempt to convince users to open
attachments that will spread malware infections, or even to divulge sensitive
information such as passwords by replying to email hoaxes.

5.1 User Education


While technological solutions can alleviate some of the risk surrounding email
scams (such as spam traps, spam and phishing filters and the like), the most
effective defence is user education.
Users should be alert to suspicious emails and have the knowledge to identify
risks, including knowing that a well executed hoax or scam can look entirely
legitimate and professional. Users should also be able to recognise important
markers such as:
Large unrelated distribution lists.
Requests for information not normally divulged.
Attachments where the icon does not match the supposed file type.
Large numbers of spelling mistakes.
Grammatical errors which would be considered abnormal in commercial
communications.
URLs to websites within e-mails where the link target and the displayed web
address text are different.
URLs within e-mails which look similar to the URL of the real web site but
are subtly different (e.g. small alterations to the domain name).
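As an added example (not part of this guideline), the following Python script applies the last two markers in the list above to an HTML e-mail body: it extracts every link, reports links whose displayed address differs from the real target, and reports hosts that are lookalikes of a legitimate domain (the genuine name buried as a subdomain of an attacker's domain, or a name one or two characters, or a homoglyph such as "rn" for "m", away from the real one). The legitimate-domain list and the sample message are constructed for illustration, and registered_domain() is a deliberately crude stand-in for a public-suffix lookup.

```python
"""Flag the URL markers from the user education list in an HTML e-mail body.

Added example, not part of the guideline. LEGIT_DOMAINS and SAMPLE_HTML are
constructed; registered_domain() is a crude stand-in for a public-suffix list.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains that users legitimately receive links to.
LEGIT_DOMAINS = {"examplebank.co.uk", "nhs.uk"}

# Constructed phishing body: a buried legitimate name, a homoglyph domain,
# and one genuine link that must not be flagged.
SAMPLE_HTML = """
<p>Your account will be closed unless you verify your details.</p>
<p>Log in at <a href="http://examplebank.co.uk.verify-login.com/x">www.examplebank.co.uk</a>
or use <a href="https://www.exarnplebank.co.uk/secure">https://www.examplebank.co.uk/secure</a>.</p>
<p>Statements are on <a href="https://www.examplebank.co.uk/statements">our site</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare 'www.x.y' text is treated as a URL."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude registrable domain: last two labels, or three under co/org/ac/gov.uk."""
    labels = host.split(".")
    second_level = (len(labels) >= 3 and labels[-1] == "uk"
                    and labels[-2] in {"co", "org", "ac", "gov"})
    return ".".join(labels[-3:] if second_level else labels[-2:])


def _edit_distance(a, b):
    """Levenshtein distance, enough to spot a one- or two-character alteration."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _fold_homoglyphs(s):
    """Collapse look-alike character sequences before comparing names."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        s = s.replace(fake, real)
    return s


def classify_host(host, legit=LEGIT_DOMAINS):
    """'legitimate', 'lookalike' or 'unknown' for a link's host name."""
    reg = registered_domain(host)
    if reg in legit:
        return "legitimate"
    for ld in legit:
        if "." + ld + "." in "." + host + ".":
            return "lookalike"  # genuine name buried inside an attacker's domain
        if _edit_distance(_fold_homoglyphs(reg), _fold_homoglyphs(ld)) <= 2:
            return "lookalike"  # one or two characters away from the real thing
    return "unknown"


def scan_links(html_body, legit=LEGIT_DOMAINS):
    """Return (href, reason) findings for the two URL markers in the list above."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if text.startswith(("http://", "https://", "www.")) and host_of(text) != target:
            findings.append((href, "displayed address differs from link target"))
        if classify_host(target, legit) == "lookalike":
            findings.append((href, "lookalike of a legitimate domain"))
    return findings


if __name__ == "__main__":
    for href, reason in scan_links(SAMPLE_HTML):
        print(f"{reason}: {href}")
```

Findings of this kind are a triage aid for the mail gateway or the help desk, not a verdict: an unknown domain is not necessarily hostile, and a short legitimate domain makes the edit-distance test noisy, so tune the threshold to the domains actually on the list.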
While there are many different subjects, and equally varied formats, for scam and
hoax emails, they often follow similar patterns. The following examples are a
representative selection only:
5.1.1 The 419 Scam
Named after the section of the Nigerian criminal code it violates, the 419 scam
has had extensive exposure in the press. Typically revolving around the
international transfer of large sums of money, the sender requests that the user
divulges sensitive information (e.g. bank account details) and/or makes upfront
monetary payments.
5.1.2 Pyramid Schemes, Chain Letters & Fake Notifications
A common technique, initially used to harvest valid email addresses for spam
email operations. The scammer persuades the user (using financial incentives) to
visit malicious websites or otherwise tricks them into running malware-infected
attachments. A well publicised example of this type of scam consisted of an
email sent to many thousands of people requesting money for an orphaned victim
of a terrorist attack. Many people entered their bank details to pledge money;
only later was the subterfuge discovered, by which time those who responded had
revealed their bank details to criminals.
A variant on the above is the fake notification e-mail which claims to come
from the user's bank and states that the user's account will be closed unless the
user goes to a web site and verifies their details. These types of scam can often
be spotted because the fake banking web site linked to requests information
which a bank would never ask for, such as a PIN or National Insurance number.
5.1.3 Current News Hoax
Attackers also use emails claiming to contain detailed information on worldwide
issues, and popular and/or breaking news stories, to spread viruses, trojans or
spyware. They achieve this by tricking users into running malware applications
disguised as what seems to be a potentially useful utility.
A related type of hoax arrives in an e-mail and claims that a file on the user's
computer is a virus, providing instructions on how to remove the "infected" file.
These hoaxes also state that the user should forward the email to all contacts in
their address book. The file referenced in these hoaxes is usually a legitimate
system file and therefore benign, so following the instructions damages the
system rather than cleaning it. An example of this type of hoax is the infamous
Teddy Bear virus.8
5.1.4 Fake Security Software Hoax
A recent trend has been the emergence of fake security software. The normal
delivery mechanism for such software is via adverts on legitimate web sites or by
visiting certain types of web site. Normally, a pop-up dialog box will appear
claiming that the user's PC is infected with viruses or malware and that by
downloading and installing a piece of software they can run a more thorough
check of their PC. Once the software is downloaded and installed, it pretends to
scan the PC and "finds" several examples of viruses and malware on the system.
The software then requests payment (via credit or debit card) in order to remove
the viruses and malware found. If the user does not pay for the software, it
repeatedly generates pop-up messages warning of virus and malware infection.
Such software often contains techniques to thwart removal. Fake security
software can often be detected and removed by legitimate anti-virus products.

8 http://www.hoax-slayer.com/teddy-bear-virus-hoax.html
5.1.5 Spear Phishing
This is a type of targeted attack which focuses on specific individuals within an
organisation. The targets are often those who are very senior within the
organisation, or whom an attacker would consider to have access to sensitive and
valuable information. Alternatively, targets may be considered or known to be
high net worth individuals.
Spear phishing attacks often take the form of an e-mail which attempts to
persuade the recipient into downloading or installing a piece of software. Once
the software is installed, it can monitor keystrokes, spy on and relay sensitive
information viewed by the target, and so forth. These e-mails can often appear to
come from senders that the recipient has communicated with in the past or may
even trust, so such attacks can be very difficult to spot indeed.
There have also been cases of new (often zero-day) vulnerabilities being used in
spear phishing attacks. Vulnerabilities in Acrobat Reader and Microsoft products
have been targeted in this way, because an attack using an unpatched vulnerability
is less likely to be detected by anti-virus or anti-malware products and the
target will not have had the chance to patch it.
User education and awareness training is the best way to detect spear phishing
attacks, and the advice given in the User Education section above will be of
benefit.
A useful website which provides further information on identity theft, phishing,
scams and hoaxes is Get Safe Online. See: http://www.getsafeonline.org/

5.2 Technical Solutions


Due to the complex nature and diverse subject matter of email based hoaxes and
scams, software designed to prevent this problem may either produce too many
false positives or not be effective enough.
However, many technological solutions are available which offer an additional
layer on top of user education. Features which should be included in a hoax or
spam email monitoring solution are:

Keyword searching.
Domain blocking of common hoax sources.
Statistical analysis of content.
Attachment filtering.
In addition, e-mail applications themselves now contain filters which look for the
signs of phishing scams in e-mails received. Any suspected e-mails are flagged
for the user's attention and moved to a special folder within the software. Whilst
these solutions are not infallible, they provide an extra layer of defence and,
along with gateway measures and user training, are worth using. Manufacturers of
e-mail applications additionally provide updates for these filters to further
improve their detection capabilities.
Deploying software which analyses the content of emails for particular words or
patterns (in conjunction with robust anti-virus software) should further increase
the effectiveness of blocking the type of hoaxes which attempt to convince the
user to execute malicious software.

A Appendix A - Suggested Attachment Block List


Below is a list of suggested file types to block as email attachments. To discover
the use of a particular file extension, Internet resources such as
http://www.filext.com may be useful in associating file types with the relevant
program. Please note that the following is not a comprehensive list and is subject
to change.9

File Name Extension   File type
.ade                  Access Project Extension (Microsoft)
.adp                  Access Project (Microsoft)
.app                  Executable Application
.asp                  Active Server Page
.bas                  BASIC Source Code
.bat                  Batch Processing
.cer                  Internet Security Certificate File
.chm                  Compiled HTML Help
.cmd                  DOS CP/M Command File, Command File for Windows NT
.cnt                  Help file index
.com                  Command
.cpl                  Windows Control Panel Extension (Microsoft)
.crt                  Certificate File
.csh                  csh Script
.der                  DER Encoded X509 Certificate File
.exe                  Executable File

9 List taken from: http://office.microsoft.com/en-us/outlook/HA012299521033.aspx. These attachment types are blocked by default in Outlook 2007.

.fxp                  FoxPro Compiled Source (Microsoft)
.gadget               Windows Vista gadget
.hlp                  Windows Help File
.hpj                  Project file used to create Windows Help File
.hta                  Hypertext Application
.inf                  Information or Setup File
.ins                  IIS Internet Communications Settings (Microsoft)
.isp                  IIS Internet Service Provider Settings (Microsoft)
.its                  Internet Document Set, Internet Translation
.js                   JavaScript Source Code
.jse                  JScript Encoded Script File
.ksh                  UNIX Shell Script
.lnk                  Windows Shortcut File
.mad                  Access Module Shortcut (Microsoft)
.maf                  Access (Microsoft)
.mag                  Access Diagram Shortcut (Microsoft)
.mam                  Access Macro Shortcut (Microsoft)
.maq                  Access Query Shortcut (Microsoft)
.mar                  Access Report Shortcut (Microsoft)
.mas                  Access Stored Procedures (Microsoft)
.mat                  Access Table Shortcut (Microsoft)
.mau                  Media Attachment Unit

.mav                  Access View Shortcut (Microsoft)
.maw                  Access Data Access Page (Microsoft)
.mda                  Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mdb                  Access Application (Microsoft), MDB Access Database (Microsoft)
.mde                  Access MDE Database File (Microsoft)
.mdt                  Access Add-in Data (Microsoft)
.mdw                  Access Workgroup Information (Microsoft)
.mdz                  Access Wizard Template (Microsoft)
.msc                  Microsoft Management Console Snap-in Control File (Microsoft)
.msh                  Microsoft Shell
.msh1                 Microsoft Shell
.msh2                 Microsoft Shell
.mshxml               Microsoft Shell
.msh1xml              Microsoft Shell
.msh2xml              Microsoft Shell
.msi                  Windows Installer File (Microsoft)
.msp                  Windows Installer Update
.mst                  Windows SDK Setup Transform Script
.ops                  Office Profile Settings File
.osd                  Application virtualized with Microsoft SoftGrid Sequencer
.pcd                  Visual Test (Microsoft)
.pif                  Windows Program Information File (Microsoft)

.plg                  Developer Studio Build Log
.prf                  Windows System File
.prg                  Program File
.pst                  MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)
.reg                  Registration Information/Key for W95/98, Registry Data File
.scf                  Windows Explorer Command
.scr                  Windows Screen Saver
.sct                  Windows Script Component, Foxpro Screen (Microsoft)
.shb                  Windows Shortcut into a Document
.shs                  Shell Scrap Object File
.ps1                  Windows PowerShell
.ps1xml               Windows PowerShell
.ps2                  Windows PowerShell
.ps2xml               Windows PowerShell
.psc1                 Windows PowerShell
.psc2                 Windows PowerShell
.tmp                  Temporary File/Folder
.url                  Internet Location
.vb                   VBScript File or Any VisualBasic Source
.vbe                  VBScript Encoded Script File
.vbp                  Visual Basic project file
.vbs                  VBScript Script File, Visual Basic for Applications Script

.vsmacros             Visual Studio .NET Binary-based Macro Project (Microsoft)
.vsw                  Visio Workspace File (Microsoft)
.ws                   Windows Script File
.wsc                  Windows Script Component
.wsf                  Windows Script File
.wsh                  Windows Script Host Settings File
.xnk                  Exchange Public Folder Shortcut
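As an added example (not part of this guideline), the following Python script applies the list above at a mail gateway or in a triage tool. Beyond a plain extension lookup it normalises the name the way Windows does (trailing dots and spaces are ignored), flags double extensions such as invoice.pdf.exe, compares the claimed document type with the file's leading bytes (the "icon does not match the supposed file type" marker from section 5.1), and looks inside zip archives so a blocked file cannot be smuggled past the list by zipping it. The sample attachments are constructed in memory; the content signatures are the standard leading bytes of each format.

```python
"""Check e-mail attachments against the Appendix A block list, and against the
'icon does not match the file type' marker from the user education section.

Added example, not part of the guideline. The sample attachments are
constructed in memory.
"""
import io
import zipfile

# Extensions from Appendix A (Outlook 2007 default block list).
BLOCKED_EXTENSIONS = set("""
.ade .adp .app .asp .bas .bat .cer .chm .cmd .cnt .com .cpl .crt .csh .der .exe
.fxp .gadget .hlp .hpj .hta .inf .ins .isp .its .js .jse .ksh .lnk .mad .maf .mag
.mam .maq .mar .mas .mat .mau .mav .maw .mda .mdb .mde .mdt .mdw .mdz .msc .msh
.msh1 .msh2 .mshxml .msh1xml .msh2xml .msi .msp .mst .ops .osd .pcd .pif .plg .prf
.prg .pst .reg .scf .scr .sct .shb .shs .ps1 .ps1xml .ps2 .ps2xml .psc1 .psc2 .tmp
.url .vb .vbe .vbp .vbs .vsmacros .vsw .ws .wsc .wsf .wsh .xnk
""".split())

# What a 'document' extension should contain, and the leading bytes that identify
# the formats recognised here. Anything else is reported as "other".
DOC_KINDS = {".pdf": "pdf", ".doc": "ole", ".xls": "ole", ".docx": "zip", ".xlsx": "zip",
             ".zip": "zip", ".jpg": "jpeg", ".png": "png", ".txt": "text"}
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"), (b"\xff\xd8\xff", "jpeg"),
         (b"\x89PNG", "png")]


def content_kind(data):
    """Identify the content by its first bytes, independent of the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "other"


def assess_attachment(filename, data=b""):
    """Return the reasons to block or quarantine; an empty list means no finding."""
    # Windows strips trailing dots and spaces, so "setup.exe ." still runs as setup.exe
    name = filename.rstrip(". ").lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
        if len(parts) > 2 and "." + parts[-2] in DOC_KINDS:
            reasons.append("double extension disguised as a document")
    kind = content_kind(data)
    expected = DOC_KINDS.get(ext)
    if expected and kind not in (expected, "other"):
        reasons.append(f"content is {kind}, not {expected}")
    if kind == "zip":  # look inside archives: a blocked file is still blocked when zipped
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    for reason in assess_attachment(member.filename, archive.read(member)):
                        reasons.append(f"inside archive, {member.filename}: {reason}")
        except zipfile.BadZipFile:
            reasons.append("zip signature but archive cannot be read")
    return reasons


def build_samples():
    """Constructed attachments: a disguised executable, a padded name, a genuine
    PDF header and an archive carrying a double-extension executable."""
    pe_stub = b"MZ" + b"\x90" * 62  # only the DOS header magic, not a real program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.pdf.exe", pe_stub)
        archive.writestr("readme.txt", b"see attached")
    return {
        "invoice.pdf": pe_stub,
        "setup.exe .": pe_stub,
        "report.pdf": b"%PDF-1.4\n%constructed\n",
        "archive.zip": buf.getvalue(),
    }


def triage_samples():
    """Assess every constructed sample and return name -> reasons."""
    return {name: assess_attachment(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, reasons in triage_samples().items():
        print(f"{name}: {reasons or 'no finding'}")
```

A list of this kind blocks what is named, not what is dangerous: macro-enabled documents, password-protected archives and extensions newer than the list are not caught, which is why the appendix says the list is not comprehensive and why anti-virus scanning and user education sit alongside it.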
