Malware Threats from Unexpected Sources: Trojans Embedded in Streaming Video Links

Written by Lee Clemmer on September 14, 2009

Sometimes spam, viruses, and other malware filtering at your email gateway isn’t enough. It’s important to keep your host anti-virus signatures up to date, and if you don’t have anti-virus protection at your firewall or on your network at the Internet gateway you should seriously consider it.

Here’s why these items are critical. Some recent malware attacks have used video and audio streams as the delivery mechanism for malware. They gain an initial foothold, so to speak, by getting a link in front of your users in a spam email. If your spam filter doesn’t block the message, the link in the email appears to be a video or audio link, but the destination actually serves a trojan embedded in the content stream.

This method of attack isn’t exactly new. For example, the ZLOB Trojan began making the rounds in 2005 and gained traction in 2006. Some attacks with it simply involved downloading other viruses or malware. Delivered through a video link, however, it meant that users whose browsers were set to download ActiveX codecs automatically, and who had poor virus protection, would download the virus and become infected without any further action on their part.

Now, most of us won’t have this problem, right? Surely you and your users would, at a minimum:

  1. Have host-based as well as network/perimeter-based anti-virus protection.
  2. Keep your anti-virus signatures up-to-date for all your systems.
  3. Not have your browsers set to automatically download and install ActiveX controls or codecs.
  4. Have users trained, understanding not to install random codecs or ActiveX controls themselves.
  5. Have in place strong anti-spam protection that may block messages from domains likely to send these messages.
  6. Have perimeter security measures in place that detect and block or intercept malicious content as it appears.
  7. Have users trained well on the risks of clicking unknown links, or going in search of suspicious content.
  8. Have a proxy or firewall with content filtering in place, with a policy that prohibits visiting or traffic from certain domains known to be sources of malware.
  9. Keep your systems patched with the latest security patches from your OS vendor and from your application vendors.
  10. Frequently review your security protections and rules in place, and carefully consider before making changes allowing more permissive use and access to and from protected resources.
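Items 5, 6 and 8 above come down to the same control: inspect the links your users receive, and block or hold the ones that point at streaming-media content on hosts you don’t trust. The script below is an added example written for this post, not code from the original article. It extracts URLs from a message body, flags links to Windows Media and similar stream file types, and checks the hosting domain against a blocklist and an allowlist. The domains, extension list and sample message are all constructed for the demonstration; in practice the blocklist would come from your proxy or mail-gateway vendor’s feed.

```python
"""
Flag links to streaming-media content in inbound mail so they can be held for
review before a user clicks them.  Added example, not the post's own code.
Domains, message text and the lists below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# File types commonly served as Windows Media / streaming content.
# Assumption: this list is illustrative; tune it to what your users really need.
MEDIA_EXTENSIONS = {".wmv", ".wma", ".asf", ".asx", ".wax", ".wvx",
                    ".avi", ".mp3", ".mpg"}

# Constructed blocklist of domains treated as known malware sources.
BLOCKED_DOMAINS = {"bad-codec-host.example", "free-movies-now.example"}

# Constructed allowlist of media hosts the business trusts.
TRUSTED_DOMAINS = {"video.corp-intranet.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def is_media_link(url):
    """True if the URL path (query string excluded) ends in a media extension."""
    path = urlparse(url).path.lower()
    return any(path.endswith(ext) for ext in MEDIA_EXTENSIONS)


def classify_url(url):
    """Classify one URL as 'block', 'hold' or 'allow'.

    block : host (or a parent domain) is on the blocklist
    hold  : unknown host serving a media file -> quarantine for review
    allow : trusted host, or an ordinary non-media link
    """
    host = (urlparse(url).hostname or "").lower()
    if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "block"
    if host in TRUSTED_DOMAINS:
        return "allow"
    if is_media_link(url):
        return "hold"
    return "allow"


def scan_message(body):
    """Return (worst verdict for the message, list of (url, verdict))."""
    verdicts = [(url, classify_url(url)) for url in extract_urls(body)]
    severity = {"allow": 0, "hold": 1, "block": 2}
    worst = max((v for _, v in verdicts), key=severity.get, default="allow")
    return worst, verdicts


# Constructed sample message in the style the post describes.
SAMPLE_SPAM = """Hi, check out this clip from last night!
http://free-movies-now.example/clips/funny.wmv
Also see http://unknown-host.example/media/stream.asx?id=7
Our corporate video: http://video.corp-intranet.example/townhall.wmv
"""

if __name__ == "__main__":
    verdict, details = scan_message(SAMPLE_SPAM)
    print("message verdict:", verdict)
    for url, v in details:
        print(f"  {v:5s}  {url}")
```

The “hold” verdict is the important one: a media link on a host nobody has vetted is exactly the case the post describes, and quarantining it for a human to look at costs far less than an infected workstation. A blocklist alone only catches domains already known to be bad.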

The most security conscious of us, and those who keep current with security risks and trends in security technology, may think that all of this is old news and that of course they won’t have any problems, and they may be right. I hope so. However, new small businesses and new business Internet users are appearing all the time. As these businesses grow and expand, they may go through transition periods where their deployed technology changes, and of course upgrades will happen at some point. At those times, extra vigilance is required. If you are brought on board during a transition period as an email administrator, network administrator or security administrator, be aware that such risks are heightened.

While the attempt to execute malicious code via a codec installation may seem old hat, consider that new vulnerabilities appear frequently. Windows Media Player can play streaming content; couple that with the recent vulnerability MS09-047, Microsoft Windows Media Playback Memory Corruption Vulnerability, which can permit remote code execution, and you have exactly the sort of vector needed by the sender of the spam we started this discussion with: a maliciously crafted Windows Media Format file pointed to by a link in a spam email. Granted, this vulnerability and others like it have been patched, and if you are up to date on your patches it isn’t actually a threat.

Where this can become a problem (and as far as I know it isn’t with this vulnerability) is when patches interfere or conflict with mission-critical applications and can’t be applied, or when system updates (unfortunately including some antivirus and security patches) that require reboots can’t be installed as soon as they are received. Testing and verification may be required in your business before applying new patches and updates (and it is a good idea if it’s not already part of your routine). During this window, from the moment attacks are launched on “zero day” until your patches are applied, your systems may be vulnerable. During this (hopefully brief) period, the sort of attack described at the beginning of this post could actually penetrate your security and wreak havoc. Follow the ten tips listed above, and minimize your vulnerability.
