TMS zl Management and Configuration Guide ST.1.2.100916
Intrusion Detection and Prevention
IDS/IPS Concepts
Viruses and Worms
Viruses and worms can spread unchecked through an unprotected network and
cause enormous damage to vital files and network resources. Two categories of
viruses and worms are described below:
■ Zero-day viruses and worms
Early worm and virus outbreaks took days or weeks to spread across a
geographical area, which gave vendors time to distribute warnings and
signature files across the Internet. In 2003 and 2004, however, worms such
as SQL Slammer and Sasser propagated around the world in minutes to hours,
before anyone had time to write a signature to detect them. These "zero-day"
worms consume enormous amounts of bandwidth as they propagate, and because
their code is new, signature-based antivirus software has nothing to match
it against. Note that a zero-day worm need not exploit a new vulnerability:
SQL Slammer used a flaw for which a patch had been available for months, and
what was missing was a signature for the worm itself. Without some way to
detect an unknown worm or virus, a network that relies on signatures alone
is left unprotected until a signature is published.
■ Polymorphic/Metamorphic viruses and worms
Some viruses and worms disguise themselves from antivirus software through
self-encryption and self-alteration. A polymorphic worm encrypts its body
under a different key in each generation, so the stored bytes differ from
copy to copy and only a small decryption stub stays constant. A metamorphic
worm goes further and rewrites its own code as it replicates, so that no
part, the stub included, remains the same. Because the bytes change
continually, a fixed byte-pattern signature cannot reliably recognize the
mutated worm or virus. Detecting it requires matching whatever remains
invariant (such as the decryptor stub), emulating the code until it
decrypts itself, or watching its behavior on the host and the network.
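The following Python is an added illustration and is not part of this guide or of the TMS zl product; it models the self-encryption described above with a toy XOR "worm" whose payload is a constructed text string, not code. It shows that a signature written for the plaintext body never matches a freshly encrypted generation, while a scanner that emulates the decryptor stub (or signs the stub itself) still finds it. The stub bytes, key layout, and payload are assumptions made for the example.

```python
"""Polymorphic self-encryption versus fixed byte signatures (toy model, added example)."""
import random
from typing import Optional

# Constructed stand-in for a worm body. It is plain text, not executable code.
PAYLOAD = b"WORM: scan udp/1434; copy self to peer; repeat"
# A byte-pattern signature an antivirus vendor might ship for the plaintext body.
SIGNATURE = b"scan udp/1434"
# Invariant bytes of the toy decryptor stub: the one part every generation shares.
STUB_MAGIC = b"\xde\xc0"


def make_variant(payload: bytes, key: Optional[int] = None) -> bytes:
    """Emit one generation: stub, the single-byte key it will use, then the
    payload XOR-encrypted under that key. Each fresh key yields different bytes,
    which is what defeats a signature written for the plaintext."""
    if key is None:
        key = random.randrange(1, 256)          # 0 would leave the body in the clear
    if not 1 <= key <= 255:
        raise ValueError("key must be a single non-zero byte")
    body = bytes(b ^ key for b in payload)
    return STUB_MAGIC + bytes([key]) + body


def naive_signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """What a plain signature scanner does: look for the fixed bytes as stored."""
    return signature in sample


def unpack(sample: bytes) -> Optional[bytes]:
    """Emulate the decryptor stub: recover the key and decrypt the body.
    Returns None for samples that were not built from this stub."""
    if not sample.startswith(STUB_MAGIC) or len(sample) <= len(STUB_MAGIC):
        return None
    key = sample[len(STUB_MAGIC)]
    return bytes(b ^ key for b in sample[len(STUB_MAGIC) + 1:])


def emulating_signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scan the body only after running (here: emulating) the decryptor."""
    plain = unpack(sample)
    return plain is not None and signature in plain


def stub_signature_match(sample: bytes) -> bool:
    """Alternative: sign the invariant decryptor stub instead of the body.
    This works against the polymorphic toy but fails once the stub itself is
    rewritten in every generation, which is the metamorphic case."""
    return sample.startswith(STUB_MAGIC)


def compare_scanners(generations: int = 20) -> dict:
    """Generate several distinct generations and count hits per strategy."""
    keys = random.sample(range(1, 256), generations)
    variants = [make_variant(PAYLOAD, k) for k in keys]
    return {
        "generations": generations,
        "naive_hits": sum(naive_signature_match(v) for v in variants),
        "emulated_hits": sum(emulating_signature_match(v) for v in variants),
        "stub_hits": sum(stub_signature_match(v) for v in variants),
    }


if __name__ == "__main__":
    print(compare_scanners())
```

Running the script prints a count of hits per strategy for twenty generations; the emulating and stub-based scanners find every one, the plaintext signature finds none. The stub-based match is the weak point in practice: real polymorphic engines vary the decryptor as well, which is why production engines emulate the code and scan the decrypted result.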
Malware
This broad term describes software that is at best a nuisance and at worst
destructive to your network devices. Any software designed to use network
resources or infiltrate network devices without the knowledge or consent of
the device owner is considered malware. You must protect your network
against several types of malware:
■ Adware—software that displays unwanted pop-up ads on an infected
endpoint
■ Spyware—software that records Web sites visited, keystrokes, and other
personal information and reports it to a third party without the user's
consent.
■ Trojan horses—programs that appear to offer desirable software
enhancements but also include adware, spyware, or other malware as a
hidden part of the package.
■ Rootkits—programs that conceal an attacker's presence on a compromised
host by hiding processes, files, and network connections from the
operating system's own tools, and that typically maintain a backdoor
bypassing normal authentication so the attacker keeps access to the host
and the network (see "Backdoors" on page 6-12).