
KLEZ.H: From Propagation to Prevention

KLEZ.H: From Propagation to Prevention (PDF, 2.67MB)
Published: 19 Jun, 2003
Created by:
Michael Bakes

This study reviews the properties of the Klez.H worm, key findings from a set of infection experiments, and some of the network security tools needed to detect a Klez.H infection. Both previously reported results and new, unreported findings from this study show that Klez.H exploits several vulnerabilities from the SANS/FBI Top 20 List to propagate and infect local and remote computers on a Local Area Network. Observed behaviours include a sleep / wake routine that scans the network for new files and directories to infect, the creation and deletion of stealth processes for file infection, the creation of root-level shares with Full Control permissions for Everyone, and the creation of a back door internet-bot listening on port 1027. The experimental results highlight that virus protection involves not only downloading and applying updated virus signatures, but also deploying secondary security measures beyond antivirus patterns and scanning routines. These secondary measures include user training and awareness, patching of known software vulnerabilities, and disabling exploitable controls at the application and operating system level (such as those identified in the SANS/FBI Top 20 List). Finally, this study suggests an ongoing need for non-repudiation, authenticity and encryption tools that give email recipients assurance that the email they receive is virus-free.
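Two of the host-level indicators the abstract attributes to Klez.H, root-level shares granting Everyone Full Control and a listener on TCP port 1027, can be checked directly on a Windows host. The script below is an added example written for this page; it is not from the paper or its author, and it assumes a current Windows host with the SmbShare and NetTCPIP PowerShell modules (Windows 8 / Server 2012 or later, not the Windows versions of the paper's 2003 experiments), local administrator rights, and an English-language system where the well-known group appears as "Everyone".

```powershell
# Added example (not from the paper): flag two host indicators the study
# attributes to Klez.H -- drive-root SMB shares that grant Everyone Full
# Control, and a TCP listener on port 1027 joined to its owning process.
# Assumes Windows 8 / Server 2012 or later (SmbShare, NetTCPIP modules),
# local administrator rights, and the English account name "Everyone".

function Get-RootShareFullControl {
    # Shares whose path is a drive root (e.g. C:\) and whose ACL grants
    # Everyone an Allow entry with Full Control.
    Get-SmbShare | Where-Object { $_.Path -match '^[A-Za-z]:\\$' } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and
                           $_.AccessControlType -eq 'Allow' -and
                           $_.AccessRight -eq 'Full' } |
            ForEach-Object {
                [pscustomobject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Account = $_.AccountName
                    Right   = $_.AccessRight
                }
            }
    }
}

function Get-Port1027Listener {
    # Listening sockets on TCP/1027, with the owning process name and image
    # path so an analyst can see which binary holds the port.
    Get-NetTCPConnection -State Listen -LocalPort 1027 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Path         = if ($proc) { $proc.Path } else { $null }
            }
        }
}

$shares    = @(Get-RootShareFullControl)
$listeners = @(Get-Port1027Listener)

if ($shares.Count -eq 0 -and $listeners.Count -eq 0) {
    Write-Output 'No drive-root Everyone/Full Control shares and no TCP/1027 listener found.'
} else {
    if ($shares.Count -gt 0)    { $shares    | Format-Table -AutoSize }
    if ($listeners.Count -gt 0) { $listeners | Format-Table -AutoSize }
}
```

The share check is the stronger of the two signals: a drive-root share with Full Control for Everyone is rarely legitimate and is also the condition that lets the worm reach other hosts on the LAN. A listener on port 1027 on its own is weak evidence, because Windows services have long used dynamically assigned ports from 1025 upward, so the owning process and its image path are what an analyst should act on. On hosts of the paper's era, where these cmdlets do not exist, `net share` and `netstat -ano` expose the same information for manual review. The stealth-process and sleep / wake behaviours described in the abstract are not covered by this check.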