Dirteam.com/ActiveDir.org Blogs

Paul's Holy Bible Of Everything

About project management, people and all those annoying aspects of life that get in the way of achieving anything.

On virus signatures and application layer filtering

We all know that it is vital to protect our systems from viruses and outside intruders. If we fail to do so, our beloved systems are very likely to end up as nodes in a botnet, have their contents read and altered; you name it. So, to prevent that from happening, we install virus scanners and firewalls, trusting that this will save us from eternal digital damnation. But do we know how these applications save us from our disastrous fate? Perhaps you do, perhaps you don't. If you do, feel free to read on and correct me on any gaps. If you don't, well, also read on and allow me to shed some light on the wondrous world of security.

Viruses

Everything in a computer, be it hardware or software, is made by human hands. Though a logical system cannot make a mistake on its own, in practice such a system is still the end result of human engineering, and to err is human. A typo in code, a badly written subroutine that exposes subsystems through global parameters; the options are endless.

People who make viruses know this. To be more precise, they thrive on it. Using their technical skills (I am NOT counting script kiddies; these should be given a whack on the wrist and sent home to mommy), they create an often very simple little program called a virus. This virus abuses errors in (most often) software to give its maker access to systems he or she wasn't supposed to have access to. Often, these viruses open up little backdoors through which their maker can take control of the system (a concept often used in botnets).

Thankfully, there are also good people in this world, and they all make virus scanners. We all know that there are various forms of scanners, ranging from high-end to consumer level. They all have their benefits and downsides. Some are expensive, others are hell to use. But, quite frankly, the most important aspect of these programs (in my not so humble opinion) is: updates.

You see, while people who make viruses strive to abuse errors in code, people who make virus scanners strive to protect your system. They do this by using virus signatures, best defined as a fingerprint of the virus. This fingerprint is often a unique binary pattern associated with the virus. It can be the specific code that abuses the errors in the system, or it can be the trademark of the virus. For example, a few years ago the digital world was cruelly ravaged up the proverbial behind by the I Love You virus. This virus, containing a Visual Basic script, spread itself throughout the world at a pace that had rarely been seen before, abusing a weakness in Microsoft Outlook. Various international companies were struck by this, causing productivity in certain areas to fall to zero for a while.
The signature for this virus isn't very hard to guess: the title. The virus spread itself through an e-mail containing an attachment, with the subject of the mail being: I Love You. The makers of virus scanners swiftly reacted to this by adding a virus definition to their software, using the 'I Love You' subject as a signature.
Of course, not all companies reacted to this immediately. As the maker of a virus scanner provides its users with a new definition database only every once in a while, it's a pretty tricky situation if the company that provides your free, shiny and simple virus scanner doesn't update its definitions for another month. In the world of the Internet and viruses, a month is a very, very long time.
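To make the signature idea concrete, here is an added example (not code from the post) of a toy mail scanner: a definition is a subject-line pattern plus a byte pattern expected in the attachment, and a second, later definition set shows why a stale database misses a renamed variant. The definition names, byte patterns, sample mails and the seven-day freshness limit are all constructed for this example.

```python
import re
from datetime import date, timedelta

# Constructed definition databases (added example, not the post's code). A
# signature is a subject-line pattern plus a byte pattern expected inside the
# attachment. The byte strings are placeholders, not real malware content.
DEFINITIONS_MAY = {
    "LoveLetter.A": {
        "subject": re.compile(r"^\s*I\s*LOVE\s*YOU\s*$", re.I),
        "bytes": b"PLACEHOLDER-LOVELETTER-PAYLOAD-A",
    },
}
# A later update adds a variant that changed both its subject and its body.
DEFINITIONS_JUNE = dict(DEFINITIONS_MAY)
DEFINITIONS_JUNE["LoveLetter.B"] = {
    "subject": re.compile(r"^\s*(fwd?:\s*)?joke\s*$", re.I),
    "bytes": b"PLACEHOLDER-LOVELETTER-PAYLOAD-B",
}


def scan_message(subject, attachment, definitions):
    """Return the names of all definitions that match this message.

    A definition fires when its subject pattern matches the mail subject or its
    byte pattern occurs anywhere in the attachment: a plain fingerprint match,
    as the post describes, with no behavioural analysis."""
    hits = []
    for name, sig in definitions.items():
        subject_hit = sig["subject"].match(subject) is not None
        byte_hit = sig["bytes"] in attachment
        if subject_hit or byte_hit:
            hits.append(name)
    return hits


def definitions_stale(last_update, today, max_age=timedelta(days=7)):
    """True when the definition database is older than the allowed age."""
    return today - last_update > max_age


# Constructed sample mails: the original worm mail, a renamed variant, a
# harmless mail, and dates to check definition age against the post's date.
ORIGINAL = ("ILOVEYOU", b"...PLACEHOLDER-LOVELETTER-PAYLOAD-A...")
VARIANT = ("fwd: Joke", b"...PLACEHOLDER-LOVELETTER-PAYLOAD-B...")
BENIGN = ("Meeting notes", b"See attached agenda.")
POST_DATE, OLD_UPDATE, RECENT_UPDATE = date(2007, 5, 11), date(2007, 4, 1), date(2007, 5, 9)
```

Scanning VARIANT with the May definitions returns nothing; only the June update catches it, which is the whole point about update lag.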

Application layer filtering

Naturally, there are other ways to gain access to a remote system. Many protocols and programs throughout time have had some vulnerability in their code that provided an outside attacker with the means to gain remote control. For example, in IIS 5.0 on Windows 2000 it was possible for an outside attacker to cause a buffer overflow by sending an overly large packet to the .printer ISAPI extension. It may, or may not, surprise you that an OS like Windows (and for that matter, any other application or OS) often contains many of these 'bugs'; if it's built by human hands, there will always be an error somewhere, you can count on that.

Whereas 'older' firewall software only filtered traffic based on, for example, IP addresses and ports, modern firewalls have expanded their repertoire to the data sent and received itself (the application layer). While the data passes through the firewall application, an application layer filter inspects the traffic to ensure that no malicious code is inserted into the data. If a deviation is found, the TCP connection is immediately torn down before the data leaves the firewall (known as in-line scanning). A variation is that the data passes through the firewall but also takes the normal path to the system, so the traffic reaches both the host and the firewall. The firewall system will reset the connection but will be too late, as the traffic has already reached the host (known as promiscuous scanning). The first form is also known as IPS (Intrusion Prevention System), the latter as IDS (Intrusion Detection System). The better your firewall, the more advanced it will be in the area of IPS/IDS and application layer filtering. Microsoft ISA Server, for example, provides various mechanisms in this area. Your ZoneAlarm Personal edition from, say, 2003, will be less adequate.
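As an added example (not code from the post or from any firewall product), the following toy application layer filter parses an HTTP request, applies one rule modelled on the .printer case above (a request for a .printer resource with an oversized header block), and shows the difference between in-line and promiscuous deployment: in IPS mode a flagged request never reaches the host, in IDS mode the host has already received it by the time the alert fires. The 512-byte threshold, the `job.printer` path and the sample requests are constructed for this example.

```python
MAX_PRINTER_HEADER_BYTES = 512  # constructed threshold, not a documented ISA/IIS value


def parse_request(raw):
    """Split an HTTP/1.x request into (method, target, header block)."""
    head = raw.partition(b"\r\n\r\n")[0]
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None  # not a well-formed request line
    return parts[0], parts[1], header_block


def inspect_request(raw):
    """Application-layer rule modelled on the post: a request for a .printer
    resource with an oversized header block is treated as an attack. Returns a
    reason string when the rule fires, otherwise None."""
    parsed = parse_request(raw)
    if parsed is None:
        return "malformed request line"
    _, target, headers = parsed
    path = target.split(b"?", 1)[0].lower()
    if path.endswith(b".printer") and len(headers) > MAX_PRINTER_HEADER_BYTES:
        return ".printer request with %d-byte header block" % len(headers)
    return None


def inline_filter(raw, host_inbox):
    """IPS (in-line) mode: traffic is forwarded to the host only if it passes."""
    reason = inspect_request(raw)
    if reason:
        return "blocked", reason
    host_inbox.append(raw)
    return "forwarded", None


def promiscuous_filter(raw, host_inbox):
    """IDS (promiscuous) mode: the host gets its copy regardless; the sensor
    can only alert (and try a reset) after the traffic has already arrived."""
    host_inbox.append(raw)
    reason = inspect_request(raw)
    return ("alert", reason) if reason else ("ok", None)


# Constructed sample requests: a normal page fetch and an oversized .printer request.
NORMAL = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
OVERSIZED = (b"GET /job.printer HTTP/1.0\r\nHost: www.example.test\r\n"
             b"Cookie: " + b"x" * 600 + b"\r\n\r\n")
```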

So why doesn't everyone just use the best possible firewall and antivirus software?!

Easy. The best solutions are a) more expensive, b) often harder to configure and c) require a good understanding of exactly what is going on and what the impact of a situation might be. A sysadmin at a multinational is more likely to employ the best solutions than your 70-year-old aunt who can barely find the power button on her PC.

Conclusion

As technology advances, the complexity of threats progresses with it. Every day, new viruses are created and fresh, shiny bugs are found and exploited. If you value your system and the data on it, and would rather not be prosecuted for being part of a botnet that launches a full-scale attack on, say, the Pentagon, you'll want to keep up to date. Not just in the technical sense of advanced software, but also on the practical side of security. In this area of computer science it is always better to be safe than sorry, even if that means you'll have to put some more effort into securing your system and/or using it. Believe me, it's worth it.

Published Friday, May 11, 2007 2:16 PM by Paul
