Computer viruses spread through the action of the human operator.
For example, the "Melissa" virus spread because users who received
Melissa-infected e-mail opened the documents and chose to run
the macros within the documents.
On the other hand, hackers break into machines independently of human
operators. If you turn on a machine (that is connected to the Internet),
but do nothing, you cannot contract a virus, but a hacker can still
break into your machine.
For example, roughly 10% of home users enable "File and Print Sharing"
under Windows. If you are one of these users, a hacker from anywhere
in the world (such as Russia, New Zealand, Turkey, etc.) can connect
to your machine and read all the files from it. If your Internet
connection seems slow and your hard disk is very active, this might be
happening to you.
The important thing to remember is that the Internet is a
two-way connection. While you are downloading a file from a web site,
a hacker from Siberia may simultaneously be browsing your hard disk.
This can happen even if you've never contacted a web site in Siberia.
Moreover, hackers aren't particularly targeting your machine. Much
like how viruses spread in an automated fashion (with some human help),
hackers run 'bots (robots/automated programs) that scan random Internet
addresses looking for vulnerabilities. Each 'bot targets a different
vulnerability. For example, a hacker in Siberia may run a "File and Print Sharing"
attack script when they go to bed, and when they wake up they print
out a list of thousands of machines the 'bot found during the night.
They then start other 'bots that scour the machines looking for
passwords, credit-card numbers, on-line stock info, personal letters,
and so forth.
An important distinction between intrusion countermeasures and virus
scanners is what they look at. A virus scanner examines all the files
on your hard disk and checks to see if any of the files have been infected by a virus.
Intrusion countermeasures like Defender look at all the network
traffic going into and out of a machine, looking to see if that
network traffic is hostile. Virus scanners defend the machine
by "cleaning" the viruses out of the files. Defender protects
the machine by blocking the hostile network traffic. One consequence
is that for a virus scanner to work, you must already
have been compromised, whereas Defender stops the machine from
being compromised in the first place (though you should remember
that Defender will not stop virus attacks unless
they are network based).
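
To make the file-versus-traffic distinction concrete, the following added example (not Defender's code, and not from the original page) applies a traffic-based check to the "File and Print Sharing" case described above: it counts inbound attempts on the sharing ports that come from outside the local network. The log format, the sample entries and the 192.168.1.0/24 local network are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Ports used by Windows "File and Print Sharing" (NetBIOS and SMB).
SHARING_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
# Assumption: the home network whose machines may legitimately use the shares.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed inbound-connection log (hypothetical format):
#   time  protocol  source-address  destination-port
SAMPLE_LOG = """\
02:14:07 tcp 203.0.113.45 139
02:14:08 tcp 203.0.113.45 445
08:55:10 tcp 192.168.1.20 445
09:30:41 tcp 198.51.100.77 80
11:02:13 udp 192.0.2.9 137
11:02:14 udp not-an-address 137
truncated line
"""

def parse_line(line):
    """Return (proto, source, port), or None if the line is malformed."""
    fields = line.split()
    if len(fields) != 4:
        return None
    _, proto, src, port = fields
    try:
        return proto.lower(), ipaddress.ip_address(src), int(port)
    except ValueError:
        return None

def hostile_sharing_probes(log_text):
    """Count file-sharing probes per source that is outside LOCAL_NET."""
    probes = Counter()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip malformed entries rather than crash
        proto, src, port = record
        if (proto, port) in SHARING_PORTS and src not in LOCAL_NET:
            probes[str(src)] += 1
    return dict(probes)

if __name__ == "__main__":
    for source, count in hostile_sharing_probes(SAMPLE_LOG).items():
        print(f"{source}: {count} file-sharing probe(s) from outside the local network")
```
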
Defender is an automated defense system that stops both the 'bots
and real attempts by hackers. It runs in the background and requires
no intervention on your part. Just install it and forget about it.
If you are interested, it does list the attacks it found that
were directed against your computer. We find that the average
dial-up user is scanned by a 'bot about once per month, whereas
the average cable-modem subscriber is scanned about once per day
(hackers are looking to compromise computers connected via fast
links so that they can use them to attack other computers).
There are many similarities, though, between virus scanners
and intrusion countermeasures like Defender. Both require frequent,
automated updates: virus scanners require the latest signatures and
intrusion countermeasures need defensive programs against the
latest hacker techniques.
There is also some slight overlap between the products. Some viruses
have a networking component, where they attempt to spread automatically
via the Internet. Defender can stop some of these. Similarly, some
hacker attacks attempt to install "backdoor" programs once they
have compromised a machine. Virus scanners can detect and "cleanse"
the machine of some of these programs.