Slashdot Mirror


The Virus Squad

dncsky1530 writes "Sydney Morning Herald - The Virus Squad - 'A new species has been discovered. So new, it's still unnamed, but researchers are racing to tag it - before it spreads around the world. For the next 10 to 30 minutes, the computer virus or worm is dissected, analysed and identified... "On the day we detected MyDoom, we did another 18 viruses," says Paul Ducklin, Sophos's head of technology for the Asia-Pacific. "There are about 800 new viruses a month. And the unglamorous bit of our work is often the other 798."'"

175 comments

  1. I wonder by ATAMAH · · Score: 2, Interesting

    How many staff do they have? And how well are they doing next to the big boys à la Symantec?

    1. Re:I wonder by prat393 · · Score: 5, Insightful

      Well, I have to wonder how well the whole antivirus industry is handling the problem; why release virus signatures instead of just changing the entire underlying security system in the operating system? It's things like viruses that make SELinux seem like a very good idea to me.

    2. Re:I wonder by Anonymous Coward · · Score: 0

      Sophos has Graham Cluley, and that's all that matters. For those who don't know, Graham Cluley has been a long-time antivirus researcher, and was often teased in viruses written by the female virus/worm author Gigabyte, who was arrested last week.

      --
      Rate Naked People at FuckMeter! (Not work-safe, but hey, it's Sunday)

    3. Re:I wonder by BiggerIsBetter · · Score: 5, Insightful

      It's things like SELinux that make the status quo seem like a very good idea to the antivirus industry.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    4. Re:I wonder by prat393 · · Score: 3, Interesting

      Also very true. The antivirus companies themselves aren't interested in fixing everything wrong with computer security; what new false dichotomy do they come up with once "pay us for a subscription or your computer becomes a slave to every halfway-savvy hacker out there"?

    5. Re:I wonder by aheath · · Score: 5, Interesting
      I've also wondered about this. I suspect it is because it is extremely difficult to change an operating system that is designed with permissive security instead of restrictive security. In Mac OS 1.0 to 9.2, MS-DOS 1.0 to 6.22, and Windows 1.0 to XP anything that is not explicitly forbidden is allowed. Apple addressed operating system security by using a UNIX base to create Mac OS X. I suspect Microsoft will change from a permissive security model to a restrictive security model in Longhorn.

      I have been working as a consultant for small office and home office users since being laid off from Intel in 2002. The view from the small office and home office is very different from the view from within the IT industry. I've been working to educate my clients on the importance of regular backups, anti-viral protection and firewall protection. I spent the last two weekends removing viruses from computers that were on cable modem connections with no anti-viral software installed and no firewall installed.

      I am starting to think that I need to help my clients to protect their data and make their systems hard targets. I'd like to think that the virus problem will be addressed by operating system changes. However, the reality in the small office and home office is that operating system upgrades are almost always tied to the purchase of a new computer. Third party security products will continue to be important as long as users stick with what works for them today without worrying about what might be available tomorrow.

    6. Re:I wonder by prat393 · · Score: 5, Insightful

      But how often do you run across a computer you have to service with expired virus subscriptions? It seems to happen to me quite a bit. I suppose M$'s virus scanner mentioned earlier on /. might help, but that reeks even more of conspiracy than the current "protection money" setup does.

      Rather than bundling a questionably legal virus scanner into their next service pack, Microsoft should perhaps add a tool that helps to lock down permissions on NTFS volumes, creates unprivileged accounts for users and various services, etc. Even with the multitude of security holes, Windows can be made a lot harder to mess with, if you put a little work into it. The key here is privilege separation.

    7. Re:I wonder by aheath · · Score: 5, Informative
      I remember the days when anti-viral software was freeware or shareware. The anti-virus industry will have to adapt when Microsoft includes free anti-virus technology in Windows XP service pack 2. Assuming of course that the XP SP2 anti-virus software is robust and fully featured. Perhaps some of the anti-viral software companies will have to evolve from providing software to providing security consulting.

      Some security companies do give back to the community. GRISOFT offers a free version of AVG Anti-Virus 6.0 for single home users. Zone Labs offers a free version of the Zone Alarm firewall.

      Do you know of any other companies that offer free anti-viral or firewall software?

    8. Re:I wonder by merlin65537 · · Score: 5, Informative

      There is AntiVir which provides its software free for personal users, however it's in German only. I've used it on my Win2k system for a few years now. As far as I know it doesn't integrate with any e-mail clients, but it recognized viruses in attachments as soon as I saved them to disk.

    9. Re:I wonder by merlin65537 · · Score: 3, Informative

      Well, just found out they do have an English version...

    10. Re:I wonder by Fex303 · · Score: 5, Informative
      Avast! Antivirus is free for home users. I've been using it for a while now and it's successfully picked up the few viri that have tried to visit my inbox. I've installed it on a few machines (parents'/friends' computers) and I've had no probs so far.

      It's got auto-updates, Outlook add-on module, etc. All good. They want some info in lieu of registration, but it's non-spammy/invasive

      You can download it from here if you're so inclined.

      Disclaimer: I have nothing to do with Avast, beyond being a quite satisfied user of their software.

    11. Re:I wonder by AbbyNormal · · Score: 2, Insightful

      I used to love AVG's offering and had it installed everywhere...until I upgraded to Win2k. They didn't support Win2k, because it was considered a "business" product. I was a home user, using a "business" product...thought it was a little silly.

      --
      Sig it.
    12. Re:I wonder by Anonymous Coward · · Score: 0
    13. Re:I wonder by tiger99 · · Score: 2, Informative
      Don't judge their performance against Symantec. The latter did not do very well when the attacks on SCO and the Monopoly were propagated, and their products fail to protect against some quite old virii.

      I am yet to be convinced that there is any integrity or sense of morality in the anti-virus industry. The big boys such as Symantec and McAFraud have lost the plot, they are led by marketing men, and their products are distinctly third-rate. Their support departments also lie. As for Panda, well if you want to completely trash your PC, with unremovable entries in the registry, and everything slowed to a complete crawl, well go right ahead and try.

      The fundamental problem with Panda, and others, is due to the very basic design error in Windoze. Instead of relying on the file system to protect .exe and .dll files from corruption, by making them all write-protected, Windoze, a fine piece of incompetently designed trash, only works if writing to critical files is allowed (self-modifying code, maybe?), so Panda hooks each .exe in the registry so it grabs it first and scans it, before it is run, every time. The performance loss is enormous and unacceptable. The Incompetent Convicted Monopolist's System File Checker again is checking critical files in the background to see, too late, if they have been changed. A decent OS, not designed by an over-hyped imbecile, write-protects all system files, in the file system, and does not have this problem.

      I have not observed this behaviour with either Symantec or McAfraud, but have found that they simply do not work in certain conditions.

    14. Re:I wonder by SphericalCrusher · · Score: 1

      I guess it just takes time and effort... which Microsoft never really wants to give out for free.

      --
      "Instant gratification takes too long." - Carrie Fisher
    15. Re:I wonder by tiger99 · · Score: 0, Troll
      Would you really trust an anti-virus feature from the Convicted Monopolist, with their solid, well-proved track record of lies, deception and failure?

      In any case it will surely result in them being back in court, because it would be a monopoly, like IE or Media Player.

      BTW, I agree that Zone Alarm is good, no defence at all against viruses, because that is not what it does, but definitely the best of the Windoze firewalls, and I use it on my Windoze machine, not the useless firewall built into XP. F-Prot is free for Linux home users, can't remember if they also do Windoze, IIRC they do BSD as well.

      To make the OS tolerably secure, M$ would have to rewrite it from scratch, as it would have to run with no write access to any program files or dlls, for a start. Their present pitiful excuse for an OS will forever remain that, there is no way that it can be secured. Longhorn may be the answer, but by cutting the API set down to less than a quarter of its bloated predecessor, it will break compatibility with everything that went before. Another way of extracting more money from the gullible, only this time it will not work.

      I do wonder how they ever managed to get such an over-bloated API set in the first place, clearly the Chief Software Architect was utterly lacking in competence in proper software design.

    16. Re:I wonder by tiger99 · · Score: 2, Insightful
      Yes, AFAIK most computer users are running with expired antivirus subscriptions. Isn't it sad that people behave the way they do?

      Your other suggestions are sound, as far as they go, but unfortunately most people will deliberately run with administrator privilege if they can, and there is still the fundamental problem that the OS does not run if system files are write protected. OK they can be protected from regular users, and it helps, but is not sufficient. But, I think you are saying that it should default to the most secure settings out of the box, instead of the opposite. People like us have been saying that for years, to no effect. It will only change if the Monopoly gets new and technically competent management, which up till now they have never had.

    17. Re:I wonder by poweroff · · Score: 2, Interesting

      IIRC several recent worms have left backdoors on the victim computers.

      Does anyone know where a person could get accurate information required to, say, identify infected machines on a network with nmap or something similar? The published information from the AV vendors seems a little "fluffy" in this respect; they would obviously rather sell me something.

      I'm in a school setting and am not the Admin so I don't have full control of our computers, though I am trusted and given liberal leeway. I would like to be able to scan for computers that have had their AV software disabled and/or are infected.

    18. Re:I wonder by Goblin · · Score: 1

      Free AVG has never been limited by OS, just by usage. It is licensed only for personal/home use, but you can use it even on Win2k3 if it is on your home computer.

    19. Re:I wonder by BiggerIsBetter · · Score: 2, Informative

      FreeAV (AntiVir) is another one. Wasn't Avast! one of Microsoft's takeovers? Free for home users makes sense if it's going to be included in a Service Pack later. I don't suppose they still have a Linux version? I think a lot of companies will have to move more into the Linux/xBSD server arena with their products...

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    20. Re:I wonder by Kilted_Ghost · · Score: 1

      While I agree that write protecting OS files might have once been a good idea, it will have little effect on most of the more recent viruses/worms running around right now. Most of them are now their own executables and have no need to modify any of the system .exe or .dll files as far as I know.

      Not to mention that as soon as you do write protect them you have to come up with a means of allowing them to be updated by patches and service packs, but not by viruses.

      --
      Black holes are where God divided by zero.
    21. Re:I wonder by Anonymous Coward · · Score: 0

      Just not using Microsoft software at all will help greatly with the virus problem.

    22. Re:I wonder by jaavaaguru · · Score: 4, Informative

      F-Prot antivirus is available for free for home users, and runs on Linux, Windows, BSD, DOS and Solaris. For the Unix-based systems, there is a nice GUI front end called xfprot.

      Smoothwall is a "best-of-breed Internet firewall/router, designed to run on commodity hardware, and to give an easy-to-use administration interface to those using it. Built using open source and Free software, it's distributed under the GNU Public License".

    23. Re:I wonder by Anonymous Coward · · Score: 3, Informative

      A completely passive method (will not piss off local admins) is to run port monitoring software on your PC and watch port 3127; Any machine trying to connect to port 3127 is likely to be a Mydoom infected machine. Telnetting to port 3127 on one of these machines will get a login prompt, which indicates an infected zombie monitoring that port for commands. I ran portsentry on a Linux box (had to edit the config file to watch 3127) and within a couple of hours found three infected machines on our local network.
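
The passive approach described in this comment (and the earlier question in the thread about spotting infected machines without full admin control) reduces to one piece of logic: read whatever your port monitor logs, and flag every source that tries to reach tcp/3127. The script below is an added example written for this page, not the commenter's portsentry setup or any vendor tool. The log format is a constructed, simplified connection-attempt log (timestamp, source IP, destination IP, destination port, protocol); `LINE_RE` would need adapting to the real monitor's output, and the `min_targets` threshold is this example's own knob (the comment treats any attempt as suspicious, which is `min_targets=1`).

```python
"""Passive flagging of LAN hosts that try to connect to TCP port 3127, the
port the comment above watches to spot MyDoom-infected machines.

Added example, not from the thread or from any AV vendor. The log format is
a constructed, simplified connection-attempt log; adapt LINE_RE to whatever
your port monitor actually writes.
"""
import re
from collections import defaultdict

WATCH_PORT = 3127  # port named in the comment; change if watching another

# Constructed sample log lines (not real traffic):
# timestamp  source-ip  destination-ip  destination-port  protocol
SAMPLE_LOG = """\
2004-02-15T10:01:12 10.0.0.5 10.0.0.1 3127 tcp
2004-02-15T10:01:13 10.0.0.5 10.0.0.2 3127 tcp
2004-02-15T10:01:14 10.0.0.9 10.0.0.1 80 tcp
2004-02-15T10:02:00 10.0.0.7 10.0.0.1 3127 tcp
2004-02-15T10:02:30 10.0.0.5 10.0.0.3 3127 tcp
2004-02-15T10:03:00 10.0.0.9 10.0.0.1 3127 tcp
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dport>\d{1,5})\s+"
    r"(?P<proto>[A-Za-z]+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
    }


def suspects(log_text, port=WATCH_PORT, min_targets=2):
    """Map each source IP to the number of distinct hosts it tried to reach
    on `port`, keeping only sources that hit at least `min_targets` hosts.

    Counting distinct targets rather than raw attempts is this example's
    choice: it separates a host probing several neighbours from one that
    merely retried a single connection. min_targets=1 matches the comment's
    "any attempt is suspicious" reading.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def report(log_text, port=WATCH_PORT, min_targets=2):
    """One human-readable line per flagged source, most targets first."""
    flagged = suspects(log_text, port, min_targets)
    return [f"{src} reached {n} host(s) on tcp/{port}; check for infection"
            for src, n in sorted(flagged.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)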

    24. Re:I wonder by ozbird · · Score: 1

      ... why release virus signatures instead of just changing the entire underlying security system in the operating system?

      Fixing the problem instead of just treating the symptoms would be commercial suicide - why do you think drug companies spend so much money marketing "cold and flu" tablets instead of producing effective vaccines?

    25. Re:I wonder by BlueStrat · · Score: 1

      H+BEDV offers a free antivirus program for home use. There are versions for windows, linux, and even DOS.
      http://www.hbedv.com/download/download.htm

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    26. Re:I wonder by spacecowboy420 · · Score: 2, Interesting

      This guy is not insightful,

      AVG is handling the antivirus for my entire company - but before it was purchased, I needed to test it and ensure it would fit our needs. I used the free version in the testing of a 98, 2k, and xp machine with zero problems.

      After 3 months I felt confident enough to make it comapny policy. I purchased the server versions for my windows servers at the time and the client for everyone else. To this date, I have had one infected user and it was because a remote user in Singapore had disabled it.

      --
      ymmv
    27. Re:I wonder by drsmithy · · Score: 2, Interesting
      Well, I have to wonder how well the whole antivirus industry is handling the problem; why release virus signatures instead of just changing the entire underlying security system in the operating system?

      Because it's basically impossible for the OS to tell the difference between the user deliberately performing $TYPICAL_VIRUS_ACTIVITY and a virus doing it ?

    28. Re:I wonder by Anonymous Coward · · Score: 0

      I'll second that one. I'd tried all the free antivirus solutions before I settled on Avast. Frequent program updates, very good user support forums on their website, and pretty prompt pattern updates too.

    29. Re:I wonder by cfuse · · Score: 1
      Assuming of course that the XP SP2 anti-virus software is robust and fully featured.

      Yes, well you know what they say about that ...

    30. Re:I wonder by RayBender · · Score: 1
      Yes, AFAIK most computer users are running with expired antivirus subscriptions. Isn't it sad that people behave the way they do?

      Uh, if I just dropped $1000 on a new computer, I get rather pissed off at the suggestion that within a few months I need to start paying some not-insignificant amount of money a month just so the damned thing won't catch a virus and die.

      Funny, I don't recall having to subscribe to a freakin' virus protection scheme with my Linux box.

      --
      Human genome = 3 billion base pairs = 6 GBit. Windows + Office = 20 Gbit. Which is more impressive?
    31. Re:I wonder by juggy · · Score: 1

      I have been using AntiVirus Personal Edition happily for the last 2 years. It's not free as in speech, but for personal/privat use it's free as in beer :-)

    32. Re:I wonder by Anonymous Coward · · Score: 1, Funny
      GRISOFT offers a free version of AVG Anti-Virus 6.0 for single home users.

      But what about the home users with girlfriends or wives?

    33. Re:I wonder by Anonymous Coward · · Score: 0

      Uh, if I just dropped $1000 on a new computer, I get rather pissed off at the suggestion that within a few months I need to start paying some not-insignificant amount of money a month just so the damned thing won't catch a virus and die.

      Uh, if I just dropped $10000 on a new car, I get rather pissed off at the suggestion that within a few months a I need to start paying some not-insignificant amount of money a month just so my car won't catch fire or die.

      Do you bitch that much when you take your car to the mechanic every few months? What about that insurance money you pay every month? Or the taxes that you pay every month to have local law enforcement?

      Most of the AV companies are only charging $20-$50 per year, which is not significant amounts of money compared to the cost of an internet connection or even the price of the computer.

    34. Re:I wonder by RayBender · · Score: 1
      Uh, if I just dropped $10000 on a new car, I get rather pissed off at the suggestion that within a few months a I need to start paying some not-insignificant amount of money a month just so my car won't catch fire or die.

      I don't know about you, but the cars I buy tend to run 100,000 miles before they need major maintenance. Gas, oil change etc is one thing. But I don't have to subscribe to anything.

      And the fact that Linux boxes pretty much don't suffer from viruses does pretty much show that you can make a machine that way. Just like the Japanese cars showed everyone what pieces of crap American cars were.

      --
      Human genome = 3 billion base pairs = 6 GBit. Windows + Office = 20 Gbit. Which is more impressive?
    35. Re:I wonder by AbbyNormal · · Score: 1

      Neither is your comment "Insightful". If you actually read the post, is said "USED" to use it on all my machines.

      --
      Sig it.
    36. Re:I wonder by AbbyNormal · · Score: 1

      Yes, actually, it was. A year ago actually, in one of their older versions.

      --
      Sig it.
    37. Re:I wonder by spacecowboy420 · · Score: 1

      I guess you didn't get it. You're not insightful because you're a moron who makes shit up. AVG never had any such restriction.

      --
      ymmv
    38. Re:I wonder by AbbyNormal · · Score: 1

      Parent post: sponsered by Troll Aid. Now with more flava. Way to counter my argument. Asshole , that is sure to gain insighfullness and win any/all arguments.

      Slashdot needs to start carding its posters.

      --
      Sig it.
  2. Ugh, these aren't viruses... by tgd · · Score: 5, Insightful

    Maybe a lot of /. readers are too young to remember real viruses, or to have played around/collected them, but its been a decade since a real infectuous virus has gone around.

    If it can't infect any arbitrary EXE file, its not a virus, its a trojan or a worm, depending on wether or not its a moronic user or a security hole that allows it to enter the system.

    1. Re:Ugh, these aren't viruses... by ATAMAH · · Score: 4, Insightful

      >> ... its been a decade since a real infectuous >>virus has gone around. No, it's actually hasn't been that long. http://securityresponse.symantec.com/avcenter/venc /data/cih.html

    2. Re:Ugh, these aren't viruses... by sheriff_p · · Score: 3, Informative

      Actually, common industry usage says that worm is a subset of virus. If you want to use your own terminology, fine, just don't inflict it on others :-)

      +Pete

      --
      Score:-1, Funny
    3. Re:Ugh, these aren't viruses... by przewdnik · · Score: 1

      Well, today it's simply not needed to infect executable file. I think real virus can't spread as quickly as mail "virus". And it's a lot harder to write it. And anybody have antivirus program, which detects infections. Real viruses are gone. *sniff* ;)

    4. Re:Ugh, these aren't viruses... by Jonathan · · Score: 4, Insightful

      If it can't infect any arbitrary EXE file, its not a virus, its a trojan or a worm, depending on wether or not its a moronic user or a security hole that allows it to enter the system.

      I agree trojans aren't viruses, but worms are exactly the same thing as EXE viruses except at a bigger scale -- instead of merely infecting EXEs on one system, it infects systems on a network.

    5. Re:Ugh, these aren't viruses... by interiot · · Score: 5, Insightful
      The main reason we needed to have a copy of the virus in every executable was because we were running on DOS, which doesn't usually support multiple programs running at once. And a lot of networks were little clumps of networked file systems.

      Now that the most common OS's support multiple processes at once, and the internet/web/email is the main thing that connects everybody (and writable network file systems are mainly only found in the workplace), viruses have naturally changed.

    6. Re:Ugh, these aren't viruses... by AndroidCat · · Score: 5, Interesting

      Back then, at lot of them didn't infect executables, but went for boot sectors like STONED. And there are arbitrary EXE infectors around still, but they tend to get noticed and whacked faster than ones that don't.

      --
      One line blog. I hear that they're called Twitters now.
    7. Re:Ugh, these aren't viruses... by MrAngryForNoReason · · Score: 5, Interesting

      Old schoool viruses tended to be designed to do damage. They infected as many files on the system as possible often destroying the file in the process.

      This approach is counterproductive if you want it to spread. Modern e-mail worms rarely show much evidence of their presence, if it seems like nothing is wrong then the user won't look for a problem. This leaves the worm free to mail itself to thousands of others and the system is added to the long list of compromised machines at the crackers disposal for DDoS attacks or spam relays.

      This is the same reason you don't get any 'wipe your hard drive on a certain date' viruses anymore. It isn't about doing damage it is about infecting as many machines as possible either for the 'fame' or to build up nets of infected drone machines for another purpose.

      I am surprised the article didn't mention the real reason MyDoom targeted SCO, it was a diversion. Spammers need new drone machines to send spam from but they don't want the backlash from being connected to a virus so they add in a diversion, the attack on SCO. This took the heat off the spammers and placed it firmly on the OSS community. And it worked, kind of, only recently has the spamming 'features' of MyDoom seen any press. For weeks all that was reported was how it was probably created by a OSS zealot lashing out at SCO.

    8. Re:Ugh, these aren't viruses... by sporty · · Score: 1
      An exe is a program that gets executed by your OS. A doc file is now a program that gets executed by Word. Only diff between a clean program and a doc, is a program is mostly used to contain functionality, whereas a doc has info.


      But believe me, I've seen docs compiled as exe's to provide their own reader back in the day.


      But anyway, what's the diff?

      --

      -
      ping -f 255.255.255.255 # if only

    9. Re:Ugh, these aren't viruses... by AndroidCat · · Score: 5, Funny
      They seem to be running down Slashdot's Axis of Evil list for their merkins: SCO, Microsoft, and now the RIAA. We ought to be able to deduce the next MyDumb.n target.

      Slashdot could run a poll, but the answer would almost certainly be .. CowboyNeal.

      --
      One line blog. I hear that they're called Twitters now.
    10. Re:Ugh, these aren't viruses... by wfberg · · Score: 1

      I've given up on teaching people the distinction. Fortunately, end-users also make no distinction between malware (adware and spyware) and virusses, and are baffled that McAfee, Norton and their ilk don't detect them (antivir will find some malware, such as dialers). I hope the AV vendors will keep at this long enough to go out of business altogether.

      --
      SCO employee? Check out the bounty
    11. Re:Ugh, these aren't viruses... by Anonymous Coward · · Score: 0

      Wiping a million harddrives isn't classified as fame anymore?

    12. Re:Ugh, these aren't viruses... by Anonymous Coward · · Score: 0

      I think people have been VERY VERY lucky as I recall, Melissa spread via email, but changed the file size on word and excel docs to zero.

      This did a lot of damage, while keeping the O/S in place so it can infect more systems.

    13. Re:Ugh, these aren't viruses... by Tony-A · · Score: 1

      Fortunately, end-users also make no distinction between malware (adware and spyware) and virusses {Emphasis added]

      The all want to control your computer, and by controlling your computer control you.
      They are widespread enough that the virus known as "Norton Anti" comes preinstalled on new Dells.

    14. Re:Ugh, these aren't viruses... by theCoder · · Score: 3, Informative

      Who modded this up as *insightful*? Translate this to biology: "parasites are exactly the same thing as biological viruses except at a bigger scale -- instead of merely infecting cells in one body, it (sic) infects bodies in a group (or city/colonly/ecosystem, etc)".

      Worms and viruses are both forms of malware, but they are not the same! They may have similar qualities, but they are not "exactly the same". Here's the critical difference -- a virus is not executable by itself. It is just some executable code that knows how to spread itself by infecting other executables (or in some cases, documents that contain executable code, like Word macro viruses). This is analogous to the biological world, where biological viruses are not full (as in independent) life forms (as I understand at least), but just a small amount of DNA in a container cell that knows how to infect a cell and replicate itself. A worm, like a parasite, is a distinct executable (organism) that just happens to need a host in order to run and spread. They are both bad, but they are distictly different.

      And the original poster is right -- there hasn't been a large scale outbreak of a real virus in quite some time (probably a combination of malware authors getting lazy, virus scanners getting better, and viruses being more difficult to transmit over the Internet).

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    15. Re:Ugh, these aren't viruses... by Jonathan · · Score: 1

      First of all, as a biologist, I would have to classify biological viruses as parasites, although certainly not all biological parasites are biological viruses.

      But that's not really the point -- an e-mail worm can't spread by itself -- you need to get the e-mail and open it up and run the attachment (or have a brain-dead mail client that does this automatically). How is this any more "independent" than a computer virus that is only active when you run the infected program?

    16. Re:Ugh, these aren't viruses... by Anonymous Coward · · Score: 0

      Even more proof,

      low UID != high IQ

    17. Re:Ugh, these aren't viruses... by theCoder · · Score: 2, Informative

      Interesting point about viruses being a type of parasite. I'm not a biologist myself (any more than high school Biology), but I can see why you would say that. I was referring to larger, multi-celled parasites in my example.

      However, you didn't take issue with my assertion that a biological virus is barely alive, and it essentially a bunch of specific DNA in a container. This is much like a computer virus and the biggest distinction between a virus and a worm (though at some point, this analogy becomes stretched). A worm is a piece of malware that is a complete program that is run by the startup scripts (or registry keys) of a system and gernally spreads from one machine to another across a network. A virus is a piece of malware that "infects" other programs and gets *them* to run the virus code whenever the program is run. A computer virus cannot run by itself and generally spreads from program to program (possibly over a network). Of course, a specific piece of malware could exhibit qualities of both (such as a worm that expoits a hole in a server is somewhat like a virus), so the lines can become blurry.

      Email "worms" come in two variants -- worms and trojans. Email worms exploit a flaw in the mail handler or mail reader to propogate without user interaction (your brain-dead mail client example). They could be considered true viruses if the exploit was run entirely inside the process space of the exploited program (and didn't download the actual worm code and run that). The second type (MyDoom fits into this category) is a trojan. Much like the Trojan Horse, a trojan program is a program that looks like it should be one thing, but is in fact another. The user is the exploit in this case, and should possibly be beaten with a LART. Trojans are by far the easiest to write, and there is no real defense at the system level against them, since the system must assume that when the user says to run this program, they really want to run this program (though poor interfaces may make it easier to run a trojan).

      To get to your question, worms and especially trojans are more independent in computer terms because they execute as separate processes. You say that yourself when you state that the computer virus is only active when you run the infected program. A worm or trojan is active from when it is started. It may use an exploit to get to that point, but that is the crucial difference. This also means that the original program isn't "infected", and thus won't run the malware code if you run the program later (i.e., Outlook won't run MyDoom every time you start Outlook).

      HTH!

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
  3. Half-life of Viruses by Melvin+Daniels · · Score: 5, Insightful

    "There's still a big perception out there that only broadband users need one," Lee says. "Everyone needs a firewall, along with antivirus."

    This rings all too true. If forwarding ports for certain applications wasn't such a pain in the ass, I would say make ISPs require firewalls or find a way to have some sort of personal firewall for their connection that they can access from the internet and change the settings on. Just a thought.

    This would bring up other problems, but it'd at least stop a lot of problems with trojans and open relays.

    1. Re:Half-life of Viruses by BiggerIsBetter · · Score: 4, Insightful

      That would be fairly easy to set up. An ISP could provide a web interface to configure per user "pin holes". Default to blocking all traffic from the customer, and some traffic to the customer (smb traffic, for example), and let them enable things if they need to. Not hard to do at all, as long as arbitrary "thou shalt not use port X" policies aren't brought in along with it.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    2. Re:Half-life of Viruses by cerberusss · · Score: 4, Insightful
      >>Everyone needs a firewall, along with antivirus
      >This rings all too true

      That may be true for a Windows machine where controlling the number of open ports is difficult and where you have every piece of software calling home, but on my Linux laptop, I don't run a firewall. I just don't see the need. I've got ssh open and that's it. And X, from which I haven't heard anything since 4.0.

    3. Re:Half-life of Viruses by Chris_Jefferson · · Score: 2, Interesting

      You sure that's all you have open? Willing to share your IP address with us all to check?

      I find on Linux you tend to have more need for a firewall. Linux will often be running RPC, and like you say X (and I know at least KDE) uses ports too that should be firewalled.

      --
      Combination - fun iPhone puzzling
    4. Re:Half-life of Viruses by WhatAmIDoingHere · · Score: 0

      My grandmother couldn't do that herself. My aunt has AOL and only knows her computer lets her "do emails". The average user doesn't know what a port is. If everybody is schooled on what to do and how to do it, it would be great.. but until people stop being "lusers" and start knowing what's going on in their "magic interwebnet.com box", that kind of thing won't happen. It is a good idea, but users aren't ready for it yet.

      --
      Not a Twitter sockpuppet... but I wish I was.
    5. Re:Half-life of Viruses by BiggerIsBetter · · Score: 1

      Users like your grandma don't need to know about that stuff, and certainly wouldn't need to know about ports and routing. Defaults would work just fine for her, and it will protect her from much of the junk on the net. It'll also protect us from her, if she still manages to get infected.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    6. Re:Half-life of Viruses by Spoing · · Score: 1
      1. You sure that's all you have open? Willing to share your IP address with us all to check?

        I find on linux you tend to have more need for a firewall. Linux will often be running RPC, and like you say X (and I know at least KDE) use ports too that should be firewalled.

      I have to agree with the person you're commenting to.

      Firewalls are not useful for an individual system if you don't have things running on ports that can be abused.

      Windows does make this very hard, while on Linux it is trivial and by default has less running. Turning off the extras is a chore under Windows and can be futile if you fire up an app that opens up a port on demand -- and you don't know about it.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    7. Re:Half-life of Viruses by Anonymous Coward · · Score: 0

      "Firewalls are not useful for an individual system if you don't have things running on ports that can be abused."

      Well, unless some evil program hits you and opens up another port. And that is where the firewall comes in - second line of defense. Even if someone evil manages to open up a rootshell, the packet filter will not allow any connections out or in.

      Running an extra packet filter is no risk, nor does it use excessive system resources. I wouldn't want to leave it off.

    8. Re:Half-life of Viruses by Anonymous Coward · · Score: 0

      There's certainly a very strong case for all ISPs having anti-spam and antivirus filters on their mail gateways. As far as I'm concerned, this latest wave of email-spread viruses/worms/call-them-what-you-will should be considered as another class of spam. Good spam filters should detect some of these viruses as spam before the antivirus vendors have updated patterns out.

    9. Re:Half-life of Viruses by Spoing · · Score: 2, Insightful
        1. "Firewalls are not useful for an individual system if you don't have things running on ports that can be abused."

        Well, unless some evil program hits you and opens up another port. And that is where the firewall comes in - second line of defense. Even if someone evil manages to open up a rootshell, the packet filter will not allow any connections out or in.

      How...

      ...does that evil program break in and get run if the ports are not in use?

      ...does the evil program abuse a port if the software using that port is secure?

      ...do you protect your firewall once the evil program is on the same side as the firewall and all your other apps?

      While firewalls are useful at times, they are not magic. They are tools and not always appropriate.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    10. Re:Half-life of Viruses by cerberusss · · Score: 1
      Interesting ports on (x.x.x.x):
      (The 1599 ports scanned but not shown below are in state: closed)
      Port State Service
      22/tcp open ssh
      6000/tcp open X11

      Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

      I've shut all RPC stuff off. You don't need that unless you're running NFS, which I don't. So, what's the use? You want me to run a firewall for one port? Which hasn't been vulnerable for 3 years?
  4. One virus, many names... by Anonymous Coward · · Score: 1, Interesting

    800 viruses a month? And a lot of them get one name from each company? Wonder when they will cooperate and agree on names for each virus?

    1. Re:One virus, many names... by BlueCup · · Score: 1

      I don't see this working. I can't picture Symantec calling up Grisel and saying "Hey, guys, you know that new virus? The one that copies itself billions of times and says hello to the user?... you don't? oh... never mind... have a good day"

      This is a business, and if one finds a virus that the other hasn't, they have the advantage until the other virus companies catch on. No point in sharing the information ahead of time.

      --
      WANNAWIKI Wannawiki WannaWiki WANNAWIKI!
    2. Re:One virus, many names... by timmy0tool · · Score: 2, Insightful

      They will see no benefit.

      Say there are only 5 AV companies.
      That's 5 * 800 = 4000 names/variants per month. That's good scaremongering, and more likely to get them a sale by increasing the whole market. Gran doesn't know the two viruses on the news are the same?

      Also it would probably take longer to agree on a name than dissect the virus, where the valuable minutes mean money. Companies will go to the fastest response time and spend their money there.

      The benefit of a standard name is so small it won't be economically possible in the current marketplace.

    3. Re:One virus, many names... by KStieers · · Score: 1

      There has been an off and on effort at naming standardization in the past, but it's always been an uphill battle.

      VGrep from the Virus Bulletin site (www.virusbtn.com) is a continuously updated tool that cross-references the virus names.

      Ken

  5. Huh? by Anonymous Coward · · Score: 5, Insightful
    Virus writers seem to be paying more and more attention to what makes people click - and that makes observers like Lee suspicious. "I'm sure these people are recruiting psychologists."

    How does that go?

    "I AM PR3PAr3D T0 0ff3R TH3 2um 0F tHR33 BaGz 0f Ch33zY P00fS 4 a 3l33T P2Ych0!og!st!!!"

    "While you clearly have abandonment issues, the practice has been hard up for money lately. Very well, I accept. But first, tell me about your mother."

    Look, it doesn't take a psychologist to explain that when you sit the average person in front of a computer, they become a mouse-clicking fool. No amount of emergency IT sessions with the staff explaining precautionary tactics involving attachments is going to change that, and if any psychologist recruitment is necessary it's to explain why the average person keeps clicking attachments to messages in obviously broken English.

    That's why blaming software vendors like Microsoft is stupid. Will four ARE YOU SURE YOU WANT TO RUN THIS warnings before allowing the execution of an attachment do any more than three?

    1. Re:Huh? by RdsArts · · Score: 2, Funny

      Of course. It will slow down viruses by exactly one mouseclick.

      Sure, it doesn't sound like a lot, but think of it in volume...

    2. Re:Huh? by Tony-A · · Score: 1

      That's why blaming software vendors like Microsoft is stupid. Will four ARE YOU SURE YOU WANT TO RUN THIS warnings before allowing the execution of an attachment do any more than three?

      No, I'd put the blame squarely on software vendors like Microsoft. Four ARE YOU SURE YOU WANT TO RUN THIS warnings won't do any good. One

      No amount of emergency IT sessions with the staff explaining precautionary tactics involving attachments is going to change that

      You must be doing something wrong. I've done one "emergency session" and that was more of a "heads up". A few years back on the first of the random subject thingees. (Thanks to the Slashdot Early Warning System!)

      The computer is your friend? With friends like that you don't need any enemies.
      The computer has a problem? That's the nature of computers. It doesn't mean that you have a problem. The computer wants you to run worms/viruses/trojans. There are things called booby-traps. They are designed to catch boobies.
      Always blame Microsoft. (Shoot first then ask questions). Effective. Annoyingly effective.
      Savvy, well trained users? Maybe, but they've been given the bare minimum of training, usually less, so if they are, they've done it on their own.

    3. Re:Huh? by jaavaaguru · · Score: 4, Informative

      If the average person in front of a computer had an office suite with VB scripting turned off by default (typing up your homework in Word doesn't require it anyway), and the OS only executed files that were saved to disk and needed the execute permission turned on explicitly (I think Windows using NTFS has this option, but it's always on by default), then the "mouse clicking fools" wouldn't be doing so much harm. This is something that only the OS vendor can fix.

  6. Conflict of interest.. by eddy_crim · · Score: 1, Insightful

    ...the only people other than criminals who profit from viruses have a stash of 87000 of the little blighters and clearly a lot of knowledge. I feel a conspiracy coming on...

    --
    hmmm.
    1. Re:Conflict of interest.. by MoonFog · · Score: 1

      Exactly how do the criminals (I take it you talk about the writer) profit from these viruses? Most viruses destroy stuff on your computer, get you access to their machines or start DoS attacks. That doesn't give the writer much profit, does it?

    2. Re:Conflict of interest.. by prat393 · · Score: 5, Interesting

      Well, the article hints at some sort of collusion between spammers and the author of MyDoom, but it seems like this would be the exception, even if it's true. The virus writers are in it for the fun, of course (not to mention revenge).

      It also seems possible that the antivirus companies themselves are writing the viruses, then charging to protect users against them, but this also seems unlikely, given the police investigations that inevitably follow major virus outbreaks.

    3. Re:Conflict of interest.. by ashkar · · Score: 2, Insightful

      Are you a troll or do you just keep up much?

      The use of infected systems for spam, web mirrors, traffic laundering, and bases for attacks on others' systems has been commonplace for quite some time now, not even mentioning the rampant spyware and ad placements these worms make possible.

  7. Viruses don't die .. by MoonFog · · Score: 4, Interesting

    Old viruses don't die, it seems, they just run out of potential targets as software choices change and security holes are patched.
    "You might think that there are some that will almost certainly never be seen again but it is surprising ... we still occasionally see viruses from 1995," Ducklin says.

    There's reason enough to be on your toes and patch your new install as soon as possible.

    1. Re:Viruses don't die .. by TeddyR · · Score: 3, Interesting

      For situations where within 15 mins of powering up a machine, it's infected....

      I wish that MS would make the service packs/updates in such a way that it would be

      1- latest service pack
      2- latest critical OS security patches
      3- latest IE critical security patches

      so that on a new install, all I would need to do is get a CD (burn one even) that contains the above three files.

      Make the three files available from a single location. Update #2 and #3 as soon as a new individual patch is released.

      every 6-9 months, incorporate #2 into #1

      OR

      release them as SP 4 (base)
      then as a new OS patch is released, release
      SP4.1
      SP4.2

      etc, so when getting a SP for installation I would just get the latest and be assured that I have all the security patches that have been released (single file)

      --
      Time is on my side
    2. Re:Viruses don't die .. by ILEoo · · Score: 2, Informative

      You can make an install CD which includes those latest SPs. http://www.betaplace.co.uk/ssp1.asp
      (Haven't tried it myself, just read it on news ;)

    3. Re:Viruses don't die .. by riscthis · · Score: 2, Informative
      Microsoft have a CD you can get for free containing most of that:

      Windows Security Update CD
      The Windows Security Update CD will be shipped to you free of charge. This CD includes Microsoft critical updates released through October 2003 and information to help you protect your PC. In addition, you will also receive a free antivirus and firewall trial software CD.

      This CD is only available for Windows XP, Windows Me, Windows 2000, Windows 98, and Windows 98 Second Edition (SE).
      Obviously it will get out-of-date, but it's a good start...

      Interestingly in the UK, I understand that Microsoft have effectively banned computer magazines from carrying copies of the latest patches etc on their cover CDs, preferring users to download from Microsoft directly, which is obviously a major inconvenience for those without broadband.
    4. Re:Viruses don't die .. by kryptkpr · · Score: 2, Informative

      You CAN do this, it's called Slipstreaming..

      I know for sure you can Slipstream Service Packs and hotfixes, but I'm also pretty sure if you find the correct almost-undocumented-hidden-behind-a-door-that-has- a-sign-saying-"Beware-of-the-Leopard"-in-it switch to pass to the IE updater application, that it will also allow you to Slipstream in IE updates.

      --
      DJ kRYPT's Free MP3s!
    5. Re:Viruses don't die .. by NeoThermic · · Score: 1

      >> so that on a new install, all I would need to do is get a CD (burn one even) that contains the above three files.

      And they listen...

      Microsoft Security Patch CD

      You do have to wait for it to be delivered (it's _free_), but it has the latest patches on one CD. Just re-install, and then run the patches from the CD before going online, grab a good firewall & virus scanner, and then do whatever.

      NeoThermic

      --
      Use my link above, or to view my server, NeoThermic.com
    6. Re:Viruses don't die .. by thogard · · Score: 1

      If Microsoft cared, they would force every software shop to sell or give away copies of this CD. But they don't care that much and won't till they get nailed by a consumer product group.

  8. AV companies? by m.mascherpa · · Score: 3, Interesting

    Have you ever had the doubt that viruses aren't actually written by bad bad people, but by some mysterious department in some AV company?

    Really, I can't imagine that there are so many (800 viruses/month is SO much) evil-programmers that prefer to spend their know-how writing code they will never get paid for, instead of selling their experience to someone who needs it and earn a lot of money..

    1. Re:AV companies? by benj_e · · Score: 5, Insightful

      programmers that prefer to spend their know-how writing code they will never get paid for, instead of selling their experience to someone who needs it and earn a lot of money

      Right, no one would ever write code for the joy of writing it. That's why this OSS fad will never take off...oh wait.
      --
      The Tao that can be spoken is not the one eternal Tao
    2. Re:AV companies? by frdmfghtr · · Score: 1

      Really, I can't imagine that there are so many (800 viruses/month is SO much) evil-programmers that prefer to spend their know-how writing code they will never get paid for, instead of selling their experience to someone who needs it and earn a lot of money..

      Who is to say that they aren't doing both? Why wouldn't there be any talented IT professionals who create the very problems they are hired to solve? Provides job security, and you KNOW you can solve the problem quickly and look good; after all, you created it.

      --
      Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
    3. Re:AV companies? by Anonymous Coward · · Score: 1, Funny

      Poor sophos, I bet they can barely keep up with Symantec's virus producing department.

    4. Re:AV companies? by tiger99 · · Score: 1
      That would explain a lot....

      The same allegation was made against McAfraud some time ago, and I don't remember them taking anyone to court over it, which may suggest something.

    5. Re:AV companies? by Reziac · · Score: 1

      I've mentioned this before: there was an interview with McA. his own self back around 1989 (probably to plug his book) in which he said something to the effect that it behooved AV companies to generate demand for their products, even if that involved releasing malware themselves. Someone here on /. linked to the article a couple years ago, but last time I went looking for it, I couldn't find it. (Got it archived somewhere, tho.)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  9. Hell no. by nurb432 · · Score: 1, Insightful

    My isp has NO business controlling my own hardware.

    The ONLY thing they should be able to do is shut me off totally.

    --
    ---- Booth was a patriot ----
    1. Re:Hell no. by Anonymous Coward · · Score: 0, Flamebait

      What if you're too stupid to know how to put up a firewall, you idgit?

      Grandma Smith doesn't give a shit, so deal with it.

    2. Re:Hell no. by Cylix · · Score: 3, Interesting

      Not true...

      Your ISP has every business sense to control your hardware, depending on what kind of customer you are.

      Road Runner, during the whole fiasco with some horrid worm I can't remember the name of, started filtering at customer leased line routers, their own and their upstream provider to hold down the bandwidth consumption. They had red lined their bandwidth and it was affecting their entire customer base.

      I'm not saying filtering everything at any point is a good idea, but when it comes to critical situations they have every right to slow the progression of an attack.

      I used to get annoyed at Port 25 blocking, but after recent spam/virus hoopla has hit I'm rather glad some people are taking steps to curb the issue.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  10. Boy I sure will sleep better tonight... by igloo-x · · Score: 5, Funny

    ...safe in the knowledge that the VIRUS SQUAD are dissecting viruses for me AS WE SPEAK!

    ACTIVATE TEAM VIRUS SQUAD! GO FOR GLORY!

    1. Re:Boy I sure will sleep better tonight... by AndroidCat · · Score: 5, Funny

      When things get really tough, do they all join into a giant virus-fighting robot?

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:Boy I sure will sleep better tonight... by Anonymous Coward · · Score: 0

      Take off every Zig! Move Zig for great justice!

    3. Re:Boy I sure will sleep better tonight... by gad_zuki! · · Score: 2, Funny

      Nope, remember we're talking about viruses here. They all join into a very tiny virus-fighting robot with their 12 year old intern Jimmy.

      "See Jimmy, this is what we call the CPU."

      "Jeepers, its so big!"

      "Nope, remember we're tiny."

      "Jeepers I forgot!"

  11. Glamorous? by Aphrika · · Score: 4, Insightful

    "There are about 800 new viruses a month. And the unglamorous bit of our work is often the other 798."

    Anti-virus vendors that consider a mass outbreak of a worm to be 'glamorous', compared to the 'unglamorous' stuff that doesn't get as much publicity? It might sound daft, but consider that they (should) put the same amount of work into each and every virus - i.e. preventing it - there shouldn't really be an issue with how glamorous something bad is.

    Analyse it, deal with it, out the door, next virus is how it should be. I'd hate to think how they'd deal with biological virus outbreaks...

    1. Re:Glamorous? by Anonymous Coward · · Score: 2, Insightful

      I think his point is that they do exactly what you say - analyze it, deal with it, get the fix out the door. Twice a month, though, yahoos outside their business decide that a worm/trojan/virus is "important" enough to cover in the mass media. I suspect they don't go looking for "glamour", but that it instead finds them. Incidentally feeding the ego of the virus writers, of course...

  12. So very, very true. by nordicfrost · · Score: 5, Informative

    "If you unblocked port 135 [an access point Blaster targeted] you would be found by Blaster," Lee says, adding that it would just be a matter of time.

    This happened when I installed a (legal) copy of Windows 2000 on my GF's old machine. Boom! Infected with Blaster in the first five minutes on the net, trying to D/L a firewall. Not to speak of the service packs... It happened so fast, I thought there was something wrong with the modem drivers, which I downloaded via an iBook. I spent a lot of time getting that machine up. But as the family of the GF saw what happened, three persons became Apple converts that evening.

    My GF now has an iBook and is more productive on a computer than ever.

    1. Re:So very, very true. by wfberg · · Score: 3, Informative

      You can click on advanced in the TCP/IP setup during setup, and activate IP filtering, and deny all TCP connections (it blocks inbound only). It doesn't work during booting, so don't be hooked up to the internet during that.

      It's inexcusable that things like DCOM even listen to non-localhost connections by default, even more so as Windows NT/2k/XP proper firewalling. The times I've wished for ipchains on these things..

      --
      SCO employee? Check out the bounty
    2. Re:So very, very true. by Anonymous Coward · · Score: 0

      No, that is an XP only feature. He said he was using Windows 2000, not Windows XP so the built in firewall is not an option.

    3. Re:So very, very true. by BigBadBri · · Score: 1
      OK - so you're a Mac user from the sound of things.

      OK - so Microsoft installs NetBIOS over TCP/IP by default.

      It's still easy to turn off, and you should have done so before connecting to the Internet. It's primarily Microsoft's fault for having stupid defaults, but turning off the NetBIOS bindings is only common sense.

      Still, your GF is probably better off with an iBook - they are girls' machines after all ;-)

      --
      oh brave new world, that has such people in it!
    4. Re:So very, very true. by Anonymous Coward · · Score: 0

      This is helpful, but how do I download my service packs/firewall?

    5. Re:So very, very true. by nordicfrost · · Score: 1

      OK - so you're a Mac user from the sound of things.

      No, I'm a Debian user. Right tools for the right job. At work I use Windows, but I'm buying a Powerbook, because it is a lot more powerful in Photoshop.

      OK - so Microsoft installs NetBIOS over TCP/IP by default.

      Seems like it. A little bit retarded if you ask me.

      I guess I'm at fault for not turning it off. But, as a long time Linux user, I didn't realize exactly how dangerous a default install of w2k really is. I had heard about the Blaster worm, and the IS dept. at my work ran around in circles trying to fix it (Seems like it entered the network via laptops) but since it did not affect me I did not know a lot about it. So turning off NetBIOS wasn't my first thought. The first was to get a proper firewall, then patch the hell out of the installation.

      Still, your GF is probably better off with an iBook - they are girls' machines after all ;-)

      She is very content with it. Now she makes video, writes documents, burns CDs and all that stuff that she did not know how to do on a PC. And we all know that the men's computer is the Powerbook! *woof, woof*! ;)

  13. Intelligent filters by plams · · Score: 1

    800 new viruses a month. Takes some manpower to create all the antidotes, and it's hardly likely to ever get that for free. Worms seem to be the real threat now, but it may be possible to create an "intelligent" firewall; e.g. some kind of Bayesian filter that can mark network queries as good or bad.
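
    One way to sketch the Bayesian network filter proposed above, as an added example that is not code from the thread: a naive Bayes classifier trained on constructed, hand-labelled connection records (direction, protocol, port, peer class) that scores new connections as good or bad. The training records, the feature tokens and the 0.5 threshold are assumptions.

```python
"""Naive Bayes connection filter: the "Bayesian filter that can mark network
queries as good or bad" the post speculates about, reduced to its core.
Added example with constructed training records; not code from the thread."""
from __future__ import annotations

import math
from collections import Counter, defaultdict


def tokens(direction: str, proto: str, port: int, peer: str) -> list[str]:
    """Describe one connection attempt as a bag of feature tokens, the way a
    Bayesian spam filter treats a message as a bag of words."""
    return [f"dir:{direction}", f"proto:{proto}", f"port:{port}", f"peer:{peer}"]


# Constructed, hand-labelled history. "peer" is a coarse class (lan/internet),
# not an address, so the model generalises beyond hosts it has already seen.
TRAINING = [
    ("in", "tcp", 22, "lan", "good"),        # ssh from the local network
    ("in", "tcp", 22, "lan", "good"),
    ("out", "tcp", 80, "internet", "good"),  # ordinary browsing
    ("out", "tcp", 80, "internet", "good"),
    ("out", "tcp", 443, "internet", "good"),
    ("out", "tcp", 443, "internet", "good"),
    ("out", "udp", 53, "lan", "good"),       # DNS to the local resolver
    ("in", "tcp", 135, "internet", "bad"),   # Blaster-style RPC/DCOM probe
    ("in", "tcp", 135, "internet", "bad"),
    ("in", "tcp", 445, "internet", "bad"),   # SMB exposed to the internet
    ("in", "tcp", 139, "internet", "bad"),
    ("out", "tcp", 25, "internet", "bad"),   # workstation acting as a mail relay
    ("out", "tcp", 25, "internet", "bad"),
]


class NaiveBayesFilter:
    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha                        # Laplace smoothing weight
        self.label_counts = Counter()             # label -> number of records
        self.token_counts = defaultdict(Counter)  # label -> token -> count
        self.vocab = set()

    def train(self, records) -> None:
        for direction, proto, port, peer, label in records:
            self.label_counts[label] += 1
            for t in tokens(direction, proto, port, peer):
                self.token_counts[label][t] += 1
                self.vocab.add(t)

    def _log_posterior(self, label: str, toks: list[str]) -> float:
        """Unnormalised log P(label) + sum of log P(token | label), smoothed so
        a never-seen token (a new port, say) gets a small but finite weight."""
        prior = self.label_counts[label] / sum(self.label_counts.values())
        denom = sum(self.token_counts[label].values()) + self.alpha * len(self.vocab)
        lp = math.log(prior)
        for t in toks:
            lp += math.log((self.token_counts[label][t] + self.alpha) / denom)
        return lp

    def score(self, direction: str, proto: str, port: int, peer: str) -> float:
        """P(bad | connection), normalised in log space to avoid underflow."""
        toks = tokens(direction, proto, port, peer)
        lg, lb = self._log_posterior("good", toks), self._log_posterior("bad", toks)
        m = max(lg, lb)
        return math.exp(lb - m) / (math.exp(lg - m) + math.exp(lb - m))

    def verdict(self, direction, proto, port, peer, threshold: float = 0.5) -> str:
        return "drop" if self.score(direction, proto, port, peer) >= threshold else "allow"


def build_filter() -> NaiveBayesFilter:
    """Train a filter on the constructed history above."""
    f = NaiveBayesFilter()
    f.train(TRAINING)
    return f


if __name__ == "__main__":
    f = build_filter()
    for conn in [("in", "tcp", 135, "internet"), ("out", "tcp", 443, "internet"),
                 ("in", "tcp", 3389, "internet"), ("in", "tcp", 22, "lan")]:
        print(conn, f.verdict(*conn), round(f.score(*conn), 3))
```

    The model only knows the features it is given: it drops an inbound internet connection on a port it has never seen purely because of the direction and peer class, which is the kind of blunt guess other posters have in mind when they say a firewall is a tool, not magic.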

  14. I dont agree. by nurb432 · · Score: 1

    If they need to filter, it needs to be done on THEIR equipment. Not mine.

    I don't care what agreement, or policy they might have.. A lot of things go on that shouldn't be. People agree to things that are wrong all the time.

    They have NO right to mess with MY equipment. That is a privacy and security invasion. Period.

    They DO have the right to monitor, and if I'm broadcasting crap, to shut me off.. on their end.

    --
    ---- Booth was a patriot ----
  15. Their effort doesn't scale well by Nathaniel · · Score: 4, Interesting

    All that effort and the anti virus companies still haven't figured out a way to share their work with a common signature file. No wonder there is so much drudgery.

    1. Re:Their effort doesn't scale well by Anonymous Coward · · Score: 0

      Why would you want to do that?

      First you would no longer have the marketing scam of "we got the signature file out there in 5 minutes" vs. the other guy's 1 day.

      Second, if everyone used the same signature file you can bet that there would be more attacks against the anti-virus software and the one signature file. No need to find out which anti-virus program is being used, just mangle the one file.

    2. Re:Their effort doesn't scale well by Reziac · · Score: 1

      Of course not. Different accuracies (including the quality of their various signature data files) are part of the horn each AV company toots.

      If they all used the same signature files, they'd have to rely entirely on having the fastest scanning engine, the best update procedure, or some similarly irrelevant qualification for people to buy theirs above someone else's, or else go into a price war situation (which would inevitably lead to more outsourcing, and we don't want to increase that, do we??)

      So while knowing you had ALL known signatures in your AV sig file would be great for the users, the AV companies would be less than thrilled.

      (Just to show you how little impressed I am with AV marketing, I still use FProt for DOS. :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    3. Re:Their effort doesn't scale well by orkysoft · · Score: 1

      Why would having the best update procedure be an irrelevant qualification? This is vital for the "mouse clicking fools" described in the other posts, because they won't update their signature files unless the update procedure is good (i.e. foolproof).

      I'd consider it a vital qualification, because an outdated virus scanner is nearly useless.

      --
      I suffer from attention surplus disorder.
    4. Re:Their effort doesn't scale well by Reziac · · Score: 1

      Because what do you do for an encore after everyone has transparent automatic updating? Which in fact is how it should work for Joe Sixpack anyway, and already does with current major products.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  16. Unsafe by t_allardyce · · Score: 5, Interesting

    It's quite ironic that over the years I've downloaded a hell of a lotta dodgy programs from dodgy sites and P2P and never used an anti-virus tool, and the only trouble I've had (never used Outlook) is when I've connected an unpatched Windows machine to the net and been infected in 3 minutes.

    --
    This comment does not represent the views or opinions of the user.
    1. Re:Unsafe by s7uar7 · · Score: 5, Informative

      How do you know? Without anti-virus software, unless a virus is doing something really obvious, such as rebooting your machine, you're not going to. I always find it amusing when I hear people say they've been using Norton/McAfee/Whatever for 5 years and never had a virus. That's not their anti virus software, that's just luck. All they can be sure of is they've never had a virus their package can detect. Anti virus software doesn't make you immune from catching them, it just stops them spreading and (hopefully) makes cleaning up easier.

    2. Re:Unsafe by t_allardyce · · Score: 1

      Really? I thought that fixing stupid holes in the OS and not leaving NetBIOS and other ports open by default would stop most things spreading. Also most Windows viruses leave a telltale sign - they crash!

      --
      This comment does not represent the views or opinions of the user.
    3. Re:Unsafe by jaavaaguru · · Score: 1

      I wouldn't go bragging that I'd "never had a virus" unless I'd checked the MD5 sums of all files to see if they are the same as they were at install time. I'd be surprised if there's not an app that does this for you on any platform.
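
      A minimal version of the install-time checksum comparison the post describes, as an added example rather than any existing tool: hash every file under a tree, store the baseline, and later report what was modified, added or removed. It uses SHA-256 instead of MD5 (MD5 collisions are cheap to construct, so a matching MD5 no longer proves a file is unchanged) and a constructed directory tree; the paths and file contents are assumptions.

```python
"""Baseline-and-compare file integrity check: the "check the hashes of every
file against what they were at install time" idea from the post, as a small
script. Added example; it uses SHA-256 rather than MD5 and a constructed
directory tree, and is not a tool the thread names."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Relative path -> digest for every regular file under root.
    Symlinks are skipped so a link pointing outside the tree is not hashed."""
    baseline: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: dict[str, str], dest: Path) -> None:
    # Keep the baseline somewhere the monitored host cannot rewrite (offline
    # media or another machine): a baseline stored on the host is only as
    # trustworthy as the host itself.
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Split the two snapshots into modified, added and removed paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a tree, then tamper with it and diff."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as store:
        root = Path(tree)
        for rel, data in {
            "bin/ls": b"original ls binary (constructed)",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "etc/motd": b"welcome\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)

        baseline_path = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated compromise: a replaced binary, a new file, a deleted file.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary (constructed)")
        (root / "home" / "user").mkdir(parents=True)
        (root / "home" / "user" / "unexpected.bin").write_bytes(b"\x00" * 16)
        (root / "etc" / "motd").unlink()

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```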

    4. Re:Unsafe by prandal · · Score: 1

      With the speed at which Mydoom and Bagle spread, all most antivirus software can do is clean up after the fact, if, of course, it hasn't been disabled by the virus.

    5. Re:Unsafe by oobar · · Score: 1

      I'm in the same camp as the parent poster. I refuse to go near AV stuff. I have been connected to the net for many, many years and I have yet to be infected. "How do you know that?" you ask? Well, on occasion I have run one of the web-based scanners just to silence naysayers. It has never found a single thing. Since I also don't do the reinstall treadmill, if I had ever been infected once in the last 2 or 3 years it would have shown up.

      Step one is never using a MS product for email.

      Step two is filtering out all of the junk on the web.

      Step three is never clicking on "yes" or "agree" unless you understand what's happening.

    6. Re:Unsafe by Anonymous Coward · · Score: 0

      Holy Jesus crap.

      All you ever do is complain, criticize, and correct. Could you please do something meaningful with your life?

  17. The Perfect Virus..? by Tryfen · · Score: 4, Interesting

    I was thinking about how to design the "perfect" virus... I'm not a proficient enough programmer to even begin writing a virus - so don't come a knocking. But it's an interesting thought experiment.

    Here's what I've got so far...

    1) Virus initially comes in as an attachment - user opens attachment (relies on non tech-savvy people).

    2) Virus scans through "Sent Items" and sends itself to every address that has been sent an attachment in the past. Uses a subject line like "Updated [whatever]" (Tech-savvy folk might forget basic precautions)

    3) Virus scans through every Excel / Word / .cpp file and randomly changes one digit per file (imagine if your report to the board now says 9 Million rather than 1 Million... or if your for...next loop is waiting for an incorrect value)

    4) Virus wipes itself out after 6 hours (most people only update their virus checker >= 24hours. Once signs of the virus have gone it will be hard to know if you have been infected and which files have been compromised)

    5) FBI come and arrest me :-)

    Seriously... one has to admire the "I Love You" virus, if only for getting so many tech-savvy people to click through... But what really worries me is the viruses we haven't discovered. What if, say, Winamp has a logic bomb in it? How would any of us know until all our data was corrupted?

    --
    If a square is really a rhombus, why aren't all triangles purple?
    1. Re:The Perfect Virus..? by AndroidCat · · Score: 5, Interesting
      With the professional turn in viruses, I wonder if we'll ever see an automated version of the Make Money Fast scam?

      At each hop in the infection, a virus could gather PayPal and other account information from the hard drive. That would be passed along in all the mailings it sends out to other machines, gathering more account info along the way. Once it travelled five hops, it would use the information to send five dollars to the account at the top of its list, remove top account, move the others up, repeat.

      The social engineering aspects are huge: "Gee, my computer has been infected, but if I wait until it's infected several other computers before removing it, I could make millions!" It could even come with a reassuring EULA: "This is really legal honest! The FTA said so!"

      There are privacy concerns, of course, but if it only passed on the account information required to deposit and not to withdraw money, I'm sure people would feel so much better about it. :^P

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:The Perfect Virus..? by gnu-generation-one · · Score: 4, Informative

      "I was thinking about how to design the "perfect" virus."

      (1) Virus initially comes in as an attachment. This is a decoy, we're not going for computers owned by retards this time.

      (2) Virus tests for one of the recent linux vulnerabilities. If it gets in, this indicates that we've got someone with a default unpatched install of Mandrake or whatever, who probably imagines they're immune. Plenty of time to proceed.

      (3) Virus has a look through the setup files of common FTP programs to obtain website passwords, connects to website, searches for .exe and .tar.gz files, uploads itself in their place. Virus knows that people will download the .tar.gz, configure, make, and install it, then run it without even looking at the source code.

      (4) Virus uploads a set of personal data to a hidden file on that website.

      (5) Virus goes through the ~/Mail folder, looking for username/password combinations mailed to the person by clueless companies such as maplin.co.uk, who email people's passwords in cleartext. Stores a list of all the data it's collected so far.

      (6) Virus sets up a backdoor, using port-knocking so that none of the "respond to virus with portscan" tools can find it.

    3. Re:The Perfect Virus..? by Dexx · · Score: 3, Insightful

      1) Virus initially comes in as an attachment - user opens attachment (relies on non tech-savvy people).

      When the virus sends itself out, have it send an email containing a simulated conversation between two college students planning a weekend out. Have the conversation end with the comment of sending the pics of the weekend as a slide show or something. Have one of the email addresses (visible in half the replies) be one character off the target email address.

      So now our victim sees a conversation between two college students planning a weekend out and sees reference to attached pictures in a slightly odd format. Follow up immediately with another email in a panicked tone explaining that the pictures were sent to the victim in error due to a typo in the email address and please delete them as they contain some embarrassing half/fully naked pictures.

      Now that's a virus that'd spread.

      --
      Feel the fear and do it anyway.
    4. Re:The Perfect Virus..? by Anonymous Coward · · Score: 0

      An addition to #3: why don't you just tell the virus to start at files that were last modified? That way it destroys the data that the user needs the most first.

    5. Re:The Perfect Virus..? by jaavaaguru · · Score: 1

      3) Virus scans through every Excel / Word / .cpp file and randomly changes one digit per file (imagine if your report to the board now says 9 Million rather than 1 Million... or if your for...next loop is waiting for an incorrect value)

      Anyone in a corporate situation where documents and source code have revision/version numbers, and isn't using a source control system is asking for trouble. Any source control system would point out exactly what lines have changed in the file the next time you go to do something with it.

      4) Virus wipes itself out after 6 hours (most people only update their virus checker >= 24hours. Once signs of the virus have gone it will be hard to know if you have been infected and which files have been compromised)

      After identifying a problem with step 3, simply searching for any other files that have changes in the past few days would be a sensible step, since it would look like someone's been tampering with your files.
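      An added example, not code from jaavaaguru or any other poster in this thread: a small Python integrity checker that does what this comment and the earlier "MD5 sums" comment describe. It records a digest of every file at install time, later reports which files changed, disappeared or appeared (a single flipped digit changes the digest), and then sweeps for anything modified in the last few days. It uses SHA-256 rather than MD5 (a choice of the example, since MD5 collisions are practical), and the file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
import time
from typing import Dict, List, Optional


def file_digest(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Record the digest of every regular file below root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):  # skip sockets, device nodes, broken links
                baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree against a saved baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def recently_modified(root: str, days: float = 3, now: Optional[float] = None) -> List[str]:
    """Files whose mtime falls within the last `days` days: the follow-up sweep."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and os.stat(full).st_mtime >= cutoff:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo() -> dict:
    """Constructed scenario: baseline three files, then tamper the way the thread describes."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    samples = {  # constructed sample files
        "report.txt": "Projected revenue: 1 Million\n",
        "main.cpp": "for (int i = 0; i < 10; i++) { work(i); }\n",
        "notes.md": "untouched\n",
    }
    for name, text in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    baseline = build_baseline(root)

    # Pretend the install happened ten days ago so the mtime sweep has something to separate.
    old = time.time() - 10 * 86400
    for name in samples:
        os.utime(os.path.join(root, name), (old, old))

    # Tampering: one digit flipped, one file removed, one file dropped in.
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("Projected revenue: 9 Million\n")
    os.remove(os.path.join(root, "notes.md"))
    with open(os.path.join(root, "dropped.tmp"), "w") as fh:
        fh.write("new\n")

    return {"diff": verify(root, baseline), "recent": recently_modified(root, days=3)}


if __name__ == "__main__":
    result = demo()
    print("changed:", result["diff"]["changed"])   # ['report.txt']
    print("missing:", result["diff"]["missing"])   # ['notes.md']
    print("added:  ", result["diff"]["added"])     # ['dropped.tmp']
    print("recent: ", result["recent"])            # ['dropped.tmp', 'report.txt']
```

      Two practical points: the baseline has to live somewhere the checked machine cannot rewrite (read-only media or another host), since anything that can edit your files can also edit a baseline stored next to them, and this only tells you which files changed; the line-level diff the poster attributes to a source control system is what you want on top of it.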

    6. Re:The Perfect Virus..? by phasefx · · Score: 1

      The virus is cross-platform and sets up a p2p network with other instances of itself and shares platform-specific binaries and exploits. No need to write other viruses at that point; every behavior and improvement can exist in the "virus-net" p2p network and individual nodes can upgrade themselves from the modules being shared.

      Worried about white hat hackers poisoning the network? Use encryption and only accept virus-modules that are "signed" by the virus creators and cadre.

      -- Jason

    7. Re:The Perfect Virus..? by BeerCat · · Score: 1

      only accept virus-modules that are "signed" by the virus creators and cadre

      How easy would it be to start a software company, get official enough to be a "trusted" source, and then bombard Longhorn users with "genuine, trusted code" that just happens to be a virus? In other words, Trusted Computing will not get rid of viruses, only "unauthorised" ones.

      --
      "She's furniture with a pulse"
    8. Re:The Perfect Virus..? by Anonymous Coward · · Score: 0

      But if it got rid of authorized ones, then it would have to get rid of itself.

  18. But wait... by Toxygen · · Score: 1

    Didn't Blaster only affect Windows XP systems?

    1. Re:But wait... by The+Analog+Kid · · Score: 3, Interesting

      No, Blaster affected NT, 2k, XP, and I think 2003. However, Microsoft refused to put out a patch for NT, citing that it was too old to fix or some other bullshit like that.

    2. Re:But wait... by Tony-A · · Score: 1

      And according to Microsoft's security chief, if there isn't a patch for it, it isn't vulnerable.

  19. Admin rights by ward.deb · · Score: 0, Redundant

    If Windows users just start working under user accounts with limited rights, most viruses won't do any harm because they need admin rights... But 99% of the Windows users I know use an account with admin rights... Even better would be not to use Windows at all..

  20. I was wondering by Felinoid · · Score: 2, Interesting

    The guy was listing an awful lot of "virii" found per week.
    By the way, virii also infect the boot sector and some only infect the boot sector.
    But it's all the same.
    A virii will attach itself to (i.e. patch) existing software (usually any and all on your system).
    A trojan is a self-contained infection and does not spread.
    A worm hacks into the target.
    I suspect about 90% of the "virii" found are actually trojans. They are the single easiest piece of malicious code that can be created. They are the essence of all the others.

    I'm starting to see banner ads for virus scanners touting to go after worms and it's starting to really piss me off.
    Here is what I have to say about using a virus scanner for ALL forms of malware.

    Virus: No brainer. Install it, let it scan incoming code etc. etc. Don't install new software that hasn't been scanned.
    The problem with making money on virus scanners... and updates... is that new viruses are rare.
    It's just not worth it anymore.
    People made virii for:
    Revenge: Spyware is easier, more effective and produces better results.
    Attack a group: FUD is easier and more effective.
    A challenge: What challenge? Not unless you're making a Linux virii.
    To prove it can be done: Unless you're making a Linux or Unix virii, everyone knows.
    To prove you can do it: Not impressive to script kiddies anymore.

    In short, the typical reasons for making virii are dead unless you're making a Linux virii.
    That is why it took so long for Windows to GET any viruses of its own. All the DOS virii were doing the job quite nicely.

    So if you want to sell updates you have to go after ALL forms of malware.

    Trojans: Trojans are... brain-dead easy to make. Script kiddies may not be able to make virii but they can make trojans.
    I wouldn't be surprised if all those "virii" found were actually just trojans.
    By the time an anti-virus company is able to ID a trojan it's done its dirty work and you're left with the floating debris... the infector itself still floating around.
    File sharing networks are plugged full of trojans and trojans get updated quickly. Forget virii scanners for this, just beware of geeks bearing gifts.
    Some common sense is in order. Don't download pirated versions of software.
    Because of Microsoft, people think making software is where the money is. When (not if) they don't make money they get bitter. Often believing software piracy is to blame (in some cases it's true), they'll turn to making trojans for hapless victims.
    Don't pirate. Don't download software via P2P file sharing. Download it from the source. Is that so hard?
    I can see the BSA spin on this: "Steal software -> Install trojan -> Get hacked -> Lose everything -> Don't look for sympathy from us."

    Worms: Worms infect in weeks, days, hours, minutes, even seconds.
    Today's worms are really pathetic, taking days to overtake the network. But it'll take weeks before everyone has a patch to prevent it or updates a virus detector.

    Anti-virus companies can only act once the virus is released. For worms that is far too late to take action.
    Once you're infected the worm can update your virus defs for you. No, that's NOT a good thing, as any software tool that might stop the worm is flagged as a virus.

    Security tools are FAR more effective at stopping worms and also thwart script kiddies who will (once in your system) infect you with trojans, viruses, worms, etc. Some of whom will chew up your virus defs file.

    --
    I don't actually exist.
  21. Maybe a few /.'ers are too old by Per+Abrahamsen · · Score: 1

    Real viruses, at least to this old fart, are DNA-based, and do not run on computers at all.

  22. plate glass window contractor's night shift by Jayfar · · Score: 1

    There was a case several years ago in Manhattan, where a plate glass window replacement contractor was found to have a night crew on special assignment - smashing store windows. Of course they got busted for it.

  23. A couple of years ago... by cwsulliv · · Score: 5, Interesting

    I received a few emails with attachments which just smelled like worms, although neither the AV checker I had on my Linux system nor one of the online AV checkers identified them as infected. Curious about this, I saved them in a directory and rechecked them from time to time. It wasn't until 3 or 4 months later that the AV checkers fingered them as worms, and worms that had been floating around for almost a year. (I assume a virus writer must have tweaked the code on an existing virus just enough to make its signature unidentifiable as the original worm.)

  24. Sensationalist. As usual. Thanks Australia. by Fantastic+Lad · · Score: 4, Interesting
    The uninitiated computer user who owns and updates a copy of, "_______ Anti-Virus," must be just shivering!

    "You mean, there's nearly 800 new viruses a month? Wow! I'm sure glad I have my copy of '_______' to protect me from having to know what's really going on in the dark and chaotic world just beyond my telephone/cable connection! And now those terrorists are recruiting psychologists, too? To know what I think in order to get me to click on the activate-virus button? Oi, Crikey! The FEAR!!!! Somebody should bomb somebody! Somebody should take away my rights! I'm sure glad I live in Australia which has the back-bone to support our two other brothers in the Axis of Assholes; the U.S. and the U.K.!"

    I also noted that the article neatly throws the whistle-blower under the umbrella of suspicion;

    "The first point of contact with a new virus may come from an end user - someone bitten by a bug or suspicious of an odd-looking file. "We may hear of it when some victim sends it into a lab, or the virus writer himself - and it's almost always a him - will send it in," Ducklin says."

    Marvelous. If this meme gets out, the public will then not be allowed to police itself. Who wants to be the target of an anti-terrorist investigation, after all?

    Modern Media is a joke. It takes a conscious effort to remain calm and light-humored while reading this kind of garbage.


    -FL

  25. Virus story. Yawn. Scroll. by BiOFH · · Score: 4, Insightful

    Open Safari. Go to /.
    Virus story. Yawn.
    Wonder how people can still defend Windows with that "it does what I want" or "it gets the job done" excuse.
    Scroll.
    Get on with doing what I want and getting the job done.

    (posting no bonus. mod off topic if you must. just an aside.)

    --
    - I am made of meat.
    1. Re:Virus story. Yawn. Scroll. by nomadic · · Score: 1

      Wonder how people can still defend Windows with that "it does what I want" or "it gets the job done" excuse.

      I have an anti-virus program, two firewalls, and I don't open strange email attachments. So yes, Windows does what I want and gets the job done.

    2. Re:Virus story. Yawn. Scroll. by Anonymous Coward · · Score: 1, Informative

      You do know that having 2 firewalls offers nothing more than having one, don't you?

    3. Re:Virus story. Yawn. Scroll. by Anonymous Coward · · Score: 1, Insightful

      You do know that having 2 firewalls offers nothing more than having one, don't you?

      Redundancy. If I misconfigure the router, the software one catches it. If the software one crashes, the hardware one does it.

    4. Re:Virus story. Yawn. Scroll. by cuban321 · · Score: 1

      In a corporate environment having more than one firewall is a great idea.

      Let's say you only have one firewall, maybe a Cisco PIX firewall. If a vulnerability is released for that PIX all of the sudden your entire corporate network is vulnerable (of course this depends on the nature of the vulnerability).

      If you have two firewalls (different vendors of course), perhaps the first one is vulnerable but your corporate network is secured. Odds are there won't be a vulnerability for both vendors...

  26. No AV, No Outlook, No Attachments... NO Viruses! by Kong99 · · Score: 1
    Forgive me but I have used Windoze for years, I am dual booting Linux though. I have not used an Anti-Virus program in at least 5 years. I have not gotten one Virus in that time. (I use Trend-Micro's free online virus checker every so often just to verify.)

    I have had a cable modem that entire time. I am behind a hardware firewall, and use ZoneAlarm Pro, and I regularly update Windoze.

    I attribute not getting viruses to two main reasons. I have not/do not use Outlook, and I NEVER open an attachment in an email unless I requested it. I also only use IE when forced to.

    User behavior is the most effective way to avoid Viruses... I guess that's why we need AV for the vast majority of lonely fools who think every email was really just for them!

  27. Why aren't heuristics being concentrated on? by Denyer · · Score: 1
    It seems that identifying virus-like behaviour is of far more general value as far as identifying forthcoming (and current) threats is concerned.

    Yet there's presumably little money for anti-virus companies in releasing a few heuristic updates every year, rather than immediate definition sets every few days.

    Not intended as a troll, but how much of anti-vir tech responds to genuine threat and how much is produced for the benefit of marketing the product?

    --
    Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
  28. They missed something by Anonymous Coward · · Score: 0

    It's kind of a shame that the article mentions only a few methods of prevention. Here is a slightly larger list.

    1) Firewall
    2) Virus software
    3) Secure your PC.
    4) Never run in root or administrator mode.
    5) Patch your system.

    1, 2 and 5 are mentioned. Roughly, patching your system is mentioned. JIMHO.

  29. Alarmist Rhetoric by ThisIsFred · · Score: 3, Interesting
    If that is the proper term. I think we've passed the point where we have to give count of every single variant of malware that is in existence. Imagine if we did the same thing with taxonomy:

    TAXONOMIST 1: Look! This bird has the same marking, but it's 0.000156mm to the left.

    TAXONOMIST 2: Woohoo, it's a new species!

    (they high-five each other)

    TAXONOMIST 1: Wow, at this rate we'll be discovering 56,000 new species a year!

    There may have been 800 new propagating malware programs out there, but I'd be willing to bet that 797 of them were just variants of some existing code. Perhaps anti- "virus" solutions vendors need to classify them this way internally because of their detection methods, but there's no need to feign panic just because some new variant has a different string in it.

    I have a problem with the term "virus", because it causes people to view these malware programs as some sort of pathogen, which most are definitely not. The malware does not change its design on its own. Most don't intentionally harm the host computer, either. If I were to classify the most prevalent new malware programs out there, my list would be rather short:

    Microsoft Word Macros: Story, Titch, etc. All the same thing. A VB script that attaches itself to an MS Office document. The solution is to either limit what functions can be called from inside MS Office, or give the user a real status and config utility to see what is inside an MS Office document. It's not a "virus", it's just a macro.

    Mass-Mailer "Worms": Personally, I don't like the designation "mass-mailer", I prefer "Outlook for Microsoft Windows Design Flaw Exploiter". These little malware scripts or binaries take advantage of Windows' flawed shell execute functions in conjunction with Outlook's flawed design choice to open automatically every possible data type, instead of just plain text. Every OE malware from Mailissa to Mydoom belongs to this category. Klez could be considered a minor variant because 1) it's binary instead of a script, and 2) it carries with it additional malware programs.

    RPC/DOM Worms: Code Red 1 & 2 and the Admin worm (plus all the variants) are all malware programs that effect the same vulnerability. There was another one in this list that caused so much trouble recently, but I can't remember its name.

    Internet Explorer as Gateway: All of the "spyware", "adware" and malware that appears in the form of either image formats that exploit vulnerabilities and load code, or malware binaries/ActiveX controls. The latter usually take control of IE and do various naughty things.

    Stupid-ware: Sometimes incorrectly called "trojans". Those messages that did not originate from Microsoft but claimed to hold important security updates. It's not a trojan if it doesn't do something useful while it's doing something bad. Just social engineering. Would you take a "cure" from some crazy bum on the street claiming to be a doctor? Oh wait, I forgot, millions of people feed the penis-enlargement spam industry by actually buying those pills.

    The only category that worries me is the third, because the vulnerability wasn't obvious to me. The operation of the others is easy to understand, and also easy to avoid. When Mailissa first made an appearance, I promptly banned the use of Outlook and OE as a mail client at work. When we started to get e-mail messages (with attached malware) from the outside, I configured our web-based e-mail client to never display images and to display a warning in big red letters above links to download certain types of attachments. The author of the web-based e-mail is my kind of guy - his program doesn't render HTML, and he steadfastly refuses to make it do so. Klez still managed to get through, but I still have to update our NAT/mail server to scan and dispose of those messages (if only for the fact that they're annoying). I now consider Internet Explorer as a tool only to interf

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS
    1. Re:Alarmist Rhetoric by GizmoFreak · · Score: 1

      I found any files left on a PC can disappear overnight with a virus. So, I just got a Biometric USB drive from www.imagenix.com The viruses can collapse the whole network with all the computers on it, but my financial data and source code is safe. It is encrypted in the drive, and I carry it in my shirt pocket everywhere I go. And only MY fingerprint can unlock it (I don't even have to remember a password).

    2. Re:Alarmist Rhetoric by prandal · · Score: 1

      Netscape 7???? No no no! Try Mozilla 1.6 or even 1.7 alpha instead, much much more recent and better (with one or more security holes fixed).

      You forgot the other bit about social engineering. FILE EXTENSION HIDING! The latest worms have attachments like xyz.txt.exe with a "text file" icon. With the CRAZY Windows default of file extension hiding, users think these attachments are safe. Poor fools. Microsoft's next service packs should DISABLE file extension hiding once and for all. But of course they won't do that, it's way too obvious.
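      An added example, not code from prandal or any other poster: a Python check that a mail gateway or webmail front end could run over attachment names, flagging the `xyz.txt.exe` double-extension trick prandal describes (including the variant that pads the name with spaces so the real extension scrolls out of view) and the plain executable types that ThisIsFred's red warning banner above certain attachment links is aimed at. The two extension lists are assumptions of the example and are not exhaustive; the sample attachment names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Extensions Windows runs on double-click (assumed, illustrative list; not exhaustive).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl", "msi", "lnk"}
# Extensions a user reads as harmless data (assumed, illustrative list).
DATA_EXTS = {"txt", "doc", "xls", "ppt", "rtf", "pdf", "jpg", "jpeg", "gif",
             "png", "bmp", "mp3", "avi", "zip", "htm", "html"}


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return (verdict, name_as_displayed).

    verdict is one of:
      "ok"         - last extension is not an executable type
      "executable" - last extension is executable (setup.exe)
      "masquerade" - executable hidden behind a data extension (xyz.txt.exe)
    name_as_displayed is what Explorer shows with "Hide extensions for known
    file types" switched on: the final extension is dropped, so xyz.txt.exe
    is presented to the user as xyz.txt.
    """
    # Collapse whitespace padding used to push the real extension off-screen.
    name = re.sub(r"\s+", " ", filename.strip())
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return ("ok", name)
    displayed = name.rpartition(".")[0].rstrip()
    if len(parts) >= 3 and parts[-2] in DATA_EXTS:
        return ("masquerade", displayed)
    return ("executable", displayed)


def scan_attachments(filenames: List[str]) -> List[Dict[str, str]]:
    """One finding per attachment that deserves a warning in the mail client."""
    findings = []
    for fn in filenames:
        verdict, displayed = classify_attachment(fn)
        if verdict == "ok":
            continue
        label = ("executable disguised as a data file" if verdict == "masquerade"
                 else "executable attachment")
        warning = f"'{fn}': {label}; with extensions hidden the user sees '{displayed}'"
        findings.append({"attachment": fn, "verdict": verdict, "warning": warning})
    return findings


# Constructed sample attachment list, not taken from real mail.
SAMPLE_ATTACHMENTS = ["agenda.pdf", "xyz.txt.exe", "holiday.jpg       .scr",
                      "setup.exe", "README"]

if __name__ == "__main__":
    for finding in scan_attachments(SAMPLE_ATTACHMENTS):
        print(finding["verdict"].upper(), "-", finding["warning"])
```

      The check deliberately looks only at the name; a gateway would pair it with content inspection, since a renamed executable with a harmless extension passes this filter, and a file whose name ends in an executable extension is still blocked even if it is inert.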

  30. Violation of DMCA by Prometheus+Bob · · Score: 2, Interesting

    If a virus was copyrighted, would anti-virus software that worked against it be against the DMCA?

  31. Re:Sensationalist. As usual. Thanks Australia. by thogard · · Score: 1

    Notice this came out after MS said they were putting AV in their next big service pack? The existing AV companies have about 18 months left to scare customers into paying them forever or else they will go the way of a very long list of other software players (diskdouble, stac, procomm, qemm, desqview).

    This weekend I had a discussion with a market researcher (who clicked on the wrong stuff too many times) and I asked him what the most effective way to sell an AV program would be. He said press releases keeping the public in fear. He will be buying a Mac in the next few weeks.

  32. Hordes of the Clueless by That_Guy_Again · · Score: 1
    I work at the ResNet side of a small liberal arts college. Even though we are supposed to be upper tier, it's amazing what one hears.

    "Oh, I got all of the Windows Updates at the beginning of the year - I should be fine." Then later ... "Why is my internet gone? I think you all need to fix something." (we cut it)

    Worms continue to propagate on our network due to users like this. One literally cannot install a copy of XP without becoming infected with something while installing the patches.

    I can only imagine what Joe Sixpack cable user does.

    --
    One of life's lessons: It's always easier to ask for forgiveness than permission.
  33. typical clueless journalist by SethJohnson · · Score: 3, Interesting


    You can tell by reading the article that they didn't assign their best technical writer to this job.

    I started giggling when I read this section:

    "A dedicated virtual private network (VPN) connects the various research labs, room-to-room, and the data in transit is encrypted so it's possible to send specimens from one side of the world to the other without the risk of spreading infection."

    Uhhh... The VPN just ensures nobody is spying on their communication. This makes it sound like the virus could escape out of transit like a prisoner jumping out of a paddy wagon. Not bloody likely!
  34. Destructive payload by dcam · · Score: 1

    Actually, under simulations, worms with a destructive payload could still spread well. Check out the following article.

    The relevant quote is: "At the end of this simulation run, there were 2,774 infected and 1,979 not infected systems left, of an initial 166,730. While this not quite "annihilation", it does mean that within two minutes, 161,977 hosts or about 97% of the vulnerable population were wiped out."

    Note: the article is focused primarily on the spread of worms in a closed network, rather than on the Internet.

    --
    meh
  35. Re:AV companies? _What about Polymorphic viruses? by Ken+Erfourth · · Score: 1

    I think a lot of the 800 "new" virii may simply be automatic variations created by polymorphic viruses that are slightly rewriting themselves automatically to complicate eradication efforts. I agree 800 a day is a lot of work for human virus writers. On the other hand, look at all the graffiti that is out there. An awful lot of work was put into spraypainting with even less chances of gain than could be hoped for from writing viruses. A lot of graffiti "artists" have also put a lot of time into learning their craft. Aren't there barns that need painting? What are these people thinking?

    --
    Fundamentalism is a crime against humanity