Slashdot Mirror
The Virus Squad
dncsky1530 writes "Sydney Morning Herald - The Virus Squad - 'A new species has been discovered. So new, it's still unnamed, but researchers are racing to tag it - before it spreads around the world. For the next 10 to 30 minutes, the computer virus or worm is dissected, analysed and identified... "On the day we detected MyDoom, we did another 18 viruses," says Paul Ducklin, Sophos's head of technology for the Asia-Pacific. "There are about 800 new viruses a month. And the unglamorous bit of our work is often the other 798."'"
How many staff they have. And how well are they doing next to the big boys a-la Symantec ?
Maybe a lot of /. readers are too young to remember real viruses, or to have played around/collected them, but its been a decade since a real infectuous virus has gone around.
If it can't infect any arbitrary EXE file, its not a virus, its a trojan or a worm, depending on wether or not its a moronic user or a security hole that allows it to enter the system.
"There's still a big perception out there that only broadband users need one," Lee says. "Everyone needs a firewall, along with antivirus."
This rings all too true. If forwarding ports for certain applications wasn't such a pain in the ass, I would say make ISPs require firewalls or find a way to have some sort of personal firewall for their connection that they can access from the internet and change the settings on. Just a thought.
This would bring up other problems, but it'd at least stop a lot of problems with trojans and open relays.
How does that go?
"I AM PR3PAr3D T0 0ff3R TH3 2um 0F tHR33 BaGz 0f Ch33zY P00fS 4 a 3l33T P2Ych0!og!st!!!"
"While you clearly have abandonment issues, the practice has been hard up for money lately. Very well, I accept. But first, tell me about your mother."
Look, it doesn't take a psychologist to explain that when you sit the average person in front of a computer, they become a mouse-clicking fool. No amount of emergency IT sessions with the staff explaining precautionary tactics involving attachments is going to change that, and if any psychologist recruitment is necessary it's to explain why the average person keeps clicking attachments to messages in obviously broken English.
That's why blaming software vendors like Microsoft is stupid. Will four ARE YOU SURE YOU WANT TO RUN THIS warnings before allowing the execution of an attachment do any more than three?
Old viruses don't die, it seems, they just run out of potential targets as software choices change and security holes are patched. ... we still occasionally see viruses from 1995," Ducklin says.
"You might think that there are some that will almost certainly never be seen again but it is surprising
There's a reason enough to be on your toes and patch your new install as soon as possible.
Have you ever had the doubt that viruses aren't actually written by bad bad people, but by some mysterious department in some AV company?
Really, i can't imagine that there are so many (800 viruses/month is SO much) evil-programmers that prefer to spend their know-how writing code they will never get paid for, instead of selling their experience to someone who needs it and earn a lot of money..
...safe in the knowledge that the VIRUS SQUAD are dissecting viruses for me AS WE SPEAK!
ACTIVATE TEAM VIRUS SQUAD! GO FOR GLORY!
"There are about 800 new viruses a month. And the unglamorous bit of our work is often the other 798."
Anti-virus vendors that consider a mass outbreak of a worm to be 'glamorous', compared to the 'unglamorous' stuff that doesn't get as much publicity? It might sound daft, but consider that they (should) put the same amount of work into each and every virus - i.e. preventing it - there shouldn't really be an issue with how glamorous something bad is.
Analyse it, deal with it, out the door, next virus is how it should be. I'd hate to think how they'd deal with biological virus outbreaks...
Well, the article hints at some sort of collusion between spammers and the author of MyDoom, but it seems like this would be the exception, even if it's true. The virus writers are in it for the fun, of course (not to mention revenge).
It also seems possible that the antivirus companies themselves are writing the viruses, then charging to protect users against them, but this also seems unlikely, given the police investigations that inevitably follow major virus outbreaks.
Not true...
Your ISP has every business sense to control your hardware, depending on what kind of customer you are.
Road Runner, during the whole fiasco with some horrid worm I can't remember the name of. Started filtering at customer leased line routers, their own and their upstream provider to hold down the bandwidth consumption. They had red lined their bandwidth and it was effecting their entire customer base.
I'm not saying filtering everything at any point is a good idea, but when it comes to critical situations they have every right to slow the progression of an attack.
I used to get annoyed at Port 25 blocking, but after recent spam/virus hoopla has hit I'm rather glad some people are taking steps to curb the issue.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
Are you a troll or do you just keep up much?
The use of infected systems for spam, web mirrors, traffic laundering, and bases for attacks on others systems has been commonplace for quite some time now not even mentioning the rampant spyware and ad placements these worms make possible.
"If you unblocked port 135 [an access point Blaster targeted] you would be found by Blaster," Lee says, adding that it would just be a matter of time.
This happened when I installed a (legal) copy of Windows 2000 on my GFs old machine. Boom! Infected with Blaster on the first five minutes on the net, trying to D/L a firewall. Not to speak of the servicepacks... It happened so fast, I thought there was something wrong with the modem drivers, I downloaded via an iBook. I spent a lot of time getting that machine up. But as the family of the GF saw what happened, three persons became Apple converts that evening.
My GF now has an iBook and is more productive on a computer than ever.
All that effort and the anti virus companies still haven't figured out a way to share their work with a common signature file. No wonder there is so much drugery.
Its quite ironic that over the years ive downloaded a hell of a lotta dodgy programs from dodgy sites and P2P and never used an anti-virus tool and the only trouble ive had (never used outlook) is when i've connected an unpatched windows machine to the net and been infected in 3 minutes.
This comment does not represent the views or opinions of the user.
I was thinking about how to design the "perfect" virus... I'm not a proficient enough programmer to even begin writing a virus - so don't come a knocking. But it's an interesting thought experiment.
.cpp file and randomly changes one digit per file (imagine if your report to the board now says 9 Million rather than 1 Million... or if your for...next loop is waiting for an incorrect value)
:-)
Here's what I've got so far...
1) Virus initially comes in as an attachment - user opens attachment (relies on non tech-savy people).
2) Virus scans through "Sent Items" and sends itself to every address that has been sent an attachment in the past. Uses a subject line like "Updated [whatever]" (Tech-savy folk might forget basic precautions)
3) Virus scans through every Excel / Word /
4) Virus wipes itself out after 6 hours (most people only update their virus checker >= 24hours. Once signs of the virus have gone it will be hard to know if you have been infected and which files have been compromised)
5) FBI come and arrest me
Seriously... one has to admire the "I Love You" virus, if only for getting so many tech-savvy people to click through... But what really worries me is the viruses we haven't discovered. What if, say, Winamp has a logic bomb in it? How would any of us know until all our data was corrupted?
If a square is really a rhombus, why aren't all triangles purple?
No Blaster affected, NT, 2k, XP, and I think 2003. However, Microsoft refused to put out a patch for NT citing that it was too old to fix or some other bullshit like that.
The guy was listing an awful lot of "virii" found per week.
By the way virii also infect the boot sector and some only infect the boot sector.
But it's all the same.
A virii will attach itself (IE patch) existing software (usually any and all on your system).
A trojen is a self contained infection and dose not spread.
A worm hacks into the target.
I suspect about 90% of the "virii" found are actually trojens. They are the single easiest peace of malicous code that can be created. They are the essence of all the others.
I'm starting to see banner ads for virus scanners touting to go after worms and it's starting to really piss me off.
Here is what I have to say about using a virus scanner for ALL forms of maliware.
Virus: No brainner. Install it let it scan incomming code etc etc. Don't install new software that hasn't been scanned.
The problem with making money on virus scanners.. and updates. Is that new viruses are rare.
It's just not worth it anymore.
People made virii for:
Revenge: Spyware is easier, more effective and produces better results.
Attack a group: FUD is easier and more effective.
a challange: What challange? Not unless your making a Linux virii.
To prove it can be done: Unless your making a Linux or Unix virii everyone knows.
To prove you can do it: Not impressive to script kiddies anymore.
In short the typical reasons for making virii are dead unless your making a Linux virii.
That is why it took so long for Windows to GET any viruses of it's own. All the dos virii were doing the job quite nicely.
So if you want to sell updates you have to go after ALL forms of Malware.
Trojens: Trojens are.. brain dead easy to make. Script kiddys may not be able to make virii but they can make trojens.
I wouldn't be supprised if all those "virii" found were actually just trojens.
By the time an anti-virus company is able to ID a trojen it's done it's dirty work and your left with the floating debree... the infector itself still floating around.
File sharing networks are plugged full of trojens and trojens get updated quickly. Forget virii scanners for this just beware of geeks bearing gifts.
Some commen sense is in order. Don't download pirated versions of software.
Becouse of Microsoft people think making software is where the money is. When (not if) they don't make money they get bitter. Often beliving software piracy is to blame (in some cases it's true) they'll turn to making trojen for hapless victoms.
Don't pirate. Don't download software via P2P file sharing. Download it from the source. Is that so hard?
I can see the BSA spin on this: "Steal software-> Install trojen-> Get hacked-> Lose everything-> Don't look for sympathy from us."
Worms: Worms infect in weeks, days, hours, minuts even seconds.
Todays worms are really pathetic taking days to overtake the network. But it'll take weeks before everyone has a patch to prevent it or update a virus detector.
Anti-virus companys can only act once the virus is released. For worms that is far to late to take action.
Once your infected the worm can update your virus deffs for you. No that's NOT a good thing as any software tool that might stop the worm is flagged as a virus.
Security tools are FAR more effective at stopping worms and also thwart script kiddys who will (once in your system) infect you with trojens, viruses, worms, etc. Some of whom will chew up your virus deffs file.
I don't actually exist.
I received a few emails with attachments which just smelled like worms, although neither the AV checker I had on my Linux system nor one of the online AV checkers identified them as infected. Curious about this, I saved them in a directory and rechecked them from time to time. It wasn't until 3 or 4 months later that the AV checkers fingered them as worms, and worms that had been floating around for almost a year. (I assume a virus writer must have tweaked the code on an existing virus just enough to make its signature unidentifiable as the original worm.)
"You mean, there's nearly 800 new viruses a month? Wow! I'm sure glad I have my copy of '_______' to protect me from having to know what's really going on in the dark and chaotic world just beyond my telephone/cable connection! And now those terrorists are recruiting psychologists, too? To know what I think in order to get me to click on the activate-virus button? Oi, Crikey! The FEAR!!!! Somebody should bomb somebody! Somebody should take away my rights! I'm sure glad I live in Australia which has the back-bone to support our two other brothers in the Axis of Assholes; the U.S. and the U.K.!"
I also noted that the article neatly throws the whistle-blower under the umbrella of suspicion;
Marvelous. If this meme gets out, the public will then, not be allowed, to police itself. Who wants to be the target of an anti-terrorist investigation, after all?
Modern Media is a joke. It takes a conscious effort to remain calm and light-humored while reading this kind of garbage.
-FL
Open Safari. Go to /.
Virus story. Yawn.
Wonder how people can still defend Windows with that "it does what I want" or "it gets the job done" excuse.
Scroll.
Get on with doing what I want and getting the job done.
(posting no bonus. mod off topic if you must. just an aside.)
- I am made of meat.
There may have been 800 new propagating malware programs out there, but I'd be willing to bet that 797 of them were just variants of some existing code. Perhaps anti- "virus" solutions vendors need to classify them this way internally because of their detection methods, but there's no need to feign panic just because some new variant has a different string in it.
I have a problem with the term "virus", because it causes people to view these malware programs as some sort of pathogen, which most are definitely not. The malware does not change its design on its own. Most don't intentionally harm the host computer, either. If I were to classify the most prevalent new malware programs out there, my list would be rather short:
Microsoft Word Macros: Story, Titch, etc. All the same thing. A VB script that attaches itself to an MS Office document. The solution is to either limit what functions can be called from inside MS Office, or give the user a real status and config utility to see what is inside an MS Office document. It's not a "virus", it's just a macro.
Mass-Mailer "Worms": Personally, I think don't like the designation "mass-mailer", I prefer "Outlook for Microsoft Windows Design Flaw Exploiter". These little malware scripts or binaries take advantage of Windows' flawed shell execute functions in conjuction with Outlook's flawed design choice to open automatically every possible data type, instead of just plain text. Every OE malware from Mailissa to Mydoom belongs to this category. Klez could be considered a minor variant because 1) it's binary instead of a script, and 2) it carries with it additional malware programs.
RPC/DOM Worms: Code Red 1 & 2 and the Admin worm (plus all the variants) are all malware programs that effect the same vulnerability. There was another one in this list that caused so much trouble recently, but I can't remember its name.
Internet Explorer as Gateway: All of the "spyware", "adware" and malware that appears in the form of either image formats that exploit vulnerabilities and load code, or malware binaries/ActiveX controls. The latter usually take control of IE and do various naughty things.
Stupid-ware: Sometimes incorrectly called "trojans". Those messages that did not originate from Microsoft but claimed to hold important security updates. It's not a trojan if it doesn't do something useful while it's doing something bad. Just social engineering. Would you take a "cure" from some crazy bum on the street claiming to be a doctor? Oh wait, I forgot, millions of people feed the penis-enlargement spam industry by actually buying those pills.
The only category that worries me is the third, because the vulnerability wasn't obvious to me. The operation of the others is easy to understand, and also easy to avoid. When Mailissa first made an appearance, I promptly banned the use of Outlook and OE as a mail client at work. When we started to get e-mail messages (with attached malware) from the outside, I configured our web-based e-mail client to never display images and to display a warning in big red letters above links to download certain types of attachments. The author of the web-based e-mail is my kind of guy- His program doesn't render HTML, and he steadfastly refuses to make it do so. Klez still managed to get through, but I still have to update our NAT/mail server to scan and dispose of those messages (if only for the fact that they're annoying). I now consider Internet Explorer as a tool only to interf
Fred
"A fool and his freedom are soon parted"
-RMS
if a virus was copyrighted, would anti-virus that worked against it be against DMCA?
They will see no benefit.
Say there are only 5 AV companies.
That's 5 * 800 = 4000 names/variants per month. That's good scaremongering, and more likely to get them a sale by increasing the whole market. Gran doesn't know the two viruses on the news are the same?
Also it would probably take longer to agree on a name than dissect the virus, where the valuable minutes mean money. Companies will go to the fastest response time and spend their money there.
The benefit of a standard name is so small it won't be economically possible in the current marketplace.
$5 / month hosted VPS on linux = awesome!