Unprecedented level of Virus Alerts
arpy writes "iTnews reports that according to Trend Micro (makers of PC-cillin), there was a record-breaking level of virus alerts in the first quarter of 2004. In Q1 2003, Trend issued 35 virus warnings. During the same period this year, it issued 232. According to the company's annual virus round-up and forecast (PDF), the number of alerts was pretty much steady for 2001-2003. Particularly noteworthy is that so many of the viruses are variants, not original. Trend's April 2 Weekly Virus Report reveals that of the "Top 10 most prevalent global malware", the top five are all variations of Worm_NETSKY. This would seem to confirm Virus creators are sharing more code."
Heuristics (probably)
Viruses which have similar mechanisms leave similar signatures (in the case of true viruses; I'm not exactly certain how (or if) it's done for worms).
IANA Anti-Virus Specialist
Quite well from my point of view. A virus went through the scanner three days ago, but the definition file was updated and I haven't seen any other virii go through it again.
This is the "Catched virus top 20" in my mail server for the last few days:
My site
It's really not as bad as you think. A relatively naive approach is to build an automaton based on the virus definitions. It's very much like using Perl regexps to search a ton of documents. You'd be amazed how fast you can do these scans once all you do is read a byte, transition to the next state in the automaton, rinse, repeat.
Of course, you can always look at the source to figure it out.
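The automaton approach described above, as an added illustration (not code from the original post): an Aho-Corasick automaton built from a set of constructed, hypothetical signature byte strings, which scans input one byte at a time with one state transition per byte, regardless of how many signatures are loaded. Signature names, patterns and the sample file are all made up for the example.

```python
from collections import deque

# Constructed, hypothetical signatures (not real AV definitions). Two share the
# prefix "NETSKY-" and the third is a suffix of one of them, which exercises the
# failure links and output merging of the automaton.
SIGNATURES = {
    "Worm_NETSKY.B": b"NETSKY-B",
    "Worm_NETSKY.D": b"NETSKY-D",
    "Suspicious_Loader": b"SKY-D",
}

class SignatureAutomaton:
    """Aho-Corasick automaton over raw bytes: read a byte, follow one transition."""

    def __init__(self, signatures):
        self.goto = [dict()]   # state -> {byte: next_state}
        self.fail = [0]        # state -> longest proper suffix state
        self.out = [[]]        # state -> [(name, pattern_length)] matched here
        for name, pattern in signatures.items():
            self._add(name, pattern)
        self._build_failure_links()

    def _add(self, name, pattern):
        state = 0
        for b in pattern:                       # walk/extend the trie
            if b not in self.goto[state]:
                self.goto[state][b] = len(self.goto)
                self.goto.append(dict()); self.fail.append(0); self.out.append([])
            state = self.goto[state][b]
        self.out[state].append((name, len(pattern)))

    def _build_failure_links(self):
        queue = deque(self.goto[0].values())    # depth-1 states fail to root
        while queue:
            state = queue.popleft()
            for b, child in self.goto[state].items():
                queue.append(child)
                f = self.fail[state]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(b, 0)
                # a match ending here also ends every pattern that is a suffix of it
                self.out[child] = self.out[child] + self.out[self.fail[child]]

    def scan(self, data):
        """Return [(start_offset, signature_name)] for every match in data."""
        hits, state = [], 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.extend((i - length + 1, name) for name, length in self.out[state])
        return hits

# Constructed sample "file": a fake MZ header followed by two signature hits.
SAMPLE = b"MZ\x90\x00hdr..NETSKY-D..NETSKY-B.."

def scan_sample():
    return SignatureAutomaton(SIGNATURES).scan(SAMPLE)
```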
sigs are a waste of space
While I'm certainly against malicious software (my inbox gets absolutely flooded with these trojans), I think that "virus" writing has really gone downhill in recent years.
In the good old days, viruses were tightly coded programs that often did cool things (undesirable, but still cool, like making all the letters fall off your screen). They would modify existing programs to become carriers - this is the true meaning of a virus, it modifies legitimate code to allow it to propagate.
Remember the Cascade virus, back in 1988? 1701 bytes of code that sits in memory, modifying .com files to include its code as they're opened. Compare with current "viruses", which are really no more than trojans. They're several tens of K in size, rely on the user to be stupid and execute it manually and often just add themselves to the list of programs to start on bootup.
Correct me if I'm wrong, but I don't think a real virus has been written since the late 1990's. All current "viruses" are either trojans or worms.
Virus - modifies existing programs to include its own code.
Trojan - executable file that pretends to be something the luser wants but is really malicious.
Worm - self-replicating software that uses a network-accessible vulnerability to propagate to other machines on the network (think Code Red, et al)
http://blog.nexusuk.org
I always get slightly annoyed when people make this statement - viruses on Linux cannot work in the same way that they do on Windows.
Linux and UNIX have insecurities, possibly less than Windows but that's irrelevant here anyway. All software is potentially buggy.
Viruses on Windows spread so rapidly because so many people in the Windows user base run Outlook or Outlook Express, which allows viruses to take advantage of exploits in both those programs and in core Windows insecurities. Because so much of the Windows code base is reused, this means that when an exploit is found on Windows XP, it probably also exists in Windows 2000 and might well also exist on Windows 9x. Therefore, when a virus hits, the majority of the Windows user base is at risk.
Linux is completely different. Exploits in Linux (and UNIX-type systems) generally revolve around buffer overflow attacks that cause a daemon program (like ftpd, httpd, etc.) to crash allowing access to a shell prompt, hopefully a root prompt (to the cracker). An attack of this nature depends on that specific daemon being run in the first place, that the cracker can get to the daemon (through any firewalling) in the first place and that the daemon is at the specific version for the exploit to be usable. Even when the cracker has got into that system, he has compromised one system only - sure he might use it as a jump off point to other systems on that network or within that organisation but this is still a limited effect attack.
Also, you need to take into account the UNIX permissions model. Everything you or the system does in UNIX is done at a specific user level. Doing anything as "root" is always dangerous which is why many daemons are run at non-root level - this means that if a system is compromised, the attacker or malevolent program can still only do things at that user level and probably not affect the rest of the system.
Linux and UNIX are prone to attack but the difference is, by their very nature of customisation and administration detail, no two systems are ever going to be identical - consequently, this type of virus attack can never exist in Linux.
Gentoo Linux - another day, another USE flag.
I always mount home as noexec.
Not enough: "/lib/ld-linux.so.2 /home/luser/runMEnow" will work, even if you mount /home with "-o noexec". Common pitfall...