Slashdot Mirror


Unprecedented level of Virus Alerts

arpy writes "iTnews reports that according to Trend Micro (makers of PC-cillin), there was a record-breaking level of virus alerts in the first quarter of 2004. In Q1 2003, Trend issued 35 virus warnings. During the same period this year, it issued 232. According to the company's annual virus round-up and forecast (PDF), the number of alerts was pretty much steady for 2001-2003. Particularly noteworthy is that so many of the viruses are variants, not original. Trend's April 2 Weekly Virus Report reveals that of the "Top 10 most prevalent global malware", the top five are all variations of Worm_NETSKY. This would seem to confirm Virus creators are sharing more code."

28 of 424 comments (clear)

  1. There are some nasty ones by Anonymous Coward · · Score: 3, Insightful

    Especially on IRC. Quite a few IE/mIRC trojans/viruses. Too bad so many users are so clueless and will click anything that looks like it might be porn.

  2. Virus scanners suck by Anonymous Coward · · Score: 3, Insightful

    Its reactionary, they cant predict what people will code. Its sad that they give people a false sense of security.

    1. Re:Virus scanners suck by Anonymous Coward · · Score: 5, Insightful

      I would like to elaborate on that thought. Virus Scanners worked when there wasn't a vast connected network such as the internet. Trojans/worms took a helluva lot more time to propagate where now-a-days they spread extremly fast, a good example would be the DCOM worm. It was a lot more difficult to be infected by a virus such as michelango than today's malware if for no other reason than companies having more time to react.

  3. And it's not going to go away soon... by heironymouscoward · · Score: 5, Insightful

    A quote from a journal entry from last September:

    And so we come to the nightmare scenario. A relatively benign
    parasite has infiltrated the general population and suddenly a very
    "hot" parasite discovers how to piggy-back that infection. In the
    blink of an eye - a day, an hour - 50% of Windows PCs around the
    world are destroyed. It can happen, and therefore, it most probably
    will.

    --
    Ceci n'est pas une signature
    1. Re:And it's not going to go away soon... by 4minus0 · · Score: 4, Insightful

      You base your conclusing on a broad sweeping assumption that "it can happen". This theory is flawed. Viruses and worms are combated on many fronts, using multiple strategies.

      You are making a broad sweeping assumption as well. Routers with NAT, which offer rudimentary inbound firewalling as a side effect of actually doing NAT, do stop a good bit of the viral attacks such as back orifice etc but they aren't stateful firewalls like you'll see in an enterprise. They don't stop anything from going *out* the pipe. All it takes is a rogue payload on the inside of one of many networks with a big pipe and things get ugly quick! As an aside, I *don't* want my upstream provider filtering my traffic at all though and dropped the last ISP that started that and told them as much.

      You're also assuming that the AV software catches 'everything'. What about the last bout of worms carried by the encrypted zips? I'm in the driver's seat on a dozen or so high traffic mail servers up and down the East Coast of the US and I (and other admins) was caught off guard by this worm. We block (with client permission) every executable attachment known to Microsoft operating systems and a few obscure ones as well. The encrypted zips slid right past qmail-scanner, clamav and a couple home-grown perl scripts we use for filtering. Those worms slid past the big name AV products at places I do other types of work. I will give the ClamAV and the qmail-scanner mailing lists credit though...it wasn't long before there were patches and add-ons for each to drop that worm at the gate, patches came in to the qmail-scanner list within hours of the first sighting of that worm in the wild.

      The encrypted zip ruse was clever, how long before somebody comes up with something similar but more sinister? The only way to stop email-borne viruses completely would be to do as you say and stop all attachments completely. That's not an option for 99% of my clients, just simply not an option. Everytime I read something from one of the guys that works on ClamAV or one of the 'gurus' at the big AV labs about how shitty the code was in the last worm I get twitchy. What's going to happen if somebody that knows what they're doing and has a bit of cleverness up their sleeve as well decides to write the next nasty bug?

      --
      You've got an easy breezy wind at your back...most of the time.
  4. Or it could prove... by Anonymous Coward · · Score: 3, Insightful

    that there are lots of pissed off wanna be script kiddies, who are not happy with the way the world is heading, and see it as their duty to try and throw a spanner in the works.

  5. Re:Good by LostCluster · · Score: 4, Insightful

    Clueless people deserve it. It's not just going to be the clueless... even those running AV software won't be protected from a super-fast-moving virus...

  6. two questions... by vena · · Score: 4, Insightful

    don't many of these viruses use the same vulnerabilities? if that's the case, doesn't that mean a statistic like this should be pointed to not as an indicator of rising numbers of viruses, but as an indicator of the lack of response from the applications being exploited?

    i'm not certain that these viruses use the same vulnerabilities, so my second question is pretty heavily weighted on the first :)

  7. Re:Who cares? by omicronish · · Score: 3, Insightful

    I just block everything that isn't a document of some sort. Haven't had any problems at my company since.

    The unfortunate reality is that some viruses may affect you even if you aren't infected. Massive virus outbreaks are like spam: both generate large amounts of junk traffic that slow everyone's connection.

  8. Re:Good by YetAnotherDave · · Score: 5, Insightful

    I've seen some pretty fast-moving viruses get past the very expensive virus-scanner we have at work, but the only one to get by the simple, free, procmail-based one I use at home is the stupid one where you have to open an encrypted zipfile.

    http://impsec.org/email-tools/procmail-security. ht ml

    Now I have to ask, if users are dumb enough to open a password-protected zipfile in what sure looks like an obvious virus-generated message to me, aren't those users dumb enough to be convinced to chmod +x && ./runMyVirus

    I think this is evidence that no security system can realy be foolproof. The fools are just too persistent!

  9. Should we still call them Virus alerts? by Chairboy · · Score: 4, Insightful

    There are few large virus threats in the past few years. Most of the stuff we see every day is technicall a worm.

    Why are we married to calling everything virus related when it is actually the flash-spread of worms that pose the most risk?

    The Morris worm was a wakeup call. It was the first large worm, and simultaneously the first Warhol attack. Today, the 'growing threat' is the idea of Warhol-type worms, even though the first such attack was back in the 1980s.

    The future of security is probably in the department of protecting against blended threats. AntiVirus software that only deals with stuff on your disk isn't enough anymore. You need, in order of importance:
    1. to adopt safer computing practices.
    2. Have some type of firewall that limits external access to services you don't actively use.
    3. A behavior based IDS (or similar technology)
    4. Disk and memory AV (eg, a typical antivirus program)
    5. Signature based IDS.

    Signature based IDS is least important, especially if you have the firewall in slot 2 that negates most of the use of an IDS. Disk and memory AV is important, but since 99% of all user-originated content comes over the wire these days, the smart money is on 1, 2, and 3.

    I suppose step 6 should be "Demand accurate coverage from technically competent news professionals that know the difference between the various threats". If your local anchorman said "Earthquake warning!" and it turns out it was a flood emergency, would you find that acceptable?

  10. Sharing code by buss_error · · Score: 4, Insightful
    This would seem to confirm Virus creators are sharing more code."

    And writing them for the same reason for the same people. Money from spammers. Look how many of those new viruses open back doors for proxies and steal email addresses. I don't think that it is so the virus writers can send love notes anonymously.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  11. Antivirus Software Makers vs. Arms Dealers by henrypijames · · Score: 5, Insightful

    In a way, the antivirus industry always reminds me of the nobel profession of arms dealing. On the table you provide your clients weapens to "defend" themselves and to archieve and maintain peace. Off the table you know the business only flourishes when there is a war. Of course there is always a war, but your interest is in an all-out war. So what do you do if there is no such an all-out war going on? Don't panic, you simply make your clients believe there is one indeed. As soon as they believe you, you win.

    If you don't know what I'm talking about, you shoudl read Vmyths more often.

  12. This is because of one simple thing... by mabu · · Score: 3, Insightful

    SPAMMERS...

    The worm/virus explosion is because RBLs are WORKING, and spammers are finding less IP space they can operate from. Their only alternative is to infect client PCs and turn them into proxies. Any mail admin can tell you this is what's happening. RBLs are working. Now if we can get the ISPs to enforce their Terms of Service and shut down compromised PCs, along with the authorities who may at some point get off their lazy asses and start putting some of these spammers in jail, we'd have 99% less virus/worm propagation. Occam would agree. Lobby your District Attorneys to stop prosecuting Tommy Chongs and do something in the public interest and the world will be a better place.

  13. People deserve it? by heironymouscoward · · Score: 3, Insightful

    Hardly. This is just blaming the victim. A poor policy.

    Relying on education and technological cures assumes that malware is a static target, but it's not. If you rely on improving people's understanding of viruses, you simply get viruses that act smarter and look like official emails. If you improve technology, you get viruses that actively target that technology itself (look at the BlackIce incident).

    Technological solutions just create an arms race, and we've seen how well that works. Look at your inbox... the grim rise of noisemail is hardly a sign of success.

    The solution is to acknowledge the nature of the problem: it follows the same laws as those of organic parasites, and the same solutions may be the only ones that work: perpetual change for the sake of change; trading of resistance; variety in place of standardization.

    --
    Ceci n'est pas une signature
  14. Not enough by Mark_MF-WN · · Score: 4, Insightful
    I was setting up a W2k box once, and in the five minutes between the first boot and the installation of ZoneAlarm, a worm installed itself via NetBIOS.

    My fault, I suppose, for leaving it the demilitarized zone. I'm just so used to Linux though -- the idea that a modern OS would permit such a thing to happen is ridiculous.

  15. Ugh by CGP314 · · Score: 4, Insightful

    virus companies, who appear to have gone quite literally bananas

    So have they turned into bananas, or have they just gone to banana rich lands? Sorry, but I can't see how one can literally go bananas.


    -Colin

  16. Solve the damn problem by bangular · · Score: 4, Insightful

    If this is such a problem, why has there been such little effort to actually fix it. There have been reactionary measures (patches, anti-virus), and overkill security that's years away (security at the hardware level). A HUGE chunk of viruses could be wiped out if

    a) no more html email. Period. There's no reason for it other than making email look pretty. I've never run into a situtation where an informational email couldn't live without html.

    b) No more attachments. Email isn't a file transfer protocol. There are many many many other safe ways to send files. Email was never meant to send binary attachments anyway. The RFC doesn't allow it. To comply, a dirty hack was created in which binary data is turned into plain text. But it's obvious email wasn't meant to be used in that fashion.

    c) no more IE. No other piece of software has enabled so many viruses, adware, spyware, and shitware. IE is the malware enabler. I don't care if you use Opera, Mozilla, whatever, because pretty much everything is better than IE.

    d) quit blaming the damn users. MS has designed an operating system to be used by the simpliest people on earth. Those whom have absolutly no computer experience at all. How can you blame them then when they open viruses? If you are going to design an operating system to be used by the masses, then you must implement security measures as if the user is clueless, because usually they are. Because you can open a virus without a warning, yet you can't modify your "Windows" directory without a myriad of warnings, makes me wonder how high a priority security really is to MS.

    1. Re:Solve the damn problem by MoP030 · · Score: 5, Insightful
      a) no more html email. Period. There's no reason for it other than making email look pretty. I've never run into a situtation where an informational email couldn't live without html.
      Maybe you didn't have that that problem and neither do I. But i know a lot of less technically inclined people, who would send an email simply because it is pretty (say, because their new email program has these pretty templates with pictures of hawaii as a background.). Same goes for attachments. Email isn't only used for short, important messages. People use it to socialize, and as such they send stuff they think is funny, pretty or shiny.
      I think viruses over email will stop as soon as sexually transmitted diseases will stop because people stopped to have recreational, unprotected sex.
      --
      the most sexp i get is my paren-mode.
    2. Re:Solve the damn problem by Grishnakh · · Score: 3, Insightful

      If this is such a problem, why has there been such little effort to actually fix it. There have been reactionary measures (patches, anti-virus)...

      What are you talking about? There's been lots of effort in combating the virus problem, namely the products of the major antivirus software vendors like Trend Micro, and Symantec. It's worked extremely well. More and more viruses and worms come out, and the vendors make more and more updates, and sell more licenses. They've become extremely profitable. Since profit = success, this virus problem is obviously well in hand.

    3. Re:Solve the damn problem by Badanov · · Score: 3, Insightful
      Actually, users have a virus.

      It's a nasty disease characterized by this nagging, persistent feeling you know everything about computers and there is nothing you do not know.

      It's called Windowsitis.

      Public Service Announcement:

      Little Girl to her Mom: Mommy what's wrong with daddy?

      Mom (choking back tears): Nothing, dear. Daddy is... having problems.

      Little Girl: But why does he look that way?

      Announcer: Millions of Americans are suffering with a devastating, deblilitating disease. Spilled drinks, sitting in potato chip crumbs, eyes wide open, goofy smile on their face as they point and click for hours on end.

      You see what it is doing to him, but can you see what it is doing to your family?

      Through the American Windowsitis Association, millions of Americans are getting help. Through therapy and bans on purchases of crackers and coffee, training to use the off button, those Americans are leading useful, productive lives.

      So give. And give generously to the AWA.

      Little girl, huging her Dad, napping on the couch with a baseball game blaring on the TV: I am so glad I have you back, Daddy.

      --
      Dawn of the Dead
  17. Pearl Harbor of the web. . ? by Fantastic+Lad · · Score: 4, Insightful
    I don't know which way to jump on this one. . .

    On the one hand, what I see is a 'cool' new trend in virus writing; "Wow! Cool! Like, I can re-script a code which will secure me lots of slave machines! Excellllllent. I want to play, too!"

    On the other hand, it also strikes me as very convenient that the web should be pummeled right now when there is such a push to massively control EVERYTHING and EVERYONE on the planet. --How easy would it be for the fine people in black-ops-secret-shmecret-government to release a few hundred viruses into the wild?

    Pretty damned easy, I'd say. But to what end?

    Simple. Everybody is getting fed up. "Oh, please install new laws which allow us to punish spammers. Oh, please, mighty government, do SOMETHING to control the web so that I can get my email!"

    The internet, at the moment, is THE prime source of real information and world-wide communication. You can say here, out in the open, "BUSH IS A LIAR AND A CRIMINAL" And link to a hundred sites which explain -with detailed evidence- exactly why this is so.

    Fascist governments don't appreciate this. Machiavelli recommended the swift destruction of dissidents who speak such things, in order to control a kingdom.

    230 new script kiddies a month releasing malignant code into the wild, or a handful of unimaginative agents bent on pissing everybody off so much that they start begging for leashes?

    I don't know. But it wouldn't surprise me in the slightest to find out that the assholes -once again- are in charge.


    -FL

  18. Re:Heuristic antivirus by 1u3hr · · Score: 5, Insightful
    I remember years ago some were touting heuristic antivirus as the way of the future. Obviously, it didn't work. The idea was to look for certain patterns rather than the actual virus.

    No, it did (does) work. It was simply more profitable to sell a program that requires frequent updates for each new threat. See e.g. Better antivirus software is worse than a virus?

  19. Why ? Because someone makes money on it ! by Anonymous Coward · · Score: 4, Insightful

    Anti Virus makers are among the more profitable companies around, sure that they want to make it look like this is a gigantic threat.

    Companies that ...

    * Use a firewall
    * Enforce the use of "RunAs" for all critical operations
    * Dont use Outlook

    Avoids 99.999999 % of all of viruses

  20. What's worse? Press fails to cover immune apps/OS by SgtChaireBourne · · Score: 3, Insightful
    What's worse?
    • an unprecedented level of (MS-related) virus alerts, or
    • the fact that these viruses only affect one line of products from one manufacturer, or
    • the fact that the press gives no coverage of platforms and applications that are immune?

    Yes, OS X, BSD, and the various Linux distributions (i.e. Debian, Mandrake, SUSE, or RedHat ). All easy to install, all easy to maintain, all easy to use. OS X comes pre-installed by the OEM and an increasing number of Linux distros are, too.

    Furthermore, the layered structure of the OSes and separation of privileges means that these are resistent to future viruses as well as immune to those available today. Yes, apologists and astroturfers like to ignore that as well as blame users. But even if, and that's a big if, market share has more effect than design flaws, it will take quite some time for the virus activity to shift and during that time, businesses and users have come out ahead. Right now, die hard ideologs who refuse to drop a defective product are costing billions of dollars per quarter, a not insignificant number when you think how many jobs could be kept rather than downsized or outsourced in these increasingly bad economic times for the U.S.

    How about a little focus? The title should have been "An Unprecedented level of MS Virus Alerts" and steer users off of the hamster wheel. From easy to hard, these are just a few of the many options:

    1. Use WordPerfect, StarOffice or OpenOffice instead. 2a. Use Eudora, Evolution, or Pine instead. 2b. Use Mozilla, Firebird, or Opera instead. 3. Use one of the above resistent / immune OSes instead.
    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  21. Re:I guess the soltuion is easy then... by mst76 · · Score: 3, Insightful
    I always get slightly annoyed when people make this statement - viruses on Linux cannot work in the same way that they do on Windows.
    I get even more annoyed when people make this statement. What you mainly address are remote exploits, (like MS DCOM), but the majority of these reported "virusses" are just mass mailers. They can work on Unix almost exactly like on Windows. We used to lay the blame on Outlook autoexecution (although this is now either off by default, or will be). Nobody has been crazy enough to write a Unix mail client that auto-saves attachments with chmod a+x and executes them. But as the latest round of password protected zip virusses has shown, often it really is a case of uneducated users. The only thing that priviledge separation under Linux does is prevent the user from listening on ports under 1024 to open backdoors. But unless you prevent the users from sending mail, it can spread in exactly the same way, namely by SMTP. The only thing separating us from Windows users at the moment are the small market share, and the fact that most Unix users are somewhat more clueful about computers. Both these may change in the coming years.
  22. If more and more virii by Matey-O · · Score: 3, Insightful

    Are sharing code, then it stands to reason that keeping your system proactively patched protects you from more and more virii.

    It's getting to the point at the office that all new virii noise on the IDS box is laptops coming in from the VPN. I can see a spike in traffic from one laptop, which gets reported to the Help Desk for cleaning, and the net result to the rest of the (properly patched) network sees NO negative result.

    --
    "Draco dormiens nunquam titillandus."
  23. The only reason this hasn't happened... by Henk+Poley · · Score: 4, Insightful

    ...is because the virus writers are too scared for being caught. Just take a look at the figures of the most virulent worms of the last 2 years. They did infect a substantialy large part of the open Windows systems in the first 10-15 minutes.