Slashdot Mirror


Unprecedented level of Virus Alerts

arpy writes "iTnews reports that according to Trend Micro (makers of PC-cillin), there was a record-breaking level of virus alerts in the first quarter of 2004. In Q1 2003, Trend issued 35 virus warnings. During the same period this year, it issued 232. According to the company's annual virus round-up and forecast (PDF), the number of alerts was pretty much steady for 2001-2003. Particularly noteworthy is that so many of the viruses are variants, not original. Trend's April 2 Weekly Virus Report reveals that of the "Top 10 most prevalent global malware", the top five are all variations of Worm_NETSKY. This would seem to confirm Virus creators are sharing more code."

17 of 424 comments

  1. And it's not going to go away soon... by heironymouscoward · · Score: 5, Insightful

    A quote from a journal entry from last September:

    And so we come to the nightmare scenario. A relatively benign
    parasite has infiltrated the general population and suddenly a very
    "hot" parasite discovers how to piggy-back that infection. In the
    blink of an eye - a day, an hour - 50% of Windows PCs around the
    world are destroyed. It can happen, and therefore, it most probably
    will.

    --
    Ceci n'est pas une signature
    1. Re:And it's not going to go away soon... by 4minus0 · · Score: 4, Insightful

      You base your conclusion on a broad sweeping assumption that "it can happen". This theory is flawed. Viruses and worms are combated on many fronts, using multiple strategies.

      You are making a broad sweeping assumption as well. Routers with NAT, which offer rudimentary inbound firewalling as a side effect of actually doing NAT, do stop a good bit of the viral attacks such as back orifice etc but they aren't stateful firewalls like you'll see in an enterprise. They don't stop anything from going *out* the pipe. All it takes is a rogue payload on the inside of one of many networks with a big pipe and things get ugly quick! As an aside, I *don't* want my upstream provider filtering my traffic at all though and dropped the last ISP that started that and told them as much.

      You're also assuming that the AV software catches 'everything'. What about the last bout of worms carried by the encrypted zips? I'm in the driver's seat on a dozen or so high traffic mail servers up and down the East Coast of the US and I (and other admins) was caught off guard by this worm. We block (with client permission) every executable attachment known to Microsoft operating systems and a few obscure ones as well. The encrypted zips slid right past qmail-scanner, clamav and a couple home-grown perl scripts we use for filtering. Those worms slid past the big name AV products at places I do other types of work. I will give the ClamAV and the qmail-scanner mailing lists credit though...it wasn't long before there were patches and add-ons for each to drop that worm at the gate, patches came in to the qmail-scanner list within hours of the first sighting of that worm in the wild.

      The encrypted zip ruse was clever, how long before somebody comes up with something similar but more sinister? The only way to stop email-borne viruses completely would be to do as you say and stop all attachments completely. That's not an option for 99% of my clients, just simply not an option. Every time I read something from one of the guys that works on ClamAV or one of the 'gurus' at the big AV labs about how shitty the code was in the last worm I get twitchy. What's going to happen if somebody that knows what they're doing and has a bit of cleverness up their sleeve as well decides to write the next nasty bug?

      --
      You've got an easy breezy wind at your back...most of the time.
  2. Re:Good by LostCluster · · Score: 4, Insightful

    Clueless people deserve it. It's not just going to be the clueless... even those running AV software won't be protected from a super-fast-moving virus...

  3. two questions... by vena · · Score: 4, Insightful

    don't many of these viruses use the same vulnerabilities? if that's the case, doesn't that mean a statistic like this should be pointed to not as an indicator of rising numbers of viruses, but as an indicator of the lack of response from the applications being exploited?

    i'm not certain that these viruses use the same vulnerabilities, so my second question is pretty heavily weighted on the first :)

  4. Re:Good by YetAnotherDave · · Score: 5, Insightful

    I've seen some pretty fast-moving viruses get past the very expensive virus-scanner we have at work, but the only one to get by the simple, free, procmail-based one I use at home is the stupid one where you have to open an encrypted zipfile.

    http://impsec.org/email-tools/procmail-security.html

    Now I have to ask, if users are dumb enough to open a password-protected zipfile in what sure looks like an obvious virus-generated message to me, aren't those users dumb enough to be convinced to chmod +x && ./runMyVirus

    I think this is evidence that no security system can really be foolproof. The fools are just too persistent!
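    A defender-side check for the case both 4minus0 and YetAnotherDave describe, an encrypted zip attachment sliding past the gate: this is an added example, not code from the page or from qmail-scanner, ClamAV or the procmail filter linked above. It walks the zip local file headers for the encryption flag (general-purpose bit 0) instead of trusting the filename or MIME type; the sample message and the zip blob (local header only, no central directory) are constructed here.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_HEADER = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 of a zip local file header

def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk every local file header in the blob; True if any entry is flagged encrypted."""
    pos = 0
    while True:
        pos = data.find(ZIP_LOCAL_HEADER, pos)
        if pos < 0 or pos + 30 > len(data):  # no complete header left
            return False
        # header: sig(4) version(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & FLAG_ENCRYPTED:
            return True
        pos += 4

def find_encrypted_zip_attachments(raw_message: bytes) -> list:
    """Return filenames of attachments that are zips containing an encrypted entry.
    Detection keys on the zip magic bytes, not on the declared filename or MIME type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # undoes the base64 transfer encoding
        if payload and payload.startswith(ZIP_LOCAL_HEADER) and zip_has_encrypted_entry(payload):
            hits.append(part.get_filename() or "<unnamed>")
    return hits

def build_zip_entry(name: bytes, body: bytes, encrypted: bool) -> bytes:
    """Constructed test data: one local file header plus data, no central directory."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_HEADER, 20, flags, 0, 0, 0, 0,
                         len(body), len(body), len(name), 0)
    return header + name + body

def sample_message(encrypted: bool) -> bytes:
    """Constructed sample: the 'password is in the body' pattern the comments describe."""
    msg = EmailMessage()
    msg["Subject"] = "your document"
    msg.set_content("The archive password is 12345")
    blob = build_zip_entry(b"document.exe", b"constructed stand-in for the payload", encrypted)
    msg.add_attachment(blob, maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

    Calling find_encrypted_zip_attachments(sample_message(True)) returns ['document.zip'], while the unencrypted variant returns [].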

  5. Re:Virus scanners suck by Anonymous Coward · · Score: 5, Insightful

    I would like to elaborate on that thought. Virus Scanners worked when there wasn't a vast connected network such as the internet. Trojans/worms took a helluva lot more time to propagate where nowadays they spread extremely fast, a good example would be the DCOM worm. It was a lot more difficult to be infected by a virus such as Michelangelo than today's malware if for no other reason than companies having more time to react.

  6. Should we still call them Virus alerts? by Chairboy · · Score: 4, Insightful

    There are few large virus threats in the past few years. Most of the stuff we see every day is technically a worm.

    Why are we married to calling everything virus related when it is actually the flash-spread of worms that pose the most risk?

    The Morris worm was a wakeup call. It was the first large worm, and simultaneously the first Warhol attack. Today, the 'growing threat' is the idea of Warhol-type worms, even though the first such attack was back in the 1980s.

    The future of security is probably in the department of protecting against blended threats. AntiVirus software that only deals with stuff on your disk isn't enough anymore. You need, in order of importance:
    1. to adopt safer computing practices.
    2. Have some type of firewall that limits external access to services you don't actively use.
    3. A behavior based IDS (or similar technology)
    4. Disk and memory AV (eg, a typical antivirus program)
    5. Signature based IDS.

    Signature based IDS is least important, especially if you have the firewall in slot 2 that negates most of the use of an IDS. Disk and memory AV is important, but since 99% of all user-originated content comes over the wire these days, the smart money is on 1, 2, and 3.

    I suppose step 6 should be "Demand accurate coverage from technically competent news professionals that know the difference between the various threats". If your local anchorman said "Earthquake warning!" and it turns out it was a flood emergency, would you find that acceptable?

  7. Sharing code by buss_error · · Score: 4, Insightful
    This would seem to confirm Virus creators are sharing more code."

    And writing them for the same reason for the same people. Money from spammers. Look how many of those new viruses open back doors for proxies and steal email addresses. I don't think that it is so the virus writers can send love notes anonymously.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  8. Antivirus Software Makers vs. Arms Dealers by henrypijames · · Score: 5, Insightful

    In a way, the antivirus industry always reminds me of the noble profession of arms dealing. On the table you provide your clients weapons to "defend" themselves and to achieve and maintain peace. Off the table you know the business only flourishes when there is a war. Of course there is always a war, but your interest is in an all-out war. So what do you do if there is no such an all-out war going on? Don't panic, you simply make your clients believe there is one indeed. As soon as they believe you, you win.

    If you don't know what I'm talking about, you should read Vmyths more often.

  9. Not enough by Mark_MF-WN · · Score: 4, Insightful
    I was setting up a W2k box once, and in the five minutes between the first boot and the installation of ZoneAlarm, a worm installed itself via NetBIOS.

    My fault, I suppose, for leaving it in the demilitarized zone. I'm just so used to Linux though -- the idea that a modern OS would permit such a thing to happen is ridiculous.

  10. Ugh by CGP314 · · Score: 4, Insightful

    virus companies, who appear to have gone quite literally bananas

    So have they turned into bananas, or have they just gone to banana rich lands? Sorry, but I can't see how one can literally go bananas.


    -Colin

  11. Solve the damn problem by bangular · · Score: 4, Insightful

    If this is such a problem, why has there been so little effort to actually fix it? There have been reactionary measures (patches, anti-virus), and overkill security that's years away (security at the hardware level). A HUGE chunk of viruses could be wiped out if

    a) no more html email. Period. There's no reason for it other than making email look pretty. I've never run into a situation where an informational email couldn't live without html.

    b) No more attachments. Email isn't a file transfer protocol. There are many many many other safe ways to send files. Email was never meant to send binary attachments anyway. The RFC doesn't allow it. To comply, a dirty hack was created in which binary data is turned into plain text. But it's obvious email wasn't meant to be used in that fashion.

    c) no more IE. No other piece of software has enabled so many viruses, adware, spyware, and shitware. IE is the malware enabler. I don't care if you use Opera, Mozilla, whatever, because pretty much everything is better than IE.

    d) quit blaming the damn users. MS has designed an operating system to be used by the simplest people on earth. Those who have absolutely no computer experience at all. How can you blame them then when they open viruses? If you are going to design an operating system to be used by the masses, then you must implement security measures as if the user is clueless, because usually they are. Because you can open a virus without a warning, yet you can't modify your "Windows" directory without a myriad of warnings, makes me wonder how high a priority security really is to MS.

    1. Re:Solve the damn problem by MoP030 · · Score: 5, Insightful
      a) no more html email. Period. There's no reason for it other than making email look pretty. I've never run into a situation where an informational email couldn't live without html.
      Maybe you didn't have that problem and neither do I. But I know a lot of less technically inclined people, who would send an email simply because it is pretty (say, because their new email program has these pretty templates with pictures of Hawaii as a background.). Same goes for attachments. Email isn't only used for short, important messages. People use it to socialize, and as such they send stuff they think is funny, pretty or shiny.
      I think viruses over email will stop as soon as sexually transmitted diseases will stop because people stopped having recreational, unprotected sex.
      --
      the most sexp i get is my paren-mode.
  12. Pearl Harbor of the web. . ? by Fantastic+Lad · · Score: 4, Insightful
    I don't know which way to jump on this one. . .

    On the one hand, what I see is a 'cool' new trend in virus writing; "Wow! Cool! Like, I can re-script a code which will secure me lots of slave machines! Excellllllent. I want to play, too!"

    On the other hand, it also strikes me as very convenient that the web should be pummeled right now when there is such a push to massively control EVERYTHING and EVERYONE on the planet. --How easy would it be for the fine people in black-ops-secret-shmecret-government to release a few hundred viruses into the wild?

    Pretty damned easy, I'd say. But to what end?

    Simple. Everybody is getting fed up. "Oh, please install new laws which allow us to punish spammers. Oh, please, mighty government, do SOMETHING to control the web so that I can get my email!"

    The internet, at the moment, is THE prime source of real information and world-wide communication. You can say here, out in the open, "BUSH IS A LIAR AND A CRIMINAL" And link to a hundred sites which explain -with detailed evidence- exactly why this is so.

    Fascist governments don't appreciate this. Machiavelli recommended the swift destruction of dissidents who speak such things, in order to control a kingdom.

    230 new script kiddies a month releasing malignant code into the wild, or a handful of unimaginative agents bent on pissing everybody off so much that they start begging for leashes?

    I don't know. But it wouldn't surprise me in the slightest to find out that the assholes -once again- are in charge.


    -FL

  13. Re:Heuristic antivirus by 1u3hr · · Score: 5, Insightful
    I remember years ago some were touting heuristic antivirus as the way of the future. Obviously, it didn't work. The idea was to look for certain patterns rather than the actual virus.

    No, it did (does) work. It was simply more profitable to sell a program that requires frequent updates for each new threat. See e.g. Better antivirus software is worse than a virus?

  14. Why ? Because someone makes money on it ! by Anonymous Coward · · Score: 4, Insightful

    Anti Virus makers are among the more profitable companies around, sure that they want to make it look like this is a gigantic threat.

    Companies that ...

    * Use a firewall
    * Enforce the use of "RunAs" for all critical operations
    * Don't use Outlook

    Avoids 99.999999% of all viruses

  15. The only reason this hasn't happened... by Henk+Poley · · Score: 4, Insightful

    ...is because the virus writers are too scared of being caught. Just take a look at the figures of the most virulent worms of the last 2 years. They did infect a substantially large part of the open Windows systems in the first 10-15 minutes.