Slashdot Mirror


Unprecedented level of Virus Alerts

arpy writes "iTnews reports that according to Trend Micro (makers of PC-cillin), there was a record-breaking level of virus alerts in the first quarter of 2004. In Q1 2003, Trend issued 35 virus warnings. During the same period this year, it issued 232. According to the company's annual virus round-up and forecast (PDF), the number of alerts was pretty much steady for 2001-2003. Particularly noteworthy is that so many of the viruses are variants, not original. Trend's April 2 Weekly Virus Report reveals that of the "Top 10 most prevalent global malware", the top five are all variations of Worm_NETSKY. This would seem to confirm Virus creators are sharing more code."

28 of 424 comments

  1. Who cares? by pantycrickets · · Score: 2, Interesting

    I just block everything that isn't a document of some sort. Haven't had any problems at my company since.

    1. Re:Who cares? by zeekiorage · · Score: 1, Interesting

      > I just block everything that isn't a document of some sort. Haven't had any problems at my company since.

      Because of system admins like you, sending files through email is becoming more and more difficult for us developers. You know, some people do need to send and receive binary executable and non-executable files through email.

      A few months back I sent an important dll as an email attachment to one developer who works for a different company. He replied to me saying that their email security gateway had blocked the email. So I sent the dll again, zipped this time. Again the attachment was blocked. Their security software even scanned zip files! It was really frustrating trying to send an important file which is not even executable by itself, just because the system admin thought it was a good idea to block the files he/she thought were unsafe.

      The real solution would be to install a good virus scanner for the email server and set it to update its definitions every hour or so.
  2. Calling wolf? by dj245 · · Score: 4, Interesting

    When you have 232 virus warnings in a year, you have a wee bit of a problem. When you have 232 alerts in a fourth of a year, you have an industry gone bonkers. That's 2 and a half alerts per day. Is it any wonder Joe Average isn't paying attention any more and is getting fried? 232 virus warnings doesn't say to me that there is a problem with viruses, it tells me that there is a problem with whoever is issuing them. They need to re-evaluate what constitutes a warning, and what doesn't. Do BobWanky'sWhoopieWorm_A, BobWanky'sWhoopieWorm_B, and BobWanky'sWhoopieWorm_C all need separate alerts? It's doubtful. We need to rein in these virus companies, who appear to have gone quite literally bananas, and give them a good smiting.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  3. Now if we could only fix the cause... by kgasso · · Score: 2, Interesting

    I'm not horribly surprised by the number of viruses and worms flying around right now... and I do see quite a few of them as a Systems Admin for a wholesale ISP.

    What does surprise me is WHY these spread. I thought we had taught people time and time again, over and over, "don't open non-document attachments"... "keep your antivirus software updated"... "if you're ever in doubt, call us". Our advice is taken in and actually used once in a while, but it always seems to be thrown aside and forgotten.

    I'm still on the search for that magic bullet that won't involve horribly restrictive mail filters or a lobotomy to remove the "OPEN EVERY EMAIL ATTACHMENT I RECEIVE" lobe...

  4. Question about AV software by ObviousGuy · · Score: 5, Interesting

    AV software seems to do a lot of scanning in a minimum amount of time. Considering the thousands upon thousands of viruses running around in the wild, how is AV software able to scan each file so quickly? Even if it only looks for specific signatures, it seems that each file would take an inordinate amount of time to scan. However, it doesn't.

    Can someone give a brief explanation of how anti-virus software is able to scan so many files so quickly?

    --
    I have been pwned because my /. password was too easy to guess.
  5. Where's... by TechnologyX · · Score: 4, Interesting

    ...the data regarding AntiVirus software purchases, firewall purchases, patch downloads, etc for the same period?

    Since there was an unusually high number of viruses and alerts, it would be nice to see just how it's being handled on the user end. Were there spikes in Norton Anti-Virus purchases? Or are people getting nailed with virus after virus ( a big clue is that it's mostly just a slightly altered form of the virus ) because they're being typical Joe User and not trying to guard themselves?

    --
    Slashdot sucks
  6. Re:Or it could prove... by Simple-Simmian · · Score: 2, Interesting

    Mod the above as insightful. I know lots of crap is just trojans to rip off cc info and act as spam relays, but the poster is right about the script kiddies and their motivations. It's vandalism. My wife's box usually gets at least one anti-viral update a day (she runs Trend PC-cillin). I use Mandrake 9.2 99.9% of the time but have PC-cillin on my W2K partition.

    I also think the Anti Virus companies hype this crap too much. But looking at the firewall logs shows too many people just don't get it.

    --
    If you don't like what I write don't be a CS and mod it down. Refute it.
    Yea I can't spell. So what is your point?
  7. Sharing code by Anonymous Coward · · Score: 3, Interesting

    Viruses rely on several points of entry, and now use specialised code with predictable behaviour, that cause measurable damage to systems and networks.

    One thing, the companies who make money off this certainly do not want this to stop. This isn't a put a tin foil hat on message. Just correlate the line, viruses and profit for these companies. Now, of course, chicken and egg.

    Security is going nowhere, patching holes isn't going to save a sinking ship, and myself, I do not want to let the 'everybody else' float the security boat for too long now, else they will have enough power just to pay their own people to write the next netsky.

    What do you think can be done to remove the threat of viruses trojans and worms in the near future?

    Something simple, like an email client that runs with no privileges, in a sandbox, unable to harm the host computer.

    Or idiotic employees working *in* a sandbox, with no network connection, and a fisherprice computer.

    Yeah, that'd be more useful.

    Let's just all keep in our minds these people *profit* from this, and we cannot altogether trust anything they say.

    *puts on tin foil hat* erm.

    Oh the point, yeah, maybe anti-virus writers should SHARE CODE.

  8. Related to Spy/Adware? by Boinger69 · · Score: 5, Interesting

    I work in the 'PC Repair' industry, so this article really is no news to me, as 90% of my business is pulling this garbage, and SPYWARE, out of people's systems. I ask you, slashdot, are virus writers slowly getting in bed with these spyware writing scum suckers? More and more I see systems infested with a few nice worms, especially stuff along the lines of "Trojan.Startpage", the usual nastiness (B(e)agle, Netsky), and TONS of spyware. Is this a sign that the two are going hand-in-hand, or just a giant example of the general idiocy of users? (I'm betting on both.) Spybot/Ad-Aware/AVG only go so far. How are the tech-savvy supposed to protect these people? I've even had people try to claim that Ad-Aware or AVG INFECTED them a second time, because it wasn't there before, and their system was working fine aside from mass mailing their friends viruses and throwing popups in their faces.

    Will we reach a point when the constant pushing of garbage in users faces will make the internet worthless to the common man?

    1. Re:Related to Spy/Adware? by ender81b · · Score: 5, Interesting

      You know what boggles my mind in regards to spyware/virus'?

      I work tech support at a local ISP. We have... a fair number of customers (stupid NDAs). And I would say around 10-15% of our calls are virus/spyware related in at least some way.

      But what is really upsetting is this - how can users (somehow) manage to get 225 pieces of spyware and 42 viruses and then NOT be able to install an anti-virus program or Spybot? Jesus Christ. It just... fucks with my head. I can't figure out who's to blame in this one.

      The other thing that is extremely upsetting is the utter lack of responsibility taken on by the computer manufacturers in regards to spyware/viruses. Here's the deal. User X gets a new PC with their tax refund. User X puts computer on intarweb. 15 minutes later they get Blaster, call me and tell me that "the internet broke their computer, can't be anything wrong with it just bought it blah blah blah blah." And then I go to look and, I'll be damned, the brand spanking new Dell they just bought contains 0 patches. No Service Pack 1, nothing.

      I'm not sure if it's just Dell (I think Hewlett-Packard is the same) but both of these manufacturers, for home PCs, ship them 100% unpatched. And, of course, they don't have to deal with the tech support of cleaning off spyware/Blaster. It's not like it is even the user's fault. If any of you put WinXP on a machine (even with the firewall in XP enabled) that wasn't behind NAT/firewall it will get Blaster/wachi/nachi in 10 minutes. There's literally nothing you can do.

      Can we really blame Microsoft for this one? Or even the user?

      Alright, I think I'm done venting ;).

  9. My approach is virtually 100% secure.... by iamcf13 · · Score: 2, Interesting

    The program I wrote and use (see sig) treats all email file attachments as 'text files'.
    This renders malware safe to handle and/or delete.
    For the 'zipped up' malware, one could patch the filename in the zip file to something harmless then extract it.

    However, this approach hinges on the requirement that the registry setting for text file processing (.txt) remains uncompromised. Unfortunately, there is one known malware that 'hijacks' that setting when it runs....

    On top of that, one must have some sort of firewall program running at all times.

    About a week ago or so, my firewall program detected some intrusion attempts from some rather eye opening IP addresses!

  10. It makes me wonder. by LoveTheIRS · · Score: 4, Interesting

    I am running Fedora Core 1 w/ kernel 2.6.4 ... There have been these Forrester Research findings that Linux distributions have about the same amount of dangerous vulnerabilities as Windows. When I took a peek at linuxsecurity.com all I found were vulnerabilities in server services like OpenSSL, Squid, etc. Though I know those services are important to Linux's current most successful market (Enterprise Server Market). As a user running Fedora and running services like X server, cups and vmware, and not having any other users but myself, do I even need to patch? I mean, X server has been around for 20 yrs, can't I assume that it pretty much is safe from an external network attack?

  11. Re:There are some nasty ones by JPriest · · Score: 2, Interesting

    The article only says that 6 times as many were written. I wonder if the number of infected users has changed, or if the same number of users now has more infections?

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  12. Re:And it's not going to go away soon... by Anonymous Coward · · Score: 1, Interesting

    Relying on education and technological cures assumes that malware is a static target, but it's not. If you rely on improving people's understanding of viruses, you simply get viruses that act smarter and look like official emails. If you improve technology, you get viruses that actively target that technology itself (look at the BlackIce incident).

    Technological solutions just create an arms race, and we've seen how well that works. Look at your inbox... the grim rise of noisemail is hardly a sign of success.

    The solution is to acknowledge the nature of the problem: it follows the same laws as those of organic parasites, and the same solutions may be the only ones that work: perpetual change for the sake of change; trading of resistance; variety in place of standardization.

  13. Re:Heuristic antivirus by tarunthegreat2 · · Score: 1, Interesting

    In Soviet Russia, the System-that-looks-for-changes-and-reports-them has YOU!

    On a more serious note, forget heuristics for Anti-Virus, wouldn't a firewall be a better solution for today's types of virus? One which works both ways (i.e. ZoneAlarm... not that I'm trying to say that ZoneAlarm is the end-all, be-all of security software), you know, it asks you for permission before allowing incoming and outgoing connections to the Net.... it sure gives those XP users a sense of security, false or not. The age-old solution of (good) Virus-Scanner plus (good) Firewall should take care of most people....

    awaiting the troll/flamebait....

  14. Re:There are some nasty ones by andy+landy · · Score: 5, Interesting

    I work at a UK University as a sysadmin and the most prevalent viruses around here are Bagle, Netsky and MyDoom. The scary part about it all is that both Bagle and Netsky are in about their 20th revision (yes, viruses get upgrades and bugfixes too).

    The more recent versions of these viruses are even killing off their 'competitors' - a recent Netsky will kill off any Bagle or MyDoom viruses it finds.

    I'm still staggered that people will open email from people they've never heard of, open any attachments therein, entering passwords as they go!

    The worst case of virus authors realising the stupidity of the people they were targeting was a virus with an NTP client built in, so that the timebomb expiry on it would still work despite the host PC's clock not being set correctly!

    --
    perl -e 'print "Just another Perl newbie\n";'
  15. I know I've felt it by Mr+Z · · Score: 4, Interesting

    In the last month and a half, I've literally received about 2 gigabytes of virus/worm mail in my UNIX-based mailbox. (Actually, it's an AIX box at my ISP.)

    Anyway, I noticed that most of these come from a rather small set of "From:" addresses, and my (now cancelled) email address, im14u2c@primenet.com, was one of them. Did any of you receive large quantities of email wastage with that forged "From:" address?

    Here's a short list of forged From: addresses I saw repeatedly on these virus/worm spam, in decreasing order of occurrence:

    • im14u2c@primenet.com
    • ollie@sis.com.tw
    • lcs@sis.com.tw
    • jgarzik@mandrakesoft.com
    • cmhuang@sis.com.tw
    • lcchang@sis.com.tw
    • lola@sexnet.com
    • abuse@gov.us
    • support@symantec.com

    I noticed sis.com.tw got hit pretty hard, as did Jeff Garzik! I think they must've scraped these out of the SiS900 driver in the Linux kernel.

    I'm regretting that suggestion I made to Ollie on how to speed up his CRC routine.

    --Joe
  16. Re:Good by Moonpie+Madness · · Score: 2, Interesting

    Buddy, that's plain immoral. People buy computers and aren't savvy of how they function. Just as most purchase cars but aren't very mechanically savvy. Just as most people vote but don't know much about the mechanics, just as most people use freedom of speech but can't handle the operation of a tank. Look, just because I use free speech and a car and a computer, doesn't mean I therefore either have to be savvy or can't expect the soldier, auto manufacturer and Windows to be derelict in their responsibilities. Windows is not Linux, it is sold as a desktop for the everyman. Microsoft ought to make it easy to use correctly and force updates. This is abuse. I don't know how to install a lock on the door of my car, GM put it there for me. That's what Microsoft should do too. Remember, technology professionals don't have a job when everyone is computer literate. There is no merit to innocent people being abused because of a product that is clearly deficient.

  17. Virus Scanner for Sendmail by nerens · · Score: 2, Interesting

    Can anyone recommend a free virus scanner for use on Linux? I'd like to scan incoming and outgoing mail on my sendmail server.

  18. Re:Virus scanners suck by O2n · · Score: 3, Interesting

    Correct me if I'm wrong

    Well, I think you are. At least CIH was a real virus, by your definition. Check the technical description here.
    Nasty one, also - tries to re-flash the BIOS with garbage.

    But generally speaking you're right, most of the so-called viruses are actually trojans these days.

  19. A really effective solution by mclove · · Score: 4, Interesting

    Here's a new anti-virus idea I came up with just now, I'm not sure if anybody else has thought of this before or not but here goes:

    Network admins and ISPs would basically add a "poison e-mail address" to a user's address book (and possibly spoof a few old/sent messages with this address as the sender/recipient). Every user's poison address would be unique, and it would only be used for this virus-prevention system. The name/address/other fields would be populated with random data and the user would be told not to delete this entry from their address book for any reason.

    Whenever an e-mail was sent to that poison address, the network administrator (and possibly the user as well) would receive a plaintext, PGP-signed e-mail (with a plaintext URL that they could visit to further authenticate it) informing them that they had a virus; better yet, they could temporarily be disconnected from the network altogether.

    Implementing this system would be very easy: a little bit of extra code on an e-mail server and automatically-generated .vcf files for the initial distribution to users. It would protect even against new and undetected viruses, would work *immediately* to prevent an outbreak from spreading, and would be next to impossible for virus writers to circumvent; a dictionary-based algorithm for generating random addresses/names could make it nearly impossible for a virus to skip the poison address, and no amount of clever social engineering or code morphing or hacking around a corporate e-mail filter would do any good.

    Am I missing something or would this make a major dent in the e-mail virus problem?
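    A server-side sketch of the poison-address scheme described in this comment, written as an added example; it is not the poster's code or any vendor's, and every name in it (PoisonRegistry, check_outbound, the example.com domain, the sample accounts) is an assumption. It derives each user's canary from an HMAC instead of a dictionary, and keys the alert on the authenticated sending account rather than the From: header, since mass-mailers forge From: with harvested addresses.

```python
"""Poison-address (honeytoken) detector for an outbound mail gateway.

Added example, not code from the post or from any product.  Assumes a
gateway that sees every outbound message together with the account that
authenticated to send it and the envelope recipient list (all names here
are hypothetical).  A mass-mailer that harvests a victim's address book
eventually addresses the victim's unique poison entry; the gateway then
flags the account that sent the message, which is the infected host.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

DOMAIN = "example.com"  # hypothetical mail domain served by the gateway


def make_poison_address(user: str, secret: bytes) -> str:
    """Derive a unique, unguessable poison address for one user.

    The local part is an HMAC of the user name under a server-side secret,
    so nothing in the address marks it as a canary and no two users share
    one.  Given the secret, the same address is always regenerated."""
    tag = hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{tag}@{DOMAIN}"


@dataclass
class PoisonRegistry:
    """Maps planted poison addresses back to the account they were planted for."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    planted: Dict[str, str] = field(default_factory=dict)  # poison addr -> owner

    def plant(self, user: str) -> str:
        """Create the entry to ship in the user's .vcf and remember it."""
        addr = make_poison_address(user, self.secret)
        self.planted[addr] = user
        return addr

    def check_outbound(self, sending_account: str,
                       recipients: Iterable[str]) -> Optional[dict]:
        """Return an alert if any recipient is a planted poison address.

        The alert names the authenticated sending account, never From:,
        because worms forge From: with harvested addresses.  The owner of
        each hit is reported too: that user's address book has leaked,
        which may be a different person than the infected sender."""
        hits: List[str] = [r.lower() for r in recipients
                           if r.lower() in self.planted]
        if not hits:
            return None
        return {
            "infected_account": sending_account,
            "poison_hits": hits,
            "leaked_address_books": sorted({self.planted[h] for h in hits}),
        }


def demo():
    """Constructed traffic: one normal message, then two worm-style ones."""
    reg = PoisonRegistry()
    alice_poison = reg.plant("alice")
    # Normal mail to a real correspondent: no poison recipient, no alert.
    normal = reg.check_outbound("alice", ["bob@example.org"])
    # Mass-mailer on alice's box sends to her whole address book; the
    # address is matched case-insensitively, as mailers may upcase it.
    worm = reg.check_outbound("alice", ["bob@example.org", alice_poison.upper()])
    # carol's infected box harvested alice's canary from an old message:
    # the alert points at carol's account and names alice's leaked book.
    harvested = reg.check_outbound("carol", [alice_poison])
    return normal, worm, harvested
```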

  20. Re:There are some nasty ones by aastanna · · Score: 2, Interesting

    I suppose the increased number of viruses, and the killing off of competitors, are probably because it's becoming more and more profitable to write a virus to turn a machine into a zombie and sell the zombie to spammers.

    Maybe Windows will get its act together in the next service patch and stop making it so easy for the virus writers, but even then there will be a lot of computers on older versions. It would probably be more cost effective to go after the spammers' money source with a serious law enforcement effort than to allow the current virus situation to continue... of course more money to policing efforts means getting that money in a budget, which means public awareness of the problem.

  21. Re:Solve the damn problem by prandal · · Score: 4, Interesting

    You forgot File Extension Hiding. One of the key weapons in the malware-writers' social engineering attacks. It's time File Extension Hiding was turned off. And time that MS released a patch to disable it for all time.

    Phil

  22. Re:Solve the damn problem by Genom · · Score: 4, Interesting

    What are you talking about? There's been lots of effort in combating the virus problem, namely the products of the major antivirus software vendors like Trend Micro, and Symantec. It's worked extremely well. More and more viruses and worms come out, and the vendors make more and more updates, and sell more licenses. They've become extremely profitable. Since profit = success, this virus problem is obviously well in hand.

    I'm guessing that was sarcasm, in which case I totally agree ^^

    The problem here is that the viral arms race is a cash cow. It's in Symantec/Trend/McAfee/et al.'s best interest, financially, to make sure that viruses/worms/malware continue to propagate.

    If virus/worm/malware activity suddenly stopped, there'd be little need for the services those companies provide. If, however, the threat multiplied over time, there would be an increased demand for their services - which in turn would equate to more money in their pockets.

    I'm not saying these firms are crooked - I'm also not saying they aren't. All I'm saying is that they have a vested interest in keeping the threat alive, or even increasing its magnitude. Whether they do so or not is neither here nor there.

    MS, of course, shoulders a portion of the blame for the problem. OE, after all, is the most effective virus/worm/malware distribution engine *ever*. (Outlook itself not being far behind, but that's part of Office, which most folks actually have to pay for -- OE comes installed with the Windows OS that comes pre-installed on most new machines, and hence has a much greater distribution.) But then again, if it were secure, given MS's overwhelming marketshare, how would *that* affect the bottom line for the AV companies?

    A healthy skepticism about the industry is quite warranted, I think.

  23. Re: there are some nasty ones by zaphod110676 · · Score: 2, Interesting

    >>my question though: how often does joe sixpack buy AV software? do they actually buy anything themselves, or do they rely on their retailers (dell or whoever) to bundle it on their windows boxen?

    In my experience many users don't buy/use any software (well, maybe Bonzai Buddy) that wasn't bundled with their PC. I've actually met people who will buy a new PC just to get a new word processor.

    --
    To Do: 1. Take over world 2. Pick up Milk and Bread on the way home
  24. Here's what I do: Press fails to cover immune apps by XavierItzmann · · Score: 2, Interesting

    I subscribe to one major national newspaper. Every time they write about "a virus" I send the writer and the section editor a quick note reminding them that it is "a Windows virus."

    Would you believe, most of the reporters at this particular paper no longer make the mistake, i.e., most articles mention at least once that the latest breakout impacts only Microsoft Windows systems.

    --
    The next pasture is always greener
  25. Re:Virus scanners suck by gcaseye6677 · · Score: 2, Interesting

    Trojan - executable file that pretends to be something the luser wants but is really malicious.

    In this case, why are programs like Gator not removed by anti-virus software? By all definitions, Gator (or is it now Claria) and similar programs are Trojans. If the user knew what it would do to their system, they would have never installed it. Then there are the reports of "drive by downloading". If this isn't trojan activity, then what is?

  26. The REAL nightmare scenario... by alispguru · · Score: 4, Interesting

    ... would be a virus/Trojan/worm that spread fast, was hard to spot (used very little system resources), and had a payload that modified documents in small ways:

    Word processing documents - randomly deleted words like 'no' and 'not', or flipped words like 'always' and 'never'.

    Spreadsheets - zeroed out one or two cells

    Presentations - Inserted random obscenities and links to unappetizing images

    Imagine what would happen if nobody could trust their computers any more. Microsoft would be sued into oblivion, EULA or no EULA.

    --
    To a Lisp hacker, XML is S-expressions in drag.