Slashdot Mirror
Unprecedented level of Virus Alerts
arpy writes "iTnews reports that according to Trend Micro (makers of PC-cillin), there was a record-breaking level of virus alerts in the first quarter of 2004. In Q1 2003, Trend issued 35 virus warnings. During the same period this year, it issued 232. According to the company's annual virus round-up and forecast (PDF), the number of alerts was pretty much steady for 2001-2003. Particularly noteworthy is that so many of the viruses are variants, not original. Trend's April 2 Weekly Virus Report reveals that of the "Top 10 most prevalent global malware", the top five are all variations of Worm_NETSKY. This would seem to confirm Virus creators are sharing more code."
Especially on IRC. Quite a few IE/mIRC trojans/viruses. Too bad so many users are so clueless and will click anything that looks like it might be porn.
Its reactionary, they cant predict what people will code. Its sad that they give people a false sense of security.
This would seem to confirm Virus creators are sharing more code.
So, do they prefer GPL or BSD license?
A quote from a journal entry from last September:
And so we come to the nightmare scenario. A relatively benign
parasite has infiltrated the general population and suddenly a very
"hot" parasite discovers how to piggy-back that infection. In the
blink of an eye - a day, an hour - 50% of Windows PCs around the
world are destroyed. It can happen, and therefore, it most probably
will.
Ceci n'est pas une signature
that there are lots of pissed off wanna be script kiddies, who are not happy with the way the world is heading, and see it as their duty to try and throw a spanner in the works.
It's a viral license, remember?
Clueless people deserve it. It's not just going to be the clueless... even those running AV software won't be protected from a super-fast-moving virus...
don't many of these viruses use the same vulnerabilities? if that's the case, doesn't that mean a statistic like this should be pointed to not as an indicator of rising numbers of viruses, but as an indicator of the lack of response from the applications being exploited?
:)
i'm not certain that these viruses use the same vulnerabilities, so my second question is pretty heavily weighted on the first
The Windows Virus License, of course, since they're all Windows viruses, of course! ;)
...
Windows Virus End User License Agreement
Licensor, Skrip T. Kidie hereby licenses to you, the licensee, the ability to be infected on a single machine with not more than eight (8) processors by this Windows Virus (hereafter "the Virus").
By reading this, you agree to allow your machine to become infected. We reserve any and all rights without limitation, while you disclaim any purported rights you might have so much as thought you had, including "fair use" rights, and agree to hold licensor harmless for the inevitable destruction of your PC.
In the event you are found in possession of more copies of the Virus than you have license for, you will owe us $699 per violation. Furthermore,
(10 more pages of legalese here)
I just block everything that isn't a document of some sort. Haven't had any problems at my company since.
The unfortunate reality is that some viruses may affect you even if you aren't infected. Massive virus outbreaks are like spam: both generate large amounts of junk traffic that slow everyone's connection.
I've seen some pretty fast-moving viruses get past the very expensive virus-scanner we have at work, but the only one to get by the simple, free, procmail-based one I use at home is the stupid one where you have to open an encrypted zipfile.
. ht ml
./runMyVirus
http://impsec.org/email-tools/procmail-security
Now I have to ask, if users are dumb enough to open a password-protected zipfile in what sure looks like an obvious virus-generated message to me, aren't those users dumb enough to be convinced to chmod +x &&
I think this is evidence that no security system can realy be foolproof. The fools are just too persistent!
When you have 232 virus warnings in a year, you have a wee bit of a problem. When you have 232 alerts in a fourth of a year, you have an industry gone markebonkers. Thats 2 and a half alerts per day. Is it any wonder Joe Average isn't paying attention any more and is getting fried? 232 virus warnings doesn't say to me that there is a problem with viruses, it tells me that there is a problem with whomever is issueing them. They need to re-evaluate what constitutes a warning, and what doesn't. Does BobWanky'sWhoopieWorm_A, BobWanky'sWhoopieWorm_B, and BobWanky'sWhoopieWorm_C, all need separate alerts? Its doubtful. We need to reign in these virus companies, who appear to have gone quite literally bananas, and give them a good smiting.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
AV software seems to do a lot of scanning in a minimum amount of time. Considering the thousands upon thousands of viruses running around the wild, how is AV software able to scan each file so quickly, even if it only looks for specific signatures, it seems that each file would take an inordinate amount of time to scan. However it doesn't.
Can someone give a brief explanation of how anti-virus software is able to scan so many files so quickly?
I have been pwned because my
There are few large virus threats in the past few years. Most of the stuff we see every day is technicall a worm.
Why are we married to calling everything virus related when it is actually the flash-spread of worms that pose the most risk?
The Morris worm was a wakeup call. It was the first large worm, and simultaneously the first Warhol attack. Today, the 'growing threat' is the idea of Warhol-type worms, even though the first such attack was back in the 1980s.
The future of security is probably in the department of protecting against blended threats. AntiVirus software that only deals with stuff on your disk isn't enough anymore. You need, in order of importance:
1. to adopt safer computing practices.
2. Have some type of firewall that limits external access to services you don't actively use.
3. A behavior based IDS (or similar technology)
4. Disk and memory AV (eg, a typical antivirus program)
5. Signature based IDS.
Signature based IDS is least important, especially if you have the firewall in slot 2 that negates most of the use of an IDS. Disk and memory AV is important, but since 99% of all user-originated content comes over the wire these days, the smart money is on 1, 2, and 3.
I suppose step 6 should be "Demand accurate coverage from technically competent news professionals that know the difference between the various threats". If your local anchorman said "Earthquake warning!" and it turns out it was a flood emergency, would you find that acceptable?
On the plus side, we can hope that if The Machines ever get away from us, we can get Jeff or Data or NEO or Ahhnold to load a virus and save us. On the minus side, one of these days someone is going to write something really nasty, and even those of us who don't use Windows will be affected, either through the drag in traffic, bringing down nodes, or the phone calls and other messages.
It would be great to have a system that looks for changes and reports them...oh wait, I already have that.
-cp-
Alaska Bugs Sweat Gold Nuggets
...the data regarding AntiVirus software purchases, firewall purchases, patch downloads, etc for the same period?
Since there was an unusually high number of viruses and alerts, it would be nice to see just how it's being handled on the user end. Were there spikes in Norton Anti-Virus purchases? Or are people getting nailed with virus after virus ( a big clue is that it's mostly just a slightly altered form of the virus ) because they're being typical Joe User and not trying to guard themselves?
Slashdot sucks
And writing them for the same reason for the same people. Money from spammers. Look how many of those new viruses open back doors for proxies and steal email addresses. I don't think that it is so the virus writers can send love notes anonymously.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
Viruses reply on several points of entry, and now use specialised code with predictable behaviour, that cause measurable damage to systems and networks.
One thing, the companies who make money off this certainly do not want this to stop. This isn't a put a tin foil hat on message. Just correlate the line, viruses and profit for these companies. Now, of course, chicken and egg.
Security is going nowhere, patching holes isn't going to save a sinking ship, and myself, I do not want to let the 'everybody else' flaot the security boat for too long now, else they will have enough power just to pay their own people to write the next netsky.
What do you think can be done to remove the threat of viruses trojans and worms in the near future?
Something simple, like an email client that runs with no provileges, in a sandbox, unable to harm the host computer.
Or idiotic employees working *in* a sandbox, with no network connection, and a fisherprice computer.
Yeah, that'd be more useful.
Lets just all keep in our minds these people *profit* from this, and we cannot altogether trust anything they say.
*puts on tin foil hat* erm.
Oh the point, yeah, maybe anti-virus writers should SHARE CODE.
I run a website called politrix of which is my own Sun machine. I recently received the following email and am confused of what to doCan someone please link a book on common sense so I can buy it to figure out why I am suspending my own account. Please hurry! Currently I am writing to this poor man in Africa who's promising me a couple of cool millions, so when I become rich, I will reward you handsomely.
MoFscker
Joe user wants to be infected.
Make something idiot-proof and someone will build a better idiot.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
In a way, the antivirus industry always reminds me of the nobel profession of arms dealing. On the table you provide your clients weapens to "defend" themselves and to archieve and maintain peace. Off the table you know the business only flourishes when there is a war. Of course there is always a war, but your interest is in an all-out war. So what do you do if there is no such an all-out war going on? Don't panic, you simply make your clients believe there is one indeed. As soon as they believe you, you win.
If you don't know what I'm talking about, you shoudl read Vmyths more often.
Quite well from my point of view. A virus went through the scanner three days ago, but the definition file was updated and I haven't seen any other virii go through it again.
This is the "Catched virus top 20" in my mail server for the last few days:
My site
A lot /. readers are not familiar with Windows and may ask what "virus" means in computer science. So in order to better understand this article, here's a short presentation.
:
Virus are popular peer-to-peer sharing systems designed and optimized for Windows platforms.
Great features of these systems over other P2P systems
- It's free software, although the license is often missing.
- They are very well maintained. New versions are released almost every day.
- They are easy to use : no need for a GUI, no need for a CLI, everything is fully automated.
- Updates are also automatic.
- No need to tweak your firewall, popular viruses can work on port 25 using a SMTP-like protocol.
In order to join this community, you just have to run an installer called "outlook.exe". To improve your experience, the "internet explorer" add-on is also recommended.
And how handy, the installer and its add-on are part of the vanilla "Windows" installation CD set. No need to download anything and no registration is required. Very convenient.
Once the installer ("outlook.exe") has been started, an Evolution-like interface pops up. This is bloat, it can be safely ignored. Directly go to the "add contact" panel and fill in email addresses of friends you want to share executable with. Wait a few minutes (check the internet link is ok) et voila, viruses are automatically downloaded, installed and configured.
You know understand why this p2p system is so popular in the Windows world : easy to install, easy to use, and the operating system keeps a lot of unfixed security holes in order to avoid breaking backward-compatibility with older viruses.
{{.sig}}
I work in the 'PC Repair' industry, so this article really is of no news to me, as 90% of my business is pulling this garbage, and SPYWARE out of people's systems. I ask you, slashdot, are virus writers slowly getting in bed with these spyware writing scum suckers? More and more I see systems infested with a few nice worms, especially stuff along the lines of "Trojan.Startpage", the usually nastiness (B(e)agle, Netsky,) and TONS of spyware. Is this a sign that the two are going hand-in-hand, or just a giant example of the general idiocy of users. (I'm betting on both) Spybot/Ad-Aware/AVG only go so far. How are the tech-savvy supposed to protect these people? I've even had people try to claim that ad-aware or AVG INFECTED them a second time, because it wasnt there before, and they're system was working fine aside from mass mailing their friends viruses and throwing popups in their faces.
Will we reach a point when the constant pushing of garbage in users faces will make the internet worthless to the common man?
SPAMMERS...
The worm/virus explosion is because RBLs are WORKING, and spammers are finding less IP space they can operate from. Their only alternative is to infect client PCs and turn them into proxies. Any mail admin can tell you this is what's happening. RBLs are working. Now if we can get the ISPs to enforce their Terms of Service and shut down compromised PCs, along with the authorities who may at some point get off their lazy asses and start putting some of these spammers in jail, we'd have 99% less virus/worm propagation. Occam would agree. Lobby your District Attorneys to stop prosecuting Tommy Chongs and do something in the public interest and the world will be a better place.
Hardly. This is just blaming the victim. A poor policy.
Relying on education and technological cures assumes that malware is a static target, but it's not. If you rely on improving people's understanding of viruses, you simply get viruses that act smarter and look like official emails. If you improve technology, you get viruses that actively target that technology itself (look at the BlackIce incident).
Technological solutions just create an arms race, and we've seen how well that works. Look at your inbox... the grim rise of noisemail is hardly a sign of success.
The solution is to acknowledge the nature of the problem: it follows the same laws as those of organic parasites, and the same solutions may be the only ones that work: perpetual change for the sake of change; trading of resistance; variety in place of standardization.
Ceci n'est pas une signature
I am running Fedora Core 1 w/ kernel 2.6.4 ... There have been these forrester research findings that linux distributions have about the same amount of dangerous vulnerabilities as Windows. When I took a peek at linuxsecurity.com all I found were vulnerabilities in server services like Open SSL, Squid and etc. Though I know those services are important to Linux's current most successful market (Enterprise Server Market). As a user running Fedora and runing services like: X server, cups, vmware and not having any other users but myself. Do I even need to patch? I mean, like X-server has been around for 20 yrs, can't I assume that it pretty much is safe from an external network attack?
One (unfortunate) solution to spam from compromised workstations is for mail servers to refuse to accept SMTP messages from hosts in dialup and DHCP address ranges.
For this I use the Pan-Am Dynamic List (PDL).
I do not deploy Linux. Ever.
My fault, I suppose, for leaving it the demilitarized zone. I'm just so used to Linux though -- the idea that a modern OS would permit such a thing to happen is ridiculous.
virus companies, who appear to have gone quite literally bananas
So have they turned into bananas, or have they just gone to banana rich lands? Sorry, but I can't see how one can literally go bananas.
-Colin
If this is such a problem, why has there been such little effort to actually fix it. There have been reactionary measures (patches, anti-virus), and overkill security that's years away (security at the hardware level). A HUGE chunk of viruses could be wiped out if
a) no more html email. Period. There's no reason for it other than making email look pretty. I've never run into a situtation where an informational email couldn't live without html.
b) No more attachments. Email isn't a file transfer protocol. There are many many many other safe ways to send files. Email was never meant to send binary attachments anyway. The RFC doesn't allow it. To comply, a dirty hack was created in which binary data is turned into plain text. But it's obvious email wasn't meant to be used in that fashion.
c) no more IE. No other piece of software has enabled so many viruses, adware, spyware, and shitware. IE is the malware enabler. I don't care if you use Opera, Mozilla, whatever, because pretty much everything is better than IE.
d) quit blaming the damn users. MS has designed an operating system to be used by the simpliest people on earth. Those whom have absolutly no computer experience at all. How can you blame them then when they open viruses? If you are going to design an operating system to be used by the masses, then you must implement security measures as if the user is clueless, because usually they are. Because you can open a virus without a warning, yet you can't modify your "Windows" directory without a myriad of warnings, makes me wonder how high a priority security really is to MS.
On the one hand, what I see is a 'cool' new trend in virus writing; "Wow! Cool! Like, I can re-script a code which will secure me lots of slave machines! Excellllllent. I want to play, too!"
On the other hand, it also strikes me as very convenient that the web should be pummeled right now when there is such a push to massively control EVERYTHING and EVERYONE on the planet. --How easy would it be for the fine people in black-ops-secret-shmecret-government to release a few hundred viruses into the wild?
Pretty damned easy, I'd say. But to what end?
Simple. Everybody is getting fed up. "Oh, please install new laws which allow us to punish spammers. Oh, please, mighty government, do SOMETHING to control the web so that I can get my email!"
The internet, at the moment, is THE prime source of real information and world-wide communication. You can say here, out in the open, "BUSH IS A LIAR AND A CRIMINAL" And link to a hundred sites which explain -with detailed evidence- exactly why this is so.
Fascist governments don't appreciate this. Machiavelli recommended the swift destruction of dissidents who speak such things, in order to control a kingdom.
230 new script kiddies a month releasing malignant code into the wild, or a handful of unimaginative agents bent on pissing everybody off so much that they start begging for leashes?
I don't know. But it wouldn't surprise me in the slightest to find out that the assholes -once again- are in charge.
-FL
If users are dumb enough to open a password-protected zipfile in what sure looks like an obvious virus-generated message to me, aren't those users dumb enough to be convinced to chmod +x && ./runMyVirus
/home has to be on a separate partition, I use LVM (so that I can resize /home later if needed).
;-)
I have installed several Linux desktops in my workplace (replacing old winboxes). I always mount home as noexec. So even the dump users will be safe. Because
I've been suprised for the positive comments. One user asked me after few days with Linux DT: "What is this machine? It's kind of cute and easy to use!". "It's Fedora, sort of Linux" I replied. "Oh, really? Linux! I've never used Linux before.. Maybe I should have something like this at home, too?"
Anti Virus makers are among the more profitable companies around, sure that they want to make it look like this is a gigantic threat.
...
Companies that
* Use a firewall
* Enforce the use of "RunAs" for all critical operations
* Dont use Outlook
Avoids 99.999999 % of all of viruses
I always get slightly annoyed when people make this statement - viruses on Linux cannot work in the same way that they do on Windows.
Linux and UNIX have insecurities, possibly less than Windows but that's irrelevant here anyway. All software is potentially buggy.
Viruses on Windows spread so rapidly because so many people in the Windows user base run Outlook or Outlook Express which allows viruses to take advantage of exploits in both those programs and in core Windows insecurities. Because so much of the Windows code base is reused, this means that when an exploit is found on Windows XP, it probably also exits in Windows 2000 and might well also exist on Windows 9x. Therefore, when a virus hits, the majority of the Windows user base is at risk.
Linux is completely different. Exploits in Linux (and UNIX-type systems) generally revolve around buffer overflow attacks that cause a daemon program (like ftpd, httpd, etc.) to crash allowing access to a shell prompt, hopefully a root prompt (to the cracker). An attack of this nature depends on that specific daemon being run in the first place, that the cracker can get to the daemon (through any firewalling) in the first place and that the daemon is at the specific version for the exploit to be usable. Even when the cracker has got into that system, he has compromised one system only - sure he might use it as a jump off point to other systems on that network or within that organisation but this is still a limited effect attack.
Also, you need to take into account the UNIX permissions model. Everything you or the system does in UNIX is done at a specific user level. Doing anything as "root" is always dangerous which is why many daemons are run at non-root level - this means that if a system is compromised, the attacker or malevolent program can still only do things at that user level and probably not affect the rest of the system.
Linux and UNIX is prone to attack but the difference is, by it's very nature of customisation and administration detail, no two systems are ever going to be identical - consequently, this type of virus attack can never exist in Linux.
Gentoo Linux - another day, another USE flag.
.better scanning of mail on mail servers combined with better tools for doing that scanning (systems that send "you have a virus" crap are almost as bad as the viruses themselves)
hooks built into windows to detect "potentially nasty" behaviour (for example, modifying a system file, modifying winsock settings, changing the hosts file, making something start at startup, changing the IE homepage etc). When detected, one of 3 things will happen:
1.the action will be completly blocked (if its on a network with central policies and has this blocked)
2.it will ask you for the administrator password (if you are not an administrator or if the system has been set up to ask you even if you are admin)
or 3.it will pop up a nice warning to warn you that what this program wants to do could be bad.
Then, you can either allow it or deny it, depending on the settings.
If you deny it, windows would return an error to whatever program wanted to do it (e.g. if the program called RegCreateKey to create a key, it would return "cant create key" or if you called CreateFileEx to open the file, it would return "cant open file")
Plus, ideally, you would be able to add (but not remove the built in ones) new folders, files and registry keys to the "warnings" list. So for example you could have a writable file share on your system but if someone wanted to write to it, it would ask you first. Or on a network, the admin could block changing the desktop background.
Also, you would (ideally) be able to specify which events to block completly and which events to just warn for.
This alone would be a great help at stopping viruses and spyware.
Also, ISPs should firewall ports used by viruses at the ISP level (this includes ports like SMTP ports used by spam trojan zombies). If you do need one of those ports for legitimate use, they can unblock it. That would help stop trojans and zombies taking up valuable bandwidth (both the users Bandwidth and the ISPs Bandwidth)
Plus, email clients should be modified to not run scripts (better yet, get rid of HTML email completly, its mostly used for SPAM, viruses, scams and crap anyway plus it guzzles more bandwidth than regular text)
These things would:
1.make it harder for spyware/viruses to run automaticly
2.make it harder for spyware/viruses to do nasty things without your concent
3.make it harder for viruses to carry out their payloads (e.g. sending SPAM, DDOS attack etc)
4.make it harder for viruses to get into the inboxes of the cluless n00bs in the first place. And since they dont get notified about the removed virus, they never even know they recieved one.
Also, another (more drastic) step that would work for networks like corporate networks, university networks and such would be to lock anyone who has a virus or whatever out of the network untill they have cleaned their machine. Having a central copy of a toolkit of programs (such as Norton System Works and mabie others) and making them available to people locked out of the network would be a good thing to go with this point (so that when someone goes to central IT and says "my computer says I have been locked out of the network because I have a virus", central IT can hand them a CD with the latest most up-to-date recovery tools on it (anti-virus etc) and a simple set of instructions on how to clean their machine with it.
In the last month and a half, I've literally received about 2 gigabytes of virus/worm mail in my UNIX-based mailbox. (Actually, it's an AIX box at my ISP.)
Anyway, I noticed that most of these come from a rather small set of "From:" addresses, and my (now cancelled) email address, im14u2c@primenet.com, was one of them. Did any of you receive large quantities of email wastage with that forged "From:" address?
Here's a short list of forged From: addresses I saw repeatedly on these virus/worm spam, in decreasing order of occurrence:
I noticed sis.com.tw got hit pretty hard, as did Jeff Garzik! I think they must've scraped these out of the SiS900 driver in the Linux kernel.
I'm regretting that suggestion I made to Ollie on how to speed up his CRC routine.
--JoeProgram Intellivision!
Yes, OS X, BSD, and the various Linux distributions (i.e. Debian, Mandrake, SUSE, or RedHat ). All easy to install, all easy to maintain, all easy to use. OS X comes pre-installed by the OEM and an increasing number of Linux distros are, too.
Furthermore, the layered structure of the OSes and separation of privileges means that these are resistent to future viruses as well as immune to those available today. Yes, apologists and astroturfers like to ignore that as well as blame users. But even if, and that's a big if, market share has more effect than design flaws, it will take quite some time for the virus activity to shift and during that time, businesses and users have come out ahead. Right now, die hard ideologs who refuse to drop a defective product are costing billions of dollars per quarter, a not insignificant number when you think how many jobs could be kept rather than downsized or outsourced in these increasingly bad economic times for the U.S.
How about a little focus? The title should have been "An Unprecedented level of MS Virus Alerts" and steer users off of the hamster wheel. From easy to hard, these are just a few of the many options:
1. Use WordPerfect, StarOffice or OpenOffice instead. 2a. Use Eudora, Evolution, or Pine instead. 2b. Use Mozilla, Firebird, or Opera instead. 3. Use one of the above resistent / immune OSes instead.Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Here's a new anti-virus idea I came up with just now, I'm not sure if anybody else has thought of this before or not but here goes:
.vcf files for the initial distribution to users. It would protect even against new and undetected viruses, would work *immediately* to prevent an outbreak from spreading, and would be next to impossible for virus writers to circumvent; a dictionary-based algorithm for generating random addresses/names could make it nearly impossible for a virus to skip the poison address, and no amount of clever social engineering or code morphing or hacking around a corporate e-mail filter would do any good.
Network admins and ISP's would basically add a "poison e-mail address" to a user's address book (and possibly spoof a few old/sent messages with this address as the sender/recipient). Every user's poison address would be unique, and it would only be used for this virus-prevention system. The name/address/other fields would be populated with random data and the user would be told not to delete this entry from their address book for any reason.
Whenever an e-mail was sent to that poison address, the network administrator (and possibly the user as well) would receive a plaintext, PGP-signed e-mail (with a plaintext URL that they could visit to further authenticate it) informing them that they had a virus; better yet, they could temporarily be disconnected from the network altogether.
Implementing this system would be very easy, a little bit of extra code on an e-mail server and automatically-generated
Am I missing something or would this make a major dent in the e-mail virus problem?
I always mount home as noexec.
/home/luser/runMEnow" will work, even if you mount /home with "-o noexec". Common pitfall...
Not enough: "/lib/ld-linux.so.2
Are sharing code, then it stands to reason that keeping your system proactively patched protects you from more and more virii.
It's getting to the point at the office that all new virii noise on the IDS box is laptops coming in from the VPN. I can see a spike in traffic from one laptop, which gets reported to the Help Desk for cleaning, and the net result to the rest of the (properly patched) network sees NO negative result.
"Draco dormiens nunquam titillandus."
Word processing documents - randomly deleted words like 'no' and 'not', or flipped words like 'always' and 'never'.
Spreadsheets - zeroed out one or two cells
Presentations - Inserted random obscenities and links to unappetizing images
Imagine what would happen if nobody could trust their computers any more. Microsoft would be sued into oblivion, EULA or no EULA.
To a Lisp hacker, XML is S-expressions in drag.
...is because the virus writers are too scared for being caught. Just take a look at the figures of the most virulent worms of the last 2 years. They did infect a substantialy large part of the open Windows systems in the first 10-15 minutes.