Remember the days when the PC magazines all used to review pre-release software, find some bug or other, and say this will be fixed in time for the final release? Except the bugs never were fixed come the final version?
It always makes me think of "The Zone" in Andrei Tarkovsky's movie Stalker
Now, if you'd had a defence-in-depth policy you'd have had a box running MailScanner with ClamAV and another virus scanner scanning all emails. Updating patterns hourly. That's what we did and none got through to cause any damage. Relying on just one virus scanner with daily or less frequent updates is professional negligence. A new worm can flood the net within a few hours. Virus patterns need to be released as soon as a virus is detected, not daily, weekly, or to any other arbitrary schedule. There are lessons in all this for the antivirus vendors and end users.
I'll second that, MailScanner is brilliant - but get the current beta 4.28.4 or later which can block password-protected .zips. There's top-notch support in the MailScanner FAQ and via the mailing list.
But the real purpose of MyDoom is to create zombie machines for spamming.
while (1) {
Are you sure? Or was it to create zombie machines for seeding other viruses? Which in turn create zombie machines for spamming.
}
That's why any halfway decent mail filtering software will block content based on file type, not file extension. In the windoze world, of course, the two are often seen as synonymous, which gets very dangerous when users are presented with readme.txt.exe, complete with text-file icon, with the .exe part hidden (Windoze defaults suck).
For the zillionth time, I say, IT IS TIME FOR MICROSOFT TO ISSUE A SECURITY PATCH FOR ALL ITS OSES WHICH PERMANENTLY DISABLES FILE EXTENSION HIDING.
Sighs...
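As an added illustration of the point made above about filtering on file type rather than file extension (this is example code, not from any of the commenters, MailScanner or ClamAV): a Python attachment check that looks at the MZ magic bytes before the name, flags an executable suffix including the readme.txt.exe double-extension trick, and refuses zip entries whose header carries the encryption flag, the password-protected .zip case this thread mentions. The samples are constructed inline; the "protected" zip only has the flag bit set, its payload is not actually encrypted.

```python
import io
import zipfile
# Extensions Windows will run. With "hide known extensions" on, the user sees
# "readme.txt.exe" as "readme.txt", which is the trick the thread describes.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}

def classify_attachment(filename, data):
    """Return a block reason, or None if allowed; content is checked first."""
    name = filename.lower()
    # 1. DOS/PE executables start with "MZ", whatever the file is called.
    if data[:2] == b"MZ":
        return "executable content (MZ header) in " + filename
    # 2. Executable suffix, which covers the double-extension case (x.txt.exe).
    suffix = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if suffix in EXECUTABLE_EXTS:
        return "executable extension " + suffix + " on " + filename
    # 3. Zip: encrypted entries cannot be scanned, so block; else check members.
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    return "password-protected zip entry " + info.filename
                inner = classify_attachment(info.filename, zf.read(info))
                if inner:
                    return "inside zip: " + inner
    return None

def _zip_with_encrypted_flag(entry_name, payload):
    """Constructed sample: a zip whose one entry has the 'encrypted' flag bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, payload)
    raw = bytearray(buf.getvalue())
    # Flag word sits at offset 6 of the local header, 8 of the central directory.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        raw[raw.find(sig) + off] |= 0x1  # low byte of little-endian flag word
    return bytes(raw)

# Constructed samples (not malware): PE-like stub, text, misnamed file, "protected" zip.
SAMPLES = {
    "readme.txt.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.txt": b"Just a text file.\n",
    "report.doc.pif": b"harmless bytes with an executable name",
    "photos.zip": _zip_with_encrypted_flag("photos.jpg.exe", b"MZ\x90\x00"),
}

def scan_all(samples=SAMPLES):
    """Map each attachment name to its block reason (None means allowed)."""
    return {n: classify_attachment(n, d) for n, d in samples.items()}
```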
Netscape 7???? No no no! Try Mozilla 1.6 or even 1.7 alpha instead, much much more recent and better (with one or more security holes fixed).
You forgot the other bit about social engineering. FILE EXTENSION HIDING! The latest worms have attachments like xyz.txt.exe with a "text file" icon. With the CRAZY Windows default of file extension hiding, users think these attachments are safe. Poor fools. Microsoft's next service packs should DISABLE file extension hiding once and for all. But of course they won't do that, it's way too obvious.
With the speed at which Mydoom and Bagle spread, all most antivirus software can do is clean up after the fact, if, of course, it hasn't been disabled by the virus.
This is continually raised, for example here, here, and why it's a bad idea anyway
And so on...
Microsoft's great feature, put there especially for virus writers' social engineering attacks (well, there is no other real use).
Look inside those .zip files and you see abcdef.txt.exe (or .pif), etc.
Muggins end user opens what (s)he's been tricked into thinking is a .txt file.
Boom.
If Microsoft is at all serious about security they'd issue a patch for all their operating systems disabling this "feature" for all time.
You forgot to mention that Microsoft hides file extensions anyhow (why, why, why?). That's what the social engineering aspect of these worms relies on.
Time for Microsoft to issue a set of critical security patches which DISABLE FOR ALL TIME file extension hiding.
Like that'll ever happen....
Phil
Once a day is not enough! (I wish!)
When the original MyDoom.A came out, we were catching them with ClamAV 5 hours before McAfee's patterns came out. A similar thing with MyDoom.B.
Update your patterns hourly, as a minimum.
Even that's not enough with a mass vectored attack in which thousands of compromised PCs are used to distribute a new virus at the same time.
Antivirus vendors are going to have to rethink.
We need rapid responses to newly detected viruses.
Waiting hours for updated detection patterns isn't good enough, or soon won't be.
ClamAV had the patterns for MyDoom at 22:00 GMT the day MyDoom appeared. McAfee's updates appeared on our mail gateway 6 hours later (we update hourly).
Furthermore, ClamAV detected the B variant straight away, McAfee needed tonight's 4320 DATs.
Well done, ClamAV team.
I know, but ClamAV got it anyhow - impressive!
Stinger 1.9.9, McAfee's standalone disinfector for this and the other most common "out there" viruses is now out.
ClamAV, the Open Source virus scanner, caught it on our email gateway this afternoon, whilst McAfee's uvscan with the 4319 DATs didn't find a thing.
A big thanks to the ClamAV team.
Phil
Slashdot hasn't posted my story yet....
We detected MyDoom.B around 15:00 GMT today - ClamAV (opensource rules), McAfee 4319 DATs didn't.
Preliminary analysis at Internet Storm Centre.
Most AV vendors have new patterns out now.
Phil
I'd recommend McAfee's standalone disinfector Stinger to everybody. It's a small executable which detects and cleans the most common viruses. Version 1.9.7 disinfects this beast (needs a reboot).
I read this tomorrow.. erm yesterday..
Time flies like an arrow...
(with a stopwatch? With tomato ketchup?)
There's already (an out of date) HOWTO on this:
Red Hat Enterprise Linux Rebuild mini-HOWTO
Time taken for a new virus to wreak considerable havoc? A few hours.
Time taken for antivirus vendors to release detection patterns? Considerably longer than a few hours.
And while we're on this subject, why do antivirus vendors still insist on a weekly pattern update schedule? For God's sake NAI / Symantec and whoever else indulges in these archaic practices, pattern updates are required as soon as a new virus is detected. Forget the "you'll have to wait for next week's" DAT files to come out approach, it only serves to spread viruses, not eradicate them.
Revenge is sweet :-) And no, I don't mean we should try to emulate Darl McBride's personality, either.
Phil
By default, Avast! autoupdates (patterns and program) whenever you connect to the net, and every 8 hours or so thereafter. Autoupdates are incremental, so the time taken to update is low, even for dial-up users. I see that AVG has only just implemented incremental updates.
I'd seen rather too many people who had nothing but problems with AVG in the past, and too many viruses slipping past AVG.
But your mileage may vary. It didn't stay on my PC for long, and nor did Antivir. Both caused problems here. So far, Avast! 3 and 4 on this PC have proven to be solid.
Their support forums are excellent too.
AVG is total rubbish compared to Avast!, which is also free for personal use. Highly recommended.
I also recommend the image viewer IrfanView, the Filezilla ftp client and server, Audacity, The GIMP for Windows, the ConText text editor, the KiXtart scripting tool, GAIM for Windows, and that's just for starters.
Google has a list here.
Amazing what searching for "Openoffice mirrors" turns up.
Phil