
Virus Creators Sharing More Code

arpy writes "The Washington Times is carrying a report on a 5% increase in publicly available virus code in 2003 (based on a Symantec report). There are now about seven versions of MyDoom, and at least 14 each of Netsky and Beagle. Explains why my email account is overloaded with these little bastards. PC World is reporting changes in the countries that viruses are originating from: Australia shot from 14th place to 5th over the last six months of 2003! The source of these stories seems to be the March 2004 Symantec Internet Security Threat Report." (This last requires registration to download.)
  • by Denyer ( 717613 ) on Wednesday March 17, 2004 @10:39AM (#8588210)
    ...one doesn't mean you've never been infected.
  • by eraserewind ( 446891 ) on Wednesday March 17, 2004 @10:55AM (#8588375)
    Yes, and it caused more damage than the one that it was supposed to be protecting you against. It was the only worm/virus so far to cause a global outage in the company where I work.
  • Quick fix: (Score:5, Informative)

    by KodaK ( 5477 ) on Wednesday March 17, 2004 @11:00AM (#8588417)
    MailScanner + SpamAssassin + Clamav.

    Stops unwanted mail dead.

    Finally be able to stop bitching about your inbox.

    100% Free.

    Small catch: you need your own mailserver. Answer: add procmail to your recipe. Ha, get it?

    MailScanner [mailscanner.info]
    SpamAssassin [spamassassin.org]
    ClamAV [clamav.net]

  • by mjh53 ( 186864 ) on Wednesday March 17, 2004 @11:07AM (#8588466)
    Polymorphic viruses did this many, many years ago. Worms, on the other hand, and the recent VB junk presumably are relearning what the ASM writers thought up all that time ago.
  • by nolife ( 233813 ) on Wednesday March 17, 2004 @11:11AM (#8588492) Homepage Journal
    I've used antivirus software and have for the last 10 years on my home network (4 heavy internet users using broadband including 2 young teens who will download anything) and the only "virus" I have EVER seen was the eicar test file for my own testing. I did get a few emails to my hotmail and yahoo accounts recently with those password protected zip files but that was it. I get spyware and spam but not viruses or worms.
  • Cooperation (Score:3, Informative)

    by mdielmann ( 514750 ) on Wednesday March 17, 2004 @11:15AM (#8588520) Homepage Journal
    I'm always glad to see programmers cooperating, and even occasionally competing for market share. After all, that will only bring us better products.

    But you have to wonder just what we're going to get next when some of these virus writers start working together. We've already seen multiple-vector viruses, better social engineering, and greater adaptability. It's certainly going to keep the anti-virus companies on their toes.
  • by devnull17 ( 592326 ) on Wednesday March 17, 2004 @11:32AM (#8588674) Homepage Journal

    As for cleaning out the mal-ware, can anyone tell the difference between the OS and 3rd party stuff?

    Not without gaining a pretty good knowledge of Windows internals. Once you've been, um, blessed with such a gift, it becomes pretty obvious what's real and what isn't, at least as far as processes and services go.

    That's only useful in diagnosing major problems, though. (Like when MSBlaster went around.) And cleaning things out completely is really tough: most malware automagically respawns all of its components unless you manage to remove all of them simultaneously, and I've even seen tricks played with filehandles that can't be closed without rebooting, upon which everything is reinstalled. Generally, I just run Ad-Aware about once a week. Why spend so much time scouring your machine and googling filenames when there's cheap or free software to do it for you?

  • Why spend so much time scouring your machine and googling filenames when there's cheap or free software to do it for you?

    [KifKroker]Why indeed?[/KifKroker] Periodically, I start my work PC (they admin, but it's still vulnerable) and pull up a process list and printscreen it. From there, I compare to my last baseline to see if anything's changed and why.

    Figuring out what was mal-ware and what 7 processes belonged to Novell was interesting. I learned about a couple of questionable services, and I learned more about what bloat-ware MS and Novell have foisted upon me. However, I *ALSO* run AA and Proxo (to keep crap from getting in via ActiveScript or JScript).

    If I ever do get permission to admin this thing, I'll know where to swing the axe first!

    GTRacer
    - Restrictive noob-oriented SysPols suck!
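
The baseline comparison described in the comment above, as an added example that is not part of the original post. It assumes the snapshots are saved as `tasklist /FO CSV` output; the sample rows and process names are constructed, and the function names are hypothetical.

```python
import csv
import io
from collections import Counter

# Constructed snapshots in `tasklist /FO CSV` layout (assumed capture format).
BASELINE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","216 K"
"svchost.exe","812","Console","0","3,412 K"
"svchost.exe","904","Console","0","4,120 K"
"Explorer.EXE","1480","Console","0","18,004 K"
"oldagent.exe","1620","Console","0","2,048 K"
'''
CURRENT = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","216 K"
"svchost.exe","796","Console","0","3,380 K"
"svchost.exe","932","Console","0","4,096 K"
"svchost.exe","2260","Console","0","1,204 K"
"explorer.exe","1512","Console","0","17,640 K"
"updater32.exe","2304","Console","0","980 K"
'''


def load_snapshot(csv_text):
    """Count running instances per image name in one snapshot."""
    rows = csv.DictReader(io.StringIO(csv_text))
    # PIDs and memory figures differ on every boot, so only the name is kept;
    # names are case-folded because Windows file names are case-insensitive.
    return Counter(row["Image Name"].casefold() for row in rows)


def diff_snapshots(baseline, current):
    """Report names that appeared, disappeared, or changed instance count."""
    shared = set(baseline) & set(current)
    return {
        "new": sorted(set(current) - set(baseline)),
        "gone": sorted(set(baseline) - set(current)),
        # An extra copy of a familiar name is worth a look: a name-only
        # comparison cannot tell a real svchost.exe from an impostor.
        "count_changed": sorted(n for n in shared if baseline[n] != current[n]),
    }


if __name__ == "__main__":
    report = diff_snapshots(load_snapshot(BASELINE), load_snapshot(CURRENT))
    for kind, names in report.items():
        print(f"{kind}: {names}")
```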

  • by bgeer ( 543504 ) on Wednesday March 17, 2004 @12:24PM (#8589153)
    Try the Procmail Sanitizer [impsec.org]. It works by redirecting suspicious-looking mail to a "quarantine" mailbox so the admin can scan over it and make sure nothing important was lost. It's fast (it manages a pretty heavy email load on a k6/300) and rarely makes mistakes.

    I've been using it since about May 2002 and my users are barely even aware of the whole wave of email viruses. Better yet, there have only been IIRC two cases (in two years!) where attachments were incorrectly quarantined, due to legitimate use of MS word macros.

  • by gmuslera ( 3436 ) on Wednesday March 17, 2004 @12:26PM (#8589179) Homepage Journal
    I use Anomy Sanitizer [anomy.net] for mail gateways. It just puts in quarantine, and removes from the original mail, whatever has a banned extension (.pif/.scr/etc.) or is detected by an antivirus (but not cleaned; detection is enough for the automatic part), does some cleaning in the text, like removing the dangerous tags in the HTML, and the end user gets the original message with a warning for each quarantined attachment.

    People are still getting a lot of mail because of viruses, but they receive the text (not the dangerous part), and I can recover quarantined attachments if the antivirus had a false positive or a file with a banned extension was really meant to be sent. It has also happened several times that someone sent files from infected machines without being aware of it, or joke programs that could make trouble, where I don't want to let the file pass but do want to let the text through.
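
The attachment quarantine described in the two comments above (Procmail Sanitizer and Anomy Sanitizer), as an added example that is not part of either post and is not code from either tool. It covers only the banned-extension rule, not antivirus detection or HTML cleaning; the ban list beyond .pif/.scr, the function names and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# .pif and .scr are named in the comment above; the other entries are assumed.
BANNED_EXTENSIONS = {".pif", ".scr", ".exe", ".bat", ".vbs"}


def is_banned(filename):
    """True if the last extension is on the ban list (case-insensitive)."""
    # Windows ignores trailing dots and spaces, so "x.scr. " still runs as .scr.
    name = filename.rstrip(". ").lower()
    return os.path.splitext(name)[1] in BANNED_EXTENSIONS


def sanitize(raw):
    """Return (cleaned_message, quarantined); quarantined is a list of
    (filename, payload_bytes) pairs taken out of the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    quarantined = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename or not is_banned(filename):
            continue
        quarantined.append((filename, part.get_payload(decode=True)))
        # Replace the attachment in place with a notice; set_content() drops
        # the old payload and its Content-* headers, the body text is untouched.
        part.set_content(f"[Attachment {filename!r} was moved to quarantine.]\n")
    return msg, quarantined


def build_sample():
    """Constructed message: text body, one banned and one benign attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: your document"
    msg.set_content("See the attached file.")
    msg.add_attachment(b"MZ constructed, harmless bytes", maintype="application",
                       subtype="octet-stream", filename="Document.DOC.PiF")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, held = sanitize(build_sample())
    print(cleaned.as_string())
    print("quarantined:", [name for name, _ in held])
```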

  • by Bombcar ( 16057 ) on Wednesday March 17, 2004 @12:45PM (#8589349)
    I'm waiting for the virus that, in addition to spreading itself, will email out random Word docs found on the hard drive. This is more than a nuisance, it could potentially damage 1000s of companies. Imagine a Word doc getting out that contained corporate secrets.

    I believe either the Melissa virus or Sircam already did that.

    See Dan's Data [dansdata.com] for more info.
  • by RobertB-DC ( 622190 ) * on Wednesday March 17, 2004 @02:53PM (#8590674) Homepage Journal
    Problem is, about 99% of viruses that have come into our firm in the last 6 months have been nothing but virus - no legitimate content. Despite this, our antivirus tool has no option to use its 'knowledge' of the 100% illegitimate messages and simply delete these outright.

    My company has configured our PC-based/network-controlled Norton antivirus to be very aggressive in deleting possibly bad content. So aggressive, in fact, that it detected a virus signature in my Eudora .mbx file before Eudora had a chance to move the attachment to the appropriate directory. Poof! My whole Inbox is gone!

    The reply from Data Security: "Eudora is not an approved application. Get rid of it." This was back when Outlook would still auto-execute from the preview pane.

    Be careful what you ask for... you just might get it. Automatically deleting known bad content sounds fine, but it depends on a support department that's robust and flexible enough to distinguish the good from the bad. Ours was already overworked, starting from the day the VP opened that message from his secret admirer, with the subject "I love you!"
