
Virus Creators Sharing More Code

arpy writes "The Washington Times is carrying a report on a 5% increase in publicly available virus code in 2003 (based on a Symantec report). There are now about seven versions of MyDoom, and at least 14 each of Netsky and Beagle. Explains why my email account is overloaded with these little bastards. PC World is reporting changes in the countries that viruses are originating from: Australia shot from 14th place to 5th over the last six months of 2003! The source of these stories seems to be the March 2004 Symantec Internet Security Threat Report." (This last requires registration to download.)
  • Antivirus Advantage (Score:5, Interesting)

    by ziondreams ( 760588 ) on Wednesday March 17, 2004 @10:30AM (#8588126)

    Wouldn't the open source of these viruses be an advantage to the Antivirus folks? (Symantec, Norton, etc.) I mean, if they know the basics of the virus, wouldn't it be easier to defend against them? (I don't have much experience in the realm of viruses...just curious!)
  • GPL (Score:2, Interesting)

    by millahtime ( 710421 ) on Wednesday March 17, 2004 @10:37AM (#8588195) Homepage Journal
    I wonder if you could get a license for a virus under the GPL???
  • Learning from nature (Score:5, Interesting)

    by dpilot ( 134227 ) on Wednesday March 17, 2004 @10:38AM (#8588203) Homepage Journal
    Over the past several years we've learned that bacteria (and even plants?) can be 'promiscuous' about sharing useful genes, such as antibiotic resistance. Software is just catching up.

    To continue to stretch the metaphor, apparently the immune system is keyed to stereochemistry of surface molecules. Change surface molecules, fool the immune system until it adapts. Spam has been taking this approach, injecting random text in an attempt to fool Bayesian filtering. No doubt virii will learn the same trick. (Break code into mini-object modules, and use a randomizing link-edit step, for instance.)
  • by SpaceLifeForm ( 228190 ) on Wednesday March 17, 2004 @10:40AM (#8588224)
    Well, now Microsoft plans to have a Windows machine automagically download and patch itself. [informationweek.com]

    "The key for customers is getting these patches down," Muglia says. "The biggest issue right now is that when we issue a patch, it can take them weeks to get it installed after they're done testing it. We want it done right away."

    Yeah, right. The customer is not going to test first because Microsoft says it's ok?

    But it probably won't defrag the harddrive. As for cleaning out the mal-ware, can anyone tell the difference between the OS and 3rd party stuff?

  • by serene.geek ( 674420 ) on Wednesday March 17, 2004 @10:44AM (#8588255)
    Slightly OT, but part of the frustration of this huge spike in virus activity for me is the fact that our antivirus product is still based on a model that is becoming outmoded. The old model strives to protect against situations in which viruses are piggybacking on legitimate content that someone actually wants. As a result, its strength is:

    1. Detect

    2. Clean

    3. Deliver if cleaned

    4. Quarantine if not

    Problem is, about 99% of viruses that have come into our firm in the last 6 months have been nothing but virus - no legitimate content. Despite this, our antivirus tool has no option to use its 'knowledge' of the 100% illegitimate messages and simply delete these outright.

    In order to avoid the possibility of quarantining legitimate content, we are still detecting and cleaning, which still lets hundreds of confusing messages through to the users.

    I know there are other products which will eliminate this kind of traffic altogether, but it seems to me that a few minor changes to (at least our) current antivirus products could dramatically improve the situation for us.

    Are the other major mail-server based "pure" antivirus products any better than McAfee?

  • by webtre ( 717698 ) <webtre@nOspaM.hotmail.com> on Wednesday March 17, 2004 @10:49AM (#8588302) Homepage Journal
    think welchia but downloads from other "infected" machines other than one central location

    sorry microsoft
  • by segment ( 695309 ) <sil&politrix,org> on Wednesday March 17, 2004 @11:07AM (#8588465) Homepage Journal

    One time I got to work and checked our local geek account (where we all joke, pass notes, etc.) and I read this email forwarded by the technical support "Hi I'm writing to know if everything is alright with the system. I'm not getting anymore spam so I wanted to know if there's a problem." I kid you not, the end user was wondering why they weren't receiving spam. It's difficult to filter too much, because what do you do when someone is constantly complaining about not receiving a business proposal coming via way of zip? What happens if by mere coincidence it was flagged as spam, or a virus? That's the problem with filtering, personally I think education is a better resolve, but that's just me.

  • by Seoulstriker ( 748895 ) on Wednesday March 17, 2004 @11:13AM (#8588505)
    One was written from the MyDoom worm, and patched the hole after using it to get in.

    That sounds freakishly like some biological viruses that recombine their genetic information into the host chromosomes which effectively seals off the cell from further attack by viruses, so that it can do its work safely without interference.

    If virus makers actually learn how to recombine their code into standard windows libraries and the code is then free to work without interference, the Windows users wouldn't know that they are actually infected until some future date when their credit card numbers are stolen/hard drives reformatted/etc.


    In fact, the whole idea of sharing the code of viruses is similar to the idea of recombinatorial DNA in viruses and bacteria: effective code from one virus can be transferred and incorporated into another virus/bacterium (plasmids) to make an even stronger pathogen. Scary stuff.
  • by Macka ( 9388 ) on Wednesday March 17, 2004 @11:21AM (#8588575)

    It only has to get out there once and you're (my)doomed! I started my own consulting business 4 years ago. I got a new domain so I had a virgin email address. For 2 years I was very careful about who I gave it to, and whenever I had to give out email addresses online (like for cinema or flight bookings) I'd create an alias and give that out instead. If I started to get spam on that address, I could roast the culprit and then delete the alias. However, one day I went online and posted into an internet newsgroup. I don't know what I was thinking at the time, but I forgot to change my address before submitting the post. I remembered after but it was too late. It was the one and only time I ever did this, but within one week I started getting spam and viruses in my email account for the first time. And slowly but surely it got worse.

    Another thing you can't control is e-cards. Some dim-witted but well-meaning friend decides to send you a card and has to give them your carefully protected email address in order to do so. Not only do the e-card vendors know that it's a valid address, but they also know it's active. I had a run of these about a year ago, and noticed an almost instant increase in the volume of spam I got.

    Actually the percentage of spam I used to get with destructive payloads was quite low until recently. Over the last couple of months that shot up to about 30%. There has definitely been an increase in the number of virus authors/hackers out there.

    Macka
  • by dejohns ( 168014 ) on Wednesday March 17, 2004 @11:51AM (#8588836)
    It would also be nice if Microsoft were to take the time to make some form of "Joe Average" tutorial explaining to their users why they become infected

    I like The Ten Immutable Laws of Security [microsoft.com] and their Protect your PC [microsoft.com] site.

  • by kd4evr ( 712384 ) on Wednesday March 17, 2004 @11:51AM (#8588843)
    Once, ignoring viruses and anti-virus software, relying on good practices only was a cool hobby; nowadays, it's a disaster waiting to happen, in a large part M$ is to blame.

    I retired a box I used from 90-95 and I'm now in the process of retiring the 95-04 one. Amazingly, I was able to run MS DOS and Windows 95 without much hassle and without permanent anti-virus-come-to-the-rescue operations.

    People borrowing my diskettes (remember the 5 1/4" floppies?) did all sorts of things:
    - have infected the floppies,
    - have gotten themselves infected,
    - detected viruses on them, etc;
    while my back yard remained clean. However, I've had a few strict policies:
    - frisbee network: never stick anything into your floppy drive that's "been around" unless you plan to 'format';
    - email: do not use MS Outlook, do not open unexpected attachments from people you know, do not touch stuff from people you don't know etc., etc.

    Nowadays, using both W2k and Linux, I claim the (don't-check-for-viruses-and-don't-have-any) policy DEAD. At least for MS w/ Outlook and Explorer, a prompt anti-virus solution is a must.

    If nimda was the ultimate lesson for typical corporate intranet environments, the Netsky & Bagle definitely break barriers in the category of private, spam-free, home user addresses.

    And it's all probably because of this wrong (viruses-happen-to-losers-not-me) attitude of just one of my otherwise cool e-mail-buddies that made it all possible for me: watching a bogus email w/ a virus dropping every 2-3 hrs into my private inbox, without a clue who really the sender is or whose set of contacts would correspond to the addresses in the spoofed TO: fields.

    I haven't had any trouble with any of the non-M$ boxes I work with. But like it or not, I still have to use some M$ platform and sadly, no prevention is helpful - it's cure, cure, cure, all the time...

  • by Anonymous Coward on Wednesday March 17, 2004 @12:18PM (#8589088)
    What someone really needs to do is make a virus that consists of several parts. Each part by itself would have no effect upon an infected computer except to run at startup and check for the existence of the other pieces.

    If the final piece to run determined that all pieces were in place it would abort the startup process and display a dialog box with a button titled "I want to format my hard drive now" and a message saying something like:

    "You are a bloody idiot and your computer has been infected with a virus. Not once. Not twice. Not thrice, but FOUR times!

    You are too stupid to operate this computer further until you take it and have it professionally cleaned of viruses, trojans, spyware and other malware, have proper antivirus software and a firewall installed, receive some sort of training on keeping the antivirus software updated, and finally, are told in no uncertain terms to not immediately open each and every email attachment and to no longer download and install each and every cute little gorilla, gator, monkey or other furry or scaly creature that promises to make your internet experience ever so much better."

    When they then click the "I want to format my hard drive now" button the activated virus would display a second dialog that says "You did not read the button at all did you?" and shut the computer off.
  • by bjohnson ( 3225 ) on Wednesday March 17, 2004 @12:29PM (#8589209)
    What an astonishingly clueful user. They noticed something different about the system and asked you about it!

    Treasure this one!

    He or she will help make up for the 9,345 others who come to you 'I can't open this file I was sent I keep double clicking on it, but nothing happens...' for the 32,478th time...

  • by pclminion ( 145572 ) on Wednesday March 17, 2004 @01:02PM (#8589543)
    Users are generally like people who leave their car unlocked and then complain that their radio is missing when they get back. Yes, they're stupid, but in the end the thief is the guilty one.

    I fully agree with this. When I was in high school, I forgot to lock my (piece of shit) car one day in the school parking lot. I didn't see any real reason to lock it anyway, it had no radio, or anything else of value in it. However, somebody opened the door and took my school parking permit.

    The school wanted to suspend me for A) Parking without a permit and B) "Facilitating" a crime on campus. Their argument was that if I had locked my doors, the crime would not have been committed, hence I was somehow responsible for it.

    Since my mother is very adept at threatening lawsuits and making it sound very scary (she only does this when she's in "momma bear mode," she's not a litigious person), I got out of that one. But the point is, it sounds like a nice idea to hold stupid users responsible for virus and worm outbreaks, but your attitude will quickly change when you end up being one of the stupid users.
