Unprecedented level of Virus Alerts
arpy writes "iTnews reports that according to Trend Micro (makers of PC-cillin), there was a record-breaking level of virus alerts in the first quarter of 2004. In Q1 2003, Trend issued 35 virus warnings. During the same period this year, it issued 232. According to the company's annual virus round-up and forecast (PDF), the number of alerts was pretty much steady for 2001-2003. Particularly noteworthy is that so many of the viruses are variants, not original. Trend's April 2 Weekly Virus Report reveals that of the "Top 10 most prevalent global malware", the top five are all variations of Worm_NETSKY. This would seem to confirm Virus creators are sharing more code."
Re:Who cares? (Score:3, Informative)
VBA can even be in compiled form within an Access Database.
Re:Question about AV software (Score:5, Informative)
Viruses which have similar mechanisms leave similar signatures (in the case of true viruses; I'm not exactly certain how (or if) it's done for worms).
IANA Anti-Virus Specialist
Re:Clam AV (Score:4, Informative)
Quite well from my point of view. A virus went through the scanner three days ago, but the definition file was updated and I haven't seen any other virii go through it again.
This is the "Catched virus top 20" in my mail server for the last few days:
Re:viruses hold only part of the blame (Score:3, Informative)
Netsky.B write-up [symantec.com]
Re:Question about AV software (Score:5, Informative)
Of course, you can always look at the source [clamav.net] to figure it out.
Re:It makes me wonder. (Score:3, Informative)
Worms seed proxy/relay farms (Score:4, Informative)
One (unfortunate) solution to spam from compromised workstations is for mail servers to refuse to accept SMTP messages from hosts in dialup and DHCP address ranges.
For this I use the Pan-Am Dynamic List (PDL) [pan-am.ca].
Beyond AV: Application Behavior Enforcement (Score:2, Informative)
On OpenBSD and other Unix-like operating systems there is the free Systrace [systrace.org].
Windows and Solaris users can pay Cisco around $800 per server for "Cisco Security Agent" (Formerly Okena), which does the same thing as systrace, but with a nicer GUI and some packet filtering (I do not work for Cisco, I do not sell software.)
Workstation licenses were around $35 per seat.
When I tried to convince a Fortune 500 corporation of the value of deploying this type of security, the answer I received was "But this doesn't protect against SQL injection or Cross Site Scripting!"
So yes, clueless people deserve it...
Linux and worms (Score:1, Informative)
The "saving grace" of unpopular Unix operating systems is not so much the small installed base (the Microsoft claim) as it is the fact that generally these systems are installed by users with half a clue.
In the case of MacOS, it doesn't hurt that the default OS X installation has no remotely accessible listening ports.
If you have network services visible to the Internet (listening ports not behind a strong firewall and/or filter policy) you need to patch. If you run clients (web browser, mail reader, ftp, etc.) that communicate out to the Internet, you need to patch.
Lastly, you will want to stay up-to-date with patches for vulnerabilities in the kernel (particularly the IP stack) as well as the most common libraries (OpenSSL, etc).
No. You'd want to take all possible steps to protect your X services from external attack. This includes not only keeping updated on patches, but also potentially taking steps to ensure that the server is only accessible (only ever accessed) through an encrypted tunnel.
If that tunnel is ssh (the most common method for X forwarding) then you'd also need to stay up to date on client and server vulnerabilities in both SSH and the underlying SSL libraries.
For a MS-Windows users, this is as simple as clicking "Windows Update" and hitting "Accept" a few times. I'm not sure if any of the Linux distros have gotten the process simplified to that extent?
Re:Virus scanners suck (Score:5, Informative)
In the good old days, viruses were tightly coded programs that often did cool things (undesirable, but still cool, like making all the letters fall off your screen). They would modify existing programs to become carriers - this is the true meaning of a virus: it modifies legitimate code to allow it to propagate.
Remember the Cascade virus, back in 1988? 1701 bytes of code that sits in memory, modifying
Correct me if I'm wrong, but I don't think a real virus has been written since the late 1990's. All current "viruses" are either trojans or worms.
Virus - modifies existing programs to include its own code.
Trojan - executable file that pretends to be something the luser wants but is really malicious.
Worm - self-replicating software that uses a network-accessible vulnerability to propagate to other machines on the network (think Code Red, et al.)
Re:Question about AV software (Score:1, Informative)
Basically, all you have to build is an automaton that will change state after each byte read from a file. Final states are:
<END-OF-FILE-NO-VIRUS>
<VIRUS-000>
<VIRUS-001>
...
<VIRUS-nnn>
Intermediate states are built to represent partial discovery of a virus.
Each virus is represented by a signature, which is the presence of some specific string(s) (possibly at specific places).
Building the automaton is non-trivial, but the theory is well understood and the resulting automata will not take much more than the size of the file.
If you have the unix or gnu tools, software for building such automata is [f]lex. Under freebsd, for instance:
%cat v.l
%%
"SIGVIRA" { printf( "Virus A\n" ); }
"SIGVIRB" { printf( "Virus B\n" ); }
"CSIG"    { printf( "Virus C\n" ); }
.|\n      { /* anything else is discarded; without this rule flex echoes unmatched input */ }
%%
%flex -ov.c v.l
%cc v.c -o v -ll
%echo "THISHAVENOVIRUSABORC" | ./v
%echo "THISHAVEACSIGNIFICATVIRUSINSIDE" | ./v
Virus C
%
Nothing rocket science here.
Hope that helps,
--fred
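Below is an added example (not fred's code and not a tool from this thread) that builds the automaton he describes in Python rather than with flex: one pass over the bytes, a state change per byte, and final states that name the signature found. It goes beyond the lex version in two ways a real scanner needs: a signature can be constrained to a fixed offset (the "specific places" above), and a signature that is a suffix of another one (constructed here as "Virus E" inside "Virus A") is still reported, which is what the failure links in the construction are for. The signature strings and sample inputs are constructed for illustration and are not real malware signatures.

```python
"""Multi-signature scanner as a single finite automaton (Aho-Corasick).

Added example, not code from the thread. Reads bytes once, changing state
on every byte, and reports which signature ends where. The signature
strings below are constructed and are not real malware signatures.
"""
from collections import deque

# name -> (byte pattern, required start offset, or None for "anywhere")
SIGNATURES = {
    "Virus A": (b"SIGVIRA", None),
    "Virus B": (b"SIGVIRB", None),
    "Virus C": (b"CSIG", None),
    "Virus D": (b"EVIL", 0),      # only counts as a "header" at offset 0
    "Virus E": (b"VIRA", None),   # suffix of Virus A: exercises failure links
}


class SignatureAutomaton:
    def __init__(self, signatures):
        self.goto = [{}]        # goto[state][byte] -> next state (trie edges)
        self.fail = [0]         # fail[state] -> state of longest proper suffix
        self.out = [[]]         # out[state] -> names of signatures ending here
        self.info = {}          # name -> (pattern length, required offset)
        for name, (pat, off) in signatures.items():
            self.info[name] = (len(pat), off)
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(name)
        # Breadth-first pass computes failure links and merges outputs, so a
        # signature that is a suffix of another is still reported.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, chunks):
        """Scan an iterable of byte chunks; state carries across chunk boundaries,
        so the whole file never has to be in memory. Returns (name, start offset)."""
        hits, s, pos = [], 0, 0
        for chunk in chunks:
            for b in chunk:
                while s and b not in self.goto[s]:
                    s = self.fail[s]
                s = self.goto[s].get(b, 0)
                for name in self.out[s]:
                    length, required = self.info[name]
                    start = pos - length + 1
                    if required is None or start == required:
                        hits.append((name, start))
                pos += 1
        return hits


def scan_bytes(data, signatures=SIGNATURES, chunk_size=4096):
    """Scan one byte string, feeding it in chunks the way a file reader would."""
    automaton = SignatureAutomaton(signatures)
    chunks = (data[i:i + chunk_size] for i in range(0, len(data), chunk_size))
    return automaton.scan(chunks)


if __name__ == "__main__":
    # Constructed sample inputs (the same two strings used in the lex example).
    for sample in (b"THISHAVENOVIRUSABORC", b"THISHAVEACSIGNIFICATVIRUSINSIDE"):
        print(sample, "->", scan_bytes(sample))
```

The automaton's size depends on the total length of the signatures, not on the file, and the scan touches each byte once regardless of how many signatures are loaded; that is the property that makes this approach scale to thousands of patterns where a naive per-signature search would not.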
Re:Good (Score:3, Informative)
I have installed several Linux desktops in my workplace (replacing old winboxes). I always mount home as noexec. So even the dumb users will be safe. Because
I've been surprised by the positive comments. One user asked me after a few days with Linux DT: "What is this machine? It's kind of cute and easy to use!". "It's Fedora, sort of Linux" I replied. "Oh, really? Linux! I've never used Linux before.. Maybe I should have something like this at home, too?"
Solutions to viruses (Score:4, Informative)
hooks built into windows to detect "potentially nasty" behaviour (for example, modifying a system file, modifying winsock settings, changing the hosts file, making something start at startup, changing the IE homepage etc). When detected, one of 3 things will happen:
1.the action will be completely blocked (if it's on a network with central policies and has this blocked)
2.it will ask you for the administrator password (if you are not an administrator or if the system has been set up to ask you even if you are admin)
or 3.it will pop up a nice warning to warn you that what this program wants to do could be bad.
Then, you can either allow it or deny it, depending on the settings.
If you deny it, windows would return an error to whatever program wanted to do it (e.g. if the program called RegCreateKey to create a key, it would return "cant create key" or if you called CreateFileEx to open the file, it would return "cant open file")
Plus, ideally, you would be able to add (but not remove the built in ones) new folders, files and registry keys to the "warnings" list. So for example you could have a writable file share on your system but if someone wanted to write to it, it would ask you first. Or on a network, the admin could block changing the desktop background.
Also, you would (ideally) be able to specify which events to block completely and which events to just warn for.
This alone would be a great help at stopping viruses and spyware.
Also, ISPs should firewall ports used by viruses at the ISP level (this includes ports like SMTP ports used by spam trojan zombies). If you do need one of those ports for legitimate use, they can unblock it. That would help stop trojans and zombies taking up valuable bandwidth (both the users Bandwidth and the ISPs Bandwidth)
Plus, email clients should be modified to not run scripts (better yet, get rid of HTML email completely, it's mostly used for SPAM, viruses, scams and crap anyway, plus it guzzles more bandwidth than regular text)
These things would:
1.make it harder for spyware/viruses to run automatically
2.make it harder for spyware/viruses to do nasty things without your consent
3.make it harder for viruses to carry out their payloads (e.g. sending SPAM, DDOS attack etc)
4.make it harder for viruses to get into the inboxes of the clueless n00bs in the first place. And since they don't get notified about the removed virus, they never even know they received one.
Also, another (more drastic) step that would work for networks like corporate networks, university networks and such would be to lock anyone who has a virus or whatever out of the network until they have cleaned their machine. Having a central copy of a toolkit of programs (such as Norton System Works and maybe others) and making them available to people locked out of the network would be a good thing to go with this point (so that when someone goes to central IT and says "my computer says I have been locked out of the network because I have a virus", central IT can hand them a CD with the latest most up-to-date recovery tools on it (anti-virus etc) and a simple set of instructions on how to clean their machine with it).
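As an added example (not part of the comment above, and not Windows code), here is the decision logic that proposal describes, modelled in Python: a table of protected files and registry keys, built-in entries that an administrator can extend or tighten but never remove, a per-rule mode of block / ask / warn, and a denial that reaches the calling program as the same kind of failure it would get from the real API. The paths, registry keys, the `decide` callback standing in for the prompt dialog, and the hypothetical `reg_create_key` wrapper are all constructed for illustration.

```python
"""Added example: a reference monitor for "potentially nasty" actions.

Models the decision logic proposed in the thread; it is not Windows code.
Paths and registry keys below are constructed examples.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, List, Optional, Tuple


class Mode(Enum):
    BLOCK = "block"   # refused outright (central policy)
    ASK = "ask"       # an administrator must approve
    WARN = "warn"     # the user is warned and may allow or deny


@dataclass(frozen=True)
class Rule:
    kind: str        # operation class: "file_write", "registry_write", ...
    prefix: str      # protected path or key prefix, matched case-insensitively
    mode: Mode
    builtin: bool = False   # built-in rules may be tightened but never removed


# Constructed built-ins mirroring the list in the post; not a real Windows policy.
BUILTIN_RULES: Tuple[Rule, ...] = (
    Rule("file_write", "C:\\Windows\\System32\\", Mode.ASK, builtin=True),
    Rule("file_write", "C:\\Windows\\System32\\drivers\\etc\\hosts", Mode.ASK, builtin=True),
    Rule("registry_write", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", Mode.ASK, builtin=True),
    Rule("registry_write", "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", Mode.WARN, builtin=True),
)


class PolicyMonitor:
    def __init__(self, extra_rules: Iterable[Rule] = (),
                 decide: Optional[Callable[[Rule, str], bool]] = None,
                 overrides: Optional[Dict[Tuple[str, str], Mode]] = None):
        self.rules: List[Rule] = list(BUILTIN_RULES) + list(extra_rules)
        # decide(rule, target) stands in for the credential prompt or warning
        # dialog; with no UI attached the safe default is to refuse.
        self.decide = decide or (lambda rule, target: False)
        # Central policy may change a rule's mode, e.g. WARN -> BLOCK.
        self.overrides = {(k, p.lower()): m for (k, p), m in (overrides or {}).items()}

    def remove_rule(self, kind: str, prefix: str) -> bool:
        """Remove an admin-added rule. Returns False for built-ins, which stay."""
        for rule in self.rules:
            if rule.kind == kind and rule.prefix.lower() == prefix.lower():
                if rule.builtin:
                    return False
                self.rules.remove(rule)
                return True
        return False

    def _match(self, kind: str, target: str) -> Optional[Rule]:
        # Longest matching prefix wins, so the hosts-file rule beats System32\.
        t = target.lower()
        hits = [r for r in self.rules if r.kind == kind and t.startswith(r.prefix.lower())]
        return max(hits, key=lambda r: len(r.prefix), default=None)

    def check(self, kind: str, target: str) -> None:
        """Raise PermissionError if policy denies the operation; otherwise return."""
        rule = self._match(kind, target)
        if rule is None:
            return
        mode = self.overrides.get((rule.kind, rule.prefix.lower()), rule.mode)
        if mode is Mode.BLOCK or not self.decide(rule, target):
            raise PermissionError(f"{kind} {target!r} denied by policy ({mode.value})")

    def allowed(self, kind: str, target: str) -> bool:
        try:
            self.check(kind, target)
            return True
        except PermissionError:
            return False


def reg_create_key(monitor: PolicyMonitor, key: str) -> str:
    """Hypothetical hooked RegCreateKey: the caller just sees an ordinary failure."""
    if not monitor.allowed("registry_write", key):
        return "cant create key"
    return "ok"   # the real key creation would happen here


if __name__ == "__main__":
    m = PolicyMonitor()   # no prompt attached: every protected write is refused
    print(reg_create_key(m, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"))
    print(reg_create_key(m, "HKCU\\Software\\SomeApp\\Settings"))
```

The point of routing every decision through one `check` is that the program being constrained never learns whether it was refused by a hard block, a user clicking "deny", or a missing administrator password; it only sees the API fail, which is exactly what the post asks for.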
Re:Related to Spy/Adware? (Score:2, Informative)
> the firewall in xp enabled) that wasn't behind
> NAT/firewall it will get blaster/wachi/nachi
> in 10 minutes. There's litterally nothing you
> can do.
Ender, just switch off the "Windows DCOM" service. The "Windows DCOM" service is the thing that lets Blaster/Wachi/Nachi in. Turn off "Windows DCOM" and the machine won't be affected. Download Steve Gibson's "Windows DCOM Switch Off Tool" from:
http://www.grc.com/dcom/
While you're at it, also turn off "Windows Messenger Service" and "Universal Plug and Play Service". This stops future worms that target those services.
http://www.grc.com/stm/ShootTheMessenger.htm
Re:Good (Score:5, Informative)
Not enough: "/lib/ld-linux.so.2
Re:Heuristic antivirus (Score:4, Informative)
Free.
Until they start charging for it, at least, but it's free for the moment.
For those of you who don't know but run Windows anyways...
http://www.grisoft.com
Re:Good (Score:1, Informative)
The patch [google.com] is from December, and it obviously got merged, since I can see it in my copy of mm/mmap.c from 2.4.25. It also appears to be in 2.6.3, albeit in a slightly different form [seclists.org].
Obviously you still have to worry about this on older kernels, but at least it's fixed in current systems.