Unprecedented level of Virus Alerts

arpy writes "iTnews reports that according to Trend Micro (makers of PC-cillin), there was a record-breaking level of virus alerts in the first quarter of 2004. In Q1 2003, Trend issued 35 virus warnings. During the same period this year, it issued 232. According to the company's annual virus round-up and forecast (PDF), the number of alerts was pretty much steady for 2001-2003. Particularly noteworthy is that so many of the viruses are variants, not original. Trend's April 2 Weekly Virus Report reveals that of the "Top 10 most prevalent global malware", the top five are all variations of Worm_NETSKY. This would seem to confirm Virus creators are sharing more code."
  • Re:Who cares? (Score:3, Informative)

    by LostCluster ( 625375 ) * on Tuesday April 06, 2004 @02:11AM (#8777214)
    Any form of Microsoft Office document can contain VBA code, and therefore possibly a virus.

    VBA can even be in complied form within an Access Database.
  • by bersl2 ( 689221 ) on Tuesday April 06, 2004 @02:35AM (#8777324) Journal
    Heuristics (probably)

    Viruses which have similar mechanisms leave similar signatures (in the case of true viruses; I'm not exactly certain how (or if) it's done for worms).

    IANA Anti-Virus Specialist
  • Re:Clam AV (Score:4, Informative)

    by ag0ny ( 59629 ) on Tuesday April 06, 2004 @02:45AM (#8777363) Homepage
    > Amidst all this, anyone know how clam AV (open source virus scanning engine, and 3rd fastest updater) is holding up?

    Quite well from my point of view. A virus went through the scanner three days ago, but the definition file was updated and I haven't seen any other virii go through it again.

    This is the "Catched virus top 20" in my mail server for the last few days:
    ares:/var/spool/qmailscan# cat quarantine.log |awk -F"\t" '{ print $5 }' |sort |uniq -c |sort -nr |head -20
    27111 Worm.SomeFool.P
    19574 Worm.SomeFool.Gen-1
    11220 Worm.SomeFool.Gen-2
    3967 Worm.SomeFool.Q
    1233 Worm.Dumaru.A
    1078 Worm.SCO.A
    751 Worm.Sobig.F
    329 Disallowed characters found in MIME headers
    315 Worm.Bagle.U
    275 Worm.SomeFool.I
    274 Disallowed breakage found in header name - potential virus
    164 Disallowed content found in MIME attachment - potential virus
    127 Worm.Dumaru.K
    123 Worm.Mydoom.F
    104 Worm.Bagle.Gen-zippwd
    101 Worm.Klez.H
    93 Worm.Bagle.Gen-zippwd-2
    85 Worm.Bagle.N
    76 Worm.Bagle.Gen-1
    51 Worm.VB.C
  • by Gogo Dodo ( 129808 ) on Tuesday April 06, 2004 @02:52AM (#8777400)
    It wasn't until the P & Q variants of the Netsky worm that it exploited the MIME header flaw in Outlook. Before variants P & Q, the worm relied on the recipient opening the attachment.

    Netsky.B write-up [symantec.com]

  • by X ( 1235 ) <x@xman.org> on Tuesday April 06, 2004 @02:54AM (#8777410) Homepage Journal
    It's really not as bad as you think. A relatively naive approach is to build an automaton based on the virus definitions. It's very much like using Perl regexps to search a ton of documents. You'd be amazed how fast you can do these scans once all you do is read a byte, transition to the next state in the automaton, rinse, repeat.

    Of course, you can always look at the source [clamav.net] to figure it out.
  • by kidgenius ( 704962 ) on Tuesday April 06, 2004 @03:01AM (#8777425)
    Just a point of clarification. The X-Windows system has been around for a long time, but I don't believe that the current, most popular implementation, XFree86, has been around nearly that long. Also, with each new release comes the chance of an extra bug or two.
  • by Nonesuch ( 90847 ) on Tuesday April 06, 2004 @03:16AM (#8777473) Homepage Journal
    The worm/virus explosion is because RBLs are WORKING, and spammers are finding less IP space they can operate from. Their only alternative is to infect client PCs and turn them into proxies.
    Most of the malware I run across, and many worms, include payloads to turn infected hosts into either an open proxy or more commonly a "bot" (IRC zombie).

    One (unfortunate) solution to spam from compromised workstations is for mail servers to refuse to accept SMTP messages from hosts in dialup and DHCP address ranges.

    For this I use the Pan-Am Dynamic List (PDL) [pan-am.ca].
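The lookup behind a dynamic-address DNS list, as an added example written for this page rather than code from the PDL or from the poster: the client's IPv4 octets are reversed and prefixed to the list's zone, and the client counts as listed only if the zone answers with a 127.0.0.0/8 return code. The zone name, its contents, the stub resolver and the allowlist of static relays are all constructed for the example; a real deployment would replace `stub_resolver` with an actual A-record lookup.

```python
import ipaddress

# Hypothetical zone name standing in for a dynamic-address list such as the PDL.
DYNAMIC_ZONE = "dynamic.example.invalid"

# Constructed zone contents: name -> list of A records the list would answer with.
CONSTRUCTED_ZONE = {
    "4.3.2.10.dynamic.example.invalid": ["127.0.0.2"],   # a listed dialup/DHCP address
    "9.3.2.10.dynamic.example.invalid": ["127.0.0.2"],   # listed, but see ALLOWLIST below
    "9.2.0.192.dynamic.example.invalid": ["10.0.0.1"],   # broken entry: not a 127/8 code
}

# Static relays that sit inside a dynamic range yet must be accepted. Lists like this
# produce exactly such false positives, so the policy needs an override. Constructed.
ALLOWLIST = [ipaddress.ip_network("10.2.3.8/29")]


def dnsbl_query_name(ip, zone):
    """Build the query name: octets reversed, then the list's zone appended."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def stub_resolver(name):
    """Stand-in for a real A-record lookup; None plays the role of NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(name)


def is_listed(ip, zone=DYNAMIC_ZONE, resolve=stub_resolver):
    """Listed only when the answer is a 127.0.0.0/8 return code. Any other answer
    (misconfigured or hijacked zone) is treated as not listed, so a broken list
    cannot silently turn into a blanket reject of all inbound mail."""
    answers = resolve(dnsbl_query_name(ip, zone)) or []
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in answers)


def smtp_connect_policy(client_ip):
    """Decision at SMTP connect time: returns (accept, reason)."""
    addr = ipaddress.IPv4Address(client_ip)
    if any(addr in net for net in ALLOWLIST):
        return True, "allowlisted relay"
    if is_listed(client_ip):
        return False, "554 client address is in a dynamic/dialup range"
    return True, "not listed"


if __name__ == "__main__":
    for ip in ("10.2.3.4", "10.2.3.9", "192.0.2.9", "198.51.100.7"):
        print(ip, "->", smtp_connect_policy(ip))
```

The allowlist is checked before the list lookup on purpose: a relay that has been vouched for should never depend on the availability or correctness of a third-party zone.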

  • by Nonesuch ( 90847 ) on Tuesday April 06, 2004 @03:27AM (#8777510) Homepage Journal
    Application behavior enforcement for Microsoft Windows was capable of preventing the various MS-RPC exploits, before they were discovered, by preventing the RPC listener from doing any system calls that did not fit the "model" of what the service should do in normal circumstances.

    > ...even those running AV software won't be protected from a super-fast-moving virus...
    The next step beyond simple pattern-matching virus scanners is mechanisms to model the good behavior of processes, and terminate a process if it goes outside those bounds.

    On OpenBSD and other Unix-like operating systems there is the free Systrace [systrace.org].

    Windows and Solaris users can pay Cisco around $800 per server for "Cisco Security Agent" (Formerly Okena), which does the same thing as systrace, but with a nicer GUI and some packet filtering (I do not work for Cisco, I do not sell software.)

    Workstation licenses were around $35 per seat.

    When I tried to convince a Fortune 500 corporation of the value of deploying this type of security, the answer I received was "But this doesn't protect against SQL injection or Cross Site Scripting!"

    So yes, Clueless people deserve it...

  • Linux and worms (Score:1, Informative)

    by Nonesuch ( 90847 ) on Tuesday April 06, 2004 @03:39AM (#8777538) Homepage Journal
    There have been worms for Linux, but the installed userbase of unprotected systems has not been sufficient to let them obtain a good foothold on the Internet. Same goes for Solaris worms.

    The "saving grace" of unpopular Unix operating systems is not so much the small installed base (the Microsoft claim) as it is the fact that generally these systems are installed by users with half a clue.

    In the case of MacOS, it doesn't hurt that the default OS X installation has no remotely accessible listening ports.

    > When I took a peek at linuxsecurity.com all I found were vulnerabilities in server services like OpenSSL, Squid and etc. Though I know those services are important to Linux's current most successful market (Enterprise Server Market). As a user running Fedora and running services like: X server, cups, vmware and not having any other users but myself. Do I even need to patch
    If you have network services visible to the Internet (listening ports not behind a strong firewall and/or filter policy) you need to patch.

    If you run clients (web browser,mail reader, ftp, etc) that communicate out to the Internet, you need to patch.

    Lastly, you will want to stay up-to-date with patches for vulnerabilities in the kernel (particularly the IP stack) as well as the most common libraries (OpenSSL, etc).

    > I mean, like X-server has been around for 20 yrs, can't I assume that it pretty much is safe from an external network attack?
    No.
    You'd want to take all possible steps to protect your X services from external attack. This includes not only keeping updated on patches, but also potentially taking steps to ensure that the server is only accessible (only ever accessed) through an encrypted tunnel.

    If that tunnel is ssh (the most common method for X forwarding) then you'd also need to stay up to date on client and server vulnerabilities in both SSH and the underlying SSL libraries.

    For MS-Windows users, this is as simple as clicking "Windows Update" and hitting "Accept" a few times. I'm not sure if any of the Linux distros have gotten the process simplified to that extent?

  • by FireFury03 ( 653718 ) <slashdot@NoSPAm.nexusuk.org> on Tuesday April 06, 2004 @03:42AM (#8777545) Homepage
    While I'm certainly against malicious software (my inbox gets absolutely flooded with these trojans), I think that "virus" writing has really gone down hill in recent years.

    In the good old days, viruses were tightly coded programs that often did cool things (undesirable, but still cool, like making all the letters fall off your screen). They would modify existing programs to become carriers - this is the true meaning of a virus, it modifies legitimate code to allow it to propagate.

    Remember the Cascade virus, back in 1988? 1701 bytes of code that sits in memory, modifying .com files to include its code as they're opened. Compare with current "viruses", which are really no more than trojans. They're several tens of K in size, rely on the user to be stupid and execute it manually and often just add themselves to the list of programs to start on bootup.

    Correct me if I'm wrong, but I don't think a real virus has been written since the late 1990's. All current "viruses" are either trojans or worms.

    Virus - modifies existing programs to include its own code.
    Trojan - executable file that pretends to be something the luser wants but is really malicious.
    Worm - self replicating software that uses a network-accessible vulnerability to propagate to other machines on the network (think Code Red, et al)
  • by Anonymous Coward on Tuesday April 06, 2004 @04:18AM (#8777649)
    Take the dragon book, and read the chapter about finite state automaton.

    Basically, all you have to build is an automaton that will change state after each byte read from a file. Final states are:

    <END-OF-FILE-NO-VIRUS>
    <VIRUS-000>
    <VIRUS-001>
    <VIRUS-nnn>

    Intermediary states are built to represent partial discovery of a virus.

    Each virus is represented by a signature, which is the presence of some specific string(s) (eventually at specific places).

    Building the automaton is non-trivial, but the theory is well understood and the resulting automata will not take much more than the size of the file.

    If you have the unix or gnu tools, software for building such automata is [f]lex. Under freebsd, for instance:

    %cat v.l
    %%
    "SIGVIRA" { printf( "Virus A\n" ); }
    "SIGVIRB" { printf( "Virus B\n" ); }
    "CSIG" { printf( "Virus C\n" ); }
    . {}
    %%

    %flex -ov.c v.l
    %cc v.c -o v -ll
    %echo "THISHAVENOVIRUSABORC" | ./v

    %echo "THISHAVEACSIGNIFICATVIRUSINSIDE" | ./v
    Virus C

    %
    Nothing rocket science here.

    Hope that helps,

    --fred
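The automaton that both X and fred describe (read a byte, take one transition, repeat), as an added example that is not code from either poster or from ClamAV: an Aho-Corasick matcher over raw bytes, which is what [f]lex generates for a set of literal patterns. The signature names mirror the VIRUS-nnn final states above and the patterns are the toy strings from the flex example, not real malware signatures; the class and function names are this example's own. It goes one step beyond the flex run in that the state survives across read boundaries, so a file can be scanned in blocks without missing a signature that straddles two reads.

```python
from collections import deque

# Constructed signature table (toy patterns from the flex example, not real signatures).
SIGNATURES = {
    "VIRUS-000": b"SIGVIRA",
    "VIRUS-001": b"SIGVIRB",
    "VIRUS-002": b"CSIG",
}


class SignatureAutomaton:
    """Aho-Corasick automaton over bytes. Each input byte causes one transition
    (after following failure links), so the scan never backtracks and the cost
    is linear in the size of the file, independent of the number of signatures."""

    def __init__(self, signatures):
        self.length = {name: len(pat) for name, pat in signatures.items()}
        self.goto = [{}]        # state -> {byte: next state}   (the trie edges)
        self.fail = [0]         # state -> state for the longest proper suffix seen so far
        self.output = [set()]   # state -> signature names recognised on entering it
        for name, pattern in signatures.items():
            state = 0
            for byte in pattern:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.output.append(set())
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.output[state].add(name)
        # Breadth-first pass builds the failure links and merges outputs, so a
        # signature that is a suffix of a longer one is still reported.
        queue = deque(self.goto[0].values())
        while queue:
            current = queue.popleft()
            for byte, nxt in self.goto[current].items():
                queue.append(nxt)
                fallback = self.fail[current]
                while fallback and byte not in self.goto[fallback]:
                    fallback = self.fail[fallback]
                self.fail[nxt] = self.goto[fallback].get(byte, 0)
                self.output[nxt] |= self.output[self.fail[nxt]]

    def step(self, state, byte):
        """Consume one byte: the 'read a byte, move to the next state' loop body."""
        while state and byte not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(byte, 0)

    def scan_chunks(self, chunks):
        """Scan a stream of byte chunks (a file read block by block). The state
        carries across chunk boundaries. Returns [(signature name, start offset)]."""
        state, offset, hits = 0, 0, []
        for chunk in chunks:
            for byte in chunk:
                state = self.step(state, byte)
                for name in sorted(self.output[state]):
                    hits.append((name, offset + 1 - self.length[name]))
                offset += 1
        return hits

    def scan(self, data):
        """Scan a complete in-memory buffer."""
        return self.scan_chunks([data])


if __name__ == "__main__":
    scanner = SignatureAutomaton(SIGNATURES)
    for sample in (b"THISHAVENOVIRUSABORC", b"THISHAVEACSIGNIFICATVIRUSINSIDE"):
        print(sample.decode(), "->", scanner.scan(sample) or "clean")
```

The failure-link construction is the part fred calls non-trivial; the table it produces is proportional to the total length of the signatures, not to the file being scanned, which is why the scan itself stays a tight byte loop.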
  • Re:Good (Score:3, Informative)

    by jbrax ( 315669 ) on Tuesday April 06, 2004 @04:21AM (#8777658) Homepage
    If users are dumb enough to open a password-protected zipfile in what sure looks like an obvious virus-generated message to me, aren't those users dumb enough to be convinced to chmod +x && ./runMyVirus

    I have installed several Linux desktops in my workplace (replacing old winboxes). I always mount home as noexec. So even the dumb users will be safe. Because /home has to be on a separate partition, I use LVM (so that I can resize /home later if needed).

    I've been surprised by the positive comments. One user asked me after a few days with Linux DT: "What is this machine? It's kind of cute and easy to use!". "It's Fedora, sort of Linux" I replied. "Oh, really? Linux! I've never used Linux before.. Maybe I should have something like this at home, too?" ;-)
  • Solutions to viruses (Score:4, Informative)

    by jonwil ( 467024 ) on Tuesday April 06, 2004 @04:32AM (#8777688)
    better scanning of mail on mail servers combined with better tools for doing that scanning (systems that send "you have a virus" crap are almost as bad as the viruses themselves)

    hooks built into windows to detect "potentially nasty" behaviour (for example, modifying a system file, modifying winsock settings, changing the hosts file, making something start at startup, changing the IE homepage etc). When detected, one of 3 things will happen:
    1.the action will be completely blocked (if it's on a network with central policies and has this blocked)
    2.it will ask you for the administrator password (if you are not an administrator or if the system has been set up to ask you even if you are admin)
    or 3.it will pop up a nice warning to warn you that what this program wants to do could be bad.

    Then, you can either allow it or deny it, depending on the settings.
    If you deny it, windows would return an error to whatever program wanted to do it (e.g. if the program called RegCreateKey to create a key, it would return "can't create key" or if you called CreateFileEx to open the file, it would return "can't open file")

    Plus, ideally, you would be able to add (but not remove the built in ones) new folders, files and registry keys to the "warnings" list. So for example you could have a writable file share on your system but if someone wanted to write to it, it would ask you first. Or on a network, the admin could block changing the desktop background.

    Also, you would (ideally) be able to specify which events to block completely and which events to just warn for.

    This alone would be a great help at stopping viruses and spyware.

    Also, ISPs should firewall ports used by viruses at the ISP level (this includes ports like SMTP ports used by spam trojan zombies). If you do need one of those ports for legitimate use, they can unblock it. That would help stop trojans and zombies taking up valuable bandwidth (both the users Bandwidth and the ISPs Bandwidth)

    Plus, email clients should be modified to not run scripts (better yet, get rid of HTML email completely, it's mostly used for SPAM, viruses, scams and crap anyway plus it guzzles more bandwidth than regular text)

    These things would:
    1.make it harder for spyware/viruses to run automatically
    2.make it harder for spyware/viruses to do nasty things without your consent
    3.make it harder for viruses to carry out their payloads (e.g. sending SPAM, DDOS attack etc)
    4.make it harder for viruses to get into the inboxes of the clueless n00bs in the first place. And since they don't get notified about the removed virus, they never even know they received one.

    Also, another (more drastic) step that would work for networks like corporate networks, university networks and such would be to lock anyone who has a virus or whatever out of the network until they have cleaned their machine. Having a central copy of a toolkit of programs (such as Norton System Works and maybe others) and making them available to people locked out of the network would be a good thing to go with this point (so that when someone goes to central IT and says "my computer says I have been locked out of the network because I have a virus", central IT can hand them a CD with the latest most up-to-date recovery tools on it (anti-virus etc) and a simple set of instructions on how to clean their machine with it.)
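The block / ask / warn decision jonwil sketches for "potentially nasty" operations, as an added example that is neither the poster's code nor any Windows feature: a policy table keyed on operation and object prefix, where the most specific matching entry wins, a central policy can force an action, built-in entries can be extended but not removed, and a denied call hands the caller a Windows-style error code instead of the object. The hosts-file path and Run key are real Windows locations used as sample targets; the engine, its action names and the `attempt` helper are constructed for the example.

```python
# Actions a hook can take for a watched operation.
BLOCK, PROMPT, WARN, ALLOW = "block", "prompt", "warn", "allow"

ERROR_ACCESS_DENIED = 5  # Win32 error code handed back to a caller whose action was refused

# Built-in watch list: (operation, object prefix, default action). These entries
# can be overridden by central policy but never removed by the local user.
BUILTIN_RULES = (
    ("file_write", r"C:\Windows\System32\drivers\etc\hosts", PROMPT),
    ("file_write", r"C:\Windows\System32", WARN),
    ("registry_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", PROMPT),
    ("registry_set", r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", WARN),
)


class BehaviorPolicy:
    """Hypothetical policy store consulted by the hooks on file and registry calls."""

    def __init__(self, central_overrides=None):
        self.rules = list(BUILTIN_RULES)
        # (operation, prefix) -> action forced by a central (domain) policy.
        self.central = dict(central_overrides or {})

    def add_rule(self, op, prefix, action):
        """Local users and admins may add watched objects, e.g. a writable share."""
        self.rules.append((op, prefix, action))

    def remove_rule(self, op, prefix):
        """Only locally added rules may be removed; built-ins are permanent."""
        rule = next((r for r in self.rules if r[0] == op and r[1] == prefix), None)
        if rule is None:
            return False
        if rule in BUILTIN_RULES:
            raise PermissionError("built-in rules cannot be removed")
        self.rules.remove(rule)
        return True

    def decide(self, op, target):
        """Most specific (longest) matching prefix wins; central policy overrides it."""
        matches = [r for r in self.rules
                   if r[0] == op and target.lower().startswith(r[1].lower())]
        if not matches:
            return ALLOW
        op_, prefix, action = max(matches, key=lambda r: len(r[1]))
        return self.central.get((op_, prefix), action)


def attempt(policy, op, target, user_allows=False):
    """What the calling program sees: (succeeded, error code). For PROMPT and WARN
    the outcome depends on the user's answer; BLOCK never asks."""
    action = policy.decide(op, target)
    if action == ALLOW:
        return True, 0
    if action == BLOCK:
        return False, ERROR_ACCESS_DENIED
    return (True, 0) if user_allows else (False, ERROR_ACCESS_DENIED)


if __name__ == "__main__":
    local = BehaviorPolicy()
    print(attempt(local, "file_write", r"C:\Windows\System32\drivers\etc\hosts"))
    managed = BehaviorPolicy({
        ("registry_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"): BLOCK,
    })
    print(attempt(managed, "registry_set",
                  r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater", user_allows=True))
```

Longest-prefix matching is what keeps a specific rule (the hosts file) from being diluted by a broader one (all of System32), and the central override table is the single place a domain admin would turn a prompt into a hard block.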
  • by paj1234 ( 234750 ) on Tuesday April 06, 2004 @07:10AM (#8778119)
    > If any of you put winxp on a machine (even with
    > the firewall in xp enabled) that wasn't behind
    > NAT/firewall it will get blaster/wachi/nachi
    > in 10 minutes. There's literally nothing you
    > can do.

    Ender, just switch off the "Windows DCOM" service. The "Windows DCOM" service is the thing that lets Blaster/Wachi/Nachi in. Turn off "Windows DCOM" and the machine won't be affected. Download Steve Gibson's "Windows DCOM Switch Off Tool" from:

    http://www.grc.com/dcom/

    While you're at it, also turn off "Windows Messenger Service" and "Universal Plug and Play Service". This stops future worms that target those services.

    http://www.grc.com/stm/ShootTheMessenger.htm
    http://www.grc.com/UnPnP/UnPnP.htm
  • Re:Good (Score:5, Informative)

    by O2n ( 325189 ) on Tuesday April 06, 2004 @07:11AM (#8778125) Homepage
    > I always mount home as noexec.

    Not enough: "/lib/ld-linux.so.2 /home/luser/runMEnow" will work, even if you mount /home with "-o noexec". Common pitfall...
  • by Tuxedo Jack ( 648130 ) on Tuesday April 06, 2004 @08:30AM (#8778444) Homepage
    Grisoft.

    Free.

    Until they start charging for it, at least, but it's free for the moment.

    For those of you who don't know but run Windows anyways...

    http://www.grisoft.com
  • Re:Good (Score:1, Informative)

    by Anonymous Coward on Tuesday April 06, 2004 @08:47AM (#8778569)
    Try that on a recent version of 2.4 or 2.6. You may find that it is no longer the case.

    The patch [google.com] is from December, and it obviously got merged, since I can see it in my copy of mm/mmap.c from 2.4.25. It also appears to be in 2.6.3, albeit in a slightly different form [seclists.org].

    Obviously you still have to worry about this on older kernels, but at least it's fixed in current systems.
