Unprecedented level of Virus Alerts
arpy writes "iTnews reports that according to Trend Micro (makers of PC-cillin), there was a record-breaking level of virus alerts in the first quarter of 2004. In Q1 2003, Trend issued 35 virus warnings. During the same period this year, it issued 232. According to the company's annual virus round-up and forecast (PDF), the number of alerts was pretty much steady for 2001-2003. Particularly noteworthy is that so many of the viruses are variants, not original. Trend's April 2 Weekly Virus Report reveals that of the "Top 10 most prevalent global malware", the top five are all variations of Worm_NETSKY. This would seem to confirm Virus creators are sharing more code."
There are some nasty ones (Score:3, Insightful)
Virus scanners suck (Score:3, Insightful)
And it's not going to go away soon... (Score:5, Insightful)
And so we come to the nightmare scenario. A relatively benign parasite has infiltrated the general population and suddenly a very "hot" parasite discovers how to piggy-back that infection. In the blink of an eye - a day, an hour - 50% of Windows PCs around the world are destroyed. It can happen, and therefore, it most probably will.
Or it could prove... (Score:3, Insightful)
Re:Good (Score:5, Insightful)
"making" a virus is not hard (Score:2, Insightful)
two questions... (Score:5, Insightful)
I'm not certain that these viruses use the same vulnerabilities, so my second question is pretty heavily weighted on the first.
Odd.. (Score:2, Insightful)
Re:Who cares? (Score:3, Insightful)
I just block everything that isn't a document of some sort. Haven't had any problems at my company since.
The unfortunate reality is that some viruses may affect you even if you aren't infected. Massive virus outbreaks are like spam: both generate large amounts of junk traffic that slow everyone's connection.
Re:Good (Score:5, Insightful)
http://impsec.org/email-tools/procmail-security
Now I have to ask, if users are dumb enough to open a password-protected zipfile in what sure looks like an obvious virus-generated message to me, aren't those users dumb enough to be convinced to chmod +x &&
I think this is evidence that no security system can really be foolproof. The fools are just too persistent!
Re:Virus scanners suck (Score:5, Insightful)
viruses hold only part of the blame (Score:3, Insightful)
It also indicates a couple of other things:
It's only a matter of time until one of these is truly destructive... Perhaps a fortunate side-effect would be the world waking up to why Microsoft software is so horrible.
Should we still call them Virus alerts? (Score:5, Insightful)
Why are we married to calling everything virus related when it is actually the flash-spread of worms that pose the most risk?
The Morris worm was a wakeup call. It was the first large worm, and simultaneously the first Warhol attack. Today, the 'growing threat' is the idea of Warhol-type worms, even though the first such attack was back in the 1980s.
The future of security is probably in the department of protecting against blended threats. AntiVirus software that only deals with stuff on your disk isn't enough anymore. You need, in order of importance:
1. to adopt safer computing practices.
2. Have some type of firewall that limits external access to services you don't actively use.
3. A behavior based IDS (or similar technology)
4. Disk and memory AV (eg, a typical antivirus program)
5. Signature based IDS.
Signature based IDS is least important, especially if you have the firewall in slot 2 that negates most of the use of an IDS. Disk and memory AV is important, but since 99% of all user-originated content comes over the wire these days, the smart money is on 1, 2, and 3.
I suppose step 6 should be "Demand accurate coverage from technically competent news professionals that know the difference between the various threats". If your local anchorman said "Earthquake warning!" and it turns out it was a flood emergency, would you find that acceptable?
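As an added illustration of item 3 in the list above (a behaviour-based detector, as opposed to the signature-based one the poster ranks last), and not part of the original comment: the pattern every mass-mailing worm shares is one workstation opening outbound TCP/25 connections to many distinct hosts in a short window, while a normal desktop only ever talks to its one relay. The flow records, the relay address and the thresholds below are constructed for this example; the logic is what a practitioner would bolt onto a firewall or netflow export.

```python
"""Behaviour-based mass-mailer detection (added example, not from the thread).

Instead of matching any particular worm, watch for the traffic shape all of
them produce: a single source opening SMTP (TCP/25) connections to many
distinct destinations inside a sliding time window.  Connections to the
site's own legitimate relay are excluded so ordinary mail never counts.
"""
from collections import defaultdict, deque

# Constructed sample of "timestamp src dst dport" records.  10.0.0.2 is the
# assumed site mail relay, 10.0.0.5 a normal desktop, 10.0.0.7 a laptop that
# has just come in over the VPN and is behaving like a mass mailer.
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.0.2 25
1002 10.0.0.5 10.0.0.2 25
1003 10.0.0.7 10.0.0.2 25
1004 10.0.0.7 203.0.113.10 25
1005 10.0.0.7 203.0.113.11 25
1005 10.0.0.7 198.51.100.20 25
1006 10.0.0.7 198.51.100.21 25
1007 10.0.0.7 192.0.2.30 25
1007 10.0.0.7 192.0.2.31 80
1008 10.0.0.7 192.0.2.32 25
1009 10.0.0.5 10.0.0.2 25
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples from the text export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)


class MassMailerDetector:
    def __init__(self, window_seconds=60, max_distinct_dsts=5, relays=()):
        self.window = window_seconds
        self.threshold = max_distinct_dsts
        self.relays = set(relays)          # legitimate relays are never counted
        self.recent = defaultdict(deque)   # src -> deque of (ts, dst) within window

    def observe(self, ts, src, dst, dport):
        """Feed one flow; return the distinct-destination count if it crosses
        the threshold, otherwise None."""
        if dport != 25 or dst in self.relays:
            return None
        q = self.recent[src]
        q.append((ts, dst))
        # Drop records that have aged out of the sliding window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= self.threshold:
            return len(distinct)
        return None


def flag_mass_mailers(text, **kwargs):
    """Return {src: timestamp_of_first_alert} for every source that tripped
    the detector.  Only the first alert per source is kept so a worm does not
    flood the console with one line per connection."""
    det = MassMailerDetector(**kwargs)
    flagged = {}
    for ts, src, dst, dport in parse_flows(text):
        if det.observe(ts, src, dst, dport) is not None and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in flag_mass_mailers(SAMPLE_FLOWS, relays=["10.0.0.2"]).items():
        print(f"t={ts}: {src} fanned out SMTP to 5+ distinct hosts, report to help desk")
```

The threshold and window are tuning knobs: a real mail server or a mailing-list host would legitimately trip this, which is why those belong in the relay exclusion rather than in a signature database. The port 80 flow in the sample is there to show that only SMTP fan-out is counted.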
Re:Good (Score:2, Insightful)
Most of my files from the Linux machines are backed up on my FreeBSD machine; neither Linux nor FreeBSD are guaranteed secure, but the chances of both machines being vulnerable at the same time is exceptionally remote.
Sharing code (Score:5, Insightful)
And writing them for the same reason for the same people. Money from spammers. Look how many of those new viruses open back doors for proxies and steal email addresses. I don't think that it is so the virus writers can send love notes anonymously.
Re:Virus scanners suck (Score:2, Insightful)
I don't think it gives a false sense of security, either. I for one know I'd rather have an updated AV scanner running on my machine for when the worm/virus/whatever the hell it is finally starts to propagate through MY network!
Antivirus Software Makers vs. Arms Dealers (Score:5, Insightful)
In a way, the antivirus industry always reminds me of the noble profession of arms dealing. On the table you provide your clients weapons to "defend" themselves and to achieve and maintain peace. Off the table you know the business only flourishes when there is a war. Of course there is always a war, but your interest is in an all-out war. So what do you do if there is no such all-out war going on? Don't panic, you simply make your clients believe there is one indeed. As soon as they believe you, you win.
If you don't know what I'm talking about, you should read Vmyths [vmyths.com] more often.
Re:viruses hold only part of the blame (Score:2, Insightful)
Dude, no need for the "quotes" when you actually are a nerd.
This is because of one simple thing... (Score:4, Insightful)
The worm/virus explosion is because RBLs are WORKING, and spammers are finding less IP space they can operate from. Their only alternative is to infect client PCs and turn them into proxies. Any mail admin can tell you this is what's happening. RBLs are working. Now if we can get the ISPs to enforce their Terms of Service and shut down compromised PCs, along with the authorities who may at some point get off their lazy asses and start putting some of these spammers in jail, we'd have 99% less virus/worm propagation. Occam would agree. Lobby your District Attorneys to stop prosecuting Tommy Chongs and do something in the public interest and the world will be a better place.
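An added example, not part of the comment above, of how the RBL lookups the poster credits are actually formed, with the one check a mail admin should never skip: a DNS blocklist is queried by reversing the octets of the connecting IP and appending the list's zone, and a listing is only valid if the answer falls in 127.0.0.0/8. The resolver is injected so the code runs offline; the zone names and the fake answers are constructed for this example and no real list is consulted.

```python
"""DNSBL (RBL) lookup construction (added example, not from the thread).

Querying a DNS blocklist means reversing the octets of the client IP and
appending the zone: 192.0.2.45 checked against a zone "zen.example" becomes
the name 45.2.0.192.zen.example.  A listed address returns an A record in
127.0.0.0/8 whose last octet encodes the listing reason; an unlisted one
returns NXDOMAIN.  Any answer outside 127/8 (a wildcard from a dead or
hijacked zone, a captive portal, a typo in the zone name) must be ignored
rather than treated as a listing, or the gateway starts rejecting all mail.
"""
import ipaddress
import socket


def rbl_query_name(ip, zone):
    """Build the query name for an IPv4 address against one zone."""
    addr = ipaddress.IPv4Address(ip)   # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Real resolver: return the A record as a string, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_rbl(ip, zones, resolve=system_resolver):
    """Return {zone: answer} for every zone that lists ip with a 127/8 answer."""
    hits = {}
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    for zone in zones:
        answer = resolve(rbl_query_name(ip, zone))
        if answer is None:
            continue
        if ipaddress.IPv4Address(answer) in loopback:
            hits[zone] = answer
    return hits


# Constructed fake zone data so the example runs without network access.
FAKE_ZONE_DATA = {
    "45.2.0.192.zen.example": "127.0.0.4",   # assumed meaning: open proxy / compromised host
    "45.2.0.192.dead.example": "10.9.9.9",   # bogus wildcard answer, must NOT count
}


def fake_resolver(name):
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    zones = ["zen.example", "dead.example", "clean.example"]
    print(check_rbl("192.0.2.45", zones, resolve=fake_resolver))
```

The listing-reason octet differs per list, so a gateway that wants to reject only the "compromised host / open proxy" category rather than everything a list carries has to map the returned value per zone; the function above returns the raw answer so that mapping can be done by the caller.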
People deserve it? (Score:4, Insightful)
Relying on education and technological cures assumes that malware is a static target, but it's not. If you rely on improving people's understanding of viruses, you simply get viruses that act smarter and look like official emails. If you improve technology, you get viruses that actively target that technology itself (look at the BlackIce incident).
Technological solutions just create an arms race, and we've seen how well that works. Look at your inbox... the grim rise of noisemail is hardly a sign of success.
The solution is to acknowledge the nature of the problem: it follows the same laws as those of organic parasites, and the same solutions may be the only ones that work: perpetual change for the sake of change; trading of resistance; variety in place of standardization.
Re:WARNING - DO NOT GO TO THIS URL (Score:1, Insightful)
Re:Odd.. (Score:2, Insightful)
Not enough (Score:5, Insightful)
My fault, I suppose, for leaving it in the demilitarized zone. I'm just so used to Linux though -- the idea that a modern OS would permit such a thing to happen is ridiculous.
Company that profits from virii reports (Score:3, Insightful)
Ugh (Score:5, Insightful)
So have they turned into bananas, or have they just gone to banana rich lands? Sorry, but I can't see how one can literally go bananas.
-Colin [colingregorypalmer.net]
About every week I get a virus emailed to me. (Score:1, Insightful)
Re:And it's not going to go away soon... (Score:5, Insightful)
You base your conclusion on a broad sweeping assumption that "it can happen". This theory is flawed. Viruses and worms are combated on many fronts, using multiple strategies.
You are making a broad sweeping assumption as well. Routers with NAT, which offer rudimentary inbound firewalling as a side effect of actually doing NAT, do stop a good bit of the viral attacks such as back orifice etc but they aren't stateful firewalls like you'll see in an enterprise. They don't stop anything from going *out* the pipe. All it takes is a rogue payload on the inside of one of many networks with a big pipe and things get ugly quick! As an aside, I *don't* want my upstream provider filtering my traffic at all though and dropped the last ISP that started that and told them as much.
You're also assuming that the AV software catches 'everything'. What about the last bout of worms carried by the encrypted zips? I'm in the driver's seat on a dozen or so high traffic mail servers up and down the East Coast of the US and I (and other admins) was caught off guard by this worm. We block (with client permission) every executable attachment known to Microsoft operating systems and a few obscure ones as well. The encrypted zips slid right past qmail-scanner, clamav and a couple home-grown perl scripts we use for filtering. Those worms slid past the big name AV products at places I do other types of work. I will give the ClamAV and the qmail-scanner mailing lists credit though...it wasn't long before there were patches and add-ons for each to drop that worm at the gate, patches came in to the qmail-scanner list within hours of the first sighting of that worm in the wild.
The encrypted zip ruse was clever, how long before somebody comes up with something similar but more sinister? The only way to stop email-borne viruses completely would be to do as you say and stop all attachments completely. That's not an option for 99% of my clients, just simply not an option. Every time I read something from one of the guys that works on ClamAV or one of the 'gurus' at the big AV labs about how shitty the code was in the last worm I get twitchy. What's going to happen if somebody that knows what they're doing and has a bit of cleverness up their sleeve as well decides to write the next nasty bug?
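Two comments in this thread describe the same gateway problem from both sides: one admin "blocks everything that isn't a document", and the admin above got caught because password-protected zips slid past qmail-scanner, ClamAV and the home-grown filters. The following is an added example, not code from the thread, from qmail-scanner or from ClamAV, of the policy check a mail gateway needs to close that gap: it walks a MIME message, rejects executables by extension or by PE header regardless of the declared filename, and rejects any ZIP whose entries carry the encryption flag, because a scanner that cannot look inside an archive must not be trusted to pass it. The extension list and the sample message are constructed for the example; since the standard library cannot write encrypted ZIPs, the sample patches the encryption flag bit into a plain archive so the headers look exactly like a worm's attachment does to a scanner.

```python
"""Attachment policy for a mail gateway (added example, not from the thread).

Verdicts returned per attachment:
  reject: executable           - known executable extension, or payload starts
                                 with the 'MZ' PE header whatever it is named
  reject: zip encrypted        - archive entry has general-purpose bit 0 set,
                                 so no scanner can inspect it
  reject: zip contains_executable
  allow                        - everything else (plain documents)
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Constructed list; extend with whatever the site's Windows clients will run.
EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd",
                   ".vbs", ".js", ".cpl"}


def is_executable_name(name):
    name = (name or "").lower()
    return any(name.endswith(ext) for ext in EXEC_EXTENSIONS)


def classify_zip(data):
    """Return 'encrypted', 'contains_executable', 'corrupt' or 'ok'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:          # bit 0 = entry is encrypted
                    return "encrypted"
                if is_executable_name(info.filename):
                    return "contains_executable"
    except zipfile.BadZipFile:
        return "corrupt"
    return "ok"


def classify_attachment(filename, data):
    if is_executable_name(filename) or data[:2] == b"MZ":
        return "reject: executable"
    if data[:4] == b"PK\x03\x04":
        verdict = classify_zip(data)
        if verdict != "ok":
            return "reject: zip " + verdict
    return "allow"


def scan_message(raw_bytes):
    """Return [(filename, verdict), ...] for every attachment in the message."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""
        results.append((name, classify_attachment(name, data)))
    return results


def encrypted_zip_bytes(entry_name, content):
    """Build a plain ZIP, then set the 'encrypted' flag in the local header
    (offset 6) and central directory entry (offset 8).  The payload is not
    really encrypted; only the headers are made to look like it, which is
    what a scanner sees."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, content)
    raw = bytearray(buf.getvalue())
    raw[raw.index(b"PK\x03\x04") + 6] |= 0x01
    raw[raw.index(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)


def build_sample_message():
    """Constructed message: one benign document plus two worm-style attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your document"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"Quarterly notes", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="photo.jpg.pif")
    msg.add_attachment(encrypted_zip_bytes("document.exe", b"MZ payload"),
                       maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name}: {verdict}")
```

The order of checks matters: the PE-header test runs before the archive test so a renamed executable is caught even when the filter's extension list is incomplete, and an encrypted archive is rejected before its entry names are consulted, since those names are the one thing the worm author controls completely.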
Re:Who cares? (Score:3, Insightful)
Re:Who cares? (Score:3, Insightful)
How long has Macro security been set to high by default now? 2 years? 3?
Re:Windows Virus End User License Agreement (Score:2, Insightful)
Re:Phht. (Score:1, Insightful)
It's symbolism dude. Busting hidden computers (even though these may hold every micron of your life's detail) doesn't make for much news copy. Blowing up the two tallest buildings in a prominent skyline on the other hand.....
Pearl Harbor of the web. . ? (Score:5, Insightful)
On the one hand, what I see is a 'cool' new trend in virus writing; "Wow! Cool! Like, I can re-script a code which will secure me lots of slave machines! Excellllllent. I want to play, too!"
On the other hand, it also strikes me as very convenient that the web should be pummeled right now when there is such a push to massively control EVERYTHING and EVERYONE on the planet. --How easy would it be for the fine people in black-ops-secret-shmecret-government to release a few hundred viruses into the wild?
Pretty damned easy, I'd say. But to what end?
Simple. Everybody is getting fed up. "Oh, please install new laws which allow us to punish spammers. Oh, please, mighty government, do SOMETHING to control the web so that I can get my email!"
The internet, at the moment, is THE prime source of real information and world-wide communication. You can say here, out in the open, "BUSH IS A LIAR AND A CRIMINAL" And link to a hundred sites which explain -with detailed evidence- exactly why this is so.
Fascist governments don't appreciate this. Machiavelli recommended the swift destruction of dissidents who speak such things, in order to control a kingdom.
230 new script kiddies a month releasing malignant code into the wild, or a handful of unimaginative agents bent on pissing everybody off so much that they start begging for leashes?
I don't know. But it wouldn't surprise me in the slightest to find out that the assholes -once again- are in charge.
-FL
Re:Heuristic antivirus (Score:5, Insightful)
No, it did (does) work. It was simply more profitable to sell a program that requires frequent updates for each new threat. See e.g. Better antivirus software is worse than a virus? [vmyths.com]
Why ? Because someone makes money on it ! (Score:4, Insightful)
Companies that
* use a firewall
* enforce the use of "RunAs" for all critical operations
* don't use Outlook
avoid 99.999999% of all viruses.
Re:Solve the damn problem (Score:5, Insightful)
I think viruses over email will stop as soon as sexually transmitted diseases stop because people stopped having recreational, unprotected sex.
Re:Who cares? (Score:1, Insightful)
Re:Solve the damn problem (Score:4, Insightful)
What are you talking about? There's been lots of effort in combating the virus problem, namely the products of the major antivirus software vendors like Trend Micro, and Symantec. It's worked extremely well. More and more viruses and worms come out, and the vendors make more and more updates, and sell more licenses. They've become extremely profitable. Since profit = success, this virus problem is obviously well in hand.
Re:Not enough (Score:2, Insightful)
It's absolutely ridiculous that a three year old piece of software might have a remotely exploitable hole. It's a good thing that none of these UNIX-clones from three years ago had a remotely exploitable sshd switched on by default, right?
As is always the case, user-stupidity led to your infection.
What's worse? Press fails to cover immune apps/OS (Score:4, Insightful)
Yes, OS X, BSD, and the various Linux distributions (i.e. Debian [debian.org], Mandrake [mandrakesoft.com], SUSE [suse.com], or RedHat [redhat.com] ). All easy to install, all easy to maintain, all easy to use. OS X comes pre-installed by the OEM and an increasing number of Linux distros are, too.
Furthermore, the layered structure of the OSes and separation of privileges means that these are resistant to future viruses as well as immune to those available today. Yes, apologists and astroturfers like to ignore that as well as blame users. But even if, and that's a big if, market share has more effect than design flaws, it will take quite some time for the virus activity to shift and during that time, businesses and users have come out ahead. Right now, die-hard ideologues who refuse to drop a defective product are costing billions of dollars per quarter [globetechnology.com], a not insignificant number when you think how many jobs could be kept rather than downsized or outsourced in these increasingly bad economic times for the U.S.
How about a little focus? The title should have been "An Unprecedented level of MS Virus Alerts" and steer users off of the hamster wheel. From easy to hard, these are just a few of the many options:
Re:I guess the solution is easy then... (Score:3, Insightful)
As more and more computer illiterate people switch to Linux, viruses will become a problem too:
The point here is that your average Linux user is technically much more competent than the average Windows user. Viruses on Linux are having a hard time, not only because of the superior security model of Unix-like systems, but also because those systems are having better admins and users!
Re:A really effective solution (Score:2, Insightful)
Their internet access gets cut off then you get a nice irate phone call about their internet access going offline after hitting the send button.
Re:Heuristic antivirus (Score:2, Insightful)
Re:I guess the solution is easy then... (Score:4, Insightful)
Re:Solve the damn problem (Score:3, Insightful)
It's a nasty disease characterized by this nagging, persistent feeling you know everything about computers and there is nothing you do not know.
It's called Windowsitis.
Public Service Announcement:
Little Girl to her Mom: Mommy what's wrong with daddy?
Mom (choking back tears): Nothing, dear. Daddy is... having problems.
Little Girl: But why does he look that way?
Announcer: Millions of Americans are suffering with a devastating, debilitating disease. Spilled drinks, sitting in potato chip crumbs, eyes wide open, goofy smile on their face as they point and click for hours on end.
You see what it is doing to him, but can you see what it is doing to your family?
Through the American Windowsitis Association, millions of Americans are getting help. Through therapy and bans on purchases of crackers and coffee, training to use the off button, those Americans are leading useful, productive lives.
So give. And give generously to the AWA.
Little girl, hugging her Dad, napping on the couch with a baseball game blaring on the TV: I am so glad I have you back, Daddy.
If more and more virii (Score:4, Insightful)
It's getting to the point at the office that all new virii noise on the IDS box is laptops coming in from the VPN. I can see a spike in traffic from one laptop, which gets reported to the Help Desk for cleaning, and the net result to the rest of the (properly patched) network sees NO negative result.
Three simple measures to reduce risk. Duh. (Score:3, Insightful)
If you're a tech, and you do work on people's PCs, tell them about these. There is no excuse not to have these measures implemented on each and every PC in the world.
1: Routers. If you have a broadband connection and _any_ box, be it Windows or Linux, there is no damn reason _not_ to have a router with the newest firmware revisions and a _changed_ administrative password (not admin/admin like on so many Linksys WLANs I've found on my PubTrans rides home). It will stop about ninety-nine percent of outside attacks at that level.
Even a cheap-ass Linksys BEFSR41v3 will do wonders to stop outside attacks ($50 at Fry's, by the way). I know; I'm running one of those on my home LAN.
2: Remove IE/OE or keep them from integrating into the kernel in any way, shape, or form. As is, they're too tightly twined with explorer.exe and as such, that opens the door for a _world_ of pain (CoolWebSearch, anyone?).
Recommended alternatives: Firefox (though it has issues with PDFs in Windows), K-Meleon, Opera, Firebird, Mozilla, Eudora (light mode _ONLY_ unless you're going to pay for it; it included Cydoor spyware in earlier versions), Thunderbird, et cetera.
3: Get a decent antivirus program and software firewall in addition to your external measures. Grisoft's AVG is free and it updates on pretty much a daily basis, and ZoneAlarm is free if they don't want something better (like a spare AIX UNIX box between their machines and the Internet).
That's enough for the casual home user.
Hell, if you don't protect your PC, you don't deserve to have it.
Re:And yet still reports don't mention Microsoft (Score:3, Insightful)
Why would that matter? In the 80s, all of the worms, viruses and exploits were for UNIX machines, because that's what the Internet was.
Now, the Internet is Windows boxen, so that's what the virus writers are targeting.
Pointing out that 'all those worms are targeted at windows!' is like pointing out that thieves target rich people.
Open source (Score:2, Insightful)
Re:I guess the solution is easy then... (Score:2, Insightful)
No, they won't, and never will. Viruses on Windows are a problem because of sloppy coding, too many ports are open by default, poor privilege separation, and ease of auto-execution. Now while there might be plenty of sloppy coding in modern Linux distributions, none of them suffer from the other three problems. And while yes it's possible to write a script that would send out an email with the script attached to everyone in your address book, you'd have to jump through more hoops to do so. Each hoop greatly reduces the number of people that will be susceptible to the virus.
often it really is a case of uneducated users
And even more often it's a case of Microsoft having an insecure operating system by default. What annoys me is the people who say "it's the responsibility of the administrator to make sure it's secure." For servers, yes that's true. But there is no excuse for not having a desktop operating system be secure out of the box.
The only thing that privilege separation under Linux does is prevent the user from listening on ports under 1024 to open backdoors.
AND from altering/destroying the operating system, AND from messing with the files of other users on the system. Both of those things are very easily done with Windows as the default is to have the first user be an Administrator.
The only thing separating us from Windows users at the moment are the small market share, and the fact that most Unix users are somewhat more clueful about computers.
No, unless someone writes an suid mail client for linux that executes attachments, it wouldn't matter if Linux had 100% marketshare and every user was an idiot, it still wouldn't have but a fraction of a percentage of the problems that Windows continues to have.
Re:Solve the damn problem (Score:3, Insightful)
I personally do think these firms are crooked. They're basically parasites, since they depend on malware for their existence. And from statements they've made when asked about the use of Linux in order to be less vulnerable, in which they show that they obviously don't want people running anything besides Windows on their desktops, I think they're dishonest too.
The only reason this hasn't happened... (Score:4, Insightful)
Knowledge. (Score:3, Insightful)
Wow. I guess I keep forgetting that Bush's psychopathic nature is not always commonly recognized. This seems amazing to me, but then I forget sometimes what it is like to be caught within the fog of manufactured reality. That's the nature of the psychopath, after all, but it takes two to tango.
I would strongly encourage you to do some reading and research into the matter. After all, you are the only one there is who can be depended upon to grow your knowledge structure. It would be a good idea to explore beyond old boundaries, especially now when the information is there for the taking. This may soon not be the case!
Good luck to you!
-FL