Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

Unprecedented level of Virus Alerts 424

arpy writes "iTnews reports that according to Trend Micro (makers of PC-cillin), there was a record-breaking level of virus alerts in the first quarter of 2004. In Q1 2003, Trend issued 35 virus warnings. During the same period this year, it issued 232. According to the company's annual virus round-up and forecast (PDF), the number of alerts was pretty much steady for 2001-2003. Particularly noteworthy is that so many of the viruses are variants, not original. Trend's April 2 Weekly Virus Report reveals that of the "Top 10 most prevalent global malware", the top five are all variations of Worm_NETSKY. This would seem to confirm Virus creators are sharing more code."
This discussion has been archived. No new comments can be posted.

Unprecedented level of Virus Alerts

Comments Filter:
  • by Anonymous Coward on Tuesday April 06, 2004 @02:03AM (#8777175)
    Especially on IRC. Quite a few IE/mIRC trojans/viruses. Too bad so many users are so clueless and will click anything that looks like it might be porn.
    • by Anonymous Coward
      I tried clicking on your post, but all I got were cached pics from goatse. I want my money back!
    • Sharing code (Score:3, Interesting)

      by Anonymous Coward
      Viruses reply on several points of entry, and now use specialised code with predictable behaviour, that cause measurable damage to systems and networks.

      One thing, the companies who make money off this certainly do not want this to stop. This isn't a put a tin foil hat on message. Just correlate the line, viruses and profit for these companies. Now, of course, chicken and egg.

      Security is going nowhere, patching holes isn't going to save a sinking ship, and myself, I do not want to let the 'everybody else'
    • by Anonymous Coward
      it might be porn

      well, where's the link dammit?
    • by andy landy ( 306369 ) <> on Tuesday April 06, 2004 @04:24AM (#8777665) Homepage
      I work at a UK University as a sysadmin and the most prevalent viruses around here are Bagle, Netsky and MyDoom. The scary part about it all is that Both Bagle and Netsky are in about their 20th revision (Yes, viruses get upgrades and bugfixes too)

      The more recent versions of these viruses are even killing off their 'competitors' - a recent Netsky will kill off any Bagle or MyDoom viruses it finds.

      I'm still staggered that people will open email from people they've never heard of, open any attachments therein, entering passwords as they go!

      The worst case of virus authors realising the stupidity of the people they were targetting was a virus with an NTP client built-in, so that the timebomb expiry on it would still work, despite the host PC's clock not being set correctly!
      • I suppose the increased number of viruses, and the killing off of competitors, are probably because it's becoming more and more profitable to write a virus to turn a machine into a zombie and sell the zombie to spammers.

        Maybe windows will get its act together in the next service patch and stop making it so easy for the virus writers, but even then there will be a lot of computers on older versions. It would probably be more cost effective to go after the spammer's money source with a serious law enforceme
  • by Anonymous Coward on Tuesday April 06, 2004 @02:04AM (#8777178)
    Its reactionary, they cant predict what people will code. Its sad that they give people a false sense of security.
    • by Anonymous Coward on Tuesday April 06, 2004 @02:22AM (#8777267)
      I would like to elaborate on that thought. Virus Scanners worked when there wasn't a vast connected network such as the internet. Trojans/worms took a helluva lot more time to propagate where now-a-days they spread extremly fast, a good example would be the DCOM worm. It was a lot more difficult to be infected by a virus such as michelango than today's malware if for no other reason than companies having more time to react.
      • by FireFury03 ( 653718 ) <slashdot@nexusu[ ]rg ['k.o' in gap]> on Tuesday April 06, 2004 @03:42AM (#8777545) Homepage
        While I'm certainly against malicious software (my inbox gets absolutely flooded with these trojans), I think that "virus" writing has really gone down hill in recent years.

        In the good old days, viruses were tightly coded programs that often did cool things (undesirable, but still cool, like making all the letters fall off your screen). They would modify existing programs to become carriers - this is the true meaning of a virus, it modifys legitimate code to allow it to propogate.

        Remember the Cascade virus, back in 1988? 1701 bytes of code that sits in memory, modifying .com files to include it's code as they're opened. Compare with current "viruses", which are really no more than trojans. They're several tens of K in size, rely on the user to be stupid and execute it manually and often just add themselves to the list of programs to start on bootup.

        Correct me if I'm wrong, but I don't think a real virus has been written since the late 1990's. All current "viruses" are either trojans or worms.

        Virus - modifies existing programs to include it's own code.
        Trojan - executable file that pretends to be something the luser wants but is really malicious.
        Worm - self replicating software that uses a network-accessible vulnerability to propogate to other machines on the network (think Code Red, et al)
        • by O2n ( 325189 )
          Correct me if I'm wrong

          Well, I think you are. At least CIH [] was a real virus, by your definition. Check the technical descripion here [].
          Nasty one, also - tries to re-flash the BIOS with garbage.

          But generally speaking you're right, most of the so-called viruses are actually trojans these days.
        • Trojan - executable file that pretends to be something the luser wants but is really malicious.

          In this case, why are programs like Gator not removed by anti-virus software? By all definitions, Gator (or is it now Claria) and similar programs are Trojans. If the user knew what it would do to their system, they would have never installed it. Then there are the reports of "drive by downloading". If this isn't trojan activity, then what is?
    • by core plexus ( 599119 ) on Tuesday April 06, 2004 @02:25AM (#8777280) Homepage
      I remember years ago some were touting heuristic antivirus as the way of the future. Obviously, it didn't work. The idea was to look for certain patterns rather than the actual virus.

      On the plus side, we can hope that if The Machines ever get away from us, we can get Jeff or Data or NEO or Ahhnold to load a virus and save us. On the minus side, one of these days someone is going to write something really nasty, and even those of us who don't use Windows will be affected, either through the drag in traffic, bringing down nodes, or the phone calls and other messages.

      It would be great to have a system that looks for changes and reports them...oh wait, I already have that.


      Alaska Bugs Sweat Gold Nuggets []

    • This comment rings very true, most security software intentionally misleads the user into hiding behind it ($$), rather than trying to educate the user in the proces.

      e.g. "you got the ___ virus, this probably happened becasue you opened an unsage type of email attatchment... etc..."

    • Enter heuristics.

      I don't think it gives a false sense of security, either. I for one know I'd rather have an updated AV scanner running on my machine for when the worm/virus/whatever the hell it is finally starts to propogate through MY network!
    • by bangular ( 736791 ) on Tuesday April 06, 2004 @04:12AM (#8777630)
      If this is such a problem, why has there been such little effort to actually fix it. There have been reactionary measures (patches, anti-virus), and overkill security that's years away (security at the hardware level). A HUGE chunk of viruses could be wiped out if

      a) no more html email. Period. There's no reason for it other than making email look pretty. I've never run into a situtation where an informational email couldn't live without html.

      b) No more attachments. Email isn't a file transfer protocol. There are many many many other safe ways to send files. Email was never meant to send binary attachments anyway. The RFC doesn't allow it. To comply, a dirty hack was created in which binary data is turned into plain text. But it's obvious email wasn't meant to be used in that fashion.

      c) no more IE. No other piece of software has enabled so many viruses, adware, spyware, and shitware. IE is the malware enabler. I don't care if you use Opera, Mozilla, whatever, because pretty much everything is better than IE.

      d) quit blaming the damn users. MS has designed an operating system to be used by the simpliest people on earth. Those whom have absolutly no computer experience at all. How can you blame them then when they open viruses? If you are going to design an operating system to be used by the masses, then you must implement security measures as if the user is clueless, because usually they are. Because you can open a virus without a warning, yet you can't modify your "Windows" directory without a myriad of warnings, makes me wonder how high a priority security really is to MS.

      • by MoP030 ( 599234 ) on Tuesday April 06, 2004 @04:28AM (#8777681)
        a) no more html email. Period. There's no reason for it other than making email look pretty. I've never run into a situtation where an informational email couldn't live without html.
        Maybe you didn't have that that problem and neither do I. But i know a lot of less technically inclined people, who would send an email simply because it is pretty (say, because their new email program has these pretty templates with pictures of hawaii as a background.). Same goes for attachments. Email isn't only used for short, important messages. People use it to socialize, and as such they send stuff they think is funny, pretty or shiny.
        I think viruses over email will stop as soon as sexually transmitted diseases will stop because people stopped to have recreational, unprotected sex.
      • by Grishnakh ( 216268 ) on Tuesday April 06, 2004 @04:43AM (#8777718)
        If this is such a problem, why has there been such little effort to actually fix it. There have been reactionary measures (patches, anti-virus)...

        What are you talking about? There's been lots of effort in combating the virus problem, namely the products of the major antivirus software vendors like Trend Micro, and Symantec. It's worked extremely well. More and more viruses and worms come out, and the vendors make more and more updates, and sell more licenses. They've become extremely profitable. Since profit = success, this virus problem is obviously well in hand.
        • by Genom ( 3868 ) on Tuesday April 06, 2004 @08:29AM (#8778441)
          What are you talking about? There's been lots of effort in combating the virus problem, namely the products of the major antivirus software vendors like Trend Micro, and Symantec. It's worked extremely well. More and more viruses and worms come out, and the vendors make more and more updates, and sell more licenses. They've become extremely profitable. Since profit = success, this virus problem is obviously well in hand.

          I'm guessing that was sarcasm, in which case I totally agree ^^

          The problem here is that the viral arms race is a cash cow. It's in Symantec/Trend/McAffee/et. al.'s best interest, financially, to make sure that viruses/worms/malware continue to propagate.

          If virus/worm/malware activity suddenly stopped, there'd be little need for the services those companies provide. If, however, the threat multiplied over time, there would be an increased demand for thier services - which in turn would equate to more money in their pockets.

          I'm not saying these firms are crooked - I'm also not saying they aren't. All I'm saying is that they have a vested interest in keeping the threat alive, or even increasing its magnitude. Whether they do so or not is neither here nor there.

          MS, of course, shoulders a portion of the blame for the problem. OE, after all, is the most effective virus/worm/malware distribution engine *ever*. (Outlook itself not being far behind, but that's part of Office, which most folks actually have to pay for -- OE comes installed with the Windows OS that comes pre0nstalled on most new machines, and hence has a much greater distribution) But then again, if it were secure, given MS's overwhelming marketshare, how would *that* effect the bottom line for the AV companies?

          A healthy skepticism about the industry is quite warranted, I think.
          • Yep, that was satire. I'm a little disappointed that I got several "insightful" mods but no "funny" since that is what I was aiming for.

            I personally do think these firms are crooked. They're basically parasites, since they depend on malware for their existence. And from statements they've made when asked about the use of Linux in order to be less vulnerable, in which they show that they obviously don't want people running anything besides Windows on their desktops, I think they're dishonest too.
      • Actually, users have a virus.

        It's a nasty disease characterized by this nagging, persistent feeling you know everything about computers and there is nothing you do not know.

        It's called Windowsitis.

        Public Service Announcement:

        Little Girl to her Mom: Mommy what's wrong with daddy?

        Mom (choking back tears): Nothing, dear. Daddy is... having problems.

        Little Girl: But why does he look that way?

        Announcer: Millions of Americans are suffering with a devastating, deblilitating disease. Spilled drin

      • by prandal ( 87280 ) on Tuesday April 06, 2004 @07:46AM (#8778228)
        You forgot File Extension Hiding. One of the key weapons in the malware-writers' social engineering attacks. It's time File Extension Hiding was turned off []. And time that MS released a patch to disable it for all time.

  • Ummmm (Score:5, Funny)

    by soundsop ( 228890 ) on Tuesday April 06, 2004 @02:05AM (#8777182) Homepage

    This would seem to confirm Virus creators are sharing more code.

    So, do they prefer GPL or BSD license?

    • GPL, duh (Score:5, Funny)

      by Anonymous Coward on Tuesday April 06, 2004 @02:09AM (#8777199)
      It's a viral license, remember?
    • Any license as fine, so long as its not a SCO license. :-)

    • the first of April? After all, that would be SO original...
    • by Anonymous Coward on Tuesday April 06, 2004 @02:15AM (#8777235)
      The Windows Virus License, of course, since they're all Windows viruses, of course! ;)

      Windows Virus End User License Agreement

      Licensor, Skrip T. Kidie hereby licenses to you, the licensee, the ability to be infected on a single machine with not more than eight (8) processors by this Windows Virus (hereafter "the Virus").

      By reading this, you agree to allow your machine to become infected. We reserve any and all rights without limitation, while you disclaim any purported rights you might have so much as thought you had, including "fair use" rights, and agree to hold licensor harmless for the inevitable destruction of your PC.

      In the event you are found in possession of more copies of the Virus than you have license for, you will owe us $699 per violation. Furthermore, ...

      (10 more pages of legalese here)
  • A quote from a journal entry from last September []:

    And so we come to the nightmare scenario. A relatively benign
    parasite has infiltrated the general population and suddenly a very
    "hot" parasite discovers how to piggy-back that infection. In the
    blink of an eye - a day, an hour - 50% of Windows PCs around the
    world are destroyed. It can happen, and therefore, it most probably
    • Wait, 50% of Windows PCs being destroyed is a nightmare scenario? I thought that would be more a breath of fresh air?
    • You base your conclusing on a broad sweeping assumption that "it can happen". This theory is flawed. Viruses and worms are combated on many fronts, using multiple strategies. Many college campuses do not allow attatchments of any kind any more, I've heard some companies do the same. Corporate and home firewalls filter out the really nasty stuff at the gateway, before it gets to your precious PCs. A whole lot of companies and K-12 schools still run Windows98 for petes sake; completely immune to the late
      • by 4minus0 ( 325645 ) on Tuesday April 06, 2004 @03:42AM (#8777544)

        You base your conclusing on a broad sweeping assumption that "it can happen". This theory is flawed. Viruses and worms are combated on many fronts, using multiple strategies.

        You are making a broad sweeping assumption as well. Routers with NAT, which offer rudimentary inbound firewalling as a side effect of actually doing NAT, do stop a good bit of the viral attacks such as back orifice etc but they aren't stateful firewalls like you'll see in an enterprise. They don't stop anything from going *out* the pipe. All it takes is a rogue payload on the inside of one of many networks with a big pipe and things get ugly quick! As an aside, I *don't* want my upstream provider filtering my traffic at all though and dropped the last ISP that started that and told them as much.

        You're also assuming that the AV software catches 'everything'. What about the last bout of worms carried by the encrypted zips? I'm in the driver's seat on a dozen or so high traffic mail servers up and down the East Coast of the US and I (and other admins) was caught off guard by this worm. We block (with client permission) every executable attachment known to Microsoft operating systems and a few obscure ones as well. The encrypted zips slid right past qmail-scanner, clamav and a couple home-grown perl scripts we use for filtering. Those worms slid past the big name AV products at places I do other types of work. I will give the ClamAV and the qmail-scanner mailing lists credit wasn't long before there were patches and add-ons for each to drop that worm at the gate, patches came in to the qmail-scanner list within hours of the first sighting of that worm in the wild.

        The encrypted zip ruse was clever, how long before somebody comes up with something similar but more sinister? The only way to stop email-borne viruses completely would be to do as you say and stop all attachments completely. That's not an option for 99% of my clients, just simply not an option. Everytime I read something from one of the guys that works on ClamAV or one of the 'gurus' at the big AV labs about how shitty the code was in the last worm I get twitchy. What's going to happen if somebody that knows what they're doing and has a bit of cleverness up their sleeve as well decides to write the next nasty bug?

    • by alispguru ( 72689 ) <bane&gst,com> on Tuesday April 06, 2004 @09:55AM (#8779158) Journal
      ... would be a virus/Trojan/worm that spread fast, was hard to spot (used very little system resources), and had a payload that modified documents in small ways:

      Word processing documents - randomly deleted words like 'no' and 'not', or flipped words like 'always' and 'never'.

      Spreadsheets - zeroed out one or two cells

      Presentations - Inserted random obscenities and links to unappetizing images

      Imagine what would happen if nobody could trust their computers any more. Microsoft would be sued into oblivion, EULA or no EULA.

    • by Henk Poley ( 308046 ) on Tuesday April 06, 2004 @02:01PM (#8782187) Homepage because the virus writers are too scared for being caught. Just take a look at the figures of the most virulent worms of the last 2 years. They did infect a substantialy large part of the open Windows systems in the first 10-15 minutes.
  • by Anonymous Coward on Tuesday April 06, 2004 @02:07AM (#8777188)
    that there are lots of pissed off wanna be script kiddies, who are not happy with the way the world is heading, and see it as their duty to try and throw a spanner in the works.
    • Mod the above as insightful. I know lots of crap is just trojans to rip off cc info and act as spam relays but the poster is right about the script kiddies and their motivations. It's vandalism. My Wifes box usually gets at least one anti viral update a day (she runs Trend PCcillin.) I use Mandrake 9.2 99.9% of the time but have PC cillin on my W2K partition.

      I also think the Anti Virus companies hype this crap too much. But looking at the firewall logs shows to many people just don't get it.
  • Who cares? (Score:2, Interesting)

    I just block everything that isn't a document of some sort. Haven't had any problems at my company since.
    • Re:Who cares? (Score:3, Informative)

      by LostCluster ( 625375 ) *
      Any form of Microsoft Office document can contain VBA code, and therefore possibly a virus.

      VBA can even be in complied form within an Access Database.
      • Re:Who cares? (Score:3, Insightful)

        by gad_zuki! ( 70830 )
        > Any form of Microsoft Office document can contain VBA code, and therefore possibly a virus.

        How long has Macro security been set to high by default now? 2 years? 3?
    • Re:Who cares? (Score:3, Insightful)

      by omicronish ( 750174 )

      I just block everything that isn't a document of some sort. Haven't had any problems at my company since.

      The unfortunate reality is that some viruses may affect you even if you aren't infected. Massive virus outbreaks are like spam: both generate large amounts of junk traffic that slow everyone's connection.

  • Well, there are even program's that can "make" a virus for you. So it is not strange you get more and more every day. I see it also on my box. How many times i have seen "Netski"... But it's good that the virusses aren't getting any "better". Like screwing up your bios or something like that.
    • Where did all the good low-level viruses go? Goddamnit! You don't impress me with VBScript; you do with assembly! Hell, you could probably even combine the two! Just put the binary data payload in your script, (over)write an executable, and voila! the best of both worlds.

      Not that I condone doing such a thing...
  • two questions... (Score:5, Insightful)

    by vena ( 318873 ) on Tuesday April 06, 2004 @02:14AM (#8777227)
    don't many of these viruses use the same vulnerabilities? if that's the case, doesn't that mean a statistic like this should be pointed to not as an indicator of rising numbers of viruses, but as an indicator of the lack of response from the applications being exploited?

    i'm not certain that these viruses use the same vulnerabilities, so my second question is pretty heavily weighted on the first :)
    • don't many of these viruses use the same vulnerabilities?

      Yes, they do... the recipient of the virus opening up the attachment because they either got fooled ("new virus warning", "mail bounce", etc.) or enticed (porn stuff). Netsky, Bagle, MyDoom didn't exploit a Windows vulnerability. It did the "social engineering" thing to spread.

      if that's the case, doesn't that mean a statistic like this should be pointed to not as an indicator of rising numbers of viruses, but as an indicator of the lack of respon

  • Odd.. (Score:2, Insightful)

    by zcat_NZ ( 267672 )
    A record number of viruses, and yet I've had no trouble with any viruses on my main machine (FreeBSD), my laptop (Debian) or the family computer (Redhat).

  • by Limburgher ( 523006 ) on Tuesday April 06, 2004 @02:16AM (#8777236) Homepage Journal
    I wonder what the numbers will be for the second quater. :)
  • Our company mandates it on all PCs. For about the last month, we seem to have had new virus definition files at least once a day, often twice a day.

    Of course, we've still managed to get viruses through, both from not having the latest update (one Bagle variant got through), and from people not running the virus scanner - on Monday someone who had his/her portable at home at the weekend connected to the office network with NetSky-Q loaded.

  • Calling wolf? (Score:5, Interesting)

    by dj245 ( 732906 ) on Tuesday April 06, 2004 @02:19AM (#8777254) Homepage
    When you have 232 virus warnings in a year, you have a wee bit of a problem. When you have 232 alerts in a fourth of a year, you have an industry gone markebonkers. Thats 2 and a half alerts per day. Is it any wonder Joe Average isn't paying attention any more and is getting fried? 232 virus warnings doesn't say to me that there is a problem with viruses, it tells me that there is a problem with whomever is issueing them. They need to re-evaluate what constitutes a warning, and what doesn't. Does BobWanky'sWhoopieWorm_A, BobWanky'sWhoopieWorm_B, and BobWanky'sWhoopieWorm_C, all need separate alerts? Its doubtful. We need to reign in these virus companies, who appear to have gone quite literally bananas, and give them a good smiting.
  • by kgasso ( 60204 ) <`gro.trolb' `ta' `ossagk'> on Tuesday April 06, 2004 @02:20AM (#8777260) Homepage
    I'm not horribly surprised by the number of viruses and worms flying around right now... and I do see quite a few of them as a Systems Admin for a wholesale ISP.

    What does surprise me is WHY these spread. I thought we had taught people time and time again, over and over, "don't open non-document attachments"... "keep your antivirus software updated"... "if you're ever in doubt, call us". Our advice is taken in and actually used once in a while, but it always seems to be thrown aside and forgotten.

    I'm still on the search for that magic bullet that won't involve horribly restrictive mail filters or a lobotomy to remove the "OPEN EVERY EMAIL ATTACHMENT I RECEIVE" lobe...
  • by ObviousGuy ( 578567 ) <> on Tuesday April 06, 2004 @02:21AM (#8777264) Homepage Journal
    AV software seems to do a lot of scanning in a minimum amount of time. Considering the thousands upon thousands of viruses running around the wild, how is AV software able to scan each file so quickly, even if it only looks for specific signatures, it seems that each file would take an inordinate amount of time to scan. However it doesn't.

    Can someone give a brief explanation of how anti-virus software is able to scan so many files so quickly?
  • by ErichTheWebGuy ( 745925 ) on Tuesday April 06, 2004 @02:22AM (#8777269) Homepage
    ... the top five are all variations of Worm_NETSKY. ... Virus creators are sharing more code.

    It also indicates a couple of other things:
    • Outlook/Outlook Express need to die (or at the very least patched properly)
    • Internet Explorer suffers the above affliction (and by implication, so does Windows as a whole)
    • People never patch their boxes, even when patches are released
    Since I am the "nerd" of the family, I get to make regular house calls to cleanse this shit from people's computers. I gotta say, the article is absolutely right. The number of worms, viruses, etc is insane this year.

    It's only a matter of time until one of these is truly destructive... Perhaps a fortunate side-effect would be the world waking up to why Microsoft software is so horrible.
  • by Chairboy ( 88841 ) on Tuesday April 06, 2004 @02:24AM (#8777275) Homepage
    There are few large virus threats in the past few years. Most of the stuff we see every day is technicall a worm.

    Why are we married to calling everything virus related when it is actually the flash-spread of worms that pose the most risk?

    The Morris worm was a wakeup call. It was the first large worm, and simultaneously the first Warhol attack. Today, the 'growing threat' is the idea of Warhol-type worms, even though the first such attack was back in the 1980s.

    The future of security is probably in the department of protecting against blended threats. AntiVirus software that only deals with stuff on your disk isn't enough anymore. You need, in order of importance:
    1. to adopt safer computing practices.
    2. Have some type of firewall that limits external access to services you don't actively use.
    3. A behavior based IDS (or similar technology)
    4. Disk and memory AV (eg, a typical antivirus program)
    5. Signature based IDS.

    Signature based IDS is least important, especially if you have the firewall in slot 2 that negates most of the use of an IDS. Disk and memory AV is important, but since 99% of all user-originated content comes over the wire these days, the smart money is on 1, 2, and 3.

    I suppose step 6 should be "Demand accurate coverage from technically competent news professionals that know the difference between the various threats". If your local anchorman said "Earthquake warning!" and it turns out it was a flood emergency, would you find that acceptable?
  • Where's... (Score:4, Interesting)

    by TechnologyX ( 743745 ) on Tuesday April 06, 2004 @02:29AM (#8777301) Journal
    ...the data regarding AntiVirus software purchases, firewall purchases, patch downloads, etc for the same period?

    Since there was an unusually high number of viruses and alerts, it would be nice to see just how it's being handled on the user end. Were there spikes in Norton Anti-Virus purchases? Or are people getting nailed with virus after virus ( a big clue is that it's mostly just a slightly altered form of the virus ) because they're being typical Joe User and not trying to guard themselves?
  • Sharing code (Score:5, Insightful)

    by buss_error ( 142273 ) on Tuesday April 06, 2004 @02:29AM (#8777303) Homepage Journal
    This would seem to confirm Virus creators are sharing more code."

    And writing them for the same reason for the same people. Money from spammers. Look how many of those new viruses open back doors for proxies and steal email addresses. I don't think that it is so the virus writers can send love notes anonymously.

  • by segment ( 695309 ) <sil@po[ ] ['lit' in gap]> on Tuesday April 06, 2004 @02:34AM (#8777321) Homepage Journal

    I run a website called politrix of which is my own Sun machine. I recently received the following email and am confused of what to do
    Date: Mon, 06 Apr 2004 12:43:28 -0800 (PST)
    From: root <root! @>
    To: root! @
    Subject: Your Account

    Your account has been suspended due to massive amounts of spam and Mountain Dew spillage on your machine. If you do not open this zip file and click on the password protected zip file you generated, you will suspend your own account.

    Act now this is not a joke of virus! It is as real as Iraq's Weapons of Mass Destruction.

    root! @

    U.S. and Canada: (800) 555-1212
    Outside the U.S. and Canada: +1 (212) 555-1212
    Can someone please link a book on common sense so I can buy it to figure out why I am suspending my own account. Please hurry! Currently I am writing to this poor man in Africa who's promising me a couple of cool millions, so when I become rich, I will reward you handsomely.
  • by henrypijames ( 669281 ) on Tuesday April 06, 2004 @02:38AM (#8777337) Homepage

    In a way, the antivirus industry always reminds me of the nobel profession of arms dealing. On the table you provide your clients weapens to "defend" themselves and to archieve and maintain peace. Off the table you know the business only flourishes when there is a war. Of course there is always a war, but your interest is in an all-out war. So what do you do if there is no such an all-out war going on? Don't panic, you simply make your clients believe there is one indeed. As soon as they believe you, you win.

    If you don't know what I'm talking about, you shoudl read Vmyths [] more often.

  • by chrysalis ( 50680 ) on Tuesday April 06, 2004 @02:51AM (#8777396) Homepage
    A lot /. readers are not familiar with Windows and may ask what "virus" means in computer science. So in order to better understand this article, here's a short presentation.

    Virus are popular peer-to-peer sharing systems designed and optimized for Windows platforms.
    Great features of these systems over other P2P systems :
    - It's free software, although the license is often missing.
    - They are very well maintained. New versions are released almost every day.
    - They are easy to use : no need for a GUI, no need for a CLI, everything is fully automated.
    - Updates are also automatic.
    - No need to tweak your firewall, popular viruses can work on port 25 using a SMTP-like protocol.

    In order to join this community, you just have to run an installer called "outlook.exe". To improve your experience, the "internet explorer" add-on is also recommended.

    And how handy, the installer and its add-on are part of the vanilla "Windows" installation CD set. No need to download anything and no registration is required. Very convenient.

    Once the installer ("outlook.exe") has been started, an Evolution-like interface pops up. This is bloat, it can be safely ignored. Directly go to the "add contact" panel and fill in email addresses of friends you want to share executable with. Wait a few minutes (check the internet link is ok) et voila, viruses are automatically downloaded, installed and configured.

    You know understand why this p2p system is so popular in the Windows world : easy to install, easy to use, and the operating system keeps a lot of unfixed security holes in order to avoid breaking backward-compatibility with older viruses.

  • by Boinger69 ( 673392 ) on Tuesday April 06, 2004 @02:51AM (#8777397)
    I work in the 'PC Repair' industry, so this article really is of no news to me, as 90% of my business is pulling this garbage, and SPYWARE out of people's systems. I ask you, slashdot, are virus writers slowly getting in bed with these spyware writing scum suckers? More and more I see systems infested with a few nice worms, especially stuff along the lines of "Trojan.Startpage", the usually nastiness (B(e)agle, Netsky,) and TONS of spyware. Is this a sign that the two are going hand-in-hand, or just a giant example of the general idiocy of users. (I'm betting on both) Spybot/Ad-Aware/AVG only go so far. How are the tech-savvy supposed to protect these people? I've even had people try to claim that ad-aware or AVG INFECTED them a second time, because it wasnt there before, and they're system was working fine aside from mass mailing their friends viruses and throwing popups in their faces.

    Will we reach a point when the constant pushing of garbage in users faces will make the internet worthless to the common man?
    • by ender81b ( 520454 ) <<moc.aksarbeni> <ta> <dllib>> on Tuesday April 06, 2004 @04:25AM (#8777667) Homepage Journal
      You know what boggles my mind in regards to spyware/virus'?

      I work tech support at a local isp. We have... a fair number of customers (stupid NDA's). And I would say around 10-15% of our calls are virus/spyware related in at least some way.

      But what is really upsetting is this - how can users (somehow) manage to get 225 pieces of spyware and 42 virus' and then NOT be able to install a anti-virus program or spybot? Jesus Christ. It just... fucks with my head. I can't figure out who's to blame in this one.

      The other thing that is extremely upsetting is the utter lack of responsibility taken on by the computer manufactures in regards to spyware/virus'. Here's the deal. User X gets a new PC with their tax refund. User X puts computer on intarweb. 15 minutes later they get blaster, call me and tell me that "the internet broke their computer, can't be anything wrong with it just bought it blah blah blah blah." And then I go to look and, I'll be dammed, the brand spanking new dell they just bought contains 0 patches. No service pack 1, nothing.

      I'm not sure if it's just dell (I think hewlett packard is the same) but both of these manufactures, for home pc's, ship them 100% unpatched. And, of course, they don't have to deal with the tech support of cleaning off spyware/blaster. It's not like it is even the user's fault. If any of you put winxp on a machine (even with the firewall in xp enabled) that wasn't behind NAT/firewall it will get blaster/wachi/nachi in 10 minutes. There's litterally nothing you can do.

      Can we really blame Microsoft for this one? Or even ther user?

      Allright, I think i'm done venting ;).
  • by mabu ( 178417 ) on Tuesday April 06, 2004 @02:53AM (#8777401)

    The worm/virus explosion is because RBLs are WORKING, and spammers are finding less IP space they can operate from. Their only alternative is to infect client PCs and turn them into proxies. Any mail admin can tell you this is what's happening. RBLs are working. Now if we can get the ISPs to enforce their Terms of Service and shut down compromised PCs, along with the authorities who may at some point get off their lazy asses and start putting some of these spammers in jail, we'd have 99% less virus/worm propagation. Occam would agree. Lobby your District Attorneys to stop prosecuting Tommy Chongs and do something in the public interest and the world will be a better place.
    • by Nonesuch ( 90847 ) on Tuesday April 06, 2004 @03:16AM (#8777473) Homepage Journal
      The worm/virus explosion is because RBLs are WORKING, and spammers are finding less IP space they can operate from. Their only alternative is to infect client PCs and turn them into proxies.
      Most of the malware I run across, and many worms, include payloads to turn infected hosts into either an open proxy or more commonly a "bot" (IRC zombie).

      One (unfortunate) solution to spam from compromised workstations is for mail servers to refuse to accept SMTP messages from hosts in dialup and DHCP address ranges.

      For this I use the Pan-Am Dynamic List (PDL) [].

  • blame spammers (Score:2, Insightful)

    by mankei ( 248730 )
    As more people get broadband, it makes sense for spammers to pay someone to write viruses/worms so that more spam can be sent via the infected computers with fat pipes. It's harder to close down the offenders as there are so many, and difficult to trace back to the culprit. As a bonus they can use the zombies to initiate DDoS attacks against anti-spam sites.
  • It makes me wonder. (Score:4, Interesting)

    by LoveTheIRS ( 726310 ) on Tuesday April 06, 2004 @02:56AM (#8777416) Homepage Journal
    I am running Fedora Core 1 w/ kernel 2.6.4 ... There have been these forrester research findings that linux distributions have about the same amount of dangerous vulnerabilities as Windows. When I took a peek at all I found were vulnerabilities in server services like Open SSL, Squid and etc. Though I know those services are important to Linux's current most successful market (Enterprise Server Market). As a user running Fedora and runing services like: X server, cups, vmware and not having any other users but myself. Do I even need to patch? I mean, like X-server has been around for 20 yrs, can't I assume that it pretty much is safe from an external network attack?
    • Just a point of clarification. The X-Windows system has been around for a long time, but I don't believe that the current, most popular implementation, XFree86 has not been around nearly that long. Also, with each new release comes the chance of an extra bug or two.
  • by Rogerborg ( 306625 ) on Tuesday April 06, 2004 @03:22AM (#8777493) Homepage
    Reports lots of virii. Film at, meh.
  • by Fantastic Lad ( 198284 ) on Tuesday April 06, 2004 @04:17AM (#8777643)
    I don't know which way to jump on this one. . .

    On the one hand, what I see is a 'cool' new trend in virus writing; "Wow! Cool! Like, I can re-script a code which will secure me lots of slave machines! Excellllllent. I want to play, too!"

    On the other hand, it also strikes me as very convenient that the web should be pummeled right now when there is such a push to massively control EVERYTHING and EVERYONE on the planet. --How easy would it be for the fine people in black-ops-secret-shmecret-government to release a few hundred viruses into the wild?

    Pretty damned easy, I'd say. But to what end?

    Simple. Everybody is getting fed up. "Oh, please install new laws which allow us to punish spammers. Oh, please, mighty government, do SOMETHING to control the web so that I can get my email!"

    The internet, at the moment, is THE prime source of real information and world-wide communication. You can say here, out in the open, "BUSH IS A LIAR AND A CRIMINAL" And link to a hundred sites which explain -with detailed evidence- exactly why this is so.

    Fascist governments don't appreciate this. Machiavelli recommended the swift destruction of dissidents who speak such things, in order to control a kingdom.

    230 new script kiddies a month releasing malignant code into the wild, or a handful of unimaginative agents bent on pissing everybody off so much that they start begging for leashes?

    I don't know. But it wouldn't surprise me in the slightest to find out that the assholes -once again- are in charge.


  • by Anonymous Coward on Tuesday April 06, 2004 @04:22AM (#8777659)
    Anti Virus makers are among the more profitable companies around, sure that they want to make it look like this is a gigantic threat.

    Companies that ...

    * Use a firewall
    * Enforce the use of "RunAs" for all critical operations
    * Dont use Outlook

    Avoids 99.999999 % of all of viruses
    • Equally as important:

      * Poke any Windows user in the eye with a sharp stick if they leave "Hide file extensions for known file types" set in Explorer.

      * Force Windows users to understand that (with file extensions visible), .bat, .com, .exe, .scr, etc are things that should not be run from email attachments unless they are DEFINITELY trusted sources.

      With those two things and the three you've stated above, there would be little or no need for virus scanners...

  • Solutions to viruses (Score:4, Informative)

    by jonwil ( 467024 ) on Tuesday April 06, 2004 @04:32AM (#8777688)
    .better scanning of mail on mail servers combined with better tools for doing that scanning (systems that send "you have a virus" crap are almost as bad as the viruses themselves)

    hooks built into windows to detect "potentially nasty" behaviour (for example, modifying a system file, modifying winsock settings, changing the hosts file, making something start at startup, changing the IE homepage etc). When detected, one of 3 things will happen:
    1.the action will be completly blocked (if its on a network with central policies and has this blocked) will ask you for the administrator password (if you are not an administrator or if the system has been set up to ask you even if you are admin)
    or will pop up a nice warning to warn you that what this program wants to do could be bad.

    Then, you can either allow it or deny it, depending on the settings.
    If you deny it, windows would return an error to whatever program wanted to do it (e.g. if the program called RegCreateKey to create a key, it would return "cant create key" or if you called CreateFileEx to open the file, it would return "cant open file")

    Plus, ideally, you would be able to add (but not remove the built in ones) new folders, files and registry keys to the "warnings" list. So for example you could have a writable file share on your system but if someone wanted to write to it, it would ask you first. Or on a network, the admin could block changing the desktop background.

    Also, you would (ideally) be able to specify which events to block completly and which events to just warn for.

    This alone would be a great help at stopping viruses and spyware.

    Also, ISPs should firewall ports used by viruses at the ISP level (this includes ports like SMTP ports used by spam trojan zombies). If you do need one of those ports for legitimate use, they can unblock it. That would help stop trojans and zombies taking up valuable bandwidth (both the users Bandwidth and the ISPs Bandwidth)

    Plus, email clients should be modified to not run scripts (better yet, get rid of HTML email completly, its mostly used for SPAM, viruses, scams and crap anyway plus it guzzles more bandwidth than regular text)

    These things would:
    1.make it harder for spyware/viruses to run automaticly
    2.make it harder for spyware/viruses to do nasty things without your concent
    3.make it harder for viruses to carry out their payloads (e.g. sending SPAM, DDOS attack etc)
    4.make it harder for viruses to get into the inboxes of the cluless n00bs in the first place. And since they dont get notified about the removed virus, they never even know they recieved one.

    Also, another (more drastic) step that would work for networks like corporate networks, university networks and such would be to lock anyone who has a virus or whatever out of the network untill they have cleaned their machine. Having a central copy of a toolkit of programs (such as Norton System Works and mabie others) and making them available to people locked out of the network would be a good thing to go with this point (so that when someone goes to central IT and says "my computer says I have been locked out of the network because I have a virus", central IT can hand them a CD with the latest most up-to-date recovery tools on it (anti-virus etc) and a simple set of instructions on how to clean their machine with it.
  • I know I've felt it (Score:4, Interesting)

    by Mr Z ( 6791 ) on Tuesday April 06, 2004 @04:40AM (#8777710) Homepage Journal

    In the last month and a half, I've literally received about 2 gigabytes of virus/worm mail in my UNIX-based mailbox. (Actually, it's an AIX box at my ISP.)

    Anyway, I noticed that most of these come from a rather small set of "From:" addresses, and my (now cancelled) email address,, was one of them. Did any of you receive large quantities of email wastage with that forged "From:" address?

    Here's a short list of forged From: addresses I saw repeatedly on these virus/worm spam, in decreasing order of occurrence:

    • LI>

    I noticed got hit pretty hard, as did Jeff Garzik! I think they must've scraped these out of the SiS900 driver in the Linux kernel. []

    I'm regretting that suggestion I made to Ollie on how to speed up his CRC routine.

  • by SgtChaireBourne ( 457691 ) on Tuesday April 06, 2004 @05:21AM (#8777823) Homepage
    What's worse?
    • an unprecedented level of (MS-related) virus alerts, or
    • the fact that these viruses only affect one line of products from one manufacturer, or
    • the fact that the press gives no coverage of platforms and applications that are immune?

    Yes, OS X, BSD, and the various Linux distributions (i.e. Debian [], Mandrake [], SUSE [], or RedHat [] ). All easy to install, all easy to maintain, all easy to use. OS X comes pre-installed by the OEM and an increasing number of Linux distros are, too.

    Furthermore, the layered structure of the OSes and separation of privileges means that these are resistent to future viruses as well as immune to those available today. Yes, apologists and astroturfers like to ignore that as well as blame users. But even if, and that's a big if, market share has more effect than design flaws, it will take quite some time for the virus activity to shift and during that time, businesses and users have come out ahead. Right now, die hard ideologs who refuse to drop a defective product are costing billions of dollars per quarter [], a not insignificant number when you think how many jobs could be kept rather than downsized or outsourced in these increasingly bad economic times for the U.S.

    How about a little focus? The title should have been "An Unprecedented level of MS Virus Alerts" and steer users off of the hamster wheel. From easy to hard, these are just a few of the many options:

    1. Use WordPerfect, StarOffice or OpenOffice instead.
    2a. Use Eudora, Evolution, or Pine instead.
    2b. Use Mozilla, Firebird, or Opera instead.
    3. Use one of the above resistent / immune OSes instead.
  • by mclove ( 266201 ) on Tuesday April 06, 2004 @05:21AM (#8777825)
    Here's a new anti-virus idea I came up with just now, I'm not sure if anybody else has thought of this before or not but here goes:

    Network admins and ISP's would basically add a "poison e-mail address" to a user's address book (and possibly spoof a few old/sent messages with this address as the sender/recipient). Every user's poison address would be unique, and it would only be used for this virus-prevention system. The name/address/other fields would be populated with random data and the user would be told not to delete this entry from their address book for any reason.

    Whenever an e-mail was sent to that poison address, the network administrator (and possibly the user as well) would receive a plaintext, PGP-signed e-mail (with a plaintext URL that they could visit to further authenticate it) informing them that they had a virus; better yet, they could temporarily be disconnected from the network altogether.

    Implementing this system would be very easy, a little bit of extra code on an e-mail server and automatically-generated .vcf files for the initial distribution to users. It would protect even against new and undetected viruses, would work *immediately* to prevent an outbreak from spreading, and would be next to impossible for virus writers to circumvent; a dictionary-based algorithm for generating random addresses/names could make it nearly impossible for a virus to skip the poison address, and no amount of clever social engineering or code morphing or hacking around a corporate e-mail filter would do any good.

    Am I missing something or would this make a major dent in the e-mail virus problem?
  • by Matey-O ( 518004 ) * <> on Tuesday April 06, 2004 @08:02AM (#8778296) Homepage Journal
    Are sharing code, then it stands to reason that keeping your system proactively patched protects you from more and more virii.

    It's getting to the point at the office that all new virii noise on the IDS box is laptops coming in from the VPN. I can see a spike in traffic from one laptop, which gets reported to the Help Desk for cleaning, and the net result to the rest of the (properly patched) network sees NO negative result.
  • by Tuxedo Jack ( 648130 ) on Tuesday April 06, 2004 @08:28AM (#8778432) Homepage
    I admit, I use Windows, but I'm migrating to Mandrake, so lighten up here if this sounds like the typical "pissed-off ex-Windows user."

    If you're a tech, and you do work on people's PCs, tell them about these. There is no excuse not to have these measures implemented on each and every PC in the world.

    1: Routers. If you have a broadband connection and _any_ box, be it Windows or Linux, there is no damn reason _not_ to have a router with the newest firmware revisions and a _changed_ administrative password (not admin/admin like on so many Linksys WLANs I've found on my PubTrans rides home). It will stop about ninety-nine percent of outside attacks at that level.

    Even a cheap-ass Linksys BEFSR41v3 will do wonders to stop outside attacks ($50 at Fry's, by the way). I know; I'm running one of those on my home LAN.

    2: Remove IE/OE or keep them from integrating into the kernel in any way, shape, or form. As is, they're too tightly twined with explorer.exe and as such, that open the door for a _world_ of pain (CoolWebSearch, anyone?).

    Recommended alternatives: Firefox (though it has issues with PDFs in Windows), K-Meleon, Opera, Firebird, Mozilla, Eudora (light mode _ONLY_ unless you're going to pay for it; it included Cydoor spyware in earlier versions), Thunderbird, et cetera.

    3: Get a decent antivirus program and software firewall in addition to your external measures. Grisoft's AVG is free and it updates on pretty much a daily basis, and ZoneAlarm is free if they don't want something better (like a spare AIX UNIX box between their machines and the Internet).

    That's enough for the casual home user.

    Hell, if you don't protect your PC, you don't deserve to have it.

No extensible language will be universal. -- T. Cheatham