
Virus Creators Sharing More Code

timothy posted more than 10 years ago | from the therefore-a-witch dept.

Security 205

arpy writes "The Washington Times is carrying a report on a 5% increase in publicly available virus code in 2003 (based on a Symantec report). There are now about seven versions of MyDoom, and at least 14 each of Netsky and Beagle. Explains why my email account is overloaded with these little bastards. PC World is reporting changes in the countries that viruses are originating from: Australia shot from 14th place to 5th over the last six months of 2003! The source of these stories seems to be the March 2004 Symantec Internet Security Threat Report." (This last requires registration to download.)


205 comments


FP? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8588119)

FP?

Now that there is more code available... (5, Funny)

djeaux (620938) | more than 10 years ago | (#8588120)

...when will someone write a worm that infects vulnerable Windows (or Linux, for that matter) boxen & surreptitiously applies all the latest security patches, cleans out the mal-ware & defrags the hard drive?

The folks whose machines are that vulnerable probably need a little "housekeeping" help...

Re:Now that there is more code available... (5, Funny)

Necrobruiser (611198) | more than 10 years ago | (#8588167)

applies all the latest security patches, cleans out the mal-ware & defrags the hard drive?

What? And put all of us MCSEs out of work?

Damn. I knew my job was gonna get outsourced....

Re:Now that there is more code available... (5, Funny)

Anonymous Coward | more than 10 years ago | (#8588625)

Damn. I knew my job was gonna get outsourced....

Suddenly all of those "go away or I will replace you with a very small shell script" t-shirts start to make a lot more sense...

Re:Now that there is more code available... (4, Insightful)

Nurseman (161297) | more than 10 years ago | (#8588177)

...when will someone write a worm that infects vulnerable Windows (or Linux, for that matter) boxen & surreptitiously applies all the latest security patches, cleans out the mal-ware & defrags the hard drive?

Didn't someone try that with This Worm [symantec.com]?

I don't like the idea of someone running code on someone else's machine, even if they are a clueless newbie.

Re:Now that there is more code available... (4, Informative)

eraserewind (446891) | more than 10 years ago | (#8588375)

Yes, and it caused more damage than the one that it was supposed to be protecting you against. It was the only worm/virus so far to cause a global outage in the company where I work.

Re:Now that there is more code available... (0)

Anonymous Coward | more than 10 years ago | (#8588531)

Why did it cause damage?

Re:Now that there is more code available... (5, Insightful)

PhrostyMcByte (589271) | more than 10 years ago | (#8588213)

I've seen a few viruses that do this. One was written from the MyDoom worm, and patched the hole after using it to get in.

While the person who wrote it had good intentions, the network traffic turned out to be devastating for some businesses, and caused more trouble than leaving it alone would have.

Not to mention, it is still illegal. Just like going into a sub7 zombie to remove the trojan that is ddosing you is illegal.

Re:Now that there is more code available... (5, Interesting)

SpaceLifeForm (228190) | more than 10 years ago | (#8588224)

Well, now Microsoft plans to have a Windows machine automagically download and patch itself. [informationweek.com]

"The key for customers is getting these patches down," Muglia says. "The biggest issue right now is that when we issue a patch, it can take them weeks to get it installed after they're done testing it. We want it done right away."

Yeah, right. The customer is not going to test first because Microsoft says it's ok?

But it probably won't defrag the hard drive. As for cleaning out the mal-ware, can anyone tell the difference between the OS and 3rd party stuff?

Re:Now that there is more code available... (0)

Anonymous Coward | more than 10 years ago | (#8588362)

The customer is not going to test first because Microsoft says it's ok?

That's not what he said. Read it again.

Re:Now that there is more code available... (3, Informative)

devnull17 (592326) | more than 10 years ago | (#8588674)

As for cleaning out the mal-ware, can anyone tell the difference between the OS and 3rd party stuff?

Not without gaining a pretty good knowledge of Windows internals. Once you've been, um, blessed with such a gift, it becomes pretty obvious what's real and what isn't, at least as far as processes and services go.

That's only useful in diagnosing major problems, though. (Like when MSBlaster went around.) And cleaning things out completely is really tough: most malware automagically respawns all of its components unless you manage to remove all of them simultaneously, and I've even seen tricks played with filehandles that can't be closed without rebooting, upon which everything is reinstalled. Generally, I just run Ad-Aware about once a week. Why spend so much time scouring your machine and googling filenames when there's cheap or free software to do it for you?

Re:Now that there is more code available... (5, Funny)

O2n (325189) | more than 10 years ago | (#8588240)

Actually the danger is not the 5% more virus code available, it's more about the 35% more windows [slashdot.org] code on the loose.

Re:Now that there is more code available... (1, Interesting)

webtre (717698) | more than 10 years ago | (#8588302)

think welchia but downloads from other "infected" machines other than one central location

sorry microsoft

How do you know it hasn't been done? (1)

A nonymous Coward (7548) | more than 10 years ago | (#8588349)

You said "surreptitiously" ... how do you know it hasn't been done? Maybe just one of the good guys floating around can't clean up PCs faster than the bad guys release new viruses.

Re:Now that there is more code available... (4, Insightful)

segment (695309) | more than 10 years ago | (#8588430)


It's been done. What I don't understand is why most antivirus software does not scan after installing an update by default. It would also be nice if Microsoft were to take the time to make some form of "Joe Average" tutorial explaining to their users why they become infected, often leaving it up to sysadmins, network engineers, etc., who deal with the users and often take on the role of "Microsoft Antivirus Engineer". I would be curious to see some statistics on how much money is lost (real hard facts) by businesses such as Internet Service Providers and other vendors who have to waste time explaining to people what is going on, what a spoof is, and why it's pretty much delegated, 99.999999% of the time, to Microsoft.

MS should spend some money doing some quick media for the not-so-clueful to explain why management@whitehouse.gov wants them to open foo.zip. Sure people should be more aware, but that's not going to happen to avgjoe, and sally homemaker who spends a total of 2 hours a week on a machine to answer an email from her son in college.

Re:Now that there is more code available... (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8588481)

I don't know, maybe because the last 5 big viruses were NOT SECURITY HOLES! They preyed on user stupidity to click a file that would execute. The same thing could and would happen in Linux if someone wrote a virus for it.

Clue in, thanks.

Retro Virus (1)

mrnick (108356) | more than 10 years ago | (#8588682)

Well, sounds like a good idea but I think such a program would more aptly be called a retro virus.

Nick Powers

UGH previous message went to wrong place (1)

mrnick (108356) | more than 10 years ago | (#8588703)

Sorry about that! my BAD!

Nick Powers

Antivirus Advantage (5, Interesting)

ziondreams (760588) | more than 10 years ago | (#8588126)


Wouldn't the open source of these viruses be an advantage to the Antivirus folks? (Symantec, Norton, etc.) I mean, if they know the basics of the virus, wouldn't it be easier to defend against them? (I don't have much experience in the realm of viruses...just curious!)

Re:Antivirus Advantage (4, Insightful)

millahtime (710421) | more than 10 years ago | (#8588154)

"Wouldn't the open source of these viruses be an advantage to the Antivirus folks? (Symantec, Norton, etc.) I mean, if they know the basics of the virus, wouldn't it be easier to defend against them?"

I don't believe it's a problem where the antivirus software can't detect and do something about them but more of a fact that many computers aren't up to date on virus definitions, have many security holes and the like. If you keep Norton Antivirus up to date sure it can detect them but if it hasn't been updated in 2 years you're screwed and there are many people with computers like that.

Re:Antivirus Advantage (5, Insightful)

whaley (6071) | more than 10 years ago | (#8588313)

There are probably more script kiddies out there who could create a 'new' virus from the source code than there are antivirus analyzers who have trouble unpacking & disassembling a new virus.

About not updating antivirus, well when people get a Norton Antivirus (with 60-day subscription) with their new pc, they're bound to assume it will still do its job after those 60 days.

The good thing is that more and more ISPs are using scanners like ClamAV to scan mails before they reach the customer.

Re:Antivirus Advantage (4, Insightful)

RailGunner (554645) | more than 10 years ago | (#8588198)

Wouldn't the open source of these viruses be an advantage to the Antivirus folks? (Symantec, Norton, etc.) I mean, if they know the basics of the virus, wouldn't it be easier to defend against them? (I don't have much experience in the realm of viruses...just curious!)

Well, yes, the open source nature of the virus would help the anti-virus folks. Just like a compressed-air nail gun can help you build a house faster. But.. what good is any tool if you don't know how to use it? Why is my inbox flooded with the "I send you this file" virus? Because, even though the AV folks do a good job of killing viruses, most people are too stupid to realize that they need to update the signature files for the scanner to remain effective. These same folks are the ones that are too stupid to realize that you shouldn't open up email attachments without scanning it first, and making sure it was expected.

The blame for virus propagation tends to exist between the chair and the keyboard...

The blame for viruses (5, Insightful)

Baron_Yam (643147) | more than 10 years ago | (#8588367)

Users are generally like people who leave their car unlocked and then complain that their radio is missing when they get back.

Yes, they're stupid, but in the end the thief is the guilty one.

Virus writers are a great justification for the total elimination of privacy on the Internet. Imagine if you could use ISP logs to trace a virus right back to the first transmission, and then to the source. You could find the prick, drag him to the city limits, and dangle his corpse from a tree as a warning.

Sadly, while I wouldn't mind executing the jerks who assault our information infrastructure, I do value my semi-privacy.

Re:Antivirus Advantage (0)

Anonymous Coward | more than 10 years ago | (#8588244)

ummm, many of these "viruses" are open source. instead of just running the attachment, try looking at it in an editor.

The easiest method is with signatures (1)

SmallFurryCreature (593017) | more than 10 years ago | (#8588671)

This is basically just looking at a file and seeing if it has the same fingerprint as a known virus. Just like fingerprints it only works when a match is found in your database/virus definition file. If I take your fingerprints I can match them against the police database to see if you are known. It tells me if you are a known criminal. It does not tell me if you are a new criminal/virus.

So a new virus can only be detected when it is discovered and its signature put into your database. This takes time. Since modifying the signature is easy to do each new version of MyDoom requires a new signature and therefore an update.

The other method is to look at patterns in the code but this is a lot harder.
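
The fingerprint model just described, as an added example that is not code from this thread or from any antivirus product: a minimal byte-signature scanner over a constructed definition list, with the public EICAR test string as the known sample. It walks the lifecycle the post describes: the known sample is flagged, a variant with one byte changed inside the fingerprint is not, and only a definition update followed by a fresh scan catches it.

```python
from dataclasses import dataclass
from typing import List, Optional

# The public EICAR test string: a harmless file every scanner is expected to flag.
# In a Python bytes literal the backslash in "[4\PZX54" must be doubled.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass(frozen=True)
class Signature:
    name: str                      # detection name reported to the user
    pattern: bytes                 # byte sequence that identifies one known sample
    offset: Optional[int] = None   # None: anywhere in the file; int: exactly at that offset


# Constructed "virus definition file" for this example (not a real vendor database).
DEFINITIONS: List[Signature] = [
    Signature("EICAR-Test-File", EICAR, offset=0),
    # Constructed byte pattern standing in for a real worm's signature; not a real IoC.
    Signature("Example.Worm.A", bytes.fromhex("9090e8000000005b81eb")),
]


def scan(data: bytes, definitions: List[Signature] = DEFINITIONS) -> Optional[str]:
    """Return the first matching signature name, or None.

    None only means "not in this database": an unseen variant also returns None
    until a definition for it exists, which is the limitation the post describes.
    """
    for sig in definitions:
        if sig.offset is None:
            found = sig.pattern in data
        else:
            found = data[sig.offset:sig.offset + len(sig.pattern)] == sig.pattern
        if found:
            return sig.name
    return None


def add_definition(definitions: List[Signature], sig: Signature) -> List[Signature]:
    """A definition update: the only way a pure signature scanner learns a new variant."""
    return definitions + [sig]


def variant_of(sample: bytes, index: int) -> bytes:
    """Constructed 'new variant': the same sample with one byte inside the fingerprint changed."""
    buf = bytearray(sample)
    buf[index] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    """Known sample vs. variant, before and after a definition update."""
    db = list(DEFINITIONS)
    original = EICAR + b"\r\n"          # the known sample as it sits on disk
    variant = variant_of(original, 5)   # one byte differs inside the fingerprinted region
    before = {"original": scan(original, db), "variant": scan(variant, db)}
    # The vendor sees the variant and ships a definition for it; a re-scan is needed
    # for the update to do anything, which is the point made elsewhere in this thread.
    db = add_definition(db, Signature("EICAR-Test-File.B", variant[:len(EICAR)], offset=0))
    after = {"original": scan(original, db), "variant": scan(variant, db)}
    return {"before_update": before, "after_update": after}


if __name__ == "__main__":
    print(demo())
```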

Ballmer & Gates are right (5, Funny)

Anonymous Coward | more than 10 years ago | (#8588131)

Open Source software really is viral!

GPL (1, Interesting)

millahtime (710421) | more than 10 years ago | (#8588195)

I wonder if you could get a license for a virus under the GPL???

Re:Ballmer & Gates are right (3, Funny)

tangent3 (449222) | more than 10 years ago | (#8588623)

Notice the article mentioned that virus writers are *sharing* source codes, not *opening* source codes. That means they are using the SharedSource(tm) concept, not open source! Now I wonder who came up with this SharedSource thing....

I for one (3, Funny)

Anonymous Coward | more than 10 years ago | (#8588133)

salute our new scr1pt k1dd13 overlords

Re:I for one (0, Flamebait)

relrelrel (737051) | more than 10 years ago | (#8588193)

How on earth do you figure that virus writers are "scr1pt k1dd13", that's pretty moronic by definition.

If they're clever enough to code a virus, then they're not scr1pt k1dd135.

Re:I for one (1)

gowen (141411) | more than 10 years ago | (#8588571)

But if they rely on someone else's code to write a virus they are script kiddies (which is what this article is about). That's pretty much the definition of a script kiddie; people who use others' scripts to cause damage because they haven't the brains to do it themselves.

My contribution to the Virus community (0, Funny)

Anonymous Coward | more than 10 years ago | (#8588137)

msgbox("you have a virus")

Re:My contribution to the Virus community (0)

Anonymous Coward | more than 10 years ago | (#8588239)

For Windows, that'd be (from a command prompt):

net send (pc_name) You have a virus.

Hours of fun.

Re:My contribution to the Virus community (0)

Anonymous Coward | more than 10 years ago | (#8588584)

Hum. That's not very scary. Now this is scary:
Agent1.Characters.Load('virus', 'Clippit.acs');

MyCharacter := Agent1.Characters['virus'];
MyCharacter.Show(0);
MyCharacter.Set_SoundEffectsOn(True);
MyCharacter.MoveTo(LogoAppForm.Left+50, LogoAppForm.Top+200, 100);
MyCharacter.Play('Wave');
MyCharacter.Speak('You''ve got Clippy virus!', '');
MyCharacter.Play('Greet');
MyCharacter.Play('RestPose');

Biggest virus with shared source code (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8588138)

That'd have to be Linux.

Re:Biggest virus with shared source code (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8588370)

all GPL code is viral

Re:Biggest virus with shared source code (0)

g0dfath3r (538412) | more than 10 years ago | (#8588501)

"all GPL code is viral" Your windows b0xen will be assimilated.. resistance is futile.

Open Source bad? (3, Funny)

Talence (4962) | more than 10 years ago | (#8588142)

Looks like we found at least one area where going the Open Source route is bad :-)

Re:Open Source bad? (1)

PhrostyMcByte (589271) | more than 10 years ago | (#8588265)

Don't give Ballmer ammo. The GPL is already viral, imagine the new "evidence" he and Gates could present to all the countries switching to OSS.

Doesnt mean too much trouble (5, Insightful)

moberry (756963) | more than 10 years ago | (#8588144)

Any little kiddie who is going to copy a virus and change some code around isn't going to get very far, because the virus scanner is still going to pick it up. It would involve major changes to change the virus enough for the scanner not to pick it up as the original virus. Just look at the last few variants of MyDoom, they hardly made a dent. As long as end users have updated scanners it should not pose as much of a problem.

you're wrong (5, Insightful)

segment (695309) | more than 10 years ago | (#8588301)


they hardly made a dent. As long as end users have updated scanners it should not pose as much of a problem

Obviously you probably are not in the system administration field, ISP field, or anything similar. Right now I work in the ISP field, and you have no idea of the nuisances caused by the same repetitive viruses going on right now. Try explaining to Joe Blow common users why they're receiving messages from management, staff, security@someisp.com telling them their account will be terminated if they don't open foo file. Most don't know what a spoof is, and most don't understand why their dial up connections are now giving them errors.

Along with antivirus software, some of which goes through autoupdates, try explaining to users why they need to run their antivirus software after an update. See most people outside of the geek world would believe that an autoupdate from Symantec, or McAfee or others is automagically going to take care of itself, and it's not. Sure people here may know, but not everyone is Top Geek.

Whenever I talk to friends who don't know much about computing I try to liken it to human diseases and medicine, and those vaccination shots Americans have to take as kids going to school: "If you had diabetes you need insulin, if you go to the pharmacy and get that insulin but bring it home and put it on the table, you're doing nothing. Think of an autoupdate from an antivirus company as doing just that. You got the medicine now, why leave it on the table. You have to use it." Most of the time they understand afterwards and ask silly things like well why doesn't the program do it itself. Some antivirus software does after some configuration, some doesn't.

For anyone to think that someone outside of computing is going to have an understanding of this, you're wrong. If this were the case, there would be no more viruses. People are too trusting and naive sometimes, and no antivirus software is not going to detect anything. Has anyone not seen viruses that disable firewalls and antivirus software altogether? Because I know I have dealt with people becoming infected with such. You can't base your experience with that of Joe Blow, it's apples and oranges.

just waking... (2, Insightful)

segment (695309) | more than 10 years ago | (#8588353)


Let me clarify this since I'm just waking up...

no antivirus software is not going to detect anything. I meant to type, no antivirus software is going to detect EVERYTHING. If this were the case, newer versions of Netsky and Bagel would get by, which is why most virus makers tweak code little by little, and another variant becomes a nuisance. Netsky and Bagle prove this. Right now there are who knows how many variants of it.

Re:Doesnt mean too much trouble (1)

Haydn Fenton (752330) | more than 10 years ago | (#8588537)

"It would involve magor changes to change the virus enough for the scanner not to pick it up as the orignal virus"

Not true. Although I may be wrong, I was under the impression that the majority of AVs use a 'signature' to detect virii (in executable form). By signature I mean the AV checks a certain set of bytes in the program, say six or so, in a certain place.

After reading an article on AV software a while back I have a fairly good understanding of how to get around those checks (I won't explain completely for obvious reasons) but it involves finding and changing the order of those signature bytes so the program functions in exactly the same way yet isn't detected by the AV. The article went into much more depth and made it easy for most people to bypass AV detection.

The article is probably a couple of years old by now and that technique may no longer work, just thought it was worth a mention.

"Publicly available" virus code? (0)

Anonymous Coward | more than 10 years ago | (#8588147)

Um... isn't wide public exposure kind of the point of a virus?

uh oh ... (5, Funny)

Average_Joe_Sixpack (534373) | more than 10 years ago | (#8588156)

"Virus Creators Sharing More Code"

Does this mean Norton and McAfee are going to merge companies ?

Re:uh oh ... (0)

webtre (717698) | more than 10 years ago | (#8588347)

laugh all you want but that would be the scariest day of my life (other than SCO winning litigation)

Perhaps there should be an award (2, Insightful)

spidergoat2 (715962) | more than 10 years ago | (#8588162)

For the creators of an original virus. It might be a little incentive for these people to at least come up with something new......... Nah, never mind.

Re:Perhaps there should be an award (1)

thedillybar (677116) | more than 10 years ago | (#8588365)

In other news, Microsoft has announced a new competition for who can send out the most spam mail in a 24-hour period...

Each team will be allowed 48 hours to hack the hell out of every machine on the planet, followed by a 24 hour period when the mailing must actually occur.

Prizes are yet to be determined.

You want some viral code? (2, Funny)

ObviousGuy (578567) | more than 10 years ago | (#8588163)

Download Linux. It's one virus you'll be glad you caught.

They don't have to give it away to share (5, Insightful)

31415926535897 (702314) | more than 10 years ago | (#8588173)

The nature of most viruses and worms means that they are shared quite ubiquitously. If you have received any of these viruses, then you have the code that makes them work. It's not hard to reverse engineer most code, and it's even easier if the language is something like VB script.

I remember getting the Anna Kournikova virus 4 years ago and just inspecting the script to see exactly how it worked. It would not be tough for a script kiddie to take that and modify it enough to get past virus filters. I'm sure there is virus code sharing, and I'm sure it's increasing, but if you really want to get your hands on the code, the author doesn't even need to intend to share it, he already has!

never seen a virus in my entire life (0)

mec_cool (757885) | more than 10 years ago | (#8588181)

the only time I installed an anti virus, it whipped my hard drive. Since then I decided never to care about viruses again and I've never seen any. Any similar experiences among /.ers ?

Re:never seen a virus in my entire life (1)

Professr3 (670356) | more than 10 years ago | (#8588207)

McAfee ate all my security tools. Bummer. Now, I turn it off whenever I run something like nMap.

Just because you don't see... (2, Informative)

Denyer (717613) | more than 10 years ago | (#8588210)

...one doesn't mean you've never been infected.

Re:never seen a virus in my entire life (2, Insightful)

Anonymous Coward | more than 10 years ago | (#8588219)

I've sworn by that policy for a long time, I checked it not too long ago, and guess what? No viruses. I've come to the conclusion that anybody with moderate computer sense is, to a degree, invulnerable.

Re:never seen a virus in my entire life (2)

dolphinling (720774) | more than 10 years ago | (#8588250)

Pretty much the same here. Don't bother with Anti-virus if you're smart enough not to need them. Firewalls, though, are a must if you're on Windows, as network security holes don't require any stupidity on your part at all to exploit.

Re:never seen a virus in my entire life (1)

mec_cool (757885) | more than 10 years ago | (#8588269)

no firewall either here... sometimes I wonder if the popup crap that populates my computer is a virus ?

Re:never seen a virus in my entire life (1)

spectrokid (660550) | more than 10 years ago | (#8588311)

So that is you who is sending me all these "I have your password" emails?

Re:never seen a virus in my entire life (3, Funny)

HarveyBirdman (627248) | more than 10 years ago | (#8588457)

>the only time I installed an anti virus, it whipped my hard drive.

Pffft! Silly rabbit! You were supposed to set it to puree.

>Since then I decided never to care about virus again and I've never seen any.

Must be some quantum thing.

>Any similar experiences among /.ers ?

My hard drive once crashed, and in the random noise I found a sequel to King Lear.

Re:never seen a virus in my entire life (2, Informative)

nolife (233813) | more than 10 years ago | (#8588492)

I've used antivirus software and have for the last 10 years on my home network (4 heavy internet users using broadband including 2 young teens who will download anything) and the only "virus" I have EVER seen was the eicar test file for my own testing. I did get a few emails to my hotmail and yahoo accounts recently with those password protected zip files but that was it. I get spyware and spam but not viruses or worms.

5% increase in publicly available virus code (4, Insightful)

henrygb (668225) | more than 10 years ago | (#8588192)

5% is not very much in one year. "Virus code will double in 14 years" does not make much of a stunning headline compared with Moore's Law or spam rates of increase.

It suggests that anti-virus programs should be able to cope (if people bothered to use them).

Learning from nature (4, Interesting)

dpilot (134227) | more than 10 years ago | (#8588203)

Over the past several years we've learned that bacteria (and even plants?) can be 'promiscuous' about sharing useful genes, such as antibiotic resistance. Software is just catching up.

To continue to stretch the metaphor, apparently the immune system is keyed to stereochemistry of surface molecules. Change surface molecules, fool the immune system until it adapts. Spam has been taking this approach, injecting random text in an attempt to fool Bayesian filtering. No doubt virii will learn the same trick. (Break code into mini-object modules, and use a randomizing link-edit step, for instance.)

Re:Learning from nature (1, Insightful)

Anonymous Coward | more than 10 years ago | (#8588386)

Virii aren't learning shit, humans are.

Re:Learning from nature (2, Informative)

mjh53 (186864) | more than 10 years ago | (#8588466)

polymorphic viruses did this many many years ago. worms on the other hand, and the recent VB junk presumably are relearning what the ASM writers thought up all that time ago.

I don't have any. (4, Funny)

dj245 (732906) | more than 10 years ago | (#8588205)

Explains why my email account is overloaded with these little bastards.

You must have lots of friends and/or family. I suggest you get a lesser life form companion and lose all ties to other sentient beings. Especially dumb ones with computers.

Re:I don't have any. (1)

GNUman (155139) | more than 10 years ago | (#8588536)

I know you're joking =) However, I haven't gotten ONE single Beagle, Netsky or MyDoom. And I do know lots of people.

Neither have our clients, though we do have thousands [virus] reported blocked on our e-mail server. I guess it just depends on how well you configure your mail server and antivirus.

On a side note, I also have several accounts on hotmail and yahoo, and I haven't gotten any on them either. OTOH, maybe all my complaining to my friends/family about stupid people opening attachments indiscriminately (sp?) and using outlook is finally working!

I wonder... (2, Funny)

lofoforabr (751004) | more than 10 years ago | (#8588211)

if this "virus writers sharing more code" has something to do with the recent windows source code leak.
I mean... if windows source is leaked and widespread, that's gotta be the ultimate virus source code spread in the latest years.

Ladies and Gentleman... WE GOT THEM! (5, Funny)

Anonymous Coward | more than 10 years ago | (#8588217)

It's so obvious.. all we have to do is trick these virus writers into putting some SCO code into one of these viruses. They can put it between /** **/.. it doesn't matter. If they do that, SCO will pursue them to the ends of the earth!

Time for Lan and Megaman.EXE.. (-1, Troll)

PhilippeT (697931) | more than 10 years ago | (#8588227)

to do some NetBattling.

Oh wait, I'm confusing the real world with a Gameboy Advance game again.

Move along nothing to see here.

Re:Time for Lan and Megaman.EXE.. (1)

Pumpernickle (720937) | more than 10 years ago | (#8588248)

Sure there is! Haven't you seen Uplink [ambrosiasw.com] ? :)

No.. (1, Funny)

lukewarmfusion (726141) | more than 10 years ago | (#8588238)

Explains why my email account is overloaded with these little bastards.

Your account is overloaded because your mail server sucks. Don't you have a virus scan?

I don't get any virus emails at all. Hmm.

Time to update the antivirus model? (5, Interesting)

serene.geek (674420) | more than 10 years ago | (#8588255)

Slightly OT, but part of the frustration of this huge spike in virus activity for me is the fact that our antivirus product is still based on a model that is becoming outmoded. The old model strives to protect against situations in which viruses are piggybacking on legitimate content that someone actually wants. As a result, its strength is:

1. Detect

2. Clean

3. Deliver if cleaned

4. Quarantine if not

Problem is, about 99% of viruses that have come into our firm in the last 6 months have been nothing but virus - no legitimate content. Despite this, our antivirus tool has no option to use its 'knowledge' of the 100% illegitimate messages and simply delete these outright.

In order to avoid the possibility of quarantining legitimate content, we are still detecting and cleaning, which still lets hundreds of confusing messages through to the users.

I know there are other products which will eliminate this kind of traffic altogether, but it seems to me that a few minor changes to (at least our) current antivirus products could dramatically improve the situation for us.

Are the other major mail-server based "pure" antivirus products any better than McAfee?

Trend Micro's ScanMail with eManager - MUCH BETTER (0)

Anonymous Coward | more than 10 years ago | (#8588403)

Blows McAfee and Norton out of the water. I can't believe it's not more well known than it is, maybe because it is a little pricier. But then McAfee and Norton have been jacking up their prices higher and higher with every new wave of Microsoft viruses that hit the Internet too.

We're blocking MS executable attachments like BATs, CMDs, PIFs and SCRs, scanning the crap out of EXEs and ZIPs, and now using eManager spam rules to filter out most worm-bearing emails since their subject lines and bodies contain matchable text patterns.
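
The detect / clean / deliver-or-quarantine model from the parent post, with the fourth outcome it asks for (delete a message that is nothing but virus) and the extension blocking and subject-pattern filtering mentioned in this comment, as an added example in Python that is not code from this thread or from any vendor's product. The blocked-extension set is the one listed above; the lure pattern and the sample messages are constructed, and the scanning engine is a stand-in that only recognises the public EICAR test string.

```python
import email
import os
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from typing import Callable, Dict, List, Optional, Tuple

# Attachment extensions blocked outright, as in the comment above.
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".pif", ".scr"}
# Constructed lure pattern standing in for a vendor's subject/body rules (modelled on
# the "account will be terminated" lure mentioned earlier in the thread).
LURE_PATTERNS = [re.compile(r"account will be terminated", re.IGNORECASE)]
MIN_BODY_CHARS = 20  # a body shorter than this is not counted as legitimate content
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_scanner(data: bytes) -> Optional[str]:
    """Stand-in for the real engine: it only knows the public EICAR test string."""
    return "EICAR-Test-File" if data.startswith(EICAR) else None


@dataclass
class Decision:
    action: str  # deliver | deliver_cleaned | quarantine | delete
    findings: List[Tuple[str, str, bool]] = field(default_factory=list)  # (reason, where, strippable)
    kept_attachments: List[str] = field(default_factory=list)


def decide(raw: bytes, scanner: Callable[[bytes], Optional[str]] = eicar_scanner) -> Decision:
    """Detect, clean, deliver-or-quarantine, plus the missing fourth outcome:
    delete when no legitimate content would be lost."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str, bool]] = []
    kept: List[str] = []
    legitimate = 0  # parts a user might actually want
    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in LURE_PATTERNS):
        findings.append(("lure-subject", subject, False))  # cannot be "cleaned" away
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename:  # attachment: block by extension, then scan; flagged ones can be stripped
            if os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS:
                findings.append(("blocked-extension", filename, True))
                continue
            hit = scanner(payload)
            if hit:
                findings.append((hit, filename, True))
                continue
            kept.append(filename)
            legitimate += 1
        else:  # body part: stripping an infected body would leave nothing to deliver
            hit = scanner(payload)
            if hit:
                findings.append((hit, part.get_content_type(), False))
                continue
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            if any(p.search(text) for p in LURE_PATTERNS):
                findings.append(("lure-body", part.get_content_type(), False))
            elif len(text.strip()) >= MIN_BODY_CHARS:
                legitimate += 1
    if not findings:
        return Decision("deliver", [], kept)
    if legitimate == 0:  # nothing but virus: deleting deprives no one of anything
        return Decision("delete", findings, [])
    if all(strippable for _, _, strippable in findings):
        return Decision("deliver_cleaned", findings, kept)
    return Decision("quarantine", findings, [])  # real content mixed with an unstrippable finding


def build_message(subject: str, body: str, attachments: List[Tuple[str, bytes]]) -> bytes:
    """Construct a raw message for the demo (test data, not captured mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    for name, data in attachments:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


def demo() -> Dict[str, str]:
    """Four constructed messages, one per outcome."""
    samples = {
        "pure_worm": build_message("hello", "test", [("document.pif", b"MZ" + b"\x00" * 16)]),
        "mixed": build_message("Q1 figures", "Hi, the quarterly figures and my notes are attached.",
                               [("figures.zip", EICAR + b"\n"), ("notes.txt", b"See attached")]),
        "clean": build_message("Lunch?", "Are you free at noon on Thursday for lunch?", []),
        "lure": build_message("Your account will be terminated",
                              "We could not verify your details, please reply with them today.", []),
    }
    return {name: decide(raw).action for name, raw in samples.items()}
```

Calling demo() returns the action chosen for each of the four constructed messages; decide() on a real raw message returns the full Decision with its findings and the attachments that survive cleaning.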

funny but dead serious... (3, Interesting)

segment (695309) | more than 10 years ago | (#8588465)


One time I got to work and checked our local geek account (where we all joke, pass notes, etc.) and I read this email forwarded by the technical support: "Hi I'm writing to know if everything is alright with the system. I'm not getting anymore spam so I wanted to know if there's a problem." I kid you not, the end user was wondering why they weren't receiving spam. It's difficult to filter too much, because what do you do when someone is constantly complaining about not receiving a business proposal coming by way of a zip? What happens if by mere coincidence it was flagged as spam, or a virus? That's the problem with filtering; personally I think education is a better resolve, but that's just me.

Re:Time to update the antivirus model? (1)

Cytotoxic (245301) | more than 10 years ago | (#8588416)

Problem is, about 99% of viruses that have come into our firm in the last 6 months have been nothing but virus - no legitimate content. Despite this, our antivirus tool has no option to use its 'knowledge' of the 100% illegitimate messages and simply delete these outright.

This is a huge problem. Every time a new permutation shows up, a flood of "I just got this email that..." messages come through to IT. Followed by a flurry of messages that say "this is the anti-virus software telling you that it..." Of course, it is usually the same few people who have to ask again.

I have a personal solution for the flood of virus removal messages - because I have several public email addresses (like webmaster), I use SpamBayes to automatically shunt these as if they were spam.

Yes! Get Sybari's Antigen (1)

hajibaba (468067) | more than 10 years ago | (#8588610)

We've been running Antigen at my company for at least 3 years. It uses multiple scanning engines on each email. We can also block any attachments that we want (based on file extensions). As a result, we haven't gotten hit with a single e-mail virus in the entire time it's been running. We receive hundreds of viruses a day (recently thousands thanks to MyDoom and Bagle), but it blocks every one.

The product, not the Virus (0)

myownkidney (761203) | more than 10 years ago | (#8588283)

I think this whole study overlooks one key aspect. If the product in question, MS Windows, had fewer holes, then there would be less scope for virus development.

But this is not at all the case. The real damage, IMHO, is not when virus writers share the code, it is when they share the information on vulnerabilities.

The sharing of the code only helps the script kiddies. They can be easily taken care of. But not the clever guys who learn about, and then exploit, vulnerabilities.

Please wake me up... (4, Insightful)

tangent3 (449222) | more than 10 years ago | (#8588292)

...when Symantec puts out a report that viruses are on the decline. I'm not saying that viruses are on the rise or on the decline or are not a danger to users, but I will definitely take such reports with a pinch of salt, coming from a company which stands a lot to gain by scaring internet users with predictions of a rise in virus attacks.

"Open" viruses (4, Funny)

andy666 (666062) | more than 10 years ago | (#8588320)

I think that open source viruses are the way to go. GPL them and apply modern ideas from software engineering. Well documented viruses would be handy, both for filtering and to aid future virus designers.

email account management (3, Insightful)

ATAMAH (578546) | more than 10 years ago | (#8588339)

"Explains why my email account is overloaded with these little bastards."

Well, partially it could also be to do with the fact that you are not careful about where your email address ends up. I have been as strict as possible about people not including me in their Outlook/Outlook Express address books, or not including me on mailing lists if I knew that the participants are not security minded people. And I never had any Sobigs, MyDooms or the like in my inbox, yet I did use that account for emailing :). I know it's not 100% protection but it helps, obviously.

Re:email account management (2, Interesting)

Macka (9388) | more than 10 years ago | (#8588575)

It only has to get out there once and you're (my)doomed! I started my own consulting business 4 years ago. I got a new domain so I had a virgin email address. For 2 years I was very careful about who I gave it to, and whenever I had to give out email addresses online (like for cinema or flight bookings) I'd create an alias and give that out instead. If I started to get spam on that address, I could roast the culprit and then delete the alias. However, one day I went online and posted into an internet newsgroup. I don't know what I was thinking at the time, but I forgot to change my address before submitting the post. I remembered after but it was too late. It was the one and only time I ever did this, but within one week I started getting spam and viruses in my email account for the first time. And slowly but surely it got worse.

Another thing you can't control is e-cards. Some dim witted but well meaning friend decides to send you a card and has to give them your carefully protected email address in order to do so. Not only do the e-card vendors know that it's a valid address, but they also know it's active. I had a run of these about a year ago, and noticed an almost instant increase in the volume of spam I got.

Actually the percentage of spam I used to get with destructive payloads was quite low until recently. Over the last couple of months that shot up to about 30%. There has definitely been an increase in the number of virus authors/hackers out there.

Macka

Re:email account management (0)

Anonymous Coward | more than 10 years ago | (#8588582)

Sounds as though you don't talk to many people then. Do tell how you force them not to put your address in their address book. Besides which, recent viruses have simply searched the entire disc so even if your mail to them was stored as a text file, it could still be picked up.

Ooh, Ooh, Over Here! (-1, Troll)

dupper (470576) | more than 10 years ago | (#8588371)

I've got TEH ULTAR L33T!!1!!11! virus code, right here:

Wave off mommy and her next round of cookies and get your pimply, 13-year old ass outside. Then, you just might grow a pair of biceps, and be able to take a baseball bat to the target computer. That would be TEH FUTAR HAX0RING!!1!1!!1

SCO (0)

Mr. Certainly (762748) | more than 10 years ago | (#8588376)

Now where's the SCO when you really need them?

Morse Code?!? (2, Funny)

mikewren420 (264173) | more than 10 years ago | (#8588401)

I first read the article title as 'Virus Creators Sharing Morse Code' --- As a ham radio operator, I was appalled. First BPL, now this! :)

Quick fix: (4, Informative)

KodaK (5477) | more than 10 years ago | (#8588417)

MailScanner + SpamAssassin + Clamav.

Stops unwanted mail dead.

Finally be able to stop bitching about your inbox.

100% Free.

Small catch: you need your own mailserver. Answer: add procmail to your recipe. Ha, get it?

MailScanner [mailscanner.info]
SpamAssassin [spamassassin.org]
ClamAV [clamav.net]
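The ScanMail post above (block BAT/CMD/PIF/SCR attachments, scan EXEs and ZIPs, match worm-like subject lines) and the Cytotoxic post (drop 100% illegitimate mail outright rather than notifying) describe the same gateway filter this toolchain implements. As an added example that is not code from the thread or from any of the products named, here is that filter logic in Python over a constructed message; the subject patterns are an assumption made up for the example, not rules from any product.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions the ScanMail post blocks outright; archives and EXEs are
# routed to the scanner instead of being dropped.
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".pif", ".scr"}
SCAN_EXTENSIONS = {".exe", ".zip"}

# Constructed subject patterns in the spirit of 2004 worm mail; an
# assumption for this example, not rules from any product on the page.
WORM_SUBJECT_PATTERNS = [
    re.compile(r"^(re:\s*)?(hi|hello|test|error|status|mail delivery system)$", re.I),
    re.compile(r"delivery (failed|failure)|returned mail", re.I),
]

def classify_message(raw: bytes) -> dict:
    """Classify one raw RFC 822 message as 'block', 'scan' or 'pass'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict, reasons = "pass", []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # "readme.txt.pif" is a .pif: only the last suffix counts.
        suffix = name[name.rfind("."):] if "." in name else ""
        if suffix in BLOCKED_EXTENSIONS:
            # Dropped outright with no bounce: the sender is forged anyway.
            verdict = "block"
            reasons.append(f"blocked attachment {name}")
        elif suffix in SCAN_EXTENSIONS and verdict != "block":
            verdict = "scan"
            reasons.append(f"scan attachment {name}")
    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in WORM_SUBJECT_PATTERNS):
        reasons.append(f"worm-like subject {subject!r}")
        verdict = "scan" if verdict == "pass" else verdict
    return {"verdict": verdict, "reasons": reasons, "notify_sender": False}

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message carrying one attachment (not real mail)."""
    m = EmailMessage()
    m["To"] = "webmaster@example.com"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```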

It's inspiring! (3, Funny)

HarveyBirdman (627248) | more than 10 years ago | (#8588421)

It's so wonderful when people share and allow those less fortunate to benefit from their own hard work and experience. This must one of the thousand points of light of which the President's dad spoke.

This must be a direct result of Mel Gibson's "The Passion Of The Christ". This holy movie has inspired a new culture of charity that is reaching down even to the virus writers, who so selflessly test the security of the world's computers so that we may all sleep more soundly, or... something.

*sniff* It gets me right here.

No, here. A little to the left. A little more.

Now scratch.

Aahhh....

Re:It's inspiring! (0)

Anonymous Coward | more than 10 years ago | (#8588566)

Your president's dad was obviously precognitive and could foresee this era of global sharing and coming together... It's a shame you couldn't elect him again so he could foresee even more loveliness...

*sniff* - I just imagine the virus writers all tucked into their beddie-byes, snoozing blissfully away instead of wracking their little brains on how to spread maliciousness...

Share and enjoy I guess has been adopted - funny how life imitates art...

In other news... (5, Funny)

galen (24777) | more than 10 years ago | (#8588422)

...legitimate programmers continue to reinvent the wheel.

Open Source (3, Funny)

OSgod (323974) | more than 10 years ago | (#8588460)

at its best -- these things have been peer reviewed quite well by now :)

if any virus creator is reading this... (2, Funny)

WormholeFiend (674934) | more than 10 years ago | (#8588479)

I have a message for you:

Screw you and the trojan horse you rode in on.
-

5% more, eh? (0)

Anonymous Coward | more than 10 years ago | (#8588498)

Does that include "real" virus code, such as the stuff in 40Hex (a popular virus zine a decade ago) or is that just "pseudo" viruses (really trojans written in VB or whatnot).

Computer viruses and Biological viruses (5, Interesting)

Seoulstriker (748895) | more than 10 years ago | (#8588505)

One was written from the MyDoom worm, and patched the hole after using it to get in.

That sounds freakishly like some biological viruses that recombine their genetic information into the host chromosomes, which effectively seals off the cell from further attack by viruses, so that it can do its work safely without interference.

If virus makers actually learn how to recombine their code into standard windows libraries and the code is then free to work without interference, the Windows users wouldn't know that they are actually infected until some future date when their credit card numbers are stolen/hard drives reformatted/etc.

In fact, the whole idea of sharing the code of viruses is similar to the idea of recombinant DNA in viruses and bacteria: effective code from one virus can be transferred and incorporated into another virus/bacterium (plasmids) to make an even stronger pathogen. Scary stuff.

Cooperation (2, Informative)

mdielmann (514750) | more than 10 years ago | (#8588520)

I'm always glad to see programmers cooperating, and even occasionally competing for market share. After all, that will only bring us better products.

But you have to wonder just what we're going to get next when some of these virus writers start working together. We've already seen multiple-vector viruses, better social engineering, and greater adaptability. It's certainly going to keep the anti-virus companies on their toes.

Sharing (2, Funny)

FiskeBoller (536819) | more than 10 years ago | (#8588527)

Gee, and I always heard that re-use is a good thing!

So now this is open source too (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8588587)

Great....I always knew open source was viral..

Pfft... (2, Funny)

Vampyre_Dark (630787) | more than 10 years ago | (#8588635)

People can come up with statistics to prove anything. 7 percent of all people know that.

Computer Virus (3, Funny)

g0bshiTe (596213) | more than 10 years ago | (#8588659)

It's natural selection.

Those PCs that succumb and die from infections leave only the strongest PCs to repopulate the earth. It's happened all throughout nature since time began. Consider this the "electronic black plague".

Great for cross-platform (3, Funny)

chrysalis (50680) | more than 10 years ago | (#8588661)

That's great news.

Viruses are closed-source, proprietary software that only runs on Windows.

A lot of nice guys are trying all day long to send me ".pif" files so that I can have fun, but I keep clicking and clicking again, nothing happens on my OpenBSD box. It's so disappointing.

Thanks to these open source viruses, I will probably soon be able to enjoy a /usr/ports/virus/ directory with viruses that will run natively on my operating system.

Great, I will now be able to chat with friends "hey what ? You still don't have Baggle 8.3XP ? Haha sucker, I got it for 3 days !".

RABBLE!!! (-1, Troll)

Cyno01 (573917) | more than 10 years ago | (#8588666)

Australia shot from 14th place to 5th over the last six months of 2003!
BOMB AUSTRALIA!! RABBLE!...

dingo baby eating knife wielding crocodile bum thumbers...
