Unprecedented level of Virus Alerts 424
arpy writes "iTnews reports that according to Trend Micro (makers of PC-cillin), there was a record-breaking level of virus alerts in the first quarter of 2004. In Q1 2003, Trend issued 35 virus warnings. During the same period this year, it issued 232. According to the company's annual virus round-up and forecast (PDF), the number of alerts was pretty much steady for 2001-2003. Particularly noteworthy is that so many of the viruses are variants, not original. Trend's April 2 Weekly Virus Report reveals that of the "Top 10 most prevalent global malware", the top five are all variations of Worm_NETSKY. This would seem to confirm Virus creators are sharing more code."
There are some nasty ones (Score:3, Insightful)
Re:There are some nasty ones (Score:2, Funny)
Sharing code (Score:3, Interesting)
One thing, the companies who make money off this certainly do not want this to stop. This isn't a put a tin foil hat on message. Just correlate the line, viruses and profit for these companies. Now, of course, chicken and egg.
Security is going nowhere, patching holes isn't going to save a sinking ship, and myself, I do not want to let the 'everybody else'
Re:There are some nasty ones (Score:2, Funny)
well, where's the link dammit?
Re:There are some nasty ones (Score:5, Interesting)
The more recent versions of these viruses are even killing off their 'competitors' - a recent Netsky will kill off any Bagle or MyDoom viruses it finds.
I'm still staggered that people will open email from people they've never heard of, open any attachments therein, entering passwords as they go!
The worst case of virus authors realising the stupidity of the people they were targetting was a virus with an NTP client built-in, so that the timebomb expiry on it would still work, despite the host PC's clock not being set correctly!
Re:There are some nasty ones (Score:3, Interesting)
Maybe windows will get its act together in the next service patch and stop making it so easy for the virus writers, but even then there will be a lot of computers on older versions. It would probably be more cost effective to go after the spammer's money source with a serious law enforceme
Re:There are some nasty ones (Score:2)
I'm not sure what you're talking about. Last year they issued 35 warnings in Q1, this year they issued 232 in Q1.
Re: there are some nasty ones (Score:3, Interesting)
In my experience many users don't buy/use any software (well, maybe Bonzai Buddy) that wasn't bundled with their PC. I've actually met people who will buy a new PC just to get a new word processor.
Re:There are some nasty ones (Score:5, Funny)
"in the first quater", "varients, not original".
Taco pick up a typo? You must be new here...
Virus scanners suck (Score:3, Insightful)
Re:Virus scanners suck (Score:5, Insightful)
Re:Virus scanners suck (Score:5, Informative)
In the good old days, viruses were tightly coded programs that often did cool things (undesirable, but still cool, like making all the letters fall off your screen). They would modify existing programs to become carriers - this is the true meaning of a virus, it modifys legitimate code to allow it to propogate.
Remember the Cascade virus, back in 1988? 1701 bytes of code that sits in memory, modifying
Correct me if I'm wrong, but I don't think a real virus has been written since the late 1990's. All current "viruses" are either trojans or worms.
Virus - modifies existing programs to include it's own code.
Trojan - executable file that pretends to be something the luser wants but is really malicious.
Worm - self replicating software that uses a network-accessible vulnerability to propogate to other machines on the network (think Code Red, et al)
Re:Virus scanners suck (Score:3, Interesting)
Well, I think you are. At least CIH [f-secure.com] was a real virus, by your definition. Check the technical descripion here [f-secure.com].
Nasty one, also - tries to re-flash the BIOS with garbage.
But generally speaking you're right, most of the so-called viruses are actually trojans these days.
Re:Virus scanners suck (Score:3, Interesting)
In this case, why are programs like Gator not removed by anti-virus software? By all definitions, Gator (or is it now Claria) and similar programs are Trojans. If the user knew what it would do to their system, they would have never installed it. Then there are the reports of "drive by downloading". If this isn't trojan activity, then what is?
Heuristic antivirus (Score:5, Funny)
On the plus side, we can hope that if The Machines ever get away from us, we can get Jeff or Data or NEO or Ahhnold to load a virus and save us. On the minus side, one of these days someone is going to write something really nasty, and even those of us who don't use Windows will be affected, either through the drag in traffic, bringing down nodes, or the phone calls and other messages.
It would be great to have a system that looks for changes and reports them...oh wait, I already have that.
-cp-
Alaska Bugs Sweat Gold Nuggets [alaska-freegold.com]
Re:Heuristic antivirus (Score:5, Insightful)
No, it did (does) work. It was simply more profitable to sell a program that requires frequent updates for each new threat. See e.g. Better antivirus software is worse than a virus? [vmyths.com]
Re:Heuristic antivirus (Score:4, Informative)
Free.
Until they start charging for it, at least, but it's free for the moment.
For those of you who don't know but run Windows anyways...
http://www.grisoft.com
Re:Virus scanners suck (Score:2)
e.g. "you got the ___ virus, this probably happened becasue you opened an unsage type of email attatchment... etc..."
Re:Virus scanners suck (Score:2, Insightful)
I don't think it gives a false sense of security, either. I for one know I'd rather have an updated AV scanner running on my machine for when the worm/virus/whatever the hell it is finally starts to propogate through MY network!
Comment removed (Score:5, Insightful)
Re:Solve the damn problem (Score:5, Insightful)
I think viruses over email will stop as soon as sexually transmitted diseases will stop because people stopped to have recreational, unprotected sex.
Re:Solve the damn problem (Score:4, Insightful)
What are you talking about? There's been lots of effort in combating the virus problem, namely the products of the major antivirus software vendors like Trend Micro, and Symantec. It's worked extremely well. More and more viruses and worms come out, and the vendors make more and more updates, and sell more licenses. They've become extremely profitable. Since profit = success, this virus problem is obviously well in hand.
Re:Solve the damn problem (Score:5, Interesting)
I'm guessing that was sarcasm, in which case I totally agree ^^
The problem here is that the viral arms race is a cash cow. It's in Symantec/Trend/McAffee/et. al.'s best interest, financially, to make sure that viruses/worms/malware continue to propagate.
If virus/worm/malware activity suddenly stopped, there'd be little need for the services those companies provide. If, however, the threat multiplied over time, there would be an increased demand for thier services - which in turn would equate to more money in their pockets.
I'm not saying these firms are crooked - I'm also not saying they aren't. All I'm saying is that they have a vested interest in keeping the threat alive, or even increasing its magnitude. Whether they do so or not is neither here nor there.
MS, of course, shoulders a portion of the blame for the problem. OE, after all, is the most effective virus/worm/malware distribution engine *ever*. (Outlook itself not being far behind, but that's part of Office, which most folks actually have to pay for -- OE comes installed with the Windows OS that comes pre0nstalled on most new machines, and hence has a much greater distribution) But then again, if it were secure, given MS's overwhelming marketshare, how would *that* effect the bottom line for the AV companies?
A healthy skepticism about the industry is quite warranted, I think.
Re:Solve the damn problem (Score:3, Insightful)
I personally do think these firms are crooked. They're basically parasites, since they depend on malware for their existence. And from statements they've made when asked about the use of Linux in order to be less vulnerable, in which they show that they obviously don't want people running anything besides Windows on their desktops, I think they're dishonest too.
Re:Solve the damn problem (Score:3, Insightful)
It's a nasty disease characterized by this nagging, persistent feeling you know everything about computers and there is nothing you do not know.
It's called Windowsitis.
Public Service Announcement:
Little Girl to her Mom: Mommy what's wrong with daddy?
Mom (choking back tears): Nothing, dear. Daddy is... having problems.
Little Girl: But why does he look that way?
Announcer: Millions of Americans are suffering with a devastating, deblilitating disease. Spilled drin
Re:Solve the damn problem (Score:4, Interesting)
Phil
Ummmm (Score:5, Funny)
This would seem to confirm Virus creators are sharing more code.
So, do they prefer GPL or BSD license?
GPL, duh (Score:5, Funny)
Re:Ummmm (Score:2, Funny)
Maybe they were getting ready for.. (Score:2)
Windows Virus End User License Agreement (Score:5, Funny)
Windows Virus End User License Agreement
Licensor, Skrip T. Kidie hereby licenses to you, the licensee, the ability to be infected on a single machine with not more than eight (8) processors by this Windows Virus (hereafter "the Virus").
By reading this, you agree to allow your machine to become infected. We reserve any and all rights without limitation, while you disclaim any purported rights you might have so much as thought you had, including "fair use" rights, and agree to hold licensor harmless for the inevitable destruction of your PC.
In the event you are found in possession of more copies of the Virus than you have license for, you will owe us $699 per violation. Furthermore,
(10 more pages of legalese here)
Re:Windows Virus End User License Agreement (Score:2, Funny)
And it's not going to go away soon... (Score:5, Insightful)
And so we come to the nightmare scenario. A relatively benign
parasite has infiltrated the general population and suddenly a very
"hot" parasite discovers how to piggy-back that infection. In the
blink of an eye - a day, an hour - 50% of Windows PCs around the
world are destroyed. It can happen, and therefore, it most probably
will.
Re:And it's not going to go away soon... (Score:5, Funny)
Re:And it's not going to go away soon... (Score:2, Redundant)
Re:And it's not going to go away soon... (Score:5, Insightful)
You base your conclusing on a broad sweeping assumption that "it can happen". This theory is flawed. Viruses and worms are combated on many fronts, using multiple strategies.
You are making a broad sweeping assumption as well. Routers with NAT, which offer rudimentary inbound firewalling as a side effect of actually doing NAT, do stop a good bit of the viral attacks such as back orifice etc but they aren't stateful firewalls like you'll see in an enterprise. They don't stop anything from going *out* the pipe. All it takes is a rogue payload on the inside of one of many networks with a big pipe and things get ugly quick! As an aside, I *don't* want my upstream provider filtering my traffic at all though and dropped the last ISP that started that and told them as much.
You're also assuming that the AV software catches 'everything'. What about the last bout of worms carried by the encrypted zips? I'm in the driver's seat on a dozen or so high traffic mail servers up and down the East Coast of the US and I (and other admins) was caught off guard by this worm. We block (with client permission) every executable attachment known to Microsoft operating systems and a few obscure ones as well. The encrypted zips slid right past qmail-scanner, clamav and a couple home-grown perl scripts we use for filtering. Those worms slid past the big name AV products at places I do other types of work. I will give the ClamAV and the qmail-scanner mailing lists credit though...it wasn't long before there were patches and add-ons for each to drop that worm at the gate, patches came in to the qmail-scanner list within hours of the first sighting of that worm in the wild.
The encrypted zip ruse was clever, how long before somebody comes up with something similar but more sinister? The only way to stop email-borne viruses completely would be to do as you say and stop all attachments completely. That's not an option for 99% of my clients, just simply not an option. Everytime I read something from one of the guys that works on ClamAV or one of the 'gurus' at the big AV labs about how shitty the code was in the last worm I get twitchy. What's going to happen if somebody that knows what they're doing and has a bit of cleverness up their sleeve as well decides to write the next nasty bug?
The REAL nightmare scenario... (Score:5, Interesting)
Word processing documents - randomly deleted words like 'no' and 'not', or flipped words like 'always' and 'never'.
Spreadsheets - zeroed out one or two cells
Presentations - Inserted random obscenities and links to unappetizing images
Imagine what would happen if nobody could trust their computers any more. Microsoft would be sued into oblivion, EULA or no EULA.
The only reason this hasn't happened... (Score:4, Insightful)
Re:Good (Score:5, Insightful)
Re:Good (Score:5, Insightful)
http://impsec.org/email-tools/procmail-security
Now I have to ask, if users are dumb enough to open a password-protected zipfile in what sure looks like an obvious virus-generated message to me, aren't those users dumb enough to be convinced to chmod +x &&
I think this is evidence that no security system can realy be foolproof. The fools are just too persistent!
Re:Good (Score:5, Funny)
Joe user wants to be infected.
Make something idiot-proof and someone will build a better idiot.
Re:Good (Score:3, Informative)
I have installed several Linux desktops in my workplace (replacing old winboxes). I always mount home as noexec. So even the dump users will be safe. Because
I've been suprised for the positive comments.
Re:Good (Score:5, Informative)
Not enough: "/lib/ld-linux.so.2
Re:Good (Score:2, Insightful)
Most of my files from the Linux machines are backed up on my FreeBSD machine; neither Linux nor FreeBSD are guaranteed secure, but the chances of both machines being vulnerable at the same time is exceptionally remote.
People deserve it? (Score:4, Insightful)
Relying on education and technological cures assumes that malware is a static target, but it's not. If you rely on improving people's understanding of viruses, you simply get viruses that act smarter and look like official emails. If you improve technology, you get viruses that actively target that technology itself (look at the BlackIce incident).
Technological solutions just create an arms race, and we've seen how well that works. Look at your inbox... the grim rise of noisemail is hardly a sign of success.
The solution is to acknowledge the nature of the problem: it follows the same laws as those of organic parasites, and the same solutions may be the only ones that work: perpetual change for the sake of change; trading of resistance; variety in place of standardization.
Or it could prove... (Score:3, Insightful)
Re:Or it could prove... (Score:2, Interesting)
I also think the Anti Virus companies hype this crap too much. But looking at the firewall logs shows to many people just don't get it.
Who cares? (Score:2, Interesting)
Re:Who cares? (Score:3, Informative)
VBA can even be in complied form within an Access Database.
Re:Who cares? (Score:3, Insightful)
How long has Macro security been set to high by default now? 2 years? 3?
Re:Who cares? (Score:3, Insightful)
Re:Who cares? (Score:3, Insightful)
I just block everything that isn't a document of some sort. Haven't had any problems at my company since.
The unfortunate reality is that some viruses may affect you even if you aren't infected. Massive virus outbreaks are like spam: both generate large amounts of junk traffic that slow everyone's connection.
Re:Who cares? (Score:2)
"making" a virus is not hard (Score:2, Insightful)
Re:"making" a virus is not hard (Score:2)
Not that I condone doing such a thing...
two questions... (Score:5, Insightful)
i'm not certain that these viruses use the same vulnerabilities, so my second question is pretty heavily weighted on the first
Re:two questions... (Score:2)
Yes, they do... the recipient of the virus opening up the attachment because they either got fooled ("new virus warning", "mail bounce", etc.) or enticed (porn stuff). Netsky, Bagle, MyDoom didn't exploit a Windows vulnerability. It did the "social engineering" thing to spread.
if that's the case, doesn't that mean a statistic like this should be pointed to not as an indicator of rising numbers of viruses, but as an indicator of the lack of respon
Odd.. (Score:2, Insightful)
First Quater? (Score:3, Funny)
PC-cillin - two updates per day! (Score:2)
Of course, we've still managed to get viruses through, both from not having the latest update (one Bagle variant got through), and from people not running the virus scanner - on Monday someone who had his/her portable at home at the weekend connected to the office network with NetSky-Q loaded.
Not enough (Score:5, Insightful)
My fault, I suppose, for leaving it the demilitarized zone. I'm just so used to Linux though -- the idea that a modern OS would permit such a thing to happen is ridiculous.
Calling wolf? (Score:5, Interesting)
Ugh (Score:5, Insightful)
So have they turned into bananas, or have they just gone to banana rich lands? Sorry, but I can't see how one can literally go bananas.
-Colin [colingregorypalmer.net]
Now if we could only fix the cause... (Score:3, Interesting)
What does surprise me is WHY these spread. I thought we had taught people time and time again, over and over, "don't open non-document attachments"... "keep your antivirus software updated"... "if you're ever in doubt, call us". Our advice is taken in and actually used once in a while, but it always seems to be thrown aside and forgotten.
I'm still on the search for that magic bullet that won't involve horribly restrictive mail filters or a lobotomy to remove the "OPEN EVERY EMAIL ATTACHMENT I RECEIVE" lobe...
Question about AV software (Score:5, Interesting)
Can someone give a brief explanation of how anti-virus software is able to scan so many files so quickly?
Re:Question about AV software (Score:5, Informative)
Viruses which have similar mechanisms leave similar signatures (in the case of true viruses; I'm not exactly certain how (or if) it's done for worms).
IANA Anti-Virus Specialist
Re:Question about AV software (Score:5, Informative)
Of course, you can always look at the source [clamav.net] to figure it out.
viruses hold only part of the blame (Score:3, Insightful)
It also indicates a couple of other things:
It's only a matter of time until one of these is truly destructive... Perhaps a fortunate side-effect would be the world waking up to why Microsoft software is so horrible.
Re:viruses hold only part of the blame (Score:2, Insightful)
Dude, no need for the "quotes" when you actually are a nerd.
Re:viruses hold only part of the blame (Score:3, Informative)
Netsky.B write-up [symantec.com]
Re:viruses hold only part of the blame (Score:3, Funny)
Should we still call them Virus alerts? (Score:5, Insightful)
Why are we married to calling everything virus related when it is actually the flash-spread of worms that pose the most risk?
The Morris worm was a wakeup call. It was the first large worm, and simultaneously the first Warhol attack. Today, the 'growing threat' is the idea of Warhol-type worms, even though the first such attack was back in the 1980s.
The future of security is probably in the department of protecting against blended threats. AntiVirus software that only deals with stuff on your disk isn't enough anymore. You need, in order of importance:
1. to adopt safer computing practices.
2. Have some type of firewall that limits external access to services you don't actively use.
3. A behavior based IDS (or similar technology)
4. Disk and memory AV (eg, a typical antivirus program)
5. Signature based IDS.
Signature based IDS is least important, especially if you have the firewall in slot 2 that negates most of the use of an IDS. Disk and memory AV is important, but since 99% of all user-originated content comes over the wire these days, the smart money is on 1, 2, and 3.
I suppose step 6 should be "Demand accurate coverage from technically competent news professionals that know the difference between the various threats". If your local anchorman said "Earthquake warning!" and it turns out it was a flood emergency, would you find that acceptable?
Where's... (Score:4, Interesting)
Since there was an unusually high number of viruses and alerts, it would be nice to see just how it's being handled on the user end. Were there spikes in Norton Anti-Virus purchases? Or are people getting nailed with virus after virus ( a big clue is that it's mostly just a slightly altered form of the virus ) because they're being typical Joe User and not trying to guard themselves?
Sharing code (Score:5, Insightful)
And writing them for the same reason for the same people. Money from spammers. Look how many of those new viruses open back doors for proxies and steal email addresses. I don't think that it is so the virus writers can send love notes anonymously.
need help fast (Score:5, Funny)
I run a website called politrix of which is my own Sun machine. I recently received the following email and am confused of what to do Can someone please link a book on common sense so I can buy it to figure out why I am suspending my own account. Please hurry! Currently I am writing to this poor man in Africa who's promising me a couple of cool millions, so when I become rich, I will reward you handsomely.
Antivirus Software Makers vs. Arms Dealers (Score:5, Insightful)
In a way, the antivirus industry always reminds me of the nobel profession of arms dealing. On the table you provide your clients weapens to "defend" themselves and to archieve and maintain peace. Off the table you know the business only flourishes when there is a war. Of course there is always a war, but your interest is in an all-out war. So what do you do if there is no such an all-out war going on? Don't panic, you simply make your clients believe there is one indeed. As soon as they believe you, you win.
If you don't know what I'm talking about, you shoudl read Vmyths [vmyths.com] more often.
An introduction to viruses (Score:5, Funny)
Virus are popular peer-to-peer sharing systems designed and optimized for Windows platforms.
Great features of these systems over other P2P systems
- It's free software, although the license is often missing.
- They are very well maintained. New versions are released almost every day.
- They are easy to use : no need for a GUI, no need for a CLI, everything is fully automated.
- Updates are also automatic.
- No need to tweak your firewall, popular viruses can work on port 25 using a SMTP-like protocol.
In order to join this community, you just have to run an installer called "outlook.exe". To improve your experience, the "internet explorer" add-on is also recommended.
And how handy, the installer and its add-on are part of the vanilla "Windows" installation CD set. No need to download anything and no registration is required. Very convenient.
Once the installer ("outlook.exe") has been started, an Evolution-like interface pops up. This is bloat, it can be safely ignored. Directly go to the "add contact" panel and fill in email addresses of friends you want to share executable with. Wait a few minutes (check the internet link is ok) et voila, viruses are automatically downloaded, installed and configured.
You know understand why this p2p system is so popular in the Windows world : easy to install, easy to use, and the operating system keeps a lot of unfixed security holes in order to avoid breaking backward-compatibility with older viruses.
Related to Spy/Adware? (Score:5, Interesting)
Will we reach a point when the constant pushing of garbage in users faces will make the internet worthless to the common man?
Re:Related to Spy/Adware? (Score:5, Interesting)
I work tech support at a local isp. We have... a fair number of customers (stupid NDA's). And I would say around 10-15% of our calls are virus/spyware related in at least some way.
But what is really upsetting is this - how can users (somehow) manage to get 225 pieces of spyware and 42 virus' and then NOT be able to install a anti-virus program or spybot? Jesus Christ. It just... fucks with my head. I can't figure out who's to blame in this one.
The other thing that is extremely upsetting is the utter lack of responsibility taken on by the computer manufactures in regards to spyware/virus'. Here's the deal. User X gets a new PC with their tax refund. User X puts computer on intarweb. 15 minutes later they get blaster, call me and tell me that "the internet broke their computer, can't be anything wrong with it just bought it blah blah blah blah." And then I go to look and, I'll be dammed, the brand spanking new dell they just bought contains 0 patches. No service pack 1, nothing.
I'm not sure if it's just dell (I think hewlett packard is the same) but both of these manufactures, for home pc's, ship them 100% unpatched. And, of course, they don't have to deal with the tech support of cleaning off spyware/blaster. It's not like it is even the user's fault. If any of you put winxp on a machine (even with the firewall in xp enabled) that wasn't behind NAT/firewall it will get blaster/wachi/nachi in 10 minutes. There's litterally nothing you can do.
Can we really blame Microsoft for this one? Or even ther user?
Allright, I think i'm done venting
This is because of one simple thing... (Score:4, Insightful)
The worm/virus explosion is because RBLs are WORKING, and spammers are finding less IP space they can operate from. Their only alternative is to infect client PCs and turn them into proxies. Any mail admin can tell you this is what's happening. RBLs are working. Now if we can get the ISPs to enforce their Terms of Service and shut down compromised PCs, along with the authorities who may at some point get off their lazy asses and start putting some of these spammers in jail, we'd have 99% less virus/worm propagation. Occam would agree. Lobby your District Attorneys to stop prosecuting Tommy Chongs and do something in the public interest and the world will be a better place.
Worms seed proxy/relay farms (Score:4, Informative)
One (unfortunate) solution to spam from compromised workstations is for mail servers to refuse to accept SMTP messages from hosts in dialup and DHCP address ranges.
For this I use the Pan-Am Dynamic List (PDL) [pan-am.ca].
Re: (Score:2, Insightful)
It makes me wonder. (Score:4, Interesting)
Re:It makes me wonder. (Score:3, Informative)
Company that profits from virii reports (Score:3, Insightful)
Pearl Harbor of the web. . ? (Score:5, Insightful)
On the one hand, what I see is a 'cool' new trend in virus writing; "Wow! Cool! Like, I can re-script a code which will secure me lots of slave machines! Excellllllent. I want to play, too!"
On the other hand, it also strikes me as very convenient that the web should be pummeled right now when there is such a push to massively control EVERYTHING and EVERYONE on the planet. --How easy would it be for the fine people in black-ops-secret-shmecret-government to release a few hundred viruses into the wild?
Pretty damned easy, I'd say. But to what end?
Simple. Everybody is getting fed up. "Oh, please install new laws which allow us to punish spammers. Oh, please, mighty government, do SOMETHING to control the web so that I can get my email!"
The internet, at the moment, is THE prime source of real information and world-wide communication. You can say here, out in the open, "BUSH IS A LIAR AND A CRIMINAL" And link to a hundred sites which explain -with detailed evidence- exactly why this is so.
Fascist governments don't appreciate this. Machiavelli recommended the swift destruction of dissidents who speak such things, in order to control a kingdom.
230 new script kiddies a month releasing malignant code into the wild, or a handful of unimaginative agents bent on pissing everybody off so much that they start begging for leashes?
I don't know. But it wouldn't surprise me in the slightest to find out that the assholes -once again- are in charge.
-FL
Knowledge. (Score:3, Insightful)
Wow. I guess I keep forgetting that Bush's psychopathic nature is not always commonly recognized. This seems amazing to me, but then I forget sometimes what it is like to be caught within the fog of manufactured reality. That's the nature of the psychopath
Why ? Because someone makes money on it ! (Score:4, Insightful)
Companies that
* Use a firewall
* Enforce the use of "RunAs" for all critical operations
* Dont use Outlook
Avoids 99.999999 % of all of viruses
Re: (Score:3, Insightful)
Solutions to viruses (Score:4, Informative)
hooks built into windows to detect "potentially nasty" behaviour (for example, modifying a system file, modifying winsock settings, changing the hosts file, making something start at startup, changing the IE homepage etc). When detected, one of 3 things will happen:
1.the action will be completly blocked (if its on a network with central policies and has this blocked)
2.it will ask you for the administrator password (if you are not an administrator or if the system has been set up to ask you even if you are admin)
or 3.it will pop up a nice warning to warn you that what this program wants to do could be bad.
Then, you can either allow it or deny it, depending on the settings.
If you deny it, windows would return an error to whatever program wanted to do it (e.g. if the program called RegCreateKey to create a key, it would return "cant create key" or if you called CreateFileEx to open the file, it would return "cant open file")
Plus, ideally, you would be able to add (but not remove the built in ones) new folders, files and registry keys to the "warnings" list. So for example you could have a writable file share on your system but if someone wanted to write to it, it would ask you first. Or on a network, the admin could block changing the desktop background.
Also, you would (ideally) be able to specify which events to block completly and which events to just warn for.
This alone would be a great help at stopping viruses and spyware.
Also, ISPs should firewall ports used by viruses at the ISP level (this includes ports like SMTP ports used by spam trojan zombies). If you do need one of those ports for legitimate use, they can unblock it. That would help stop trojans and zombies taking up valuable bandwidth (both the users Bandwidth and the ISPs Bandwidth)
Plus, email clients should be modified to not run scripts (better yet, get rid of HTML email completly, its mostly used for SPAM, viruses, scams and crap anyway plus it guzzles more bandwidth than regular text)
These things would:
1.make it harder for spyware/viruses to run automaticly
2.make it harder for spyware/viruses to do nasty things without your concent
3.make it harder for viruses to carry out their payloads (e.g. sending SPAM, DDOS attack etc)
4.make it harder for viruses to get into the inboxes of the cluless n00bs in the first place. And since they dont get notified about the removed virus, they never even know they recieved one.
Also, another (more drastic) step that would work for networks like corporate networks, university networks and such would be to lock anyone who has a virus or whatever out of the network untill they have cleaned their machine. Having a central copy of a toolkit of programs (such as Norton System Works and mabie others) and making them available to people locked out of the network would be a good thing to go with this point (so that when someone goes to central IT and says "my computer says I have been locked out of the network because I have a virus", central IT can hand them a CD with the latest most up-to-date recovery tools on it (anti-virus etc) and a simple set of instructions on how to clean their machine with it.
I know I've felt it (Score:4, Interesting)
In the last month and a half, I've literally received about 2 gigabytes of virus/worm mail in my UNIX-based mailbox. (Actually, it's an AIX box at my ISP.)
Anyway, I noticed that most of these come from a rather small set of "From:" addresses, and my (now cancelled) email address, im14u2c@primenet.com, was one of them. Did any of you receive large quantities of email wastage with that forged "From:" address?
Here's a short list of forged From: addresses I saw repeatedly on these virus/worm spam, in decreasing order of occurrence:
I noticed sis.com.tw got hit pretty hard, as did Jeff Garzik! I think they must've scraped these out of the SiS900 driver in the Linux kernel. [sis.com]
I'm regretting that suggestion I made to Ollie on how to speed up his CRC routine.
--JoeWhat's worse? Press fails to cover immune apps/OS (Score:4, Insightful)
Yes, OS X, BSD, and the various Linux distributions (i.e. Debian [debian.org], Mandrake [mandrakesoft.com], SUSE [suse.com], or RedHat [redhat.com] ). All easy to install, all easy to maintain, all easy to use. OS X comes pre-installed by the OEM and an increasing number of Linux distros are, too.
Furthermore, the layered structure of the OSes and separation of privileges means that these are resistent to future viruses as well as immune to those available today. Yes, apologists and astroturfers like to ignore that as well as blame users. But even if, and that's a big if, market share has more effect than design flaws, it will take quite some time for the virus activity to shift and during that time, businesses and users have come out ahead. Right now, die hard ideologs who refuse to drop a defective product are costing billions of dollars per quarter [globetechnology.com], a not insignificant number when you think how many jobs could be kept rather than downsized or outsourced in these increasingly bad economic times for the U.S.
How about a little focus? The title should have been "An Unprecedented level of MS Virus Alerts" and steer users off of the hamster wheel. From easy to hard, these are just a few of the many options:
A really effective solution (Score:5, Interesting)
Network admins and ISP's would basically add a "poison e-mail address" to a user's address book (and possibly spoof a few old/sent messages with this address as the sender/recipient). Every user's poison address would be unique, and it would only be used for this virus-prevention system. The name/address/other fields would be populated with random data and the user would be told not to delete this entry from their address book for any reason.
Whenever an e-mail was sent to that poison address, the network administrator (and possibly the user as well) would receive a plaintext, PGP-signed e-mail (with a plaintext URL that they could visit to further authenticate it) informing them that they had a virus; better yet, they could temporarily be disconnected from the network altogether.
Implementing this system would be very easy, a little bit of extra code on an e-mail server and automatically-generated
Am I missing something or would this make a major dent in the e-mail virus problem?
If more and more virii (Score:4, Insightful)
It's getting to the point at the office that all new virii noise on the IDS box is laptops coming in from the VPN. I can see a spike in traffic from one laptop, which gets reported to the Help Desk for cleaning, and the net result to the rest of the (properly patched) network sees NO negative result.
Three simple measures to reduce risk. Duh. (Score:3, Insightful)
If you're a tech, and you do work on people's PCs, tell them about these. There is no excuse not to have these measures implemented on each and every PC in the world.
1: Routers. If you have a broadband connection and _any_ box, be it Windows or Linux, there is no damn reason _not_ to have a router with the newest firmware revisions and a _changed_ administrative password (not admin/admin like on so many Linksys WLANs I've found on my PubTrans rides home). It will stop about ninety-nine percent of outside attacks at that level.
Even a cheap-ass Linksys BEFSR41v3 will do wonders to stop outside attacks ($50 at Fry's, by the way). I know; I'm running one of those on my home LAN.
2: Remove IE/OE or keep them from integrating into the kernel in any way, shape, or form. As is, they're too tightly twined with explorer.exe and as such, that open the door for a _world_ of pain (CoolWebSearch, anyone?).
Recommended alternatives: Firefox (though it has issues with PDFs in Windows), K-Meleon, Opera, Firebird, Mozilla, Eudora (light mode _ONLY_ unless you're going to pay for it; it included Cydoor spyware in earlier versions), Thunderbird, et cetera.
3: Get a decent antivirus program and software firewall in addition to your external measures. Grisoft's AVG is free and it updates on pretty much a daily basis, and ZoneAlarm is free if they don't want something better (like a spare AIX UNIX box between their machines and the Internet).
That's enough for the casual home user.
Hell, if you don't protect your PC, you don't deserve to have it.
Re:Clam AV (Score:4, Informative)
Quite well from my point of view. A virus went through the scanner three days ago, but the definition file was updated and I haven't seen any other virii go through it again.
This is the "Catched virus top 20" in my mail server for the last few days:
Comment removed (Score:5, Informative)
Re:I guess the soltuion is easy then... (Score:3, Insightful)
As more and more computer illeterate people switch to Linux, viruses will become a problem too:
Re:I guess the soltuion is easy then... (Score:4, Insightful)
Re:And yet still reports don't mention Microsoft (Score:3, Insightful)
Why would that matter? In the 80s, all of the worms, viruses and exploits were for UNIX machines, becuase that's what the Internet was.
Now, the Internet is Windows boxen, so that's what the virus writers are targeting.
Pointing out that 'all those worms are targeted at windows!' is like pointing out that thieves target rich people.