
Thread: Computer viruses becoming more complex, faster

  1. #21
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    I'm going to go back to the Admins themselves here...... Yes, it's easy to spread a virus around the amateur users, (read: Home), but I constantly hear of large companies being brought down by a virus or worm..... That's unacceptable, Period.

    The excuse of constant patching is, IMO, just that... an excuse.

    I have 650 workstations to manage from a security point of view. I own 350 of them and the others are managed by sysadmins of varying competence from average to absolutely incompetent. In this scenario I had to make a decision. It was clear that patching my machines when they are open to the other 300 that are less than well managed was a waste of time. Protecting my perimeter was the best I could do. So, I have the following list of precautions and policies in place for all network users:- (these are off the top of my head.... I'm not at work right now and it's Friday night...)

    1. Policy: Email may only be collected from the email client set up by the sysadmin of your organization.
    2. Policy: You may not install any software without the explicit permission of your SysAdmin.
    3. Policy: You will not use any form of Instant Messenger.
    4. Policy: You will not use any form of P2P network, see 2 above.
    5. Policy: You will not try to circumvent any safeguard put in place by me or your SysAdmin.
    6. Precaution: Firewall blocks all incoming, then ports are opened to specific machines.
    7. Precaution: Firewall blocks all outgoing ports, then ports are opened as necessary.
    8. Precaution: All publicly available machines are automatically patched daily, regardless of potential harm.
    9. Action: Incoming mail is scanned for spam; spam is ditched to a hold folder.
    10. Action: Incoming mail is passed to a virus scanner; viruses are removed.
    11. Action: Incoming mail is passed to an attachment scanner. Executables are ditched to a hold folder.
    12. Action: Incoming mail is passed to a content scanner. Suspicious content is removed.
    13. Action: Incoming mail is sent to a secondary mail server that rescans for viruses with a different scanner.
    14. Action: Primary AV scanner is updated hourly; secondaries: 4 hours and daily.
    15. Action: Except on specific machines, Outlook denies access to potentially dangerous attachments (level 1 files).
    16. Action: Employ SurfControl to block access to web sites that are not "authorized".
    17. Action: IDS reports any machine other than SMTP servers sending outbound SMTP. (Firewall blocks them too.)
    18. Action: IDS reports any machine demonstrating scanning activity.
    19. Action: IDS reports IM attempts, P2P attempts, webmail attempts etc. Users get "slapped".

    I work for a non-profit so I don't have money to throw at problems but I am an entirely Windows shop....... I don't have the figures here but I will guarantee that my _entire_ expenditure has not exceeded $15,000 - that includes all the hardware.

    My record over the three years many of these "precautions" have been in place:-

    1. Prior to attachment checking, got Kournikova - killed in 2 hours.
    2. During a "downtime" of SurfControl, got Klez... <sigh> - killed in 3 days.
    3. There is no three.....

    I firmly believe that proper perimeter protection is the answer - Remember, my patch level on internal machines, frankly, sucks.... I would like to do better but the reality is I can't.... But the perimeter protection by a competent SysAdmin, (blowing my horn there, in case no-one noticed), is far better than wasting your time chasing patches around a network.

    Just my $2.25......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
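Items 17 and 18 of the list above (flag any non-mail-server host sending outbound SMTP, and flag hosts showing scanning behaviour) are the kind of rule a small shop can run over its own firewall logs without buying anything. The following is an added example, not code from the thread or from any product named in it; the log format, the address 10.1.1.5 as the only authorized MTA, and the scan threshold of 5 distinct destinations are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of firewall connection-log lines (not real traffic).
# 10.1.1.5 is the site's MTA; 10.1.1.44 is a workstation talking SMTP
# directly to the outside world; 10.1.1.70 is probing port 135 on many hosts.
SAMPLE_LOG = """\
2003-11-07 21:01:02 src=10.1.1.5 dst=203.0.113.9 dport=25 proto=tcp
2003-11-07 21:01:03 src=10.1.1.5 dst=203.0.113.10 dport=25 proto=tcp
2003-11-07 21:01:04 src=10.1.1.44 dst=198.51.100.7 dport=25 proto=tcp
2003-11-07 21:01:05 src=10.1.1.44 dst=198.51.100.8 dport=25 proto=tcp
2003-11-07 21:01:06 src=10.1.1.70 dst=10.1.2.1 dport=135 proto=tcp
2003-11-07 21:01:06 src=10.1.1.70 dst=10.1.2.2 dport=135 proto=tcp
2003-11-07 21:01:06 src=10.1.1.70 dst=10.1.2.3 dport=135 proto=tcp
2003-11-07 21:01:07 src=10.1.1.70 dst=10.1.2.4 dport=135 proto=tcp
2003-11-07 21:01:07 src=10.1.1.70 dst=10.1.2.5 dport=135 proto=tcp
2003-11-07 21:01:08 src=10.1.1.12 dst=10.1.1.5 dport=25 proto=tcp
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

AUTHORIZED_SMTP = {"10.1.1.5"}   # assumed: the only host allowed to relay mail out
SCAN_THRESHOLD = 5               # assumed: distinct targets on one port before alerting


def parse(log):
    """Turn log text into (src, dst, dport) tuples, skipping unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), int(m.group(3))))
    return events


def rogue_smtp_senders(events):
    """Item 17: hosts speaking SMTP that are neither the MTA nor talking *to* the MTA.
    A workstation submitting mail to the internal MTA is normal and is not flagged."""
    return sorted({src for src, dst, dport in events
                   if dport == 25 and src not in AUTHORIZED_SMTP
                   and dst not in AUTHORIZED_SMTP})


def scanners(events, threshold=SCAN_THRESHOLD):
    """Item 18: hosts that touched >= threshold distinct destinations on one port."""
    targets = defaultdict(set)
    for src, dst, dport in events:
        targets[(src, dport)].add(dst)
    return sorted({src for (src, _), dsts in targets.items() if len(dsts) >= threshold})
```

On the sample, the only hit for item 17 is 10.1.1.44 and the only hit for item 18 is 10.1.1.70; tune the threshold to the size of your subnets, since a backup server legitimately contacts many hosts.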

  2. #22
    Senior Member
    Join Date
    Aug 2003
    Wow..my employer has the exact same policy, except for #1-#19. I have warned, cajoled, and nagged. So whenever the next big whatever hits, I'll open up a big can of "I told you so", and maybe you (tigershark) will be kind enough to loan me your "big hand"...

  3. #23
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Thanks groovicus,

    I guess that is similar to us. We also have "aiding and abetting" criminal activity. We would consider providing information and/or code to be this offence. Encouraging/Telling people to go out and do it would be the incitement charge.

    I think our difference is we consider information the same as material artefacts?

    I doubt if you could supply me with 200lbs of C4 and a box of detcaps for "educational purposes"

    It would seem to me on first sight that you would need to class the supply of malware code and instructions as "provision of criminal intelligence" or something? Whatever would discriminate it from freedom of speech?

    Interesting subject, and thanks for the link. It would also be interesting to hear what the situation is in other countries, to see how close or far apart we are?
    Tiger Shark: I guess what you are saying is "God helps him who helps himself, and God help him who does not"

    $2.25?................is that per day

  4. #24
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Nihil: No.... Tiger helps himself.... And "let the devil take the hindmost"

    $2.25?................is that per day
    Non-profit... remember.... That's Daily..... Luckily they give me a freebie in the pub from time to time....

  5. #25

    RE: Question

    Stupid question but, people still write them in ASM, or they do c/cpp now/still?

  6. #26
    Join Date
    Jul 2003
    Stupid question but, people still write them in ASM, or they do c/cpp now/still?
    Sure, there are virii written in High Level Assembler, Assembler, C and so on. Which brings me to my next point: like Nihil said, the speed at which a program infects users is not only dependent on how computers and other devices are connected, but also how effectively the code was written (please note I did not say elegant. Some of the most widespread virii today are NOT elegant. Take Blaster... whatta piece of crap, but effective). Virus writers want to infect as many as quickly as possible with the least bit of detection, or to be detected when the code already is doing the damage and there is little to be done but damage control.

    I have not studied many newer virii, but I have studied older type virii for DOS and there were some clever ones written, designed to infect floppies, boot sectors, exe files, com files, display funny messages and pictures, all written in assembly. It's pretty amazing what these people did for kicks and giggles, and if you do read the code, how simple it is to alter that code and make variants of the virii out there. I am sure the same holds true today, especially with the high level languages that do not need the user to push and pop the stack, move offsets into a register and declare all the bytes needed to run the program. They can spend more time figuring how to get the desired effect quicker using pre-made functions.

    Kids these days....

  7. #27
    Senior Member
    Join Date
    Oct 2003
    nice policy........ but the best thing is to turn off the PC...... then it will be impermeable...... even by the best hackers & progs :P
