Page 1 of 2 12 LastLast
Results 1 to 10 of 20

Thread: network virus spreading

  1. #1
    Senior Member
    Join Date
    Feb 2004
    Posts
    197

    Question network virus spreading

    do any of you guys know if its possible for a virus to spread through a network drive (shared drive that every one on a network can see and access.and if its possible can you tell me how? and which viruses are the scariest nightmares for networks(the one thats spreads the fastest )?


    and how can i prevent this from happening

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes.
    http://vil.nai.com/vil/content/v_100030.htm

    Your questions are covered in great detail here. Just start trolling through the forums and you'll find the answers to your questions.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    thanks alot . another qustion whats the diffrence betwwen worms and viruses

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Textbook answer:

    1. A worm spreads
    2. A virus infects

    There are now hybrids, but mostly a virus will attach itself to files and may try to send itself, or allow you to do it.

    Worms just pass along e-mail, network shares etc. They do not infect files, boot sectors or whatever............they just spread themselves about?

    Cheers

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Nihil:

    Ed Skoudis laid this out rather well in his book "Malware: Fighting Malicious Code"... A nice read if you get hold of it.

    Virus: "A virus is a self-replicating piece of code that attaches itself to other programs and usually requires human interaction to propagate".

    Worm: "A worm is a self replicating piece of code that spreads via networks and usually doesn't require human interaction to propagate".

    They do not infect files, boot sectors or whatever............they just spread themselves about?
    Skoudis seems to be leaning towards, along with others, that the majority of worms we are seeing recently are all "tests". He describes the makup of a worm, Warhead, (exploit(s)), Targeting mechanism, (scanner and the algorithms that drive it), and payload(s), (the Nasty stuff). I think the theory about "test" worms is really rather justified considering that we have had numerous worms in the last couple of years, they are getting faster and better targetted yet they haven't really done any damage to the infected machines, (yeah, yeah, cleanup costs are "damage" but I'm talking about formatting the box after a while or messing up all the data files it can find on network drives.... That's much more costly. But this all comes down to the payloads carried..... They aren't really carrying a malicious one. Why.... 'cos they don't need one yet????
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes, and I fully agree with his position for several reasons:

    1) I know for sure that underground groups have set a response time benchmark that they feel once beaten, will render a corp/govt/end user helpless when the real McCoy comes.

    2) I know that the benchmark is set at 10 minutes. This is the response time that a top flight organization will have before all machines are protected. The 10 minute window is what these folks are looking to beat.

    3) As stated, the propigation times are improving and the delivery styles are being tweaked.

    4) I have reviewed worm/virus/trojan code and the latest stuff is, by far, not the work of an ametuer. Compare this to code written 5 years ago and the difference is like night and day.

    5) Insiders at various AV companies are expecting the big one to be polymorphic and already are rumored to have code ready to deal with such horribleness.

    So buckle your seatbelts and wait because the latest round of annoying remailers are just a prelude to what is coming.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Good to see someone else keeping up with the enemy...... I was under the impression that the "world' propagation time was 15 minutes..... Heck, what's 5 minutes between friends.

    The consensus also seems to be not just polymorphic but also blended. It may have multiple warheads, it's own SMTP engine to spread itself in a virus-like fashion, it will be encrytped and polymorphic to make detection more difficult and finally will have multiple payloads.... the payloads may work randomly or in sequence, (DoS a target, (AV vendors come to mind), trash all network docs/ppts/xls/mdbs etc, ......... then trash the box....

    So let's think about that for a second..... the potentials are:-

    1. Unknown Warhead(s)... But let's be logical, if you want maximum spread in the shortest possible time they aren't going to attack "odd services", they will be common, (mail, web, etc). A multiple warhead worm will probably have warheads for different OS's. It's warheads are either going to be zero day or recently discovered for any attacked OS.

    2. It's going to try to spread itself. <Duh> By other warheads or by mail....

    3. It's not going to be recognisable by AV, Trojan scanners etc. and even if it "will be" detected it won't be either by the speed it is travelling or because it is DoSing the common AV vendors.

    Can we "Pre-mitigate"?

    Yes, I think we can.... With thought and knowledge of our own network, what is required within it and to make it work. Some suggestions would be.

    1. The oldest one in the book.... If the port isn't required to be open at all times to all IP addresses on the public network either close it permanently or limit it to specific, trusted IP addresses. If it _must_ be open all the time DMZ it... keep it away from your private network, in this way you minimize the number of available resources for the worm.

    2. If it is required sometimes, open it when needed and close it immediately it isn't. Preferably have the service in the DMZ. If that's impossible - don't open it when the threat is high - look before you leap - you can always use a CD to transfer that file - the cost of the gas or the Fedex ain't that much if that's what's needed - Remember, there are always alternatives to a file transfer method - pick one that isn't reported vulnerable..... It may not be safe but if it isn't reported within 24 hours of the outbreak it's getting close to being safe....

    3. DMZ's..... What are they.... They are the place "outside" your network that is also "inside" it. It requires tighter ingress rules than the public -> DMZ network..... There's no reason to have port 80 open from the DMZ to the trusted..... Then it should be closed... period. It complicates the attackers problem - he has an exploit for HTTP/IIS and wins that battle.... But then he needs an exploit for SMTP to an Exchange server to get from the DMZ to the trusted too.... The automated tool, (worm), may not have that..... Bingo - potential hosts are restricted.

    4. Egress rules..... Well, everyone cares about the incoming.... The threats are so diverse that in order to maintain security then you would have to block everything - you can't do that. But let's think about what _has_ to go outbound. We can lock that down a lot. You have no reason to allow outbound SMTP if you run your mail server... so block it except from the mail servers themselves. So what ports do you _need_ to go outbound.... You don't need SSH(port 22),? then block it outbound. It will prevent the "out of OS" exploits from taking place in many cases....

    5. The firewall..... Can you strip potentially harmful extensions from the email? Do it.... Use FTP to transfer the needed files and let them sit till your AV has updated.... Can you block them from http too..... might be a good idea if the threat gets high.... Yeah, you might have only a few minutes - but when you know about it, use it.... M$ updates be damned.... Mitigate at the other levels..... It may cost you $1m in lost business.... But the overall cost in "hidden costs" exceed that considerably.... Be smart - no matter what the boss says...... explain the risk in the hidden costs..... can you say stock prices, reputation...... Means a lot in a competitive world.

    IMO, this is an issue of prior thought.... Understand the threat..... Keep up with it - it changes you know.... Do what you need to do to only allow the minimum traffic in _and_ out of the network to allow the users to do what they need to do and the public to see what they need to see..... And maybe you just "pre-mitigated" the nasty that will probably be being written today.....

    There will be another tomorrow.......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    can you tell me if im correct ,viruses imbed there code in files. and worms just copy themselfs


    how do anti virus companies keep up with the newest viruses and worms?

    it must be preety hard because with one worm or virus generator a person can make lots of diffrerent worms or viruses

  9. #9
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    do any of you know what life means.

  10. #10
    Senior Member
    Join Date
    Sep 2003
    Posts
    126
    Are you trying to be insulting or are you suggesting that the virus/worms are mimicking life? which ever one it is please make it clearer in future posts.
    [Shadow] have you ever noticed work is like a tree full of monkeys you look down and all you see is monkeys below you then you look up and all you see is a bunch of *******s above[/shadow]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •