Full Article
Quote:
Computer viruses became more intricate and spread at a faster speed in the first half of 2003, posing a grave threat to computer networks, Symantec Corp. reported Wednesday.
What is the internet coming to? Soon we will have to go back to the dark ages.
Quote:
These threats are also spreading faster than ever before. The Slammer worm had a worldwide impact within a few hours, while the Blaster virus infected around 2,500 computers every hour.
Guidance...
Computers are becoming cheaper and there apparently is a greatly increased number of malicious "hackers" and virii writers.
Not if people become security literate and protect themselves; two, the people who are writing this code need to grow up. It's not funny to shut down people's computers, **** them up, or flood the internet any more than it is for any malicious "hacker" (mainly skiddies) to run some program they do not even understand and mess with people's computers.
Quote:
What is the internet coming to? Soon we will have to go back to the dark ages.
Main Points:
1) The public needs to be security literate
2) Skiddies and virii writers need to grow up
PM8228,
It takes time to make people security conscious... but time won't make the others grow up :)
I hate viruses, it's a waste of talent
You need talent to create a virus? No way... virus creation kits?
However, if you mean waste of talent fixing/protecting against, then I completely agree. :)
All,
I read last weekend (can't remember where) that the University of Quebec will be including a course on writing virii in its CS curriculum. The idea is that if people understand how they work they will be better prepared to deal with them.
That was the university's point of view. I happen to vehemently disagree.
If i can find the article I'll come back and edit...
Hi Folks,
All of a sudden I feel very, very, old. I can remember the days when we connected at 9,600 Baud (roughly equivalent to BPS).
I remember one of my people developing an internal communications system to run on an IBM S/38, and us discussing what to call it, we chose "e-mail" :D ...............my PC booted DOS (about v3.0, I think) There were probably a few dial-up BBS sites around, but no internet as we know it now.
My point is that I consider the Symantec analysis to be a bit "weak".............of course malware is travelling faster and further...it is called technology. My current modem would fire crap out at 578,000Bps..................we have cable, satellite and DSL? There are more targets?
A biological analogy................if there are 5 farmers living twenty miles apart and one contracts strep throat..............chances are the others won't?.......50,000 soldiers on an army camp an the MO will be quite busy?
It is all down to technology and environment IMHO :)
Just my £0.02
Cheers
Very good analogy nihil!! I like it.
Quote:
A biological analogy................if there are 5 farmers living twenty miles apart and one contracts strep throat..............chances are the others won't?.......50,000 soldiers on an army camp an the MO will be quite busy?
You are right that with more targets connected together on faster communications systems there will of course be more infections occurring faster.
I think the thing that concerns me more than that is the fact that the timespan from vulnerability discovery to exploit code to worm is getting shorter and shorter. Slammer exploited a hole that was 6 months old. Blaster exploited a hole that was about 6 weeks old.
Patching is a full-time job and then some these days (maybe they should come out with a MCPI (Microsoft Certified Patch Implementer) certification- it would be a high-demand cert these days!!). When you have vulnerabilities coming out weekly and it takes a month to patch the tens of thousands of computers in your environment but the malicious coders of the world come out with an exploit worm in 2 weeks it poses a huge problem.
The other huge problem- which has been covered in other threads- is that security education is only half the battle. Even a well-educated and intelligent home user can not feasibly keep his system patched over a 56k dial-up connection. Windows 2000 SP4 is 130Mb- it would take more than 5 hours to download on an excellent, noise-free connection. Worms like Slammer and Blaster can infect a vulnerable machine in about 1 minute.
They need to come up with alternative means of distributing the patches like making them freely available on CD at Best Buy, CompUSA, Walmart, Blockbuster- anywhere that consumers can just go get the CD for free to patch their computer rather than trying to download it.
Anyway- kudos again on the great analogy!
I'm sure any virus writers and blackhats here on AO will flame me for this but I think the more virus writers and blackhat hackers they throw in jail the better. It will send a strong message that this is not being put up with!
I read somewhere that the reason why (speculation of course here) a new worm exploiting the MS RPCSS vulnerability hasn't been released yet as predicted was because the hackers/writers were hiding underground due to all the arrests and investigative activity focused around the Blaster worm...who knows maybe some truth to that speculation??!?
I realize this doesn't cure the root problem and is only a deterrence, but I think it would help greatly since we are really starting from a very low prosecution rate now.
We do also need to understand the WHY DO THEY DO IT better and work on that core too!
...hey the damn software needs to be fixed and better developed too...I know.
We don't have that here.. security site.. these kinda people get banned.. I mean if they write viruses and send them to someone :)
Quote:
virus writers and blackhats here on AO
EDIT: found some good news for ya :)
Hackers to Face Tougher Sentences
http://www.washingtonpost.com/ac2/wp...-2003Oct2.html
Quote:
Convicted hackers and virus writers soon will face significantly harsher penalties under new guidelines that dictate how the government punishes computer crimes.
I know what you guys mean. It just takes too much time to patch and protect yourself, not to mention the 1000 other users in your network. Even with patch management tools and remote deployment software installed on your network it still takes too bloody long to make sure everything is up to date. Throw in the 200 mobile users that use notebooks and work from outside or from home and you have a major pain in the a$$.
I myself just got infected by trojan.qhosts as you can see from my thread, probably just from visiting some website. And I update daily. I am still trying to figure out which website infected me. Spent about half an hr trying to clear up the mess.
http://www.antionline.com/showthread...hreadid=249266
New article in Washington Post that just came out where the govt is increasing the punishment for convicted computer hackers.
Punishment will now fit the crime and there is no $5,000 damage threshold. In the past prosecutors had to show the criminal caused at least $5,000 in damage. They can now use costs of restoring data, fixing security holes, damage assessments and revenue loss into the total damage calc. Hmm.
I hope this helps cool the creation and distribution of malware some. :p
Since everyone here likes analogies this is what is going to happen..
Quote:
New article in Washington Post that just came out where the govt is increasing the punishment for convicted computer hackers.
Punishment will now fit the crime and there is no $5,000 damage threshold. In the past prosecutors had to show the criminal caused at least $5,000 in damage. They can now use costs of restoring data, fixing security holes, damage assessments and revenue loss into the total damage calc. Hmm.
I hope this helps cool the creation and distribution of malware some.
Survival of the fittest. With this in place there will be less lamers writing virii (c/p code + modification)/virii toolkits. What will also happen is that the only people writing virii will be people who are so good at it that you will have incredibly large problems unless you develop a "vaccine".
Bacteria A infects a town. The doctor uses penicillin and all is well. Unknown to him and the others though, Bacteria B mutated into Bacteria AB, which is penicillin resistant... and this process continues. The fine will only deter skiddies, not hardcore blackhats. Sorry :(
Just an observation/question... have there ever been any kind of studies done that differentiate between damage caused by skiddies, and damages caused by "hardcore" blackhats?
From what I've seen (which is limited), don't the majority of the problems come from skiddies? (I kinda like that word, reminds me of something you would find in your underwear)..sorry, I digress..
Anyway, if you can knock the children out of the equation, wouldn't that be almost like curing the common cold? Sure, there's plenty of other new fun diseases to discover, but at least serious effort could be directed there, instead of those minor annoyances.
Pardon my ramble, my coffee is kickin' in!! :)
Hi!
PM8228 and groovicus.....................nice points.
I believe that the lifting of fixed penalties etc. will deter the skiddies (skidmarks?), or at least make their parents a little more interested in what they are doing.$$$$$$$$$$$ are great motivators :)
I have often wondered how these things get spread so far and so quickly. I suspect that serious blackhats must have their disciples who go and do the work for them? As well as copying source and modifying it into variants?
I agree with groovicus that if you can stop the distribution agents you will have won a major phase of the battle.
On the other hand, PM8228 has a point in that there will always be the serious blackhats. These people are social deviants/misfits or whatever. It is just like you will always have rapists and murderers, or any other crime where the perp. does not receive any material gain? Punishment might deter the fainthearted, but most criminalists seem to think that it is the certainty of being caught that is the real deterrent?
I am not worried about virus generation toolkits. They take a comparatively long time to write, and as soon as they are distributed they fall into the hands of the AV providers, who will quickly produce a generic solution. I think that the production of a generator that does not have a distinctive pattern must be the greatest challenge to blackhats? No one has managed it yet AFAIK.
I think that the legislation can go further to include the owners of websites that host blackhat forums etc. I also feel that ISPs have been less than enthusiastic regarding their potential contribution to the fight?
There will always be the problem of Internationalism though? If a US citizen opens an offshore website, or uses an offshore e-mail provider, there is very little that domestic US legislation can do?
Just a few thoughts
Cheers
Well I am a coder, but I can not/never tried to write a virus so correct me if I am wrong, but virii toolkits have a bunch of code, then they just put it together and compile it to someone's specifications. The two ways I can think of that would allow for non-pattern files is
Quote:
I am not worried about virus generation toolkits. They take a comparatively long time to write, and as soon as they are distributed they fall into the hands of the AV providers, who will quickly produce a generic solution. I think that the production of a generator that does not have a distinctive pattern must be the greatest challenge to blackhats? No one has managed it yet AFAIK.
A) have a bunch of different code that does the same things
B) AI - Personally I think AI is sweet ****(not for virii), but it means you have to have like a million years of experience
I am sorry Nihil (I just realized this means nothing in Latin, had a test on it today :p) but I disagree. Taking down someone's site, especially in the US, is against the constitution, and although the government is already turning it into a joke, there is a freedom to express one's self and opinions that I believe should be upheld.
Quote:
I think that the legislation can go further to include the owners of websites that host blackhat forums etc. I also feel that ISPs have been less than enthusiastic regarding their potential contribution to the fight?
PM8228, it is not ALWAYS against the constitution to take down a web site (certain forms of pornography come to mind). While I do agree with the first amendment, IMHO, often times it is taken too far, and out of context. The media blitz over our national do not call list is a good example of this.
It is not always so black and white....
I might have been slightly misconstrued. :)
1. Virus Generation kits must, by their very nature, have limited parameters......they will leave a pattern......I think I have about 3 of them somewhere (I was beta testing a South American AV product a while back). I have not noticed a "modern one". The reason is that they are too easy to generically protect against...so the considerable effort is not rewarded with the "impact". I guess I am suggesting that they are obsolete. There may be some worm generators around, I have not looked recently. These and trojan generators may still be valid, because the means of spreading is not viral? and they tend to rely on human frailty or software weaknesses? I believe that the task is very difficult, and AI is well beyond me :) Recent trends suggest that skiddies just take existing code and modify it?
2. There are some websites that extol the use of malware, and distribute such materials . I do not think that such activity is protected by any amendment to the Constitution of the USA? It is hardly "expressing opinion"?. I guess that it is like groovicus's comparison to child pornography. Similarly you do not have the "democratic right" to commit treason?
OK there are a lot of "grey areas", but it is the skiddie sites I am referring to. Real "pro's" would not go near these......they just provide ammunition to nuisance makers?.......I would actually not be surprised if a lot of "black hats" would like to see these sites disappear?
BTW....In my country, "incitement to commit a crime" is a crime in itself..........how about the USA?
Cheers
If I understand your law correctly, the only thing I can think of that may be comparable would be "criminal facilitation". I'll just put the link here instead of quoting.
http://caselaw.lp.findlaw.com/nycodes/c82/a25.html
However, one would have to prove actual intent to commit a crime, and that would take a clever prosecutor.
The problem is that by stating that "any info here is for educational purposes only" (or similar crap), the first amendment comes into effect. The ISP and web-master are effectively absolved of blame and recompense from any harm resulting from materials stored on their server/property.
EDIT: I'll have to give a little thought about what a black-hat may think. Were it me, I guess I would welcome the skiddie activity because it makes an effective smokescreen.
I'm going to go back to the Admins themselves here...... Yes, it's easy to spread a virus around the amateur users, (read: Home), but I constantly hear of large companies being brought down by a virus or worm..... That's unacceptable, Period.
The excuse that the constant patching is, IMO, just that... an excuse.
I have 650 workstations to manage from a security point of view. I own 350 of them and the others are managed by sysadmins of varying competence from average to absolutely incompetent. In this scenario I had to make a decision. It was clear that patching my machines when they are open to the other 300 that are less than well managed was a waste of time. Protecting my perimeter was the best I could do. So, I have the following list of precautions and policies in place for all network users:- (these are off the top of my head.... I'm not at work right now and it's Friday night... ;)
1. Policy: Email may only be collected from the email client set up by the sysadmin of your organization.
2. Policy: You may not install any software without the explicit permission of your SysAdmin.
3. Policy: You will not use any form of Instant Messenger.
4. Policy: You will not use any form of P2P network, see 2 above.
5. Policy: You will not try to circumvent any safeguard put in place by me or your SysAdmin.
6. Precaution: Firewall blocks all incoming, then ports are opened to specific machines.
7. Precaution: Firewall blocks all outgoing ports, then ports are opened as necessary.
8. Precaution: All publicly available machines are automatically patched daily, regardless of potential harm.
9. Action: Incoming mail is scanned for spam; spam is ditched to a hold folder.
10. Action: Incoming mail is passed to a virus scanner; viruses are removed.
11. Action: Incoming mail is passed to an attachment scanner; executables are ditched to a hold folder.
12. Action: Incoming mail is passed to a content scanner; suspicious content is removed.
13. Action: Incoming mail is sent to a secondary mail server that rescans for viruses with a different scanner.
14. Action: Primary AV scanner is updated hourly; secondaries every 4 hours and daily.
15. Action: Except on specific machines, Outlook denies access to potentially dangerous attachments (level 1 files).
16. Action: Employ SurfControl to block access to web sites that are not "authorized".
17. Action: IDS reports any machine other than SMTP servers sending outbound SMTP (firewall blocks them too).
18. Action: IDS reports any machine demonstrating scanning activity.
19. Action: IDS reports IM attempts, P2P attempts, webmail attempts etc. Users get "slapped".
I work for a non-profit so I don't have money to throw at problems but I am an entirely Windows shop....... I don't have the figures here but I will guarantee that my _entire_ expenditure has not exceeded $15,000 - that includes all the hardware.
My record over the three years many of these "precautions" have been in place:-
1. Prior to attachment checking got Kournikova - killed in 2 hours.
2. During a "downtime" of SurfControl got Klez... <sigh> - Killed in 3 days
3. There is no three.....
I firmly believe that proper perimeter protection is the answer - Remember, my patch level on internal machines, frankly, sucks.... I would like to do better but the reality is I can't.... But the perimeter protection by a competent SysAdmin, (blowing my horn there, in case no-one noticed), is far better than wasting your time chasing patches around a network.
Just my $2.25...... :p
Wow..my employer has the exact same policy, except for #1-#19. I have warned, cajoled, and nagged. So whenever the next big whatever hits, I'll open up a big can of "I told you so", and maybe you (tigershark) will be kind enough to loan me your "big hand"... :)
Thanks groovicus,
I guess that is similar to us. We also have "aiding and abetting" criminal activity. We would consider providing information and/or code to be this offence. Encouraging/Telling people to go out and do it would be the incitement charge.
I think our difference is we consider information the same as material artefacts?
I doubt if you could supply me with 200lbs of C4 and a box of detcaps for "educational purposes" :D
It would seem to me on first sight that you would need to class the supply of malware code and instructions as "provision of criminal intelligence" or something? Whatever would discriminate it from freedom of speech?
Interesting subject, and thanks for the link. It would also be interesting to hear what the situation is in other countries, to see how close or far apart we are?
Cheers
Tiger Shark: I guess what you are saying is "God helps him who helps himself, and God help him who does not"
$2.25?................is that per day :D
Nihil: No.... Tiger helps himself.... And "let the devil take the hindmost" ;)
Non-profit... remember.... That's Daily..... Luckily they give me a freebie in the pub from time to time.... :cool:
Quote:
$2.25?................is that per day
Stupid question, but do people still write them in ASM, or do they use C/C++ now?
Sure, there are virii written in High Level Assembler, Assembler, C and so on. Which brings me to my next point: like Nihil said, the speed at which a program infects users is not only dependent on how computers and other devices are connected, but also on how effectively the code was written (please note I did not say elegant. Some of the most widespread virii today are NOT elegant. Take Blaster... whatta piece of crap, but effective). Virus writers want to infect as many as quickly as possible with the least bit of detection, or to be detected when the code already is doing the damage and there is little to be done but damage control.
Quote:
Stupid question but, people still write them in ASM, or they do c/cpp now/still?
I have not studied many newer virii, but I have studied older type virii for DOS and there were some clever ones written, designed to infect floppies, boot sectors, exe files, com files, display funny messages and pictures, all written in assembly. It's pretty amazing what these people did for kicks and giggles, and if you do read the code, how simple it is to alter that code and make variants of virii out there. I am sure the same holds true today, especially with the high level languages that do not need the user to reference to push and pop the stack, move offsets into a register and declare all the bytes needed to run the program. They can spend more time figuring how to get the desired effect quicker using pre-made functions.
Kids these days.... :)
Nice policy........ but the best thing is to turn off the PC...... then it will be impermeable...... even by the best hackers & progs :P