There is a Contest
on the Internet.
TRY NOT TO PLAY.
Only a Virus Author can Win.
3/3/04
WARNING
This week there is a virus contest going on between
three rival Virus writers.
They are trying to see who can infect the most computers.
Don't participate in this contest!
None of these new viruses are
as destructive as Mydoom.F, but they are becoming extremely clever
and aggressive in persuading users to infect their computers.
See our report on Mydoom.F at: http://www.softprose.com/information/antivirus/mydoom.shtml
The three viruses are:
Bagle - EXTREMELY clever messages that try to convince
users to run the virus. Messages pose as Email administrators,
saying that your Email is going to be cut off or you have to
run the attached patch. Some messages even provide a "password"
to use to accomplish this bogus task.
Mydoom.G (now including Mydoom.H) - A new variant of MyDoom.
(Remember, Mydoom.F erases files and is very bad to catch!)
The "G" strain remains highly infectious but does not
appear to be destructive. However, MyDoom.G is even more effective
at disabling other anti-virus software.
Netsky (Netsky.F) - Uses some advanced technique to
distribute itself at perhaps the fastest rate ever seen for an
Internet Virus. This one is BRAND NEW, and anti-virus software
may not have a handle on it yet. It may also be similar to the
SoBig virus, with a goal of creating fleets of "zombie"
computers that can later be resold as SPAM generating computers.
NOTE: Rumor has it that Netsky may have a new technique for
infecting Web Pages, which may be the cause of its unusually
rapid transmission. Netsky itself may prove to be the most serious
single infection threat in the past 12 months.
ALL of these viruses will:
1) Disable antivirus software. In particular, Norton Anti-Virus
(NAV), McAfee, and F-Secure products are attacked, along with
a growing list of others. (Note that Computer Associates Inoculate
IT is nearly always ignored in the list of antivirus products
subject to these attacks.) Infected computers may immediately
lose anti-virus protection, opening them up for other attacks.
2) Can turn an infected PC into a "zombie" which can
be used later to send Spam, other viruses, etc.
3) Open up security on the machine so that someone who knows
how can take over the machine, read files, etc.
4) Disguise who is sending the email with false information.
Assemble their own Email address book from any file on the computer.
Send Email with their own software, not requiring Outlook or
any other program on your computer.
5) May do other destructive or damaging things on a timed schedule.
6) Use NETWORK INFECTION techniques. One machine on a network
that is not protected may get the virus, and then infect a shared
drive on a server. This shared drive will then infect any other
machines not protected against this type of attack. (Note that
all computers and servers should be running anti-virus software
to protect against this problem!)
7) Each of the three has a particular "special ability"
that may or may not be of interest.
In addition, these viruses
may mutate very rapidly.
The mutations may not be picked up by anti-virus software for
hours or days.
The flood of viruses and variants hitting the Internet is starting
to cause breakdowns in the ability of the anti-virus vendors
to properly protect client machines, AND their own software.
As most of these viruses now attack anti-virus software as the
first thing they do, it is increasingly important that users
pay attention to their machines and Email and use extreme caution
when confronted with anything unusual, uncertain, or confusing.
DO NOT RUN STRANGE ATTACHMENTS. IF IN DOUBT, RUN NO ATTACHMENTS
AT ALL!
InoculateIT and eTrust Anti-Virus
users, take note:
Users who have InoculateIT and Computer Associates' eTrust Anti-Virus
should have a high degree of protection from the virus strains
discussed in this article. Protection for most of these worms
is included in recent updates, and your systems should be safe
from infection. No action should be required as your systems
should be protected. However, note that the "Realtime Monitor"
for the software should be on the default setting of "Monitor
both directions" to be most effective. If the display in
the Taskbar shows a Red Circle and Line through the blue box
of the Realtime Monitor, something is wrong and your virus protection
is not active. (Ditto if the blue box is not shown at all in
the Taskbar.)
How will this Virus Problem
End?
An Editorial from SoftProse Technology, Inc.
This virus problem is quite a
serious one. Users buy computers with anti-virus software that
never updates, or whose updates expire after a few months, and
assume that they "have protection". This encourages
virus authors: any anti-virus software that "expires"
for updates is a tool that encourages virus authorship, not true
protection. Anti-virus software should update for the life of the
computer or operating system, and not require periodic re-purchases
to remain in effect. In addition, antivirus software should automatically
check for updates several times a day, such as the default 4
hours we set for our InoculateIT / eTrust Anti-Virus systems. Users
also must bear some responsibility to keep their software updated;
to not involve themselves with "cheater" software such
as Kazaa; and to avoid running strange attachments.
Spyware and Adware, along with Spam transmission efforts, are
now becoming more and more closely linked to virus authorship.
Anti-virus software will not touch "commercial" Spyware
and Adware, claiming that this is not their responsibility. However,
computers are failing when they are overwhelmed by Spyware and
Adware, and this is a major growing problem. Anti-virus software
must protect against all malicious software, not just that produced
by amateurs.
Internet Service Providers such as Earthlink, AOL, Verio, RoadRunner,
Optimum Online, etc. are the actual means by which these viruses
are transmitted. The true "source of infection" is
the Internet pipe by which we are communicating. To resolve these
issues, new routers called "filtering routers" can
be installed, to replace the current "boundary routers"
that connect users to the Internet. Replacing all the boundary
routers with new filtering routers that can remove viruses and
spam is a major expense, and a technological challenge. It is
also a challenge that must be met, and SOON, as consumers are
being pounded by the products of brilliant but immature criminals.
The only way to defend against these problems is for the
Internet itself to rise in its own defense. Companies that
make the new generation of router systems include Cisco and Juniper
Networks, but many other vendors will be available in the near
future. ISPs that implement filtering of this kind will be extremely
desirable. SoftProse Technology, Inc. is now involved both in
encouraging current ISPs to take responsible actions and to
implement these filtering technologies, and in discovering and promoting
ISPs that currently offer these services to their clients.
Information on this problem may
be found at:
About.com has a good Antivirus reference at:
http://antivirus.about.com/
Article: War of the Worms http://antivirus.about.com/b/a/069462.htm
From Computer Associates:
Virus Information Page:
http://www3.ca.com/virusinfo/
Win32.Bagle.K
http://www3.ca.com/virusinfo/virus.aspx?ID=38480
Win32.Mydoom.H (BRAND NEW)
http://www3.ca.com/virusinfo/virus.aspx?ID=38481
Win32.Netsky.F
http://www3.ca.com/virusinfo/virus.aspx?ID=38479
For one organization's frustrations
with a lack of Filtering Routers, see:
http://www.ddos-ca.org/faq.php
Last Modified on: 3/3/2004