Discover the malicious code that infected millions of machines worldwide with insightful comments from people such as Mikko H. Hypponen (Director of Anti-Virus Research, F-Secure Corporation) and Graham Cluley (Senior Technology Consultant, Sophos).
How many were there?
And how many were Windows viruses?
…to use IBM/Lotus Notes/Domino as my mailing infrastructure. And that this year was a very easy year for me. Not a single virus or trojan in the complete company. Maybe the reason for that is that we reduced the infrastructure to just 1 Windows 98SE computer, 1 Windows NT 4.0 SP6a server and 1 Windows XP SP1 workstation. Every other workstation (about 20 of them) is running on Gentoo Linux (Notes Client/Admin/Designer is running in wine) and the other 7 servers run Linux (Red Hat and Gentoo) as well. 2 Notebooks are running Gentoo Linux while they are in the office and Windows XP SP1 when we are outside and working directly at the customer's place. The Notebooks are all firewalled, even when they are connected to the internal network (saves us a lot of trouble). Every server, workstation and notebook runs virus protection software.
While we did not have a single virus or trojan, this year we had an intruder on one of our stand-by Red Hat servers (the server was by accident connected permanently and directly to the internet (without firewall) and the intruder used an ssh exploit).
However… security is not just something you can implement once and then leave it running. Security is an ongoing process which needs a lot of time.
From the economic viewpoint, viruses as they happened this year were a great thing for us. We had customers where the complete DMZ went down and the internal network as well, because a Notebook plugged into the network infected almost every PC (including the servers) in the complete company. The network was well protected from outside, but not from inside. The gigabit ethernet and ATM network went completely down because of the virus trying to find new networks and computers to infect. All this is mostly producing so much work that they can not handle it all internally and workload is shifted to us.
I know… it is bad to talk/write something like this, but it is the way it is and to lie about it is as well not okay.
I hope next year will not be again such a mess! I much prefer to concentrate on normal work than always being the fireman and going out early in the morning to work all day long and try to fix things which seem to be getting worse and worse the longer you try to fix them and the longer the computers are running…
I think that this year there were about 40-60 viruses/worms. They were all for Windows (mostly or all NT)
I also think that there was a new root-kit for linux but it only affects RH 7.2 (could be wrong though)
This is not only a Windows issue! Other OSes have their problems as well.
One of the major problems I see with the speed of the viruses spreading around is: Big companies mostly have a schedule when they distribute software internally. Some of them only initiate once a day a push of software to the client or a pull from the server to the client. While others only do this every week or every month or ….
This is definitely too slow for viruses today! You almost need a realtime update of every single system, as soon as a new virus is out. And this is not an easy task in a decentralised world!
Some years ago, you could just protect the network by scanning all floppies. Today in the mobile world and the very connected world, you need to check every single entrance to the network for viruses. And you need to take care of internal systems, external systems and a lot of internal systems which are mobile and connect from external and internal. This is something most companies did not expect and were not 100% prepared for such a situation.
And it is not important if the system is Windows or another OS. Viruses are everywhere! (Okay… Windows has a lot of them. But it is in no way an “only Windows” problem)
How many of these viruses/worms either …
a) Already had a patch available before they were out in the wild
b) Were a variant of some other virus or worm that should’ve already been patched by users, but wasn’t.
While it’s true that Windows is horrible on security, I’m not sure it would be nearly as bad if users were just a little more proactive. I mean, I’ve seen people who *know* how to use Windows Update and why they should do it, but they still don’t … even after having been nailed in the past.
But one thing you can be guaranteed of … if these people don’t patch their Windows box, they damn sure ain’t gonna do it for any other OS either, so if you switch to another OS (no matter what it is), you better make sure that OS is locked down tighter than a vice grip.
I agree. While I think MS’s automated patching system (being introduced in Longhorn) is invasive, it’s necessary. The facts are most HOME users are too lazy or ignorant of the importance of patching their systems and just ignore the warnings.
NOTE: I’m emphasising HOME USERS because I understand that large companies have to test the patches before they’re implemented.
Computers are more like a car than a toaster. Even though some people would like the computer to be easy to use like a toaster, it probably won’t be for quite some time. Cars need maintenance and check-ups just like computers. You need to run antivirus programs, spyware programs, firewall programs, and keep the software up to date. Depending on the type of computer, these tasks should be run either daily or weekly.
Some operating systems are more secure by default because services are turned off at the start and/or the software has code audits regularly. Try to use the most secure machine you can.
If you must use a vulnerable machine try to keep it off the internet so that machine is not used to attack other machines.
‘Try to use the most secure machine you can’
This is the way I thought in the past, but not anymore.
Why? If I tell ya, I was so confident in iptabling my netfilter with IDS and hardware router, but my network still got penetrated/breached.
Sometimes life just doesn’t turn out to be the way you want…
Peace.
But in my wild imagination I thought, would there be any possibility of creating a virus to destroy a virus? Rather than hold the fort, why not send an army of programs to scan the internet to destroy viruses. I dunno, yeah, it’s a kinda stupid idea, but it would be cool if such a thing could happen lol.
WorknMan:
You are correct that the vast majority of exploits/infections already have patches available. However, you seem to be thinking on the small scale (ie. a few workstations and servers)
For many of the customers I consult for, there are *thousands* of machines. To add to the confusion, these computers are spread across several different offices (in different states and countries) and there are boat-loads of users accessing the network from laptops via VPN connections.
Moreover, due to the fact that several business partners need to have access to certain computers (ie. insurance companies have access to the HR machines), it makes the situation a nightmare.
It is simply not feasible to ensure that each machine is fully updated with the latest patches and/or virus updates. And often times (as is the case with business partners), we don’t even have access to the machines accessing the network.
Simply put, as an organization's infrastructure grows, virus outbreaks have become a “cost of doing business”.
The funny thing is, the most worry-free machines that we manage are the linux/unix group. That is not to say they are without problems, but recovery and prevention is usually orders of magnitude easier.
My 1/50th of a $1.00.
That is exactly what Nachi did, it removed MSBlast, patched the hole, and scanned on.
The problem is that it created more traffic and problems than MSBlast.
Nachi is supposed to die Jan 1 2004.
There is an easy answer though, services should not be in Listening state by default.
MS is addressing this in XP SP2, they are turning on ICF (XP firewall). I think they are also turning on Windows Update by default as well.
This is the way it should have been since day 1.
I didn’t see too much in the way of viruses this year, but the worms were in full effect. I saw on bugtraq how one group released a patch that will solve some of the OE and IE probs. It basically tightens security in the My Computer zone to levels that should be stock from Microsoft.
As far as the worms, there was a patch for RPC DCOM before it hit full force. The initial report to bugtraq didn’t include source code, and other groups came along and perfected the attack.
The cheap way out is just to use Windows Update, Outpost firewall, and AVG antivirus. An anti-trojan tool like TDS 3 at $50 is nice too. I see trojans as being more of a prob in the future with all the p2p of executables these days. A lot of the modern trojans can slip past NAV pretty easy now.
>How many were there?
>And how many were windows viruses?
There will always be a lot fewer viruses on the unices than on Windows. A unix virus needs to be running at root level to do much damage. If the mal code author has root level access, he’ll probably do something like a worm or trojan instead of a virus. Therefore worms that attack services on linux are going to be more prevalent. IMHO of course.
I usually do Windows Update manually because I am still a dial-up user. Having Windows Update set to automatic would not work so well for me. If you have timed updates, my machine is most likely offline when it wants to update. If it tries to update every time I connect to the internet, then I will have to turn it off or pause it until after I finish with the internet. It is better for me to do it manually.
People with broadband should have Windows Update set to automatic. The update can be scheduled during the night or when the computer is not being used.
One thing bad about the updates is that Windows wants to restart after each update most of the time. If I am on the internet, I have to do the updates after I collect all my email, check the news, and whatever else I want to do on the internet before having to shutdown my computer.
Microsoft said they were going to try to eliminate the need to reboot after most updates. I hope they honor their word.
On my Linux machine I do not have to reboot after updates unless it is a kernel update. I think this year that I only had to reboot three or four times.
Another nice feature would be having the actual update packages placed in a folder so that a CD could be burned. That way if the computer needs a clean re-install, you can apply all the patches before connecting the machine to the internet. Again, I am able to do this with Linux.
> The funny thing is, the most worry-free machines that we manage are the linux/unix group. That is not to say they are without problems, but recovery and prevention is usually orders of magnitude easier.
I can only agree with this.
I have two machines running Windows at home (they aren’t mine, otherwise they wouldn’t be running Windows). During the time it takes to just install a SP all my machines (1x debian/unstable, 1x debian/stable, 1x FC 1) have finished updating.
And there are still a few other updates for Windows left that I couldn’t install along with the SP…
Wondering if it is possible to disable traffic for certain ports intended only for local MS networks on providers’ gateways,
including CIFS and such.
People who really need it, e.g. as part of corporate infrastructure, should use VPN/SSL tunnels etc.
But in the current situation with broadband connections, every Schmoe’s machine is a danger for the whole network of his/her provider.
“A unix virus needs to be running at root level to do much damage.”
No. The GNU attack was, by most accounts, done using an ordinary user account and taking advantage of the do_brk exploit (Now fixed) in the linux kernel to gain uid 0 privileges.
No system is foolproof, you just have to keep up your guard.
Heh if that wasn’t a troll……
However I don’t agree with you, Bram.
I’ve tried all the Windows versions since 3.11, and several linux distros, and I can tell you a well configured linux machine is much more stable than a well configured windows machine.
I like FreeBSD better but that’s another story.
Whatever really, if you don’t open your mind, nobody will… and having a closed mind is not very convenient in these days…