Softpanorama


Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80, October 2013



Chapter 1: An Overview of Malware History

v.2.01; Oct. 21, 1997

An Overview of The Seventh International Virus Bulletin Conference (VB’97)

The conference was held Oct. 2-3, 1997 in SF. The partially accurate program of the conference is available at http://www.virusbtn.com/VB97/programme_tables.html.

I would like to single out the following five presentations that IMHO deserve attention:

The most impressive was the presentation by David J. Stang. Its title could probably be changed to "'In The Wild List' Is Dead". Although David diplomatically stated that "This article is NOT an attack on the developers of any wild list", it was actually a RIP for the "In The Wild List" urban legend. IMHO this is probably the main result of VB’97. Better late than never ;-). I hope that after this presentation the new editor of the Virus Bulletin will abandon the "In The Wild" urban legend.

Overview of the Best Presentations

David J. Stang: "In pursuit of prevalence: a look at 'In The Wild'"

I had never listened to David before, and the fact that he worked at NCSA in the past makes him a little bit suspect (NCSA is the major proponent of the "In the Wild List" :-), but he gave a very good presentation. I believe most people connected with AV testing will (silently :-) agree that the "In The Wild List" is unscientific (i.e. subjective), misleading (if used in AV scanner testing) and generally serves no identifiably useful purpose. It's a little bit like the shadow of academician Lysenko's heritage (for those lucky souls who do not know about Lysenko and Lysenkoism, see the definition in the "Sceptic's dictionary" at http://wheel.ucdavis.edu/~btcarrol/skeptic/lysenko.html). A meaningful "In the wild list" is just not possible due to regional differences. For example, there is a product called V-HUNTER (http://ras1.dials.ccas.ru/dsav.htm#Vhunter) that for many years detected and disinfected only viruses that were found in Russia (it does not cover polymorphic viruses; they are covered by DrWeb, though). The list of viruses that it contains, even if we exclude polymorphics, has very little to do with the "In the Wild List".

IMHO the "In the Wild List" is an artificial mix. As such, it should never be used for evaluations of the quality of AV software. Often it does not include viruses that became widespread for a month or two (a very long period in the AV industry). At the same time it includes viruses which probably never managed to get into a particular country, and in this sense are no different from any virus that can be found on "Virus CDs" or in collections available via the Internet.

Although I have publicly criticized the "In the Wild List" several times, nobody has taken the time to put all the relevant arguments against it on paper. David's presentation does the job just fine. If any publication uses the "In the Wild List" in 1998, I recommend it be viewed with great suspicion or just thrown in the garbage, where it probably belongs ;-).

David Stang made a good field study of virus distribution in several different countries and formulated four reasons why a good wild list is not possible (I paraphrased them as follows):

  1. The problem of scanner precision. Scanners are so imprecise that for a new virus, even if two scanners report the same name (which is seldom the case), it is unclear whether it is the same virus, two strains of the virus, or just two different viruses (one mistakenly misidentified due to bugs in one of the scanners).
  2. The problem of under-reporting and late reporting. The "In the Wild List" is not objective and relies on "good will", i.e. on the reports from antivirus vendors/researchers. Antivirus vendors are generally reluctant to release information about viruses that their scanners do not detect/disinfect or do not handle well. That means that such cases were underreported or reported late. Not only do AV vendors have no real incentive to report new cases unless they are already incorporated into the scanner, they themselves are not always able to obtain reliable information from their customers about infections by old viruses over the last month, especially if the virus is disinfected by a particular scanner without problems (corporate customers are one important example; disclosure of such statistical information in corporations is often regulated).
  3. The problem of complete absence of proactive value. Viruses can spread much faster than updates to the list. So the "In the Wild List" is never up to date. Often it seriously misrepresents the situation. For example, if a new type of virus appears it will not be promptly reported. As everybody knows, the Concept virus took the world by surprise. But it took half a year before one half of the 27 respondent countries reported the virus to the "In the Wild List", even though the virus was the most widespread in many or all of these countries during that period.
  4. The problem of limited value as a prevalence table. Purging viruses from the list is even more arbitrary than their inclusion, so the list cannot be used as a reliable prevalence table. Again, AV vendors have neither real incentives nor reliable information from customers to report the disappearance of a particular virus for a particular month.

Again, IMHO the main reason is that prevalence is so different between regions of the world that a global prevalence list makes very limited sense beyond, say, the dozen most widespread viruses. See below for the discussion of Dmitry Gryaznov's presentation about one possible alternative: the "In The Usenet List". It is objective, but it has several serious problems that need to be solved before it can be viable for AV scanner testing.

Jimmy Kuo: "Free Macro Anti-virus Techniques"

For some strange reason Jimmy Kuo’s presentation was put on the technical track. IMHO it was the most useful presentation for practitioners at the conference. Jimmy did a really useful job of collecting and classifying the methods of improving macro virus protection in MS Word without using macro virus scanners or VxDs. I would like to applaud the vendor-neutral approach that was used in the paper. The text of this paper is available at http://www.nai.com/services/support/vr/free.asp; I strongly recommend downloading and reading it. Several additional useful techniques should be mentioned:

  1. Use MS Word 97, if possible. Macro viruses that have protected macros will NOT be converted correctly to MS Word 97 (see below).
  2. Use RTF as an alternative format for attachments.
  3. For Word 6.0 users only: install the SCANPROT macros in the STARTUP directory instead of NORMAL.DOT (not recommended for Word 95 users; they need to upgrade to Word 95a or, better, Word 97; Word 97 users have the highest level of macro virus protection among MS Word users, including the built-in functionality of SCANPROT).

A combination of copying the NORMAL.DOT template from a special backup directory, SCANPROT installation in the STARTUP directory and the use of RTF proves, as my own experience shows, to be a very inexpensive and efficient corporate framework for fighting macro viruses. These methods are especially useful for organizations that are afraid of using VxDs for stability reasons.

As for RTF, I have had a positive experience with it in a large corporate environment, despite the fact that the CAP.A virus fools the user: it saves the document in native MS Word format instead of RTF even if the user tries to save it as RTF. At the same time, it is very easy to check on the mail gateway (or in the mailbox) whether the attachment was really converted to RTF. One only needs to check the first 5 bytes of the file, so the check can be really quick, much quicker than scanning the file for macro viruses.
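The gateway check described above, written out as an added example (not code from the original article): it classifies an attachment from its leading bytes, so a ".rtf"-named file that actually carries a native Word binary body (the CAP.A behaviour) is flagged without a macro scan. The sample byte strings are constructed, not captured from real files.

```python
"""Mail-gateway check: was an attachment really saved as RTF?

Added example, not from the original article. A genuine RTF file
begins with the control group "{\\rtf"; native Word 6/95/97 .doc
files are OLE2 compound files with a fixed 8-byte signature.
"""

# First 5 bytes of every RTF file.
RTF_MAGIC = b"{\\rtf"
# OLE2 compound-file signature used by native Word binary .doc files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'rtf', 'word-binary' or 'unknown' from the leading bytes.

    Only the first 8 bytes are inspected; a body shorter than the
    magic it is compared against simply fails to match.
    """
    head = data[:8]
    if head[:5] == RTF_MAGIC:
        return "rtf"
    if head == OLE2_MAGIC:
        return "word-binary"
    return "unknown"


def rtf_attachment_is_genuine(filename: str, data: bytes) -> bool:
    """True only if a .rtf-named attachment really carries an RTF header.

    A .rtf name on a Word-binary body is exactly the mismatch the
    article attributes to CAP.A; such attachments should be held for a
    full macro scan instead of being passed through.
    """
    if not filename.lower().endswith(".rtf"):
        return False
    return classify_attachment(data) == "rtf"


# Constructed samples (assumption: a minimal RTF body and an OLE2 header
# followed by zero padding stand in for real attachments).
SAMPLE_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}Hello\\par}"
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 504
SAMPLE_TEXT = b"Just plain text, not a Word document.\n"

if __name__ == "__main__":
    for name, body in [("resume.rtf", SAMPLE_RTF),
                       ("resume.rtf", SAMPLE_DOC),
                       ("notes.rtf", SAMPLE_TEXT)]:
        verdict = "pass" if rtf_attachment_is_genuine(name, body) else "HOLD"
        print(f"{name}: {classify_attachment(body):12s} -> {verdict}")
```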

David Aubrey-Jones: "Macro Attacks on Office ‘97"

This was an interesting presentation that tried to systematize the macro virus protection features that are available in MS Word 97. Although Microsoft could and should do more, they have made a number of important and significant changes in Office 97 that make macro virus infection less likely. The following features (with the exception of No. 1) are generally poorly documented and communicated to the public.

  1. A built-in macro warning dialog (like SCANPROT for Word 6.0; enabled by default).
  2. A scanner/disinfector built into the Word Basic converter (WWINT32.DLL).
  3. A feature that disables old Word Basic macro copying commands when the destination of the copy is locked for viewing (i.e. the project is password protected).
  4. The ability to protect projects can be applied to NORMAL.DOT, making it impossible for macro viruses to infect NORMAL.DOT without the user supplying the password.
  5. Execute-only macros cannot infect NORMAL.DOT (the vast majority of macro viruses contain ‘execute-only’ or ‘protected’ macros that have some (primitive) form of encryption).

The last feature is probably the most important. In Word 97 only ‘projects’ can be protected, while in Word 6 any single macro can be protected. A Microsoft white paper, "Word Basic Migration to Visual Basic for Applications" (available as a self-extracting archive wbmigrat.exe from http://support.microsoft.com/support/kb/articles/q164/3/70.asp), lists the following four important restrictions:

  1. Macros in protected projects cannot be copied.
  2. Macros cannot be copied into protected projects (so if you protect NORMAL.DOT it will be protected from viruses).
  3. The ExecuteOnly argument functionality of the Word Basic MacroCopy statement has been disabled.
  4. The Organizer does not list macros in a protected document.

Generally, switching to Office 97 is a pretty smart move from the point of view of macro virus protection.

Dmitry Gryaznov: "Scanning the ‘Net’"

VirusPatrol is a free service, provided by Dr. Solomon, to protect users of newsgroups from virus infections by the daily scanning of major Usenet newsgroups. Dmitry Gryaznov’s project was really innovative in several aspects and, to a certain extent, proved that Dr. Solomon is one of the market leaders.

First, probably the best way for a virus author to quickly distribute a virus is to post it to one or several popular USENET groups. Also, files and documents that contain a particular virus (for example a resume that contains the CAP.A virus) are an indicator of the prevalence of the virus. Attached executables and documents are scanned using heuristic analysis. Suspicious samples are analyzed and a detection and clean-up routine is incorporated in FindVirus. VirusPatrol issues an alert to the newsgroup warning other readers not to download the infected file. In this way a virus outbreak may be prevented. The service is not intrusive: readers of the scanned newsgroups will be aware that they are being protected by Internet VirusPatrol only when an alert is issued within that group. The list of viruses found on the scanned newsgroups over the past two months is available via http://www.drsolomon.com/vircen/vp/index.cfm. It is really instructive reading.

The second important aspect of this pioneering work is the ability to create something like an "In the Usenet List". I believe that Dmitry should take some steps in this direction. There are several problems that need to be resolved, such as the posting of virus collections and the posting of viruses for distribution in provirus newsgroups. The simplest way is to exclude them. A second approach is to introduce a rating for each virus found according to the newsgroup and to use a lower rating for virus distribution newsgroups. Let's briefly discuss the four major objections mentioned above against the "In The Wild List":

  1. The problem of scanner precision. Still valid, although only one scanner is used and bugs are limited to this particular scanner. Still, not all viruses will be reported.
  2. The problem of under-reporting and late reporting. The list is objective and this problem seems to be less important.
  3. The problem of complete absence of proactive value. Still true, but heuristics provide some (limited) proactive detection. As virus authors try to distribute viruses via USENET, the proactive value depends on the quality of the heuristics. At least some proactive value can be anticipated. More experience and information is needed.
  4. The problem of limited value as a prevalence table. Probably limited for the first dozen only. More experience and information is needed.

Martin Overton: "FAT32 - New Problems for Anti-virus or Viruses?"

Martin Overton provided an interesting discussion of FAT32, which appeared in Service Pack 2 for Windows 95 and is the preferable file system for today's 3G+ hard drives. The paper is available at http://www.salig.demon.co.uk/fat32/fat32new.htm. He demonstrated that many DOS viruses (including MBR and boot sector (DBR) viruses) work adequately under Windows 95 and FAT32. At the same time most antivirus vendors were very slow to implement proper handling of FAT32.

Some of his findings appear to be completely opposite to postings by notable researchers on the alt.comp.virus group. The most important of them is that DBR viruses really cannot be removed from FAT32 partitions by non-FAT32-compatible anti-virus software.

That means that customers with FAT32 installed, who paid for such AV products as AVP 3.0, F-prot Professional 3.0 and ThunderByte (as well as probably several others), were paying not for protection from a large subset of boot viruses that infect the boot sector [DBR] instead of the MBR, but for vapor. Of those that do support FAT32, both McAfee ViruScan 3.03 and Norton Antivirus 3.0 constantly gave false positives after a cold clean boot [Virus found in memory]. Those that successfully support FAT32 and did not produce false alarms include Dr. Solomon’s AVTK 7.72 and VET 9.44. Sophos Sweep supports FAT32, but refuses to remove FORM.A, as they consider a FAT32 partition infected with a FAT16 boot virus a problem that requires help from their support desk.

Concluding remarks

IMHO one important problem was completely overlooked: the problem of the reliability of AV products. AV products not only add to the cost of ownership of the Microsoft and Novell platforms; more often than not AV products, especially NLMs and VxD drivers, negatively affect the underlying OS stability. Like other categories of consumers, AV consumers need some kind of consumer protection from problems like those reported by Martin Overton. The level of testing of AV products (QA) really needs to be improved. I will add just one example:


The author plans additional research into this subject.

---

Dr. Nikolai Bezroukov

Copyright 1997, Nikolai Bezroukov

Permission granted to freely copy and redistribute (including posting on web pages, usenet, BBS, bulletin boards of on-line service providers) provided this copyright notice is included.

Copyrighted material contained within this document is used in compliance with the United States Code, Title 17, Section 107, "for purposes such as criticism, comment, news reporting, teaching".

Disclaimer: All comments or statements are solely my own, and do not reflect or represent any organization that I may be associated with.



Created: Oct 16, 1997;