
Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80. October, 2013



Chapter 1: An Overview of Malware History

Brief history of anti-virus/anti-spyware industry

Regional character

Malware was, and still remains, a mostly regional phenomenon. Very few epidemics have a global nature. Now, of course, epidemics are more global, but even now regional differences are quite significant. So major antivirus companies, while fighting for global presence, remain in essence regional companies with major strength in one or two regions and weaker capabilities and presence in others. For each region there are now two or three dominant companies:

Europe and former USSR

USA, Canada and Latin America

China, India and South East Asia

We can also view the anti-virus industry as consisting of two major generations of players. One is the old-timers who started back in the DOS days; the other is the newer companies which tried to find a place under the sun during the spyware explosion.

Actually there were good and bad periods in malware history. In some years there was a lot of activity in the malware field; other years were unusually slow and business suffered greatly. During those years weaker companies often went out of business or were consolidated into larger entities.

The first antivirus companies started simultaneously with the appearance of boot and file viruses. They include:

At first they were one-man shows, but they quickly grew and in the late 1990s (say 1996) became sizable companies that could be taken public. I think McAfee was the first AV company taken public. Dr. Solomon was probably the second. Still, in 1996 this was a more or less rag-tag industry.

In the USA McAfee was probably the most prominent of the pioneers in this industry. It ended its independent existence in 201 when it was bought by Intel. It won a significant share of corporate accounts in the USA and elsewhere.

Symantec was a rather late entrant in the field and always was a pretty questionable player (at least in the personal antivirus area), but it still survived as an independent company.

Founders

Paradoxically, for such an at first glance technical field, very few companies were started by AV researchers/programmers. F-Prot is one and Kaspersky is the second.

Kaspersky was one of the few leading AV companies that was started by a person personally involved in writing early anti-virus programs. It had a difficult time, as after the dissolution of the USSR and the subsequent economic collapse of the Yeltsin years its market had shrunk from the whole USSR to Russia, but it found foreign markets: first in Germany, then in the UK and the USA.

Gradually malware protection, especially corporate malware protection, became a branch of the software industry with a lot of vendors. And as in any big business, with the growth of the companies attempts to hype and oversell useless or harmful security products to corporations as well as to the unsuspecting public proliferated. Some players just became too greedy. The story is not radically different from the Vioxx story:

"This sales force is given extraordinary training so that it can capitalize on virtually every interaction with doctors," Rep. Henry A. Waxman (D-Los Angeles) said of Merck's 3,000 sales representatives. "Yet when it comes to the one thing doctors most needed to know about Vioxx — its health risks Merck's answer seems to be disinformation and censorship."

A company bulletin from 2001 ordered the sales force to steer clear of discussing a scientific meeting convened by the Food and Drug Administration to evaluate Vioxx safety. "DO NOT INITIATE DISCUSSIONS," it said in a prominent warning.

In other internal missives, concerns about heart risks were termed "obstacles." A sales campaign to overcome the safety concerns was called "Project Offense." Another was dubbed "Project XXceleration" — a play on the spelling of the drug.

As in any respectable or not so respectable industry, there are several annual conferences devoted to this problem, and at each up to a dozen vendors with anti-virus and anti-spyware products are usually present.

Anti-virus and anti-spyware vendors are not completely honest players

While Microsoft Windows has had, and will continue to have, vulnerabilities that lead to the creation of viruses and worms, including some new types, I would like to stress that antivirus and antispyware products should not be considered the only solution. They are partially a solution and partially a part of the problem, for three main reasons:

Despite the information overload about all kinds of viruses and worms, there are not so many articles/books about computer viruses that are worth reading. Even in the old days of MS-DOS with its file and boot viruses and Trojans, one was probably better off reading a good book about the MS-DOS structure and BIOS programming than a book about viruses. And this is still true for new dimensions of malware like network worms.

In the mid-1990s, when macro viruses became prominent, one would have been better off reading a book about VBA than all the largely misleading and conflicting information that AV vendors distributed about macro viruses.

In 2000-2003 SMTP-based worms (Mimail) and RPC-based worms (MS Blaster) were completely missed by major AV products (which explains the level of the epidemics they caused), and one can probably benefit from learning the basics of SMTP and MIME as well as TCP/IP.

Now spyware and network worms have come into prominence, and they require more memory and registry knowledge.

And it is important to understand that with any new threat it is almost guaranteed that AV companies will be latecomers to the field. History confirms this hypothesis pretty nicely: they always missed the threat by at least a year and then tried to sell half-baked solutions to unsuspecting customers. It is better to use products from the companies who were the first to understand the threat and who are not burdened by 10 years of AV malpractice. For example, for spyware protection Ad-Aware is one such product, and it has a free version of its scanner. See more about spyware scanners on the special page. For network worms some hardening of the registry and enabling a PC firewall might represent better protection than any AV product conceivable.

Funny, but changes in the signature database of an antivirus scanner (when it suddenly starts to detect some spyware/adware that it previously ignored) can produce the illusion of an epidemic in large corporations, discovering in one day cases that probably existed for months on corporate PCs and creating a sense of urgency to fight this newly discovered mass infection. Don't be fooled by such cases; they are just a nuisance, not a real epidemic. Otherwise you can face the corresponding chaos and damage from dealing with too many cases of a "non-vital" threat at once.

Again I would like to stress that at least a rudimentary understanding of programming (now especially scripting languages and VBA) is a must for an in-depth understanding of malware, including viruses, worms and spyware. Corporate AV specialists who do not want to or are unable to learn programming usually cannot adequately react to new threats and can become more a part of the problem than a part of the solution.

Please remember that in 1995-1996 it took almost a year for AV vendors to react (more or less adequately) to the Concept macro virus. Each time a relatively new threat arises, AV vendors fall far behind the regular upgrade cycle. Before that, the value of AV products for MS Word macro virus protection was the same as the value of a simple grep-style search utility, available for free from any good file repository ;-).

Virus Bulletin used to provide decent analytical articles about complex viruses, but it deteriorated and recently is not that interesting to read. It is also ridiculously expensive and too closely connected with Sophos (which in 2003 acquired and partially destroyed ActiveState).

This information vacuum sometimes creates the impression that underground virus-related publications are a more reliable source of information about viruses than AV vendors and the AV-related press ;-). For example, in the case of the Sircam worm no major AV vendor mentioned that it cannot work on Windows 2000 and Windows NT and needs MAPI properly configured.

I would like to stress it again: any information from AV vendors should be viewed with skepticism due to the inherent conflict of interest of AV firms. For people who are responsible for corporate AV defense it pays to compare several sources of information, especially if you do not have a sample of a particular virus and are unable to analyze it yourself. Often AV vendors overestimate the danger and do not mention the limitations of a particular virus. The questions to be asked depend on the type of the virus. Generally it makes sense to try to find answers to the following questions:

For macro viruses/worms the questions to be asked include:

For mail worms additional questions are:

The real problem here is that until recently Windows executables were not signed (and macros also belong to executables -- they are just hidden in the MS Word document format) and thus were not protected against tampering with MD5 checksums or similar. Both NT and Unix need MD5 checksums for executables ASAP. Actually NT has such a capability (Authenticode), but it's not widely used. It looks like Windows XP makes some positive steps in this direction, but I do not know the details.

All system executables should be signed with an MD5-based signature
or similar, and their integrity should be easily verifiable.

Do not jump into installing commercial AV tools each time you hear about a new nasty virus. In most cases free scripts run via the scheduler or via Netware login scripts (or a similar mechanism) can be as good or even better. The same is true for protection from email worms at the gateway level, but here free tools can serve a complementary role; a commercial AV gateway filter has certain advantages. See my Overview of VB'97.
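A baseline-and-verify integrity check for executables, as an added example that is not code from the page or its author. It implements the point made above that system executables need verifiable checksums, and it is the kind of free script that can be run from a scheduler. It hashes with SHA-256 rather than the MD5 the text mentions (an assumption on my part, since MD5 collisions are practical today); the directory tree and its files are constructed inside the demo.

```python
"""Baseline-and-verify integrity check for executables (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Suffixes treated as executables. Office formats are included because,
# as the text notes, macros are executables hidden in a document format.
EXEC_SUFFIXES = {".exe", ".dll", ".com", ".sys", ".scr", ".doc", ".dot", ".xls"}


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative posix path: digest} for every executable under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def save_manifest(manifest, path):
    """Persist the baseline; keep it where the checked tree cannot alter it."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_manifest(root, manifest):
    """Compare the current tree with the baseline; report all three kinds of drift."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed sample tree: take a baseline, change the tree, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
        (root / "readme.txt").write_text("not an executable, never hashed")
        baseline_file = Path(tmp) / "baseline.json"  # outside the checked tree
        save_manifest(build_manifest(root), baseline_file)

        # Constructed drift: one executable altered, one removed, one new.
        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"extra")
        (root / "report.doc").unlink()
        (root / "bin" / "helper.dll").write_bytes(b"MZ" + b"\x00" * 16)
        return verify_manifest(root, load_manifest(baseline_file))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```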

Moreover, in a commercial environment the loss leader is not viruses, it's AV false alarms (or false positives, as they are often called) -- despite AV vendors' precautions they regularly appear and spoil the party. That means that AV programs are much closer to a Trojan Horse than one might suspect ;-) One self-quote would help:

Each day, most cases in a corporate environment that are reported by customers are not actual cases of virus infections. They are false alarms or false positives.

The main problem here is AV products. Paranoid users and sometimes system administrators often blame on a computer virus effects that they cannot understand/explain.

In the past the main source of false positives in the corporate environment were such products as Inoculan, McAfee and F-Secure. The old version 4.0x sometimes recognized a regular VBScript program as an MS Word document and produced messages like "Infection: 'Macro.Word97.Class.eb' [AVP]". A very distressing experience if one hundred remote and clueless users get this message in one day. Probably a real virus would be less frustrating ;-)

Usually file viruses and macro viruses are reported as false positives; sometimes interesting combinations arise. For example, the now obsolete F-Prot 2.xx reported as infected any MS Word document that was disinfected by the corresponding version of McAfee. That was a very interesting experience if one part of the corporation used F-Prot and the other McAfee ;-)

Another interesting combination arises if a false positive is detected but the AV program is unable to disinfect it and either renames the file or puts it in some directory. That's when an AV program becomes a real 100% pure Trojan Horse.

Inoculan is especially bad, as it not only reports files as infected when they are not, but moves them to the Infected directory. If configured that way Inoculan can be considered a sort of Trojan Horse and may prevent installation of packages on a network drive.

I do not want to go so far as to propose that everybody move to Linux/FreeBSD (although they are not ideal and are susceptible to certain types of viruses and Trojans, they do provide much better AV protection out of the box than any flavor of Windows). All I ask for is: please do not just jump and install some over-hyped AV software package on Windows 2000/XP because a new virus or worm was discovered -- usually that does not significantly increase the level of your AV protection. Try to use built-in mechanisms first, specialised tools second and generic AV scanners only as the last resort. The latter should be used in off-line scanning mode, not in "on the fly" mode, to minimize negative influences on other software. If you choose to use "on the fly" protection, use a minimal set of extensions.

Still, as a successful new virus will probably use a slightly different approach, not foreseen by the AV vendor, and signatures are always slightly behind the events, unless you use an automatic update system (and in this case risk trouble if the update is buggy) an AV scanner does not provide much protection to count on. They are mostly cleaning tools for known threats. Understanding your environment is a better goal, and other tools can provide multilevel protection, which is always more effective than a single level based on an AV package.

Understanding your environment is a much more important goal
than getting super AV protection.

Often in a corporate environment a lot can be done with adequate policies. If, for example, all Word documents and executables must be zipped before sending, you can completely block the corresponding attachments and thus diminish or eliminate the related threats.
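A gateway-side check implementing the policy just described, as an added example that is not the page's own tooling: bare Word documents and executables are blocked and must arrive inside a zip, and the leading bytes of each attachment are inspected so a renamed file does not slip through. The blocked-extension list, the magic-byte table and the sample message are constructed for this example.

```python
"""Mail gateway attachment policy check (added example)."""
from email import message_from_bytes
from email.message import EmailMessage

# Extensions the policy says must never arrive bare (constructed list).
BLOCKED_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".doc", ".dot"}
# Leading bytes of the file types the policy blocks, regardless of the name.
MAGIC = {
    b"MZ": "DOS/Windows executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 container (Word 97-2003 document)",
}
ZIP_MAGIC = b"PK\x03\x04"


def classify_attachment(filename, payload):
    """Return (verdict, reason) for one attachment: allow, flag or block."""
    name = (filename or "").lower()
    suffix = name[name.rfind("."):] if "." in name else ""
    for magic, label in MAGIC.items():          # content check first: catches renames
        if payload.startswith(magic):
            return "block", f"{filename!r}: content is a {label}, must be sent zipped"
    if suffix in BLOCKED_SUFFIXES:              # name check: catches empty/odd content
        return "block", f"{filename!r}: extension {suffix} must be sent zipped"
    if payload.startswith(ZIP_MAGIC) and suffix != ".zip":
        return "flag", f"{filename!r}: zip content under a non-zip name"
    return "allow", f"{filename!r}: ok"


def check_message(raw):
    """Walk every MIME part; the message verdict is the strictest part verdict."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() != "attachment":
            continue                              # body text is not an attachment
        payload = part.get_payload(decode=True) or b""
        findings.append(classify_attachment(part.get_filename(), payload))
    order = {"allow": 0, "flag": 1, "block": 2}
    verdict = max((f[0] for f in findings), key=order.get, default="allow")
    return verdict, findings


def build_sample(attachments):
    """Constructed test message with the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


def demo():
    """Four constructed attachments: zipped (ok), text (ok), bare .doc, renamed .exe."""
    raw = build_sample([
        ("report.zip", ZIP_MAGIC + b"\x00" * 20),
        ("notes.txt", b"plain text"),
        ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
        ("photo.jpg", b"MZ" + b"\x00" * 30),
    ])
    return check_message(raw)


if __name__ == "__main__":
    verdict, findings = demo()
    print("verdict:", verdict)
    for part_verdict, reason in findings:
        print(f"  {part_verdict:5s} {reason}")
```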

An upgrade is also an interesting alternative, especially for home users. For example, Windows 64 users can benefit both from the better protection inherent in the less common (for now) 64-bit architecture and from the fact that most malware is written for Windows XP. A more radical solution is to use a less common OS available on Intel PCs, such as OpenSolaris. This provides a much higher level of defense from threats, but at a high cost in compatibility.

It is obvious that anti-virus vendors will always be playing catch-up with the virus writers. Theoretically, if anti-virus software updates were released quickly and people instantly installed them, desktop patch protection alone might be adequate. This is, however, impossible. The life cycle of a virus looks something like this (a self-quote again):

  1. The virus is written, tested, and possibly deployed on a test network (but usually not debugged for every Microsoft OS in existence; for example, a virus may not work on Windows 9x if the only test platform was Windows XP, or if it was debugged only on Windows 9x or on Windows 2000).
  2. The virus is released on a selected target (university campus, Usenet groups, etc.).
  3. The virus (if "successful" in the biological sense) enters the epidemic stage and spreads like wildfire, possibly causing damage (such as sending documents from folders on the hard drive, or even wiping motherboard BIOS chips ;-). Generally, the more damage a virus causes, the fewer chances it has for survival and for reaching critical mass.
  4. The first samples get to an AV vendor (someone notices strange activity, detects the virus and sends it to an anti-virus vendor). At this time the virus might not yet have reached critical mass.
  5. AV vendor(s) analyze, and possibly decompile, the virus and update their product's signature file. Typically anti-virus vendors share data with others, but they may or may not do this promptly. Anyway, at this stage getting a virus sample is not a problem.
  6. The press informs users about the threat and how to fight it. The anti-virus vendors issue bulletins, make the update to the first buggy solution, etc.
  7. Large ISPs and some large corporations install updated signature files and implement other defense measures, first on their mail gateways (or firewalls in the case of MS Blaster-type viruses) and then on the desktop. Some large customers with decent professionals or support contracts do the same; some have automated distribution systems for the update, resulting in rapid deployment of the fix.
  8. Even home users' AV products start catching the virus. This is the start of the "chronic period" of the virus's life, when it still manages to infect some machines but the number is shrinking...
  9. The environment (for example, the version of the OS or of Office, etc.) changes to the extent that the virus is no longer a viable threat. This is clinical death. Complex viruses are more sensitive to environment changes and thus generally die much faster than simple ones.

Please note that with some tuning spam filters can serve as a heuristic protection tool against most email worms. That means that right now no home user should access his ISP POP account with a plain vanilla message client (like Netscape Messenger). One needs a spam filter, either built in as a POP retrieval tool or (in a corporate environment and for Unix/Linux) as a message filter on the gateway level with an additional spam filter installed. See the Filtering Mail FAQ for more details.


DOS and Early Windows Period

Vendors

Major Vendors (Big Three)

DialogueScience

Data Fellows -- developers of F-Prot Professional.

AVP -- an example of a mature traditional scanner. 

Independent Organizations and Publications

The Crypt Newsletter -- Warning: Some satire included.

US Government

Universities


Spyware explosion and new entrants



Etc

Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.
Last modified: May 08, 2017