Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013
Chapter 1: An Overview of Malware History
Malware was and still remains a mostly regional phenomenon. Very few epidemics are global in nature. Nowadays more of them are, of course, but even now regional differences are quite significant. So the major antivirus companies, while fighting for global presence, remain in essence regional companies, with major strength in one or two regions and weaker capabilities and presence in others. For each region there are now two or three dominant companies:
Europe and former USSR
USA, Canada and Latin America
China, India and South East Asia
We can also view the anti-virus industry as consisting of two generations of players. One is the old-timers, who started back in the DOS days; the other is the newer companies that tried to find a place under the sun during the spyware explosion.
Actually, there have been good and bad periods in malware history. In some years there was a lot of activity in the malware field; other years were unusually slow and business suffered greatly. During those years weaker companies often went out of business or were consolidated into larger entities.
The first antivirus companies appeared simultaneously with boot and file viruses. They include:
At first they were one-man shows, but they quickly grew, and in the late 1990s (say, 1996) became sizable companies that could be taken public. I think McAfee was the first AV company taken public; Dr. Solomon's was probably the second. Still, in 1996 this was a more or less rag-tag industry.
In the USA McAfee was probably the most prominent of the pioneers in this industry. It ended its independent existence in 201 when it was bought by Intel. It won a significant share of corporate accounts in the USA and elsewhere.
Symantec was a rather late entrant in the field and was always a pretty questionable player (at least in the personal antivirus area), but it still survived as an independent company.
Paradoxically, for such an at first glance technical field, very few companies were started by AV researchers/programmers. F-Prot is one and Kaspersky is the second.
Kaspersky was one of the few leading AV companies started by a person personally involved in writing early anti-virus programs. It had a difficult time after the dissolution of the USSR and the subsequent economic collapse of the Yeltsin years, when its market shrank from the whole USSR to Russia alone, but it found foreign markets: first in Germany, then in the UK and the USA.
Gradually malware protection, especially corporate malware protection, became a branch of the software industry with a lot of vendors. And as in any big business, with the growth of the companies, attempts to hype and oversell useless or harmful security products to corporations as well as to the unsuspecting public proliferated. Some players simply became too greedy. The story is not radically different from the Vioxx story:
"This sales force is given extraordinary training so that it can capitalize on virtually every interaction with doctors," Rep. Henry A. Waxman (D-Los Angeles) said of Merck's 3,000 sales representatives. "Yet when it comes to the one thing doctors most needed to know about Vioxx — its health risks — Merck's answer seems to be disinformation and censorship."
A company bulletin from 2001 ordered the sales force to steer clear of discussing a scientific meeting convened by the Food and Drug Administration to evaluate Vioxx safety. "DO NOT INITIATE DISCUSSIONS," it said in a prominent warning.
In other internal missives, concerns about heart risks were termed "obstacles." A sales campaign to overcome the safety concerns was called "Project Offense." Another was dubbed "Project XXceleration" — a play on the spelling of the drug.
As in any respectable (and not so respectable) industry, there are several annual conferences devoted to this problem, and at each up to a dozen vendors with anti-virus and antispyware products are usually present.
While Microsoft Windows has had and will continue to have vulnerabilities that lead to the creation of viruses and worms, including some new types, I would like to stress that antivirus and antispyware products should not be considered the only solution. They are partially a solution and partially a part of the problem, for three main reasons:
Next, try to find out how the virus detects its own presence on the computer -- information that can often be used for simple "home-made" vaccines.
That's why you should never rely on a single vendor's information. Try to correlate at least three descriptions or, better, do some controlled experiments of your own to verify the data.
The sad truth about AV vendors is that they tend to exaggerate the threat.
Despite the information overload about all kinds of viruses and worms, there are not so many articles/books about computer viruses that are worth reading. Even in the old days of MS-DOS, with file and boot viruses and Trojans, one was probably better off reading a good book about MS-DOS structure and BIOS programming than a book about viruses. And this is still true for newer kinds of malware such as network worms.
In the mid-1990s, when macro viruses became prominent, one would have been better off reading a book about VBA than all the largely misleading and conflicting information that AV vendors distributed about macro viruses.
In 2000-2003 SMTP-based worms (Mimail) and RPC-based worms (MS Blaster) were completely missed by the major AV products (which explains the level of the epidemics they caused), and one can probably benefit more from learning the basics of SMTP and MIME as well as TCP/IP.
Now spyware and network worms have come to prominence, and they require more knowledge of memory and the registry.
And it is important to understand that with any new threat it is almost guaranteed that AV companies will be latecomers to the field. History confirms this hypothesis pretty nicely: they always missed the threat by at least a year and then tried to sell half-baked solutions to unsuspecting customers. It is better to use products from the companies that were the first to understand the threat and that are not burdened by 10 years of AV malpractice. For example, for spyware protection Ad-Aware is one such product, and it has a free version of its scanner. See more about spyware scanners on the special page. For network worms some hardening of the registry and enabling the PC firewall might represent better protection than any AV product conceivable.
Funny, but changes in the signature database of an antivirus scanner (when it suddenly starts to detect some spyware/adware that it previously ignored) can produce the illusion of an epidemic in large corporations, discovering in one day cases that probably existed for months on corporate PCs and creating a sense of urgency to fight this newly discovered mass infection. Don't be fooled by such cases; they are just a nuisance, not a real epidemic. Otherwise you can face the corresponding chaos and damage from dealing with too many cases of a "non-vital" threat at once.
Again I would like to stress that at least a rudimentary understanding of programming (now especially scripting languages and VBA) is a must for an in-depth understanding of malware, including viruses, worms and spyware. Corporate AV specialists who do not want to or are unable to learn programming usually cannot adequately react to new threats and can become more a part of the problem than a part of the solution.
Please remember that in 1995-1996 it took almost a year for AV vendors to react (more or less adequately) to the Concept macro virus. Each time a relatively new threat arises, AV vendors fall far behind their regular upgrade cycle. Before that, the value of AV products for MS Word macro virus protection was the same as the value of a simple grep-style search utility, available for free from any good file repository ;-).
Virus Bulletin used to provide decent analytical articles about complex viruses, but it deteriorated and recently its articles are not that interesting to read. It is also ridiculously expensive and too closely connected with Sophos (which in 2003 acquired and partially destroyed ActiveState).
This information vacuum sometimes creates the impression that underground virus-related publications are a more reliable source of information about viruses than AV vendors and the AV-related press ;-). For example, in the case of the Sircam worm no major AV vendor mentioned that it cannot work on Windows 2000 and Windows NT and needs MAPI properly configured.
I would like to stress it again: any information from AV vendors should be viewed with skepticism due to the inherent conflict of interests of AV firms. For people who are responsible for corporate AV defense it pays to compare several sources of information, especially if you do not have a sample of a particular virus and are unable to analyze it yourself. AV vendors often overestimate the danger and do not mention the limitations of a particular virus. The questions to be asked depend on the type of the virus. Generally it makes sense to try to find answers to the following questions:
For macro viruses/worms the questions to be asked include:
For mail worms additional questions are:
The real problem here is that until recently Windows executables were not signed (and macros also belong to executables -- they are just hidden inside the MS Word document format) and thus were not protected against tampering by MD5 checksums or similar. Both NT and Unix need MD5 checksums for executables ASAP. Actually NT has such a capability (Authenticode), but it's not widely used. It looks like Windows XP makes some positive steps in this direction, but I do not know the details.
All system executables should be signed with MD5.
Do not jump into installing commercial AV tools each time you hear about a new nasty virus. In most cases free scripts run via the scheduler or via Netware login scripts (or a similar mechanism) can be as good or even better. The same is true for protection from email worms at the gateway level, but here free tools can serve a complementary role; a commercial AV gateway filter has certain advantages. See my Overview of VB'97.
Moreover, in a commercial environment the main source of losses is not viruses but AV false alarms (or false positives, as they are often called) -- despite AV vendors' precautions they regularly appear and spoil the party. That means that AV programs are much closer to a Trojan Horse than one might suspect ;-) One self-quote would help:
Each day, most cases in a corporate environment that are reported by customers are not actual cases of virus infection. They are false alarms, or false positives.
The main problem here is AV products. Paranoid users, and sometimes system administrators, often blame a computer virus for effects that they cannot understand or explain.
In the past the main sources of false positives in the corporate environment were such products as Inoculan, McAfee and F-Secure. The old version 4.0x sometimes recognized a regular VBScript program as an MS Word document and produced messages like "Infection: 'Macro.Word97.Class.eb' [AVP]". A very distressing experience if one hundred remote and clueless users get this message in one day. Probably a real virus would be less frustrating ;-)
Usually file viruses and macro viruses are reported as false positives; sometimes interesting combinations arise. For example, the now obsolete F-Prot 2.xx reported as infected any MS Word document that had been disinfected by the corresponding version of McAfee. That was a very interesting experience if one part of the corporation used F-Prot and another McAfee ;-)
Another interesting combination arises if a false positive is detected but the AV program is unable to disinfect it and either renames the file or puts it in some directory. That's when an AV program becomes a real 100% pure Trojan Horse.
Inoculan is especially bad, as it not only reports files as infected when they are not, but moves them to the Infected directory. If configured that way, Inoculan can be considered a sort of Trojan Horse and may prevent installation of packages from the network drive.
I do not want to go so far as to propose that everybody move to Linux/FreeBSD (although they are not ideal and are susceptible to certain types of viruses and Trojans, they do provide much better AV protection out of the box than any flavor of Windows). All I ask is: please do not just jump and install some over-hyped AV software package on Windows 2000/XP because a new virus or worm was discovered -- usually that does not significantly increase the level of your AV protection. Try to use built-in mechanisms first, specialized tools second, and generic AV scanners only as the last resort. The latter should be used in off-line scanning mode, not in "on the fly" mode, to minimize negative influences on other software. If you choose to use "on the fly" protection, use a minimal set of extensions.
Still, since a successful new virus will probably use a slightly different approach not foreseen by the AV vendor, and since signatures are always slightly behind events unless you use an automatic update system (and in this case you risk trouble if an update is buggy), an AV scanner does not provide much protection to count on. AV scanners are mostly cleaning tools for known threats. Understanding your environment is a better goal, and other tools can provide multilevel protection, which is always more effective than a single level based on an AV package.
Understanding your environment is much more important.
Often in a corporate environment a lot can be done with adequate policies. If, for example, all Word documents and executables must be zipped before sending, you can completely block the corresponding attachments and thus diminish or eliminate the related threats.
Upgrading is also an interesting alternative, especially for home users. For example, users of 64-bit Windows can benefit both from the better protection inherent in the (for now) less common 64-bit architecture and from the fact that most malware is written for Windows XP. A more radical solution is to use a less common OS available on Intel PCs, such as OpenSolaris. This provides a much higher level of defense from threats, but at a high cost in compatibility.
It is obvious that anti-virus vendors will always be playing catch-up with the virus writers. Theoretically, if anti-virus software updates were released quickly and people instantly installed them, desktop patch protection alone might be adequate. This is, however, impossible. The life cycle of a virus looks something like this (a self-quote again):
Please note that with some tuning, spam filters can serve as a heuristic virus/worm protection tool for most email worms. That means that right now no home user should access his ISP POP account with a plain vanilla mail client (like Netscape Messenger). One needs a spam filter, either built into a POP retrieval tool or (in a corporate environment and for Unix/Linux) a message filter at the gateway level with an additional spam filter installed. See the Filtering Mail FAQ for more details.
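An attachment policy filter of the kind the zip-before-sending policy above and the gateway message filter mentioned here call for, as an added example (not the author's code or any vendor's product). It parses a message with Python's standard email module and rejects unzipped Word documents and executables, including double-extension names; the extension list, addresses and sample messages are constructed.

```python
"""Gateway attachment policy filter (added example, not the page's code).
Policy: Word documents and executables must travel inside a .zip, so any
unzipped one is rejected.  The last extension decides, which also catches
double-extension names such as 'report.doc.exe'.  All names are constructed."""
import email
from email import policy
from email.message import EmailMessage

# Extensions the policy refuses unless they arrive inside a .zip container
# (constructed list; extend it to match the organization's own policy).
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "vbs", "doc", "dot"}


def attachment_verdict(filename):
    """Return (allowed, reason) for one attachment filename."""
    if not filename:
        return False, "attachment without a filename"
    parts = filename.lower().strip().rsplit(".", 1)
    if len(parts) < 2:
        return False, "attachment without an extension: %s" % filename
    ext = parts[1]
    if ext in BLOCKED_EXTENSIONS:
        return False, "unzipped .%s attachment: %s" % (ext, filename)
    return True, "ok"


def check_message(raw):
    """Parse a raw RFC 822 message; return [(filename, allowed, reason), ...]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():   # body parts are skipped automatically
        name = part.get_filename()
        allowed, reason = attachment_verdict(name)
        results.append((name, allowed, reason))
    return results


def message_allowed(raw):
    """Gateway decision: deliver only if every attachment passes the policy."""
    return all(allowed for _, allowed, _ in check_message(raw))


def build_sample(attachments):
    """Construct a multipart test message with (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample([("report.doc.exe", b"MZ..."), ("report.zip", b"PK..")])
    for name, allowed, reason in check_message(sample):
        print("%-16s %s" % (name, reason))
```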
The home of the ADINF integrity checker (probably the best AV integrity checker on the market, although Unix integrity checkers can be adapted to the PC and some of them are free) and DrWeb -- a very powerful but slow heuristic-based scanner. Free download.
Data Fellows. Developers of F-Prot Professional.
F-Macro is free and more or less OK. F-Prot is free for individual users. F-Macro is a decent and free tool for disinfection from macro viruses with a very good upgrade cycle, although with a proper office suite (Corel Office, Lotus SmartSuite, StarOffice) all these anti-macro-virus toys are largely redundant ;-) They also produce F-Secure Anti-Virus Macro Control -- the first macro virus integrity checker. For some strange reason anti-virus companies were very unsuccessful in fighting macro viruses, and the technology they used until probably the end of 1997 was very weak. It is amazing, but some products used simple checksums for detection of macro viruses until 1998, and some AV researchers even claimed that as an achievement. This approach of course led to a proliferation in the number of "strains" of known macro viruses (with Vesselin Bontchev as the chief "classification officer" :-), but from the point of view of the quality of defense it was very unproductive and required frequent updates. At the same time this maneuver represented an extremely clever and (in retrospect) very successful marketing move.
Since probably early 1998 several more or less decent approaches have emerged. One is to improve detection using heuristics, which was long overdue, and the second is to use an integrity checker. Data Fellows' F-Secure Anti-Virus Macro Control for NT is probably the first attempt to implement an integrity checker for macro viruses. It has a list of trusted macros and checks all documents for the presence of non-trusted macros. A typical organization would only have a limited number of macros in use. These are easy to certify, but adding any new macro in a large organization can be painful and defeats the purpose. It makes sense only for organizations with Office 97. With Office 2000 Microsoft built in some mechanisms that prevent the old "everything goes" approach.
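Hash-based integrity checking in the two forms this page argues for, as an added example (not the author's code and not how ADINF or Macro Control are implemented): a baseline of checksums for executables, the point made earlier about signing all system executables, and an allowlist of trusted macro hashes against which every macro found in a document is checked, the approach described here. The page talks about MD5; SHA-256 is used here because MD5 collisions are practical. The extension list, the tracked files and the macro sources are constructed.

```python
"""Hash-based integrity checking (added example, not the page's code):
a baseline of executable checksums verified for modified, added and
missing files, plus an allowlist of trusted macro hashes.  SHA-256 is
used instead of the MD5 the page mentions.  All inputs are constructed."""
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = (".exe", ".dll", ".sys")   # constructed choice of what to track


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exts=EXECUTABLE_EXTS):
    """Map each executable-like file under root (relative path) to its hash."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                baseline[os.path.relpath(path, root)] = sha256_file(path)
    return baseline


def verify_baseline(root, baseline, exts=EXECUTABLE_EXTS):
    """Compare the tree against a saved baseline; sorted report per category."""
    current = build_baseline(root, exts)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def untrusted_macros(macros, trusted_hashes):
    """macros: {macro name: source text} as extracted from a document.
    Trust is decided by the hash of the source, not the name, so a renamed
    macro still has to match and an edited trusted macro is reported."""
    return sorted(name for name, src in macros.items()
                  if sha256_bytes(src.encode("utf-8")) not in trusted_hashes)


# Constructed allowlist: the one macro the organization has certified.
TRUSTED_MACRO_SOURCES = {"AutoOpen": 'Sub AutoOpen()\n  MsgBox "Welcome"\nEnd Sub\n'}
TRUSTED_HASHES = {sha256_bytes(s.encode("utf-8")) for s in TRUSTED_MACRO_SOURCES.values()}


def demo_baseline():
    """Constructed scenario: baseline two files, then patch one, add one, delete one."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("notepad.exe", b"MZ-original-1"), ("kernel32.dll", b"MZ-original-2")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        with open(os.path.join(root, "notepad.exe"), "wb") as f:
            f.write(b"MZ-patched")
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ-new")
        os.remove(os.path.join(root, "kernel32.dll"))
        return verify_baseline(root, baseline)


def demo_macros():
    """A document carrying the certified AutoOpen plus one uncertified macro."""
    doc_macros = {"AutoOpen": TRUSTED_MACRO_SOURCES["AutoOpen"],
                  "Document_Open": "Sub Document_Open()\n  ' not certified\nEnd Sub\n"}
    return untrusted_macros(doc_macros, TRUSTED_HASHES)


if __name__ == "__main__":
    print(demo_baseline())   # {'modified': ['notepad.exe'], 'added': ['dropper.exe'], 'missing': ['kernel32.dll']}
    print(demo_macros())     # ['Document_Open']
```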
AVP -- an example of a mature traditional scanner.
Scanning is rather slow, but the quality of detection of complex file viruses is pretty decent. Useful for finding Trojan programs. Not so interesting for macro viruses.
Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.
Last modified: September 12, 2017