VB January 2004, P.14
Total Page:16
File Type:pdf, Size:1020Kb
JANUARY 2004 The International Publication on Computer Virus Prevention, Recognition and Removal CONTENTS IN THIS ISSUE 2 COMMENT Malware Distribution (type) TRENDS 2.00% Drawing the lines 1.50% script AND 1.00% binary macro 0.50% 0.00% FORECASTS ItW %growth (VirusBulletin) %growth ItW ch April May June July 3 NEWS Mar August January February October September Once again the 2003 (January~October) Number crunching time has come to ponder what might be in store for SAS – the SysAdmin Service? the coming year. Jamz Yaneza looks at malware data collected over the past year and attempts some 3 VIRUS PREVALENCE TABLE predictions for 2004. page 14 4 VIRUS ANALYSIS ALL-ROUNDER Who? What? Where? Swen? Swen has something for everyone, one might say. Peter Ferrie has the nitty gritty details of this 11 LETTERS all-action virus. page 4 11 CALL FOR PAPERS HARDWARE SOLUTIONS Recent reports of a ‘new’ anti-virus solution based 12 FEATURE on quick pattern matching of network traffic Hardware anti-virus solutions? without a significant reduction in network speed seem tantalising. However, Matthew Wagner has 14 OPINION reservations about such a hardware solution. The malware battle: page 12 reflections and forecasts 17 PRODUCT REVIEW Authentium Command AntiVirus for Windows Enterprise 4.90.2 In this month’s VB Spam Supplement ASRG founder Paul Judge explains the aims and objectives 20 END NOTES & NEWS of the ASRG, and Pete Sergeant looks at economic and legal solutions to spam. ISSN 0956-9979 COMMENT ‘Being online is between anti-virus, anti-spam and general security, but their basic functions have little in common. becoming a Anti-spam is part of a larger industry for regulating combination of information. This includes not only filtering unsolicited annoying and worrying emails, but also such tasks as moderating news groups, suppressing pop-ups and controlling web browsing. The experiences.’ focus of this industry is knowing (or learning) what John Ogness types of information a user wants and regulating H+BEDV Datentechnik GmbH incoming information accordingly. Many standalone products are available and a number of operating system and application developers have released products with DRAWING THE LINES these capabilities integrated. The security industry is responsible for collecting Anti-virus companies have earned the reputation of security reports, notifying the appropriate individual or protecting users against computer-related threats. Today, organization about any problems, and tracking their malicious code has many opportunities to compromise a resolution. Usually detailed information is made user’s computer. These range from active trickery, such available about the dangers of each problem, how it can as the use of email, shared files, or instant messengers, to be detected, and how it can be fixed. Operating system the use of ‘invisible’ tactics, such as taking advantage of and application developers often maintain this flaws in software. information for their products and in many cases offer To complicate the issue, the incidence of spam continues automatic updates to correct the problems. Prevention or to increase at an alarming rate – currently it is estimated handling of computer compromises is another aspect of to represent more than 60 per cent of all email. the security industry. Furthermore, software security holes are uncovered daily Anti-virus companies already have the advantage of a and, due to the increasing complexity of new software reputation for protecting users. But anti-virus companies technologies, they are often more dangerous and more should not abuse this advantage in order to increase difficult to fix than before. profits or mislead users by releasing their own products Being online is becoming a combination of annoying and with the anti-spam/security label. Just as other industries worrying experiences. So where do the users turn? They respect the skills and qualifications of anti-virus turn to the place to which they have always turned for organizations, so should the anti-virus industry respect computer protection: the anti-virus community. the skills and capabilities of the security and anti-spam organizations that already exist. Should anti-virus companies extend themselves in order to protect users against these non-virus-related dangers This is not to say that anti-virus companies may not and annoyances? Fighting spam and fixing security participate in these industries. Rather, anti-virus problems are nothing new – these industries have been in companies should use their role as widely-known existence for a decade, though it is only recently that defenders to help inform users about the other industries they have been in high demand. From a user’s and solutions. perspective there may not seem to be much difference There is a need to build positive relationships between the anti-virus, anti-spam, and security industries. This may require the establishment of standards and interfaces so that their various solutions can work Editor: Helen Martin together successfully. It is important that the three Technical Consultant: Matt Ham industries develop a professional cooperation to help Technical Editor: Morton Swimmer combat the very real and growing threats of today’s Consulting Editors: interconnected society. Nick FitzGerald, Independent consultant, NZ Must anti-virus organizations start providing their own Ian Whalley, IBM Research, USA security and anti-spam solutions? No, but if they do Richard Ford, Florida Institute of Technology, USA Edward Wilding, Data Genetics, UK develop their own solutions, it is important that they acknowledge the fact that they are newcomers to an existing industry, and make efforts to cooperate with rather than re-invent these industries. 2 JANUARY 2004 VIRUS BULLETIN www.virusbtn.com NEWS NUMBER CRUNCHING Last month saw a flurry of the traditional end-of-year Prevalence Table – November 2003 predictions for the security challenges in the year ahead, along with a number of reports estimating the cost of virus Virus Type Incidents Reports attacks to businesses in 2003. However, it is difficult (if not impossible) to truly quantify the ‘average’ cost of a virus Win32/Opaserv File 7492 27.62% attack with so many variables and subjective issues to be Win32/Mimail File 7050 25.99% considered. This fact was suitably illustrated by two recent Win32/Dumaru File 2156 7.95% news reports published just one week apart in Computer Win32/Sobig File 1534 5.65% Weekly (CW – see http://www.computerweekly.com/). First, CW reported that a single virus attack could cost Win32/Bugbear File 1437 5.30% your business £66,000 – a figure arrived at by analyst Win32/Sober File 1110 4.09% firm Datamonitor. The firm estimated an average cost to Win32/Dupator File 1109 4.09% businesses of £26,000 for the more ‘serious’ virus incidents, Win32/Swen File 1014 3.74% while 11 per cent of survey respondents said their companies had suffered greater than £66,000 losses from Win32/Gibe File 989 3.65% a single incident. Win32/Klez File 812 2.99% One week later, CW reported the results of a different Win32/Yaha File 756 2.79% survey, this time carried out by the Corporate IT Forum Win32/Funlove File 286 1.05% (Tif). The Tif survey indicated that the ‘true cost’ per virus Win95/Spaces File 190 0.70% attack to UK companies is an average of £122,000 – a Win32/Nachi File 167 0.62% figure nearly double that indicated by the Datamonitor findings (and more than four times greater than the £30,000 Win32/Fizzer File 99 0.36% per attack cost estimated by PricewaterhouseCoopers and Win32/Magistr File 87 0.32% the Department of Trade and Industry’s 2002 Information Redlof Script 73 0.27% Security Breaches Survey). Win32/Lovsan File 73 0.27% Confused? All we can recommend is that figures such as Win32/SirCam File 59 0.22% these be taken with a dose of salt. While VB recognises Win32/Holar File 43 0.16% the importance of bringing home the notion that virus attacks can and do cause significant losses and upheaval Win32/Deborm File 40 0.15% to businesses, it is unlikely that analysts will come up Win32/Nimda File 31 0.11% with a reliable formula for putting an accurate figure on Win32/Spybot File 30 0.11% those losses. Win32/Ganda File 29 0.11% Win32/Hybris File 25 0.09% SAS – THE SYSADMIN SERVICE? Win32/Sdbot File 25 0.09% A set of proposals for tackling computer crime has been Fortnight Script 24 0.09% published by UK Parliamentary lobby group EURIM and Win32/Kriz File 24 0.09% the Institute for Public Policy Research. Among other Win32/Lovgate File 24 0.09% proposals, the paper recommends the introduction of frameworks to facilitate co-operation between industry and Win32/Parite File 22 0.08% law enforcement. One of the ideas put forward is to bring in Win32/BadTrans File 20 0.07% members of the private sector to assist law enforcement Win32/Valla File 20 0.07% bodies in areas in which they lack the specialist skills Others 390 1.03% necessary to investigate computer crimes. Rather than simply assisting with investigations (as computer security Total 27,130 100% experts have done in the past), the paper proposes that specialists from the private sector would be granted an The Prevalence Table includes a total of 280 reports across expanded role and become (unpaid) special constables 74 further viruses. Readers are reminded that a complete listing is posted at http://www.virusbtn.com/Prevalence/. (without the power to arrest). The full paper can be read at http://www.eurim.org/. JANUARY 2004 3 VIRUS BULLETIN www.virusbtn.com VIRUS ANALYSIS WHO? WHAT? WHERE? SWEN? begins with ‘p’, ‘q’, ‘u’, or ‘i’ (regardless of case), the Peter Ferrie virus displays a prompt to Symantec Security Response, USA install a Microsoft Security Update.