Malware 1: Viruses

Total Page:16

File Type:pdf, Size:1020Kb

Malware 1: Viruses Malware 1: Viruses Tuesday, December 2, 2008 Sources: see final slide CS342 Computer Security Department of Computer Science Wellesley College Today’s class goals o Introducti on to malware taxonomy o Appreciating the evolution of viruses o Polymorphism/Metamorphism o General Anti-Virus (AV) detection techniques o Understanding the arms race between virus writers and anti-virus detectors. o Appreciate ag ain that: if y ou take y our tim e, have few patterns and use many levels of indirection, you are very hard to beat Malware: Viruses and Worms 24-2 1 Malware (MALicious softWARE) o A gggygeneric term increasingly being used to describe any form of malicious software like o viruses, worms, trojan horses, rootkits, spyware, malicious mobile code, backdoors, dialers, ransomware o Combinations are common o Some malware are actually combinations of more basic malware (e.g., a rootkit can be viewed as Trojan horse backdoor tool) o Broadly classified according to o Infection technique: “how does it propagate?” o Impact on target: “what does it do?” o Type of exploited vulnerability: “ How (by violating which assumption) did it get in?” Malware: Viruses and Worms 24-3 Malware Taxonomy Type Characteristics Virus Self-replicating code that infects a host file. Usually requires human interaction to spread. Sometimes used as generic term for all malware. Worm Self-replicating code that spreads across a network. Usually does not require human interaction to spread. Rabbit Virus or worm that multiplies without bound Trojan Horse Disguises itself as a useful program while masking hidden malicious purpose. Backdoor/Trapdoor Bypasses normal security controls to give attacker access User-level Rootkit Replaces or modifies executable programs used by system administrators and users Kernel-level Rootkit Manipulates the OS kernel to hide and create backdoors Spyware Monitors user interaction and collects information (e.g ., via keylogger) Logic Bomb Dormant malicious code triggered by date or event. Easter Egg Cute but harmless behavior triggered by special input. Malicious Mobile Code Small programs downloaded and executed locally with minimal user intervention. Typically written in Javascript, VBScript, Java, or ActiveX Combination Malware Combines techniques to increase effectiveness Malware: Viruses and Worms 24-4 2 Malware evolution Themes: o Increasing complexity/sophistication o Acceleration of rate of tool/technique release o Movement from viruses -> worms -> kernel level exploits Figure from Skoudis Malware, p.16. Malware: Viruses and Worms 13-5 Virus Basics o Virus = code that attaches itself to host programs and runs when host program executes. Running the host ppgrogram usually req uires user intervention. o Self-replication: when the virus runs, it copies (a possibly mutated version of) itself to other host programs. It needs a method to find other hosts. o A running virus may also execute a payload = mischievous or malicious action. o Note: self-replicating mutating code is a cornerstone of artificial life research. Malware: Viruses and Worms 13-6 3 Viruses Infection Techniques o Overwriting o Overwrite host program, changing behavior (easy to discover) o Typically overwrite beg inning , but can overwrite later (in which case virus may not be executed. o Appending o Add virus code to end of program, and jump to virus. o Typically virus jumps back to program to evade detection. o Prepending o Add virus code to front of host program. o Parastic virus: variant that overwrites start of program, but moves starting code later. o Cavity Virus o Squirreled away in “holes” in program o doesn’t change program size Malware: Viruses and Worms 13-7 Viruses Propagation Methods o Insert a copy into every executable (.COM, .EXE) o Insert a copy into boot sectors of disks o “Stoned” virus infected PCs bootbooteded from infected floppies, stayed in memory and infected every floppy inserted into PC o Infect TSR (terminate-and-stay-resident) routines o By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc. o Infect macros in documents/spreadsheets, etc. o A virus in MS Word Normal.dot file can infect all documents. o Infect shell scripts and other source code. Malware: Viruses and Worms 13-8 4 Viruses Propagation Vectors o Removable storage o Floppies, writable CDs/DVDs, USB flash drives o Email Attachments o Downloads o Shared Directories Malware: Viruses and Worms 13-9 Anti-Virus (AV) Techniques o Signature-based detection o signature = pattern/fingerprint matching virus o AV engine checks files against database of signatures o On-demand scanning vs. on-access scanning o Need to update signature database frequently o Heuristic detection o Check program for virus-like behavior (access boot sector, find all files in current directory, write to .EXE file, delete files) o Emulate behavior before executing or execute in sandbox. o Integrity checking o Record file fingerprints (sizes, checksums, hashes) in pristine system and check later (e.g. Tripwire). o Used by some AV scanners to avoid more detailed scanning o Must store fingerprints carefully! Malware: Viruses and Worms 13-10 5 Signature-Based Scanning o Hex strings from virus variants o 67 33 74 20 73 38 6D 35 20 76 37 61 o 67 36 74 20 73 32 6D 37 20 76 38 61 o 67 39 74 20 73 37 6D 33 20 76 36 61 o Hex string for detecting virus o 67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61 o ?? = wildcard Malware: Viruses and Worms 13-11 Anti-Virus Problems o False Positives o McAfee flagged Excel! o False Negatives o Fail to detect malware o Long detection times slows down machines o Developing signatures/keeping databases current o 100K new viruses/week! o What to do when virus detected o Delete vs. quarantine o Vendors focus on big clients, not individual users o Bad guys can disable/intercept AV scans o Arms race o Bad guys test new viruses against AV o Stealth techniques for hiding/changing viruses Malware: Viruses and Worms 13-12 6 Defeating Signature-based Scanning o Signatures are really just patterns of code The antidote to patterns is RANDOMNESS o Encrypted viruses: virus consists of a constant decryptor, followed by the encrypted virus body o Polymorphic viruses o Viruses that mutate and/or encrypt parts of their code with a randomly generated key, but keep same functionality o Metamorphic viruses o Viruses whose (possibly decrypted) body changes from variant to variant Malware: Viruses and Worms 13-13 Evolution of Polymorphic Viruses o Polymorphic viruses: constantly create new random encryptions of the same virus body o Marburg (Win95), HPS (Win95), Coke (Win32) o Virus must contain a polymorphic engine for creating new keys and new encryptions of its body o Rather than use an explicit decryptor in each mutation, Crypto virus (Win32) decrypts its body by brute-force key search o Oligomorphic viruses: different versions of virus have differen t encryptions of the same bdbody o Small number of decryptors (96 for Memorial viruses); to detect, must understand how they are generated Malware: Viruses and Worms 13-14 7 Detecting Polymorphic Viruses 1. Run suspect program in an emulator 2. Wait until it decrypts 3. Decrypted code will be identical for various copies 4. Use signature scanning on decrypted virus body Malware: Viruses and Worms 13-15 Virus Detection by Emulation Randomly generates a new key Decrypt and execute and corresponding decryptor code MttiMutation A Virus body Mutation B Mutation C To detect an unknown mutation of a known virus , emulate CPU execution of until the current sequence of instruction opcodes matches the known sequence for virus body Malware: Viruses and Worms 13-16 8 Detecting Polymorphic Viruses: Challenges o Determining when decryption is complete o Doesn’t work veryyg well against metamorp hic viruses and viruses not located near beginning of infected executable o Decryptor may be able to determine whether its running in an emulator. Malware: Viruses and Worms 13-17 Defeating Anti-Virus Emulators o To detect polymorphic viruses, emulators execute suspppect code for a little bit and look for opcode sequences of known virus bodies o Some viruses use random code block insertion or insert millions of NOPs at the entry point prior to the main virus body o Emulator executes code for a while, does not see virus body and decides the code is benign… when main virus body is finally executed, virus propagates Malware: Viruses and Worms 13-18 9 Metamorphic Viruses o Obvious next step: mutate the virus body, too! o Virus can carry its source code (which deliberately contains some useless junk) and recompile itself o Apparition virus (Win32) o Virus first looks for an installed compiler (Unix machines have C compilers installed by default) o Virus changes junk in its source and recompiles itself o New binary mutation looks completely different! o Many macro and script viruses evolve and mutate their code o Macros/scripts are usually interpreted, not compiled Malware: Viruses and Worms 13-19 Metamorphic Virus [Szor, 2001] o An early generation c7060F000055 mov dword ptr [esi], 550000Fh c746048BBC5151 mov dword ptr [esi+0004], 5151BCBBh o A later generation BF0F000055 mov edi, 550000Fh 893E mov [esi], edi 5F pop edi 52 push edx B640 mov dh, 40 BA8BEC5151 mov edx, 5151EC8Bh 53 push ebx 8BDA mov ebx, ebx 895E04 mov [esi+0004], ebx Malware: Viruses and Worms 13-20 10 Metamorphic Mutation Techniques o Same code, different register names o Regswap (Win32) o Same code, dffdifferent subroutine order o BadBoy (DOS), Ghost (Win32) o If n subroutines,
Recommended publications
  • Maldet: How to Detect the Malware?
    International Journal of Computer Applications (0975 – 8887) Volume 123 – No.6, August 2015 MalDet: How to Detect the Malware? Samridhi Sharma Shabnam Parveen Department of CSE, Assistant Professor, Department of CSE, Seth Jai Parkash Mukand Lal Institute of Seth Jai Parkash Mukand Lal Institute of Engineering and Technology, Engineering and Technology, Harayana, India. Harayana, India. ABSTRACT to violate the privacy and security of a system. According to Malware is malicious software. This software used to the Symantec Internet Threat Report 499,811 new malware interrupt computer functionality. Protecting the internet is samples were received in the second half of 2007 detection. probably a enormous task that the contemporary epoch of So it becomes necessary to detect the malware. computers have seen. Day by day the threat levels large thus This paper is organized as follows: Section two has covered making the network susceptible to attacks. Many novel the recent state of the malware security. Section three strategies are brought into the field of cyber security to guard discusses about the malware classification, section four websites from attacks. But still malware has remained a grave presents the malware dectector. Section five studies reason of anxiety to web developers and server administrators. mechanism of malware detection, and finally section six With this war takes place amid the security community and explains malware normalization process. malicious software developers, the security specialists use all possible techniques, methods and strategies to discontinue and 2. RELATED WORK eliminate the threats while the malware developers utilize new Technology has turn out to be an building block in recent types of malwares that avoid implemented security features.
    [Show full text]
  • Usuba, Optimizing Bitslicing Compiler Darius Mercadier
    Usuba, Optimizing Bitslicing Compiler Darius Mercadier To cite this version: Darius Mercadier. Usuba, Optimizing Bitslicing Compiler. Programming Languages [cs.PL]. Sorbonne Université (France), 2020. English. tel-03133456 HAL Id: tel-03133456 https://tel.archives-ouvertes.fr/tel-03133456 Submitted on 6 Feb 2021 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THESE` DE DOCTORAT DE SORBONNE UNIVERSITE´ Specialit´ e´ Informatique Ecole´ doctorale Informatique, Tel´ ecommunications´ et Electronique´ (Paris) Present´ ee´ par Darius MERCADIER Pour obtenir le grade de DOCTEUR de SORBONNE UNIVERSITE´ Sujet de la these` : Usuba, Optimizing Bitslicing Compiler soutenue le 20 novembre 2020 devant le jury compose´ de : M. Gilles MULLER Directeur de these` M. Pierre-Evariste´ DAGAND Encadrant de these` M. Karthik BHARGAVAN Rapporteur Mme. Sandrine BLAZY Rapporteur Mme. Caroline COLLANGE Examinateur M. Xavier LEROY Examinateur M. Thomas PORNIN Examinateur M. Damien VERGNAUD Examinateur Abstract Bitslicing is a technique commonly used in cryptography to implement high-throughput parallel and constant-time symmetric primitives. However, writing, optimizing and pro- tecting bitsliced implementations by hand are tedious tasks, requiring knowledge in cryptography, CPU microarchitectures and side-channel attacks. The resulting programs tend to be hard to maintain due to their high complexity.
    [Show full text]
  • Polymorphic Blending Attacks
    Polymorphic Blending Attacks Prahlad Fogla Monirul Sharif Roberto Perdisci Oleg Kolesnikov Wenke Lee College of Computing, Georgia Institute of Technology 801 Atlantic Drive, Atlanta, Georgia 30332 {prahlad, msharif, rperdisc, ok, wenke}@cc.gatech.edu Abstract because the invariant parts of the attack may not be A very effective means to evade signature-based intru- sufficient to construct a signature that produces very sion detection systems (IDS) is to employ polymor- few false positives. On the other hand, each instance phic techniques to generate attack instances that do of a polymorphic attack needs to contain exploit code not share a fixed signature. Anomaly-based intrusion that is typically not used in normal activities. Thus, detection systems provide good defense because existing each instance looks different from normal. Existing polymorphic techniques can make the attack instances polymorphic techniques [28] focus on making the attack look different from each other, but cannot make them instances look different from each other, and not much on look like normal. In this paper we introduce a new making them look like normal. This means that network class of polymorphic attacks, called polymorphic blend- payload anomaly detection systems can provide a good ing attacks, that can effectively evade byte frequency- defense against the current generation of polymorphic based network anomaly IDS by carefully matching the attacks. However, if a polymorphic attack can blend statistics of the mutated attack instances to the normal in with (or look like) normal traffic, it can successfully profiles. The proposed polymorphic blending attacks evade an anomaly-based IDS that relies solely on pay- can be viewed as a subclass of the mimicry attacks.
    [Show full text]
  • SMB Security Series: How to Protect Your Business from Malware, Phishing, and Cybercrime Dan Sullivan
    How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Malware, Phishing, and Cybercrime – Dangerous Threats Facing the SMB State of Cybercrime sponsored by Dan Sullivan SMB Security Series: How to Protect Your Business from Malware, Phishing, and Cybercrime Dan Sullivan Introduction to Realtime Publishers by Don Jones, Series Editor For several years now, Realtime has produced dozens and dozens of high‐quality books that just happen to be delivered in electronic format—at no cost to you, the reader. We’ve made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book’s production expenses for the benefit of our readers. Although we’ve always offered our publications to you for free, don’t think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as—and in most cases better than—any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the “realtime” aspect of our model), and we can update chapters to reflect the latest changes in technology. I want to point out that our books are by no means paid advertisements or white papers. We’re an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction.
    [Show full text]
  • On the Infeasibility of Modeling Polymorphic Shellcode*
    On the Infeasibility of Modeling Polymorphic Shellcode∗ Yingbo Song Michael E. Locasto Angelos Stavrou Dept. of Computer Science Dept. of Computer Science Dept. of Computer Science Columbia University Columbia University Columbia University [email protected] [email protected] [email protected] Angelos D. Keromytis Salvatore J. Stolfo Dept. of Computer Science Dept. of Computer Science Columbia University Columbia University [email protected] [email protected] ABSTRACT General Terms Polymorphic malcode remains a troubling threat. The ability for Experimentation, Measurement, Security malcode to automatically transform into semantically equivalent variants frustrates attempts to rapidly construct a single, simple, easily verifiable representation. We present a quantitative analy- Keywords sis of the strengths and limitations of shellcode polymorphism and polymorphism, shellcode, signature generation, statistical models consider its impact on current intrusion detection practice. We focus on the nature of shellcode decoding routines. The em- pirical evidence we gather helps show that modeling the class of self–modifying code is likely intractable by known methods, in- 1. INTRODUCTION cluding both statistical constructs and string signatures. In addi- Code injection attacks have traditionally received a great deal of tion, we develop and present measures that provide insight into the attention from both security researchers and the blackhat commu- capabilities, strengths, and weaknesses of polymorphic engines. In nity [1, 14], and researchers have proposed a variety of defenses, order to explore countermeasures to future polymorphic threats, we from artificial diversity of the address space [5] or instruction set show how to improve polymorphic techniques and create a proof- [20, 4] to compiler-added integrity checking of the stack [10, 15] of-concept engine expressing these improvements.
    [Show full text]
  • Polymorphic and Metamorphic Code Applications in Portable Executable Files Protection
    Volume 51, Number 1, 2010 ACTA TECHNICA NAPOCENSIS Electronics and Telecommunications ________________________________________________________________________________ POLYMORPHIC AND METAMORPHIC CODE APPLICATIONS IN PORTABLE EXECUTABLE FILES PROTECTION Liviu PETREAN “Emil Racovi ţă ” High School Baia Mare, 56 V. Alecsandri, tel. 0262 224 266 Abstract: Assembly code obfuscation is one of the most popular ways used by software developers to protect their intellectual property. This paper is reviewing the methods of software security employing metamorphic and polymorphic code transformations used mostly by computer viruses. Keywords: code, polymorphic, portable I. INTRODUCTION to execute. Nowadays self-modifying code is used by The illegal copying of computer programs causes huge programs that do not want to reveal their presence such as revenue losses of software companies and most of the computer viruses and executable compressors and time these losses exceed the earnings. As a consequence protectors. the software companies should use strong protection for Self modifying code is quite straightforward to write their intellectual property, but surprisingly, we often when using assembly language but it can also be encounter the absence of such protection or just a futile implemented in high level language interpreters as C and security routine. Many software producers argued these C++. The usage of self modifying code has many frailties affirming that sooner or later their product will be purposes. Those which present an interest for us in this reversed with or without protection [1], [3], [6]. They are paper are mentioned below: right but only partially, because even if everything that 1. Hiding the code to prevent reverse engineering, can be run can be reversed, the problem is how long is the through the use of a disassembler or debugger.
    [Show full text]
  • A Review of Polymorphic Malware Detection Techniques
    A review of polymorphic malware detection techniques Joma Alrzini1, Diane Pennington2 1University of Strathclyde, UK, [email protected] 2University of Strathclyde, UK, [email protected] ABSTRACT Despite the continuous updating of anti- detection systems for the signature algorithm, using sandbox analysis, machine malicious programs (malware), malware has moved to an learning algorithms, deep learning framework based on a hybrid abnormal threat level; it is being generated and spread faster than malware analysis method, and feature engineering approach. before. One of the most serious challenges faced by anti-detection malware programs is an automatic mutation in the code; this is 2. AN OVERVIEW OF POLYMORPHIC MALWARE called polymorphic malware via the polymorphic engine. In this The first emergence of polymorphic malware occurred in case, it is difficult to block the impact of signature-based 1990. It comes in several structures to create malicious code by detection. Hence new techniques have to be used in order to using polymorphic engines. This type of malware is less likely analyse modern malware. One of these techniques is machine to be detected by an antivirus application. The most commonly learning algorithms in a virtual machine (VM) that can run the used techniques for writing polymorphic malware are packed malicious file and analyse it dynamically through encryption/decryption and data appending. These techniques automated testing of the code. Moreover, recent research used use code obfuscations to evade antivirus scanners. Thus, an image processing techniques with deep learning framework as a effective method has to be used to detect unknown malware with hybrid method with two analysis types and extracting a feature obfuscation; the machine learning method is now the most engineering approach in the analysis process in order to detect effective approach, particularly for abnormal malware [29].
    [Show full text]
  • Metamorphic Worms: Can They Remain Hidden?
    The Business Need for Security Metamorphic Worms: Can they remain hidden? Reethi Kotti Submitted to: Dr. Themis A. Papageorge Course: Foundations of Information Assurance CONTENTS I. Worms A. What are Worms ……………………………………………………....... 1 B. Few Popular Worms ………………………………………………….… 2 C. Propagation of Worms ……………………………………………….…. 3 D. Worm Signatures and Detection Strategies …………………………...... 5 II. Metamorphic Worms A. Introduction …………………………………………………………….. 6 B. Polymorphic vs. Metamorphic Worms ……………………………….... 6 C. Challenges faced during Detection …………………………………….. 7 D. Detection Strategies ……………………………………………………. 8 III. Result A. Metamorphic Engines ………………………………………………….. 9 B. Research Answer ……………………………………………………… 14 IV. Conclusion ………………………………………………………………... 15 V. References ………………………………………………………………… 16 ILLUSTRATIONS Figure 1 Topological Scanning 5 Figure 2 Random Scanning 5 Figure 3 General Obfuscation 9 Figure 4 Entry Point Obfuscation example 10 Figure 5 Illustration of a fragmented section of code 11 Figure 6 Illustration of the execution flow of a fragmented program 12 Figure 7 Zmist engine decompiling a PE file and integrating codes. 13 I. WORMS A. What are worms Worms can be thought of us as malicious codes that exploit the vulnerabilities of a system. However there is one feature that makes them unique, it is their ability to propagate over a network. Though a worm sounds similar to a virus, they vary greatly in the method they employ to keep themselves alive in a network. Both worms and viruses propagate from one system to the other; however, a virus needs to attach itself to a file, data or executable, to be able to move over the network. On the other hand, a worm can propagate autonomously, i.e., without any assistance of external software. Also worm nodes might at times communicate with each other or with a central site, but a virus doesn’t communicate with any external system.
    [Show full text]
  • Email Security II
    Email Security 1 / 43 Secure Email General Strategy Some Details Transit Issues Signing Headers General Flow Securing Transit Mail Steps MTA to MTA Security Secure Email Traffic Analysis PGP and S/MIME Spam Phishing 2 / 43 General Strategy Secure Email ■ General Strategy Basic scheme is pretty straight-forward Some Details ■ Transit Issues Encrypt the message body with a symmetric Signing Headers cipher, using a randomly-generated traffic key General Flow ■ Securing Transit Use public key cryptography to encrypt the Mail Steps MTA to MTA traffic key to all recipients Security ■ Traffic Analysis Digitally sign a hash of the message PGP and S/MIME ■ But there are many details Spam Phishing 3 / 43 Some Details Secure Email ■ General Strategy Obvious ones: which symmetric, public key, Some Details Transit Issues and hash algorithms to use? Signing ■ Headers More subtle: which algorithms do the General Flow Securing Transit recipients understand? Mail Steps ■ MTA to MTA Where do certificates come from? Security ■ Traffic Analysis Do you sign the plaintext or the ciphertext? PGP and S/MIME ■ How do you handle BCC? Spam ■ Phishing Will the ciphertext survive transit intact? ■ How are header lines protected? ■ What about attachments? ■ Many possible answers to all of these questions 4 / 43 Transit Issues Secure Email ■ General Strategy Not all mail systems accept all characters Some Details ■ Transit Issues Very few are 8-bit clean Signing ■ Headers Cryptographic transforms won’t survive even General Flow Securing Transit minor changes Mail Steps ■ MTA to
    [Show full text]
  • Malware Analysis Through High-Level Behavior
    Malware Analysis Through High-level Behavior Xiyue Deng and Jelena Mirkovic {xiyueden,mirkovic}@isi.edu Information Sciences Institute Abstract variants [17]. Such obfuscation techniques have greatly undermined traditional signature-based malware detec- Malware is becoming more and more stealthy to evade tion methods. We simply cannot keep pace with prolif- detection and analysis. Stealth techniques often involve erating malware variants. Notable attempts have been code transformation, ranging from equivalent code sub- made by researchers to improve signature analysis by stitution and junk code injection, to continuously trans- running AV suites on cloud [22], detecting encryption forming code using a polymorphic or a metamorphic decoders [15], detecting runtime signatures for polymor- engine. Evasion techniques have a great impact on phic malwares [24], etc. However, as new obfuscation signature-based malware detection, making it very costly techniques emerge, signature analysis alone cannot save and often unsuccessful. us. We propose to study a malware’s network behavior Besides static analyses, researchers have used dy- during its execution. While malware may transform its namic analysis to overcome code obfuscation. These code to evade analysis, we contend that its behavior include tracking disk changes, analyzing dynamic call must mostly remain the same to achieve the malware’s graphs, as well as monitoring malware execution using ultimate purpose, such as sending spam, scanning for debuggers and virtual machines. However, modern mal- vulnerable hosts, etc. While live malware analysis is ware is often equipped with anti-debugging and anti- hard, we leverage our Fantasm platform on the Deter- virtualization capabilities [18,19], making its analysis in Lab testbed to perform it safely and effectively.
    [Show full text]
  • Virus Bulletin, July 1994
    ISSN 0956-9979 JULY 1994 THE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL Editor: Richard Ford CONTENTS Technical Editor: Fridrik Skulason Consulting Editor: Edward Wilding, EDITORIAL Network Security Management, UK Fire! 2 VIRUS PREVALENCE TABLE 3 NEWS Junkie Mail 3 VB 94 Conference on Track 3 Chill Out! 3 IN THIS ISSUE: IBM PC VIRUSES (UPDATE) 4 Scanner Update. The latest comparative review includes 27 anti-virus products. Find out which products FEATURE have kept up and which have fallen behind on pp.14-19. The Ludwig Collection 6 Viruses for Sale. Mark Ludwig has released a VIRUS ANALYSES CD-ROM containing thousands of viruses, including 1. Stealth.B: Invisible Fire 8 many new ones. What are the contents of The Collection, 2. Argyle: Viruses and the i386 10 and what are the implications for the industry? COMPARATIVE REVIEW Information Junkie. According to Reflex Inc, the latest The Review, Reviewed 12 virus to hit the streets is the new and dangerous Junkie VB Scanner Review: July 94 14 virus. An evaluation of the genuine threat to systems is given on p.3. PRODUCT REVIEW Norton on NetWare 20 REVIEW Virus: Prevention, Detection, Recovery 23 END NOTES & NEWS 24 VIRUS BULLETIN ©1994 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX14 3YS, England. Tel. +44 (0)235 555139. /94/$0.00+2.50 No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers. 2 • VIRUS BULLETIN JULY 1994 EDITORIAL Fire! Last months article on the Pathogen virus, which criticised the way it had been publicised, elicited a squeal of discomfort from Dr Alan Solomon, who believes that the S&S International press release was far from wholly unnecessary (see VB, June 1994, p.3).
    [Show full text]
  • Virus Bulletin, April 1998
    ISSN 0956-9979 APRIL 1998 THE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL Editor: Nick FitzGerald CONTENTS Editorial Assistant: Francesca Thorneloe Technical Editor: Jakub Kaminski EDITORIAL Access all Areas 2 Consulting Editors: VIRUS PREVALENCE TABLE 3 Ian Whalley, Sophos Plc, UK Richard Ford, IBM, USA NEWS Edward Wilding, Network International, UK 1. The Name Game 3 2. EICAR ‘98 Conference 3 3. Microsoft Strikes Back 4 IN THIS ISSUE: IBM PC VIRUSES (UPDATE) 5 • Do it yourself: Jimmy Kuo kicks off a self-help series FEATURE about macro viruses. His suggestions on how to deal with Murky Waters 7 macro infections without a trip to the bank start on p.9. TUTORIAL • Macro progress: A new form of Excel macro virus was Free Macro Anti-virus Techniques 9 discovered a couple of months ago and we have an analysis on p.16. Then, just before going to proof, the first macro INSIGHT virus for another major application in the Microsoft Office Clued Up 13 suite surfaced – our analysis is on p.15. VIRUS ANALYSES • Give us a Clue: Our insight column this month covers 1. Three Out of Four Ain’t Bad 15 Dr Solomon’s Senior Technology Consultant. Put a face to the name, starting on p.13. 2. No Peace on the Excel Front 16 3. Bad IDEA 18 • Is eSafe? This issue sees an extended product review as we put EliaShim’s eSafe Protect through its paces. See the PRODUCT REVIEW results on p. 20. eSafe Protect for Windows 95 20 END NOTES AND NEWS 24 VIRUS BULLETIN ©1998 Virus Bulletin Ltd, The Pentagon, Abingdon, Oxfordshire, OX14 3YP, England.
    [Show full text]