beyond10

Information about beyond10

Published on January 23, 2008

Author: Marcell

Source: authorstream.com

Content

Computer Viruses: Beyond the First Decade
Allan G. Dyer MHKCS, MIAP, AIDPM, MSc (tech), BSc
[email protected]
Yui Kee Co. Ltd.

Ten Years
- 1986: Brain boot sector virus appears
- 1988: Stoned written
- 1988, Friday 13th May: Jerusalem virus activated
- 1988: Mike RoChenle hoax virus warning
- 1992, March 6th: First Michelangelo Day
- 1992: First Windows virus
- 1994: First OS/2 virus
- 1994: KAOS4 posted in Internet newsgroup
- 1994, August: Black Baron arrested in UK
- 1994, September: ARCV virus writing group released with a police caution
- 1994, October: Virus total reaches 5000

Ten Years (continued)
- 1994, December: Virus author charged in Norway
- 1995, January: Good Times hoax first appears
- 1995, September: First Word macro virus
- 1995, December: Black Baron jailed for 18 months
- 1996, February: First AmiPro macro virus
- 1996, February: First Win'95 virus
- 1996, May: Hare distributed in Internet newsgroups
- 1996, August: First Excel macro virus
- 1996, November: First polymorphic macro virus
- 1997: Word macro viruses commonest virus type
- 1997: Office 97 & VBA makes cross-application macro viruses possible

What is a Real Computer Virus?
Definition (Fig. 1): A computer virus is a program that can infect other programs by modifying them, or their execution path, in such a way as to include a (possibly evolved) copy of itself.
Proviso: The program must be deliberately designed to replicate.

Viruses Die Out
- Brain: infected only floppy disks
- Many file viruses: incompatible with Windows
- Stoned: fails to infect 3.5" disks correctly

Virus Environments (DOS)
Environment features: PC/BIOS compatibility, DOS interrupts, FAT partition
Virus types that depend on them: Boot Sector Virus, .COM/.EXE File Virus, Cluster Virus

Virus Environments (Windows and Word added)
Environment features: Windows API, MS Word, PC/BIOS compatibility, DOS interrupts, FAT partition
Virus types that depend on them: Boot Sector Virus, .COM/.EXE File Virus, Cluster Virus, Windows Virus, WordMacro Virus

Viruses Spreading
Environment   Susceptible Population   Route between machines
Netware       many LANs                no exchange
DOS           VERY common              frequent
MS Word       VERY common              frequent

Virus Writers
Environment   Availability       Tools & Information
DOS           very available     free & common
Windows       very available     expensive & obscure
MS Word       very available     free & common

The Changing Virus Writer
"Traditional" virus writer:
- Interested teenager
- Motivations: "fun", teenage rebellion, curiosity, showing off...
- Spread: deliberate, accidental, or sent only to researchers
"New" virus writer:
- Computing professional / Word power user
- Motivations: curiosity; investigates an existing WM virus and modifies it
- Spread: accidental, or sent only to researchers

Chinese Viruses
Binary file and boot sector viruses:
- Few are recognisably Chinese
- Can affect all language users, not limited to Chinese
Macro viruses:
- Over 200 macro viruses for Traditional Chinese Word
- Limited to specific Word language versions

Main Word Environments in Hong Kong
- English
- Traditional Chinese
- Simplified Chinese
- English with Chinese enabling software (Twin Bridge, Rich Win etc.)

Macro Conversion
English -> Chinese:
- Macros exist unchanged
- English Word macro viruses can be transferred to Chinese Word easily
- The virus might not replicate in Chinese Word
Chinese -> English:
- Documents (and their macros) are not directly converted
- A Chinese Word macro virus could only reach English Word by a deliberate act of conversion

MacroCopy Behaviour
[table not recovered]

Behaviour of Example Macro Viruses in Chinese Word
[table not recovered]

Extra Functions Exist
Traditional Chinese Word extra functions:
- CDate$(x): returns the date in the format selected by x; RoC calendar and Chinese characters available.
- CTime$(x): returns the time in the format selected by x; Chinese characters available.

The Internet
- Increasing the number and frequency of our contacts

The Virus Writer's Problem: Initial Distribution
Infecting individual machines:
- Slow
- Danger of getting caught
Mass distribution:
- Usually depends on luck, e.g. infect master diskette at factory

Hare
- May 96: worldwide reports
- Hare.7550 found in June 96 and traced to posts in: alt.cracks, alt.sex, alt.comp.shareware
- Hare.7786 traced to posts on 29 June 96 in: alt.crackers
- Destructive activation 22 August & September

Hare (continued)
Response:
- Anti-virus developers made new versions available
- Thousands downloaded and checked their machines
Result:
- A few reports of disinfection before activation
- About 16 activations worldwide

Hare: Why it Failed?
- Readers of alt.cracks and alt.crackers are technically aware, involved in "dubious" activities, probably cautious
- Hare often fails to replicate: limited spread beyond initial distribution

Phalcon.1168
Distributed 15 August 97, in a file ICQ.ZIP, on the newsgroups: hk.entertainment, alt.chinese.computing, alt.chinese.text.big5, aol.buy.and.sell, asiaonline.buy.and.sell, chinese.comp.software, hk.biz.general, hk.chinese, hk.comp.chinese, hk.comp.hacker, hk.comp.hardware.datacomm, hk.comp.mac, hk.comp.mpp, hk.comp.os.linux, hk.comp.pc
- No resulting incidents reported

Accidental Spread
- Causes many incidents
- Often e-mailing an infected Word document: I received some speakers' details for this conference as a Word document infected with WM/CAP.A
- Stop exchanging Word documents: would dramatically reduce prevalence of Word macro viruses
- Use RTF

Internet Specific Viruses
- A virus could be written to specifically take advantage of the Internet
- WM/ShareFun is the first example: a mix between a macro virus and an automatic chain letter

ShareFun
- WordMacro/ShareFun.A, similar to WordMacro/Wazzu
- 1 in 4 chance of activation when an infected document is opened
- Attempts to send e-mail by Microsoft Mail to three people from the local alias list
- E-mail contains the infected document
- Also infects on Tools/Macro or File/Templates menu items
- Infected users of MS Mail spread the virus QUICKLY
- Might send confidential documents

Virus Problems that are Not Viruses: Hoaxes
GoodTimes, Deeyenda, Maddick, Join the Crew, Cancer chain letter, Hacker Riot, NaughtyRobot, Penpal Greetings, Anti-CDA

Chain Letters
Example hoax: Join the Crew
- Variant of the Good Times hoax
- Started by a message posted to some Usenet newsgroups in February 1997
- The original message: "Hey, just to let you guys know one of my friends received an email called "Join the Crew," and it erased her entire hard drive. This is that new virus that is going around. Just be careful of what mail you read. Just trying to be helpful..."
- Ignore these messages and do not pass them on.

Chain Letters (continued)
- Plausible to ordinary users
- Very strong warnings of damage
- Users panic: send copies to all their contacts, flood helpdesks with calls

The Future of Viruses on the Internet
- Not feasible: RealAudio, JPEG, HTML
- Very feasible: ActiveX (security model does not address viruses)
- May be possible: Java (good security model, implementation may be flawed)

Internet Commerce
- Not a single environment; look at each component:
  - Plain messages could not support a virus
  - Client application may be infected
  - Goods may be infected
  - Rogue software may subvert the commerce application
- A virus is an ideal method of delivering rogue software
- Developers MUST assume commerce software is running in a hostile environment

Measuring the Size of the Virus Problem
- Anti-virus solution providers: not independent; common viruses under-reported
- The Wildlist
- Independent surveys
- Hong Kong surveys

The Wildlist
- Co-operative listing coordinated by Joe Wells
- Only includes incidents where a sample was received and verified by a participant
- Currently used as the basis for in-the-wild testing of anti-virus products by major testers: NCSA, Virus Bulletin

Computer Security Institute Survey
- 6 March 1997
- 563 respondents
- 75% reported losses, which totalled US$100 million
- 165 had losses from viruses, totalling US$12.5 million
- http://www.gocsi.com/preleas2.htm

NCSA Computer Virus Prevalence Survey
- Based on 300 US sites with over 500 PCs per site
- Infection rate of 33 per 1000 machines per month, up from 10 in the 1996 survey
- Macro viruses growing fastest: 49% of sites reported WM/Concept; macro viruses accounted for 80% of all infections

NCSA Computer Virus Prevalence Survey (continued)
- One third had a disaster
- Average recovery took 44 hours, 21.7 person-days of work and US$8366
- Diskettes from home: top source of infection; e-mail attachment and download also common
Conclusions:
- Good protection will limit the number of PCs etc. infected after a virus reaches a site
- Increased full-time protection, especially at the desktop, is needed

Hong Kong Surveys Performed at Local Exhibitions
- ITA95: IT Asia Exhibition, September 95
- SW95: Software Exhibition, November 95
- NW96: Networks Exhibition, July 96
- HKC97: Hong Kong Computer Exhibition, May 97

Surveys: Number of Staff
[chart]

Survey HKC97: Business Area
[chart]

Surveys: Anti-virus Policy and Software
[chart]

Surveys: Viruses Encountered
[chart]

Surveys: Viruses Encountered (counts per survey)
- ITA95: Stoned/Stone 20; Michelangelo 3; Monkey 3; AntiCMOS 2
- SW95: Stoned/Stone 28; Michelangelo 13; AntiCMOS 4; Die Hard 3; Monkey 2; Form 2
- NW96: AntiCMOS 19; Word Macro 7; Stoned/Stone 7; Concept 3; Michelangelo 3; MBR/Boot Sector 3
- HKC97: Forgot 23; AntiCMOS 14; Stoned/Stone 9; Word Macro 8; Concept 4; Monkey 4; Die Hard/DH2 3; Michelangelo 3

Survey: Use of Word
[chart]

Survey: Version of Word Used
[chart]

Survey: Exchange of Documents
[chart]

Survey: Word Macro Virus Prevalence
[chart]

Survey: Word Macro Virus Prevalence (continued)
[chart]

Survey: Other Macro Viruses
[chart]

Costs
- Loss of files and documents
- Loss of business
- Negative publicity
- Data corruption
- Lost working time
- Increased technical support load

Case 1: Small Office
- 15 PCs, 1 server
- No support staff
- No anti-virus software
- Problems saving Word documents
- WordMacro/Concept identified
- Anti-virus technician cleaned 300+ documents
- Calculable costs of incident: HK$1500
- Incalculable costs: ???

Case 1: Small Office, Annual Costs
- Incident will re-occur often without anti-virus software
- Annual cost without anti-virus software: HK$18000
- Effective anti-virus solution cost: HK$8100
- Saving: HK$9900 (plus working time)

Case 2: Large Organisation
- 4500 PCs, many sites
- Helpdesk recorded ~50 incidents/week
- Most incidents: AntiCMOS, WordMacro/Concept
- Anti-virus software: custom package (no active component), MSAV
- Technician dispatched when virus found
- Estimated cost per incident: 2 man hours
- Estimated annual cost: HK$520,000

Case 2: Large Organisation (continued)
- Better than case 1 (lower costs/machine)
- Still a large number of reinfections

Case 2: Large Organisation, Improvements
Move to anti-virus software with active protection:
- Virus can be detected at first contact
- Simplify disinfection
- No need for technician site visit: reduces lost working time
- Detection at first contact prevents spread: chance of reinfections minimised, total number of incidents falls

Case 2: Large Organisation, Annual Costs
Poorly designed protection:
- 50 incidents per week
- 2 man hours per incident
- HK$520,000 annually
With active protection and easy disinfection:
- 25 incidents per week
- 10 man minutes per incident
- HK$21,667 annually
- New anti-virus software: HK$214,000
- HK$235,667 annually
- Saving: HK$284,333

Efficient Protection Requires:
Active protection:
- Files and diskettes scanned on access
- TSR in DOS
- VxD in Windows 3.1 & 95
- VDD in Windows NT
Automatic handling of routine incidents:
- On-site service is costly
Simple instructions for users with an incident:
- What to do?
- Report to whom?
- What to tell the source?

The Virus Problem
- Never a major, worldwide disaster
- Continuous small disasters and general problems
- Will not disappear
- Will get worse as programming becomes simpler and global communications become more efficient

Our Challenge
Reduce the costs of viruses by:
- Efficient protection methods
- User education

Questions?
This speech will be available on the Internet: http://www.yuikee.com.hk/info-ctr/
- Text (WordPerfect 5.1 file)
- Presentation (PowerPoint file)
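The Case 2 cost comparison above, worked as an added example that is not part of the original presentation: a small cost model that reproduces the talk's annual figures and adds the break-even incident rate the slides do not compute. The HK$100 per man-hour labour rate is an assumption inferred from the talk's own numbers (HK$520,000 for 50 incidents/week x 2 man-hours x 52 weeks); the names `Scenario`, `saving` and `break_even_incidents_per_week` are mine.

```python
"""Virus-incident cost model for the talk's Case 2 (4500-PC organisation).

Added example, not from the presentation. The hourly rate below is an
assumption: it is what the talk's HK$520,000 figure implies, not a stated value.
"""
from dataclasses import dataclass

WEEKS_PER_YEAR = 52
HOURLY_RATE_HKD = 100.0   # assumed; implied by 520,000 / (50 * 2 * 52)


@dataclass(frozen=True)
class Scenario:
    """One protection regime: how often incidents occur and what each costs."""
    name: str
    incidents_per_week: float
    minutes_per_incident: float
    software_cost_per_year: float = 0.0   # HK$ for the anti-virus package

    def labour_cost(self, hourly_rate: float = HOURLY_RATE_HKD) -> float:
        """Annual technician/helpdesk time converted to HK$."""
        hours = self.incidents_per_week * WEEKS_PER_YEAR * self.minutes_per_incident / 60.0
        return hours * hourly_rate

    def annual_cost(self, hourly_rate: float = HOURLY_RATE_HKD) -> float:
        return self.labour_cost(hourly_rate) + self.software_cost_per_year


def saving(before: Scenario, after: Scenario) -> float:
    """Annual HK$ saved by moving from `before` to `after`."""
    return before.annual_cost() - after.annual_cost()


def break_even_incidents_per_week(before: Scenario, after: Scenario) -> float:
    """Weekly incident rate under `after` at which both regimes cost the same.

    Above this rate the new software stops paying for itself; the result shows
    that cutting per-incident handling time matters more than the incident count.
    """
    labour_budget = before.annual_cost() - after.software_cost_per_year
    cost_per_incident = after.minutes_per_incident / 60.0 * HOURLY_RATE_HKD
    return labour_budget / (cost_per_incident * WEEKS_PER_YEAR)


# The two regimes exactly as the talk describes them (Case 2 slides).
POOR = Scenario("no active protection, technician dispatched", 50, 120)
ACTIVE = Scenario("active protection, easy disinfection", 25, 10, 214_000)

if __name__ == "__main__":
    for s in (POOR, ACTIVE):
        print(f"{s.name}: HK${s.annual_cost():,.0f} per year")
    print(f"saving: HK${saving(POOR, ACTIVE):,.0f} per year")
    print(f"break-even: {break_even_incidents_per_week(POOR, ACTIVE):.0f} incidents/week")
```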
