
beyond10


Published on January 23, 2008

Author: Marcell

Source: authorstream.com


Computer Viruses: Beyond the First Decade
  Allan G. Dyer MHKCS, MIAP, AIDPM, MSc (tech), BSc
  adyer@yuikee.com.hk
  Yui Kee Co. Ltd.

Ten Years
  1986: Brain Boot Sector Virus Appears
  1988: Stoned written
  1988, Friday 13th May: Jerusalem virus activated
  1988: Mike RoChenle Hoax Virus Warning
  1992, March 6th: First Michelangelo Day
  1992: First Windows virus
  1994: First OS/2 virus
  1994: KAOS4 posted in Internet newsgroup
  1994 August: Black Baron Arrested in UK
  1994, September: ARCV virus writing group released with a police caution
  1994, October: Virus total reaches 5000

Ten Years
  1994, December: Virus author charged in Norway
  1995, January: Good Times Hoax first appears
  1995, September: First Word Macro virus
  1995, December: Black Baron jailed for 18 months
  1996, February: First AmiPro Macro virus
  1996, February: First Win’95 virus
  1996, May: Hare distributed in Internet newsgroups
  1996, August: First Excel Macro virus
  1996, November: First Polymorphic Macro virus
  1997: Word Macro Viruses Commonest Virus Type
  1997: Office 97 & VBA makes cross-application macro viruses possible

What is a Real Computer Virus?
  A computer virus is a program that can infect other programs by modifying them or the execution path of them in such a way as to include a (possibly evolved) copy of itself.
  Proviso: The program must be deliberately designed to replicate.
  Definition: Fig. 1

Viruses Die Out
  Brain: Infected only floppy disks
  Many File Viruses: Incompatible with Windows
  Stoned: Fails to infect 3.5” disks correctly

Virus Environments
  PC/BIOS compatibility
  DOS interrupts
  FAT partition
  Boot Sector Virus
  .COM .EXE
  File Virus
  Cluster Virus

Virus Environments
  Windows API
  MS Word
  PC/BIOS compatibility
  DOS interrupts
  FAT partition
  Boot Sector Virus
  .COM .EXE
  File Virus
  Cluster Virus
  Windows Virus
  WordMacro Virus

Viruses Spreading
             Susceptible Population   Route between machines
  Netware    many LANs                no exchange
  DOS        VERY common              frequent

Viruses Spreading
             Susceptible Population   Route between machines
  Netware    many LANs                no exchange
  DOS        VERY common              frequent
  MS Word    VERY common              frequent

Virus Writers
             Environment      Tools & Information
  DOS        very available   free & common
  Windows    very available   expensive & obscure

Virus Writers
             Environment      Tools & Information
  DOS        very available   free & common
  Windows    very available   expensive & obscure
  MS Word    very available   free & common

The Changing Virus Writer
  “Traditional” Virus Writer: Interested teenager
    Motivations: “fun”, teenage rebellion, curiosity, showing off...
    Spread: deliberate, accidental, or sent only to researchers
  “New” Virus Writer: Computing Professional / Word Power User
    Motivations: curiosity, investigates existing WM virus & modifies it
    Spread: accidental, or sent only to researchers

Chinese Viruses
  Binary File and Boot Sector Viruses
    Few are recognisably Chinese
    Can affect all language users, not limited to Chinese
  Macro Viruses
    Over 200 macro viruses for Traditional Chinese Word
    Limited to specific Word language versions

Main Word Environments in Hong Kong
  English
  Traditional Chinese
  Simplified Chinese
  English with Chinese Enabling Software (Twin Bridge, Rich Win etc.)

Macro Conversion
  English -> Chinese: Macros exist unchanged
    English Word Macro viruses can be transferred to Chinese Word easily
    The virus might not replicate in Chinese Word
  Chinese -> English: Documents (and their macros) not directly converted
    A Chinese Word Macro virus could only reach English Word by a deliberate act of conversion

MacroCopy Behaviour

Behaviour of Example Macro Viruses in Chinese Word

Extra Functions Exist
  Traditional Chinese Word extra functions:
    CDate$(x) Returns date in format selected by x, RoC calendar and Chinese characters available.
    CTime$(x) Returns time in format selected by x, Chinese characters available.

The Internet
  Increasing the Number and Frequency of our contacts

The Virus Writer’s Problem: Initial Distribution
  Infecting Individual Machines
    Slow
    Danger of getting caught
  Mass Distribution
    Usually Depends on Luck
    e.g. infect master diskette at factory

Hare
  May 96 - worldwide reports
  Hare.7550 found in June 96 and traced to posts in: alt.cracks, alt.sex, alt.comp.shareware
  Hare.7786 traced to posts on 29 June 96 in: alt.crackers
  Destructive Activation 22 August & September

Hare
  Response:
    Anti-Virus developers made new versions available
    Thousands downloaded and checked their machines
  Result:
    A few reports of disinfection before activation
    About 16 activations worldwide

Hare: Why it Failed?
  Readers of alt.cracks and alt.crackers are
    technically aware
    involved in “dubious” activities
    probably cautious
  Hare often fails to replicate
    limited spread beyond initial distribution

Phalcon.1168
  Distributed 15 August 97, in a file ICQ.ZIP on the newsgroups:
    hk.entertainment, alt.chinese.computing, alt.chinese.text.big5,
    aol.buy.and.sell, asiaonline.buy.and.sell, chinese.comp.software,
    hk.biz.general, hk.chinese, hk.comp.chinese, hk.comp.hacker,
    hk.comp.hardware.datacomm, hk.comp.mac, hk.comp.mpp,
    hk.comp.os.linux, hk.comp.pc

Phalcon.1168
  No resulting incidents reported

Accidental Spread
  Causes Many Incidents
  Often E-mailing an Infected Word Document
    received some speakers' details for this conference as a Word document infected with WM/CAP.A
  Stop Exchanging Word Documents
    Would Dramatically Reduce Prevalence of Word Macro Viruses
    Use RTF

Internet Specific Viruses
  A Virus Could be written to specifically take advantage of the Internet
  WM/ShareFun is the first example
    mix between a macro virus and an automatic chain letter

ShareFun
  WordMacro/ShareFun.A - similar to WordMacro/Wazzu
  1 in 4 chance of activation when infected document opened
  Attempts to send E-Mail by Microsoft Mail to three people from local alias list
  E-Mail contains infected Document
  Also infects on Tools/Macro or File/Templates menu items

ShareFun
  Infected users of MS Mail spread the virus QUICKLY
  Might send confidential documents

Virus Problems that are Not Viruses: Hoaxes
  GoodTimes
  Deeyenda Maddick
  Join the Crew
  Cancer chain letter
  Hacker Riot
  NaughtyRobot
  Penpal Greetings
  Anti-CDA

Chain Letters
  Example hoax: Join the Crew
    Variant of the Good Times hoax
    Started by a message posted to some usenet newsgroups in February 1997
  The original message:
    Hey, just to let you guys know one of my friends received an email called "Join the Crew," and it erased her entire hard drive. This is that new virus that is going around. Just be careful of what mail you read. Just trying to be helpful...
  Ignore these messages and do not pass them on.

Chain Letters
  Plausible to ordinary users
  Very Strong Warnings of damage
  Users panic:
    Send copies to all their contacts
    Flood helpdesks with calls

The Future of Viruses on the Internet
  Not Feasible: RealAudio, JPEG, HTML
  Very Feasible: ActiveX (Security model does not address viruses)
  May be possible: Java (Good security model, implementation may be flawed)

Internet Commerce
  Not a single environment
  Look at each component:
    Plain messages could not support a virus
    Client application may be infected
    Goods may be infected
  Rogue software may subvert commerce application
  Virus an ideal method of delivering rogue software
  Developers MUST assume commerce software is running in a hostile environment

Measuring the Size of the Virus Problem
  Anti-Virus Solution Providers
    Not independent
    Common viruses under-reported
  The Wildlist
  Independent Surveys
  Hong Kong Surveys

The Wildlist
  Co-operative listing coordinated by Joe Wells
  Only includes incidents where a sample was received and verified by participant
  Currently used as the basis for in-the-wild testing of antivirus products by major testers:
    NCSA
    Virus Bulletin

Computer Security Institute Survey
  6 March 1997
  563 respondents
  75% reported losses which totalled US$100 million
  165 had losses from viruses, totalling US$12.5 million
  http://www.gocsi.com/preleas2.htm

NCSA Computer Virus Prevalence Survey
  Based on 300 US sites with over 500 PC’s per site
  Infection rate of 33 per 1000 machines per month - up from 10 in 1996 survey
  Macro Viruses Growing Fastest
  49% of sites reported WM/Concept
  macro viruses accounted for 80% of all infections

NCSA Computer Virus Prevalence Survey
  One third had a disaster
  Average Recovery took 44 hours, 21.7 person-days of work and US$8366
  Diskettes from Home Top source of infection
  e-mail attachment and download also common
  Conclusions:
    Good Protection will limit the number of PC’s etc. infected after a virus reaches a site
    Increased full-time protection, especially at the desktop is needed

Hong Kong Surveys Performed at Local Exhibitions
  ITA95: IT Asia Exhibition, September 95
  SW95: Software Exhibition, November 95
  NW96: Networks Exhibition, July 96
  HKC97: Hong Kong Computer Exhibition, May 97

Surveys: Number of Staff

Survey HKC97: Business Area

Surveys: Anti-virus Policy and Software

Surveys: Viruses Encountered
  ITA95
    Stoned / Stone       20
    Michelangelo          3
    Monkey                3
    AntiCMOS              2
  SW95
    Stoned / Stone       28
    Michelangelo         13
    AntiCMOS              4
    Die Hard              3
    Monkey                2
    Form                  2
  NW96
    AntiCMOS             19
    Word Macro            7
    Stoned / Stone        7
    Concept               3
    Michelangelo          3
    MBR / Boot Sector     3
  HKC97
    Forgot               23
    AntiCMOS             14
    Stoned / Stone        9
    Word Macro            8
    Concept               4
    Monkey                4
    Die Hard / DH2        3
    Michelangelo          3

Survey: Use of Word

Survey: Version of Word Used

Survey: Exchange of Documents

Survey: Word Macro Virus Prevalence

Survey: Other Macro Viruses

Costs
  Loss of files and documents
  Loss of business
  Negative Publicity
  Data Corruption
  Lost working time
  Increased Technical Support Load

Case 1: Small Office
  15 PC’s, 1 server
  No support staff
  No anti-virus software
  Problems saving Word documents
  WordMacro/Concept identified
  Anti-virus technician cleaned 300+ documents
  Calculable costs of incident: HK$1500
  Incalculable costs: ???

Case 1: Small Office, Annual Costs
  Incident will re-occur often without anti-virus software
  Annual cost without anti-virus software: HK$18000
  Effective anti-virus solution cost: HK$8100
  Saving: HK$9900 (plus working time)

Case 2: Large Organisation
  4500 PC’s, many sites
  Helpdesk recorded ~50 incidents/week
  Most incidents: AntiCMOS, WordMacro/Concept
  Anti-virus software:
    Custom package (no active component)
    MSAV
  Technician dispatched when virus found
  Estimated costs per incident: 2 man hours
  Estimated Annual costs: HK$520,000

Case 2: Large Organisation
  Better than case 1 (lower costs/machine)
  Still a large number of reinfections

Case 2: Large Organisation, Improvements
  Move to anti-virus software with active protection
    Virus can be detected at first contact
  Simplify disinfection
    No need for technician site visit
    reduces lost working time
  Detection at first contact prevents spread
    chance of reinfections minimised
    total number of incidents falls

Case 2: Large Organisation, Annual Costs
  Poorly Designed Protection:
    50 incidents per week
    2 man hours per incident
    HK$520,000 annually
  With Active Protection and Easy Disinfection:
    25 incidents per week
    10 man minutes per incident
    HK$21,667 annually
    New anti-virus software: HK$214,000
    HK$235,667 annually
  Saving: HK$284,333

Efficient Protection Requires:
  Active Protection
    Files and diskettes scanned on access
    TSR in DOS
    VxD in Windows 3.1 & 95
    VDD in Windows NT
  Automatic Handling of Routine Incidents
    On site service is costly
  Simple Instructions for Users with an incident
    What to do?
    Report to whom?
    What to tell source?

The Virus Problem
  Never a Major, Worldwide Disaster
  Continuous small disasters and general problems
  Will not disappear
  Will get worse as:
    programming becomes simpler
    global communications become more efficient

Our Challenge
  Reduce the costs of viruses by:
    Efficient Protection Methods
    User Education

Questions?
  This Speech will be available on the Internet.
  http://www.yuikee.com.hk/info-ctr/
    Text (WordPerfect 5.1 file)
    Presentation (PowerPoint file)
