http://www.idgnet.co.nz/webhome.nsf/UNID/6AB6A4A6925696ACCC256B87007743B7!opendocument Thursday, 28 March, 2002 Mark Broatch, Auckland A homegrown virus authority believes large organisations have made good progress in preventing mass-mailing viruses, but have some way to go in their general system administration. Nick FitzGerald runs Computer Virus Consulting in Christchurch, contracting his services mainly to large US organisations. The New Zealander previously edited the respected UK-based Virus Bulletin website. "Given the dramatic reduction in effectiveness of most mass-mailers - there really has been nothing for the corporate world to be deeply ashamed of since Anna Kournikova - I think most large corporates have sufficient filtering and gateway protection measures, viz mass-mailing viruses," says FitzGerald. "CodeRed and Nimda, however, raised some worries about the quality of system administration of crucial e-business servers and the like as both took advantage of 'old' exploits. Both could also, in nearly all cases, have been prevented, even if the patches had not been available, had common standards for proper server administration been followed in the installation and configuration of those servers." Microsoft is partly to blame for not applying stricter development and code review standards to products like IIS and having most of its options enabled — "including the ones known to be of no use or interest to 95%-plus of IIS users". But this does not excuse administrators who did not disable the unused and unneeded features of their machines, he says. FitzGerald says belated increased security measures by Microsoft have reduced Outlook's usefulness as a distribution method, but also most largish corporate email systems, which "disproportionately" use Outlook, now block all potentially executable attachments. A mass-mailer virus thus can't broadcast itself to corporate address lists. So virus writers are moving to implement self-mailing code that use their own SMTP client software and work "pretty much" anywhere, he says. They may also gather target addresses from many other sources on the victim PC, such as HTML files in the temporary internet files cache and mail folder files for other mail clients. FitzGerald, who says he has had viruses written using his name, also has a hunch there are fewer active virus writers than in the past. "We still see a large number of utterly trivial new viruses mainly written by teenage wannabes. However, it seems that fewer of those starting virus writing 'progress' to the more challenging aspects." This may be, he says, partly because trivial hacking activities using popular remote access Trojan (RAT) tools are more interesting to those of the age and mindset who previously were getting into virus writing. He believes bog-standard "known virus scanning" is getting closer to the end of the road. "More generic approaches including better heuristic scanning have been developed, but this approach will always largely be a matter of who gets to bat first." Other developments, such as "sandboxing" - isolating and assessing an email before it is passes on to the normal email program - and keeping the user's address book outside the email package, can be useful security techniques, he says. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Mar 29 2002 - 04:33:44 PST