[ISN] Virus man gives corporates small tick

From: InfoSec News (isnat_private)
Date: Fri Mar 29 2002 - 00:47:09 PST


    Thursday, 28 March, 2002
    Mark Broatch, Auckland

    A homegrown virus authority believes large organisations have made
    good progress in preventing mass-mailing viruses, but have some way to
    go in their general system administration.

    Nick FitzGerald runs Computer Virus Consulting in Christchurch,
    contracting his services mainly to large US organisations. The New
    Zealander previously edited the respected UK-based Virus Bulletin.

    "Given the dramatic reduction in effectiveness of most mass-mailers -
    there really has been nothing for the corporate world to be deeply
    ashamed of since Anna Kournikova - I think most large corporates have
    sufficient filtering and gateway protection measures, viz mass-mailing
    viruses," says FitzGerald.

    "CodeRed and Nimda, however, raised some worries about the quality of
    system administration of crucial e-business servers and the like as
    both took advantage of 'old' exploits. Both could also, in nearly all
    cases, have been prevented, even if the patches had not been
    available, had common standards for proper server administration been
    followed in the installation and configuration of those servers."

    Microsoft is partly to blame for not applying stricter development and
    code review standards to products like IIS and having most of its
    options enabled, "including the ones known to be of no use or
    interest to 95%-plus of IIS users".

    But this does not excuse administrators who did not disable the unused
    and unneeded features of their machines, he says.

    FitzGerald says belated increased security measures by Microsoft have
    reduced Outlook's usefulness as a distribution method, but also most
    largish corporate email systems, which "disproportionately" use
    Outlook, now block all potentially executable attachments. A
    mass-mailer virus thus can't broadcast itself to corporate address

    So virus writers are moving to implement self-mailing code that uses
    its own SMTP client software and works "pretty much" anywhere, he
    says. They may also gather target addresses from many other sources on
    the victim PC, such as HTML files in the temporary internet files
    cache and mail folder files for other mail clients.
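    The gateway control described above (corporate mail systems that block
    all potentially executable attachments) as an added Python example. This
    is not code from the article or from FitzGerald; the function names, the
    extension block list and the sample message are my own assumptions and
    constructions. The check judges a file by its final extension, so a
    double-extension name such as "holiday.jpg.vbs" is still caught.

```python
"""Added example: a minimal mail-gateway attachment filter.

Not the article's code. The block list, helper names and the sample message
below are assumptions constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Assumed block list: extensions Windows will execute (directly or via a
# script host) when opened. Illustrative, not exhaustive; a real gateway
# keeps this list under change control.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "lnk", "reg", "msi", "cpl",
}


def is_potentially_executable(filename: str) -> bool:
    """Decide by the LAST extension, so 'photo.jpg.vbs' is flagged."""
    if not filename:
        return False
    name = filename.strip().lower().rstrip(". ")  # trailing dots/spaces hide nothing
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS


def flagged_attachments(raw_message: bytes) -> List[str]:
    """Return filenames of attachments the gateway should refuse."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() looks at both Content-Disposition and Content-Type.
        fname = part.get_filename()
        if fname and is_potentially_executable(fname):
            flagged.append(fname)
    return flagged


def gateway_decision(raw_message: bytes) -> str:
    """Gateway verdict: REJECT if any attachment is potentially executable."""
    return "REJECT" if flagged_attachments(raw_message) else "ACCEPT"


def build_sample() -> bytes:
    """Constructed sample: a benign text attachment plus a double-extension script."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Holiday photos"
    msg.set_content("See attached.")
    msg.add_attachment("just notes", filename="notes.txt")
    msg.add_attachment(b"' constructed placeholder, not a real script body",
                       maintype="application", subtype="octet-stream",
                       filename="holiday.jpg.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample()
    print(flagged_attachments(sample))   # ['holiday.jpg.vbs']
    print(gateway_decision(sample))      # REJECT
```

    The filter only looks at names, which is exactly why FitzGerald notes
    that virus writers responded with their own SMTP clients: a gateway rule
    like this stops the Outlook-driven broadcast but says nothing about the
    content of a file, so it belongs beside scanning rather than in place of it.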
    FitzGerald, who says he has had viruses written using his name, also
    has a hunch there are fewer active virus writers than in the past.

    "We still see a large number of utterly trivial new viruses mainly
    written by teenage wannabes. However, it seems that fewer of those
    starting virus writing 'progress' to the more challenging aspects."

    This may be, he says, partly because trivial hacking activities using
    popular remote access Trojan (RAT) tools are more interesting to those
    of the age and mindset who previously were getting into virus writing.

    He believes bog-standard "known virus scanning" is getting closer to
    the end of the road. "More generic approaches including better
    heuristic scanning have been developed, but this approach will always
    largely be a matter of who gets to bat first."

    Other developments, such as "sandboxing" - isolating and assessing an
    email before it is passed on to the normal email program - and keeping
    the user's address book outside the email package, can be useful
    security techniques, he says.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Mar 29 2002 - 04:33:44 PST