beyond10


Comments

By: addiips (98 month(s) ago)

pls sir let me download this presentation pls

By: nitin30 (114 month(s) ago)

sir please let me download this presentation

By: hamm (118 month(s) ago)

can u please give me a copy of it

By: binoyjose9 (130 month(s) ago)

Good presentation. Can i have a copy of it as PPT

By: sherifeissa (131 month(s) ago)

great presentation

Presentation Transcript

Computer Viruses: Beyond the First Decade: 

Computer Viruses: Beyond the First Decade Allan G. Dyer MHKCS, MIAP, AIDPM, MSc (tech), BSc adyer@yuikee.com.hk Yui Kee Co. Ltd.

Ten Years: 

- 1986: Brain Boot Sector Virus Appears
- 1988: Stoned written
- 1988, Friday 13th May: Jerusalem virus activated
- 1988: Mike RoChenle Hoax Virus Warning
- 1992, March 6th: First Michelangelo Day
- 1992: First Windows virus
- 1994: First OS/2 virus
- 1994: KAOS4 posted in Internet newsgroup
- 1994, August: Black Baron Arrested in UK
- 1994, September: ARCV virus writing group released with a police caution
- 1994, October: Virus total reaches 5000

Ten Years: 

- 1994, December: Virus author charged in Norway
- 1995, January: Good Times Hoax first appears
- 1995, September: First Word Macro virus
- 1995, December: Black Baron jailed for 18 months
- 1996, February: First AmiPro Macro virus
- 1996, February: First Win’95 virus
- 1996, May: Hare distributed in Internet newsgroups
- 1996, August: First Excel Macro virus
- 1996, November: First Polymorphic Macro virus
- 1997: Word Macro Viruses Commonest Virus Type
- 1997: Office 97 & VBA makes cross-application macro viruses possible

What is a Real Computer Virus?: 

- A computer virus is a program that can infect other programs by modifying them or the execution path of them in such a way as to include a (possibly evolved) copy of itself.
- Proviso: The program must be deliberately designed to replicate.
- Definition: Fig. 1

Viruses Die Out: 

- Brain: Infected only floppy disks
- Many File Viruses: Incompatible with Windows
- Stoned: Fails to infect 3.5” disks correctly

Virus Environments: 

- Environments: PC/BIOS compatibility, DOS interrupts, FAT partition
- Viruses: Boot Sector Virus, .COM .EXE File Virus, Cluster Virus

Virus Environments: 

- Environments: Windows API, MS Word, PC/BIOS compatibility, DOS interrupts, FAT partition
- Viruses: Boot Sector Virus, .COM .EXE File Virus, Cluster Virus, Windows Virus, WordMacro Virus

Viruses Spreading: 

| | Susceptible Population | Route between machines |
|---|---|---|
| Netware | ✓ many LANs | ✖ no exchange |
| DOS | ✔ VERY common | ✔ frequent |

Viruses Spreading: 

| | Susceptible Population | Route between machines |
|---|---|---|
| Netware | ✓ many LANs | ✖ no exchange |
| DOS | ✔ VERY common | ✔ frequent |
| MS Word | ✔ VERY common | ✔ frequent |

Virus Writers: 

| | Environment | Tools & Information |
|---|---|---|
| DOS | ✔ very available | ✔ free & common |
| Windows | ✔ very available | ✖ expensive & obscure |

Virus Writers: 

| | Environment | Tools & Information |
|---|---|---|
| DOS | ✔ very available | ✔ free & common |
| Windows | ✔ very available | ✖ expensive & obscure |
| MS Word | ✔ very available | ✔ free & common |

The Changing Virus Writer: 

- “Traditional” Virus Writer: Interested teenager
  - Motivations: “fun”, teenage rebellion, curiosity, showing off...
  - Spread: deliberate, accidental, or sent only to researchers
- “New” Virus Writer: Computing Professional / Word Power User
  - Motivations: curiosity, investigates existing WM virus & modifies it
  - Spread: accidental, or sent only to researchers

Chinese Viruses: 

- Binary File and Boot Sector Viruses
  - Few are recognisably Chinese
  - Can affect all language users, not limited to Chinese
- Macro Viruses
  - Over 200 macro viruses for Traditional Chinese Word
  - Limited to specific Word language versions

Main Word Environments in Hong Kong: 

- English
- Traditional Chinese
- Simplified Chinese
- English with Chinese Enabling Software (Twin Bridge, Rich Win etc.)

Macro Conversion: 

- English -> Chinese: Macros exist unchanged
  - English Word Macro viruses can be transferred to Chinese Word easily
  - The virus might not replicate in Chinese Word
- Chinese -> English: Documents (and their macros) not directly converted
  - A Chinese Word Macro virus could only reach English Word by a deliberate act of conversion

MacroCopy Behaviour: 


Behaviour of Example Macro Viruses in Chinese Word: 


Extra Functions Exist: 

Traditional Chinese Word extra functions:
- CDate$(x): Returns date in format selected by x, RoC calendar and Chinese characters available.
- CTime$(x): Returns time in format selected by x, Chinese characters available.

The Internet: 

- Increasing the Number and Frequency of our contacts

The Virus Writer’s Problem: Initial Distribution: 

- Infecting Individual Machines
  - Slow
  - Danger of getting caught
- Mass Distribution
  - Usually Depends on Luck, e.g. infect master diskette at factory

Hare: 

- May 96 - worldwide reports
- Hare.7550 found in June 96 and traced to posts in: alt.cracks, alt.sex, alt.comp.shareware
- Hare.7786 traced to posts on 29 June 96 in: alt.crackers
- Destructive Activation 22 August & September

Hare: 

- Response:
  - Anti-Virus developers made new versions available
  - Thousands downloaded and checked their machines
- Result:
  - A few reports of disinfection before activation
  - About 16 activations worldwide

Hare: Why it Failed?: 

- Readers of alt.cracks and alt.crackers are:
  - technically aware
  - involved in “dubious” activities
  - probably cautious
- Hare often fails to replicate
  - limited spread beyond initial distribution

Phalcon.1168 Distributed 15 August 97, in a file ICQ.ZIP on the newsgroups:: 

Distributed 15 August 97, in a file ICQ.ZIP on the newsgroups: hk.entertainment, alt.chinese.computing, alt.chinese.text.big5, aol.buy.and.sell, asiaonline.buy.and.sell, chinese.comp.software, hk.biz.general, hk.chinese, hk.comp.chinese, hk.comp.hacker, hk.comp.hardware.datacomm, hk.comp.mac, hk.comp.mpp, hk.comp.os.linux, hk.comp.pc

Phalcon.1168: 

- No resulting incidents reported

Accidental Spread: 

- Causes Many Incidents
- Often E-mailing an Infected Word Document
  - received some speakers' details for this conference as a Word document infected with WM/CAP.A
- Stop Exchanging Word Documents
  - Would Dramatically Reduce Prevalence of Word Macro Viruses
  - Use RTF
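
A content check to go with the "Use RTF" advice above, as an added example that is not part of the original presentation: it classifies an attachment by its leading bytes rather than its extension, because a file named .rtf can still hold a Word document. The function names, verdict strings and sample byte strings are constructed for illustration.

```python
"""Classify document attachments by content, not by extension (added example)."""

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file header (Word .doc/.dot)
RTF_MAGIC = b"{\\rtf"                            # an RTF file opens with this group


def sniff(data: bytes) -> str:
    """Return 'ole2', 'rtf' or 'unknown' from the leading bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def review(name: str, data: bytes) -> tuple:
    """Return (verdict, reason) for one attachment under an RTF-only policy."""
    kind = sniff(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if kind == "ole2":
        if ext == "rtf":
            return ("block", "named .rtf but the content is an OLE2 Word document")
        return ("block", "OLE2 Word document, which can carry macros")
    if kind == "rtf":
        if b"\\object" in data:
            return ("hold", "RTF with an embedded object, inspect before opening")
        return ("allow", "RTF text, no macro storage")
    return ("hold", "not recognised as RTF or OLE2")


# Constructed sample attachments (headers only, not real documents).
SAMPLES = {
    "speakers.doc": OLE2_MAGIC + b"\x00" * 24,
    "speakers.rtf": b"{\\rtf1\\ansi Speaker details}",
    "renamed.rtf": OLE2_MAGIC + b"\x00" * 24,
    "embedded.rtf": b"{\\rtf1{\\object\\objemb{\\*\\objdata 0105}}}",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = review(name, data)
        print(f"{name:14} {verdict:6} {reason}")
```
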

Internet Specific Viruses: 

- A virus could be written to specifically take advantage of the Internet
- WM/ShareFun is the first example
  - mix between a macro virus and an automatic chain letter

ShareFun: 

- WordMacro/ShareFun.A - similar to WordMacro/Wazzu
- 1 in 4 chance of activation when infected document opened
- Attempts to send E-Mail by Microsoft Mail to three people from local alias list
- E-Mail contains infected Document
- Also infects on Tools/Macro or File/Templates menu items

ShareFun: 

- Infected users of MS Mail spread the virus QUICKLY
- Might send confidential documents

Virus Problems that are Not Viruses: Hoaxes: 

- GoodTimes
- Deeyenda Maddick
- Join the Crew
- Cancer chain letter
- Hacker Riot
- NaughtyRobot
- Penpal Greetings
- Anti-CDA

Chain Letters: 

- Example hoax: Join the Crew
- Variant of the Good Times hoax
- Started by a message posted to some usenet newsgroups in February 1997
- The original message:
  Hey, just to let you guys know one of my friends received an email called "Join the Crew," and it erased her entire hard drive. This is that new virus that is going around. Just be careful of what mail you read. Just trying to be helpful...
- Ignore these messages and do not pass them on.

Chain Letters: 

- Plausible to ordinary users
- Very Strong Warnings of damage
- Users panic:
  - Send copies to all their contacts
  - Flood helpdesks with calls

The Future of Viruses on the Internet: 

- Not Feasible: RealAudio, JPEG, HTML
- Very Feasible: ActiveX (Security model does not address viruses)
- May be possible: Java (Good security model, implementation may be flawed)

Internet Commerce: 

- Not a single environment
- Look at each component:
  - Plain messages could not support a virus
  - Client application may be infected
  - Goods may be infected
  - Rogue software may subvert commerce application
- Virus an ideal method of delivering rogue software
- Developers MUST assume commerce software is running in a hostile environment

Measuring the Size of the Virus Problem: 

- Anti-Virus Solution Providers
  - Not independent
  - Common viruses under-reported
- The Wildlist
- Independent Surveys
- Hong Kong Surveys

The Wildlist: 

- Co-operative listing coordinated by Joe Wells
- Only includes incidents where a sample was received and verified by participant
- Currently used as the basis for in-the-wild testing of antivirus products by major testers: NCSA, Virus Bulletin

Computer Security Institute Survey: 

- 6 March 1997
- 563 respondents
- 75% reported losses which totalled US$100 million
- 165 had losses from viruses, totalling US$12.5 million
- http://www.gocsi.com/preleas2.htm

NCSA Computer Virus Prevalence Survey: 

- Based on 300 US sites with over 500 PC’s per site
- Infection rate of 33 per 1000 machines per month - up from 10 in 1996 survey
- Macro Viruses Growing Fastest
- 49% of sites reported WM/Concept macro viruses accounted for 80% of all infections

NCSA Computer Virus Prevalence Survey: 

- One third had a disaster
  - Average Recovery took 44 hours, 21.7 person-days of work and US$8366
- Diskettes from Home Top source of infection
  - e-mail attachment and download also common
- Conclusions:
  - Good Protection will limit the number of PC’s etc. infected after a virus reaches a site
  - Increased full-time protection, especially at the desktop is needed

Hong Kong Surveys Performed at Local Exhibitions: 

- ITA95: IT Asia Exhibition, September 95
- SW95: Software Exhibition, November 95
- NW96: Networks Exhibition, July 96
- HKC97: Hong Kong Computer Exhibition, May 97

Surveys: Number of Staff: 


Survey HKC97: Business Area: 


Surveys: Anti-virus Policy and Software: 


Surveys: Viruses Encountered: 


Surveys: Viruses Encountered: 

- ITA95: Stoned / Stone (20), Michelangelo (3), Monkey (3), AntiCMOS (2)
- SW95: Stoned / Stone (28), Michelangelo (13), AntiCMOS (4), Die Hard (3), Monkey (2), Form (2)
- NW96: AntiCMOS (19), Word Macro (7), Stoned / Stone (7), Concept (3), Michelangelo (3), MBR / Boot Sector (3)
- HKC97: Forgot (23), AntiCMOS (14), Stoned / Stone (9), Word Macro (8), Concept (4), Monkey (4), Die Hard / DH2 (3), Michelangelo (3)

Survey: Use of Word: 


Survey: Version of Word Used: 


Survey: Exchange of Documents: 


Survey: Word Macro Virus Prevalence: 

Survey: Word Macro Virus Prevalence: 

Survey: Other Macro Viruses: 


Costs: 

- Loss of file and documents
- Loss of business
- Negative Publicity
- Data Corruption
- Lost working time
- Increased Technical Support Load

Case 1: Small Office: 

- 15 PC’s, 1 server
- No support staff
- No anti-virus software
- Problems saving Word documents
- WordMacro/Concept identified
- Anti-virus technician cleaned 300+ documents
- Calculable costs of incident: HK$1500
- Incalculable costs: ???

Case 1: Small Office, Annual Costs: 

- Incident will re-occur often without anti-virus software
- Annual cost without anti-virus software: HK$18000
- Effective anti-virus solution cost: HK$8100
- Saving: HK$9900 (plus working time)

Case 2: Large Organisation: 

- 4500 PC’s, many sites
- Helpdesk recorded ~50 incidents/week
- Most incidents: AntiCMOS, WordMacro/Concept
- Anti-virus software:
  - Custom package (no active component)
  - MSAV
- Technician dispatched when virus found
- Estimated costs per incident: 2 man hours
- Estimated Annual costs: HK$520,000

Case 2: Large Organisation: 

- Better than case 1 (lower costs/machine)
- Still a large number of reinfections

Case 2: Large Organisation, Improvements: 

- Move to anti-virus software with active protection
  - Virus can be detected at first contact
- Simplify disinfection
  - No need for technician site visit
  - reduces lost working time
- Detection at first contact prevents spread
  - chance of reinfections minimised
  - total number of incidents falls

Case 2: Large Organisation, Annual Costs: 

- Poorly Designed Protection:
  - 50 incidents per week
  - 2 man hours per incident
  - HK$520,000 annually
- With Active Protection and Easy Disinfection:
  - 25 incidents per week
  - 10 man minutes per incident
  - HK$21,667 annually
  - New anti-virus software: HK$214,000
  - Total: HK$235,667 annually
- Saving: HK$284,333

Efficient Protection Requires:: 

- Active Protection
  - Files and diskettes scanned on access
  - TSR in DOS
  - VxD in Windows 3.1 & 95
  - VDD in Windows NT
- Automatic Handling of Routine Incidents
  - On site service is costly
- Simple Instructions for Users with an incident
  - What to do?
  - Report to whom?
  - What to tell source?

The Virus Problem: 

- Never a Major, Worldwide Disaster
- Continuous small disasters and general problems
- Will not disappear
- Will get worse as:
  - programming becomes simpler
  - global communications become more efficient

Our Challenge: 

- Reduce the costs of viruses by:
  - Efficient Protection Methods
  - User Education

Questions?: 

- This Speech will be available on the Internet. http://www.yuikee.com.hk/info-ctr/
  - Text (WordPerfect 5.1 file)
  - Presentation (PowerPoint file)
