Information Security News mailing list archives

Virus man gives corporates small tick


From: InfoSec News <isn () c4i org>
Date: Fri, 29 Mar 2002 02:47:09 -0600 (CST)

http://www.idgnet.co.nz/webhome.nsf/UNID/6AB6A4A6925696ACCC256B87007743B7!opendocument

Thursday, 28 March, 2002
Mark Broatch, Auckland

A homegrown virus authority believes large organisations have made
good progress in preventing mass-mailing viruses, but have some way to
go in their general system administration.

Nick FitzGerald runs Computer Virus Consulting in Christchurch,
contracting his services mainly to large US organisations. The New
Zealander previously edited the respected UK-based Virus Bulletin
website.

"Given the dramatic reduction in effectiveness of most mass-mailers -
there really has been nothing for the corporate world to be deeply
ashamed of since Anna Kournikova - I think most large corporates have
sufficient filtering and gateway protection measures, viz mass-mailing
viruses," says FitzGerald.

"CodeRed and Nimda, however, raised some worries about the quality of
system administration of crucial e-business servers and the like as
both took advantage of 'old' exploits. Both could also, in nearly all
cases, have been prevented, even if the patches had not been
available, had common standards for proper server administration been
followed in the installation and configuration of those servers."

Microsoft is partly to blame for not applying stricter development and
code review standards to products like IIS and having most of its
options enabled — "including the ones known to be of no use or
interest to 95%-plus of IIS users".

But this does not excuse administrators who did not disable the unused
and unneeded features of their machines, he says.

FitzGerald says belated increased security measures by Microsoft have
reduced Outlook's usefulness as a distribution method, but also most
largish corporate email systems, which "disproportionately" use
Outlook, now block all potentially executable attachments. A
mass-mailer virus thus can't broadcast itself to corporate address
lists.
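The gateway rule the article describes, blocking any attachment that could execute, can be illustrated with a small filter over an RFC 822 message. This is an added example written for this page, not code from the article or from FitzGerald; the extension list and the sample message (which copies the double-extension trick of the Anna Kournikova mass-mailer) are constructed here.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed list of attachment types a 2002-era corporate gateway would refuse outright
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "lnk", "reg", "shs",
}
# Constructed list of MIME types treated as executable regardless of filename
EXECUTABLE_MIME = {"application/x-msdownload", "application/x-msdos-program"}


def is_potentially_executable(filename):
    """True if the final extension is executable. Only the last extension
    counts, so 'picture.jpg.vbs' is caught; case and trailing blanks are ignored."""
    name = filename.strip().lower().rstrip(".")
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS


def scan_message(raw_bytes):
    """Return the names (or MIME types) of attachments a gateway would block."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_potentially_executable(name) or part.get_content_type() in EXECUTABLE_MIME:
            blocked.append(name or part.get_content_type())
    return blocked


def build_sample():
    """Constructed inbound message: one disguised script, one ordinary document."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "all-staff@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Have a look at the attached picture.")
    msg.add_attachment(b"placeholder bytes, not a real script", maintype="application",
                       subtype="octet-stream", filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print("blocked:", scan_message(build_sample()))  # blocked: ['AnnaKournikova.jpg.vbs']
```

A filename-only rule is what the article's gateways relied on; a stricter gateway would also inspect the attachment contents, since the sender controls the name.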

So virus writers are moving to implement self-mailing code that uses
its own SMTP client software and works "pretty much" anywhere, he
says. They may also gather target addresses from many other sources on
the victim PC, such as HTML files in the temporary internet files
cache and mail folder files for other mail clients.

FitzGerald, who says he has had viruses written using his name, also
has a hunch there are fewer active virus writers than in the past.

"We still see a large number of utterly trivial new viruses mainly
written by teenage wannabes. However, it seems that fewer of those
starting virus writing 'progress' to the more challenging aspects."

This may be, he says, partly because trivial hacking activities using
popular remote access Trojan (RAT) tools are more interesting to those
of the age and mindset who previously were getting into virus writing.

He believes bog-standard "known virus scanning" is getting closer to
the end of the road. "More generic approaches including better
heuristic scanning have been developed, but this approach will always
largely be a matter of who gets to bat first."

Other developments, such as "sandboxing" - isolating and assessing an
email before it is passed on to the normal email program - and keeping
the user's address book outside the email package, can be useful
security techniques, he says.



-
ISN is currently hosted by Attrition.org