Virii: The Complete Documentation
- This category contains 20 Papers
- The last paper was added on 2007-03-26 (YYYY-MM-DD)
Beating the Superbug: Recent Developments in Worms and Viruses
Published on date, by Michael Clarkson, ©SANS Institute.
Viruses and worms are significant risks in today’s increasingly networked computing environment. This paper will examine the differences between worms and viruses, and then discuss recent developments in virus and worm technology. Some defensive techniques will be examined, and an attempt will be made to predict future possible techniques that may emerge in viruses or worms.
File infos:
- L0T3K ID: docs-1219
- status: online
- source: www.sans.org
Bridging the gap between Red-alert virus situation and quality file-signature
Published on 2002-11-04, by Ken Millard, ©SANS Institute.
Recently, antivirus vendors have come under increasing criticism about the time they take to react to a red-alert virus situation [1]. Viruses have become more sophisticated and spread more rapidly than ever before. Correspondingly, antivirus vendors are required to reduce the time taken to respond to new viruses. They also need to continue to provide quality support, thus balancing the need for a quicker solution with the market requirement for quality solutions and support. This has highlighted the need for both a paradigm shift in malware protection and investment in new technology to implement this shift.
File infos:
- L0T3K ID: docs-1222
- status: online
- source: www.sans.org
Computer Virus Policy, Training, Software Protection and Incident Response for the Medium Sized Organization: A How-To Guide
Published on 2001-07-30, by Chris Gullett, ©SANS Institute.
LoveLetter, Melissa, Navidad, SirCam, Code Red - The names of computer viruses and worms have become headline news in the mainstream press. As they advance in technology and frequency, the cost to business has skyrocketed, from $7.6 billion [1] (US) in 1999 to $17.1 billion [2] in 2000. The addition of social engineering components to e-mail-delivered viruses and worms in the form of random subject lines and attachments makes user training more difficult [3]. The quick development and release of these viruses often catches system administrators and even anti-virus software vendors off-guard.
File infos:
- L0T3K ID: docs-1194
- status: online
- source: www.sans.org
Detecting and Recovering from a Virus Incident
Published on 2002-11-15, by John Stone, ©SANS Institute.
There is an ongoing battle between the creators of computer viruses and malicious code and the firms creating software to prevent their actions. While antivirus firms are adding proactive technology to their software, when it comes to new types of viruses, they still largely depend on reacting to the actions of the virus creators. Short of dismantling your network, there is no way to totally protect your environment from the next new fast-spreading virus.
File infos:
- L0T3K ID: docs-1220
- status: online
- source: www.sans.org
Detecting Complex Viruses
Published on 2005, by Peter Ferrie and Frederic Perriot, ©SecurityFocus.
There are many metrics by which to measure the efficiency and effectiveness of an antivirus product and the response organization that is backing it. Some of the commonly used metrics today include the antivirus company's response time to new threats as well as the availability of proactive detection. But are these metrics enough?
File infos:
- L0T3K ID: docs-1388
- status: online
- source: www.securityfocus.com
I thought we had virus protection: The mistakes that made us vulnerable to the W32/SirCam@mm virus
Published on 2001-08-16, by Bob Green, ©SANS Institute.
Computer security around our office used to be pretty lax. But with the threat of systems and data compromise we realized that we needed to have more than just an old 486 running Linux acting as a firewall and a few copies of Dr. Solomon (now McAfee's VirusScan Classic) to protect ourselves.
File infos:
- L0T3K ID: docs-1196
- status: online
- source: www.sans.org
Implementing A Norton AntiVirus Managed Infrastructure
Published on 2002, by Rodney Lynxwiler, ©SANS Institute.
The purpose of this paper is not to go into a history of viruses, or even spend paragraphs describing how viruses work. I’d like to concentrate on some of the practical aspects of rolling out a managed antivirus solution to a large company, specifically for workstations and servers. If you spend any time at all perusing vendor documentation, you know there are holes, gaps and sometimes large crevices of missing information that are needed to make the practical decisions. That, coupled with the typical corporate politics and red tape, can send you into a tailspin! But, with some planning, forethought and good advice from people who have gone through it before, successful managed antivirus protection can be implemented. And, just think of how good it will feel when the next virus is thwarted before it has a chance to negatively impact the company’s resources.
File infos:
- L0T3K ID: docs-1216
- status: online
- source: www.sans.org
Issues with keeping AntiVirus software up to date
Published on 2001-07-25, by John Graham, ©SANS Institute.
Explore different aspects to keeping ANY virus protection software up to date to be protected from virus infection. It is obvious that as Information Security professionals we need to be aware of all of the "latest and greatest" information on outbreaks of malicious code, including how to recognize and repair them. Also, we know that we need to have virus protection software loaded at all possible points of failure within our organizations and we need to have procedures for when these outbreaks occur. However, it seems to me that one of the most difficult tasks is keeping all of this virus protection software up to date. All reputable virus protection software products come out with updates on a fairly frequent basis, and it is up to each organization to get these updates out to all computers that need to be protected. There are many ways to do this and many challenges that we face in accomplishing this, but it is important to keep our organizations as "clean" as possible.
File infos:
- L0T3K ID: docs-1193
- status: online
- source: www.sans.org
Practical Guide to Enterprise Antivirus and Malware Prevention (A)
Published on 2001-08-17, by Jay Martin, ©SANS Institute.
Viruses, worms, and Trojans, each of which has some unique characteristics, are starting to blend together in people’s perceptions as well as the way they behave. A virus can use worm-like logic to spread and also install a Trojan horse type program. The distinctions are also mostly lost on the IT professional trying hard to keep this software from impacting their network and end nodes. For the purposes of this paper, I’ll put them all together with the term malware. Malware has been getting much more prevalent and virulent, despite the fact that programs that counteract these undesirable applications have been getting better and better.
File infos:
- L0T3K ID: docs-1197
- status: online
- source: www.sans.org
Principles and Practise of X-raying
Published on 2004, by Frédéric Perriot, Peter Ferrie, ©Symantec Security Response.
X-raying designates a virus detection method relying on a known-plaintext attack on the virus body. Far from being a new technique, x-raying has been used since the DOS days of yore to detect encrypted or polymorphic viruses without having to emulate their decryption code. As Entry-Point Obscuring viruses surfaced, another advantage of x-raying became obvious, namely the ability to detect an infection without the — sometimes prohibitive — cost of locating the decryption code in the infected object.
File infos:
- L0T3K ID: docs-1389
- status: offline
- source: http://pferrie.tripod.com/
Psst... Hey Buddy, wanna create a virus?
Published on 2003-02-13, by David Pearson, ©SANS Institute.
So, you think there are only a handful of virus creators out there? Just a couple of guys sitting in a back room in some third-world country clunking away on what we would consider a boat anchor of a PC? Think again. The person in the cubicle next to yours could, at this very moment, be creating a virus. Viruses will continue to be generated in greater numbers than ever before. Why? First of all, the number of people with access to computers and the Internet will continue to escalate. Secondly, creating viruses has become easier with the development and availability of virus authoring kits such as the (K)alamar Virus Creation Toolkit or Triniti’s VBS Worm Toolbox. The ability to write viruses has also become easier. Languages such as Visual Basic and Visual C, C++, both of which make use of GUI interfaces, make it so that very little actual programming knowledge is required. Virus authoring kits are also available for free on the Internet, and have made it fairly easy for someone to generate a virus or learn enough from the source code generated by the kits to write their own virus. With this truth and ease of availability, we are likely to see a dramatic increase in viruses as the potential virus writing community increases in number and the means for developing viruses and malicious code becomes easier.
File infos:
- L0T3K ID: docs-1198
- status: online
- source: www.sans.org
Security Management View of Implementing Enterprise Antivirus Protection
Published on 2003, by Mike Stowe, ©SANS Institute.
This paper provides practical information to consider when planning the deployment, upgrade, design, or engineering of an enterprise antivirus solution. Antivirus solutions usually focus on Microsoft Windows environments, but this paper adds some tangential notes about Macintosh and UNIX variants.
File infos:
- L0T3K ID: docs-1221
- status: online
- source: www.sans.org
Slow Down Internet Worms With Tarpits
Published on August 21, 2003, by Tony Bautts, ©SecurityFocus.
Worms, worms are everywhere! The recent and prolific spread of Internet worms has yet again demonstrated the vulnerability of network hosts, and it's clear that new approaches to worm containment need to be investigated. In this article, we'll discuss a new twist on an under-utilized technology: the tarpit.
File infos:
- L0T3K ID: docs-624
- status: online
- source: www.securityfocus.com
System Administrator's Guide to Implementing Various Anti-Virus Mechanisms: What to do When a Virus is Suspected On a Computer Network (A)
Published on 2002-06-06, by Robert B. Fried, ©SANS Institute.
This paper, presented in the form of sample guidelines/procedures, will express in much detail the steps, techniques and methods of defense utilized/implemented in the detection, investigation and tracing of a suspected computer virus. Proposed courses of action will be discussed. The effectiveness of these actions, as well as the use and effectiveness of established mechanisms of defense will be evaluated.
File infos:
- L0T3K ID: docs-1218
- status: online
- source: www.sans.org
The What, Why, and How of the 1988 Internet Worm
Published on July 2001, by Charles Schmidt and Tom Darby, ©Charles Schmidt and Tom Darby.
The above may be the computer understatement of the year. As of the time that Sudduth posted his message, the internet was coming apart. VAX and Sun machines across the country were being overloaded by invisible tasks, preventing users from being able to use the machines effectively, if at all, and eventually forcing system administrators to cut off many of their machines from the internet entirely in an attempt to cut off the source of infection. The culprit of all this chaos is a small (99 line, not including object files) program written by Robert Tappan Morris who was, at the time, a 23 year old doctoral student at Cornell University. This code, or this type of code, has since been given the name, worm.
File infos:
- L0T3K ID: docs-750
- status: online
- source: www.snowplow.org
Understanding the Virus Threat and Developing Effective Anti-Virus Policy
Published on 2002-03-11, by Frank Zipfel, ©SANS Institute.
According to recent ICSA statistics, your company was over 99% likely to be confronted with the threat of a virus infection in the year 2000, over 50% of which could be classified as a virus disaster. Was your company prepared to deal with this threat?
File infos:
- L0T3K ID: docs-1215
- status: online
- source: www.sans.org
Virii Generators: Understanding the Threat
Published on 2002-05-12, by James Tarala, ©SANS Institute.
Ever since Robert Morris unleashed his first Internet worm in 1988, virii have been a nuisance and a threat to both corporations and individuals alike. In the early days, worms such as these took an understanding of at least basic programming and of the vulnerabilities inherent in the operating systems at work in computer networks. Those virii that were released took time and effort to produce and often were not created with destructive or malicious intentions in mind. But that was then, and this is now. A lot has changed in the world in the past fourteen years. While in the past the novice would have no access to a common global network (the Internet), let alone GUI tools to create, package, and distribute malicious code against any whimsical target, today even foreign pre-pubescents have the chance to annoy and harm the networked community at large.
File infos:
- L0T3K ID: docs-1217
- status: online
- source: www.sans.org
Virus and a worm: lessons learned from SirCam and Code Red in a university environment (A)
Published on 2001, by Marc Mazuhelli, ©SANS Institute.
Viruses and worms are two types of malware that we heard a lot from in the summer of 2001. Two specimens, one from each of these forms of malware, were released a few days apart in July 2001, keeping security personnel busy and generating a lot of coverage in the press.
File infos:
- L0T3K ID: docs-1195
- status: online
- source: www.sans.org
Virus hoaxes — are they just a nuisance?
Published on 2001-07-18, by Darren Grocott, ©SANS Institute.
Virus hoaxes require little or no technical skill to initiate and are becoming as common as the virus problem itself. Should information security professionals be concerned about virus hoaxes? After all, it is common opinion that they are just a prank that doesn’t really hurt anybody.
File infos:
- L0T3K ID: docs-1192
- status: online
- source: www.sans.org
Who Wrote Sobig?
Published on 2004, by travis, ©travis.
August 18, 2003 was a day of infamy in the world of computer software malware. The Sobig virus, as it was affectionately named by the anti-virus industry, infected hundreds of thousands of computers within just a few short hours. W32.Sobig.F@mm was a mass-mailing, network-aware worm that sent itself to all the email addresses it could find, worldwide.
File infos:
- L0T3K ID: docs-1185
- status: online
- source: http://www.geocities.com/author_travis/
Created: 2004-12-07 15:52 | Modified: 2007-03-26 00:17 | Size: 55035 octets