The Battle Against Viruses on the CERN NICE Network Tami Kramer CERN
Viruses - the problem
• There are an estimated 45,000 viruses “in the wild” today
• Growing at a rate of 6 new viruses per month
• Viruses are also becoming more sophisticated and malicious
• No longer an issue of destroying data on one machine but several at once

Virus History and Evolution: Simple Viruses
• Easiest to detect
• User launches infected program, virus gains control of the PC and attaches itself to another program, then transfers control back to the host program, which functions normally
• Anti-virus software need only look for a “signature” (sequence of bytes) to detect it

Virus History and Evolution: Encrypted Viruses - Description
• Hides the fixed signature by scrambling the virus body, making it unrecognizable to the scan engine
• An encrypting virus always propagates using the same decryption routine; however, the key value changes from infection to infection
• Consequently the encrypted body of the virus also varies, depending on the key value

Virus History and Evolution: Encrypted Viruses - Detection
• Consists of a virus decryption routine and an encrypted virus body
• User launches infected program, the virus decryption routine gains control of the computer and decrypts the virus body, which infects new programs/files with a new key
• Anti-virus software must search for the signature of the decryption routine

Virus History and Evolution: Polymorphic Viruses - Description
• Includes a scrambled virus body and decryption routine
• However, adds a mutation engine that generates randomized decryption routines
• The mutation engine and the virus body are both encrypted, and the new decryption routine is passed along with them

Virus History and Evolution: Polymorphic Viruses - Detection
• User launches infected program; the decryption routine decrypts the virus body and mutation engine; the virus makes a copy of both itself and the mutation engine in RAM; the virus invokes the mutation engine, which generates a new decryption routine, encrypts with the new decryption routine, and infects a new file
• Virus authors distribute mutation engines for use by others

Virus History and Evolution
• Anti-virus vendors developed generic decryption techniques that “trick” polymorphic viruses into revealing themselves using a virtual computer
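The three detection generations on the preceding slides (fixed body signature, decryptor-routine signature, and generic decryption on a virtual computer) can be shown side by side on a toy machine. The following is an added example and is not code from the talk or from any product: the instruction set, the host image, the “virus body” and the signatures are all constructed for the illustration, and the sample is assumed to have its entry point redirected to the appended code, as the simple-virus slide describes. Two hand-written decryptor stubs stand in for two outputs of a mutation engine; no engine is implemented.

```python
"""Added example, not from the slides: three generations of virus detection
run over constructed samples for a toy 8-bit "virtual computer".

Nothing here is a real virus or a real AV signature; opcodes, host image,
body bytes and signatures are all constructed for the illustration."""

# Constructed toy instruction set for the emulator (the "virtual computer").
NOP, LOADK, LOADP, LOADN, XORMEM, SUBMEM, INCP, DJNZ, HALT = range(9)


def le16(n: int) -> bytes:
    return n.to_bytes(2, "little")


# Constructed host program and constructed "virus body" (the bytes a signature
# targets). The body signature is a substring of the body.
HOST = b"MZ-constructed-host-program-"
BODY = b"TOY-PAYLOAD-BYTES"
BODY_SIG = b"PAYLOAD"
ENTRY = len(HOST)   # assumption: the infected image's entry point is the appended code


def stub_a(entry: int, key: int) -> bytes:
    """Decryptor variant A: XOR loop, 14 bytes. Identical on every infection except the key."""
    body_addr, loop = entry + 14, entry + 8
    return (bytes([LOADK, key]) + bytes([LOADP]) + le16(body_addr)
            + bytes([LOADN]) + le16(len(BODY))
            + bytes([XORMEM, INCP, DJNZ]) + le16(loop) + bytes([HALT]))


def stub_b(entry: int, key: int) -> bytes:
    """Decryptor variant B: same job, different opcodes and ordering, 17 bytes
    (stands in for a second routine produced by a mutation engine)."""
    body_addr, loop = entry + 17, entry + 10
    return (bytes([NOP, LOADN]) + le16(len(BODY)) + bytes([NOP, LOADP]) + le16(body_addr)
            + bytes([LOADK, key])
            + bytes([SUBMEM, NOP, INCP, DJNZ]) + le16(loop) + bytes([HALT]))


STUB_SIG_A = bytes([XORMEM, INCP, DJNZ])   # signature for the fixed loop of stub A


def sample_simple() -> bytes:
    return HOST + BODY                                    # body appended in clear


def sample_encrypted_a(key: int) -> bytes:
    return HOST + stub_a(ENTRY, key) + bytes(b ^ key for b in BODY)


def sample_encrypted_b(key: int) -> bytes:
    return HOST + stub_b(ENTRY, key) + bytes((b + key) & 0xFF for b in BODY)


def scan_static(image: bytes) -> bool:
    """Generation 1: look for the fixed body signature."""
    return BODY_SIG in image


def scan_stub(image: bytes) -> bool:
    """Generation 2: the encrypted body changes with the key, so match the decryptor."""
    return STUB_SIG_A in image


def emulate(image: bytes, entry: int, max_steps: int = 10_000) -> bytes:
    """Generic decryption: run the image on the virtual computer. Only the private
    copy in `mem` is modified; pc and ptr are bounds-checked and the step budget
    stops runaway loops, so an unknown sample cannot escape the emulator."""
    mem = bytearray(image)
    pc, key, ptr, cnt = entry, 0, 0, 0
    for _ in range(max_steps):
        if not 0 <= pc <= len(mem) - 3:      # keep pc and its operands inside the image
            break
        op = mem[pc]
        if op == NOP:
            pc += 1
        elif op == LOADK:
            key = mem[pc + 1]
            pc += 2
        elif op == LOADP:
            ptr = int.from_bytes(mem[pc + 1:pc + 3], "little")
            pc += 3
        elif op == LOADN:
            cnt = int.from_bytes(mem[pc + 1:pc + 3], "little")
            pc += 3
        elif op in (XORMEM, SUBMEM):
            if not 0 <= ptr < len(mem):
                break
            mem[ptr] = mem[ptr] ^ key if op == XORMEM else (mem[ptr] - key) & 0xFF
            pc += 1
        elif op == INCP:
            ptr += 1
            pc += 1
        elif op == DJNZ:
            cnt -= 1
            pc = int.from_bytes(mem[pc + 1:pc + 3], "little") if cnt else pc + 3
        else:                                 # HALT, or a byte that is not an opcode
            break
    return bytes(mem)


def scan_generic(image: bytes, entry: int) -> bool:
    """Generation 3: emulate first, then scan the revealed memory for the body signature."""
    return BODY_SIG in emulate(image, entry)


if __name__ == "__main__":
    for name, img in [("simple", sample_simple()),
                      ("encrypted A", sample_encrypted_a(0x5A)),
                      ("encrypted B", sample_encrypted_b(0x21))]:
        print(f"{name:12} static={scan_static(img)} stub={scan_stub(img)} "
              f"generic={scan_generic(img, ENTRY)}")
```

Running the block prints one line per sample: the static signature only finds the simple sample, the stub signature finds variant A with any key but misses variant B, and the emulator-based scan finds all three because it matches what the code leaves in memory rather than what is on disk.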
Most common viruses seen on the CERN network
• Various Word macro viruses
• Happy99 worm
• Win95 CIH / Chernobyl
• Hacking tools - NetBus, BackOrifice, etc.

Corporate / Sitewide Solutions
• Integrated client-server model
• Permits central distribution of updated virus pattern files and new scan engines
• Possible to schedule nightly client and server scans
• Allows for sitewide virus “sweeps” from a centralized administrator console in case of emergency
Virus Protect Administrator console
Notification of a virus on a client
Virus Hoaxes
• Not dangerous - only serve to waste bandwidth and people’s time
• Typical hoax viruses:
  • California/Wobbler Trojan
  • Win A Holiday
• http://www.symantec.com/avcenter/venc contains a virus encyclopedia

Statistics
• 35-40 NT and Netware servers and 4000 clients running real-time and nightly scheduled scans
• Approximately 5 new clients infected per week

Still some problems
• Don’t have control over private servers installed by experiments (can only strongly RECOMMEND)
• Some users disable real-time scanning
• LANDesk doesn’t clean open files or trojans, which need DOS-level intervention
• Symantec/Norton bought Intel/LANDesk, so we need to upgrade or find a new product
Conclusions
• Viruses are getting more and more sophisticated and malicious
• Sites must have a good commercial product
• You’ll never be completely safe...