
The Battle Against Viruses on the CERN NICE Network
Tami Kramer, CERN

Viruses - the problem
• There are an estimated 45,000 viruses "in the wild" today
• Growing at a rate of 6 new viruses per month
• Viruses are also becoming more sophisticated and malicious
• No longer an issue of destroying data on one machine but several at once

Virus History and Evolution - Simple Viruses
• Easiest to detect
• User launches infected program, virus gains control of the PC and attaches itself to another program, then transfers control back to the host program, which functions normally
• Anti-virus software need only look for a "signature" (a fixed sequence of bytes) to detect it

Virus History and Evolution - Encrypted Viruses - Description
• Hides the fixed signature by scrambling the virus body, making it unrecognizable to the scan engine
• An encrypting virus always propagates using the same decryption routine; however, the key value changes from infection to infection
• Consequently the encrypted body of the virus also varies, depending on the key value

Virus History and Evolution - Encrypted Viruses - Detection
• Consists of a virus decryption routine and an encrypted virus body
• User launches infected program, the virus decryption routine gains control of the computer and decrypts the virus body, which infects new programs/files with a new key
• Anti-virus software must search for the signature of the decryption routine

Virus History and Evolution - Polymorphic Viruses - Description
• Includes a scrambled virus body and a decryption routine
• However, adds a mutation engine that generates randomized decryption routines
• The mutation engine and the virus body are both encrypted, and the new decrypting routine is passed along with them

Virus History and Evolution - Polymorphic Viruses - Detection
• User launches infected program; the decryption routine decrypts the virus body and mutation engine; the virus makes a copy of both itself and the mutation engine in RAM; the virus invokes the mutation engine, which generates a new decryption routine; the virus encrypts itself with the new decryption routine and infects a new file
• Virus authors distribute mutation engines for use by others

Virus History and Evolution - Generic Decryption
• Anti-virus vendors developed generic decryption techniques that "trick" polymorphic viruses into revealing themselves by running them on a virtual computer
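To make the three detection stages above concrete, here is an added illustration (not from the talk or from any product) of the scanner's side only: a fixed-signature scan, a scan for the decryptor routine, and a toy "virtual computer" that emulates the decryptor and then scans the revealed body. The sample body, the two-byte stub forms, the key byte and the signatures are all constructed for this example; the "body" is an arbitrary byte pattern, not code.

```python
# Constructed stand-in for a simple virus body: arbitrary bytes, nothing executable.
PLAIN_BODY = bytes.fromhex("deadbeef0102030405060708cafebabe")
BODY_SIGNATURE = bytes.fromhex("0405060708cafe")   # fixed bytes inside the body

# Toy decryptor "routine": a constant 2-byte stub followed by the per-infection key.
# Two equivalent stub forms stand in for what a mutation engine could emit; the
# vendor's extracted decryptor signature (below) only knows the first form.
STUB_FORMS = (b"\x90\xd3", b"\xd3\x90")
DECRYPTOR_SIGNATURE = STUB_FORMS[0]


def encrypt_sample(body: bytes, key: int, form: int = 0) -> bytes:
    """Build a sample in the layout the scanner expects: stub + key + XORed body.

    form=0 models the fixed decryptor of an encrypted virus; form=1 models the
    same decryptor after the mutation engine has rewritten it (polymorphic).
    """
    return STUB_FORMS[form] + bytes([key]) + bytes(b ^ key for b in body)


def scan_signature(sample: bytes, signature: bytes) -> bool:
    """Classic scanner: does a fixed byte sequence occur anywhere in the file?"""
    return signature in sample


def generic_decrypt(sample: bytes) -> bytes:
    """Toy 'virtual computer': recognise either stub form, emulate its XOR loop
    and return the revealed body so the ordinary body signature can be applied."""
    for stub in STUB_FORMS:
        if sample.startswith(stub):
            key = sample[len(stub)]
            return bytes(b ^ key for b in sample[len(stub) + 1:])
    return sample          # no decryptor present: scan the file as it is


def detect(sample: bytes) -> dict:
    """Run all three techniques on one file and report which of them fire."""
    return {
        "body_signature": scan_signature(sample, BODY_SIGNATURE),
        "decryptor_signature": scan_signature(sample, DECRYPTOR_SIGNATURE),
        "generic_decryption": scan_signature(generic_decrypt(sample), BODY_SIGNATURE),
    }


if __name__ == "__main__":
    print("simple      ", detect(PLAIN_BODY))
    for key in (0x5A, 0xA7):                       # same decryptor, different keys
        print(f"encrypted {key:02x}", detect(encrypt_sample(PLAIN_BODY, key)))
    print("polymorphic ", detect(encrypt_sample(PLAIN_BODY, 0x5A, form=1)))
```

The simple sample is caught by the body signature alone; the two encrypted samples defeat it but share the decryptor signature; the polymorphic sample defeats both and is caught only after emulation.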

Most common viruses seen on the CERN network
• Various Word macro viruses
• Happy99 worm
• Win95 CIH / Chernobyl
• Hacking tools - NetBus, BackOrifice, etc.

Corporate / Sitewide Solutions
• Integrated client-server model
• Permits central distribution of updated virus pattern files and new scan engines
• Possible to schedule nightly client and server scans
• Allows for sitewide virus "sweeps" from a centralized administrator console in case of emergency

Virus Protect Administrator console

Notification of a virus on a client

Virus Hoaxes
• Not dangerous - only serve to waste bandwidth and people's time
• Typical hoax viruses
  • California/Wobbler Trojan
  • Win A Holiday
• http://www.symantec.com/avcenter/venc contains a virus encyclopedia

Statistics
• 35-40 NT and NetWare servers and 4000 clients running real-time and nightly scheduled scans
• Approximately 5 new clients infected per week

Still some problems
• Don't have control over private servers installed by experiments (can only strongly RECOMMEND)
• Some users disable real-time scanning
• LANDesk doesn't clean open files or trojans, which need DOS-level intervention
• Symantec/Norton bought Intel/LANDesk, so need to upgrade or find a new product

Conclusions
• Viruses are getting more and more sophisticated and malicious
• Sites must have a good commercial product
• You'll never be completely safe...