From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 29 Nov 2001 16:41:32 -0800 (PST)
Subject: [iwar] [fc:Malware:.A.virus.and.worm.forecast.for.early.2002.]

Malware: A virus and worm forecast for early 2002.
By Roger Thompson, Information Security, 11/29/2001
http://www.infosecuritymag.com/articles/november01/technology_malware.shtml

Does anyone know the worst part of Nimda? It's not how the worm infected HTML pages, or how it wormed across local shares, or the way it beat unmercifully on port 80. It wasn't even the way it infected programs and attached itself to e-mail messages, although all these were pretty bad. The worst part of Nimda was that it forced me to rewrite this article.

When thinking about malware predictions for the coming year, my chief concern was the emergence of something that combined viral and worm properties, burrowed through published security vulnerabilities and appeared before I could publish a warning. Fortunately, the rest of my predictions have yet to come to fruition. But it's only a matter of time before we see new and more dangerous malware outbreaks. With that in mind, my malware version of the "Old Farmer's Almanac" includes everything from the mundane to the sensational.

More macro and script viruses.
We will continue to see these emerge at the rate of 500 to 600 a month, although none of them will have any measurable impact. The major antivirus programs are more than able to detect most of these heuristically, and this, combined with the fact that most corporations wisely filter potentially harmful attachments at the gateway, means that this class of malware poses few problems. The true impact will be borne by the antivirus community. Forced to examine, name and catalog these annoying viruses and worms, AV researchers will be distracted from their truly useful work of heading off more serious outbreaks.

More Remote Access Trojans (RATs) or backdoors.
A segment of the hacking community treats the "owning" of as many boxes as possible like an indoor sport. In increasing numbers, malware writers continue to disguise RATs and backdoor scripts as "adult" movies and then post them to pornography newsgroups. However, these activities should pose no serious problems to anyone but naive and unsophisticated home users and the occasional, hapless, large software company (and I'm not naming names, but you know who they are).

More mass-mailing Win32 viruses.
Viruses such as Magistr, SirCam and Hybris will continue to cause problems for some corporations that still don't filter out executable attachments at the e-mail gateway, relying instead on their AV solutions. Antivirus heuristics simply don't work on Win32 programs as well as they do on macros and scripts. The only way conventional AV scanners can catch Win32 viruses is by recognizing them, which means their signatures must be up to date. You quickly see the flaw in this strategy when you consider that e-mail worms can spread faster than antivirus updates.

A new Code Red.
Emerging in August, Code Red was easily the most interesting and elegant piece of malware seen in 2001. Although there were four versions of this worm, there were actually two separate code bases. In other words, CodeRed.B, the variant, was a simple modification that fixed a couple of CodeRed.A's bugs. The worm formerly known as Code Red II, subsequently renamed CodeRed.C, was actually a completely different program. The worm was conceptually so similar to the original Code Reds that it was given the name CodeRed.C to reduce confusion. CodeRed.D was a modification of CodeRed.C that removed some of its self-limiting features, allowing it to spread further and faster. These were limited to Win2000 and IIS 5. It's almost certain that the authors of these worms are closely examining NT 4.0 and IIS 4.0 to see if a similar exploit can be found for these platforms. Certainly, we'll see another worm in this category within the next six months.

W32/Nimda v1.0.
The biggest, most likely malware threat to emerge in the next six months is a variant of Nimda. Compared to Code Red, Nimda was boring, commonplace code, and could even be described as pedestrian. However, its author showed a fine understanding of the weakness of conventional AV defenses and the psychology of corporate security. While the worm targeted old and well-known vulnerabilities, for which patches had been available, the Nimda author correctly guessed that the majority of networks either hadn't installed all the patches or hadn't configured their PCs for security. If Nimda didn't get you with one trick, it would (and did) get you with another. Given that Nimda was internally listed as v0.5, and given that the original worm didn't exploit all the known vulnerabilities, it's more than reasonable to expect a v1.0, or higher, seeded on some of the leftover Code Red-compromised PCs still out there, and all set to launch within minutes of each other.

Even if none of these predictions comes to fruition, the bottom line of malware prevention remains the same: patch early, patch often, filter and update signatures. In other words, exercise common sense.

ROGER THOMPSON (rthompson@trusecure.com) is director of malicious code research for TruSecure Corp. He speaks at security conferences and is on the editorial board of Virus Bulletin and the advisory board of the Wild List Organization.

------------------
http://all.net/
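The article's recurring defensive point is that filtering executable attachments at the e-mail gateway catches mass-mailers and disguised RATs without waiting for a signature update. The following is an added illustration of such a gateway check, written for this page and not part of the original article or of any product it mentions. It parses a constructed sample message with Python's standard `email` library and quarantines a part either because its final extension is executable (a double extension such as `clip.mpg.exe`, the "movie" trick the article describes) or because the bytes carry a Win32 PE header regardless of the filename. The extension list is an assumed policy choice, and all addresses and attachment contents are constructed samples.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed gateway policy: final extensions that are quarantined outright.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "wsf", "hta"}


def is_executable_name(filename):
    """Flag a filename whose last extension is executable, e.g. 'clip.mpg.exe'."""
    if not filename:
        return False
    parts = filename.lower().rsplit(".", 1)
    return len(parts) == 2 and parts[1] in EXECUTABLE_EXTENSIONS


def is_pe_payload(data):
    """A Win32 PE image starts with the DOS stub signature 'MZ', whatever the name says."""
    return data[:2] == b"MZ"


def scan_message(raw_bytes):
    """Return (filename, reason) for every attachment the gateway should quarantine."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not content
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(filename):
            findings.append((filename, "executable extension"))
        elif is_pe_payload(payload):
            # Content check catches a PE renamed to look like media.
            findings.append((filename, "PE header in payload"))
    return findings


def build_sample_message():
    """Constructed sample: text body, an EXE with a double extension, a PE renamed .mpg, a text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "new clip"
    msg.set_content("check this out")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed PE-looking bytes, not a real program
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="clip.mpg.exe")
    msg.add_attachment(fake_pe, maintype="video", subtype="mpeg", filename="clip.mpg")
    msg.add_attachment("just notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"quarantine {name}: {reason}")
```

Checking the first bytes as well as the name matters because, as the article notes, a renamed executable posted as a "movie" sails through an extension-only filter; a real gateway would also unpack archives and apply the same two checks inside them.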
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST