The Computer Virus–no Cures to be Found
Eugenia Loli, 2003-11-25, Bugs & Viruses, 37 comments

Two decades and counting, the technology industry has yet to find a blanket solution to the ever-growing list of viruses and worms that constitute the greatest risk to computers on the Internet.

About the author: Eugenia Loli, ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.

Comments

2003-11-25 8:35 pm
Check out Cisco’s recently acquired product VMS with CSA. Instead of using thumbprints of viruses and other nasties it just does system checks to find out what should be running and what shouldn’t. Although it still is a little expensive.

2003-11-25 8:37 pm
Do not share floppies, flash media, access the internet or other networked systems. If you keep a vapor barrier between you and the external world, I think it will cut down on the MOLD problems too… 🙂 I know it sounds really stupid… but there is really no alternative… yet…

2003-11-25 8:54 pm
Please correct me if I am wrong, but as far as I know the majority of the viruses in the wild are not computer viruses, but are actually Microsoft viruses, with most of those being Outlook variants. So I still have no idea why the media refers to them as “computer” viruses. This is not what they are. I do remember around three or four years ago, there were two out for Linux. One was Ramen and one was Lion, I think. Were they even viruses or worms? One of them infected port 10005, was it? Anyway it was very easy to prevent infection. But the last study I read, and no I do not have a reference, stated that those on Mac platforms had the absolute lowest rate of virus infections, and the risk was lower than even for Linux.

2003-11-25 9:03 pm
Well that was kind of my question too. We keep hearing how OS X is damn near impervious to worms and virii by design. If that’s the case, why can’t Windows be equally as secure?
What does Apple know that Microsoft doesn’t? And here’s a couple of Linux worms, “Bliss” and “Staog”, pathetic excuses for worms that they were: http://librenix.com/?inode=21

2003-11-25 9:09 pm
OK, there are no solutions for viruses (there never will be) but there are for protecting systems. For instance, on Unix a virus could wipe out just a user account, that’s it. The system would be untouched. Now, if there was a tool that automatically stores the user account before a particular crash or wipe out and then recovers it, then it’s possible; there probably is already a tool. Btw, if there is not such a thing then please create it and pay me monies. Viruses would be pretty pointless now… but trojans! That’s something you can’t stop!

2003-11-25 9:10 pm
That’s like saying we haven’t found a way to stop the sun from rising.

2003-11-25 9:30 pm
HAHA! That is so funny. So now we have a total of 4 worms/viruses for Linux:
Ramen
Lion
Bliss
Staog
Gee, I feel so exposed and vulnerable on the net. Are there any more, or is that it?

2003-11-25 9:51 pm
This just in: Two centuries and counting, the medical establishment has yet to find a blanket solution to the ever-growing list of viruses and bacterial illnesses that constitute the greatest risk to humans on the planet.

2003-11-25 9:55 pm
This computer ‘industry’ produces these viruses. At least, it does so for the most vicious, most complicated and those that do the most damage. Antivirus makers write viruses to promote their antivirus software. That is not to say that nobody else does that, but it’s a proven fact. Kaspersky Lab has been notorious for that for a long time. I was in fact familiar with different people whose previous job was @ Kaspersky Labs and they all confirm it… So of course this ‘industry’ will NEVER find a cure for viruses – viruses bring them money this way or another.
Plus, it’s not TOO hard to be protected from viruses in a corporate environment, given that most of them now use the internet to spawn, not floppies or anything of that sort. So a good firewall is what we can have for protection. Unlike home users, who are usually at a loss and not sure how to protect themselves, and that’s the target market for much of the antivirus software… Ah, *sigh*.

2003-11-25 9:57 pm
> Ramen
Uses some exploits available in RHL 6.0 and 7.0; could be easily fixed via security updates.
> Lion
Again an exploit, this time in bind.
> Bliss
You need to execute it in order to be infected.
> Staog
Also needs to be executed.
Of course, new exploits are discovered relatively frequently in the userland. But why should you feel insecure? After all, why are we constantly installing security patches?

2003-11-25 9:59 pm
> the technology industry has yet to find a blanket solution to the ever-growing list of viruses and worms that constitute the greatest risk to computers on the Internet.
They’re correct on a blanket solution, but there are many steps you can take to make it very difficult for these things to infect your network. For instance the linux 2.6 kernel has exec-shield built in, which provides protection against stack, buffer, or function pointer overflows. By denying them access to executable memory it makes it very difficult to write shellcode. Fedora and RHES already ship with this by default; I’m not sure about other distros except trusted-debian, which uses RSBAC, and other ‘security’ minded distros. It’s great news we’re getting them on the plain old workstations. You can also block data in the payload of packets with your favorite IPF or IPT firewall using string matching. It takes a big performance hit to inspect every packet so thoroughly though, which is why it is not commonly used.
Point is there are things we can do, I just think a lot of idiots think just because linux doesn’t have worms there isn’t a big enough reason to take away speed or functionality in place of good security practice.

2003-11-25 10:02 pm
BTW, imagine how much malicious code is written to compromise using known security exploits. I suspect it has only been attempted 4 times to write malicious code for the Linux userland.

2003-11-25 10:06 pm
There are hardly any viruses now. They’re almost all worms which exploit a vulnerability in a particular piece of software, or exploit user stupidity. And there is a blanket solution; it’s called TCPA.

2003-11-25 10:18 pm
Most everything we hear about in day to day “virus” activity is malicious scripting, accomplished due to bad design in scripting of MS products. Yes there are vulnerabilities in all OSes for one thing or another, but the “pop culture virus” is a malicious script intended to attack and propagate via MS scripting in Outlook, Word, etc. I remember back when real viruses were things that infected the MBR and would hide in memory, attaching themselves to the disk even at the time of first disk access. Those were the real ones. Corrupted data, interfered with general functions, etc. I don’t even think modern anti-virus software looks for this stuff any more. A couple of months ago, someone posted a response to a news item mentioning that he tested this and found that modern software will not detect the real viruses of the DOS days, which can still be destructive if you’re using FAT on your disks. It’s okay to call today’s malicious scripts “viruses” since they do behave similarly on the surface (self-propagating). My point is that without bad OS and software design, there’d be a whole lot less to exploit and abuse. I loved that comment up above by Ben. Loved it :-))

2003-11-25 10:24 pm
A virus, worm, trojan, whatever-you-want-to-call-it is a program. By definition, computers run programs.
So if you want to stop computer viruses, worms and trojans from running, then you have to stop programs from running. Oh, you want your computer to keep running programs? Hmmm… Well, maybe we need to control how programs run and what they can or can’t do.

2003-11-25 10:55 pm
Given the global interconnectivity, a viral, so to speak, spread of knowledge is inevitable. However, program viruses can be mostly neutralized if the operating system puts the user in control. A major step in that direction is the integration of mandatory access controls as the Linux security module SELinux, which works with kernel 2.6. Under proper access controls, a game infected with a virus will be playable but will not be allowed to interfere with system settings, damage your valuable documents, or compromise your privacy. Also, by using digital signatures most unauthorized insertions of viruses can be detected. Unfortunately, most people are ignorant about security, and I am not aware of any plans to release a desktop operating system with mandatory access controls. To be effective for ordinary users, setting of access controls must be seamlessly integrated into the graphical user interface, for otherwise the users would disable the controls. It is mathematically impossible for an antivirus program to determine for each program whether it is a virus or not, so if one simply relies on antivirus programs, the struggle with viruses will be endless and possibly losing. Also, while automatic updating improves the detection of viruses, a malicious compromise of the update server could be catastrophic. What is mathematically possible–and I believe feasible–is to require that a program or macro will be able to do only what it is authorized by the user to do. A secure operating system architecture is described at http://web.mit.edu/dmytro/www/OS_Architecture.htm Unfortunately, fully neutralizing macro viruses would require modification of the corresponding programs.
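The comment above asserts that no antivirus program can decide, for every program, whether it is a virus, and a later comment in this thread asks whether that is equivalent to the Turing halting problem. The sketch below is an editor's addition, not part of any comment on the page. It follows Fred Cohen's 1987 argument; the symbols $D$, $V$, $M$, $x$ and $P_{M,x}$ are introduced here and do not come from the page, and "virus" is taken in the informal sense the thread uses, a program that, when run, copies itself into some other program.

Suppose there were a total decision procedure $D$ (an antivirus oracle) with
$$D(P) = \begin{cases} 1 & \text{if running } P \text{ infects another program, i.e. } P \text{ is a virus,} \\ 0 & \text{otherwise.} \end{cases}$$
Construct a program $V$ that refers to its own code (Kleene's recursion theorem guarantees such a $V$ exists for any computable $D$):
$$V:\quad \text{if } D(V) = 1 \text{ then halt without doing anything, else copy } V \text{ into another program.}$$
Case analysis on what $D$ answers about $V$:
$$D(V) = 1 \;\Rightarrow\; V \text{ does nothing} \;\Rightarrow\; V \text{ is not a virus} \;\Rightarrow\; D(V) = 0,$$
$$D(V) = 0 \;\Rightarrow\; V \text{ infects} \;\Rightarrow\; V \text{ is a virus} \;\Rightarrow\; D(V) = 1.$$
Either answer contradicts the definition of $D$, so no such total procedure exists.

The halting-problem connection is a direct reduction. For any Turing machine $M$ and input $x$, build
$$P_{M,x}:\quad \text{simulate } M \text{ on } x;\ \text{if the simulation halts, copy } P_{M,x} \text{ into another program.}$$
Then $P_{M,x}$ is a virus exactly when $M$ halts on $x$, that is $D(P_{M,x}) = \mathrm{HALT}(M, x)$, so an exact virus detector would decide the halting problem, which Turing proved undecidable.

What this rules out is a detector that is exact on all programs, present and future. It does not rule out recognising specific known families (signatures), nor a sound-but-incomplete detector that flags every program it cannot prove harmless and accepts some false positives; the second shape is what the allow-list, integrity-check and mandatory-access-control approaches discussed in this thread amount to.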
2003-11-25 11:17 pm
There will be no 100% cure. But computing platforms can make it harder on the virus writers. I find it amusing that Linux/BSDs are considered for hobbyists and geeks but Microsoft OSes, which are made for the masses, tend to get nailed by viruses/worms the most. A skilled programmer should be able to write a virus for Linux/BSDs just as easily as writing one for Microsoft Windows. The programmer would have to be knowledgeable of both platforms. So why don’t Linux/BSDs have more viruses/worms? You would think the platform with the most technically knowledgeable users would have a whole slew of viruses/worms. If Linux/BSDs dominated the market, would that increase the chances of having a knowledgeable person writing a virus/worm? How much more effort and skill does it take to write viruses/worms for Linux/BSDs compared to the Windows platform? Maybe a way to cut down the number of viruses/worms is to increase the knowledge and skill level of the programmer to create such things. Make it harder to create ready-to-run scripts so script kiddies would actually have to make an effort. Basically increasing the immune system of the platform.

2003-11-26 1:26 am
I have had no viruses for 6 years. My solution: I’m using a real Amiga. (Yes, it is a computer, connected to the internet, used to send/receive emails, browse webpages, etc.)

2003-11-26 2:24 am
What about a capability system? Wouldn’t that stop any virus?

2003-11-26 3:31 am
>> And there is a blanket solution; it’s called TCPA.
Trusted Computing is about DRM and copyright enforcement, it has nothing to do with security or viruses.

2003-11-26 4:20 am
> “This computer ‘industry’ produces these viruses. At least, it does so for the most vicious, most complicated and those that do the most damage. Antivirus makers write viruses to promote their antivirus software.”
LOL!!! Yeah, and it was the aliens from the Roswell crash that shot Kennedy, right?
*snicker*

2003-11-26 5:38 am
> Trusted Computing is about DRM and copyright enforcement, it has nothing to do with security or viruses.
Is this supposed to be a statement of fact, or just an ad hominem argument? Most people who understand security recognised early on that TCP was always meant to be a security framework, and that DRM was tacked on as a “benefit” as an appeal to rights holders to support it.

2003-11-26 6:02 am
It’s pretty obvious that the cure to getting rid of viruses is to simply ban Microsoft Windows.

2003-11-26 6:03 am
IMHO, I would think the reason for there being virus writers on MS stuff and not on linux etc. would be that there are quite a few virus writers using linux and somehow want to promote it by writing viruses for “other” OSes. That’s not to say that there aren’t script kiddies on windows, but they wouldn’t know how to use linux or any other OS anyway, let alone program for it or exploit holes in it.

2003-11-26 7:53 am
I’m no mathematician, but I recall it being proven that malware can always be one step ahead of antivirus. No matter how good the heuristics are, there are always ways to circumvent it. Now there may be ways to make it exceedingly difficult for any human to code such a virus with the right AV, I don’t really know. One part of the problem is that a true multipurpose AV doesn’t really exist, at least in the consumer market. A lot of stuff sails past NAV, particularly modern trojans. You really need better software like Trojan Defense Suite, or even Tauscan or TrojanHunter. The crux of the problem is that the heuristics just aren’t good enough. In the case of Trojan Defense Suite 3, it’s very powerful, BUT needs a human to interpret the results. The average Joe buying a computer will not be able to utilize many features in TDS 3. Take any off-the-shelf trojan and it can be made undetectable. Simply patch, hex, and pack it and you’re done. Test it against AV packages, then it’s ready for release.
The good part is, when someone spends a good bit of time on an exploit worm/autorooter, or a custom trojan, I suspect they use it very sparingly, thus there are comparatively few victims. Based on my reading on AV, it seems Kaspersky + TDS3 + Ad-aware + Spybot + some sort of commercial spyware detector (SpyCop??) would be a nice setup. There are also some md5sum type programs available that are sort of a cheap, easy to use tripwire. If you check your system binaries, and a couple of test files, you’ll be alerted to any new virii.

2003-11-26 8:02 am
@ DV2
You run as non-root most of the time on BSD and Linux. I think this is one reason viruses are fewer. Worms, rootkits, and trojans though are a lot more prevalent. Tripwire is free for Linux, so you could know quickly when a virus was modifying system binaries. VBS Outlook viruses and IE6 exploits are obviously non-existent. I suppose you could target Mozilla, KMail, etc., but *nix security settings are a lot tighter in regards to scripting capabilities. There is also some theoretical reason *nix cannot be attacked as easily with viruses, related to the filesystem or something.

2003-11-26 8:30 am
Isn’t it mathematically proven that it’s impossible to find a way to detect all present and future viruses, because it’s equivalent to the Turing halting problem?

2003-11-26 11:04 am
I’ve been telling this for years… Just like Nature fights virii through biodiversity, the best way here is technodiversity (I didn’t say file format hell, that’s not the same). It’s much more difficult to infect 10 different architectures than 10 times the same. Just like when you use GMO in a whole country you are facing a disaster, using only one platform is totally doomed. Just like biodiversity, this has the advantages of having the platform (=crop) more suited to the environment, and causing fewer losses in case of a virus.

2003-11-26 11:10 am
Lack of effective vectors is the reason there are hardly any Linux/Mac viruses.
Microsoft has had quite a few vectors, especially Outlook. If all Microsoft systems were patched to eliminate the current known vectors, 90% of the viruses would disappear overnight. We should always concentrate on the vectors for computer viruses. And no, TCPA will not stop malware.

2003-11-26 11:49 am
I read somewhere that there are only 40 [+-3] viruses for all kinds of Linux/BSD; most of them are specific-distro-only viruses, there are some that use exploits… but they infect only the user’s dir… Are/were there any viruses that gained root and infected all of the system???

2003-11-26 2:18 pm
From: Gab O Mey @ 2003-11-25 21:03:04
> We keep hearing how OS X is damn near impervious to worms and virii by design. If that’s the case, why can’t Windows be equally as secure? What does Apple know that Microsoft doesn’t?
Nothing at all.
1. Mac OS X has very few network services enabled by default (such as Rendezvous).
2. The root account is not enabled by default and is never enabled unless the user enables it.
3. /System never needs to be touched except to install drivers and system updates, and the user must enter their password to allow anything to touch it, each time (as it has very restrictive permissions).
4. /Library/StartupItems (which launch on system startup) is also in the same boat with restrictive permissions.
5. Users are, of course, not able to access the home directories of other users, again because of permissions.
There is more, but those are the essentials. I can think of a number of ways that a virus could work on Mac OS X, but in its default configuration most of them couldn’t work without the user knowing something about it and assenting to it. We then get into the game of conning a user into doing so, which makes tracing of the virus to its source all the more easy.

2003-11-26 3:41 pm
Could a system be designed that is *theoretically* invulnerable to virus attacks?
Using code signing and an OS that enforces strict policies re: whose code can run with what privileges, I believe that this could be done. Kram II.

2003-11-26 5:03 pm
> “Yeah, and it was the aliens from the Roswell crash that shot Kennedy, right?”
I once read a story about a malicious hacker and virus writer who was hired by McAfee, and then subsequently fired… …not because he was still in close contact with his old friends, and discussing ways to write viruses… …but because someone outside McAfee found out about it. If you have any doubt that there is collusion in the virus-writing industry, consider this: The Food and Drug Administration is going to get MORE MONEY FROM THE DRUG INDUSTRY to run the department WHICH DECIDES WHETHER TO APPROVE PRESCRIPTION DRUGS OR NOT. This money is going to be sent specifically to the group that OVERSEES THE APPROVAL PROCESS. I have no direct proof that there is a clear relationship between virus-control companies and the virus-writing community, but why should I believe there is none? Actually, I hope there is none, but I would not be surprised if there is some.

2003-11-26 5:09 pm
> “IMHO, I would think the reason for there being virus writers on MS stuff and not on linux etc. would be that there are quite a few virus writers using linux and somehow want to promote it by writing viruses for ‘other’ OSes.”
Didn’t Bill Gates once say that Linux users were the ones who were writing hacks against NT? You never heard of a “virus construction kit”? They’re out there, and mostly for Windows, by Windows developers who got a bug up their butt for some reason. If you came into this world tomorrow, and got exposed to computers, which OS do you think it would be more likely you’d run into… Linux or Windows? Which OS has the overwhelmingly largest number of current applications, and which one has the most developers, corporate or otherwise? And which one has the most insecure (historically) e-mail client?
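Two comments earlier in the thread recommend an md5sum-style check of system binaries as a cheap Tripwire, and note that Tripwire itself is free for Linux. The script below is an added example of that baseline-and-compare technique; it is not code from the page, from Tripwire, or from any commenter. Its assumptions: SHA-256 in place of MD5 (MD5 collisions are practical today, so an attacker could craft a trojaned binary with the same MD5), a JSON baseline that in real use is kept on read-only media, and a constructed directory of fake "binaries" built inline so the example runs offline.

```python
"""Baseline-and-compare file integrity check, a minimal Tripwire / md5sum -c.

Added example, not code from the page or from Tripwire. Assumptions: SHA-256
instead of MD5, and a baseline kept as JSON that in real use lives on
read-only media the running system cannot write to.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file's contents, streamed so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits of every regular file under root.

    Symlinks are skipped rather than followed: hashing a link's target would
    let an attacker point a new link at an untouched file to hide a swap.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as modified (hash, size or mode differs), added or removed."""
    old, new = set(baseline), set(current)
    return {
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a rootkit's edits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho real ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho real ps\n")
        (root / "bin" / "ps").chmod(0o755)
        saved = json.dumps(build_baseline(root), sort_keys=True)  # goes to read-only media

        # Trojaned ps with identical size and mode: only the hash catches this,
        # which is why size/mtime-only checks are not enough.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho fake ps\n")
        # A dropped backdoor and a deleted system binary.
        (root / "bin" / "netstat").write_bytes(b"#!/bin/sh\necho hidden\n")
        (root / "bin" / "ls").unlink()
        # Symlinks are skipped entirely, so this one is not reported as added.
        (root / "bin" / "dir").symlink_to(root / "bin" / "ps")

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints a report naming bin/ps as modified, bin/netstat as added and bin/ls as removed. The check is only as trustworthy as the environment it runs in: a kernel-level rootkit can lie to the hashing process about file contents, so the baseline and the checker belong on read-only media and the comparison is best run from known-clean boot media, not from the possibly compromised system itself.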
2003-11-26 6:43 pm
> “Could a system be designed that is *theoretically* invulnerable to virus attacks? Using code signing and an OS that enforces strict policies re: whose code can run with what privileges, I believe that this could be done.”
I think a capability system (ex. EROS, Argus PitBull?) is theoretically invulnerable because a virus would never have the rights it needs to replicate or cause damage (or perhaps, even execute). I barely understand how they work, so I asked earlier in this thread if they’d do any real good. No response. I think it goes like this: your e-mail client (for example) can’t even see anything but itself and e-mail, and it doesn’t have authority to write onto itself. I think this is possible because every process or program has a set of “keys” that grant it rights to see/read/write/modify/execute something else somewhat specific; in comparison to giving universal rights to users which apply equally to every process and program they run. (But my understanding is very weak.) I kind of remember capability systems being mathematically proven secure. I don’t know if this use of “secure” applies to virii. Help? Anyone?

2003-11-27 1:20 am
> Well that was kind of my question too. We keep hearing how OS X is damn near impervious to worms and virii by design. If that’s the case, why can’t Windows be equally as secure? What does Apple know that Microsoft doesn’t?
Nothing. They just have fewer restrictions to work under and thus can get the better product to market more quickly. Firstly, OS X’s (and Linux’s, for that matter) *design* is no better than XP’s from a security perspective. The problem lies primarily in a) default setup and b) platform popularity. The default setup in XP is hamstrung by the need to maximise the backwards compatibility and legacy support Microsoft cherish over just about everything else.
Thus, the default user has significant privileges so they can install and run dodgy software that doesn’t even understand what different users are. There’s no technical reason XP’s default setup couldn’t have a restricted user account for regular usage which could have its privileges elevated when necessary for things like software installation – indeed, technically XP is better suited to this scenario than OS X or Linux. However, there are millions of *practical* reasons – namely all the pieces of software that can’t handle being run in a multiuser environment with fewer access privileges. Of course, even if this were true most worms would simply modify themselves to say “You must authorise yourself to view naked pictures of Anna Kournikova. Please enter your password below.” before wreaking their havoc, and today’s situation would not be significantly changed. Apple are much better off with regards to their default setup because a) they expend less effort towards backwards compatibility and b) they have the luxury of having most of their software legacy support provided via a near-fully blown virtual machine rather than API thunking. (Actually, IIRC the Classic environment runs SUID root, so applications running within it might be able to do quite a bit of damage to otherwise protected files – anyone got a Mac handy they can check this on?) Thus, it’s a lot easier for Apple to implement decent defaults than it is for Microsoft. Secondly, Windows is a lot more common than both OS X and Linux. It’s always going to have more security problems found, more viruses and a greater impact from each event, just by virtue of basic statistics. And that’s ignoring less tangible and measurable aspects like why virus writers might target some platforms over others, the environments certain platforms are more likely to be in and how much more vulnerable the user demographic of certain platforms makes them. Basically, security problems occur because one of two things happens.
Either an end user does something to facilitate it (eg: executes a malicious attachment – with or without knowledge of the consequences) or a software coding bug is found and exploited (eg: buffer overflow, recent RPC issues). Ever-improving software development tools and processes should make the second type fairly rare in the not too distant future, but nothing is ever going to eliminate the first.

2003-11-27 1:37 am
> For instance, on Unix a virus could wipe out just a user account, that’s it. The system would be untouched.
This is a (common) specious argument. Firstly, many viruses propagate via activities the user can already do – like read their address book, send mail or have programs start at boot/login. In these cases a restricted-privileges user is not a protection. Secondly, privilege-elevating vulnerabilities are not uncommon and on many systems go unfixed, even when patches exist. So, again, a restricted-privileges user is not a defence in this scenario. Thirdly, most systems out there that get hit by viruses these days are single user desktops. Most of these users care a hell of a lot more about the mp3s/pr0n/assignments/love letters they have in their home directories (or other places) than they do about some random system files that can be reinstalled in an hour.
> Now, if there was a tool that automatically stores the user account before a particular crash or wipe out and then recovers it, then it’s possible; there probably is already a tool. Btw, if there is not such a thing then please create it and pay me monies. Viruses would be pretty pointless now… but trojans! That’s something you can’t stop!
These are commonly referred to as “backups” – there is significant prior art.