virus

Do we really need AV? Of course we do!

Following my question to readers around the globe (Do we really need antivirus solutions in 2008?), the answer is an unsurprising YES, we do!

As Alan over at Stillsecure puts it:

"It is like the measles"

Alan goes straight to my point: we do not need the AV of 2001, we need the AV of 2008. Today's solutions are combined tools that offer virus cleaning/stripping, spam handling, malware control, IDP/IPS and so on. And these tools will continue to develop as the threats change and evolve.

Kurt Wismer put it this way in comments, and on his blog:

"viruses are malware... non-viral malware, however, seems to be what the cyber-crooks prefer these days... self-replication has a way of getting out of hand and calling attention to the malware..."

Self-replication has a way of ... attracting attention - exactly! So what we see today is that many malware authors try to avoid detection, and keep more control over the process of inflicting damage. And since such malware is not detected by normal signature-based AV tools, we need tools that are able to detect threats that try to fly below the radar. Which brings us back to Alan and the 2008 AV tools.

Andy is as usual spot on with his comment:

"I'm afraid that w/o it we would be in much worse shape overall than we currently are."

Yes, we would be much worse off. It would be only a matter of time before the old jungle of viruses and worms would flood the net again. It is Alan's measles all over again.

To summarize my take on AV anno 2008 - we still need it. We need it more than before. We need it as one of many building blocks to take care of security.

As Larko puts it:

"Would you have sex with a stranger without a condom if the media reported that you are less likely to catch AIDS than you used to?"

I guess that some would, but that does not mean the rest of us should!

Do we really need AntiVirus solutions in 2008?

I pose this question to you - my readers. In 2008, do we really need antivirus tools anymore?

Mass-distributed viruses, as we saw them back in the days of Blaster and similar viruses, seem to be all off the screen today. Have the virus authors started to write smaller viruses that stay below the radar, and thus are not detected by the AV products? Are they now only going after specific targets, like particular banks, SCADA systems or singled-out corporations? Or countries and causes? Or are they too busy writing malware to care about viruses?

Do we really need to pay out on gateway and client AV solutions if there are no viruses knocking on the door?

Do you believe that there are no more viruses out there? That other threats are taking over and rendering AV solutions useless?

Is this the whole truth? Or have the AV solutions become so good that they catch everything, even without us noticing? That they are an absolutely critical part of the solution for any entity connected to the net?

I would love your opinion! Please share your thoughts, and I will contribute mine as well ;)


Edit: Followup post: http://www.roer.com/node/417

Maxtor hard disks come with a virus preinstalled

The time has come to suspect any new hard disk you buy and install in your systems. According to this article, 1800 Maxtor disks of 500 GB come with a bonus straight off the shelf.

If you install the disks, you get a virus too.  Actually, as soon as you pick it up in the store, you get the virus. It is already installed on the device.

According to the article, the virus will upload any and all data on the device to two online databases. Also according to the article, most disks of this size are bought by governmental agencies. And thus, the Chinese must have installed the virus. (The newspaper is in Taipei.)

Obviously this kind of automatic backup solution is not in the best interest of its customers, so Seagate-Maxtor has pulled the disks from the market.

The interesting part in my opinion is that this kind of virus is not getting caught by AV scanners. One reason is the low volume (number of infected devices). Another reason is that the device is likely to be installed, presumed clean, and just kicked into action. Not until the server-installed AV client starts its weekly scan will the virus be detected - IF and only IF the signature of the virus is in the AV client.

What can you learn from this?

  • Never trust ANY hardware you bring into your perimeter.
  • ALWAYS check EVERYTHING you install in your systems and network - in a safe environment. For hard drives, that means testing, low-level formatting and signing them off in a secure, non-connected environment. You do have that, right?
  • As security gets tighter, threats evolve and find other ways to get to you. It is a long time since boot-sector viruses travelled on floppies. But if slow distribution is the easiest, most cost-efficient way to hit you, that is how it will be done.
  • Targeted attacks are increasingly common. We are leaving the days where the goal was to hit as many as possible. The goal today is cash - not attention.

Technology gets increasingly advanced. But the technical understanding seems to decrease. The result is companies investing large amounts in technology, without understanding the potential damage that very technology may cause when it is not doing what they expected, or how it may open them up to threats.
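The sign-off step in the list above (test, low-level format, sign off on an isolated bench), written out as an added example that is not from the original post. The device path and the log format are my own assumptions, and a constructed 4 MiB image file stands in for the real drive so the script can be exercised without touching hardware: it fingerprints the disk as delivered, wipes it, verifies that every byte now reads zero, and only then records a dated "clean" line in an offline log.

```shell
#!/bin/sh
# Added example, not from the original post: a sign-off routine for a freshly
# bought disk, run in an isolated (non-networked) staging environment.
# The device path is an assumption; a constructed 4 MiB image file stands in
# for the real drive so the routine is safe to try.

# Build a stand-in "factory-fresh" disk image carrying unexpected data at
# offset 4096, the way the Maxtor drives carried a preinstalled payload.
make_test_disk() {
    img="$1"
    dd if=/dev/zero of="$img" bs=4096 count=1024 2>/dev/null
    printf 'constructed factory payload' | dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# SHA-256 of the whole device, recorded before and after the wipe as evidence.
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Prints "clean" if every byte of the device is zero, otherwise "dirty".
verify_blank() {
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    if [ "$nonzero" -eq 0 ]; then echo clean; else echo dirty; fi
}

# Low-level wipe: overwrite the full length of the device with zeros.
wipe_disk() {
    size=$(wc -c < "$1" | tr -d ' ')
    dd if=/dev/zero of="$1" bs=4096 count=$((size / 4096)) conv=notrunc 2>/dev/null
}

# Append a dated sign-off line (device, hash, status) to an offline log and
# print the status; only a "clean" line means the drive may leave staging.
sign_off() {
    dev="$1"; log="$2"
    status=$(verify_blank "$dev")
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$dev" \
        "$(fingerprint "$dev")" "$status" >> "$log"
    echo "$status"
}

# Stand-alone demo on the constructed image: ./signoff.sh --demo
if [ "${1:-}" = "--demo" ]; then
    img=$(mktemp); log=$(mktemp)
    make_test_disk "$img"
    echo "as delivered: $(verify_blank "$img") $(fingerprint "$img")"
    wipe_disk "$img"
    echo "after wipe:   $(sign_off "$img" "$log")"
    cat "$log"
    rm -f "$img" "$log"
fi
```

On a real bench the functions would be pointed at the block device instead of the image file, and the "as delivered" fingerprint is worth keeping alongside an image of the drive, since that is the only record of what the vendor actually shipped once the wipe has run.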

First virus in the wild - 25 years ago

According to Tim Tracy, the first virus in the wild, Elk Cloner, turns 25 this year.

Tim has put together a charming and interesting story about Rich Skrenta, who in 9th grade wrote what is generally recognized as the first computer virus in the wild - meaning the first computer virus known to spread itself outside of a safe location.

Rich is today a successful serial entrepreneur. The virus is long gone. The story is still fun, though! 

Security industry sleeping in class?

The Register brought forward this story about a "new" phishing tool. A file downloaded and installed on your computer gives the phisher full access to intervene in your Internet banking, PayPal, eBay and so forth.

What is new with this? Spyware, greyware, trojans and viruses have been installed on your computer for a long time. Bots have been controlled from the outside for years. The fact that the tool is able to access your information, tap into your communication and present to you what looks like ordinary PayPal, banking or eBay sites is nothing new. What I find disturbing is that the anti-phishing tools do not detect the hijacking, and thus are not able to prevent it. As a matter of fact, Norton 360 clears the page you are viewing.

The blogger is Kai Roer, a European Information security professional.
