SOHO Technology Solutions, LLC > Blog > Categories
Musings on Malware - Part Two

Why we are not safe or why virus scanners are not enough

I finished the last article with the rather dismal forecast that eventually we will all have our computers infected with a virus.  Many people may not agree with that prediction or may be asking why.  Well here is the why.

Most people know that they should have a virus scanner installed on their system.  All virus scanners use a set of files that contain virus signatures.  The exact contents of the virus signature files will vary according to vendor, but just know that the signature of a virus is the minimum information to identify it.  For instance the signature may contain information such as the size of the file, a hash code of the file and the file name.  The various anti‑virus product vendors will update their signature files on different schedules.  Some of them update daily, others update weekly and there is at least one that updates more than once daily.  If all other things are equal, the more frequent the update, the better the protection.

Most of the people who have a virus scanner also realize that they must update the signature files for the scanner to be effective.  The better products allow for an automatic update that can be run daily.  If you have an ‘always on’ connection such as DSL or cable, then configure your virus scanner to update the signature files in the early morning.  (Around 04:00 to 05:00 AM appears to be a good time.)

Now, you are saying, “I update my signature files every day”.  “I am safe”.  Well, I am sorry to say that you are not safe and in fact you may be less safe than someone who does not have a virus scanner.  To understand why, you need to look at the process that happens when a new virus is released.

The virus will usually make its debut in the wee hours of the morning.  (They often start in Europe or Asia.)  Someone at the anti-virus company will have to discover that there is a new virus.  This usually happens after several systems get infected with it.  Let us assume the new virus is released at 04:00 AM.  If we are lucky, the anti‑virus company will be aware of it by 06:00 AM, but many times it could take much longer.  The next step will be two or more hours of analyzing the virus so that it can be detected reliably.  Then the anti‑virus company can produce the new signature file, test it and post it on the web site for you to download.  By the time all of this is done it is at least six hours since the virus was released.  Many times it can be much longer.  It is even worse if the company only updates its signature files once a day or, unacceptably, once a week.  This process leaves a window of no protection that is at least one day and probably most of two days after a new virus is released.  If you take the attitude of “I am protected”, you are being lulled into a false sense of security.  You should always be on the lookout for a virus in your email messages.
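The timeline above can be worked through numerically.  The following is an added example, not part of the original article; the calendar date, the vendor publishing schedules and the 04:30 client update time are assumptions chosen to fit the article's figures (release at 04:00, vendor aware by 06:00, signature ready no sooner than six hours after release).

```python
from datetime import datetime, timedelta

def next_slot(after, first_slot, period):
    """First scheduled slot at or after `after`; slots repeat every `period`."""
    if after <= first_slot:
        return first_slot
    periods = -(-(after - first_slot) // period)  # ceiling division
    return first_slot + periods * period

def exposure_window(release, time_to_ready, vendor_first, vendor_period,
                    client_first, client_period):
    """Time from virus release until the client actually holds the signature."""
    ready = release + time_to_ready                  # analysed and tested
    published = next_slot(ready, vendor_first, vendor_period)
    installed = next_slot(published, client_first, client_period)
    return installed - release

def scenarios():
    """Unprotected hours for three assumed vendor publishing schedules."""
    day = datetime(2024, 1, 1)                       # constructed date (a Monday)
    release = day + timedelta(hours=4)               # article: released 04:00
    time_to_ready = timedelta(hours=6)               # article: at least six hours
    client_first = day + timedelta(hours=4, minutes=30)  # assumed daily 04:30 update
    client_period = timedelta(days=1)
    vendors = {                                      # assumed publishing schedules
        "several times daily": (day, timedelta(hours=4)),
        "once daily": (day + timedelta(hours=8), timedelta(days=1)),
        "once weekly": (day + timedelta(hours=8), timedelta(days=7)),
    }
    result = {}
    for name, (vendor_first, vendor_period) in vendors.items():
        window = exposure_window(release, time_to_ready, vendor_first,
                                 vendor_period, client_first, client_period)
        result[name] = window.total_seconds() / 3600
    return result

if __name__ == "__main__":
    for name, hours in scenarios().items():
        print(f"vendor publishes {name:20s}: unprotected for {hours:6.1f} hours")
```

Even with the fastest vendor schedule, a client that updates once a day stays exposed for just over a day, because the signature is published after that morning's update has already run.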

Musings on Malware - Part One

Worms, Viruses and Trojans

Trojan – A program, usually undesirable, that pretends to be a desirable program.

Virus – A small program written specifically to cause problems in your computer.

Worm – A program that propagates itself over a network, reproducing itself as it goes. (http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?query=Worm&action=Search)

Worms, viruses and trojans all fall under the heading of malware.  Malware could be described as any computer program that you don’t really want running on your system.  It includes the category of spy-ware and possibly even pop-up ads and ad tracking software.

Trojans

Trojans may arrive on your system as an email attachment or they may be downloaded from a web site.  The best defense against trojans is to always know the source of the program that you are about to execute.  In the case of an email attachment, know the person that sent it to you and have them verify that they did actually send you the program and that it is what it is supposed to be.  Better yet, just do not run a program that comes to you as an email attachment.  When you go to download a program from a web site make sure you are dealing with a reputable web site.

Worms

Worms crawl around the internet.  They may arrive as an email attachment or they may be programs that are running on another system that can access your system via a network (local or internet).  A worm will usually carry one or more programs with it, called the payload.  In general the payload of a worm will be a virus.

Viruses

We all know about viruses.  We all fear them and eventually we will all have our computers infected with one.  A virus can travel in many ways.  They may be disguised as a trojan, an attachment to an email or the payload of a worm.