The Battle Against Viruses on the CERN NICE Network - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
The Battle Against Viruses on the CERN NICE
Network
  • Tami Kramer
  • CERN

2
Viruses - the problem
  • There are an estimated 45,000 viruses in the
    wild today
  • Growing at a rate of 6 new viruses per month
  • Viruses are also becoming more sophisticated and
    malicious
  • No longer an issue of destroying data on one
    machine, but on many machines at once

3
Virus History and Evolution
  • Simple Viruses
  • Easiest to detect
  • User launches infected program, virus gains
    control of the PC and attaches itself to another
    program, then transfers control back to the host
    program which functions normally
  • Anti-virus software need only look for a
    signature (a fixed sequence of bytes) to detect
    it

4
Virus History and Evolution
  • Encrypted Viruses - Description
  • Hides fixed signature by scrambling the virus
    body making it unrecognizable to the scan engine
  • Encrypting virus always propagates using the same
    decryption routine, however the key value changes
    from infection to infection
  • Consequently the encrypted body of the virus also
    varies, depending on the key value

5
Virus History and Evolution
  • Encrypted Viruses - Detection
  • Consists of a virus decryption routine and an
    encrypted virus body
  • User launches infected program, virus decryption
    routine gains control of the computer, decrypts
    the virus body, which infects new programs/files
    with new key
  • Anti-virus software must search for the
    signature of the decryption routine, which stays
    the same from infection to infection while the
    encrypted body does not

6
Virus History and Evolution
  • Polymorphic viruses - Description
  • Includes a scrambled virus body and decryption
    routine
  • However, adds a mutation engine that generates
    randomized decryption routines
  • The mutation engine and the virus body are both
    encrypted and the new decrypting routine is
    passed along with them

7
Virus History and Evolution
  • Polymorphic Viruses - Detection
  • User launches infected program; the decryption
    routine decrypts the virus body and mutation
    engine; the virus copies both itself and the
    mutation engine into RAM; it invokes the mutation
    engine, which generates a new decryption routine;
    the virus encrypts its body and the engine with
    the new key, attaches the new decryption routine,
    and infects a new file
  • Virus authors distribute mutation engines for use
    by others

8
Virus History and Evolution
  • Anti-virus vendors developed generic decryption
    techniques that trick polymorphic viruses into
    revealing themselves: the suspect file is run in
    a virtual computer (an emulator) until its own
    decryption routine has unscrambled the virus
    body, and the decrypted body is then scanned for
    an ordinary signature
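
Slides 3 to 8 describe four steps of one arms race: fixed-signature scanning, the encrypted virus with a constant decryptor and a varying key, the polymorphic virus whose mutation engine rewrites the decryptor, and generic decryption in a virtual machine. The following is an added illustration written for this transcript; it is not code from the presentation and involves no real malware. Everything in it is constructed: a two-byte-per-instruction toy "decryptor" byte code, an assumed infected-file layout (body length, decryptor, encrypted body, host), a made-up plaintext "virus body" and host, and the wildcard signature format.

```python
import random
import re

# Constructed toy "decryptor" byte code: 2 bytes per instruction (opcode, operand).
OP_NOP, OP_XOR, OP_ADD, OP_NOT, OP_END = 0x00, 0x01, 0x02, 0x03, 0xFF

# Constructed plaintext "virus body", the fixed body signature a scanner carries,
# and a constructed clean host program.  None in a signature is a one-byte wildcard.
VIRUS_BODY = b"\x90\x90VIRUS-BODY:infect-next-file\x90\x90"
BODY_SIGNATURE = list(b"VIRUS-BODY:")
HOST = b"MZ....legit host program code...."


def signature_scan(data, pattern):
    """Slide 3: look for a fixed byte sequence (wildcards allowed)."""
    regex = b"".join(b"." if b is None else re.escape(bytes([b])) for b in pattern)
    return re.search(regex, data, re.DOTALL) is not None


def apply_ops(body, ops):
    """Execute a decryptor instruction list over the body.  The virus does this
    at run time; the generic-decryption engine does it inside an emulator."""
    out = bytes(body)
    for op, arg in ops:
        if op == OP_XOR:
            out = bytes(b ^ arg for b in out)
        elif op == OP_ADD:
            out = bytes((b + arg) & 0xFF for b in out)
        elif op == OP_NOT:
            out = bytes(b ^ 0xFF for b in out)
        # OP_NOP is junk the mutation engine sprinkles in; it changes nothing.
    return out


def inverse_ops(ops):
    """Encrypting = undoing each decrypt step, in reverse order."""
    return [(op, (-arg) & 0xFF if op == OP_ADD else arg) for op, arg in reversed(ops)]


def build_infected(host, ops):
    """Assumed file layout: 2-byte body length | decryptor | OP_END |
    encrypted body | original host.  Control enters at offset 0."""
    enc_body = apply_ops(VIRUS_BODY, inverse_ops(ops))
    decryptor = b"".join(bytes([op, arg]) for op, arg in ops) + bytes([OP_END])
    return len(enc_body).to_bytes(2, "big") + decryptor + enc_body + host


def encrypted_virus_ops(key):
    """Slides 4-5: the same decryption routine every generation, only the key changes."""
    return [(OP_NOT, 0), (OP_XOR, key)]

# The scanner's signature for that fixed routine: the key byte is a wildcard.
ENCRYPTED_DECRYPTOR_SIGNATURE = [OP_NOT, 0, OP_XOR, None, OP_END]


def mutation_engine(rng):
    """Slides 6-7: emit a different decryptor each generation: junk NOPs, a
    random XOR-or-ADD with a random key, and sometimes an extra NOT."""
    junk = lambda: [(OP_NOP, rng.randint(1, 255)) for _ in range(rng.randint(0, 3))]
    ops = junk() + [(rng.choice([OP_XOR, OP_ADD]), rng.randint(1, 254))] + junk()
    if rng.random() < 0.5:
        ops.append((OP_NOT, rng.randint(1, 255)))  # operand unused, pure noise
    return ops


def generic_decryption(data):
    """Slide 8: emulate the decryptor in a virtual machine until the body is
    back in plaintext, then apply the ordinary body signature to the result."""
    body_len = int.from_bytes(data[:2], "big")
    ops, pos = [], 2
    while pos + 1 < len(data) and data[pos] != OP_END:
        ops.append((data[pos], data[pos + 1]))
        pos += 2
    if pos >= len(data) or data[pos] != OP_END:
        return False
    enc_body = data[pos + 1:pos + 1 + body_len]
    return signature_scan(apply_ops(enc_body, ops), BODY_SIGNATURE)


def demo(seed=1):
    """Which detection technique catches which virus generation."""
    rng = random.Random(seed)
    plain = VIRUS_BODY + HOST
    encrypted = build_infected(HOST, encrypted_virus_ops(rng.randint(1, 254)))
    polymorphic = build_infected(HOST, mutation_engine(rng))
    return {
        "plain": (signature_scan(plain, BODY_SIGNATURE),
                  signature_scan(plain, ENCRYPTED_DECRYPTOR_SIGNATURE)),
        "encrypted": (signature_scan(encrypted, BODY_SIGNATURE),
                      signature_scan(encrypted, ENCRYPTED_DECRYPTOR_SIGNATURE),
                      generic_decryption(encrypted)),
        "polymorphic": (signature_scan(polymorphic, BODY_SIGNATURE),
                        signature_scan(polymorphic, ENCRYPTED_DECRYPTOR_SIGNATURE),
                        generic_decryption(polymorphic)),
        "clean": (signature_scan(HOST, BODY_SIGNATURE), generic_decryption(HOST)),
    }
```

Running `demo()` shows the progression the slides describe: the body signature finds the simple virus but not the encrypted one; the wildcarded decryptor signature finds the encrypted virus but not the polymorphic one, whose decryptor differs every generation; only emulating the decryptor and scanning the recovered body catches all three, and it stays silent on the clean host.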

9
Most common viruses seen on the CERN network
  • Various Word Macro viruses
  • Happy99 Worm
  • Win95 CIH / Chernobyl
  • Hacking tools (remote-control backdoors) -
    NetBus, BackOrifice, etc.

10
Corporate / Sitewide Solutions
  • Integrated client-server model
  • Permits central distribution of updated virus
    pattern files and new scan engines
  • Possible to schedule nightly client and server
    scans
  • Allow for sitewide virus sweeps from a
    centralized administrator console in case of
    emergency

11
Virus Protect Administrator console
12
Notification of a virus on a client
13
Virus Hoaxes
  • Not dangerous - only serve to waste bandwidth
    and people's time
  • Typical Hoax viruses
  • California/Wobbler Trojan
  • Win A Holiday
  • http://www.symantec.com/avcenter/venc contains a
    virus encyclopedia

14
Statistics
  • 35-40 NT and Netware servers and 4000 clients
    running real-time and nightly scheduled scans
  • Approximately 5 new clients infected per week

15
Still some problems
  • Don't have control over private servers installed
    by experiments (can only strongly RECOMMEND)
  • Some users disable real-time scanning
  • LANDesk doesn't clean open (in-use) files or
    trojans; these need DOS-level intervention
  • Symantec/Norton bought Intel/LANDesk, so need to
    upgrade or find a new product

16
Conclusions
  • Viruses are getting more and more sophisticated
    and malicious
  • Sites must have a good commercial product
  • You'll never be completely safe...