
The Battle Against Viruses on the CERN NICE Network

  1. The Battle Against Viruses on the CERN NICE Network
     Tami Kramer, CERN

  2. Viruses - the problem
     • There are an estimated 45,000 viruses “in the wild” today
     • Growing at a rate of 6 new viruses per month
     • Viruses are also becoming more sophisticated and malicious
     • No longer an issue of destroying data on one machine but several at once

  3. Virus History and Evolution
     • Simple Viruses
       • Easiest to detect
       • User launches infected program, virus gains control of the PC and attaches itself to another program, then transfers control back to the host program, which functions normally
       • Anti-virus software need only look for a “signature” (sequence of bytes) to detect it

  4. Virus History and Evolution
     • Encrypted Viruses - Description
       • Hides the fixed signature by scrambling the virus body, making it unrecognizable to the scan engine
       • An encrypting virus always propagates using the same decryption routine; however, the key value changes from infection to infection
       • Consequently the encrypted body of the virus also varies, depending on the key value

  5. Virus History and Evolution
     • Encrypted Viruses - Detection
       • Consists of a virus decryption routine and an encrypted virus body
       • User launches infected program, virus decryption routine gains control of the computer and decrypts the virus body, which infects new programs/files with a new key
       • Anti-virus software must search for the decryption routine signature

  6. Virus History and Evolution
     • Polymorphic Viruses - Description
       • Includes a scrambled virus body and decryption routine
       • However, adds a mutation engine that generates randomized decryption routines
       • The mutation engine and the virus body are both encrypted, and the new decryption routine is passed along with them

  7. Virus History and Evolution
     • Polymorphic Viruses - Detection
       • User launches infected program; decryption routine decrypts virus body and mutation engine; virus makes a copy of both itself and the mutation engine in RAM; virus invokes the mutation engine, which generates a new decryption routine; virus encrypts itself with the new decryption routine and infects a new file
       • Virus authors distribute mutation engines for use by others

  8. Virus History and Evolution
     • Anti-virus vendors developed generic decryption techniques that “trick” polymorphic viruses into revealing themselves using a virtual computer
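As an added illustration (not from the slides), the following Python sketch builds constructed stand-ins for the three virus generations described on slides 3 to 8 and shows which detection technique catches which. The single-byte XOR “encryption”, the fixed stub bytes and the key-trying “generic decryption” are simplifications assumed for the example; real scanners emulate the decryptor in a virtual machine rather than trying keys.

```python
# Constructed stand-ins, not real malware: a fixed byte sequence plays the
# plain virus body and a second fixed sequence plays the decryption routine.
BODY_SIGNATURE = b"TOY-BODY-MARKER"
DECRYPTOR_STUB = b"\xb8\x01\x00\x00\x00\x31"  # constructed "decryptor" bytes
HOST = b"HOSTPROGRAM"                         # constructed host program bytes

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used both to 'encrypt' a body and to undo it."""
    return bytes(b ^ key for b in data)

def make_sample(kind: str, key: int) -> bytes:
    """Build a constructed 'infected file' for each generation in the slides."""
    body = b"...." + BODY_SIGNATURE + b"...."
    if kind == "simple":
        # body stored in clear: the fixed signature is right there
        return HOST + body
    if kind == "encrypted":
        # same decryptor every time, only the key (hence the body) changes
        return HOST + DECRYPTOR_STUB + xor_bytes(body, key)
    if kind == "polymorphic":
        # mutation engine also rewrites the decryptor: simplified here by
        # deriving a different stub from the key (key must be non-zero)
        return HOST + xor_bytes(DECRYPTOR_STUB, key) + xor_bytes(body, key)
    raise ValueError(kind)

def signature_scan(sample: bytes, signature: bytes) -> bool:
    """Classic scanner: look for a fixed sequence of bytes."""
    return signature in sample

def generic_decryption_scan(sample: bytes) -> bool:
    """Stand-in for the 'virtual computer' approach: let the decryptor run
    (here: try every key the toy decryptor could use) and only then look
    for the body signature in the decrypted result."""
    return any(BODY_SIGNATURE in xor_bytes(sample, k) for k in range(256))

def detection_matrix(key: int = 0x5A) -> dict:
    """Which technique catches which generation, for one infection key."""
    results = {}
    for kind in ("simple", "encrypted", "polymorphic"):
        sample = make_sample(kind, key)
        results[kind] = {
            "body_signature": signature_scan(sample, BODY_SIGNATURE),
            "decryptor_signature": signature_scan(sample, DECRYPTOR_STUB),
            "generic_decryption": generic_decryption_scan(sample),
        }
    return results

if __name__ == "__main__":
    for kind, hits in detection_matrix().items():
        print(f"{kind:12s}", hits)
```

Only the body signature catches the simple virus, only the decryptor signature catches the encrypted one, and only the generic-decryption approach catches all three.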

  9. Most common viruses seen on the CERN network
     • Various Word Macro viruses
     • Happy99 Worm
     • Win95 CIH / Chernobyl
     • Hacking tools - NetBus, BackOrifice, etc.

  10. Corporate / Sitewide Solutions
     • Integrated client-server model
     • Permits central distribution of updated virus pattern files and new scan engines
     • Possible to schedule nightly client and server scans
     • Allows for sitewide virus “sweeps” from a centralized administrator console in case of emergency

  11. Virus Protect Administrator console

  12. Notification of a virus on a client

  13. Virus Hoaxes
     • Not dangerous - only serve to waste bandwidth and people’s time
     • Typical hoax viruses
       • California/Wobbler Trojan
       • Win A Holiday
     • http://www.symantec.com/avcenter/venc contains a virus encyclopedia

  14. Statistics
     • 35-40 NT and Netware servers and 4000 clients running real-time and nightly scheduled scans
     • Approximately 5 new clients infected per week

  15. Still some problems
     • Don’t have control over private servers installed by experiments (can only strongly RECOMMEND)
     • Some users disable real-time scanning
     • LANDesk doesn’t clean open files or trojans, which need DOS-level intervention
     • Symantec/Norton bought Intel/LANDesk, so need to upgrade or find a new product

  16. Conclusions
     • Viruses are getting more and more sophisticated and malicious
     • Sites must have a good commercial product
     • You’ll never be completely safe...
