In message <#[email protected]> "FromTheRafters"
> Many blended threat worms of the recent past have used real virus
> code. The point is that an infected file is likely to be executed by the
> system or the user just as it would have had it not been infected.
They do?
Virtually everything I've run into falls into one of two categories:
1) Trojan, being a piece of software which appears to perform a certain
action but in fact performs another.
2) Worms, being self-replicating computer programs spreading more or
less without user intervention across a network.
I haven't seen one in many years that played the original virus trick of
actually modifying existing EXEs and waiting for the user to shuffle
those EXEs off to another PC somehow. With USB drives capacity
increasing, and portable software becoming more popular, we may well see
the return of real viruses in the near future, but I can't think of one
that has had a major impact in many moons.
Now, that being said, a fair amount of malware is polymorphic in one
form or another.
> It is real easy to say "just don't do it" and believe it is that simple.
> I just wanted to point out that that is a naive attitude.
Perhaps somewhat naive, but the reality of it is that if you practice
minimal safe computing techniques, specifically, staying behind an
inbound packet filtering (Windows Firewall or NAT tend to do the job)
and don't install or run anything offered to you unsolicited, only
install software either from reputable companies or that you have
researched, plus stay up to date with Windows and application patches,
you'll be safe.
AV software tends to be far too slow to keep up with threats -- I've
been in the mail server business for many years now, my own server scans
each and every inbound message with three different engines, and still
we see malware sneaking through that, if rescanned 24 hours later, gets
caught. I wouldn't suggest to users that they rely on AV software, it
simply isn't up for the task.
There is also a fairly new class of worm, specifically attacking
vulnerabilities in AV software, often in the form of buffer overruns in
parsers -- so in some cases you're actually more vulnerable with AV
software installed than without. While this isn't a new concept as a
whole, malware exploiting this type of vulnerability automatically is
relatively new.
I can tell you that when I was in school, I absolutely loved McAfee, all
you had to do was get a file called "program.exe" into the search path
of the client-side component, then launch an AV scan and it would launch
said program.exe executable from the service-side scanning component
which ran with administrative privileges. Quick and easy promotion to
full administrative rights, what could be better?