More has changed in the past two years of computer virus protection, than in the previous 20 years. Statistics from the global network of Network Box Security Response centers show a dramatic increase in the number of distinct threats seen, with a dramatic decrease in the time taken for a threat to reach peak infection levels; new techniques for bypassing protection devices; spamming techniques for the initial propagation stage of virus seeding.
NETWORK BOX TECHNICAL WHITE PAPER
The Network Box Anti-Virus Solution
Background
The term "computer virus" has evolved significantly over the years. While first it was used to refer to a specific set of software programs which self-replicated, it is now commonly used to refer to a whole host of malicious software CONTENT (malware) including:
Background........................................1 . eMail Worms . Network WormsThe Impetus for Change.................2 . Trojan Horses . Trojan DroppersTechnologies for Virus Detection..3 Throughout the rest of this whitepaper, Network Box will refer to all these classes The Network Box eMail Scanner..6 of malware as "computer virus".
The Network Box eMail Anti-Virus The first computer virus to appear "in the wild" (rather than being created, and System.................................................7 staying, in a laboratory) was known as "Elk Cloner". Rich Skrenta wrote it in 1982, and it replicated by attaching itself to the Apple DOS 3.3 operating system The Network Box File Scanner.....9 passed around on floppy disks. Most of these early viruses were disk or file infectors and spread by file sharing.The Network Box File Anti-Virus System.................................................9 As wide-area computer networks (such as bulletin boards) became popular in the 1980s and early 1990s, the number and spread of viruses increased dramatically. Anti-Virus Con?guration..............10 But, it was the advent of the Internet and World-Wide Web that provided the mechanism for the birth of the computer worm.Conclusion.......................................10 In the early 1980s, the vast majority of computer viruses were classic file and disk infectors. Now, in 2005, over 99.98% of all viruses are email or network carried SEPTEMBER 2005 worms .No part of this publication including text, examples, or illustrations may be reproduced, transmitted, In the early 1980s, it would take weeks for a new virus to propagate around the or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, world. Now, in 2005, computer worms often take less than 2.5 hours to reach for any purpose, without prior written permission their peak infection rate .of Network Box Corporation Limited. In the early 1980s, there were less than 3,000 viruses known to exist. Now, in Network Box Corporation Limited, 2nd Floor Star House, 3 Salisbury Road, Tsim Sha Tsui, 2005, over 3,000 new virus variants are seen every month .Kowloon, Hong KongTelephone: +852 2736-2083 As the nature of the threat changes, so must the techniques used to fight that Fax: +852 2736-2778 threat.www.network-box.com
1
NETWORK BOX CORPORATION LIMITED, 2ND FLOOR STAR HOUSE, 3 SALISBURY ROAD, TSIM SHA TSUI, KOWLOON, HONG KONGTELEPHONE: + 852 2736-2083 FAX: +852 2736-2778 www.network-box.comNETWORK BOX TECHNICAL WHITE PAPER
The Impetus for Change
More has changed in the More has changed in the past two years of computer virus protection, than in the past two years of computer previous 20 years. Statistics from the global network of Network Box Security virus protection, than in Response centers show:the previous 20 years. . A dramatic increase in the number of distinct threats seen (from less than 40,000, five years ago, to more than 150,000 today). A few years ago, one new variant of a particular virus would be seen, perhaps, once a month. Now, computer virus researchers are often seeing half a dozen, or more, new variants in a 24-hour period.
. A dramatic decrease in the time taken for a threat to reach peak infection levels. A common measure is the time taken for the infection rate (detections/blocks per minute) to reach half its peak level. Commonly, variants of the Mydoom, NetSky and Bagle worms (for example), now reach this point within less than 1 hour.
. New techniques for bypassing protection devices have appeared. These include password-protected archive, vulnerability exploitation, social engineering, message fragmentation, and standards bypass.
. The use of spamming techniques for the initial propagation stage of virus seeding (greatly increasing the initial rate of spread).
