STATISTICS FROM ANTI-VIRUS RESEARCHERS

Date: Sat, 20 May 2000 12:11:05 -0500
From: Gene Spafford
I wrote this last week for our campus security mailing list (I am the campus ISSO, among other things).

(This has been edited somewhat from the original.)

Several of you have taken me to task for my comments about Microsoft software quality. I don't say these things to bash MS -- I say them based on over a dozen years of experience and research in infosec issues. Quite simply, Microsoft is the vendor that is putting arbitrary scripting commands into their email clients and servers, Microsoft products are ones that continue to exhibit security flaws and problems known to researchers for decades, and it is Microsoft's design decisions and products that result in problems such as Melissa, the "love bug," and a myriad of computer viruses. Couple this with the nearly total Windows population in some environments, and we have an extremely volatile situation.

Ask any biologist, doctor, historian, or agricultural specialist: what happens when you introduce a severe contagion into a monoculture population with little natural resistance? You get pandemic -- widespread infection and damage. Whether it is measles and smallpox killing something like 90% of the Aztecs, Dutch Elm disease destroying a mainstay of the American forest, or ILOVEYOU in Outlook damaging files on machines worldwide, the result is a massive and quick-spreading epidemic.

Analyze statistics from anti-virus researchers, companies, and on-line documents. You will find that there are currently about 60,000 recognized computer viruses (not worms, such as Melissa or ILOVEYOU, but traditional viruses). Of these (as of this week):

• Slightly less than 52,000 are viruses for DOS/Window/NT platforms
  - about 6000 of these are Word macro viruses
  - about 150-200 of these are known to be widespread "in the wild"
  - in 1999, approximately 650 new viruses were reported each month (more than 20 a day)
• 680 are for the Amiga
• A few hundred are for Javascript, Hypercard, Perl, and other scripting languages. Few of these can spread beyond a few machines without active support of the users
• 150 are for the Atari
• 31 are native to the Macintosh, and only two of them are known to exist anymore
• 2 or 3 are viruses native to OS/2
• About 5 are for Linux/Unix/etc, but none have been found in quantity "in the wild", nor would they be likely to spread very far if they were "loose"
• None are for BeOS, ErOS, or other small-population systems.
  
  So, over 85% of all the known viruses are for Microsoft platforms (nearly all the self-propagating worms are as well). The rate of new reports -- especially for macro viruses -- means that pattern-based virus detectors can never be up-to-date and provide 100% protection. (Note: I'm not trying to draw grand conclusions here about the reasons for this skew, but simply point out where the overwhelming threat is.) Fast-spreading, self-propagating worms using Outlook move so quickly that they are likely to be upon us before an anti-virus vendor can even get a copy to analyze.

The situation is made worse by Microsoft trying to minimize the scope of the problem and claim that they aren't responsible in any way. The MS spin doctors are even attempting to blame the users!
(One MS executive even claimed that we should beat our users to prevent problems such as the "love bug": http://www.digitalmass.com/columns/software/0508.html
Microsoft employees and apologists are attempting to claim that these are problems that every software platform has, as if this somehow makes the gaping vulnerabilities less of a problem. This is simply not true -- you can't construct a "Melissa" or "love bug" worm without Outlook and MS Windows scripting host.

So, we need to do what we can ourselves to help our situation. What should you, as Purdue system and security administrators, consider doing?

• #1 is to make sure your anti-malware software is up-to-date to detect older, known viruses. We have site licenses for various NAI products if you don't have something installed yet. Also, install Tripwire if you are using NT or Unix boxes (we have this site-licensed, too). The use of Tripwire will help detect new, as-yet undetected viruses (after the fact, unfortunately) and also help in clean-up of damage by giving a snapshot of altered files and registry settings. (It also provides intrusion detection in addition to the change detection involved in detecting viruses.)
  
• #2 is to ensure that your users understand good anti-malware practices. This can't stop all future problems, but it may help limit their spread. In particular, get users to cut and paste text in email rather than attach Word documents. If they need to send a file of some kind, then have them use ftp rather than embed the files in email. On the receiving side, users should simply reject any executable content rather than depend on virus screening.
  
• #3, perform regular, comprehensive backups of all systems. If you do not perform regular, full backups of any systems, notify those users and ensure that they understand the procedures (and importance) to do it themselves. Files deleted by buggy software, viruses, worms, crashes or simple mistakes cannot always be recreated. Backups are critical for recovery. (Be sure to test your backups periodically to ensure they work!)
  
• #4, be certain your systems are up-to-date on patches and security fixes, no matter what kind of platform you may be using.
  
• #5 If you use Outlook, disable the Windows scripting host feature (see article at the URL given above). Alternatively, think about switching your users from Outlook to some other email client (e.g., Eudora). For this to work, however, you need to de-install Outlook rather than simply install something alongside it. (There was at least one case on campus where someone using Eudora on Windows saved the ILOVEYOU code to disk and started it, and it then activated Outlook to use the global address book to mail copies to other users.)
  
• #6, if your users are using Internet Explore, be certain they have their security settings on the highest level for all zones unless you *know* it is safe to use a lower setting. Also, in the security settings, disable ActiveX if at all possible -- ActiveX supports threats that cannot be defended against. In all WWW browsers users should be careful about enabling Javascript and Java, with Java being safer than Javascript in up-to-date browsers.
  
• #7, When acquiring new systems, think carefully if you really need Windows/Word, or whether an alternative is available that is more resistant to attack. This is especially a concern if you don't have staff or expertise to be constantly dealing with security concerns. For instance, if you are only seeking a machine to run a WWW server, then a Mac makes a robust server with an almost non-existent history of security problems. In fact, last year the US Army replaced their NT-based WWW servers after repeated security problems and they have not had a single security incident since! Similarly, you can run Excel and Word on a Mac, and using StarOffice on a Unix box you can deal with the same files. There are also other word processing programs (e.g., Framemaker, AppleWorks, others) and spreadsheet systems. Windows and Office are not the only choices.

The key here is to think about total cost of operation and the needed core functionality. When you put a machine in service there may be the up-front cost of the box and the software, and in this regard a Wintel box seems the best choice. But add in the time spent applying security patches, strengthening the default installation, responding to (and cleaning up after) break-ins and malware incidents, and the time spent staring at blue screens -- time for you and your staff is valuable, as is the loss of productive work time by your users. Yes, Windows runs thousands more programs than does Unix or a Mac -- but do you ever need those in a work or lab environment? Most are games, or are versions of software you don't need or already have in another form. Consider carefully what you want: buying a system because it runs programs you will never use and that may cost more over its lifetime to operate is not a bargain.

This is not intended to suggest that Microsoft is the source of all evil, or that you should run out and replace all your Windows boxes with something else. There are good people working for MS -- and several of them are former students and colleagues. The university (and the world around us) would come to a very abrupt halt if we didn't have MS products for everyday use. Furthermore, other vendor products are hardly bug-free -- we continue to see security advisories for Solaris, HP-UX, Linux, and others. But the number of security problems for MS products and the near ubiquity of MS platforms in many environments means that we need to be especially concerned about this as a potential problem area.
(See http://www.securityfocus.com/frames/?content=/vdb/stats.html for some interesting numbers supporting this.)

Several security experts, myself included, are convinced that we have seen only the tip of the iceberg as far as new worm/virus code is concerned. Being aware of alternatives and threats is the first step in protecting ourselves. Trying to reduce the "monoculture" environment and replace the most vulnerable members of the population is simply one step towards protecting our environment against future threats.

You *do* have choices, and if only enough people exercised their choices we might find *all* the vendors paying a little more attention to security.

SEE LABELING VIRUSES CORRECTLY!
What they are: "Microsoft Outlook Express virus" or "Microsoft Explorer virus" or "Microsoft Word macro virus (reputedly the single largest source of viruses for years!)."