Malware authors mixing a lethal cocktail

Virus writers are combining their efforts with hackers and spammers to launch Swiss Army knife-like malware attacks on users, Kaspersky Labs warned this week.

According to Russian anti-virus company Kaspersky Labs, viruses are being used to infect PCs with Trojans, creating zombie networks that send out spam or participate in denial-of-service attacks.

"We cannot speak about viruses as a separate threat," said Natalya Kaspersky, chief executive of Kaspersky Labs. "They are mixed with spam, using Trojans to distribute emails. The 'bad' industry creates new technology and we need an instant response. Those people unite and exchange information."

The company said that it was seeing 200 new viruses a day. "[Virus writers] have resources and customers who pay them money for their work. These customers are not always robbers but definitely there is more money in the Internet, and we are forced to put more money in security as a result."

Kaspersky added that viruses were tending to spread using links, as opposed to last year when virus writers coaxed users into opening attachments. She said that the motive of virus writers was now to make money, not just to irritate users.

"Virus writers are cooperating," said Kaspersky. "They work in groups that exchange information with other groups on forums and Web sites. They even have tools to exchange information, which is a big problem for us. We need to cooperate to prevent this."

Kaspersky said the company expects that next year exploits will start occurring within hours of a vulnerability being announced.

"This is why vulnerabilities are so important," said Kaspersky. "We are against anyone who publishes vulnerabilities because it gives hackers a tool."

Talkback

I really wish there were laws that forced these jerks to first make you authorize their crap to be installed on your computer. Also, the law needs to stipulate that they have to warn you that they are installing software that will transmit information off of your computer! I am a conservative republican saying this so that can give you an idea of how sick I am of this garbage.

via Facebook 9 December, 2004 18:48

Yeah not all hackers are involved in that or support such actions... I say bring it on. If they wanna have a go then I think we should have a go at them. If SPAMers want to start trouble then why don't we just hack them and screw their network!?!

via Facebook 9 December, 2004 19:02

Being against anyone who publishes information about vulnerabilities is foolish. If the average Joe can't read about vulnerabilities, how can he protect himself?

Hackers don't have to publish information in order to share it, especially if they are working together.

Note also that the most reliable reports about vulnerabilities are posted by anti-virus and security companies. How will stopping them help?

via Facebook 9 December, 2004 19:02

Your political orientation has little to do with your position on the matter.

And, as for laws governing this material, you do realize that a person who writes a VIRUS has little concern for someone writing them a ticket, or slapping them on the hand, as well as usually being outside the scope of US law.

The only solution for this type of software is the effort of the software companies to write better code, instead of quick releasing versions to make a buck or two. Or, take the Unix/Linux approach and limit how software can actually execute on a computer, as opposed to everything running under the administrative account (ie. Windows).

via Facebook 9 December, 2004 19:06

"This is why vulnerabilities are so important," said Kaspersky. "We are against anyone who publishes vulnerabilities because it gives hackers a tool."

Taking this quote into account, I'd like to ask Kaspersky, how he feels about companies releasing broken code, that allows their users to be exploited in the first place? Is he subliminally defending his own software too?

Disclosure has its drawbacks, but if it's this hard to get a vendor to release patches now with the majority of advisories being detailed, can you imagine the turn around time for a patch if full disclosure was banned?

via Facebook 9 December, 2004 19:07

Don't understand why she says she is against anyone who publishes vulnerabilities. Many times people find a hole, they approach M$/other software vendor and are ignored. The hackers know the vulnerabilities and share them amongst themselves. Sometimes, publishing the vulnerabilities is the only way to get the vendor to fix the problem.

By not publishing the vulnerabilities, the only people who get hurt are the admins who can't protect against something they don't know exists. The hackers will share the holes and exploit them regardless.

Maybe she means there should be a recommended delay between finding the hole, informing the vendor, and publishing?

via Facebook 9 December, 2004 19:10

Time to install a good SELinux policy. Red Hat Fedora Core 3 already turns on SELinux by default. But unfortunately the security policy is targeted at servers. What's needed is a policy that sandboxes web browsers and e-mail clients.
If it hits Windows today, it will be similar problems in other OSes tomorrow. Better be prepared.

via Facebook 9 December, 2004 19:17

Laws against writing viruses, DOS attacks, etc, will do nothing since the makers of malware are going to do it whether it's legal or not.

The only solution that I see is for users and admins to use common sense, and to demand more security from the companies they purchase software from.

The software companies SHOULD make sure their code is more secure, but users need to be able to adhere to common sense security policies, such as not opening strange attachments, using anti-virus software and/or a firewall, and keeping their Critical Updates current (for Windows users). The ones who are the easiest targets are the ones who don't know anything about protecting themselves.

via Facebook 9 December, 2004 19:38

Anonymous Consultant in Sweden wrote :

<<
If it hits Windows today, it will be similar problems in other OSes tomorrow. Better be prepared.
>>

I totally agree.

DO NOT make the mistake to think that using Linux is always safer than Windows and DO NOT make the mistake to think that 'the bad guys' only attack Windows. I am sure that SOON, if it's not already done, 'bad guys' will be as bad against Linux as against Windows. NOW they do it for the money more than for some 'technological preferences', as we all already know, money can buy a lot of things and a lot of people.

via Facebook 9 December, 2004 19:49

Without publishing the vulnerabilities, how can one make sure that who's responsible for the software will ever correct it?

Maybe the author is not thinking cooperatively, like he is proposing we do... :-)

via Facebook 9 December, 2004 22:48

Short and simple, Kaspersky is a twit.

"We are against anyone who publishes vulnerabilities because it gives hackers a tool."

This is such a patently ridiculous statement; I don't even know where to begin attacking her. First, the argument that now that virus writers are paid (as though all virii up to this point were solely a labor of love) will make them more motivated is absurd.

Virus writers who were previously not committed to the craft may indeed be "more" motivated by money, but ask any geek, Which gets done faster? The code they are paid for or the code they "want" to write (ala personal projects, community projects that they are heavily committed to, etc)?
*(Every coder's dream is to get paid for doing the projects they love most, it just doesn't happen that often)

That virus writers are going to beat everyone in the footrace because they now have access to the same tools for collaboration that they had 10 years ago is a silly notion; the methods for distributing ideas and working together, be it on a virus, or an OSS Bayesian filter, remain the same. IRC, documentation, email, and more recently Instant Messaging, etc, etc, etc.

Although, I must admit, there is an air of truth in that one statement. "..it will give hackers a tool."
Well, if you look at the traditional (correct) definition of hacker, this is 100% correct.
Once you have properly documented and provided a how and why type of assessment, "hackers" can work together at a very rapid rate to write code that will do everything from detect the presence of the vulnerability to a patch for the system. Sure, virus writers are probably working just as hard, but this is nothing new.

I would imagine that if you told Kaspersky about a tool that allowed the complete novice to craft a virus using nothing more than a GUI interface and very basic compiler, she would beat the pans, raise the alert, and warn everyone of the impending doom. Of course, those of us with our heads removed from our posterior would laugh heartily, since we all remember (I am sure) a little program called "virus creation laboratory". As I recall, it was a Pascal turbo vision app that generated the appropriate asm code, and all you needed was the old compilation/linking tools provided by Microsoft with MS-DOS 5.0(??) The world did not end, I assure you.

In short, the views presented in this article are extremist and alarmist in nature, and the only apparent source of information has a fairly obvious bias. After all, did you really expect a representative (and to venture a guess, owner) of an Anti-Virus Software ( http://www.kaspersky.com/ ) to present an honest "state of the industry" address without painting a scary picture, casting a few shadows on the wall, and reminding everyone the bogey man lives in the closet?

But we can't blame her solely. No, the next person to blame would be Dan Ilett. After all, was he paid off by Kaspersky Labs to create this advertisement in the guise of news? Where is the alternate opinion? At least round up a few other people who are knowledgeable to put in their opinions, even if they are in agreement. Worst thing that could happen is it would lend you at least some credibility. In fact, did you even write this? Or just sign your name to the Kaspersky Labs Press release? But it's not all poor Dan's fault either. Apparently his editor was asleep at the wheel when this trash graced his desk.

But alas, I've already put more thought and effort into this rebuttal than was put into the original.
In short, don't believe everything you read, and try to hold your News sources accountable for reliable, accurate, and as un-biased news as possible. Or at least hold out for news that does a better job of at least appearing credible.

via Facebook 10 December, 2004 15:36

Virus writers could well start focussing more on GNU/Linux installations in the near future. However, the nice thing about GNU/Linux is that you can disable or completely uninstall anything that proves to be an incorrigible security risk... (*cough* I.E.)

So it sounds to me as if the age-old flame-war over whether or not GNU/Linux is inherently more secure than Windows is about to be settled, one way or the other.

via Facebook 11 December, 2004 14:12

I read in the newspaper about a technology which suggested the consumer look for banks or institutions that have single-use credit card numbers. If this single-use credit card number (software) was combined with a card-present encryption (hardware) device which never allows your information to go on the internet, then there will be no need to educate anyone about giving up their information, because your information will never leave your person.

via Facebook 13 December, 2004 22:18