New virus

Matts on 2001-12-04T17:21:35

Wowsers,

We're seeing right now probably the fastest propagating mass mailing virus ever... Called "Goner", it comes with a file called gone.scr. Most AV vendors haven't updated their signatures yet (we stopped it with our heuristic scanner, which I hope to talk about at TPC in 2002), so it's just flooding through most people's systems. We've seen over 10,000 so far today, which is just phenomenal considering it kicked off at about 3pm (it's now 5:20pm).

Of course it's *great* for business. I'm sure The Register and other sites all over the web will be quoting us for the next few days. It's kinda cool working for a much talked about company :-)


Warhol Worms

ziggy on 2001-12-04T17:26:16

Have you heard about Warhol worms? A craftily written piece of malware could wreak some serious havoc in about 15 minutes. 2 hours? That's a blessing; you have enough time to notice the attack and formulate a response. (presuming you have some good heuristics in your mail filters. :-)

Re:Warhol Worms

pudge on 2001-12-04T17:43:53

I get very few of these viruses. None of this new one. I think it must be due to me not knowing very many Windows users.

Yet something else I am thankful for at this time of year.

I get tons of spam, though. :/

Re:Warhol Worms

Matts on 2001-12-04T18:56:16

Yes, we heard of warhol worms. It's all good business for us though, because if one of those breaks out, we'll still stop it heuristically (we offer a 100% anti-virus guarantee, with good reason).

I think many sysadmins out there will think differently about 2 hours being a blessing :-) Remember it's not 2 hours to propagate, it's 2 hours to reach critical mass, which means that it's already infected enough computers to reach critical mass. Oh, and this one deletes antivirus software too, which is kinda funny :-)

Anyway, viruses bad, perl good. Perl good at stopping viruses, and all that.

Re:Warhol Worms

chaoticset on 2001-12-07T16:16:33

Wouldn't that indirectly make it anti-anti-virus software? (I've actually seen the term counter-counter-measures in use, so I don't think it's impossible to see the word anti-anti-virus.) :)

My manager got infected

Purdy on 2001-12-04T21:17:42

Fortunately, the details were also on Symantec. My manager opened it up (fortunately, he has Eudora so it didn't propagate) and I spent the next hour re-installing Norton (he had an old version that doesn't have e-mail protection) and taking out the virus.

Fun fun...

Jason

PS: Where can I find out more about this heur. stuff you talk about?

Re:My manager got infected

Matts on 2001-12-04T22:24:04

You have to call our salespeople to get info on the heuristic stuff. Basically, we detect email viruses by checking if the email (or attachment) is trying to do something malicious, like mail itself all over the place, or open files, etc. It's more complex than that, but you get the idea. We have an almost zero false positive ratio, and a 100% anti-virus guarantee, which so far (2 months) we've kept to for all customers. We also run through 4 commercial scanners, just to be sure.

And yes, it's written in Perl :-)
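Matts only sketches the idea of a heuristic mail scanner (flag a message whose attachment is trying to do something malicious, such as mailing itself around or touching files, rather than matching a signature). The following Python script is an added illustration of that approach and is not MessageLabs' scanner nor code from this thread; the extension lists, the behaviour patterns and the sample messages are all constructed for the example. It parses a raw message with the standard library `email` module and reports findings for each attachment: a directly executable file type (Goner arrived as a `.scr`), a double extension such as `photo.jpg.pif`, a declared content type that does not match the file name, and script text that wires up Outlook address-book mailing or file deletion. The "script" sample is a deliberately non-functional fragment that only exists to exercise the rules.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# File extensions that Windows executes directly; Goner arrived as gone.scr.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Extensions used as the "harmless" half of a double extension (report.doc.scr).
DECOY_EXTENSIONS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".mp3"}

# Constructed behaviour rules: script text that sets up mass-mailing or deletes
# files. Illustrative only, not a real vendor's rule set.
BEHAVIOUR_RULES = {
    "mass-mailing via Outlook automation":
        re.compile(rb"Outlook\.Application.*?AddressLists", re.I | re.S),
    "adds its own file as an attachment":
        re.compile(rb"Attachments\.Add\s*\(?\s*WScript\.ScriptFullName", re.I),
    "deletes files on disk":
        re.compile(rb"FileSystemObject.*?DeleteFile", re.I | re.S),
}


def scan_attachment(part) -> list[str]:
    """Apply the name, type and behaviour heuristics to one MIME attachment."""
    findings = []
    name = (part.get_filename() or "").lower()
    stem, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment: {name}")
        if os.path.splitext(stem)[1] in DECOY_EXTENSIONS:
            findings.append(f"double extension: {name}")
        declared = part.get_content_type()
        if declared.startswith(("image/", "text/")):
            findings.append(f"content-type mismatch: {declared} for {name}")
    payload = part.get_payload(decode=True) or b""
    for label, pattern in BEHAVIOUR_RULES.items():
        if pattern.search(payload):
            findings.append(f"{label}: {name}")
    return findings


def scan_message(raw: bytes) -> list[str]:
    """Return all heuristic findings for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(scan_attachment(part))
    return findings


def verdict(raw: bytes) -> str:
    """Zero findings means deliver; anything else is held for a human to look at."""
    return "quarantine" if scan_message(raw) else "deliver"


def build_sample(filename, content, maintype="application", subtype="octet-stream") -> bytes:
    """Constructed test message with one attachment; not real mail traffic."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Hi"
    msg.set_content("Take a look at the attached file.")
    msg.add_attachment(content, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: the script body is an inert fragment that only carries the
# tokens the rules look for.
SAMPLES = {
    "screensaver executable": build_sample("gone.scr", b"MZ\x90\x00" + b"\x00" * 16),
    "double extension": build_sample("photo.jpg.pif", b"MZ", "image", "jpeg"),
    "self-mailing script": build_sample(
        "hello.vbs",
        b'Set o = CreateObject("Outlook.Application")\r\n'
        b'For Each a In o.GetNamespace("MAPI").AddressLists\r\n'
        b"  m.Attachments.Add WScript.ScriptFullName\r\n"
        b"Next\r\n",
        "text", "plain"),
    "plain text note": build_sample("notes.txt", b"see you tomorrow", "text", "plain"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {verdict(raw)}")
        for finding in scan_message(raw):
            print("   -", finding)
```

The point of the design is the one Matts makes: none of these checks needs a signature for the specific worm, so a brand-new `.scr` mailer is held on its first appearance, at the cost of occasionally quarantining a legitimate screensaver or script that a human then releases.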

Re:My manager got infected

Purdy on 2001-12-05T13:34:16

What's the Web site? (don't know where you work)

Re:My manager got infected

Matts on 2001-12-06T08:07:06

Oh, sorry - www.messagelabs.com. Or www.star.net.uk. It's the same company, but they offer the service in different ways. MessageLabs has most of the AV info though.