On the virus front, things remain active: Since Jan. 1, 2003, nearly 300 new threats were identified and signatures created. For more details, visit Symantec’s “Virus Definitions Added” at http://www.symantec.com/avcenter/defs.added.html.
At Microsoft, things have been quiet: Only one virus alert on W32.Lirva.A@mm (http://www.microsoft.com/technet/treeview/?url=/technet/security/virus/alerts/Lirva.asp), and no security bulletins since Jan. 1.
My own personal e-mail, where I average 400 to 500 messages a day, shows that the Klez virus remains pretty active (at about 2 percent of overall traffic), and it is still listed as the top virus threat at most anti-virus sites. New viruses Yaha (currently known in 13 different variants, A through M) and Sobig (currently known in only two variants, W32.Sobig.A@mm and W32.Sobig.A@mm.enc) together comprise another 1 percent of traffic I’ve observed since New Year’s, with only small numbers of other viruses appearing. All major anti-virus vendors have signatures for these viruses posted, as well as removal tools for those who might get infected. For examples of what’s available, see the “Virus Definitions” and “Removal Tools” entries at Symantec’s Security Response page (http://www.symantec.com/avcenter/).
Measuring virus threat is an interesting subject and is handled somewhat differently at various sites. As an example, I use the information on Symantec’s “Threat Severity Assessment” page (http://www.symantec.com/avcenter/threat.severity.html). The common threat components are listed below, with an explanation of what earns a high, medium or low rating for each one:
- The Wild Metric: Extent to which malware is encountered “in the wild” (that is, in incoming streams of e-mail, files, etc.). This accounts for the number of sites and systems infected, as well as geographic distribution, ability of current technology to combat threats and the complexity of the malware itself. A high rating means 1,000 or more machines, 10 or more sites or five or more countries affected. Medium means 50 to 999 machines, two or more sites or countries. Low is anything below medium.
- The Damage Metric: The damage that malware can cause when it infects a system. This measures the amount of damage in terms of triggered events, clogged e-mail servers, deleted or modified files, release of confidential information and so forth. High means file destruction or modification, very high server traffic, large-scale unrepairable damage, security breaches or destructive triggers. Medium means non-critical settings altered, buggy routines, easily repairable damage or non-destructive triggers. Low is anything below medium.
- The Distribution Metric: The rate at which malware spreads. This may be determined by e-mail propagation, type of executable attack, download mechanisms, network spread or difficulty to remove or repair. High means large-scale e-mail worms, network-aware executables (viruses) or uncontainable threats. Medium captures all but the worst viruses. Low includes most Trojan horses.
Overall, risk assessment rates malware across all three components—wild, damage and distribution—on a scale of Categories 1 to 5, where Category 5 is very severe and Category 1 is very low. The next newsletter will explain these categories in more detail.
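To make the Wild metric thresholds above concrete, here is an added example (my own illustration, not code from Symantec or from the newsletter) that aggregates constructed infection reports into machine, site and country counts and rates them. It assumes each threshold is checked independently and the highest rating any of them reaches wins; the newsletter does not spell out how the criteria combine.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class WildObservation:
    """Aggregated counts that the Wild metric is rated on."""
    machines: int
    sites: int
    countries: int


# Constructed sample reports: (site_id, country, infected_machines).
# Sums to 60 machines across 3 sites in 2 countries.
SAMPLE_REPORTS = [
    ("site-a", "US", 30),
    ("site-b", "US", 25),
    ("site-c", "DE", 5),
]


def aggregate(reports: Iterable[Tuple[str, str, int]]) -> WildObservation:
    """Collapse per-site reports into total machines, distinct sites and countries."""
    machines = 0
    sites, countries = set(), set()
    for site, country, infected in reports:
        if infected < 0:
            raise ValueError(f"negative machine count for {site}")
        machines += infected
        sites.add(site)
        countries.add(country)
    return WildObservation(machines, len(sites), len(countries))


def rate_wild(obs: WildObservation) -> str:
    """Apply the quoted Wild metric thresholds; highest matching rating wins (assumption)."""
    # High: 1,000 or more machines, 10 or more sites, or five or more countries.
    if obs.machines >= 1000 or obs.sites >= 10 or obs.countries >= 5:
        return "high"
    # Medium: 50 to 999 machines, or two or more sites or countries.
    if obs.machines >= 50 or obs.sites >= 2 or obs.countries >= 2:
        return "medium"
    # Low: anything below medium.
    return "low"


if __name__ == "__main__":
    print(rate_wild(aggregate(SAMPLE_REPORTS)))  # medium
```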