The growth of malicious code slowed between July 2001 and the end of last year, but new viruses pose a more constant threat and last longer than in previous years, a new survey of companies has found.

The Virus Prevalence Survey was conducted by ICSA Labs, an independent division of TruSecure Corp., based in Herndon, Va. ICSA Labs gathered information from 306 medium- and large-sized companies and government agencies. The purpose of the survey was to understand trends on the prevalence of viruses and malicious code on computer networks. The survey covered more than 900,000 computer desktops, servers and gateways. More than 1.2 million incidents involving viruses or malicious code were recorded during the course of the survey, which translates to 113 virus encounters a month for every 1,000 machines on a network during the 18 months covered by the survey. The rate of infections has grown at a rate of about 12 virus encounters per 1,000 machines each year since the survey began in 1996. However, between 2001 and 2002, that growth was considerably slower than in previous years, increasing by only two encounters per 1,000 machines, the survey found. ICSA also noted a decrease in the number of companies reporting a virus “disaster” during the survey period. Eighty per cent said they had experienced a virus disaster, down from 84 per cent in ICSA’s last Virus Prevalance survey.

Microsoft warns of firewall vulnerability

Microsoft Corp. has warned customers of another security vulnerability, this one affecting its Internet Security and Acceleration (ISA) Server 2000 firewall and Web cache product. A software flaw was found in the ISA Server’s Domain Name Service (DNS) intrusion detection application filter that could allow an attacker to launch a denial of service (DoS) attack against the ISA Server that prevents that device from processing DNS requests.

The ISA Server allows DNS requests to be passed from the Internet to an internal DNS server, a process known as DNS publishing. Application filters are used to analyze incoming data streams, including DNS requests. The filters enable the ISA Server to block, redirect or modify data as it passes through the firewall. For example, the filters could guard against attacks embedded in Uniform Resource Locators (URLs), Microsoft said. Because of the flaw, however, a specially formed DNS request, encountered under what Microsoft termed “a specific circumstance,” causes the DNS server publishing feature to stop responding. DNS requests received by the ISA Server after the DoS attack would be stopped at the firewall, Microsoft said. While other ISA Server functions would be unaffected by the failure of the DNS publishing component, administrators would need to restart the ISA server to recover from the DoS attack, the company said.