After the Code Red and Nimda hybrid worms of last year and the latest MyParty mass-mailer virus, some in the antivirus industry are warning more worms will wreak havoc on our IT systems. They argue traditional virus-signature scanners need frequent updates, and tout behaviour-blocking software as a better solution. This feature looks at the latest worm threats and assesses how effective today’s technologies are in protecting us.
Organisations were hit by a monthly average of 113 virus infections for every 1000 computers they owned in 2001, according to US security services firm Trucorp. Its ICSA Labs division surveyed 300 US companies that had more than 500 PCs in the 20 months from January 2000 to August 2001, focusing primarily on corporations using Intel chips and Microsoft operating systems.
Most viruses, ICSA Labs found, were spread through email, with 80% of the viruses identified being mass mailers. Some 70% of respondents said the virus infection rendered the PC unusable, while 37% said the infection lost them data. And almost two-fifths of firms reported a “virus disaster”, suffering infections at more than 25 machines, files or pieces of storage media at the same time.
ICSA Labs content security programs manager Larry Bridwell says the virus problem continues to worsen, even though firms are installing more antivirus tools.
The likelihood of more disasters and higher recovery costs will also increase as more worms are released like Code Red and Nimda, which spread through multiple methods. Antivirus firm McAfee also expects more Nimda-like worms in 2002. More than just trying to spread, McAfee expects they will try other actions like launching denial of service attacks, stealing passwords or deleting files. They will also target new communication methods, such as instant messaging, wireless and broadband.
For many years, the method of trying to identify a virus was through its signature — the part of the virus code that can uniquely identify it. Signature detection comprises scanning suspect code (within an email attachment) against a database of known signatures. If the scanner locates a known signature, it can then eradicate or quarantine the email and attachment. As new viruses are written, the antivirus (AV) software company adds each one’s unique signature to the database. In order to obtain protection, users are required to update the database of signatures (by downloading a file from the antivirus software website).
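As an added illustration (not code from the article or from any vendor named in it), the following Python sketch models signature detection as described above: a constructed database of byte patterns, a scan that quarantines on any match, and a vendor update. It also shows the reactive limitation discussed next: a sample the vendor has not yet catalogued scans clean until the database is updated. All names, patterns and samples are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed signature database: vendor-assigned name -> byte pattern chosen to
# uniquely identify one known sample.  Real scanners hold many thousands of
# entries and match far more cleverly, but the principle is the same:
# no entry, no detection.
SIGNATURES: dict[str, bytes] = {
    "Demo.MassMailer.A": b"SEND_TO_ALL_CONTACTS v1",
}


@dataclass
class ScanResult:
    verdict: str                                   # "clean" or "quarantined"
    matched: list[str] = field(default_factory=list)


def scan_attachment(data: bytes, signatures: dict[str, bytes]) -> ScanResult:
    """Look for every known signature in the attachment bytes."""
    hits = sorted(name for name, pattern in signatures.items() if pattern in data)
    return ScanResult("quarantined" if hits else "clean", hits)


def scan_message(attachments: dict[str, bytes],
                 signatures: dict[str, bytes]) -> dict[str, ScanResult]:
    """Scan each attachment of one email; the caller quarantines any hit."""
    return {name: scan_attachment(data, signatures) for name, data in attachments.items()}


def update_signatures(signatures: dict[str, bytes], name: str,
                      pattern: bytes) -> dict[str, bytes]:
    """Model the vendor's database update that the user must download."""
    return {**signatures, name: pattern}


if __name__ == "__main__":
    # Constructed samples: the catalogued one, and a variant the vendor has not seen.
    known = b"MIME header ... SEND_TO_ALL_CONTACTS v1 ... payload"
    variant = b"MIME header ... SEND_TO_ALL_CONTACTS v2 ... payload"
    print(scan_attachment(known, SIGNATURES))    # quarantined
    print(scan_attachment(variant, SIGNATURES))  # clean: detection is reactive
    newer = update_signatures(SIGNATURES, "Demo.MassMailer.B", b"SEND_TO_ALL_CONTACTS v2")
    print(scan_attachment(variant, newer))       # quarantined only after the update
```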
However, argues Dave Waterson of Auckland software security company Ripple Effects, the major flaw in AV scanning is that it is reactionary — the virus must be known to the AV software company. Most users, says Waterson, also don’t update their signature files as often as AV firms would like, say every two days, as it is time-consuming and low-priority. Ripple Effects produces its own virus-stopping software called PrivateBase, which offers some protection by storing an email address book outside the email program, making it harder for the virus to mass-mail itself elsewhere.
Arjen de Landgraaf, director of Co-Logic, an Auckland-based security warning company, adds that viruses are getting smarter and increasingly rely on “social engineering”, such as offering nude images or $5000 prizes. Meanwhile, newer polymorphic viruses can change their look and feel, or hide so that they are automatically triggered by, for example, auto-preview panes.
However, Richard Batchelar, New Zealand manager of Symantec, denies traditional antivirus signature updating is failing, claiming it is “the most successful technique ever developed”. He does admit that more than just AV software is needed to cope with the latest dangers, called “blended” threats, which use multiple methods and techniques to propagate an attack.
“These threats automatically scan for one of the many vulnerabilities in order to compromise a system. They can embed into the HTML files of infected servers, infecting any visitors to that website or sending out email from compromised servers with a worm in the attachment. They can launch denial of service attacks, deface web servers and leave Trojan horses behind for execution at a later time,” says Batchelar.
All parts of the network must be protected to address this new kind of threat, he says, including antivirus, content filtering, firewall, vulnerability management and intrusion detection measures. “This will make their system extremely difficult and costly for intruders to compromise,” he says.
One useful method is behaviour blocking, which identifies a virus by analysing the behaviour of suspicious code and macros line by line, attempting to identify the effects of each command. When suspicious commands are found, the attachment is quarantined or eradicated. However, says Waterson, such software can lead to false alarms where harmless code is incorrectly identified and is not as accurate in identifying “malware” as scanning techniques. Furthermore, clever virus writers can write good virus code that can get through virus-blocking software.
De Landgraaf says such technology is in its infancy as “in reality they just check for code words in the email”. More promising, he says, but another system still in its infancy, is “sandboxing”. Here an incoming email first gets quarantined and checked on its behaviour in a “safe” where it cannot do any damage even when triggered, before it is passed on to the normal email program. Critics note that any slowing of normal network behaviour will be noticed by users.
Auckland-based ITB distributes sandbox technology made by US-based Norman Antivirus. ITB’s Alan Osborne says it establishes “a simulated computer within a computer” and claims customers won’t notice its scans as any different to any other.
The technology also claims to eliminate false alarms by enabling files to execute fully in a simulated environment, where Norman watches exactly what the file does. In this way, the software can easily rule out false positives, he says. Osborne claims 200 corporate and government users in New Zealand, who usually operate Norman in conjunction with email and web filtering systems such as Mail/Web Marshall, Mimesweeper and the like.
Pros and cons
All antivirus methods have weaknesses. Waterson speaks of integrity checking, which looks at changes to files in a user’s computer. If a file has been altered, it could indicate that the file has been tampered with by a malicious virus. But some malicious viruses can still pass integrity tests and files can be legitimately altered (such as with system updates) and yet be flagged by an integrity check.
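To make the integrity-checking trade-off concrete, here is an added Python example (not from the article or any product it mentions) that records a SHA-256 baseline of monitored files and reports changes. The constructed scenario shows both weaknesses in the paragraph above: a legitimate system update and a tampered file are reported identically as “modified”, and a file written outside the monitored set is never flagged at all. Paths and contents are constructed.

```python
import hashlib


def take_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Record a SHA-256 digest per monitored file while the system is known-good."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(files: dict[str, bytes], baseline: dict[str, str]) -> dict[str, str]:
    """Classify each path as unchanged, modified, missing or unmonitored.

    The check only knows that bytes changed, not why: it cannot distinguish a
    vendor patch from malicious tampering, and it says nothing about files that
    were never in the baseline.
    """
    report = {}
    for path, digest in baseline.items():
        if path not in files:
            report[path] = "missing"
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            report[path] = "modified"
        else:
            report[path] = "unchanged"
    for path in files:
        if path not in baseline:
            report[path] = "unmonitored"
    return report


def rebaseline(files: dict[str, bytes], baseline: dict[str, str], accepted: list[str]) -> dict[str, str]:
    """After a human confirms a change is legitimate (e.g. a system update), accept it."""
    updated = dict(baseline)
    for path in accepted:
        updated[path] = hashlib.sha256(files[path]).hexdigest()
    return updated


if __name__ == "__main__":
    # Constructed file system snapshot taken when the machine was clean.
    clean = {"C:/app/tool.exe": b"tool v1", "C:/windows/system.dll": b"dll build 100"}
    base = take_baseline(clean)
    # Later: a legitimate update changed the DLL, something altered tool.exe,
    # and a new file appeared in a directory nobody is monitoring.
    later = {"C:/app/tool.exe": b"tool v1 + unexpected bytes",
             "C:/windows/system.dll": b"dll build 101",
             "C:/temp/new.exe": b"not in baseline"}
    print(check_integrity(later, base))
```

Both changed files are reported as “modified”; deciding which one is the patch requires information the integrity check itself does not have.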
Then we have security patches such as Microsoft’s regular updates. Microsoft’s Trustworthy Computing proposals suggest it is taking security even more seriously, but Waterson says due to the open nature of its software (with built-in application programming interfaces) and the increasing functionality of that software, it is difficult for Microsoft to provide effective security patches. Furthermore, some 100 or so patches are released every year, and users often fail to keep up to date with them, he says.
Companies can reduce their damage from viruses by restricting what a user can and cannot do on their system, such as restricting the employee’s authority to read, write, edit, create, delete and rename files.
But Waterson argues controlling access is difficult to implement, as staff are always enticed by attachments that say “I Love You”. It can also place severe restrictions on the use of Microsoft Office macros, thus reducing the functionality of these products.
Content filtering, which searches email content for keywords that may indicate viruses, can lead to many false alarms. In searching for the term “LoveLetter” for example, a legitimate email warning of the “LoveLetter” virus danger could be blocked by content filtering, Waterson says.