MiniZip, a compressed version of the ExploreZip worm, infected thousands of companies around the world last week. The episode highlighted the weakness of products that must identify the fingerprint of the malicious code in order to block it.
The MiniZip worm uses a little-known shareware executable-compression program called Neolite. Because compression changes the byte pattern that signature-based scanners look for, the worm slipped past many antivirus tools and infected companies before a cure could be distributed.
The MiniZip worm infects computers the same way as ExploreZip: via an attachment containing executable code that deletes files and sends infected messages to others. It affects systems running Microsoft's Outlook, Outlook Express and Exchange.
"Antivirus tools are limited in what they can do because they are based on what has happened before. And if a bad guy thinks of [something new], the current techniques are inadequate," said Avi Rubin, author of The Web Security Sourcebook and a security expert at AT&T Labs in Florham Park, NJ.
Dan Schrader, vice president of new technology at Trend Micro in Cupertino, California, acknowledged that his company's products didn't scan for files compressed with Neolite.
"The problem with antivirus software is that it's inherently reactive. We have artificial intelligence for identifying viruses, but virus writers are good at getting around heuristics," Schrader said.
Information technology managers said this worm is troubling because it evaded antivirus software. "Unfortunately, this is like every other virus. Someone has to get it and send it to antivirus companies to isolate before they even know about it," said Jerry Maldonado, director of technical services at Total Computer Care, a systems integrator in Ronkonkoma, NY.
Sal Viveros, group marketing manager for Total Virus Defense, a product from Network Associates in Santa Clara, California, said his company offered a MiniZip update to its antivirus tool almost a full week before companies reported infections, but many businesses didn't update their antivirus files before the Thanksgiving holiday.
But he insisted no antivirus product could have detected MiniZip unless it had a specific update. "It is impossible to detect beforehand all the different variables [used] to write a malicious attack," Viveros said.
Ron Moritz, chief technology officer at San Jose-based Finjan Software, disagreed. He said his company's SurfinGate First Strike Security product blocked MiniZip by setting policies to disable executables that erase file content. "Most organisations are saying, 'We don't want executables delivered by e-mail, and we don't have a problem with a policy that blocks it,'" he said.
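The two approaches the article contrasts, a fingerprint scanner that knows the unpacked sample and a policy that refuses executable attachments outright, are illustrated below in an added example that is not code from the article, from any antivirus vendor or from Finjan. The "executable" is a constructed byte string with an MZ header, the signature is a marker string chosen for the demo, the attachment file names are invented, and zlib stands in for Neolite's own compression, which the article does not describe; the point is only that a runtime packer leaves a valid executable whose original body bytes are no longer visible.

```python
import zlib

# Constructed stand-in for an unpacked executable: a DOS "MZ" header, filler,
# and a body holding a distinctive byte string that a vendor might extract as
# the sample's signature. Nothing here is real MiniZip or ExploreZip code.
HEADER = b"MZ" + b"\x00" * 62
PAYLOAD_MARKER = b"CONSTRUCTED-SIGNATURE-FOR-DEMO"
UNPACKED_EXE = HEADER + b"\x90" * 200 + PAYLOAD_MARKER + b"code" * 50

# Hypothetical signature database with one entry, taken from the unpacked sample.
SIGNATURES = (PAYLOAD_MARKER,)

# The packer's decompression stub: still a valid executable as far as a
# header check is concerned. Placeholder bytes, not a real stub.
STUB = HEADER + b"<decompress-and-jump stub>"


def pack(exe: bytes) -> bytes:
    """Model of a runtime packer such as Neolite (assumption: zlib stands in
    for its proprietary compression). The output keeps an MZ header, but the
    original body is stored compressed, so its byte patterns are gone."""
    return STUB + zlib.compress(exe[len(HEADER):], 9)


def unpack(packed: bytes) -> bytes:
    """What the stub does at run time: restore the original body in memory."""
    return HEADER + zlib.decompress(packed[len(STUB):])


def signature_scan(data: bytes) -> bool:
    """Fingerprint-based detection: flag only if a known signature appears."""
    return any(sig in data for sig in SIGNATURES)


def policy_blocks(filename: str, data: bytes) -> bool:
    """Policy-based blocking: reject any attachment that is executable code,
    judged by extension or by the MZ header, whether or not it is known."""
    exec_exts = (".exe", ".com", ".scr", ".pif", ".bat")
    if filename.lower().endswith(exec_exts):
        return True
    return data.startswith(b"MZ")


def evaluate() -> dict:
    """Run both detectors over the unpacked and packed variants."""
    packed = pack(UNPACKED_EXE)
    cases = {
        "unpacked": ("attachment.exe", UNPACKED_EXE),
        "packed": ("attachment.exe", packed),       # MiniZip-style variant
        "packed_renamed": ("notes.txt", packed),     # extension lies, header does not
        "benign_text": ("notes.txt", b"quarterly figures attached"),
    }
    return {name: {"signature": signature_scan(d), "policy": policy_blocks(f, d)}
            for name, (f, d) in cases.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:15s} signature={verdict['signature']!s:5s} policy={verdict['policy']}")
```

Running it shows the asymmetry the vendors describe: the signature matches the unpacked sample and misses the packed one until the scanner either learns a new fingerprint or unpacks the file first (`signature_scan(unpack(packed))` succeeds), whereas the executable policy blocks both variants and ignores a misleading file extension, at the cost of refusing every executable attachment, which is the trade-off Moritz says most organisations accept.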