Internet Virus Boom

Year-2000 viruses proved to be as impotent as the infamous year-2000 bug itself. As the long-anticipated date approached, fears grew that hackers would take advantage of the millennium to launch new attacks. But it didn't happen, and Charles Rutstein, an analyst at Forrester Research, is not surprised.

"We have been saying for the last six months that the millennium would be a complete nonevent as far as viruses are concerned," Rutstein says.

He cites two reasons for this. "First of all, most virus writers had better things to do on New Year's Eve than to sit around and watch their creations take life. Secondly, even though the propagation rate for new viruses is much faster than before, the notion that any virus writer could time a virus outbreak to occur exactly on the eve of Y2K is ludicrous."

The worst problems came from malicious code that took advantage of year-2000 fears.

"Some of our biggest challenges came from people springing Y2K hoaxes," says Don Jones, director of Y2K readiness at Microsoft, in Redmond, Washington. "There was one that claimed to be from Microsoft Support.com, and another claimed to be from Bill Gates."

Although the year 2000 did not set off the onslaught of viruses that had been expected, the spread of computer viruses today has been driven by innovations such as the Internet, which has created almost unlimited opportunities to attack unsuspecting users.

So even though Jan. 1, 2000, came and went without much incident on the virus front, IT managers will need to be ever more vigilant about protecting their companies from a business-halting virus outbreak as the new millennium brings increased dependence on the Web and interconnectivity of networks.

A Hacker's Dream

Imagine an exploding population of homogeneous organisms, with each one able to initiate intimate contact with any other. Add a small group of wily predators who love to tinker with the forces of nature, and the stage is set for artificially induced epidemics.

This describes exactly the present state of affairs in information systems, and the increased vulnerability to viruses and malicious code, according to Carey Nachenberg, chief researcher at Symantec's antivirus research centre, in Cupertino, California.

"It is very different from anything we have seen before," Nachenberg says. "For the first time, we have a computing monoculture. Monocultures in the natural world are extremely vulnerable to pests such as viruses."

The same is true, he adds, in the not-so-natural world of computing.

"By the end of last year, there were more than 200 million PCs connected to the Internet," Nachenberg says. "Ninety per cent of these are Windows machines running the same applications, such as Word, Microsoft Exchange, and Excel."

The reasons for concern do not stop there. Not only do the unscrupulous have a bigger field to play in, they also have tools that are easier to use and potentially more dangerous.

"The advent of macro and script viruses - viruses written in macro languages such as Word macro and VBScript - makes it fairly easy to write new ones," says Vincent Gulotto, director of Avert, the emergency response team at Network Associates (NAI), in Santa Clara, California.

Don't Panic . . . Yet

ActiveX and Java add to this problem, says Sal Viveros, group marketing manager for total virus defence at NAI.

"This is mobile code. As it becomes easier to use, we will see more mobile virus code," Viveros says, adding that this kind of mobile virus code is particularly scary because it can be activated simply by surfing to a Web site.

Most analysts and users agree that it is only a matter of time before the invasion of the bad applets begins.

Antivirus software vendors such as Symantec and NAI enjoy a steady revenue from selling protection from just these kinds of threats, so IT professionals must take such warnings with healthy scepticism. However, analysts tend to support all of the above concerns. And while they, too, stress the need for calm, they also caution against complacency.

"When macro viruses first came on the scene, most viruses were still written in assembly language or machine code," says Roger Thompson, technical director of malicious code research at ICSA, a computer security research company in Reston, Virginia. "And they were spread by physically transporting infected floppies from one machine to another. In those days, we recommended that you upgrade your antivirus software every two to three months."

Now it can be as often as every few hours.

"Antivirus software that automatically updates itself makes sense in the present environment," says Ron Krantz, chief IT architect at Niagara Mohawk Power, in Syracuse, New York. "Vendors like Anti-Virus Pro offer four or five fixes a day."

No-Hands Attack Strategy

This may sound a little extreme to IT managers who support thousands of clients. Krantz emphasises that businesses need to find the right balance when implementing an antivirus solution.

"Rarely will you need to get updates that often," Krantz says. "The vendors are already very quick to get fixes out to everyone when a new virus appears. So daily updates will matter only if you are the unfortunate one to get hit first."

Another factor, according to Krantz, is resource allocation. In other words, productivity lost from constant software upgrades can easily be greater than the productivity lost from a new virus.

"It takes time to download the new fixes to each desktop," Krantz says.

Two of the biggest antivirus vendors, NAI and Symantec, are scrambling to make their antivirus code smart enough to automatically upgrade only when necessary. This method has yet to be proven, but if successful, it could give network managers a little more breathing room.

Antivirus software operates by scanning for a match with a signature file. These signatures are the fingerprints that identify malicious code. Signature scanning technology is mature, and the software is now quite effective.

But no matter how good the software is, it can't finger a new virus unless that virus's signature is known and filed in a repository.

"Today, it is entirely possible that a virus which surfaced for the first time in Malaysia could show up on your desktop the very next day," Forrester's Rutstein says.

This is why NAI and Symantec are working to completely automate the process of providing signature updates. NAI calls it the AutoImmune system, and Symantec has its Digital Immune system. Neither is fully functional yet, but both employ heuristic technology to identify suspicious code.

"Think of it like this: If you see someone walking down your street wearing a mask and carrying an automatic weapon, you might get suspicious," Symantec's Nachenberg says. "Our heuristic software is designed to recognise suspicious code."

Once that code is identified, the software will automatically send a copy to the vendors' labs. The code is analysed, and if it is indeed malicious, experts will create both a signature file and a fix. These will then be sent via the Internet as automatic upgrades.
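The two detection stages described above (signature scanning, and the heuristic pre-screen that decides what gets sent to the vendor's lab) can be shown side by side in a few lines. The Python below is an added illustration, not code from the article or from NAI's or Symantec's products; the "signature", the heuristic weights, the threshold and the three VBA samples are all constructed for the example. It shows why a signature catches the sample it was written for but not a variant with one string changed, while a heuristic score based on what the macro does (auto-execute entry point, Outlook automation, address-book enumeration, sending mail) flags the variant and leaves a benign formatting macro alone.

```python
import re

# Constructed signature: the byte pattern a scanner would look for after a lab
# has analysed a sample. Not a real vendor signature.
SIGNATURES = {
    "Macro.Demo.A": b'MsgBox "demo payload A"',
}

# Constructed heuristic table: (weight, pattern, reason). Each entry is a
# behaviour that is rare in honest macros but common in macro worms.
HEURISTICS = [
    (2, rb"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open)\b",
     "auto-execute entry point"),
    (3, rb'CreateObject\s*\(\s*"Outlook\.Application"', "Outlook automation"),
    (3, rb"\.AddressLists\b|\.AddressEntries\b", "address book enumeration"),
    (2, rb"\.Send\b", "sends mail"),
    (3, rb"\.VBProject\b|\.CodeModule\b|\bInsertLines\b",
     "writes macro code into other documents"),
    (2, rb"\bNormalTemplate\b", "touches the global template"),
    (2, rb'CreateObject\s*\(\s*"(WScript\.Shell|Scripting\.FileSystemObject)"',
     "shell or filesystem object"),
    (2, rb"\bShell\s*\(", "launches a process"),
    (1, rb"DisplayAlerts\s*=\s*False|VirusProtection\s*=\s*False",
     "disables warnings"),
]
THRESHOLD = 6  # assumed cut-off: at or above this, submit the sample to the lab


def signature_scan(blob: bytes) -> list[str]:
    """Exact-match stage: returns the names of every known signature present."""
    return [name for name, pattern in SIGNATURES.items() if pattern in blob]


def heuristic_scan(blob: bytes) -> tuple[int, list[str]]:
    """Behaviour stage: sums the weights of every indicator that fires."""
    hits = [(w, why) for w, pat, why in HEURISTICS
            if re.search(pat, blob, re.IGNORECASE)]
    return sum(w for w, _ in hits), [why for _, why in hits]


def classify(blob: bytes) -> tuple[str, int, list[str]]:
    """Signature first; if nothing matches, fall back to the heuristic score."""
    matched = signature_scan(blob)
    if matched:
        return "known-malicious", 0, matched
    score, reasons = heuristic_scan(blob)
    if score >= THRESHOLD:
        return "suspicious-submit-to-lab", score, reasons
    return "clean", score, reasons


# Constructed VBA samples. KNOWN is the sample the signature was written for;
# VARIANT is the same worm with only the payload string changed; BENIGN is an
# ordinary formatting macro.
KNOWN_SAMPLE = b'''Sub Document_Open()
  Set ol = CreateObject("Outlook.Application")
  Set ns = ol.GetNameSpace("MAPI")
  For Each entry In ns.AddressLists(1).AddressEntries
    Set m = ol.CreateItem(0)
    m.To = entry.Address
    m.Attachments.Add ActiveDocument.FullName
    m.Send
  Next
  MsgBox "demo payload A"
End Sub
'''
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"demo payload A", b"demo payload B")
BENIGN_SAMPLE = b'''Sub FormatTable()
  Selection.Tables(1).Borders.Enable = True
  Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE),
                          ("variant", VARIANT_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, classify(sample))
```

The variant scores 10 against a threshold of 6 even though no signature matches it, which is the gap the automated-submission schemes are meant to close: the heuristic stage buys time until the lab has produced a signature for the new strain. The cost is the usual one for heuristics: a legitimate mail-merge macro that enumerates the address book will score high too, so the threshold and weights need tuning against the organisation's own macros.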

Batten Down the Hatches

Whether these solutions will really offer users the security they promise remains to be seen. Meanwhile, IT managers struggle to make do.

"We are considering doing virus scanning on all incoming e-mail," Krantz says, but he adds that there are some major problems with implementing such a solution. "It is expensive, it creates a bottleneck at the mail server, and it isn't clear that such a scan will be all that effective," Krantz says. This last concern is a direct consequence of the new methods employed by hackers. "We aren't just scanning for binary code inside an executable anymore," Krantz says. "The bad code could be hidden in a password-protected Zip file or encrypted in S/MIME [Secure MIME]. These are things we can't even scan."
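Krantz's point that a gateway cannot see inside a password-protected Zip or an S/MIME-encrypted body does not mean it has to pass them through blind: it can at least recognise what it cannot scan and apply a policy to it. The Python below is an added example, not code from the article or from any vendor it names. It builds a constructed test message with a plain Zip attachment, a Zip whose entry carries the encryption flag (general-purpose flag bit 0 of the ZIP format; the bytes are not really enciphered), and a stand-in S/MIME part marked `smime-type=enveloped-data`, then walks the MIME tree and reports which parts a scanner could inspect and which it could not. The attachment names, addresses, the verdict strings and the "quarantine anything unscannable" rule are all assumptions made for the example.

```python
import io
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def build_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Hand-build a single-entry, stored (uncompressed) ZIP for the test message.
    With `encrypted` set only general-purpose flag bit 0 is raised, which is what
    a gateway sees on a password-protected archive; the payload itself is left
    as-is (constructed test data, not a real protected archive)."""
    flags = 0x0001 if encrypted else 0x0000
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    n = len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, n, n, len(name), 0) + name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                          0, 0, crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def zip_verdict(data: bytes) -> str:
    """Encrypted entries (flag bit 0) or a corrupt archive cannot be scanned."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(info.flag_bits & 0x1 for info in zf.infolist()):
                return "unscannable:zip-encrypted"
            return "scannable:zip"
    except zipfile.BadZipFile:
        return "unscannable:zip-corrupt"


def part_verdict(part) -> str:
    ctype = part.get_content_type()
    name = (part.get_filename() or "").lower()
    if ctype in SMIME_TYPES:
        smime_type = part.get_param("smime-type") or "unknown"
        # enveloped-data is encrypted to the recipient's key, so the gateway has
        # nothing to scan; an opaque signature can still be unwrapped and scanned.
        if smime_type == "signed-data":
            return "scannable:smime-signed"
        return f"unscannable:smime-{smime_type}"
    if ctype == "application/zip" or name.endswith(".zip"):
        return zip_verdict(part.get_payload(decode=True) or b"")
    return "scannable:" + ctype


def triage(raw: bytes) -> dict:
    """Walk every leaf MIME part and decide whether the message can be delivered
    after scanning or must be held because something in it cannot be inspected."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = {}
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        verdicts[part.get_filename() or f"part{idx}"] = part_verdict(part)
    unscannable = any(v.startswith("unscannable") for v in verdicts.values())
    return {"decision": "quarantine" if unscannable else "deliver-after-scan",
            "parts": verdicts}


def build_sample_message() -> bytes:
    """Constructed test message: one plain Zip, one 'encrypted' Zip, one S/MIME part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "it@example.test"
    msg["Subject"] = "Q1 report"
    msg.set_content("See attachments.")
    msg.add_attachment(build_zip(b"report.doc", b"plain stored bytes", False),
                       maintype="application", subtype="zip", filename="report.zip")
    msg.add_attachment(build_zip(b"invoice.exe", b"opaque bytes", True),
                       maintype="application", subtype="zip", filename="invoice.zip")
    # Stand-in for an S/MIME enveloped body; a real one would be DER-encoded CMS.
    msg.add_attachment(b"\x30\x82\x00\x00", maintype="application",
                       subtype="pkcs7-mime", filename="smime.p7m",
                       params={"smime-type": "enveloped-data"})
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

Whether "quarantine" is the right policy for encrypted Zips and S/MIME mail is an organisational decision (many sites deliver them with a warning, or scan at the desktop after decryption instead); the point is that the gateway can identify the blind spot rather than silently passing it.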

So as new applications and systems continue to open doors for hackers, and the interconnected Internet landscape expands, IT managers will have to keep closer watch over their growing networks in the coming years.

At the same time, IT can count on antivirus vendors to work on fighting the latest exploits.

Key Viruses to Watch Out For

Macros and scripts

There was a time when all malicious code was written in low-level languages. Hackers needed to be good at the esoteric art of writing in assembler or machine code to create effective viruses. But all that changed about five years ago.

"The Concept virus debuted in 1995," says Roger Thompson, technical director of malicious code research at ICSA, a computer security research company in Reston, Virginia. "It was written in Word Basic. The payload had a remark: 'And that's enough to prove my point.' We surmised it was a challenge among hackers."

The challenge was met. Virus writers now routinely use macro and scripting languages to create their most malicious pranks. Analysts say the new breed is not all that different from the old, but that there are two important distinctions.

"The fact that these viruses are written in higher-level languages does not make them any more or less dangerous," says James Hurley, managing director of information security at Aberdeen Group, in Boston.

"The important thing is that hackers don't have to know how to program in the more difficult, low-level languages."

In other words, these new tools automatically increase the number of potential virus authors.

The second differentiating factor that makes these new viruses more of a threat is that most of this new code is Web-enabled.

"It is so easy to tie these new macro viruses to e-mail," says Charles Rutstein, an analyst at Forrester Research, in Cambridge, Massachusetts.

The Melissa virus is probably still the most famous of these e-mail-borne, macro pests. According to Rutstein, Melissa was not all that destructive, but it did spread like wildfire. This was no coincidence. The infectiousness of a virus, Rutstein explains, varies inversely with its virulence.

"It is an age-old debate among hackers," Rutstein says.

"How destructive do you want to make it? If your virus is very destructive, it won't travel well since the response will be faster.

"A non-harmful virus, however, is likely to travel better. It can creep silently, rear its head once in a while, and spread far and wide."

Melissa was of the second variety.

"It wasn't intentionally destructive, but it wasn't benign, either - it did cause mail servers to crash," Rutstein says.

Antivirus vendors have adapted to the new breed: bad macros and scripts are routinely caught and obliterated. They remain, however, easier to write and more fleet of foot than older generations.

Bad applets

IT managers are already anticipating the arrival of newer, applet-borne enemies.

"I am sure that Java and ActiveX malicious code already exists," says Ron Krantz, chief IT architect at Niagara Mohawk Power, in Syracuse, New York. It is the anatomy of applets, he explains, that makes them more problematic than conventional viruses.

"On the Java side, you are at the mercy of the Java Virtual Machine to keep code inside the sandbox," Krantz says. "But some Java applets can run locally on your machine. These are not executables, and most antivirus software scans primarily for executable code. The same is true for ActiveX components."

Vincent Gulotto, director at Avert, the emergency response team at Network Associates (NAI), in Santa Clara, California, thinks that the Java Virtual Machine architecture does afford some protection.

"ActiveX is probably more dangerous than Java," Gulotto says. "The Java sandbox really does limit what a hacker can do. ActiveX, on the other hand, gives more control to the author."

Steve Lipner, manager of the security response team at Microsoft, disagrees.

"ActiveX is a platform that was designed with security features from the ground up," Lipner says. "Authenticated signatures are built into it."

An onslaught of malicious applets may sound like an IT nightmare, but Rutstein says that they will be no worse than the current crop of cyber pests.

"Viruses that use Java or ActiveX are really no more scary," Rutstein says.

"The fact that these are simply programs running on your machine without your permission is scary enough, but no more so than what we have already seen."

The folks at NAI, however, say bad applets do pose a new problem. The spectre of malicious code that can take over your system just because you surfed to the wrong Web site is a little frightening. Fortunately, the threat is still unrealised.

Aberdeen's Hurley says users are probably safe from bad applets - at least for now.

"Until Java and ActiveX applets are widely deployed, the enterprise has some breathing room, but not much," Hurley says.
