Viruses get smarter

He's been a virus writer for seven years. He goes by the handle Melhacker and may have been responsible for the recent outbreak of the Bugbear worm, the second most prevalent worm on the Internet last year. Now he claims to be working on a new virus, Scezda, that represents a new type of threat.

Scezda, as he describes it, falls into an emerging category of megaworms that combine features from some of this year's most prolific worms and viruses, including Sircam, Klez and Nimda. It uses a random number generator to determine how long it will remain dormant on a target system. Then it randomly chooses one of many different methods to replicate itself.

This is the essence of the new era of megaworms, what some experts refer to as blended, or polymorphic, threats that rely upon multiple methods of propagation. And that's just one way in which the virus threat is evolving.

Current Threats

Viruses Get Smarter
Credit: David Hollenbach

This past year, researchers at Lynnfield, Mass.-based Sophos Inc. detected 7,189 new viruses, worms and Trojan horses, bringing the total to more than 78,000. On average, the Sophos virus labs produce detection routines for more than 25 new viruses each day.

Nine of the top 10 viruses detected by all major virus-protection companies in 2002 were mass-mailing viruses that exploited known vulnerabilities in the Win32 application programming interface. And 87% of all reports of infections stemmed from Windows viruses.

"Worms that are targeting known vulnerabilities are continuing to climb," says Vincent Weafer, senior director of the Symantec Security Response group at Cupertino, Calif.-based Symantec Corp. "That's significant because you're moving away somewhat from social engineering."

The most significant weakness exploited last year was the so-called malformed MIME vulnerability, originally discovered in 2001. Although a patch has been available for more than a year, viruses and worms have been able to capitalize on this vulnerability on unpatched machines to automatically execute a virus program when a user views an e-mail in preview mode.

Brid, Bugbear, Nimda and Klez all use this vulnerability, says Weafer.

"Today, the line between worms and viruses is blurred as successful designs take on characteristics of both and spread over the Internet," says Dan Ingevaldson, team leader of Internet Security Systems Inc.'s X-Force group. "The most successful worms act like a Swiss Army Knife, because they can spread by using many different proven methods, such as mass e-mail, Web server vulnerabilities or peer-to-peer technologies."

Virus Evolution

In the near future, companies will need to be prepared to deal with increasingly stealthy viruses carrying more destructive payloads, say researchers. In a recent research paper, Stuart Staniford, CEO of Silicon Defense in Eureka, Calif., outlined the emerging "threat of surreptitious worms that spread more slowly but in a much harder to detect 'contagion' fashion."

"We demonstrate that such a worm today could arguably subvert upwards of 10 [million] Internet hosts," Staniford concludes.

Anti-Virus Emergency Response Team (AVERT) researchers at McAfee Security, a division of Network Associates Inc., say they encountered a virus that took advantage of the New Technology File System (NTFS) Alternate Data Streams (ADS) feature, which allows data to be stored in hidden files that are linked to visible NTFS files -- and can't be removed without deleting the NTFS file itself.

Users who don't have permission to write to a file can't add an ADS to it. And although Windows File Protection, introduced in Windows 2000, prevents hackers from replacing protected system files, it doesn't prevent an authorized user from adding ADSs, along with hidden, executable code, to those system files.

ADS's primary purpose is to enable compatibility with the Macintosh file system. But in September 2000, McAfee discovered a virus named Win2K.Stream that attempted to conceal itself in an ADS. This works because most antivirus products don't scan the ADS, says Vincent Gullotto, vice president of AVERT. McAfee has added this capability. But so far, Gullotto has seen no other instances of this technique.

The intentions of virus and worm writers are also changing. In the past, most worms and viruses destroyed data. Now, however, there are indications that the masters of malicious code are looking to steal that data.

"We'll see a progression toward targeting data," says Gullotto. "We saw that this past year with Sircam, which randomly took documents out of the MyDocuments folder."

Symantec's Weafer agrees. "Payloads have moved from data destruction to dropping Trojans and compromising machines, as well as sending information from the machine out of the network," he says. "You have to update your security patches."

Chris Wraight, a technology consultant at Sophos, says "combined cocktail threats" will be much harder for users to eradicate. Such a worm "might drop a Trojan, another virus, or it might replicate on another occasion," he says. So just because you've uncovered one instance of the malicious code, it doesn't mean you've discovered all infections.

And while the vast majority of worms and viruses are written to target known vulnerabilities in Windows platforms, some researchers are warning Linux and Unix users to beware. The September outbreak of the Linux Slapper worm, for example, infected more than 20,000 machines and could be used for denial-of-service attacks, says Weafer. "We're mixing Linux and Windows systems in the corporate world all the time," he says. "People who have Linux and Unix systems assumed they were immune. We know that's not true."

Microsoft Corp.'s .Net Framework may also become a major target for some virus and worm authors. "Alcopaul," a member of the group Brigado Ocho, recently submitted his creation to antivirus research labs for evaluation. Although Alcopaul says his worm, topeace.exe, doesn't destroy data, he claims that it is capable of turning off antivirus software, disabling firewalls, spreading to the Kazaa file-trading program and mailing itself to e-mail addresses it harvests from the Temporary Internet Files folder via the Simple Mail Transfer Protocol.

Antivirus vendors are still studying Alcopaul's worm to determine what specific vulnerabilities it exploits. However, past .Net worms have infected .Net executable files.

Although only users running Windows XP with Service Pack 1 have the .Net Framework installed, Alcopaul's vision is on the future. And that's the rub for his targets—trying to find the right balance between acting on current threats and thinking about future ones.

For now, the best protection is to stick with the basics, says Weafer. "Pay attention to security updates and lock down unnecessary services."

Virus Trends To Watch

Proliferation of Megaviruses:

These worms and viruses change every time they replicate and target multiple vulnerability points instead of exploiting just one weakness.

Increased Data Theft:

Like Sircam, which removed files from the user's MyDocuments folder, new viruses will be designed to steal data—not just destroy it.

Greater Sophistication:

Virus writers will exploit a broader range of weaknesses, such as attaching viruses to Windows NTFS files as linked, hidden Alternate Data Stream files.

.Net Threat:

Virus and worm program writers are probing Microsoft's .Net Framework and developing programs that may leverage weaknesses in the framework and associated executable files.

Copyright © 2003 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon