Backdoors, Trojan plague Usenet, says McAfee

A part of the Internet that existed before the Web ever did, and was once among the busiest places online, is now, despite its loss of visitors (and many would argue, loss of quality, as well), a breeding ground for some of the Internet’s most vicious viruses, according to anti-virus firm McAfee, a division of Network Associates Inc.

That corner of the Internet is Usenet, a series of forums, or newsgroups, dedicated to specific topics such as the Los Angeles Lakers, Unix system administration or any imaginable permutation of sex, where people interested in those topics can meet, discuss and post files. However, along with debates and downloads, viruses are also spread and archived there, according to Dmitry Gryaznov, the manager of advanced virus research at McAfee and a member of the VirusPatrol project at McAfee’s Avert Labs.

Gryaznov has been studying viruses on Usenet for five to six years, and says that despite the perception that Usenet is becoming increasingly irrelevant in the face of the Web, the population of Usenet visitors is actually growing as new Internet users log on every day. The volume of Usenet posts grew 20 percent from January 2001 to April 2001, he said. And those new visitors are likely to encounter a flood of viruses, including Trojan horses, backdoors and tools used to take over PCs for use in Denial of Service attacks, he said.

Such viruses are rarely posted to newsgroups advertising themselves as viruses, he said, but are rather disguised as image, movie or sound files. Many newsgroups are devoted to sharing files of these types, as well as trading pirated software. Often the files users download are not what they appear to be, but instead are actually program files that install viruses or backdoors on PCs without the user’s knowledge, Gryaznov said.
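The disguise described above can be caught by comparing what a posted file claims to be with what its first bytes say it is. The sketch below is an added example, not McAfee's or VirusPatrol's tooling; it assumes attachments are uuencoded inside the post body, and the function names and sample posts are constructed for illustration.

```python
import binascii

# Leading "magic" bytes of a few formats; MZ marks a DOS/Windows executable.
MAGIC = {"exe": [b"MZ"], "jpg": [b"\xff\xd8\xff"],
         "gif": [b"GIF87a", b"GIF89a"], "png": [b"\x89PNG\r\n\x1a\n"]}
MEDIA_EXT = {"jpg", "jpeg", "gif", "png", "bmp", "avi", "mpg", "mp3", "wav"}

def sniff(data):
    """Return the format whose magic bytes start `data`, or None if unknown."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None

def uu_attachments(post):
    """Yield (filename, first decoded bytes) for each uuencoded block in a post."""
    lines = post.splitlines()
    for i, line in enumerate(lines):
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "begin" and parts[1].isdigit():
            head = b""
            for body in lines[i + 1:]:
                if body == "end" or len(head) >= 16:
                    break
                if body.strip():  # skip blank lines inside the block
                    head += binascii.a2b_uu(body.encode("ascii"))
            yield parts[2], head

def check_post(post):
    """Return (filename, detected type) for executables posted under media names."""
    findings = []
    for name, head in uu_attachments(post):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff(head)
        if kind == "exe" and ext in MEDIA_EXT:
            findings.append((name, kind))
    return findings

def make_post(filename, payload):
    """Build a constructed sample post carrying one uuencoded line (max 45 bytes)."""
    body = binascii.b2a_uu(payload[:45]).decode("ascii")
    return f"Subject: pics\n\nbegin 644 {filename}\n{body}`\nend\n"

if __name__ == "__main__":
    disguised = make_post("holiday.jpg", b"MZ" + b"\x90\x00" * 10)  # constructed
    genuine = make_post("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    print(check_post(disguised))
    print(check_post(genuine))
```

Only the first decoded bytes are inspected, so the check flags a mismatch between name and content; it does not say whether the executable is malicious.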

Sex and other file-trading newsgroups are among the most popular on Usenet and the most popular for virus writers, he said.

“More and more people are joining (these newsgroups) because it is free stuff,” he said. But so are the virus writers.

Separating the viruses from the legitimate posts is no easy task because of the volume of messages posted to Usenet each day. Over 230G-bytes of data are posted to newsgroups each day and a single virus may be posted as often as 200 times per day, according to Gryaznov’s research.

Many of the viruses found on Usenet are well known and destructive. Along with the Happy99 virus and the LoveLetter (ILoveYou) virus, which wreaked havoc worldwide to the tune of US$10 billion in 2000, the Melissa virus, which caused $80 million in damages in March 1999, began its life in newsgroups, with the first-ever posting of the virus coming there, Gryaznov said.

These viruses, despite their age, are still making their way around Usenet because newsgroup posts are archived at sites such as Google and the posts take a long time to expire, he said.

Some viruses even scan newsgroups looking for new versions of themselves and auto-update when they find one, according to Vincent Gullotto, senior director of Avert Labs.

Many companies have curtailed access to newsgroups, which are often read through dedicated newsreader programs, but this has not stopped Usenet-spawned viruses from infiltrating corporate networks, he said. E-mail and Web browsing programs have also added newsgroup access features, making the spread of viruses into the corporate setting harder to curtail.

“There are plenty of gateways and you simply cannot block all of them,” Gryaznov said.

The course of action designed to fight the spread of viruses on Usenet is, by now, fairly familiar to most users: keep your anti-virus program updated, run it regularly, don’t open suspicious files or download programs whose function you’re unsure of. However, as newsgroup patrons may not be expecting viruses, they must be educated, Gryaznov said.

To that end, the company will be launching a new virus information Web site later this year called VirusPatrol Live. VirusPatrol Live will include large amounts of the data Gryaznov and VirusPatrol have collected about Usenet and viruses, including statistics and more detailed virus information. VirusPatrol also hopes to expand its scans of Usenet from the one-third now covered to all newsgroups, he said.

Additionally, VirusPatrol posts virus alerts to newsgroups in which viruses appear, hoping to warn users and thus keep them from downloading infected files.

In the battle to stop viruses, he said, “undoubtedly, education is one of the keys.”

McAfee, in Santa Clara, Calif., can be contacted at