Klez: The virus that won’t die?

Virus alert centers are bracing themselves for a new wave of Klez worm attacks this week: One annoying variant of the persistent pest is expected to resurrect itself July 6 to send infected e-mail. And, experts warn, it’s likely to continue plaguing us unless we all clean up our acts.

The Klez worm is approaching its seventh month of wriggling across the Web, making it one of the most persistent viruses of all time. It maintains a dangerous energy and produces offspring that arise with perilous regularity.

It’s proving more resilient than its predecessors. The British security firm MessageLabs Ltd. estimates that one in every 200 e-mail messages contains a variation of the Klez virus. Symantec Corp. and McAfee Security, makers of two of the leading antivirus products, still get more than 2000 reports of new infections daily. MessageLabs predicts Klez will soon surpass last summer’s SirCam as the most prolific virus ever.

How’s Klez Different?

Klez has a few nasty twists that may hint at the future of Internet viruses. Primarily, it’s a “blended threat,” which is software that distributes itself like a virus, and behaves sometimes like a worm and at other times like a Trojan horse.

Klez mails itself to addresses it scavenges from e-mail address books, but can also search an infected hard drive for addresses from the Web browser cache or temporary files. Klez also draws its return address from those sources, making the virus additionally tricky to track. Its methodology shows how virus writers are teaching each new generation of their creations to be more cunning. The twist of harvesting addresses relies on human psychology to keep people clicking on the file attachments that unleash the virus and spread it to others.

But Klez is not just a nuisance. Because there is no way to determine whether a virus was launched by a hacker or a terrorist, law enforcement must investigate every major case. Consequently, valuable policing resources are being diverted from the hunt for members of Al-Qaeda, and other terrorists, to the task of determining whether a simple virus outbreak is more than a prank.

“[Virus creators] could be 14-year-old kids or a terrorist group, yet you need to be able to respond,” says Christopher Painter, deputy chief of the U.S. Department of Justice’s Computer Crime and Intellectual Property Section.

But even if homeland defense cybercops determine that one of these sneakier, blended threat viruses is a terrorist weapon, viruses by nature allow anonymity. Unless the person who sent the virus claims responsibility, we may never know where a virus or worm came from, whether it was deliberately sent our way, or why it was released at all.

How Klez Works

“These types of blended threats use multiple avenues of infection, and they employ techniques that exploit network vulnerabilities,” says Vincent Weafer, senior director of Symantec Security Response. It’s not enough to update your antivirus software’s data definitions regularly, he notes. Users who install security patches regularly are better equipped to defend their PCs against the kinds of worms that attack well-known Windows weaknesses.

In the months since Klez was first identified, antivirus vendors have discovered seven other variant versions of the virus. These strains share many behavioral traits, but act slightly differently from one another. For example, some later versions can also attack other computers over networks by copying infected files to file servers and shared hard drives. The newest variant, W32.Klez.H@mm, contains another worm, a virus-within-a-virus called ElKern, that can damage an operating system beyond the capability of antivirus software to repair it. In some cases, users have to format their entire hard drive and reinstall Windows to eliminate the virus from their PC.

Researchers call malicious code like Klez a worm because Klez can propel itself to the next victim’s PC. Viruses, on the other hand, rely on a vulnerable application to propagate to another victim, often using the victim’s e-mail program. In recent years, Outlook Express has become the most popular target for virus writers. Because Outlook Express is bundled with Windows, it comes with virtually every PC.

Klez normally arrives in the in-boxes of unsuspecting victims as a file attachment. When the victim double-clicks the attachment, the fun begins for Klez. It scavenges for new return addresses and spreads itself using any of dozens of different subject lines. Sometimes it masquerades as a “Klez removal tool,” and some variants build their subject lines from random words taken from files on the victim’s hard drive.

“These types of social engineering tricks are extremely effective,” says virus researcher Sarah Gordon, who studies the secretive world of virus writers. People don’t want to ignore a friend or colleague, she says. “They feel compelled to look at an attachment–even though they’ve heard the warning.”

Impossible to Track

Antivirus experts agree that China and Southeast Asia were the first regions to experience a widespread Klez outbreak. But that doesn’t mean the creator of the virus lives in Asia, or even in that hemisphere.

“It’s very difficult to tell from text within a virus, or even the first place a virus is spotted, where it actually was written or from where it was first launched,” Gordon says.

Weafer agrees. “Our track record in [catching virus writers] is very poor.”

Even if experts identify the PC where the virus originated, “the person who releases [the virus] may not necessarily be the person who authored it,” Gordon adds.

Consequently, these pests essentially take on a life of their own, the experts say. And they suggest PC users brace themselves for more viral visitors.

A typical scenario is that of Southern California PC user Michael “Jilly” Jillson, who was receiving several Klez-infected e-mail messages daily when he sought help from PC World.

“I update my antivirus software on a daily basis and am not too concerned about infecting my software; however, this is a nuisance and I want it to stop,” Jillson wrote.

It’s likely that Klez is coming to Jillson because his e-mail address is in an address book on one or more infected PCs. Unfortunately, unless all of Jillson’s acquaintances clean their infected hard drives with the Klez Removal Tool and install up-to-date antivirus tools, Klez will almost certainly continue to reappear in Jillson’s in-box.
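An added example, not from the article and not a tool it mentions: the Received-header walk a mail administrator would use to see why the From: line on a Klez-style message (harvested from an infected PC, as described earlier) points at an uninvolved third party, and where an infection report actually belongs in a case like Jillson’s. All hosts, addresses and the attachment name are constructed, and the executable-extension check is an assumed heuristic.

```python
import re
from email import message_from_string, policy

# Constructed sample (hypothetical hosts, addresses, file name): From: carries a
# harvested third-party address; the bottom-most Received: line names the PC
# that actually submitted the message.
SAMPLE_KLEZ_STYLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
        by inbox.example.org with ESMTP id abc123; Mon, 1 Jul 2002 10:00:02 -0700
Received: from victim-pc ([203.0.113.45])
        by mx.example.net with SMTP id def456; Mon, 1 Jul 2002 10:00:01 -0700
From: colleague@example.com
To: jillson@example.org
Subject: Klez removal tool
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="removal.exe"
Content-Disposition: attachment; filename="removal.exe"

(placeholder bytes, not a real executable)
--b1--
"""

# "from <host> (... [ip])" as written by the receiving relay, not by the sender.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s*\(.*?\[([0-9.]+)\]", re.S)

def apparent_sender(raw):
    """From: address; under Klez a harvested address that blames no one."""
    return str(message_from_string(raw, policy=policy.default)["From"])

def originating_hop(raw):
    """(host, ip) from the earliest Received: header. Relays prepend these, so
    the last one in header order was stamped by the first relay to accept it."""
    msg = message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    m = RECEIVED_FROM.search(received[-1]) if received else None
    return (m.group(1), m.group(2)) if m else None

def executable_attachments(raw):
    """Attachment names with executable extensions (assumed heuristic)."""
    msg = message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith((".exe", ".scr", ".pif"))]

def infection_report_target(raw):
    """Operator of the originating hop's IP, never the forged From: address."""
    hop = originating_hop(raw)
    return hop[1] if hop else None
```

The practical rule this encodes: never bounce or auto-reply an infection notice to the From: address of a Klez-style message; it reaches someone whose only involvement is being in an infected PC’s address book.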

The only answer seems to be that everyone who uses a PC is responsible, in a small way, for their neighbor’s security, and must ensure their own computer is clean.

The lesson: Homeland cyber-defense starts at home.