Panda predicts more viruses

Still haunted by nightmares about Nimda and Code Red? Get ready for more.

That was the message from Los Angeles-based anti-virus developer Panda Software last month when it released its predictions of potential and probable threats to computing systems in 2002. The company said it is likely this year will see more forms of the notorious viruses that infected systems by worming their way from person to person.

Code Red took the industry by surprise by being the first virus capable of spreading rapidly without leaving traditional traces of infection. Although Code Red did not physically infect files, it spread through the Internet and lodged itself in the memory of infected computers.

On a different scale but just as destructive was the Nimda virus, which exploited vulnerabilities in Microsoft’s Internet Explorer. This vulnerability allowed Nimda to run automatically when viewed in the e-mail client’s preview window. The e-mail did not have to be opened for the virus to spread and infect.

With these two high-profile attacks in mind, Panda said it is likely that 2002 will see viruses exploiting vulnerabilities such as buffer overflows, which potentially could allow programs to be run on users’ computers without their knowledge.

A buffer overflow is linked to the process of an application being assigned memory in a computer. According to Jim Hurley, vice-president and managing director, information security with the Boston-based Aberdeen Group, there are always two locations where memory is assigned: one where the application executes and one used as a scratch pad for data and interactions with other applications. Hurley said that buffer overflows occur when the memory from application A overflows into application B, thereby corrupting application B’s memory.

“What [Panda] is referring to as a possibility for a viral infection would be what’s known in the security business as a covert timing channel,” Hurley said. “The skill which you have to have in order to write covert timing applications is way beyond what the typical author of a virus possesses. I would dismiss out-of-hand what Panda is saying as far as buffer overflows.”

But Panda Senior Technical Support Steve Gold said that buffer overflows are a possibility, though not necessarily a vulnerability that is certain to be exploited. He said that the real trend lies in the worm-like viruses like Nimda because they are harder to clean up and because they spread considerably faster than the traditional virus.

The Canadian general manager for Symantec Corp., an Internet security tool manufacturer, agreed. Toronto-based Michael Murphy said there is an emerging trend with mass-mailing worms targeting Windows 32-bit operating systems, but warns that there are also more serious viruses in existence that have not had the fame of Nimda and Code Red.

“If you look at those two, they were probably not the biggest, but they got a lot of media attention for mainly one simple reason,” Murphy said. “They were less about viruses and anti-virus as they were as an emerging trend toward a blended threat. What I mean is a security attack or threat that employs multiple methods and techniques for self-propagation. They are difficult to contain because people went after them like they were just a virus problem, and went after them with just a virus solution. If you did that, you only cut off one of the many heads of the worm.”

Both Murphy and Gold suggested that corporations use stronger means of security than merely anti-virus software. Blended threats require blended defences, such as anti-virus in conjunction with firewalls, intrusion-detection and vulnerability management.

Still, Murphy said that the weakest link resides in human weakness that will continually be exploited. He said that deleting unsolicited e-mails from unknown sources is a generally good rule of thumb, but added that it is the e-mails from friends, family and acquaintances that users should be more concerned with. He advised using extreme caution if you have received an e-mail from someone you know that is unsolicited and unexpected.

“Although consumers are not the target of attacks any longer, they are being used as the facilitator to launch a greater attack,” Murphy said. “Individual users have the power in their hands to make sure their anti-virus products are kept up-to-date to rid their exposure to threats, or at least at a minimum quarantine or slow down the spread of the threats that are out there.”