Virus numbers dwindle, but impact increases

Though the overall number of viruses being detected each month is falling, the severity of the viruses that are being written is increasing, with this year’s Code Red and Nimda worms as perfect examples of this trend, according to Vincent Gullotto, senior director of McAfee AVERT Labs, who spoke at Comdex in Las Vegas earlier this month.

AVERT Labs is the virus research division of Network Associates Inc., the company that owns the McAfee family of anti-virus and security companies.

As macro and VBS (Visual Basic Script) viruses are becoming less prevalent and more generally defended against, malicious code has turned more to worms and exploiting security vulnerabilities, he said. Macro viruses attack the feature offered in many applications that allows users to create their own mini-programs, or macros. Worms are distinct from viruses as they are able to spread themselves, rather than relying on user action to spread them, as viruses do.

Companies are largely doing a good job of protecting themselves against mass mailer worms that spread using e-mail attachments, by blocking those attachments from entering the network, he said. However, the rise of mobile devices like PDAs (personal digital assistants) and laptops creates an environment in which malicious code that may not be a mass mailer can enter into a corporate network by bypassing corporate security measures, Gullotto added.

Despite the strides being made in the enterprise, users are still spreading viruses that require an attachment to be double clicked, he said. These outbreaks, however, are more likely to occur in the home, rather than in the office, as there is no IT administrator to help guard against such actions at home, he added. Users may also unintentionally infect corporate networks by downloading files from Web-based e-mail accounts, he added.

Virus writers have been largely quiet in recent months, with few major outbreaks or newly created viruses popping up, he said. It’s not clear whether this is a good or a bad thing, however, because the quiet may mean that the post-Sept. 11 computer crime laws have had an effect or it “could be the quiet before the storm,” Gullotto said.

The most recent major outbreak – Nimda, which infected hundreds of thousands of systems in September – was “the ultimate cocktail,” a worm that exploited multiple methods of spreading, and attacked systems through multiple security holes in Microsoft Corp.’s IIS (Internet Information Services) software, he said. Code Red also attacked IIS. Nimda was a proof-of-concept worm – a worm created to show that such a thing could be made – and though “they’re not always effective,” they are “where we see things going,” he said. The U.S. Federal Bureau of Investigation still has no solid leads on who wrote the Nimda worm, he added.

Nimda is likely only the next step in the evolution of similar malicious code, Gullotto said in a separate interview. Current virus-writing projects are likely tackling the problem of making a worm that functions like Nimda – that has multiple methods of spreading – without needing to exploit the same vulnerabilities that Nimda did, he said.

“Even if all IIS servers are patched, these guys aren’t going to stop,” he said.

Another disturbing trend finds that “the Internet is not only a vehicle by which a virus can be spread, but it’s becoming a target,” he said. A recent paper released by the CERT/Coordination Center, a government-funded security research body, warned that Denial of Service attacks, attacks which knock systems offline by flooding them with false traffic, are increasingly being directed against Internet infrastructure components like routers.

Such a scenario is not out of the realm of possibility for virus writers, since Code Red, which cropped up in July and also hit hundreds of thousands of systems worldwide, included a Denial of Service attack component, he said.

“If somebody’s serious about taking down the Internet … that’s one area they’re going to go after,” Gullotto said.

Despite such dire warnings, useful actions are being taken, he said. Companies need to continue their efforts to educate users, communicate between departments and organizations, and keep their software and patches up to date, he said.

Antivirus companies will have to make their own changes, he said, noting that those companies will need to change their methods of detecting viruses from signature-based to behavior-based systems. Currently, signature-based systems detect the presence of malicious code based on the appearance of a virus’ code, whereas behavior-based detection will discover malicious code based on how it acts, not how it looks. Such improvements will show up in McAfee products in the first quarter of 2002, when the company begins to integrate technology from Network Associates’ PGPfire and encryption products, he said.

“Security has to become a context … a way of being,” he said, adding that that context won’t come in one easy step.

“It’s going to have to just be people chipping away,” he said.

McAfee, in Santa Clara, Calif., is at