Strategies to beat the virus writers


Twenty years after Fred Cohen first defined the computer security problem of viruses in a paper he wrote as a graduate student, most experts would contend that viruses have evolved from intermittent irritants into an internet plague.

But Cohen, a research professor at the University of New Haven and principal analyst at the Burton Group, believes that viruses really haven't changed much since the late 1980s. Email-based viruses and programs that exploit software vulnerabilities basically all imitate similar iterations from the past, he says.

Still, the industry continues to grapple with viruses and other malware such as worms and Trojans that can tear across the internet and cause millions in damage. With a constant stream of new threats, anti-virus companies have responded by producing signature files at an ever-faster pace to detect new attacks and by deploying techniques such as heuristics.

But in light of what some security experts say is the evolving nature of internet threats that use multiple attack mechanisms, plus the looming potential of so-called "zero-day" attacks, has virus protection reached its limit?

"Anti-virus suppliers haven't slipped up at all in terms of their ability to respond quickly. If anything, they've improved slightly, but the problem from a dimensions perspective has changed radically," says Eric Hemmendinger, analyst at Aberdeen Group.

"There's nothing slow about the worm propagation at this point ... The propagation mechanisms are circumventing the speed issue."

Consequently, anti-virus companies are unleashing new tactics to ward off malware. They're making it easier for customers to deploy updates. They're incorporating anti-spam techniques, containing outbreaks, and ferreting out spyware and malicious mobile code. And they are looking beyond virus protection.

"What we're seeing as anti-virus as a standalone in the traditional sense isn't good enough, it has to be broader," says Sharon Ruckman, senior director of Symantec Security Response. "It's really about integrating technologies to give you a fuller solution. It's more than just a heuristic engine on the anti-virus side. You want the firewall protection and intrusion detection to come together in order to be a smarter solution."

Signatures still prime defense

At the heart of anti-virus technology are signature files, which will remain key in the fight against viruses and worms, say anti-virus providers.

"There's always talk about the signature-based approach having had its day," says Chris Belthoff, senior security analyst at Sophos.

"From our perspective, it's still very much in use and really able to keep up with the virus threats."

Vincent Gullotto, vice-president of the Anti-virus Emergency Response Team (AVERT) at Network Associates, predicts that signature technology will be around for some time to come.

"It's effective and we've made great strides with it over the past few years," he says, citing Network Associates' "generic technology."

Generic detection uses a single virus definition to detect many variants of the same virus family. The technology, which "makes some assumptions that are heuristics-based, but in a more definitive way," has proven an effective proactive defense mechanism, states Gullotto.

For the most part, anti-virus companies all quickly release signature updates at about the same time, putting an end to the war on the speed front, believes Bob Hansmann, director of enterprise marketing at Trend Micro.

"It used to be days and there was a significant difference. Now we all have it [an update] out there in one or two hours," he says.

But signature files can be unwieldy, large files that are difficult for enterprises to deploy rapidly - a problem some vendors are now focusing on addressing.

"We have customers, for them to roll out a 200 KB update could take days in their organization. But if we can get them something smaller, a policy that's 3KB or 4KB, say, they can deploy that nationwide in four or five hours," says Hansmann.

For example, last summer's Sobig-F spread through email as a .pif file, so a company could quickly install an email filter to strip off attachments with .pif extensions before deploying the larger anti-virus update, he says.
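The interim policy Hansmann describes, stripping attachments by extension at the mail gateway while the full signature update is still being rolled out, as an added example that is not code from the article or from any vendor it names; the block list beyond .pif, the header name and the sample message are assumptions:

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the interim policy strips. Only .pif comes from the article (Sobig-F);
# .scr is an assumed addition to show the list is configurable.
BLOCKED_EXTENSIONS = {".pif", ".scr"}

def is_blocked(filename):
    """Match on the final extension, case-insensitively, so 'invoice.txt.PIF'
    is caught while 'readme.pif.txt' is not."""
    if not filename:
        return False
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS

def _prune(part, removed):
    """Walk the MIME tree and drop leaf parts whose filename is blocked."""
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        if sub.is_multipart():
            _prune(sub, removed)
            kept.append(sub)
        elif is_blocked(sub.get_filename()):
            removed.append(sub.get_filename())
        else:
            kept.append(sub)
    part.set_payload(kept)

def strip_blocked_attachments(raw):
    """Parse a raw message, strip blocked attachments, return (message, removed names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    _prune(msg, removed)
    if removed:  # assumed audit header so the recipient knows what was removed
        msg["X-Attachment-Policy"] = "stripped " + ", ".join(removed)
    return msg, removed

def attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def build_sample():
    """Constructed sample resembling a mass-mailer: text body plus a .pif attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "someone@example.com", "user@example.com", "Re: Thank you!"
    m.set_content("Please see the attached file.")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="thank_you.pif")
    m.add_attachment("Meeting notes.", filename="notes.txt")
    return m.as_bytes()
```

Matching on the extension alone is deliberately crude; it buys time until the signature arrives and is not a substitute for the scanner.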

Sophos designs its updates as small binary files, not executables, on the order of 2KB to 4KB in size, which makes it easy for companies to deploy to a large number of desktops and servers, claims Belthoff.

"In terms of where virus protection is going, I think it will still rely predominantly on the signature approach for the near term," he says. "If the operational excellence and responsiveness of the vendor is there, it's still a suitable approach to deal with viruses."

Appropriate management tools

An anti-virus vendor also needs to supply appropriate management tools, comments one IT manager at a major university which, along with a slew of companies, had its marketing center hit hard by the Nimda worm when it first struck in 2001.

The attack cost the center three days of work, resulting in the loss of thousands of dollars and forcing the university to re-think its anti-virus solution, says the administrator, who requests anonymity. The college's new choice - Sophos - provides the necessary enterprise-level management functions that the previous solution didn't, he says.

"You need a management console where you see a whole network and manage centrally, rather than at the workstation level," he explains.

With viruses and spam starting to converge, anti-virus vendors are incorporating spam and web address filtering techniques, comments Matthew Kovar, analyst at the Yankee Group. "The anti-spam guys have been good at identifying bad IP addresses or bad web sites. That research is helping out the AV folks," he says.

Researchers at F-Secure have been putting a lot of effort into anti-spam technology over the past year, says Mikko Hypponen, director of anti-virus research at the company.

"Spammers and virus-writing groups have found each other, which means we have viruses written by organized groups and the quality of the virus is much better," he says. "From a technology point of view, anti-virus companies that are not in the anti-spam business will enter it. It makes sense to address both threats at the same time."

For example, according to Hypponen, last summer's Sobig virus installed proxy servers on victims' machines that spammers could use to send bulk email.

Spyware - yet another problem

Anti-virus providers also are on the lookout for spyware, software that tracks computer use.

"Spyware is picking up and getting more malicious," says Trend Micro's Hansmann. "Some of it is already classified as a virus. Many AV companies scan for spyware because of its virus-like behavior."

The wide range of malicious code coming through email, the web and other avenues requires more of a content security solution than classic virus protection, say security executives.

"Signature-based detection of viruses still remains the fastest and most accurate means to determine whether a file is infected or not," explains Ian Hameroff, senior security strategist with Computer Associates.

"However, anti-virus by its nature is a fairly reactive approach. More and more threats we've seen this year, and will see in the future, won't necessarily trip across the tripwires that anti-virus solutions use."

He cites a recent Trojan program that could alter the settings on an end user's computer via a web site that contained malicious code. "Right there, anti-virus, although it's probably thought by the average user to be the solution to that, can't address the challenge alone. You need an understanding of the content."

Hameroff says CA has augmented its anti-virus solution by packaging it with spam filtering, Web access control, and content security policy management for HTTP, SMTP and FTP.

More and more, malicious hackers are using mobile code - Java applets, JavaScript, ActiveX controls - to create attacks that can spread faster than anti-virus companies can release updates, says Shlomo Touboul, CEO at Finjan Software. His company provides technology that inspects the behavior of code downloaded from the internet and blocks content that doesn't comply with a company's security policies.

Aside from blocking viruses and worms, some vendors are working on ways to contain outbreaks in a network.

ForeScout Technologies recently launched WormScout, which automatically suppresses worm propagation and contains it within limited subnets in order to maintain network availability and business continuity.

Hewlett-Packard researchers have developed a throttle that slows the rate of virus propagation, according to Joe Pato, distinguished scientist at HP Labs.

System configuration also can help limit a worm's spread, says Symantec's Ruckman. For instance, a firewall rule restricting a system to a certain email program could help contain the spread of a worm that has its own SMTP engine. "While you might be impacted, you're not impacting anyone else and you've located that particular threat," she explains.

Techniques that are able to lock down systems will be needed to contain metamorphic viruses, which continually change and can elude signature-based detection and basic heuristics, continues Ruckman.
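The propagation throttle mentioned above, as an added illustration that is not HP's code or the article's: a per-host throttle built on a small working set of recently contacted destinations plus a delay queue for new ones, so a worm that scans many new addresses is slowed and flagged while ordinary traffic passes untouched. The working-set size, release rate, alert threshold and the two traffic patterns are assumptions.

```python
from collections import deque
class ConnectionThrottle:
    """Known destinations (working set) connect at once; new ones queue and are
    released at a fixed rate. A queue that keeps growing marks a scanning host."""
    def __init__(self, working_set_size=5, alert_queue_len=100):
        self.working_set = deque(maxlen=working_set_size)  # oldest entry evicted first
        self.delay_queue = deque()
        self.alert_queue_len = alert_queue_len
        self.next_release = 0
        self.alerted = False

    def request(self, dest, now):
        """Return 'allowed' for a recently contacted destination, else queue it."""
        if dest in self.working_set:
            return "allowed"
        self.delay_queue.append((dest, now))
        if len(self.delay_queue) >= self.alert_queue_len:
            self.alerted = True  # the cue for an operator or automated containment
        return "queued"

    def tick(self, now):
        """Release at most one queued connection per second (the assumed rate)."""
        if self.delay_queue and now >= self.next_release:
            dest, _ = self.delay_queue.popleft()
            self.working_set.append(dest)
            self.next_release = now + 1
            return [dest]
        return []

def run(traffic, throttle, seconds):
    """Drive the throttle with (second, destination) events and summarise."""
    stats = {"immediate": 0, "released": 0}
    for now in range(seconds):
        stats["released"] += len(throttle.tick(now))
        for t, dest in traffic:
            if t == now and throttle.request(dest, now) == "allowed":
                stats["immediate"] += 1
    stats["backlog"] = len(throttle.delay_queue)
    stats["alerted"] = throttle.alerted
    return stats

# Constructed traffic: a workstation cycling through three servers versus an
# infected host probing 20 new addresses every second.
NORMAL = [(s, ("mail", "proxy", "fileserver")[s % 3]) for s in range(30)]
SCANNER = [(s, f"10.0.{s}.{k}") for s in range(10) for k in range(20)]
def normal_stats():
    return run(NORMAL, ConnectionThrottle(), 30)
def scanner_stats():
    return run(SCANNER, ConnectionThrottle(), 10)
```

After its first three connections the workstation is never delayed again, while the scanning host gets only one new connection per second and trips the alert threshold within seconds.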

Putting it all together

The speed with which malicious code can spread is leading anti-virus suppliers to coalesce around multiple points of protection, says Hemmendinger.

"If you just take Network Associates and Symantec as examples, they're working as hard as they can to deliver more ways to deploy protection against this. In the meantime, by no means is anti-virus a bad approach," he says.

"Nobody is suggesting you take that stuff out. No single approach is going to stop this."

Intrusion prevention - an area in which both Symantec and Network Associates have made acquisitions - shows promise in battling malware, he says.

"We're not just an anti-virus firm. We're moving into the larger scope of being a pure security company, where we can offer different types of technologies that enhance anti-virus technology," claims Network Associates' Gullotto, citing the company's acquisition of intrusion-prevention firms Entercept Security Technologies and IntruVert Networks last year.

Firewalls also play an important role, he and others note. Anti-virus tools are becoming more intelligent, and those that can be plugged into third-party firewalls provide a more robust type of security solution, believes Gary Morse, president of security-services firm Razorpoint Security Technologies.

"One is looking for a malicious type of virus that might come in the form of an attachment, while the other is doing more packet-monitoring security," he comments.

Indeed, individual security technologies need to work together, says Trend Micro's Hansmann.

"Viruses are spreading through the network in lots of different ways, so perimeter security is not a solution and doing point products in single places is going to provide a little better, but still not a complete, solution," he says. "All these solutions are going to have to evolve and become more intelligent in working together."

On that front, Trend Micro, Symantec and Network Associates unveiled a cooperative effort with networking giant Cisco Systems to head off worms and viruses. The Cisco Network Admission Control program, slated for availability by mid-year, enables Cisco routers to block or restrict network access to an endpoint device that does not have anti-virus updates or operating system patches.

Cisco Trust Agent

Key to the program is the Cisco Trust Agent, software that sits on endpoint systems, collects data from security software clients and relays that information to the Cisco network. Network Associates, Symantec and Trend Micro have licensed the Trust Agent from Cisco to integrate with their products.

Meanwhile, Fortinet is touting its "dynamic threat protection," which combines ASIC-accelerated anti-virus and firewall protection with intrusion prevention.

"This technology we've been talking about is what comes when you blur what have been fairly arbitrary lines between the way anti-virus systems and intrusion prevention systems work," says Richard Kagan, Fortinet's vice-president of marketing. "You can make a system that is a lot more seamless and able to react much more dynamically."

Despite the evolving nature of viruses, one aspect has remained pretty constant - social engineering, believes CA's Hameroff. All the latest and greatest systems can still be thwarted without user education, he says.

"It's more than just technology, it's also people and processes," he adds.

Mass-mailing worms continue to pop up, even though they require users to double-click on attachments, notes Belthoff of Sophos.

"There's always an element of psychology and education and end-user awareness in terms of whether you're going to be successful or not at fighting viruses," he says.

"You could deploy the greatest, most wonderful technology, but if someone keeps double-clicking on attachments, you're still at risk."

Paying the price

But Professor Cohen says the industry has failed to implement defensive techniques that have been available for years to ward off viruses and worms, such as eliminating general-purpose functions from software and preventing buffer overruns.

"As a society, we have not yet opted to go for a little higher price in exchange for higher integrity, and we're paying the price every day," he warns.
