First there was Mydoom, which spread like wildfire and almost overheated the internet with thousands of emails an hour at its peak.
Then there was Sasser, a worm that exploited a vulnerability in unpatched Windows systems to infect a multitude of PCs.
And throughout the year, Bagle and Netsky plagued computers, turning some of them into zombies, as the virus writers feuded by unleashing a horde of variants.
Suffice it to say, 2004 was a banner year for viruses and worms. They managed to torment corporate networks despite all the sophisticated technology available. What gives? According to those on the front lines of battling malware, the reasons include all the usual suspects – forgetting to patch systems or neglecting anti-virus updates.
But mostly, it comes down to the evolution of a threat from the classic computer virus into a hodgepodge of spyware, spam and trojans, often perpetrated by individuals and groups seeking financial gain.
“The equation changes so radically once money gets involved,” says Alfred Huger, senior director at Symantec Security Response.
“When people realize they can make serious money off of this type of crime, it raises the stakes.”
Defending corporate networks against this profit-driven, multi-faceted threat requires a layered approach, new technologies and coordinated processes. But last year’s onslaught of worms and viruses showed that some basic protective measures are still neglected.
In December, for example, only two of the viruses in the Sophos top ten list were new – the rest had been around for a month or longer, recalls Gregg Mastoras, a senior Sophos security analyst. “These viruses are still spreading and affecting networks, yet virus protection has been out for months from all the vendors,” he says. “For whatever reason, people are not keeping their anti-virus up to date.”
Huger agrees: “Vast numbers of people still don’t have anti-virus, which is one of the reasons that virus writers are so successful.”
But the hybrid nature of today’s malicious code can slip past traditional anti-virus tools.
“Viruses have gone beyond the pure, true nature of a virus – they behave like other things. They take advantage of system vulnerabilities,” explains Bob Hansmann, senior product marketing manager at Trend Micro.
Consequently, it is incumbent on companies to keep up with software patches. But in a lot of cases, that did not happen last year, says Vincent Gullotto, vice-president of the Avert research division at McAfee.
Mass-mailer worms, adware and other pesky programs also are sneaking into corporate environments via mobile users, who log onto corporate networks over insecure systems, he adds.
And in many cases, malware still relies on the old social engineering trick. One of last year’s most prevalent pests, Netsky, duped users into clicking on an attachment in an email.
In light of how fast malicious code spreads nowadays, simply relying on the last anti-virus update for security is a “recipe for disaster,” maintains Sam Curry, vice-president of eTrust security management at Computer Associates.
“The old tried-and-true ‘update your anti-virus’ isn’t good enough,” he says. “It is an important part. You’ve got to have that update component. But it takes new techniques to find things that are anomalous, and an understanding of a new generation of threats that are more sophisticated. Their target isn’t just to kill your PC. It is to rob your bank account or steal your identity.”
The days of teenagers writing viruses simply to grab their 15 minutes of fame are fading fast.
“There still are teenagers writing viruses, but we saw [in 2004] so much more influence by organized crime, and the reason they are writing viruses is completely different. They’re writing them to make money,” says Mastoras.
This new wave of virus writers looking for money is also highly skilled, notes Symantec’s Huger.
With money coming into play, the worlds of spam and viruses have converged, with spammers hiring virus writers to compromise systems they can then use as spam relays.
These compromised systems, or zombies, can also be used by criminals to launch denial-of-service attacks or to download adware.
Getting adware installed on systems can also earn someone money, points out McAfee’s Gullotto. Eventually, adware could clog up a machine and make the browser unusable, or even maliciously redirect users to bogus websites to secretly collect personal information. Spyware, meanwhile, could install a key-logger to snatch a user’s personal data.
But although these threats look daunting, there are steps companies can take to protect their networks.
Companies have learned from the outbreaks caused by network worms such as Sasser that it is not enough to separate their internal network from the public internet, believes Mikko Hypponen, anti-virus research director at F-Secure.
“The main thing that has to be done is to take the firewall and keep it at the perimeter, of course. But it is also crucial to install a secondary firewall at every computer,” says Hypponen.
The proliferation of network worms led Trend to develop its Network VirusWall, which monitors network traffic for suspect activity, says David Perry, Trend’s global education director.
“The new kind of malware we see isn’t similar enough to viruses to be blocked with the same tools,” he says. “Traditional virus scanning is looking for a file on the disk to scan and network viruses don’t actually ever write to the disk.”
According to McAfee’s Gullotto, today’s threats require a layered approach. “You can’t stop them with any one approach,” he says.
To that end, McAfee moved into the intrusion prevention system (IPS) arena, and is looking at ways to incorporate some of that rules-based and behavior-based analysis into its VirusScan product to make it more proactive. In turn, the threat information that Gullotto’s team collects helps the IPS strategy. The core signature-based technology of anti-virus protection will remain crucially important, he adds.
At Sophos, engineers have developed technology that identifies the basic building blocks of viruses in an effort to protect against not just the current viruses but future ones, says Mastoras, adding that the technology applies to spam as well.
“I think a lot of anti-virus vendors are thinking in terms of how to proactively prevent threats that haven’t occurred yet, so they don’t have to wait for the latest update,” he adds.
Besides security software – and managing to keep it updated – companies need the right processes in place, advises Huger at Symantec. “All the technology in the world is going to avail you nothing if you don’t have the right processes in place,” he warns.
Indeed, some companies install so many security mechanisms that the system becomes unmanageable, says CA’s Curry. “If you deploy that much security, it’s hard to track it and find the alarm bell when all 20 barriers start ringing at once,” he explains. “It comes down to a management issue.”
Security Information Management technology can help firms zero in on the main threats to their assets, adds Curry.
The bottom line is that technology can help, but it isn’t the only solution.
Better user education, legislation, and more law enforcement against online criminals are also needed, declares Mastoras. “There’s this whole risk-reward equation that’s skewed. There’s a lot of reward and not a lot of risk, because not a lot of folks are getting caught,” he says.
Major software changes by Microsoft over the years have helped eradicate past viruses, such as boot-sector viruses, says F-Secure’s Hypponen. For example, by limiting the number of outbound simultaneous connections a PC can make, Windows XP Service Pack 2 limits a basic function that automated network worms need, he explains.
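The behaviour Hypponen describes, a single PC fanning out connections to many peers on one port in a few seconds, is what both the SP2 connection cap and network-traffic monitors of the Network VirusWall kind key on. The check below is an added illustration, not code from the article or any vendor it names; the log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed connection log (format invented for this example):
# 10.0.0.5 reaches eight different hosts on TCP 445 within eight seconds,
# the fan-out pattern of a scanning network worm; 10.0.0.7 contacts six
# hosts slowly over 2.5 minutes; 10.0.0.9 is ordinary web traffic.
SAMPLE_LOG = """\
2004-05-01T10:00:00 src=10.0.0.9 dst=10.0.1.2 dport=80
2004-05-01T10:00:00 src=10.0.0.5 dst=10.0.1.1 dport=445
2004-05-01T10:00:01 src=10.0.0.5 dst=10.0.1.2 dport=445
2004-05-01T10:00:02 src=10.0.0.5 dst=10.0.1.3 dport=445
2004-05-01T10:00:03 src=10.0.0.5 dst=10.0.1.4 dport=445
2004-05-01T10:00:04 src=10.0.0.5 dst=10.0.1.5 dport=445
2004-05-01T10:00:05 src=10.0.0.5 dst=10.0.1.6 dport=445
2004-05-01T10:00:06 src=10.0.0.5 dst=10.0.1.7 dport=445
2004-05-01T10:00:07 src=10.0.0.5 dst=10.0.1.8 dport=445
2004-05-01T10:00:09 src=10.0.0.9 dst=10.0.1.3 dport=80
2004-05-01T10:01:00 src=10.0.0.7 dst=10.0.1.1 dport=445
2004-05-01T10:01:30 src=10.0.0.7 dst=10.0.1.2 dport=445
2004-05-01T10:02:00 src=10.0.0.7 dst=10.0.1.3 dport=445
2004-05-01T10:02:30 src=10.0.0.7 dst=10.0.1.4 dport=445
2004-05-01T10:03:00 src=10.0.0.7 dst=10.0.1.5 dport=445
2004-05-01T10:03:30 src=10.0.0.7 dst=10.0.1.6 dport=445
"""

def parse(line):
    """Split one constructed log line into (time, src, dst, dport)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])

def find_fanout(log, window_s=10, max_peers=5):
    """Return {(src, dport): peak distinct peers} for every source that
    reached more than max_peers distinct hosts on one port inside any
    sliding window of window_s seconds."""
    events = defaultdict(list)          # (src, dport) -> [(time, dst), ...]
    for line in log.strip().splitlines():
        t, src, dst, dport = parse(line)
        events[(src, dport)].append((t, dst))
    flagged = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_s.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            peers = {dst for _, dst in evs[start:end + 1]}
            if len(peers) > max_peers:
                flagged[key] = max(len(peers), flagged.get(key, 0))
    return flagged
```

Widening the window to several minutes also catches the slow scanner, which is the trade-off behind any rate-based cap: a looser threshold raises false positives on busy servers, a tighter one lets throttled worms through.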
A complete overhaul of SMTP-based email is required to put an end to email worms, says Hypponen. But alternative protocols with strong authentication and encryption would need everyone to switch to a new system at the same time – which will not happen until email finally breaks.