Viruses
Security researchers have warned that sudden-impact viruses, such as the Slammer worm, are being superseded by slow-burning worms that focus on avoiding detection and bypassing traditional anti-virus software.
Malware authors, many of whom use viruses as a way of making money, are regularly testing their viruses against anti-virus packages, often through a vendor's trial software.
Writers also submit their viruses to some companies' live test sites to measure their effectiveness.
One of the fastest spreading viruses seen so far, Slammer, infected 90 percent of vulnerable hosts within 10 minutes of being released. It raced around the Web, disrupting IT networks worldwide. But because the worm caused such damage it was widely reported and defined quickly by the anti-virus vendors. IT staff were able to quickly prevent further harm.
Many new viruses attempt to install key loggers that can record passwords and personal details leading to identity theft and other related issues. Key loggers are more commonly classified as spyware, but the line between viruses, malware and spyware is becoming increasingly blurred.
With virus writers changing both their approach and their motives, organizations should be very concerned.
When is a Virus Not a Virus?
In late 2004, Microsoft announced a vulnerability affecting JPEG files, one of the most common image formats. Image files that appeared harmless could carry an attack. Internet Explorer processes JPEGs before writing them to the disk cache, so desktops became infected before the desktop anti-virus software had a chance to work. Organizations could only rely on their gateway-based solutions to stop the threat.
Anti-virus vendors debated whether it was their responsibility to be detecting such vulnerabilities, while the desktop application vendors frantically worked on security patches to plug the vulnerability in their applications. In the end, companies were left vulnerable for an extended period of time and then had to go through the pain of updating all workstations.
Most anti-virus solutions are not tuned to detect JPEG malware because, by default, they only search executable and scripting files. And if the desktop anti-virus scanner needs to look at more types, it consumes valuable processing power.
Is Your Virus Scanner Looking at Everything?
Most companies today take for granted that their gateway-based anti-virus scanning solutions are doing everything they promise. Security administrators worry less about traffic that enters through these scanners and instead spend their time tracking down and eliminating traffic that bypasses them.
Infected password-protected zip files are a problem specifically for gateway scanners, which cannot open them. On client computers with up-to-date anti-virus protection, the worm is detected once the user provides the password and decompresses/decrypts the zip file. This underscores the critical need to implement an anti-virus defense on multiple layers of the IT infrastructure.
Gateway anti-virus solutions should provide for scanning exceptions—for instance, when a password-protected file cannot be scanned. Users will go to great lengths in attempting to open an infected email attachment. If anyone thought a password-protected zip would thwart the distribution potential of malware, numerous incidents have proved the opposite.
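The scanning exception described above, as an added example that is not M86's code or the logic of any product named on this page: a Python check that treats an encrypted zip entry as unscannable and applies a configurable policy to it. The sample attachment, the "MZ" signature stand-in and the `unscannable_action` policy knob are all constructed for this example.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the zip general-purpose flag field


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample attachment, not a real capture: one 'executable'
    whose leading bytes stand in for a pattern-file signature. With
    encrypted=True the encryption bit is set in every local file header
    (signature 50 4B 03 04, flags at offset 6) and central-directory record
    (signature 50 4B 01 02, flags at offset 8), so any reader treats the
    entry as password-protected; the payload bytes are left unciphered."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ-stand-in-for-malicious-content")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + offset] |= ENCRYPTED_FLAG
                pos = data.find(sig, pos + 1)
    return bytes(data)


def gateway_verdict(attachment: bytes, unscannable_action: str = "block") -> dict:
    """Classify a zip attachment as a gateway engine with a scanning
    exception rule would. unscannable_action (hypothetical policy knob)
    applies only to content the engine cannot open: 'block' or
    'quarantine' are the safe settings, 'allow' is the weak one."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(attachment))
    except zipfile.BadZipFile:
        return {"status": "unscannable", "reason": "corrupt archive",
                "action": unscannable_action}
    for info in zf.infolist():
        if info.flag_bits & ENCRYPTED_FLAG:
            # The engine cannot look inside; the exception rule decides.
            return {"status": "unscannable",
                    "reason": f"{info.filename} is password-protected",
                    "action": unscannable_action}
        if zf.read(info.filename).startswith(b"MZ"):  # signature stand-in
            return {"status": "infected", "reason": info.filename,
                    "action": "block"}
    return {"status": "clean", "reason": "", "action": "deliver"}
```

Running `gateway_verdict(build_sample_zip(True), "allow")` shows the weak setting: the same payload that is blocked when scannable is delivered untouched once it sits behind a password.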
Security experts recommend using different anti-virus scanning engines at the email gateway, the server and the desktop, for extra protection. Anti-virus vendors react to new viruses at different rates, and scans typically miss viruses one to three percent of the time. Having different vendors' protection at each tier means that if one product misses a virus or is slower in responding to a new threat, another may detect it.
Internet-based email (such as Yahoo and Hotmail) remains a significant backdoor for virus attacks. Fewer than one percent of sanctioned corporate email boxes are Internet-based accounts, but numerous companies tacitly allow Internet mail as a perk or a spam diverter. The Nimda virus, which exploited holes in Microsoft IIS servers to infect browsers, also illustrated the potential danger of Web activity. Anti-virus scan engines for Web gateways are one response to this threat.
IT departments are now enforcing strict anti-virus compliance by employees and business partners on all connecting nodes, including remote laptops and personal digital assistants (PDAs). But although most leading anti-virus vendors have clients that support different types of devices, none supports all variants (for instance, Palm, Pocket PC, RIM Blackberry and Symbian), and they also may not be tightly integrated into the desktop management solution.
Wireless Application Protocol (WAP) devices, unified messaging and Voice over Internet Protocol (VoIP) represent potential new victims for virus writers. The limited capabilities of these devices and services make them less interesting as targets, but they have potential as infiltration points into the network. Another potential attack vector is Instant Messaging (IM). The security industry has so far been relatively slow to address this space. Many companies have opted not to take advantage of the capabilities of IM but, instead, to disable it until they are able to protect it.
Recent testing by AV-Test.org found that average anti-virus vendor response times to new threats ranged from just under seven hours to more than 29 hours.
A technology called sandboxing is increasingly being used alongside traditional pattern file checking to try to speed up responses to new viruses. Sandboxing involves detecting a new virus by observing what the suspect code does in a virtual test environment and predicting what it might do to a standard desktop PC.
An example of sandboxing technology is Norman's Sandbox feature, which has been shown in tests to recognize 100 percent of viruses. Norman is one of several third-party anti-virus solutions that M86 Security supports and can integrate with MailMarshal and WebMarshal.
Some organizations think viruses can be prevented by stripping all attachments from incoming email, but this is disruptive to day-to-day operations. M86 Security solutions deliver complete gateway content security for email and Web browsing and provide high-throughput integration with leading virus scanning software, including Norman and McAfee solutions. For a full list of supported anti-virus software, please contact us.