As Virus Attacks Develop, Defenses Evolve

This year’s outbreak of viruses delivered via e-mail attachments left many users without access to electronic mail for days. For those used to the productivity of e-mail, the attacks were a hard lesson.

The cost isn’t just measured in inconvenience. According to Bloomberg News Service, cleaning up after the Melissa virus cost $393 million. Soon after that, the Love Bug assault hit networks, costing an estimated $10 billion.

"The attacks on Internet-connected systems we are seeing today are more serious and more technically complex than those in the past," says Elizabeth D. Zwicky, co-author of "Building Internet Firewalls," an Internet security book. "To keep those attacks from compromising our systems, we all need all the help we can get."

Today many organizations are concentrating their efforts on finding and killing viruses at the desktop. Desktop anti-virus tools have three distinct strategies for protecting the desktop.

The oldest is scanning, an approach that requires comparing executables and other files against a known database of viruses. Scanning is popular -- programs such as Norton AntiVirus and InoculateIT depend upon the technology -- but it has the shortcoming of not being able to detect viruses that have not been entered into the scanner's virus database.

Another approach is often described as "heuristic." This method seeks out suspicious instructions inside files. Even though this method can detect both known and unknown viruses, it’s unable to identify all viruses. The biggest inconvenience of heuristic technologies is the occasional false alarm.

A third method of detection is called "generic." The generic method doesn’t rely on existing virus signatures. Instead, using a strategy that comes from artificial intelligence, generic anti-virus technologies observe activity in the system, analyzing any changes. If a virus appears, the technology attempts to restore the system to its original clean condition.

Recent outbreaks focused on macros delivered in e-mail attachments. Like the Melissa virus, the Love Bug spread itself using Microsoft Outlook Address Books. But where the Melissa virus had to infect a Word document before it could spread, the Love Bug acted independently of individual files. In June, Microsoft Corp. ( issued a patch to Outlook that limited the destructive capabilities of attachments containing programs. The patch is strong medicine: It prevents the use of attachments for legitimate transfer of programs and disables certain features that many organizations had come to count on.

Still, the Outlook patch is typical of the ongoing balancing act between a product’s features and system security. "We’ll continue to adjust the balance of security and functionality in Office," says Lisa Gurry, product manager, Microsoft Office. "It’s important to remember that security of office productivity products is going to be an evolving process. As time goes on you can expect us to improve both the security and feature set of Office."

Still, some wonder why it took Microsoft so long to make these changes in the first place. Frank Prince, a senior analyst at Forrester Research Inc. (, says the reason is simple: "Until there was enough reason, [Microsoft] wasn’t economically motivated to make the change."

The temptation to single out Microsoft or Outlook for criticism is great, but security analysts warn against it. "You can’t blame these attacks on Microsoft," says Narender Mangalam, product manager for eTrust Security at Computer Associates International Inc. ( "The fault should lie squarely on those doing the abuse." Forrester’s Prince agrees, saying, "The majority of e-mail vendors are very sensitive to security. E-mail vendors don’t need to add security features; they should make the existing features easier to use and configure." But addressing the problem by focusing only on attachments may be missing an important source of risks.

Anti-virus makers are struggling to come up with a response to new threats: Viruses embedded in the text of e-mail messages rather than in attachments. These new viruses, with names like Bubbleboy and Kakworm, are small scripts that reside in the body of a message rather than an attachment. Because opening and reading an e-mail is so much easier than opening and viewing an attachment, this kind of virus has the potential to be far more dangerous and much more virulent than attachment-based viruses.

According to Symantec Corp.’s ( Vincent Weafen, director of the AntiVirus Research Center, there’s an even scarier threat on the horizon. "We’ve begun to see a sharp increase in Windows-native viruses that are divided into multiple processes, are multithreaded, and network aware. These viruses are very sophisticated and use multiple threads to divide the work between replication, avoiding detection and delivering a payload. These are far more technically advanced than script-based viruses, and their numbers -- while still small -- are growing rapidly."

Rather than continuing to rely on protection at the desktop, many companies are looking for new approaches in the fight against viruses. "The anti-malicious code market is increasingly infrastructure-driven," says Amit Yoran, president of RIPtech Inc. (, an information security service provider. "Any security architecture that relies on end-user proactiveness is doomed to failure," he says.

As a result, several vendors are building anti-viral intelligence into networks rather than concentrating on the workstation. One approach is to place a filter at the inbound network connection to prevent certain file types from getting into the network. One example is W. Quinn Associates Inc.’s ( FileScreen 2000, a utility that allows a network administrator to set filters to block certain types of files from being saved on a Windows NT server or Windows 2000 server by specific employees or groups of employees. By preventing executables from being saved to disk, FileScreen 2000 eliminates the potential of mail users storing and executing rogue code in attachments.

What’s really needed, according to eTrust’s Mangalam, "is a security guard rather than a gate. Too often we think of security technologies as gates that either allow -- or disallow -- access to a resource. With the sophistication of the new attacks -- including viruses -- we need the ability to discriminate on content rather than on static information such as an IP address, file extension, or MIME type."

Another important approach, according to Symantec’s Weafen, is to establish clean network pipes. "The idea of scanning the stream as it comes in pushes the burden off the desktop and into the infrastructure where more resources are available. You might see ISPs start to market 'clean pipes' as an offering -- in fact, some specialized network providers already do this," Weafen says.

RIPtech’s Yoran agrees that the problem needs to be addressed at both the network and the desktop, but doubts "clean pipes" will become a mainstream offering. "One possibility is to have network and Internet service providers (ISPs) provide the security, but I doubt they will be able to. After all, they are already overwhelmed providing connectivity."

A far more ambitious approach is to develop a digital immune system for the Internet. Researchers at IBM Corp. (, along with partners at Symantec, have spent 11 years on a new approach to anti-virus technology that attempts to treat the entire Internet as a single organism. Called the Digital Immune System, it works like this: When an anti-virus tool running on your PC discovers an unknown virus, it automatically packages the infected file and sends it securely over the Internet to an automated virus analysis center.

The immune system creates an antidote that is sent to the originally infected PC to eliminate the original infection and then sent to all other computers that are registered with the immune system. The immune system can respond quickly to a new virus outbreak. In the past, users of anti-virus software have had to wait for other users to find and submit new virus samples, for human experts to analyze them, and for periodic scheduled updates to the software. According to Symantec’s Weafen, the immune system should cut the response time to a matter of minutes.

"Consciousness of security hygiene is raised as a result of these attacks," Forrester’s Prince says. "And that’s good because the most difficult and dangerous part of these kinds of attacks is not technical but social." Microsoft’s Gurry agrees: "Viruses are partly a social phenomenon and we need to make sure that users are aware of their options -- whether those options are in the Office suite or in the infrastructure."

Despite improved user awareness, RIPtech’s Yoran warns that we haven’t seen the end of the evolution of attacks. "What we’ll start to see next is a decreased emphasis on attachment-borne viruses and an increase in mobile code viruses. When that time comes we have to be sure that the tools and services we use evolve along with the threats."