A New Breed of Virus

Dec 1, 2005 12:00 PM, By Jacqueline Emigh



Companies these days are being corrupted not just by old-fashioned virus attacks but by newer malicious software, or “malware,” which uses Internet chat, high-end cell phones and other computer-based technologies as points of illicit access to corporate networks.

Only a few years ago, organizations could fend off just about any malware incursion simply by installing good antivirus software at gateways between their own networks and the Internet.

But protection is a lot more perplexing these days, with the rise of IM (instant messaging) threats, cell phone viruses and so-called “blended attacks,” which combine a type of virus known as a “worm” with other kinds of hacking exploits.

In one type of blended threat, a worm named Blaster has taken advantage of one of many information security vulnerabilities, or “holes,” in Microsoft Windows to launch denial-of-service attacks against Web sites and corporate networks, temporarily shutting them down by showering them with too much traffic.

The Blaster worm made its biggest splash back in 2003, when it spread across more than one million Microsoft Windows PCs throughout the world.

Also known as W/32 SAN, the worm carried the embedded message, “I JUST WANT TO SAY, ‘LOVE YOU SAN.’”

Although specifics vary, worms typically replicate themselves across a network by making copies of themselves in computer memory.

In some of the newest blended threats, worms first slither into networks via e-mail and are then relayed rapidly across the Internet through chat or IM networks.

Spyware is another sort of malware that constitutes a growing menace. Although much spyware is relatively harmless, certain programs can take control of software running on other computers. Some viral attacks are accompanied by spyware.

Multidimensional onslaughts such as these demand multidimensional remedies, experts agree. Antiviral software is no longer enough.

“There are many different steps to computer security. If you miss any one of them, [hackers] are ‘in the door’ — whether through a virus, or through a direct attack,” says Guy Morgan, CEO and president of security consulting firm Farm9, Emeryville, Calif.

Cyberattacks can escalate quickly. When a crack opens up in a network, it does not take long to widen into a security chasm.

“After all, back in the Middle Ages, it only took one rat to start the plague,” says David Perry, director of education at Trend Micro Inc., Cupertino, Calif.

As the best means of protection against malware, experts advocate building numerous layers of information security software packages and hardware devices at points throughout the network. That way, each layer can buttress the others.

But opinions vary around the specific sorts of tools that organizations ought to deploy.

Westborough, Mass.-based Top Layer Networks, for example, sells an intrusion protection device aimed at curbing both software- and human-based attacks at the edge of the network, the company's Adam Hill says.

One customer, Honey Baked Hams Company, chose Top Layer's product because it does not adversely affect the speed and performance of the company's corporate network, says Erik Goldoff, information technology security and systems manager for the food processing firm.

Top Layer's device for the “edge” of the network also coexists peacefully with information security products running on network servers and employee desktops, Hill says.

“You have to ‘put locks in’ at a number of places. One lock alone will not do it,” Farm9's Morgan says.

Morgan suggests combining antiviral products with intrusion prevention, firewalls, proxy servers and other measures aimed at screening out suspicious data traffic.

Traditional antiviral products typically work by seeking out and finding software with “signatures” that match known viruses.

The other information security products use different criteria for determining which software code might be dangerous, such as where the data originated on the Internet and whether it is actually trying to enter another computer.

Antivirus software is changing, too. Increasingly, security vendors are putting together desktop “security suites,” which bring together traditional antivirus protection with other remedies for malware.

Trend Micro now augments its antivirus software with products to protect against messaging threats, spyware and spam e-mail, for instance.

Waltham, Mass.-based IMLogic, on the other hand, makes software specifically geared to instant messaging (IM) protection.

“You can build an iron wall around your company, but your IM channel will still be left wide open,” IMLogic's Art Gillen says.

Woodland Trust, an IMLogic customer, decided to adopt the product after turning to IM as a way of letting work-at-home employees communicate over a broadband network, says Richard Otter, network and systems manager for the United Kingdom-based charitable organization.

If you are not yet familiar with IM, it's a form of online communications somewhat similar to e-mail, except that it happens in real-time.

Essentially, “IMers” chat back and forth over a network, exchanging quick text messages.

Hackers, however, are now creating special viruses just for IM networks. The best known include CoolNow, Choke and NewPic.

Typically, these IM worms locate the PC-based address book of the victim and try to send themselves to all of that person's IM contacts.

Some of them are even able to send short messages to these contacts and to “analyze” the replies.

Moreover, these worms tend to mutate quickly, making traditional antivirus remedies less effective against them.

“In IM, the speed of propagation is much faster,” Gillen says.

In fact, over 88 percent of all worms tracked by IMLogic's Threat Center displayed this sort of morphing activity.

One IM worm, dubbed Kelvir, has mutated at least 123 times since January of 2005.

In another emerging product category, some vendors now make software geared to guarding high-end PDA cell phones against new bugs that specifically target mobile devices.

Although viruses such as these have not yet achieved widespread propagation, certain strains have already been discovered, says Todd Thiemann, Trend Micro's director of device security.

Helsinki, Finland-based F-Secure Corp., another security software firm, has now enumerated more than 100 variants of mobile malware.

The biggest mobile malware family is Cabir, followed by Skulls, according to research performed by F-Secure.

Vendors are now producing mobile virus protection for the Symbian mobile operating system, which is particularly popular in Europe, as well as for two flavors of Windows: Windows Mobile for Smartphone and Windows Mobile for Pocket PC Phone Edition.

In another departure from tradition, Trend Micro also sells a product especially designed to protect embedded devices such as ATM machines and medical devices from viral attacks.

Like PDAs, more and more of these sorts of embedded systems are now running on trimmed-down versions of Windows, too.

Hackers typically like to have a large user base available before bothering to write a virus for a specific operating environment, Thiemann says.

Although experts agree on the need for multidimensional defenses against malware on PCs and networks, the jury is still out on what to do about new and emerging threats in the cell phone and IM arenas.

“IM protection is still a work in progress,” Top Layer's Hill says.

Moreover, many believe that viruses affecting cell phones and other embedded devices will not crop up to any significant degree for some time to come.

As malware attacks continue to proliferate, so will computer hardware and software products aimed at keeping these cyber critters at bay.

But within this ever-expanding panoply, products that take aim against IM threats, cell phone viruses, and blended threats are some of the key ones to watch.

ABOUT THE COMPANIES

For information, circle the Reader Service number (listed below) or visit securitysolutions.com

IMLogic 50
F-Secure Corp. 51
Top Layer Networks 52
Trend Micro Inc. 53

© 2008 Penton Media Inc.
