As is the case of medical viruses, there is no "cure" for computer viruses and the key lies in prevention. Because the nature of viruses, their transmission, and frequency are constantly changing, the preventative methods must be equally dynamic. For example, it was once adequate protection to simply search for a specific sequence of code, called a signature, to detect a virus. Anti-virus firms routinely updated signature files and users updated their systems to include the newest definitions. However, the virus engineers began creating viruses that mutated when replicating. Some of the mutations were encrypted. This created a need to include decryption algorithms with the signature files. While the anti-virus vendors busied themselves researching and combating encrypted viruses, the virus engineers were equally busy creating a new breed of polymorphic viruses which randomized the encryption routines.

Obviously, with today's sophisticated virus threat, anti-virus detection must encompass the dynamic ability to detect based on even unknown behavior. This parallel has not been achieved in the medical community, where only viruses with known patterns of infection can be prevented. Indeed, even in the computer arena, few companies are able to successfully achieve a high standard of detection against mutating viruses, much less defend against newly created viruses.

The Threat Today

According to the ICSA, the virus problem has worsened over the past four years, as seen with a two-fold growth, per year since 1994. Median down time per incident is estimated at 24 hours, with five person-days involved in recovery. While the average cost per virus incident is $1,750, 25% of the respondents to the ICSA survey reported recovery costs of $50,000 - $100,000 per incident.² Worldwide, estimates are that 88 virus encounters will occur each month per 1000 PC's.

1999 Congressional Testimony of Richard Pethia, CERT Coordination Center: "Melissa is different from other macro viruses because of the speed at which it spread. The CERT/CC received its first confirmed reports of Melissa early in the afternoon of Friday, March 26, 1999. Over the next four days, the CERT/CC received a continuous stream of reports from United States government organizations, educational institutions, and corporations including telecommunications providers, energy utilities, manufacturing companies, and computer vendors. In addition, calls came in from many countries including Canada, the Netherlands, New Zealand, Qatar, Singapore, Sweden, and the United Kingdom. By Tuesday, March 30, the CERT/CC had reports that it had reached more than 233 organizations and infected 81,285 computers. Some sites had to take their mail systems off-line. One site reported receiving 32,000 copies of mail messages containing Melissa on its systems within 45 minutes."

The Melissa virus, which exploited e-mail address books for distribution, infected 38 times more frequently than previous viruses. This occurred despite the fact that 90% of respondents to the same ICSA survey reported using anti-virus software. Why then, were infection rates so severe?

First, we must understand that we are entering a new era of computer viruses. Initially spread via floppy diskette, virus infections did not easily become widespread. A year might pass before the virus could be considered prevalent. In the 90's, macro viruses were introduced which exploited Microsoft Word and were able to spread with relative ease through shared documents. Even so, it took a month or two before the virus achieved significant prevalence. This next generation of viruses, as seen with the Melissa virus, exploits the connectivity of the Internet and needs only a few days to establish widespread infection.

Obviously, anti-virus firms cannot possibly manage this threat using standard methods of signature scanning for detection. With a vehicle as fast as the Internet, signature based scanning would be akin to placing a band-aid on a severe wound. It simply would not be able to stop the flow of infection. Worse, this method is only useful for viruses that are already known to the anti-virus industry. Melissa was a brand new virus. To counteract in this sophisticated arena, the anti-virus engine must be able to intelligently make decisions regarding the behavior of a file. This element, called heuristic scanning, is key to successful detection.

Not all heuristic scanning is created equal. Both Network Associates' McAfee VirusScan and Symantec's Norton AntiVirus provide heuristic scanning, yet both of these products failed to detect the Melissa virus. Even with updated signature files to detect Melissa after her initial occurrence, subsequent variants of the same virus were not detected by these scanners. In fact, only one commercially available scanner detected the Melissa virus based solely on powerful heuristics - Command AntiVirus.

Prevention is the Key

This reality demonstrates the futility of defending against tomorrow's threat with yesterday's technology. To be effective in the dynamic continuum of computer viruses, potential hosts must be defended to prevent initial infection from occurring. This is a critical point. Once infection occurs, the vast interconnectivity of the Internet will facilitate worldwide infection - despite the best efforts to update signature files.

The most important aspect of prevention requires the use of a constantly monitoring background scanner employing a high level of heuristic capabilities. Indeed, dynamic virus protection, often referred to as real-time scanning, has been documented as the single most important defense by the ICSA. In spite of this, some vendors entirely disable or lower heuristic scanning in their real-time scanners by default, relying on the user to have the sophistication and knowledge to modify the setting for suitable protection. For example, Network Associates disables all heuristic scanning in their real-time module and Symantec excludes all Microsoft executables from being scanned. However, even with the defaults changed to provide a higher level of protection, neither of these products provided suitable defense against Melissa.

Simply a Matter of Trust

Some of the best efforts to eradicate the virus threat have in fact provided yet another avenue for its growth. Recently, Microsoft introduced new security tools in Office 2000 that promised to lessen the likelihood of a macro virus infection. Instead, the tools allow a virus to take advantage of a trust relationship with another user thereby infiltrating undetected into the new system. Of course, this avenue requires that User A trust User B, an avenue likely to occur in an enterprise where document sharing is common.

Taking advantage of a trust relationship is nothing new. Spam mailers routinely spoof e-mail addresses to make it appear the e-mail is from a known, and therefore trusted, source. Recipients tend to automatically execute e-mail attachments received from a known source without verifying their origin, appropriateness, or integrity. Users unknowingly download viruses from web sites simply based on advertisements from "trusted" sources. More than one virus has been unintentionally distributed with "trusted" software or hardware products. With such disturbing trends, perhaps the X-Files creed says it best - "Trust No One".

The Future

---

According to the ICSA survey, all indications point to a worsening of the virus epidemic. The current 40,000 plus viruses would not only increase to 80,000 within a year, but more sophisticated virus engineering techniques and subsequent expedient delivery via the Internet could signal catastrophe for improperly protected systems. Assuming infection incidents increased proportionately, the median rate for infection would increase to 176 per 1000 systems per month, or stated differently, administrators could be faced with 18% of their systems infected monthly within the next year. Without proper detection, within two years, the rate would rise to a crippling 36%. Even at the lower projected rate of $1,750 per incident, this manifests a cost so prohibitive it could easily force a highly infected enterprise out of business entirely.

Current market estimates place 89 million computers worldwide. Of these, less than 40% use anti-virus protection, despite the fact that, historically, anti-virus software places in the top five selling lists for retail outlets. Thus, 60% of the population will continue to unknowingly host and transmit viruses well into the future. Indeed this exemplifies another parallel with its medical counterpart - as long as a host is provided, viruses will continue to proliferate and exploit at the first weakness.

Richard Pethia, director of CERT Coordination Center, summarized his testimony before Congress by stating: "Melissa represents a new form of virus that demonstrates how quickly an infection can spread across a network and hints at the kind of damage that could be done. Incident response organizations were able to limit Melissa's damage by working effectively together to analyze the problem, synthesize solutions, and alert the community to the need to take corrective action. With possible future viruses, it may not be possible to act as quickly or effectively. Response organizations will always have a role to play in identifying new threats and dealing with unprecedented problems, but response methods will not be able to react at Internet speeds with complicated viruses or with multiple, simultaneous attacks of different types."

"The long-term solutions to the problems represented by Melissa will require fundamental changes to the way technology is developed, packaged, and used. It is critical that system operators and product developers recognize that their systems and products are now operating in hostile environments. Operators must demand, and developers must produce, products that are fit for use in this environment. As new forms of attack are identified and understood, developers must change their designs to protect systems and networks from these kinds of attack."

¹ An "in the wild" virus is one that has been reported by multiple parties to have unknowingly infected their systems. It is differentiated from a zoo or laboratory virus which is contained for research purposes and may, for this purpose, be used to deliberately infect a particular system.

² ICSA Labs 1999 Computer Virus Prevalence Survey

 

Home � Purchase Center � Virus Center � Support Center