Information Security News mailing list archives

Sneaky new virus format has software makers scrambling


From: InfoSec News <isn () C4I ORG>
Date: Sun, 9 Jul 2000 17:25:25 -0500

http://news.cnet.com/news/0-1003-200-2218741.html

By Stephen Shankland
Staff Writer, CNET News.com
July 7, 2000, 1:10 p.m. PT

In the latest case of virus writers being a step ahead of the computer
industry, a comparatively new type of virus is forcing antivirus
software companies to rebuild their products.

These email viruses, such as Kakworm and Bubbleboy, are small programs
called scripts that reside in the body of an email message, not in the
file attached to the messages. While the viruses themselves have been
around since 1999, antivirus companies still are struggling to adjust
to their existence.

Symantec's Norton Antivirus software can catch Kakworm if the virus
actually executes, but the software is unable to detect it earlier,
the company says. The company is working on short-term workarounds and
a long-term rework to its scanning engine, said Patrick Martin,
product manager for the Symantec Antivirus Research Center.

Trend Micro, meanwhile, hasn't yet updated its desktop PC-cillin
software to deal with viruses in email text, though its server-based
eManager software can screen them out, said spokeswoman Susan Orbuch.

The hurdle illustrates the years-long struggle between virus writers
and antivirus companies. While many new viruses crop up each week,
virus writers rarely come up with new ways to spread viruses that
require major restructuring of antivirus software.

Viruses once were generally restricted to executable programs on PCs;
virus writers had to disguise such a program as a benign email
attachment and hope the recipient would open it. Virus writers later
pushed into new territory by embedding viruses in small programs
called macros that are part of Microsoft Word files and other document
formats.

Later, beginning with the Melissa virus, writers found that email
attachments coupled with Microsoft Outlook address books offered a
quick way to spread viruses. Then came the "I Love You" virus, spread
not through documents but through small programs written in a language
called VBScript that can control Microsoft Windows.

But the Love bug, also known as "Loveletter," still required
attachments, which are comparatively easy for antivirus software to
intercept. The fact that Kakworm and Bubbleboy reside in the message
itself is giving Symantec a headache.

Scanning the in-box file for Kakworm in Eudora, a popular email
program, can cause a major system performance drop, especially if the
in-box file has hundreds of messages and has to be scanned each time a
new one arrives, Martin said.

"Opening an email is much easier...than opening an attachment, so it's
much more dangerous and much more virulent," said Bruce Schneier, a
security analyst with Counterpane Internet Security.

But dealing with viruses in email is only a secondary issue, he added.
"Antivirus vendors have bigger problems. It's the speed of infection
they're dealing with," Schneier said. In the old days, when viruses
spread by floppy disks, it was fine to update virus definitions every
month or so. "Now, they spread in seconds, in minutes, in hours. Once
a month just doesn't fly."

Remedies on tap

Within the next week, Symantec expects to have a better idea of how to
deal with Kakworm. "We've got several things we're looking at right
now as possible short-term or long-term (solutions) for Kakworm,"
Martin said.

In the short term, Symantec is considering a special piece of software
that can clean up Kakworm. "The other mechanisms, such as more
sophisticated scanning, are more long term. You can't spit those out
quite as quickly," he said.

In the meantime, however, Norton Antivirus users continue to struggle
with Kakworm. Some customers using Eudora email software have reported
that the antivirus software, unable to repair the in-box file, has
quarantined the file so it's inaccessible. The program sometimes
recommends that people delete it, which results in the loss of stored
email messages.

One antivirus software maker, Computer Associates, says its antivirus
software works against Kakworm as long as customers have downloaded
the latest virus definition files. CA's antivirus software can deal
with viruses in the email text either at the server level or the PC
level, said Piers McMahon, senior business manager of security
software.

McMahon and Dan Schrader, a researcher at Trend Micro, agreed that one
way to deal with the new type of virus would be to disable the running
of scripts in email software.

"In general, 99.9 percent of people have no need to have the
capabilities for emails to have scripts within them. We take the view
that it should be an exceptional case, not a normal case," McMahon
said. "For most people, it's just dangerous having that as the
default."

The problem with Kakworm and Eudora is ironic: Kakworm took advantage
of a security hole in a competing email reader, Microsoft Outlook.
Microsoft patched the hole, but many people haven't installed the
update.

Public Enemy No. 1

Kakworm is a particularly prevalent virus, Schrader said. It's been
the most frequently reported virus this year, only temporarily bumped
out of first place by the Love bug. "Kakworm is the single most common
virus in the world," he said. "I'm quite convinced that when all is
said and done, Kakworm will have infected more people than Love bug."

One reason viruses in the email text are so nasty is that they can lie
dormant in newsgroup postings, where people can stumble across them
long after they were posted, Schrader said. Email text viruses execute
when a reader simply opens an email message, so even particularly
careful email users who normally shy away from attachments can be
stung by the bug.

Symantec and Trend Micro both predicted that viruses in the email text
will be increasingly common because computer systems and computer
users haven't caught up with the new method. Virus writers "are just
trying to find new avenues that people aren't as aware of," Martin
said. "Now that people have seen Loveletter and New Love, they're
getting used to file attachments. They're getting wise to that."

Viruses in email text can be written in JavaScript or VBScript.
"VBScript is the scripting language of choice because it makes it very
simple to use the Outlook address book," making for an easy way to
find new hosts for the virus to send itself to, Schrader said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
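
The article's distinction between a script carried in the message body and one carried in an attachment, shown as an added example that is not part of the CNET article or the list post. The two sample messages and the names `ScriptFinder` and `scan_message` are constructed for illustration; the script element in the sample is an inert placeholder.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample: HTML body carrying an inert script element, no attachment.
SCRIPT_IN_BODY = """\
Subject: constructed sample
Content-Type: text/html; charset=us-ascii

<html><body>Hello<script language="VBScript">' inert placeholder</script></body></html>
"""

# Constructed sample: plain-text body plus an ordinary attachment.
ATTACHMENT_ONLY = """\
Subject: constructed sample
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

See attached.
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.txt"

plain data
--B--
"""

class ScriptFinder(HTMLParser):
    """Records the declared language of each <script> element."""
    def __init__(self):
        super().__init__()
        self.languages = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.languages.append((a.get("language") or a.get("type") or "unspecified").lower())

def scan_message(raw):
    """Return attachment names and script languages found in inline HTML bodies."""
    found = {"attachments": [], "body_scripts": []}
    for part in message_from_string(raw).walk():
        if part.get_filename():  # the only parts an attachment-only scanner sees
            found["attachments"].append(part.get_filename())
        elif part.get_content_type() == "text/html":  # the message body itself
            finder = ScriptFinder()
            finder.feed(part.get_payload(decode=True).decode("latin-1"))
            found["body_scripts"] += finder.languages
    return found
```

A scanner that only inspects `attachments` reports nothing for the first sample; the `body_scripts` list is what a mail filter would use to strip or block script content by default.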

