Information Security News mailing list archives

Virus toolkits are s'kiddie menace


From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Feb 2001 03:35:55 -0600

[I should add that I once brought this subject up in the company of a
Symantec Vice President, and he was close to coming to blows with me
for even thinking that the anti-virus companies work with the virus
writers.  - WK]


http://www.theregister.co.uk/content/8/17106.html

By: John Leyden
Posted: 21/02/2001 at 18:12 GMT

Much has been made of the developer's decision to pull the toolkit
behind the Anna Kornikova virus - but anti-virus experts have warned
that many such toolkits are readily available and just as easy to use
by would-be vandals.

Last week the creator of K]Alamar's Vbs Worms Creator, used to create
the Kornikova virus, pulled the toolkit from virus-creation Web sites,
reportedly after pressure from friends appalled at the harm inflicted
by Anna.

But there are many more toolkits capable of generating malicious code.

Anti-virus firms reckon that most viruses are developed using widely
available toolkits. But there is widespread disagreement about (a) the
number of toolkits available to the public, and (b) the best approach
to dealing with the potential threat.

According to Jack Clark, European product manager at Network
Associates, there are perhaps 100 virus creation toolkits, though some
are not particularly popular and so fail to grab the attention of
anti-virus vendors.

Virus creation toolkits first came to prominence with the emergence of
macro-viruses; and now toolkits to produce worms, boot sector and file
viruses are all within easy reach, Clark says.

"The Anna Kornikova virus was the first time a virus created from a
toolkit has spread so rapidly but there will be more," he predicts.
While awareness of security issues has been raised by the publicity
surrounding the Anna bug, 'script kiddies' may be encouraged to
experiment with virus writing, he says.

Neil Barrett, technical director at Information Risk Management,
confirms that no particular skill is needed to use virus-creation
toolkits.

"It's trivial to use these toolkits. If you can use a point and click
Windows-style interface and drive a web browser then it's simplicity
itself to produce some surprisingly sophisticated viruses," he says.

IRM uses virus toolkits to create Trojans which are then used to check
the security of its clients' networks.

The toolkits may have some legitimate uses, but in the vast majority
of cases they are used to create malicious code, and the antivirus
industry is split on the right approach to take in defending against
the problem.

Network Associates' Clark says the right approach is to include
generic detection within anti-virus software, so that any virus
produced with a particular toolkit will be automatically detected.
Lack of generic detection means users of products from, for example,
rival Sophos, have to update their protection each time a new variant
of a virus comes out.

According to Graham Cluley, senior technology consultant for Sophos,
the inclusion of generic detection in antivirus software can trigger
false alarms; for this reason Sophos prefers to temper its use of
generic detection, or heuristics, in its products.

The more important lesson to learn from virus outbreaks such as the
Anna Kornikova virus and the Love Bug is that firms should consider
blocking visual basic scripting and files with double extensions, both
tricks used in the Anna bug, Cluley advises.
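Cluley's advice above (block Visual Basic scripting and file names with double extensions) as an added example, not code from the article or from Sophos: a small mail-gateway attachment filter in Python. The extension lists, the allowed compound suffixes and the sample attachment names are assumptions constructed for illustration.

```python
import re

# Extensions blocked outright. Assumption: a typical gateway policy list;
# the article itself names only Visual Basic scripting (.vbs).
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh",
                     "exe", "scr", "pif", "bat", "cmd"}
# Legitimate compound suffixes that are not double-extension disguises.
COMPOUND_ALLOWED = {"tar.gz", "tar.bz2", "tar.xz"}


def normalise_name(filename: str) -> str:
    """Reduce an attachment name to the form the policy reasons about."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.strip().lower()
    # Whitespace padding such as "photo.jpg      .vbs" pushes the real
    # extension out of view in a mail client; remove it before splitting.
    return re.sub(r"\s+", "", base)


def attachment_verdict(filename: str) -> tuple[str, str]:
    """Return ("block" | "allow", reason) for one attachment name."""
    parts = [p for p in normalise_name(filename).split(".") if p]
    if len(parts) < 2:
        return ("allow", "no extension")
    exts = parts[1:]
    if exts[-1] in SCRIPT_EXTENSIONS:
        return ("block", f"script/executable extension .{exts[-1]}")
    if len(exts) >= 2:
        suffix = ".".join(exts[-2:])
        if suffix not in COMPOUND_ALLOWED:
            return ("block", f"double extension .{suffix}")
    return ("allow", f".{exts[-1]}")


def filter_attachments(names):
    """Apply the policy to a list of names; returns {name: (verdict, reason)}."""
    return {n: attachment_verdict(n) for n in names}


# Constructed sample attachment names (not taken from any real message).
SAMPLE_NAMES = [
    "tennis_photo.jpg.vbs",      # decoy image extension hiding a script
    "holiday.jpg",               # plain image, allowed
    "photo.jpg      .VBS",       # whitespace padding, mixed case
    "backup.tar.gz",             # legitimate compound suffix
    "README",                    # no extension
    "notes.doc.pdf",             # double extension, blocked by policy
]

if __name__ == "__main__":
    for name, (verdict, reason) in filter_attachments(SAMPLE_NAMES).items():
        print(f"{verdict:5} {name!r}: {reason}")
```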

So toolkits are a problem; why then can't security firms exert
pressure on ISPs to stop hosting them, in the same way they pull sites
containing offensive porn?

Or maybe security firms are secretly happy to allow virus creation
to flourish - after all, these outbreaks keep anti-virus firms in the
spotlight and help them sell their software to frightened punters.

NAI's Clark denies this, saying it lacks the clout to exert pressure
on ISPs to pull virus toolkits; besides, toolkits could be easily
spread in newsgroups.

"We're not the Mafia and we don't have the ability to get ISPs to pull
virus creation kits from Web sites," Clark says. "It's not as if we can
tell them if they don't act they'll wake up with the head of a Trojan
horse in their bed."

ISN is hosted by SecurityFocus.com