Information Security News mailing list archives

Evolving viruses threat to many platforms


From: InfoSec News <isn () c4i org>
Date: Thu, 6 Jun 2002 04:29:24 -0500 (CDT)

http://news.com.com/2100-1001-932423.html?tag=fd_lede

By Robert Lemos 
Staff Writer, CNET News.com
June 5, 2002, 4:00 AM PT

A new virus called Simile.D may not be much of a threat to computer
systems, but some of its technical tricks could lead to a rethinking
of the principles underlying antivirus software.

The program has code that not only works hard to hide the virus'
presence, it also randomizes the program's size so as to make it
harder to identify. On top of that, the fourth and latest variant of
the virus can spread to both Windows and Linux computers, according to
a recently released analysis.

"This is really pushing the boundaries on how to create cross-platform
viruses," said Vincent Weafer, senior director of security response
for antivirus-software maker Symantec.

The virus is hard-coded proof that a small segment of rogue
programmers can create complex code that is still difficult for
antivirus software to detect. If more viruses like Simile.D appear, it
could leave antivirus companies with a tough trade-off.

With complex viruses such as Simile.D, antivirus software has to try
multiple ways of identifying the code to get high recognition rates.  
And while that might leave PC users protected from such viruses, it
would also bog down most computers. On the other hand, efforts to
maintain performance may instead let stealthy programs through.

"It is getting us to think about different ways of handling the
problems," said Jimmy Kuo, antivirus researcher and McAfee Fellow at
security-software maker Network Associates. "What we are worried about
is detection taking too long to be useful. If the viruses get so
complicated that detection takes forever to detect the virus, then
that will cause a problem."

That's more of a threat than Simile.D itself.

If loosed on the Internet, the virus could cause some problems for
administrators because of its ability to jump from Windows to Linux
and back again. But the virus doesn't do much harm. On Windows
systems, it opens a dialog box with the author's name and the name of
the virus, and it's programmed to do this only twice, on March 17 and
Sept. 17. On infected Linux computers, the virus posts a message with
similar content to the console, on March 17 and May 17.

Other attempts have been made to create a virus that infects both
Windows and Linux, most notably the year-old Winux or Lindose virus.  
However, that virus failed to spread. While Simile.D spreads
successfully to Linux machines, the risk is lessened by the fact that
only systems running in so-called superuser mode can be fully
infected. "Superuser" and "user" modes refer to the level of access a
user has to a system and the programs on it.

"It is less effective in Linux, especially if the user is running in
user mode," said Symantec's Weafer. "It's more likely to infect from a
Linux system to a Windows system than the other way around."

Roger Thompson, technical director of malicious code research for
security-information provider TruSecure, didn't think the Simile.D
virus would be much to worry about, even with its cross-platform
attack.

"It's going to be a Code Red and a Nimda--worms that use some new
exploit--that are really going to spread," Thompson said.

Nimda, which struck last September, blended several different types of
attacks--spreading by e-mail, JavaScript, shared network drives, and
vulnerable Web servers--and poked holes in the defenses of many
companies, even those with antivirus software.

Nimda, like Simile.D, showed antivirus vendors that the arms race
between the virus writers and antivirus researchers is going full
tilt.

Simile.D, also known as Etap.D, is an example of a "concept virus," a
lab sample created by the virus underground and published for others
to see. The major antivirus companies have already incorporated
detection into their software, so Simile.D poses little threat to most
users on the Internet who regularly download the latest definitions.

Yet, finding ways to detect it wasn't easy.

Many antivirus programs detect viruses based on a "digital
fingerprint" of the code. For example, the latest variant of the Klez
worm, Klez.h, can be easily detected by current antivirus software
based on its digital fingerprints.

However, with Simile.D's ability to change its characteristics like a
chameleon, that's not possible.

For just such an eventuality, most antivirus programs also look for
virus-like behavior and try various types of pattern-matching that are
keyed to encryption routines designed to hide a virus, and to the way
a virus piggybacks on other programs.

"What you end up doing is a combination of the above, and you look at
the code itself," said Symantec's Weafer.
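The trade-off between a fixed "digital fingerprint" and the looser matching needed for code that changes its size is easy to see in a small constructed scanner. This is an added example, not code from the article or from any antivirus product; the byte sequence, filler byte and sample buffers are all constructed for illustration.

```python
import re

# Constructed invariant byte sequence that a scanner keys on. Illustrative
# only; not taken from Simile.D or any real sample.
CORE = bytes([0x60, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x81, 0xED])
JUNK = b"\x90"  # constructed filler byte standing in for inserted junk code


def mutate(core, gap_lengths):
    """Constructed stand-in for size randomization: insert a variable number of
    filler bytes after each core byte, so every generation has a different
    length and the exact fingerprint never reappears verbatim."""
    out = bytearray()
    for i, b in enumerate(core):
        out.append(b)
        out += JUNK * (gap_lengths[i] if i < len(gap_lengths) else 0)
    return bytes(out)


def exact_signature_match(data, signature):
    """Classic 'digital fingerprint': the fixed byte string must appear verbatim."""
    return signature in data


def wildcard_signature_match(data, invariant, max_gap):
    """Pattern keyed to the invariant bytes but tolerant of up to max_gap
    arbitrary bytes between consecutive ones (a regex over raw bytes)."""
    pieces = [re.escape(bytes([b])) for b in invariant]
    pattern = (b".{0,%d}" % max_gap).join(pieces)
    return re.search(pattern, data, re.DOTALL) is not None


# Constructed inputs: an unmodified generation, a junk-padded generation, and
# a benign buffer used to check that the looser pattern does not misfire.
SAMPLES = {
    "gen0": b"MZ\x90\x00" + CORE + b"\xC3\x00",
    "gen1": b"MZ\x90\x00" + mutate(CORE, [0, 2, 1, 0, 3, 0, 0, 1]) + b"\xC3\x00",
    "benign": b"MZ\x90\x00" + bytes(range(0x41, 0x5B)) + b"\xC3\x00",
}


def scan(samples, max_gap=4):
    """Run both detectors over every sample; returns {name: (exact, wildcard)}."""
    return {name: (exact_signature_match(data, CORE),
                   wildcard_signature_match(data, CORE, max_gap))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (exact, wild) in scan(SAMPLES).items():
        print(f"{name:6s} len={len(SAMPLES[name]):2d} exact={exact} wildcard={wild}")
```

Widening `max_gap` catches more padded generations but also widens what the pattern accepts and costs more scan time per file, which is the recognition-versus-performance trade-off the article describes.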

Such techniques are time consuming, however, leaving software makers
looking for other ways to maintain system security: "signing" code
with a digital signature from a trusted source; keeping a database of
acceptable code on the system; and limiting user power on the computer
to certain tasks that aren't subject to virus attacks.

But while Simile.D has renewed discussions between antivirus
researchers over how best to keep viruses out of systems in the
future, standard measures still work, said Network Associates' Kuo.

"We aren't there yet," Kuo said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.