[ISN] Evolving viruses threat to many platforms

From: InfoSec News (isnat_private)
Date: Thu Jun 06 2002 - 02:29:24 PDT


    http://news.com.com/2100-1001-932423.html?tag=fd_lede
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    June 5, 2002, 4:00 AM PT
    
    A new virus called Simile.D may not be much of a threat to computer
    systems, but some of its technical tricks could lead to a rethinking
    of the principles underlying antivirus software.
    
    The program not only works hard to hide the virus's presence but also
    randomizes the program's size to make it harder to identify. On top of
    that, the fourth and latest variant of the virus can spread to both
    Windows and Linux computers, according to a recently released
    analysis.
    
    "This is really pushing the boundaries on how to create cross-platform
    viruses," said Vincent Weafer, senior director of security response
    for antivirus-software maker Symantec.
    
    The virus is hard-coded proof that a small segment of rogue
    programmers can create complex code that is still difficult for
    antivirus software to detect. If more viruses like Simile.D appear, it
    could leave antivirus companies with a tough trade-off.
    
    With complex viruses such as Simile.D, antivirus software has to try
    multiple ways of identifying the code to get high recognition rates.  
    And while that might leave PC users protected from such viruses, it
    would also bog down most computers. On the other hand, efforts to
    maintain performance may instead let stealthy programs through.
    
    "It is getting us to think about different ways of handling the
    problems," said Jimmy Kuo, antivirus researcher and McAfee Fellow at
    security-software maker Network Associates. "What we are worried about
    is detection taking too long to be useful. If the viruses get so
    complicated that detection takes forever to detect the virus, then
    that will cause a problem."
    
    That's more of a threat than Simile.D itself.
    
    If loosed on the Internet, the virus could cause some problems for
    administrators because of its ability to jump from Windows to Linux
    and back again. But the virus doesn't do much harm. On Windows
    systems, it opens a dialog box with the author's name and the name of
    the virus, and it's programmed to do this only twice, on March 17 and
    Sept. 17. On infected Linux computers, the virus posts a message with
    similar content to the console, on March 17 and May 17.
    
    Other attempts have been made to create a virus that infects both
    Windows and Linux, most notably the year-old Winux or Lindose virus.  
    However, that virus failed to spread. While Simile.D spreads
    successfully to Linux machines, the risk is lessened by the fact that
    only systems running in so-called superuser mode can be fully
    infected. "Superuser" and "user" modes refer to the level of access a
    user has to a system and the programs on it.
    
    "It is less effective in Linux, especially if the user is running in
    user mode," said Symantec's Weafer. "It's more likely to infect from a
    Linux system to a Windows system than the other way around."
    
    Roger Thompson, technical director of malicious code research for
    security-information provider TruSecure, didn't think the Simile.D
    virus would be much to worry about, even with its cross-platform
    attack.
    
    "It's going to be a Code Red and a Nimda--worms that use some new
    exploit--that are really going to spread," Thompson said.
    
    Nimda, which struck last September, blended several different types of
    attacks--spreading by e-mail, JavaScript, shared network drives, and
    vulnerable Web servers--and poked holes in the defenses of many
    companies, even those with antivirus software.
    
    Nimda, like Simile.D, showed antivirus vendors that the arms race
    between the virus writers and antivirus researchers is going full
    tilt.
    
    Simile.D, also known as Etap.D, is an example of a "concept virus," a
    lab sample created by the virus underground and published for others
    to see. The major antivirus companies have already incorporated
    detection into their software, so Simile.D poses little threat to most
    users on the Internet who regularly download the latest definitions.
    
    Yet finding ways to detect it wasn't easy.
    
    Many antivirus programs detect viruses based on a "digital
    fingerprint" of the code. For example, the latest variant of the Klez
    worm, Klez.h, can be easily detected by current antivirus software
    based on its digital fingerprints.
    
    However, with Simile.D's ability to change its characteristics like a
    chameleon, that's not possible.
    
    For just such an eventuality, most antivirus programs also look for
    virus-like behavior and try various types of pattern-matching that are
    keyed to encryption routines designed to hide a virus, and to the way
    a virus piggybacks on other programs.
    
    "What you end up doing is a combination of the above, and you look at
    the code itself," said Symantec's Weafer.
    
    Such techniques are time consuming, however, leaving software makers
    looking for other ways to maintain system security: "signing" code
    with a digital signature from a trusted source; keeping a database of
    acceptable code on the system; and limiting user power on the computer
    to certain tasks that aren't subject to virus attacks.
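    The three approaches the article contrasts, run side by side as an added
    example (not code from the article or from any vendor's product): a
    whole-file "digital fingerprint", a scan for an invariant byte pattern,
    and a database of acceptable code. The sample, its size-changing
    variants, and the good/bad databases are all constructed byte strings.

```python
"""Added example: fingerprint vs. pattern scan vs. allowlist against a
constructed sample and its size-randomised variants."""
import hashlib


def fingerprint(data: bytes) -> str:
    """Whole-file SHA-256, the article's "digital fingerprint"."""
    return hashlib.sha256(data).hexdigest()


def mutate(data: bytes, seed: int) -> bytes:
    """Constructed stand-in for a self-changing variant: same payload,
    different bytes and a different size (seed-dependent padding)."""
    junk = bytes([seed % 251] * (1 + seed % 17))
    return data + junk


SAMPLE = b"CONSTRUCTED-VIRUS-PAYLOAD-2002"   # constructed, not a real virus
INVARIANT = b"VIRUS-PAYLOAD"                 # constructed invariant marker

KNOWN_BAD = {fingerprint(SAMPLE)}            # one fingerprint per known file
KNOWN_GOOD = {fingerprint(b"constructed-ls"), fingerprint(b"constructed-vi")}


def fingerprint_says_bad(data: bytes) -> bool:
    return fingerprint(data) in KNOWN_BAD     # O(1) lookup, but exact-match only


def pattern_says_bad(data: bytes) -> bool:
    return INVARIANT in data                  # O(len(data)) scan per pattern


def allowlist_says_run(data: bytes) -> bool:
    return fingerprint(data) in KNOWN_GOOD    # unknown code never runs


def evaluate(sample: bytes, variants: int) -> dict:
    """Over the sample plus `variants` mutations, count how many files each
    approach flags (or, for the allowlist, admits)."""
    files = [sample] + [mutate(sample, i) for i in range(1, variants + 1)]
    return {
        "files": len(files),
        "distinct_sizes": len({len(f) for f in files}),
        "fingerprint_hits": sum(fingerprint_says_bad(f) for f in files),
        "pattern_hits": sum(pattern_says_bad(f) for f in files),
        "allowlist_admits": sum(allowlist_says_run(f) for f in files),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE, 5))
```

    The fingerprint catches only the one file it was taken from, the
    pattern scan catches every variant at the cost of reading each file,
    and the allowlist decision does not change no matter how the sample
    mutates.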
    
    But while Simile.D has renewed discussions between antivirus
    researchers over how best to keep viruses out of systems in the
    future, standard measures still work, said Network Associates' Kuo.
    
    "We aren't there yet," Kuo said.
    
    
    
    ISN is currently hosted by Attrition.org
    



    This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 05:17:14 PDT