This week Jack Clark, technical consultant at McAfee Security, considers the deluge of recent virus activity and how security firms and users can protect themselves from further attacks.
The last eight weeks have been among the busiest the antivirus community has ever experienced. Between them MyDoom, Netsky and Bagle have eclipsed the volume of virus activity we saw in the whole of 2003.
But what has started this sudden virus avalanche?
At the last count there were eight versions of MyDoom, 14 versions of Netsky and 16 versions of Bagle in existence. Although it's not uncommon to see a large number of variants appear after an initial outbreak, it is unheard of for so many to appear in such a short time.
Initial thoughts are that the growing number of virus creation kits currently available on the internet could be accounting for this rush of variants. These automated kits allow computer users with few technical skills to alter the code of viruses and release new variants into the wild.
A second explanation is that virus writers are looking to stay one step ahead of antivirus vendors with each new variant released. While we might expect any savvy virus writer to disappear after writing a virus for fear of detection by the authorities, this new breed appears to be revelling in the challenge of outwitting the security companies.
For example, could each relatively minor modification to the Bagle virus be down to the author altering his code just enough to stay ahead of those organisations working to prevent damaging outbreaks?
Is the writer releasing a new version every time a vendor adds detection for the current variant? If so, it's an intriguing game of cat and mouse and something we rarely see from writers nowadays - especially with the increasing number of custodial sentences being handed out for internet crimes.
Even more intriguing than the ongoing battle between vendor and virus author is the suggestion that the real battle is between the authors themselves. Could the huge amount of virus activity be caused by rivalry between warring virus-writing factions?
There is certainly evidence that the Netsky and Bagle writers competed against each other, using messages hidden in the virus code to trade insults. As a Bagle variant appeared with a hidden taunt or insult, so a new version of Netsky would follow with a response.
The suggestion from some corners of the antivirus community is that Bagle's creators have become jealous of the media attention Netsky has generated - and possibly incensed by the fact that part of Netsky's payload is to remove both Bagle and MyDoom.
To further escalate the feud the most recent MyDoom variant has included comments insulting Netsky.
It's likely that a combination of all these factors explains the unprecedented volume of virus activity since the New Year. But when can we expect it to end?
In addition to the number of attacks we've seen, the writers are also finding new ways to bypass perimeter defences. Using a password-protected Zip file to hide the Bagle virus, in particular, has demonstrated that authors are increasingly thinking about how they can penetrate the network.
Many antivirus packages fail to scan these encrypted files, so if the user is foolish enough to open an unsolicited message and its attachment, the attack succeeds. Desktop antivirus protection consequently becomes extremely important.
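As an added illustration (not part of the column, and not McAfee's or any vendor's code), the following Python shows what a mail gateway can still decide about a password-protected ZIP attachment it cannot open: the entry names and the "encrypted" flag are stored in cleartext in the archive's central directory, so an archive holding an encrypted executable can be quarantined rather than waved through unscanned. The archive builder, the file names and the list of risky suffixes are constructed assumptions for the demo.

```python
import io
import struct
import zipfile
import zlib

FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry is password-protected
RISKY_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed policy list


def build_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Build a minimal one-entry 'stored' ZIP for the demo (constructed).
    For the encrypted case only the flag bit is set; the payload stays
    plaintext, which is all the gateway check below needs to see."""
    n, name_b = len(payload), name.encode()
    flags = FLAG_ENCRYPTED if encrypted else 0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, n, n, len(name_b), 0) + name_b + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          0, 0, 0, crc, n, n, len(name_b), 0, 0, 0, 0, 0, 0)
    central += name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def attachment_verdict(data: bytes) -> dict:
    """Decide what to do with a ZIP attachment without knowing its password.
    Entry names and the encryption flag are readable even when the
    content is not, so the gateway is not blind to an encrypted .exe."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {"action": "quarantine", "reason": "malformed archive"}
    names = [i.filename for i in infos]
    encrypted = [i.filename for i in infos if i.flag_bits & FLAG_ENCRYPTED]
    risky = [n for n in names if n.lower().endswith(RISKY_SUFFIXES)]
    if encrypted and risky:
        return {"action": "quarantine", "entries": names,
                "reason": "encrypted executable cannot be scanned at the gateway"}
    if encrypted:
        return {"action": "hold-for-review", "entries": names,
                "reason": "encrypted content; desktop scanning must catch it"}
    return {"action": "scan", "entries": names, "reason": "content is scannable"}


if __name__ == "__main__":
    print(attachment_verdict(build_zip("report.txt", b"quarterly figures", False)))
    print(attachment_verdict(build_zip("invoice.exe", b"MZ constructed stub", True)))
```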
To keep networks safe from this current wave of attacks, users and administrators need to follow the same golden rules that vendors have been trying to get across for years: regular antivirus updates, multi-layered protection, heuristic and generic detection to stop unknown attacks and, above all, education.
Employees need to use their common sense about whether or not a file looks legitimate. If you're not expecting it, don't open it.
Only time will tell whether we've seen the last of Bagle, Netsky and MyDoom, or whether we can expect more of the alphabet to be consumed as further variants appear.
2004 has already been one of the most frantic years since viruses first emerged, with vendors and businesses battling to stay one step ahead of the writers and keep their networks secure.
And there's still work to be done if vendors are to stop this particular avalanche.