18 Oct 1999
The increasing popularity of Lotus Notes could make it the next high-profile target for virus writers, a security expert has warned.
Independent security consultant Martin Overton said that although there are currently no Notes-specific viruses, it is "just a matter of time" before they appear.
"The Melissa virus was targeted at Microsoft products - Outlook and Exchange Server. It arrived with a bang and gained almost mythical proportions. The stage is now set for virus writers to start targeting groupware," he said.
Overton stated that Notes, which is expected to have around 35 million users by the end of this year, has now reached critical mass.
"This is when it becomes attractive to the virus writers," he said.
But Stephen McGibbon, senior technical architect at Lotus Development, responded: "I totally refute Overton's contentions. To make an analogy: Other products, like Microsoft's Outlook, are like an egg with a hard shell - the digital signature - with a soft gooey inside. You trust it to the point where it fails. Notes and Domino are more like an onion. Once you get through one layer of security there's another," he said.
Security consultant Overton declined to outline exactly how a virus writer would set about targeting Notes, claiming that would be irresponsible. But he said mail bombs and Lotus' common programming environment, Lotusscript, are the biggest threats to Notes.
"Mail bombs are self-launching OLE objects and can be used to steal passwords," he said. "But Lotusscript I believe will be the major undoing of Lotus Notes. In many ways it is very similar to Microsoft's VBA. This similarity I believe will soon give rise to Lotusscript viruses, Trojans and Worms. It is very possible that Lotusscript could become the Achilles heel of Notes, as VBA is to Microsoft Office applications."
He added: "I have already seen a sample of a Lotusscript routine that can delete a file when triggered."
However, McGibbon said this was not an issue anyway.
"Lotus has made a statement that it is moving away from Lotusscript to Java script," he said.
Overton's advice for ensuring Notes is secured against targeted attacks is "simply good, solid administration. Ensure that clients have only the minimum access rights to perform their jobs."
He added: "Virus scanning of Notes/Domino servers is required, as otherwise Notes databases can become foxholes for viruses to hide out in, waiting to strike out once more."