
Bug Watch: Can we predict the future?

by Jack Clark, Network Associates

06 Mar 2001

Bug Watch: Each week vnunet.com asks an expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week's expert is Jack Clark, European antivirus product manager at Network Associates.

Last week saw the appearance of the first worm targeted at the new trend of peer-to-peer (P2P) computing. While not hugely destructive, the Gnutella worm was effective as a proof of concept, as it demonstrated that file-exchange software is a viable target for attack.

Gnutella was the latest in a long line of attacks to target the most recent user trends in software and hardware. So how can the antivirus (AV) community keep up with the host of new programs that writers are designing malicious code for? How can they 'see into the future' to protect PCs against a style of virus we've never experienced before?

In the last year we've seen a host of viruses which have taken on brand new forms due to the latest developments in technology. Viruses which can infect mobile devices and which disguise themselves as any number of downloadable and executable files were all prevalent in 2000.

Last week's Gnutella worm was a classic example of this new trend. As a medium becomes more popular, virus writers start looking for its vulnerabilities - just like the spate of mobile threats that we saw at the end of last year.

More and more people are downloading MP3 files from the internet, both at work and at home. Although the Gnutella worm did little more damage than simply taking up extra system resources, it could open the way for more serious attacks on P2P networks. Imagine if a user downloaded a file from Napster which was capable of erasing the contents of a hard drive (songs and all).

So how can people defend themselves against these unproven concepts? The answer is simple. Although all these new viruses have different methods of attack and target different programs, the majority behave in a similar way.

The two most effective methods for anticipating virus attacks both rely on the patterns found in the majority of viruses, and the 'rules' which most of these virus attacks adhere to. These methods effectively allow AV vendors to detect a virus before it's even been written.

Generic detection, for example, is designed to catch any virus built from a common template, and the recent Kournikova worm is a classic example of a virus that was caught in this way. Any virus created by one of the many toolkits on the web should be easily detectable by this method because it effectively has the same 'genetic' make-up as viruses seen before.

So if this protection is available, why was the Kournikova attack so widespread? A simple answer is human error. IT departments get complacent if they haven't seen a virus for a while and security becomes less of a priority. As a consequence, users don't have the latest detection capabilities and open themselves up to attack.

Heuristic scanning offers an equally effective method of stopping viruses in their tracks. The technology basically challenges each file that enters a company's network to a game of 20 questions. Instead of scanning for just one particular type of file, it scans every file looking for the telltale signs of virus activity.

The software asks each file questions such as: Do you contain an attachment? Are you an executable file? Have you been received from more than one source? The questions go on until the software can confidently predict the risk involved in letting the file enter the network. If a file contains malicious code, the virus is halted.

The technology effectively means that nothing but the most sophisticated virus should pass through the defences. Although it can't predict exactly what a new, unseen virus will look like, it can be confident that the file in question contains something suspicious.
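As an added illustration of the '20 questions' model described above (this is not code from the article or from Network Associates): each question is a weighted yes/no rule, the points add up, and the total decides whether a message is quarantined. The rule weights, the threshold, the executable-extension list and the sample messages are all assumptions chosen for the example.

```python
"""Toy heuristic scanner: every rule is a yes/no question asked of a message;
each 'yes' adds weighted points and the total decides the verdict."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Message:
    attachments: List[str] = field(default_factory=list)  # attachment filenames
    sender_count: int = 1          # distinct senders seen delivering this same content
    body_has_script: bool = False  # script embedded in the message body (assumed flag)


# Extensions treated as executable content (assumed list, not from the article).
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".js")


def _is_executable(name: str) -> bool:
    return name.lower().endswith(EXECUTABLE_EXTS)


# (question, predicate answering it, points added on 'yes') - weights are assumed.
RULES: List[Tuple[str, Callable[[Message], bool], int]] = [
    ("Do you contain an attachment?", lambda m: bool(m.attachments), 1),
    ("Are you an executable file?", lambda m: any(_is_executable(a) for a in m.attachments), 3),
    ("Are you hiding behind a double extension?",
     lambda m: any(a.count(".") >= 2 and _is_executable(a) for a in m.attachments), 2),
    ("Have you been received from more than one source?", lambda m: m.sender_count > 1, 2),
    ("Does your body carry script?", lambda m: m.body_has_script, 1),
]

QUARANTINE_THRESHOLD = 4  # assumed cut-off; tune against the false-positive rate you accept


def heuristic_scan(msg: Message) -> Tuple[int, List[str], str]:
    """Ask every question; return (score, questions answered 'yes', verdict)."""
    score, hits = 0, []
    for question, answered_yes, weight in RULES:
        if answered_yes(msg):
            score += weight
            hits.append(question)
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "allow"
    return score, hits, verdict


# Constructed sample messages, not real captures.
WORM_LIKE = Message(attachments=["photo.jpg.vbs"], sender_count=7)
ORDINARY = Message(attachments=["report.pdf"], sender_count=1)

if __name__ == "__main__":
    for label, m in (("worm-like", WORM_LIKE), ("ordinary", ORDINARY)):
        print(label, heuristic_scan(m))
```

No single question is decisive: the worm-like sample is quarantined because four answers combine, while the ordinary attachment only scores one point.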

There is, however, still the human element to take into consideration. In the past, people have simply turned off the heuristics on their PC because it slows the machine down. How can software stop a previously unseen virus if the user has chosen to disable it? The human factor will always need to be accounted for, which is why security education is such an important piece of the AV puzzle.

AV vendors can't predict the future. Viruses are getting increasingly sophisticated, and the more programs on a user's desktop, the more targets a writer has to design viruses for. But what AV vendors can do is predict what trends are appearing, what technology exists, where the new threats are coming from and how they will target network and user vulnerabilities.

If AV software is used correctly, users will have little to worry about, whether the virus is new or old. However, if they disable or fail to update their AV software, or download unknown files from the internet, they open themselves to attack. Vendors may be able to create near-perfect virus solutions, but the perfect end user might take a little more time to develop.

Next edition: 9 March
