
Bug Watch: combating virus variants

by Eric Chien, Symantec

22 Sep 2000


Bug Watch: Each week vnunet.com asks a different expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week's expert is Eric Chien, chief researcher at SRC, Symantec's antivirus research centre.

The VBS.Funny.A virus that we saw this week was yet another variant using VBS.NewLove.A code, which caused several antivirus companies to hastily send out alerts.

In reality this virus should not have been a problem - it used code from viruses for which definitions already exist. If the antivirus community wants to stay one step ahead of the virus writers, variants such as this have to be expected and planned for.

At Symantec, we get between 10 and 20 new viruses a day, variants included. On average we get more than 10 viruses a day that are new in the sense that they do not resemble a known virus. Variants are defined as those that 'borrow' code directly from known viruses, to varying degrees.

Windows 95 macro viruses are prone to variation by their very nature. By copying macros in a document when replicating, the virus could be copying legitimate or corrupted macros, or even another virus, thus producing a new variant.

Other variants appear through a lack of creativity. Take the code, change a variable name and you have a variant. This requires very little skill and does not satisfy the virus writer's motivations for technical challenge or infamy. The infamy rests with the original creator, and what's the technical challenge in changing one name?

Without doubt, the more successful a virus the more variants will be produced. Every time we see a new class of virus, we see a huge number of variants.

Successful and simple viruses spawn variants. Viruses that have been heavily copied include W97M.Thus, XM.Laroux, VBS.LoveLetter.A and W97M.Ethan; all of these viruses and many of their variants appear monthly on the Wild Lists.

However, successful W32 viruses/worms, such as W32.FunLove.4099, are usually not copied. They are just too complex for other virus writers to borrow code from.

To stay one step ahead of the virus writers, antivirus companies have to develop 'smart' definitions that recognise the core code of a virus, so that variants are detected immediately. When Symantec produced definitions for LoveLetter and NewLove we expected the many variants, so when VBS.Funny.A (and there is already a VBS.Funny.B) was discovered, it was no surprise that the existing variant detection for VBS.NewLove.A detected it. We all need to think ahead in this game.
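As an added illustration of the 'smart definition' idea (example code, not from the column or from Symantec): a toy signature that normalises identifier names before hashing, so a variant produced by renaming a variable still matches the original's core code. The scripts, keyword list and function names are all constructed for this example.

```python
"""Toy variant-tolerant signature for script viruses.

A naive signature hashes the exact script text, so changing one variable
name defeats it.  The 'smart' signature replaces every user identifier with
a positional token and drops comments and layout first, so two scripts that
share the same core code hash identically.  All samples are constructed and
benign.
"""
import hashlib
import re

# Constructed benign sample standing in for the original script.
ORIGINAL = '''
Dim name
name = "World"
MsgBox "Hello, " & name
'''

# Constructed 'variant': same core code, variable renamed, comment added.
VARIANT = '''
' variable renamed, a comment added
Dim greeting
greeting = "World"
MsgBox "Hello, " & greeting
'''

# Constructed unrelated script: must NOT match either signature.
UNRELATED = '''
Dim x
x = 2 + 2
MsgBox x
'''

# Small subset of VBScript keywords/built-ins that survive normalisation
# (assumption for the example; a real engine would carry the full set).
KEYWORDS = {"dim", "set", "msgbox", "if", "then", "end", "for", "next"}

# Tokens: string literal, comment to end of line, identifier, whitespace, other.
TOKEN = re.compile(r'"[^"]*"|\'[^\n]*|[A-Za-z_]\w*|\s+|.')

def normalise(script: str) -> str:
    """Strip comments and whitespace; map identifiers to ID0, ID1, ... in order."""
    mapping, out = {}, []
    for tok in TOKEN.findall(script):
        if tok.startswith("'") or tok.isspace():
            continue                          # comments and layout never matter
        if tok.startswith('"'):
            out.append(tok)                   # string literals kept verbatim
        elif re.fullmatch(r"[A-Za-z_]\w*", tok) and tok.lower() not in KEYWORDS:
            out.append(mapping.setdefault(tok.lower(), f"ID{len(mapping)}"))
        else:
            out.append(tok.lower())           # VBScript keywords are case-insensitive
    return " ".join(out)

def naive_signature(script: str) -> str:
    return hashlib.sha256(script.encode()).hexdigest()

def smart_signature(script: str) -> str:
    return hashlib.sha256(normalise(script).encode()).hexdigest()
```

Renaming is only one way a variant can differ; string constants, reordered statements or inserted junk code need further normalisation, which is why real definitions target a more abstract description of the core code than this hash does.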

Next edition: 29 September
