Bug Watch: There's safety in numbers

by Eric Chien, Symantec

09 Mar 2001

Bug Watch: Each week vnunet.com asks an expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week's contributor is Eric Chien, chief researcher at Symantec's antivirus research centre.

Over the last year we have seen a decline in the number of public virus exchange sites. This decline appears to be attributable to three factors.

First, such trends happen normally, especially after virus outbreaks. This is due either to public attention or law enforcement agencies investigating suspected sites. For example, after the W97M.Melissa and VBS.Loveletter incidents we saw many major virus exchange sites go offline due to confiscation of equipment by law enforcement or due to unwanted attention.

Secondly, virus writers simply give up hosting such pages and 'leave the scene', often due to internal in-fighting, lack of time, or eventual maturity.

Thirdly, antivirus vendors and other third party individuals are reporting such sites to internet service providers (ISPs). Many major ISPs have terms of service (TOS) or acceptable use policies (AUPs) that clearly state virus or hacking related material is not allowed. As a result of such reports, ISPs today are much more conscious of the threat of viruses and have been quick to react in removing offending material.

This has been demonstrated in a variety of cases in the last few months. W32.Sonic, VBS.Davinia and recently VBS.Vierika all required a particular web page to download additional code. Once this page was removed, the virus no longer functioned properly.

By having TOS with virus clauses and responsive ISPs, we've been able to potentially avoid outbreaks from these viruses. For example, reports stated that the author of the VBS generator that created the 'Anna Kournikova' virus (VBS.VBWG.K) removed the generator from his web page due to public pressure.

In addition, we have begun to see sites use more types of encryption and authentication. This prevents some automated tools from easily obtaining virus samples and data mining information from virus exchange sites.

Symantec uses a system known as Seeker to scan and find virus exchange websites, automatically cataloging information and potential new samples. However, some sites have begun to adopt authentication, where a user must first submit proper identification to the webmaster who will give approval, including a login and password. Only then will access be gained to the site.

While this potentially prevents automation without customisation, it also generally deters the average 'script kiddie' from gaining access to the site, downloading something like a virus generator and creating viruses by a simple point and click.

The co-operation of ISPs in quickly removing offending material is encouraging. In the past, just attempting to contact the right person often proved difficult and the review time lengthy. Today, many ISPs understand the responsibility and potential liability in hosting such content: they include clauses in their TOS/AUP and actively respond when notified.

We hope ISPs will continue to respond in removing such content. By pulling together in this way, the industry just might make particular viruses benign and prevent some of the major outbreaks we've seen over the last year.

Next edition: 16 March
