Bug Watch: Looking for the weakest link

by Eric Chien, Symantec

26 Jan 2001

Bug watch: Each week vnunet.com asks an expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week's expert is Eric Chien, chief researcher at Symantec's antivirus research centre.

Clearly, the abuse of the internet by malicious software today plays a major role in how far such code spreads and how much damage it does. Statistics from the year 2000 confirm this.

The top ten infectors reported to Symantec's antivirus research centre in the year 2000 all contain networking components. This is in stark contrast to 1999 when only two network-aware infectors graced the top ten - W97M.Melissa.A and Worm.ExploreZip.

With mass mailing and network spreading routines becoming standard, virus writers are beginning to develop new and more dangerous uses for network connectivity.

In December 1999, W32.Babylonia was the first worm to have the ability to auto-update itself. The virus was a traditional Windows executable file infector, and like many of the threats today, attached itself to outgoing emails.

However, unique at the time, the virus would connect to a specific website and download additional files for execution. This gave the virus writer the ability to update his creation along with potentially completely changing the functionality of the malicious code. The writer could modify existing features, perform bug fixes, and introduce brand new functionality.

System administrators could easily block the website using firewall rules, and the website was eventually shut down. When this occurred, the auto-updating routine of W32.Babylonia no longer functioned properly and the risk from W32.Babylonia was substantially reduced. Thus, the auto-updating feature was a first proof of concept, but not very effective.

Fortunately, virus writers are slow to learn. We have seen only a few viruses perform similar tasks, but again using only a single website. Just this month, a new high-profile worm from Spain, named VBS.Davinia, no longer functioned properly after the webpage it utilised was removed.

Of course, that doesn't mean virus writers aren't attempting new techniques. In September 2000, W32.Hybris was discovered. W32.Hybris performed a similar task of downloading updates, but instead of using a single website, it utilised a newsgroup (alt.comp.virus). A newsgroup is a public forum where articles are replicated around servers all over the world. One cannot remove a newsgroup like one can remove a webpage. Thus, W32.Hybris still has the ability to update itself each day.

Conversely, the use of the internet by malicious software is not just limited to accessing new sites for updates, but also the reverse. In August, W95.MTX was discovered. W95.MTX modified system files so that one's computer would no longer be able to contact popular antivirus vendor websites and definition download sites. This would block the ability for antivirus products to obtain their own auto-updates. This problem remains today and requires users to obtain updates from third-party mirrored sites not blocked by the virus.
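One way a defender can check a machine for this kind of update-site blocking, as an added example that is not from the column or from Symantec: it assumes the blocking is done through hosts-file overrides (one common mechanism; the column only says "system files"), and the watched domain list and sample hosts file are constructed for illustration.

```python
"""Flag hosts-file entries that override antivirus update domains.

Added example, not code from the column. Assumes the tampering takes the
form of hosts-file lines mapping vendor update domains to loopback or to
an unrelated address; the watch list and sample file are constructed.
"""
import ipaddress

# Hypothetical watch list: update/definition domains that should never be
# resolved locally. update.example-av.com is a placeholder.
WATCHED_DOMAINS = {"symantec.com", "liveupdate.symantec.com", "update.example-av.com"}

# Ranges that only localhost entries should ever map to.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/32", "::1/128")]


def is_watched(host):
    """True if host is a watched domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name


def find_overrides(text):
    """Return [(hostname, address, reason)] for entries that override watched domains."""
    findings = []
    for addr, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((name, addr, "unparseable address"))
            continue
        reason = "sinkholed" if any(ip in net for net in SINKHOLE_NETS) else "redirected"
        findings.append((name, addr, reason))
    return findings


# Constructed sample hosts file: normal localhost lines plus two tampering entries.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1       localhost
127.0.0.1 liveupdate.symantec.com www.symantec.com
198.51.100.7 update.example-av.com  # redirected to an unrelated host
"""

if __name__ == "__main__":
    for name, addr, reason in find_overrides(SAMPLE_HOSTS):
        print(f"{reason}: {name} -> {addr}")
```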

With the ability to spread further and faster, such worms are also being used in conjunction with creative payloads. The Linux.Ramen worm was also found in the wild this month. Linux.Ramen infects RedHat Linux 6.2 and 7.0 systems that have not been updated with particular security patches, and defaces the default webpage on the server. Thus, the worm is an auto-webpage defacing tool, performing the work instead of the hacker.

The possibilities of using or limiting network connectivity by malicious software are in their infancy. With methods such as peer-to-peer networking (Napster-like protocols), shutting down a single webpage will become a thing of the past, and auto-updating worms will become more effective while, at the same time, preventing the auto-updating of antivirus products.

While the internet provides an effective method of antivirus updating, it also provides an effective method for viruses themselves to be updated. In addition, similar to the ineffectiveness of a virus using a single website for updates, in the future, antivirus vendors may fall to the same weak link.

Next edition: 2 February
