Network Security
predictions regarding new strains of viruses
- From: Paul Howell
- Date: Fri Mar 26 06:31:58 1999
At http://www.networkweek.com/internet/story/NWW19990318S0004
< paul
Vendors go to war against new strains of virus
The spread of the Internet has increased the threat of viruses and it's
getting nasty. From Network Week, 24 March 1999.
BY LEE KIMBER
As anti-virus vendors start issuing warnings about the disk-deleting CIH virus,
network administrators already face a new, more dangerous threat - their own
networks.
Data-stealing and data-importing programs are set to exploit growing network
interconnectivity to steal sensitive data from hosts. They can import updates
for themselves and in doing so, counter attempts to remove them.
Instead of deleting your hard drives, they can quietly steal company secrets,
dump sensitive data into newsgroups and IRC, and make managing your networks
harder.
That gloomy scenario was predicted by anti-virus researchers at the European
Institute of Computer and Anti-Virus Research's (EICAR) annual conference in
Denmark earlier this month.
Researchers think tomorrow's threat will come in three types, all of which are
beginning to appear.
Type one is the data exporter, a program that grabs sensitive information and
sends it back to an email address, newsgroup or Internet Relay Chat channel.
Examples seen already include the well-known PolyPoster, which showed up
posting documents to newsgroups late last year, and the colourfully-named
ButtPlugs which can add IRC posting capabilities to the Back Orifice Trojan.
Type two is the data importer. There is only one widely-known example:
JavaBeans Hive. This two-part program downloads its second, more powerful part
after the innocuous looking stub has infected a network host.
"It doesn't work properly," says Symantec AntiVirus Research Center head, Eric
Chien, "but it is a proof of concept."
The third type is already familiar: client-server tools that give the user
remote control over the infected hosts. NetBus and Back Orifice are the most
well-known but there's also Net666, which installs a primitive Telnet service
and pings a New Zealand server to let it know that it is up and running.
"The other ones tend to be small fry compared to those," Data Fellows UK
country manager Jason Holloway commented.
These threats differ from traditional viruses by not generally advertising
either their presence or their high level of programming skill (and system
knowledge), and by their ability to keep your system communicating with another unauthorised system.
In fact, it's the high level of programming skill required that has kept most
of this so-called 'malware' from doing any damage. Speak to people such as
Chien and Holloway, and they will often say the malicious program they are
describing is flawed.
"PolyPoster was particularly insidious," says Holloway. "It actually had some
problems in real life, so its spread was limited."
Off the record, he describes the flaw in more detail. You quickly realise that
it would be easy to code around it and that, with the direction that
applications are moving in, it is going to get even easier to code around it.
But some malware is already well enough coded to cause network problems.
Take Happy99.exe, he says: "There are rumours of network email servers
crashing under the load, and that it affects some email servers. At the moment
the damage that it does is limited, but it could be rewritten to be virulent."
The solution? Both Symantec and Data Fellows believe the solution will be for
network administrators to add virus scanning at the email server and any other
network access points, which, of course, is what network scanning vendors such
as Internet Security Systems and Network Associates believe. That's why you
see Data Fellows selling its 'Defence in Depth' (http://www.datafellows.com/)
strategy for hierarchical scanning. And it's why Symantec is selling
multi-tiered scanning products linked to its modular Navex approach. It's what
email script and code-scanning vendors such as Integralis (MimeSweeper)
believe, and why Star Internet added three-stage anti-virus scanning to its
Unix email servers recently (Network Week, 10 March).
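One tier of the email-server scanning the vendors recommend, as an added example rather than code from Network Week, Symantec or Data Fellows: a gateway filter that parses a message and quarantines attachments by declared extension, by executable header in the body (so a renamed executable is still caught) and by a hash blocklist. The message, the fake "Happy99" sample and the blocklist entry are all constructed here; nothing is derived from the real malware.

```python
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage

# Constructed gateway policy: attachment types refused outright.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".vbs", ".js"}

# Constructed stand-in for a captured sample; NOT the real Happy99 payload.
FAKE_HAPPY99 = b"MZ" + b"\x00" * 30 + b"constructed sample, not real malware"
# Constructed blocklist: in practice this comes from the AV vendor's signatures.
KNOWN_BAD_SHA256 = {hashlib.sha256(FAKE_HAPPY99).hexdigest()}


def scan_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons to quarantine this attachment (empty list = clean)."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if data[:2] == b"MZ":
        # Judge the content, not the declared name: catches .exe renamed to .txt.
        reasons.append("executable header (MZ) in attachment body")
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        reasons.append("matches known-bad hash")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 822 message and scan every attachment, keyed by filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        verdicts[name] = scan_attachment(name, part.get_payload(decode=True) or b"")
    return verdicts


def build_sample_message() -> bytes:
    """Constructed test message: one clean file, one .exe, one renamed executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "admin@example.invalid"
    msg["Subject"] = "Happy New Year"
    msg.set_content("See attached.")
    msg.add_attachment(b"quarterly figures", maintype="text", subtype="plain",
                       filename="report.txt")
    msg.add_attachment(FAKE_HAPPY99, maintype="application",
                       subtype="octet-stream", filename="Happy99.exe")
    msg.add_attachment(b"MZ" + b"\x90" * 16, maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` flags Happy99.exe on all three checks and notes.txt on the header check alone, while report.txt passes.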
And network administrators are likely to need more help like this from
anti-virus vendors, their ISPs, or whoever manages their email, because the
life cycle of this new threat is likely to be radically different from those
of previous threats.
"It will be slower to start," says Chien. "But when it does, the spread of the
new network viruses will be much quicker because they are network aware."
Chien also thinks you will need more help to deal with them because the stuff
that will get on to your network will be much better at hiding itself than the
viruses of the past - and much better at staying hidden, even if you try to
find it.
The only upside is that network administrators are not going to be short of
work for the foreseeable future.