Experts predict more mutating viruses

Havoc wrought by Internet-based computer viruses continues to worsen, a new study concludes. And the worse news is that software vendors are predicting an even darker future in which self-mutating viruses become practically undetectable and almost unstoppable.

These mutating menaces, known as polymorphic and metamorphic viruses, are not yet common. But virus hunters warn that a few of this year's virus crop - in particular the NewLove worm - are precursors of mutants that will be difficult to stop because they change shape to evade detection.

Virus infections have increased steadily from 10 per 10,000 computers in 1996 to 91 per 10,000 computers this year, according to the International Computer Security Association (ICSA) survey of 300 organizations in high technology, government, manufacturing and finance.

The worst offender has been the LoveLetter virus, which struck worldwide last spring. About 41% of the surveyed organizations said LoveLetter inflicted a "disaster" in their networks, shutting down servers and costing companies an average of $120,000 based on lost productivity and other measures.

All but one organization surveyed acknowledged being hit by a major virus this year - even though 70% of desktops, 91% of servers, 45% of firewalls and proxies, and 80% of e-mail gateways were running antivirus products.

The problem, according to the ICSA, is that Internet-enabled viruses such as Love Letter and Melissa propagate far more rapidly than the older boot-sector and file-infecting viruses, which are in sharp decline.

Antivirus software products depend on identifying virus signatures (or "fingerprints") to wipe them out.

That reactive strategy is no longer sufficient in an age when a harmful virus can propagate at lightning speed across the world by grabbing one victim's address book and mailing itself out to a dozen more victims.

The ICSA report said virus protection has to explore new approaches, but it had few suggestions besides "behavior blocking," which involves using antivirus software to prevent questionable actions, such as mass mailings, from executing in applications.
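The "behavior blocking" the ICSA report points to can be illustrated with a small detector that watches what a process does rather than what its bytes look like. The following is an added example, not code from the article or from any vendor product named in it: it parses constructed mail-submission events (timestamp, sending process, recipient; the event format and the thresholds are assumptions) and refuses delivery once one process has addressed more than a set number of distinct recipients inside a sliding window, which is the "grab the address book and mail yourself out" pattern the article describes.

```python
"""Toy behavior blocker: stop a process that starts mass-mailing.

Added illustration only. The event format, process names and thresholds are
constructed for the example and do not come from the article or any product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Policy (assumed values): more than MAX_RECIPIENTS distinct recipients from
# one process within WINDOW is treated as a mass mailing and blocked.
MAX_RECIPIENTS = 10
WINDOW = timedelta(minutes=5)

# Constructed sample events: "<ISO timestamp> <process> <recipient>".
# Two ordinary mails from a mail client, then a script that fans out to 12
# addresses within a few seconds.
SAMPLE_EVENTS = [
    "2000-10-23T09:00:01 outlook.exe alice@example.com",
    "2000-10-23T09:15:40 outlook.exe bob@example.com",
] + [
    f"2000-10-23T09:30:{i:02d} wscript.exe user{i}@example.com" for i in range(12)
]


def parse_event(line: str):
    """Split one event line into (timestamp, process, recipient)."""
    ts, proc, rcpt = line.split(" ", 2)
    return datetime.fromisoformat(ts), proc, rcpt


def block_mass_mailing(lines, max_recipients=MAX_RECIPIENTS, window=WINDOW):
    """Return (delivered_lines, blocked) where blocked maps a process name to
    the timestamp at which it crossed the threshold.

    Once a process is blocked, every later submission from it is refused too.
    """
    history = defaultdict(list)  # process -> [(timestamp, recipient), ...]
    blocked = {}
    delivered = []
    for line in lines:
        ts, proc, rcpt = parse_event(line)
        if proc in blocked:
            continue  # already decided: refuse without further counting
        hist = history[proc]
        hist.append((ts, rcpt))
        # Keep only events inside the sliding window ending at this event.
        cutoff = ts - window
        hist[:] = [(t, r) for t, r in hist if t >= cutoff]
        distinct_recipients = {r for _, r in hist}
        if len(distinct_recipients) > max_recipients:
            blocked[proc] = ts  # this submission and all later ones are refused
        else:
            delivered.append(line)
    return delivered, blocked


if __name__ == "__main__":
    ok, bad = block_mass_mailing(SAMPLE_EVENTS)
    print(f"delivered {len(ok)} messages; blocked processes: {bad}")
```

The point of keeping state per process rather than per message is that no single submission looks suspicious on its own; only the fan-out over time does, which is exactly why a byte signature of the worm cannot express this rule.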

"What we do now is signature-based, and signatures are reactive; we call it 'find and fix,'" says Diana Kelley, general manager in the Symantec research labs. "We sometimes equate it to an arms race right now [between the virus writers and the antivirus product vendors] - and it's neck and neck."

Detecting the garden-variety virus takes a few hours, and it's done by running suspect code through an antivirus scanner. But when this doesn't work, it can take days or even months for a more manually conducted software investigation to find the fingerprint.

Distributing updates quickly throughout an organization can be a problem. Network Associates' MyCIO.com hosted security service this week is debuting a peer-to-peer technology dubbed Rumor that lets one desktop PC distribute VirusScan antivirus product updates to other peer PCs running VirusScan.

"The LoveLetter virus was the reason we switched from [McAfee.com's] CD-type distribution of antivirus software to the MyCIO.com online security service," says Lee Rocklage, network manager for DPR Construction in Redwood, Calif. "It's a much faster distribution method."

Getting harder to detect

The most frightening thing about the new viruses is that they are getting harder to detect. Their authors add encryption routines that hide the virus body: each copy decrypts itself to run, then adds a few bytes and re-encrypts itself so that the next copy looks even more different - making the virus polymorphic.

A metamorphic virus, by contrast, adds a mutation engine so it can take its basic virus design and rewrite itself to look and behave differently enough to evade detection based on its first signature.

To compound this, virus authors have learned to bury pernicious commands, such as for wiping out files, way down in an obscure program instruction. This makes it much harder for antivirus scanners (also known as "virtual computers") to detect viruses by running automated routines.
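The preceding three paragraphs describe why a fixed "fingerprint" stops working once the virus body is re-encrypted per copy, and why scanners fall back on running the code in a "virtual computer" to see what it decrypts into. The following added example is not from the article and does not model any real virus or file format: it uses a constructed toy layout (one key byte followed by a XOR-encoded body, with a harmless marker string standing in for the virus body) to show that a static byte signature matches the plain body but none of its re-keyed variants, while a scanner that recognises the invariant decryptor layout, recovers the body the way an emulator would, and then applies the same signature catches every variant.

```python
"""Static signature vs decrypt-then-scan on re-encrypted copies.

Added illustration only. The sample format (1 key byte + XOR-encoded body)
and the marker string are constructed for the example; they are not a real
virus, a real decryptor or a real on-disk format.
"""

# Constructed stand-in for a virus body.  A product would extract its
# signature as a distinctive slice of these bytes.
PAYLOAD = b"DEMO-PAYLOAD-MARKER: this is only a test string"
SIGNATURE = b"DEMO-PAYLOAD-MARKER"


def make_variant(key: int) -> bytes:
    """Build a test input only: one key byte, then the body XORed with it.

    Each key yields a copy whose body bytes share nothing positionally with
    the others, which is the property that defeats a fixed byte signature.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return bytes([key]) + bytes(b ^ key for b in PAYLOAD)


def static_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic 'find and fix': look for the signature in the bytes as stored."""
    return signature in sample


def decrypt_then_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Stand-in for the emulator step: recognise the (invariant) decryptor
    layout, recover the body as the virus itself would, then match."""
    if len(sample) < 2:
        return False
    key, body = sample[0], sample[1:]
    recovered = bytes(b ^ key for b in body)
    return signature in recovered


# Three re-keyed copies of the same body.
VARIANTS = [make_variant(k) for k in (0x21, 0x5A, 0xC3)]


def scan_report():
    """Return detection counts for both strategies over the constructed set."""
    return {
        "plain_body_static": static_scan(PAYLOAD),
        "variants_static": sum(static_scan(v) for v in VARIANTS),
        "variants_decrypted": sum(decrypt_then_scan(v) for v in VARIANTS),
        "variants_total": len(VARIANTS),
    }


if __name__ == "__main__":
    for name, value in scan_report().items():
        print(f"{name}: {value}")
```

The decrypt step here is trivial because the toy layout is fixed; the cost the article's sources complain about comes from real decryptors that are themselves rewritten per copy, so the scanner has to execute rather than pattern-match them, and from authors burying the decisive logic deep enough that the emulator has to run a long way before the body appears.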

"It took over a day to deal with NewLove, which followed the LoveLetter worm," says Carey Nachenberg, chief researcher at Symantec's antivirus research center. "It's not strictly polymorphic, because it didn't encrypt itself, but it did bury its logic."

Other software vendors, including Trend Micro, do classify NewLove as polymorphic, describing it as an extremely destructive virus that disables Windows and zeroes in on files, making them unusable. It was inspired by the success of LoveLetter, according to Trend Micro, but it's polymorphic in that it changes its code with every infection, adding random bits of code and getting larger along the way.

NewLove travels the same way as LoveLetter did, propagating through e-mail attachments, clogging mail servers and erasing files. LoveLetter was not polymorphic, although dozens of variants still circulate, including one that popped up a week or so ago called VBS/Loveletter.bj.

NewLove, although first thought to be a variant on LoveLetter, didn't hit a lot of systems. As a polymorphic-style worm though, it grabbed the attention of antivirus experts, says April Goostree, research manager at security vendor McAfee.com. "We spent quite a lot of time to decode it and figure out how to protect people against it," she notes.

Symantec's Nachenberg worries about a computer virus, worm or Trojan horse so well-crafted that it will be practically undetectable. The whole issue is fraught with challenges for the traditional virus-detection method, because scanning software takes longer to find polymorphic and metamorphic viruses than to match a fixed signature.

There are thousands of types of computer viruses, but fortunately, the number of polymorphic viruses "is very slight," says ICSA's Roger Thompson.

The concept is not new - it appeared around 1991, with the Tequila and Maltese Amoeba viruses. Thompson discounts polymorphic viruses as a major threat at this time.

But Rob Clyde, an Axent Technologies vice president, isn't so sanguine.

"After Love Letter, another polymorphic virus called Life Stages appeared in June, and there are now at least some 20-odd mutation engines posted on the Web that you can use," Clyde says.

These engines, which can be used to build polymorphic viruses, have names like the Trident Polymorphic Engine, Nuke and Dark Angels.

"What's on the horizon are mutation engines to build metamorphic viruses," Clyde says, noting that one virus, called Bolzano, showed it can mutate its code, although it doesn't seem to do actual damage.

"So far, creating a metamorphic virus hasn't proven easy to do. But the danger is someone will come up with a great metamorphic virus. And these are going to take a lot longer to detect," he says.

RELATED LINKS

Contact Senior Editor Ellen Messmer

Download the ICSA's virus study

Veritas announces products, distributes FreeLove virus at conference
IDG News Service, 10/25/00.

Destructive Love Bug variant attacks
IDG News Service, 10/24/00.

CERT stepping up disclosures of security holes
Computerworld, 10/10/00.
