Sneaky new virus format has software makers scrambling
In the latest case of virus writers being a step ahead of the computer
industry, a comparatively new type of virus is forcing antivirus software
companies to rebuild their products. These email viruses, such as Kakworm
and Bubbleboy, are small programs called scripts that reside in the body
of an email message, not in the file attached to the messages. While the
viruses themselves have been around since 1999, antivirus companies still
are struggling to adjust to their existence.
Symantec's Norton Antivirus software can catch Kakworm if the virus
actually executes, but the software is unable to detect it earlier, the
company says. The company is working on short-term workarounds and a long-term
rework to its scanning engine, said Patrick Martin, product manager for
the Symantec Antivirus Research Center. Trend Micro, meanwhile, hasn't
yet updated its desktop PC-cillin software to deal with viruses in email
text, though its server-based eManager software can screen them out, said
spokeswoman Susan Orbuch.
The hurdle illustrates the years-long struggle between virus writers and
antivirus companies. While many new viruses crop up each week, virus writers
rarely come up with new ways to spread viruses that require major restructuring
of antivirus software. Viruses once were generally restricted to executable
programs on PCs; virus writers had to disguise such a program as a benign
email attachment and hope the recipient would open it.
Virus writers later pushed into new territory by embedding viruses in
small programs called macros that are part of Microsoft Word files and
other document formats.
Later, beginning with the Melissa virus, writers found that email attachments
coupled with Microsoft Outlook address books offered a quick way to spread
viruses. Then came the I Love You virus, spread not through
documents but through small programs written in a language called VBScript
that can control Microsoft Windows. But the Love bug, also known as Loveletter,
still required attachments, which are comparatively easy for antivirus
software to intercept.
The fact that Kakworm and Bubbleboy reside in the message itself is giving
Symantec a headache. Scanning the in-box file for Kakworm in Eudora, a
popular email program, can cause a major system performance drop, especially
if the in-box file has hundreds of messages and has to be scanned each
time a new one arrives, Martin said.
"Opening an email is much easier than opening an attachment, so it's
much more dangerous and much more virulent," said Bruce Schneier,
a security analyst with Counterpane Internet Security.
But dealing with viruses in email is only a secondary issue, he added.
"Antivirus vendors have bigger problems. It's the speed of infection
they're dealing with," Schneier said. "In the old days, when
viruses spread by floppy disks, it was fine to update virus definitions
every month or so. Now, they spread in seconds, in minutes, in hours.
Once a month just doesn't fly."
Symantec expects to have a better idea of how to deal with Kakworm. "We've
got several things we're looking at right now as possible short-term
or long-term (solutions) for Kakworm," Martin said. In the short
term, Symantec is considering a special piece of software that can clean
up Kakworm. "The other mechanisms, such as more sophisticated scanning,
are more long term. You can't spit those out quite as quickly,"
he said.
In the meantime, however, Norton Antivirus users continue to struggle
with Kakworm. Some customers using Eudora email software have reported
that the antivirus software, unable to repair the in-box file, has quarantined
the file so it's inaccessible.
The program sometimes recommends that people delete it, which results
in the loss of stored email messages. One antivirus software maker, Computer
Associates, says its antivirus software works against Kakworm as long as
customers have downloaded the latest virus definition files. CA's
antivirus software can deal with viruses in the email text either at the
server level or the PC level, said Piers McMahon, senior business manager
of security software. McMahon and Dan Schrader, a researcher at Trend
Micro, agreed that one way to deal with the new type of virus would be
to disable the running of scripts in email software. "In general,
99.9 per cent of people have no need to have the capabilities for emails
to have scripts within them. We take the view that it should be an exceptional
case, not a normal case," McMahon said. "For most people, it's
just dangerous having that as the default."
The problem with Kakworm and Eudora is ironic: Kakworm took advantage
of a security hole in a competing email reader, Microsoft Outlook. Microsoft
patched the hole, but many people haven't installed the update.
Kakworm is a particularly prevalent virus, Schrader said. It's been
the most frequently reported virus this year, only temporarily bumped
out of first place by the Love bug. "Kakworm is the single most common
virus in the world," he said. "I'm quite convinced that
when all is said and done, Kakworm will have infected more people than
Love bug." One reason viruses in the email text are so nasty is that
they can lie dormant in newsgroup postings, where people can stumble across
them long after they were posted, Schrader said.
Email text viruses execute when a reader simply opens an email message,
so even particularly careful email users who normally shy away from attachments
can be stung by the bug. Symantec and Trend Micro both predicted that
viruses in the email text will be increasingly common because computer
systems and computer users haven't caught up with the new method.
"Virus writers are just trying to find new avenues that people aren't
as aware of," Martin said. "Now that people have seen Loveletter
and New Love, they're getting used to file attachments. They're
getting wise to that." Viruses in email text can be written in JavaScript
or VBScript. VBScript is the scripting language of choice "because
it makes it very simple to use the Outlook address book, making
for an easy way to find new hosts for the virus to send itself to," Schrader
said.
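The body-level check the article says vendors were still building, written here as an added example (it is not code from the article or from Symantec, Trend Micro or Computer Associates). It parses a MIME message with Python's standard library, scans only the text parts of the body for script blocks, inline event handlers and javascript:/vbscript: URLs, skips attachments so that this layer stays distinct from an ordinary attachment scanner, and includes a gateway-side "neutralize" step that is the server equivalent of the disable-scripts default McMahon and Schrader recommend. The addresses, message bodies and the three detection patterns are constructed for the example; the placeholder script in the sample body does nothing.

```python
"""Added example: scan the body of an email message for script content.

Constructed sample data; not code from the article or from any antivirus
vendor it names. Standard library only.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed indicators of active content in a message body. A real product
# would use a signature set; these three cover the cases the article describes:
# a script block, an inline event handler, and a script: URL.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)
SCRIPT_URL = re.compile(r"\b(javascript|vbscript)\s*:", re.IGNORECASE)


def scan_body_for_scripts(raw_message: bytes) -> list[str]:
    """Return one finding string per indicator hit in the body's text parts.

    Attachments are skipped on purpose: existing attachment scanners already
    cover them, and the article's point is that a script in the body runs
    before any attachment is opened.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/html", "text/plain"):
            continue
        text = part.get_content()  # decoded str for text/* parts
        for label, pattern in (("script tag", SCRIPT_TAG),
                               ("event handler", EVENT_HANDLER),
                               ("script URL", SCRIPT_URL)):
            if pattern.search(text):
                findings.append(f"{ctype}: {label}")
    return findings


def neutralize_scripts(html: str) -> str:
    """Make an HTML body inert by stripping the same three kinds of content.

    Gateway-side version of the 'do not run scripts in email' client default
    that McMahon and Schrader recommend in the article.
    """
    html = re.sub(r"<\s*script\b.*?<\s*/\s*script\s*>", "", html,
                  flags=re.IGNORECASE | re.DOTALL)
    html = re.sub(r"\son[a-z]+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", "", html,
                  flags=re.IGNORECASE)
    return SCRIPT_URL.sub("blocked:", html)


def build_message(html_body: str, attach_file: bool = False) -> bytes:
    """Build a constructed multipart/alternative message, optionally with an
    attachment, so the scanner can be exercised offline."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed address
    msg["To"] = "reader@example.invalid"     # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain-text alternative with no active content.")
    msg.add_alternative(html_body, subtype="html")
    if attach_file:
        msg.add_attachment(b"placeholder attachment body\r\n",
                           maintype="application", subtype="octet-stream",
                           filename="note.txt")
    return msg.as_bytes()


# Constructed bodies. The "script" below is an inert placeholder: what matters
# is where it sits (in the body, not in an attachment), not what it does.
BENIGN_HTML = "<html><body><p>Hello, <b>no active content</b>.</p></body></html>"
SUSPICIOUS_HTML = ('<html><body><p>Hello</p>'
                   "<script language=\"VBScript\">' placeholder, no payload</script>"
                   '</body></html>')

if __name__ == "__main__":
    for name, body, attach in (("benign", BENIGN_HTML, False),
                               ("script in body", SUSPICIOUS_HTML, False),
                               ("benign body + attachment", BENIGN_HTML, True)):
        print(f"{name}: {scan_body_for_scripts(build_message(body, attach))}")
    print(neutralize_scripts(SUSPICIOUS_HTML))
```

The third sample (clean body plus an attachment) returns no findings, which is the intended division of labour: this check only answers the question the article raises about the message body, and an attachment scanner is still needed for the attachment case that Loveletter exploited.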