by Allan G. Dyer
This is a personal look at some of the papers at the Virus Bulletin Conference, held last month in Prague.
Of great relevance to Asian computer users, Costin Raiu explored the complexities of the Multi-Byte Character Sets, and how they affect macro viruses in Microsoft Office. When infected documents are moved between different language versions of Office, some double-byte characters in comments are replaced. Depending on the identification method used in anti-virus software, this may result in the modified virus going undetected. Also, as some viruses store parts of their code, or other data, in comments, the behaviour of the virus might change. Costin's work will be a useful reference for developers improving their detection of macro viruses in double-byte versions of Office.
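An added example (not from Costin's paper or from this report) of why the identification method matters: a constructed, harmless VBA-style module with Japanese characters in its comments is re-saved under a code page that cannot represent them, and a whole-module hash stops matching while a hash over the executable code only still does. It assumes cp1252 as the destination code page and uses a simplified comment stripper, not Office's own conversion.

```python
import hashlib

# Constructed sample (not a real virus): VBA-style module with Japanese double-byte comments.
MACRO_SRC = (
    'Attribute VB_Name = "Module1"\n'
    "' 作者: テスト  (comment holding double-byte characters)\n"
    "Sub AutoOpen()\n"
    "    ' メモ: another comment\n"
    '    MsgBox "it\'s only a demo"  \' trailing comment\n'
    "End Sub\n"
)

def transcode_like_office(text, dst_cp="cp1252"):
    """Simulate re-saving under another code page (cp1252 assumed for an English
    install): characters the destination cannot represent are replaced by '?'."""
    return text.encode(dst_cp, errors="replace").decode(dst_cp)

def strip_vba_comments(src):
    """Drop '-comments (outside string literals), trailing blanks and empty
    lines, leaving only the code that actually executes."""
    kept = []
    for line in src.splitlines():
        in_str, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == "'" and not in_str:
                cut = i
                break
        code = line[:cut].rstrip()
        if code:
            kept.append(code)
    return "\n".join(kept)

def exact_signature(src):
    """Whole-module hash: the 'identify exactly' approach."""
    return hashlib.sha256(src.encode("utf-8")).hexdigest()

def code_signature(src):
    """Hash of executable code only: survives comment re-encoding. A macro
    that keeps code or data in its comments would still change behaviour."""
    return hashlib.sha256(strip_vba_comments(src).encode("utf-8")).hexdigest()

def compare(original, moved):
    """Does each identification method still recognise the moved document?"""
    return {"exact_match": exact_signature(original) == exact_signature(moved),
            "code_match": code_signature(original) == code_signature(moved)}

if __name__ == "__main__":
    print(compare(MACRO_SRC, transcode_like_office(MACRO_SRC)))
```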
Aleksander Czarnowski discussed new types of Distributed Denial of Service (DDoS) attack: Pulsing Zombies, Stick (an anti-NIDS) and 4to6ddos (attacks IPv6 networks from non-IPv6 hosts). He also covered some solutions to DDoS problems (mostly using NIDS) and the involvement of viruses and worms in DDoS attacks. He concluded that the only solution currently working in practice is detection of DDoS components at host level, a task anti-virus software is ideally suited to, and that the ultimate protection will involve linking multiple layers of anti-virus and network security protection.
Peter Morley explained the issues around processing of virus collections by anti-virus developers. He had an interesting take on the strategy of prioritising the processing of samples from different sources: in-the-wild samples, monthly collections from other developers, and backlog. Peter prompted some discussion by raising the question of advertising the count of viruses detected. Counting viruses is not simple, because some products detect groups of similar viruses generically while others identify each exactly. However, Peter's point was that, of the approximately 50,000 known viruses, over half were 'legacy' DOS viruses that are no longer a threat in modern networks. Because these legacy viruses are still included in the totals, they are also usually included in the test sets used in comparisons of anti-virus software. As a result, all products score in the high 90s percent, giving the impression that all products are about as good as each other. In reality, there are often significant differences between products in the detection of viruses that are a credible threat in today's networks. Peter wanted to list a lower total of current viruses, with a note: (also detects XX,000 legacy viruses). In my opinion, the number of viruses is essentially irrelevant; what matters is cost-effective protection against the malware that is a real threat to your organisation. Marketing departments that quote larger and larger numbers in their advertising, and customers that use those numbers to make purchase decisions, are getting it wrong. The issue is more complex than that, and the evaluation should reflect the real situation.
John Stojanovski explained anti-virus problems and potential solutions for the Palm OS. The current threat for Palm OS devices is minimal - one virus and a few Trojans, but future developments are likely to change this. Already, Palm OS 4 has an ‘Autorun’-style feature for secondary storage devices which could easily be exploited by viruses. Improvements in connectivity through Bluetooth and the Telephony manager will both increase the potential for spread and the possibilities for damage. John called for the AV industry to be ready for these developments.
Meiring de Villiers explained the legal issues of res ipsa loquitur and concluded that a software developer would be liable if they shipped infected software. This, at least, reassures us that the law is not a total ass, but I was disappointed that the much more interesting and complex issues around ordinary businesses accidentally or negligently distributing viruses were not addressed.
Jeannette Jarvis described a Successful Anti-Virus Strategy from the perspective of a major corporation (Boeing). She identified four ‘P’s: Products, Processes, Policies and People; and detailed their use in combination.
A panel from AVIEN (Anti-Virus Information Exchange Network) led by David Phillips explained who they are, and what they do. AVIEN exchanges information about viruses between large corporate users, without Anti-Virus vendors. They have found this to be effective in allowing them to respond to a major outbreak hours before anti-virus developers have released updates. However, in the discussion, Vesselin Bontchev raised the point that if they acted before a sample has been analysed by a Researcher they could be taking actions that will worsen the situation and that any delay in getting a sample to the Researchers is damaging. I think there is merit on both sides of the discussion - communications in an emergency, including sample delivery, should be streamlined and efficient, but large organisations must also be prepared to act on ‘Best Available Data’ to minimise the impact, even if the methods chosen are shown to be less than optimal in the long run.
Vesselin Bontchev dissected a virus epidemic. In most cases, we have very little idea about the spread of viruses. However, some viruses take action in a way that can be monitored. W97M/Groov.A is one such virus: it sends a file to the ftp site of Vesselin's AV company (perhaps the virus writer wished to inconvenience the company; other AV researchers have also been the target of such tricks), and since 1998 they have received an average of 1800 uploads every day. By analysing the statistics and following up, Vesselin showed that there was a delay of several months before the population really started growing, then a period of exponential growth, then linear growth and a plateau showing annual variation. Christmas was a definite trough, and April a high-point (perhaps when many SOHO users switch on their computer for the first time in the year to complete their US tax return). W97M/Groov.A has not been near the top of the lists of viruses reported to vendors or researchers, but this self-reporting mechanism clearly shows it is more prevalent. What other viruses are also prevalent, but do not have a self-reporting mechanism? Attempts to contact the infected users showed that the vast majority (97%) were complacent and did not care about virus infections; this is the real reason that the computer virus problem is still increasing.
Jessica Johnston took an outsider's look at trust in the anti-virus industry and found a complex web of different perceptions. The Computer Anti-virus Research Organisation (CARO) is made up of some of the top experts in the AV industry, mostly from competing companies, but they cooperate on resolving virus threats and pooling their knowledge. Trust between members is very important in CARO, but Product Managers may perceive them as sharing more between themselves than they communicate with their own management. CARO has power and influence within the industry, but is virtually unknown to customers and Jessica concluded that CARO must listen to the critiques to survive.
I have touched on less than half the papers presented, but limitations of time and space prevent a more complete report. Overall, the conference was very good, and the city of Prague an excellent location. This newsletter will probably return to some of the issues raised in future editions.