First published: 22nd March 2004
An article with this title and the byline Thomas Goodwin appeared in the South China Morning Post on 22nd March 2004. Allan Dyer was asked some questions for the article on the topic of emerging super-viruses. Some of his answers were used in the article; the full questions and answers are published here for the first time.
Questions for Super Virus
New trends in the virus market?
I don't like the term "virus market", it implies that there is some sort of legitimate trade in viruses.
I think that the most important trend, which has become apparent over the last 1-2 years, is the involvement of organised crime and convergence with spam and fraud. We used to think of virus writers as bored teenagers or young people, with more technical knowledge than ethical development, looking for a challenge (the stereotype was never entirely true, but there was some basis in fact). Now we see viruses that install backdoors for later use, quite extensive seeding events (service providers like MessageLabs can see hundreds or thousands of messages being sent before the epidemic outbreak starts), sophisticated "phishing" attempts (e.g. the PayPal worm) and attacks on sites that try to do something about it (spammers are using "Joe Jobs" as a DDoS against anti-spam sites). This all indicates that the attackers are planning ahead: they are organised, they are doing it for dishonest gain, and they fight to protect their interests. I don't mean that it is the traditional Mafia or Triads getting involved (maybe, maybe not, I have no evidence either way) but they are definitely criminal and definitely organised.
This trend will continue; I can't say exactly where it will go, but I don't think we will like it!
What in your definition is a super virus?
I don't have one. When a reporter first mentioned to me that some people were predicting that 2004 would be "The Year of the Super-Virus" my first reaction was, "So what will we call 2005?" We are seeing more of what some vendors dubbed "Blended Threats" a couple of years ago, but that was not new then, the Morris Worm (of 1988?) fills all the criteria of a blended threat.
There is a report that virus authors are re-using damaging code to create new families of super viruses. How will that impact users?
That is nothing new; virus writers have been copying code from each other for years.
It is an opportunity and a threat. On the one hand, it allows the virus writers to pick innovative features from other malware, plug it into their own code and quickly release something with the feature. On the other hand, anti-virus developers can try to recognise the re-used code, potentially catching any new virus that uses it. As always, it is a technology race between the good guys and bad guys. I don't think that users will see a particular impact, beyond the general trend of, either, increasing effectiveness of AV software, or bigger, more damaging, virus outbreaks.
How do you cater for super-fast viruses where applying updates will be too late?
The same way we have for the past 17 years: improve information security management, employ threat reduction, improve the speed of development and delivery of updates, improve heuristics, change the environment, and educate users.
"Too late" is a tricky term; we are "too late" on user education, because users are still opening dangerous attachments, but we can still try to educate them in future. Some developers seem to be taking the current worms as a marketing opportunity to say, "updates are useless, use our heuristics", but they are also still using virus-specific scanning, with updates. In fact, every major AV developer is already using heuristics in their products. Scientifically testing which heuristics are the most effective is extremely difficult; you cannot reliably predict how many future viruses a heuristic rule will detect, especially as you are facing an active, intelligent opponent who will change their strategy.
Will a proactive approach to viruses ever be feasible? If yes, what form will it take?
There will be no "magic bullets" (remember, we are facing an active, intelligent opponent). We should use a combination of techniques, including user education. Anti-Virus is part of Information Security Management in general.
There are many proactive steps organisations can take today; some have already done so. How about changing your organisation's email client? Many of today's email worms specifically target vulnerabilities in the most popular email client. A lot of organisations have no need to transfer executables in email, so why not block all executable attachments, and all scripting in email bodies, at the gateway? That would block today's commonest route of virus spread.
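To make the gateway policy described in the answer above concrete, here is an added example (not from the original interview): a Python check that parses a constructed raw message and returns a block verdict if any attachment carries an executable extension (including a double extension such as photo.jpg.exe) or an HTML body part contains a script tag. The extension list and the sample messages are assumptions constructed for the example.

```python
import email
import re
from email import policy

# Assumed policy: attachment extensions commonly carried by mass-mailing worms.
# A real gateway would also look inside archives and at file magic, not just names.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def executable_attachments(msg):
    """Return the filenames of attachments whose final extension is executable."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Use only the last suffix so 'photo.jpg.exe' is judged by '.exe'
        suffix = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if suffix in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits


def scripted_html_bodies(msg):
    """Return True if any text/html part of the message contains a <script> tag."""
    for part in msg.walk():
        if part.get_content_type() == "text/html" and SCRIPT_RE.search(part.get_content()):
            return True
    return False


def gateway_verdict(raw_bytes):
    """Apply the two gateway rules and return ('block' | 'allow', reasons)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    names = executable_attachments(msg)
    if names:
        reasons.append("executable attachment: " + ", ".join(names))
    if scripted_html_bodies(msg):
        reasons.append("script in HTML body")
    return ("block" if reasons else "allow", reasons)


# Constructed sample: HTML body with script plus a double-extension attachment.
SAMPLE = (b"From: sender@example.invalid\nTo: user@example.invalid\nSubject: constructed\n"
          b"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
          b"--b1\nContent-Type: text/html; charset=\"us-ascii\"\n\n"
          b"<html><body>Hi<script>document.write('x')</script></body></html>\n"
          b"--b1\nContent-Type: application/octet-stream; name=\"photo.jpg.exe\"\n"
          b"Content-Disposition: attachment; filename=\"photo.jpg.exe\"\n"
          b"Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")
# Constructed sample: plain text only, which the policy lets through.
CLEAN = b"From: a@example.invalid\nTo: b@example.invalid\nSubject: hi\n\nplain text only\n"
```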
With the new Bagle virus, how has it changed the dynamics of anti-virus solutions?
What must companies do to make sure that they can avert being affected?
Implement proper Information Security Management. By identifying the value of their information assets, and the threats and vulnerabilities that affect them, they will be able to plan their optimum information security strategy, balancing risks and costs.
I've already mentioned some specific examples in (5).
Do you think the two worlds of SPAM and viruses merge?
Perhaps I should read all the questions before starting to answer ;-) See (1).
Yes, they already have. Also, some information security managers are taking the view that there is no difference between an unwanted virus in email and spam - they are both things that they want to block, end of story.
Can you please cite an example -- probably, one with a dollar figure -- on the negative impact of certain destructive viruses that the industry has encountered?
The figures of billions lost when LoveLetter hit and other similar events are wild extrapolations based on too little data; I won't quote them.
The ICSA Labs Virus Prevalence Survey 2002, recently published, found that the median cost of a virus disaster to a company was US$9,500. Three of the companies surveyed reported a cost over US$1,000,000 for a single disaster.