Fizzer Worm Has More Lessons for Enterprise

As it wended its way through corporate networks last week, the Fizzer worm did more than just clog mail servers and log keystrokes.

As it wended its way through corporate networks last week, the Fizzer worm did more than just clog mail servers and log keystrokes; it also pointed out just how quickly anti-virus vendors are losing ground to virus writers.

Despite the advances in AV software in the past few years, it is, by nature, a reactive defense. While heuristics and pattern-matching algorithms can catch some previously unknown "malware," threats such as Fizzer are still able to slip past AV programs and infect thousands of machines. And as AV vendors scramble to catch up with each new threat, virus writers continue to create innovative ways of defeating those defenses and stay ahead of the game.

Although many users are frustrated by this state of affairs, some administrators say the AV vendors are doing their best to combat an increasingly creative and determined group of virus writers.

"I think the AV vendors are doing an adequate job. However, I think the long-term prospects for AV are not good due to the ever-increasing database of signatures they have to maintain," said Paul Schmehl, adjunct information security officer at the University of Texas at Dallas and a founding member of Anti-Virus Information Exchange Network.

In fact, changes in how viruses are formatted means that "we are beginning to consider gateway AV scanning due to Yaha coming in in .zip format," Schmehl added.

Fizzer acts like most other mass-mailing viruses, arriving in an e-mail message containing an executable attachment. But thats where similarities end. The worm, which began infecting PCs on a large scale around May 9, includes features that havent been seen in many viruslike programs before. In addition to the keystroke logger, Fizzer acts as a small HTTP server that allows the virus writer to remotely control the infected machine.

Interestingly, some vendors agree with users assessments that AV software isnt up to the task of stopping every worm or virus that hits the network.

"This is the inflection point were at with AV right now. The reactive nature of dealing with this kind of malware clearly isnt enough," said Ian Hamerof, security strategist at Computer Associates International Inc., in Islandia, N.Y. "You need a combination of good technology and good computing policy. AV is only one tool in a larger strategy."

Hameroff said AV protection is at the beginning of an evolution that will make it "a bullet point in a strategy for the greater good. You need a higher view of policy and protection that takes into account a variety of things."

Some organizations already have such philosophies in place.

"[Fizzer wasnt] much of a problem for us because we already block the extension types that it uses," said Schmehl. "[Our] biggest risk ... is a single user getting the virus through Web mail, which is an ongoing but minor problem."

Most Recent Security Stories:

Search for more stories by Dennis Fisher.
Find white papers on security.
For more security news, check out Ziff Davis Medias Security Supersite.