If theres one thing that anti-virus software makers fear—aside from a mass change of heart by the virus writers—its the creation of a virus-delivery mechanism that evades detection by their signature-based products. The development of detection files for every new virus is the meat and potatoes of what anti-virus vendors do.
Because each virus is unique, anti-virus products require new signatures to detect each one, even those that are simply variants of previous malware. Without the signatures, anti-virus software is essentially blind: Not only wont it be able to stop the virus, but it also wont even be able to alert the user that a virus may have come through.
This nightmare scenario is, in fact, playing itself out right now. The latest round of variants of the Bagle virus—Bagle.Q, R, S and T—to hit the Internet has employed a delivery technique that slips past gateway and desktop anti-virus protection, as well as firewalls and intrusion detection systems. Like most other viruses, these viruses spread via e-mail. However, they do not include an attachment infected with the actual viral code, which is the delivery mechanism of choice for most virus writers. Instead, the new wave of Bagle variants sends a blank e-mail to random recipients. Once the message is opened, or even viewed in the preview pane in Outlook, Bagle exploits a flaw in Internet Explorer and automatically downloads the virus code from a remote server through TCP port 81.
Because many enterprises dont scan for viruses on their incoming HTTP traffic, the malicious file has no trouble on the way in.
The Bagle variants use a vulnerability in IE related to HTML object tags, which have a number of legitimate uses. The tags are often used to run dynamic content such as streaming audio or video. But in the case of Bagle, the viruses use the tags to execute a script on the infected machine to connect to a remote Web server and retrieve the virus-laden HTML file.
This is clearly bad news for anti-virus vendors, which, at the very least, must re-examine their methods; in the worst-case scenario, if this infection method takes off and becomes the norm, it could require the vendors to rework the way their products function. Some anti-virus experts, however, said that existing techniques are still useful in combating the new breed of attacks.
“The key is that no AV vendor should be relying on one trick in the bag. You have to have lots of ways to catch [the viruses],” said Sam Curry, vice president of product management for the eTrust division at Computer Associates International Inc., based in Islandia, N.Y. “The worrying thing is the degree of sophistication out there among the virus writers. These guys are savvy. They will find new ways to get their code out there. This should be a wake-up call to the industry that says these guys can be just as professional in the way they release software as you can.”
But, its likely worse for enterprises that must now depend more than ever on users to act as their last line of defense against these viruses.
“This threat passed right through gateway, router, firewall and server anti-viral protection and relied on the end users PC as the last line of defense. That last line of defense required each end user to have their OS [operating system] patches up-to-date and Outlook configured to restrict what is an otherwise useful capability,” said Bill Franklin, president of Zero Spam Networks Corp., based in Miami, which saw waves of the new Bagle variants recently. “Any defensive strategy that lets intruders pass all the way to the last line of defense unchecked is not just suboptimal, its asking for catastrophe. We all know that relying on the end user to stop virus attacks is not workable.”
And just to keep things interesting, spammers apparently are well on their way to using this technique as well. The spammers have developed a way to use JavaScript to deliver HTML mail messages, and it could likely be used to deliver other malicious content, too, Franklin said.
“This is the most significant new threat we face as a community,” Franklin said.