Virus Numbers Dwindle, but Impact Increases
LAS VEGAS -- Though the overall number of viruses being detected each month is falling, the severity of the viruses that are being written is increasing, with this year's Code Red and Nimda worms as perfect examples of this trend, according to Vincent Gullotto, the senior director of McAfee AVERT Labs, who spoke here at Comdex on Wednesday.
AVERT Labs is the virus research division of Network Associates, the company that owns the McAfee family of antivirus and security companies.
As macro and Visual Basic Script viruses are becoming less prevalent and more generally defended against, malicious coders have turned more to worms and exploiting security vulnerabilities, he says.
Companies are largely doing a good job of protecting themselves against mass-mailer worms that spread using e-mail attachments, by blocking those attachments from entering the network, he says. However, the
Despite the strides being made in the enterprise, users are still spreading viruses that require an attachment to be double-clicked, he says. These outbreaks, however, are more likely to occur in the home, rather than in the office, as there is no IT administrator to help guard against such actions at home, he adds. Users may also unintentionally infect corporate networks by downloading files from Web-based e-mail accounts, he adds.
Virus writers have been largely quiet in recent months, with few major outbreaks or newly created viruses popping up, he says. It's not clear whether this is a good or a bad thing, however, because the quiet may mean that the post-September 11 computer crime laws have had an effect, or it "could be the quiet before the storm," Gullotto says.
The most recent major outbreak--
Nimda was a proof-of-concept worm--a worm created to show that such a thing could be made--and though "they're not always effective," they are "where we see things going," he says. The U.S. Federal Bureau of Investigation still has no solid leads on who wrote the Nimda worm, he adds.
Nimda is likely only the next step in the evolution of similar malicious code, Gullotto says in a separate interview. Current virus-writing projects are likely tackling the problem of making a worm that functions like Nimda--that has multiple methods of spreading--without needing to exploit the same vulnerabilities that Nimda did, he says.
"Even if all IIS servers are patched, these guys aren't going to stop," he says.
Another disturbing trend is that "the Internet is not only a vehicle by which a virus can be spread, but it's becoming a target," he says.
A recent paper released by the CERT/Coordination Center, a government-funded security research body, warned that
Such a scenario is not out of the realm of possibility for virus writers, since
"If somebody's serious about taking down the Internet ... that's one area they're going to go after," Gullotto says.
Despite such dire warnings, useful actions are being taken, he says. Companies need to continue their efforts to educate users, communicate between departments and organizations, and keep their software and patches up to date, he says.
Antivirus companies will have to make their own changes, he says, noting that those companies will need to change their methods of detecting viruses from signature-based to behavior-based systems.
Currently, signature-based systems detect the presence of malicious code based on the appearance of a virus's code, whereas behavior-based detection will discover malicious code based on how it acts, not how it looks. Such improvements will show up in McAfee products in the first quarter of 2002, when the company begins to integrate technology from Network Associates' PGPfire and encryption products, he says.
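The distinction Gullotto draws can be made concrete with a small illustration. The following Python is an added example written for this article; it is not McAfee or Network Associates code and does not reflect how their products work. All signatures, sample files and the process event trace are constructed for the demonstration. The signature scanner looks for fixed byte sequences in file content; the behavior scanner ignores content entirely and instead aggregates what a process does (dropping executables on network shares, opening many outbound mail connections, adding a Run key). A one-byte variant of the "known" sample slips past the signature check but is still flagged by its behavior, which is exactly the gap behavior-based detection is meant to close.

```python
"""Toy comparison of signature-based and behavior-based malware detection.

Added illustrative example, not vendor code. The signatures, sample bytes,
thresholds and event trace below are all constructed for the demonstration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed signatures: fixed byte sequences a content scanner searches for.
SIGNATURES: Dict[str, bytes] = {
    "DemoWorm.A": b"\x4d\x5a\x90\x00DEMO-WORM-A",
    "DemoMacro.B": b"Sub AutoOpen()\r\n    Shell(",
}


def signature_scan(data: bytes) -> List[str]:
    """Return the name of every signature whose bytes appear in `data`.

    Detection depends purely on how the code *looks*: change one byte of the
    matched region and the scanner no longer sees it.
    """
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


# Constructed behavior thresholds; a real engine would tune these carefully.
MAX_EXECUTABLE_WRITES = 5   # self-copies dropped onto disk or shares
MAX_SMTP_CONNECTIONS = 10   # outbound mail connections from one process
EXEC_SUFFIXES = (".exe", ".scr", ".vbs", ".eml")
RUN_KEY_PREFIX = r"hklm\software\microsoft\windows\currentversion\run"


def behavior_scan(events: Iterable[dict]) -> Dict[str, List[str]]:
    """Aggregate per-process actions and report processes whose *behavior*
    matches worm-like patterns, regardless of what their code looks like.

    Each event is a dict with keys: process, action, target (and port for
    network events). Returns {process_name: [reasons]} for flagged processes.
    """
    exe_writes: Dict[str, int] = defaultdict(int)
    smtp_conns: Dict[str, int] = defaultdict(int)
    persistence: Dict[str, List[str]] = defaultdict(list)

    for ev in events:
        pid = ev["process"]
        target = ev.get("target", "")
        if ev["action"] == "file_write" and target.lower().endswith(EXEC_SUFFIXES):
            exe_writes[pid] += 1
        elif ev["action"] == "net_connect" and ev.get("port") == 25:
            smtp_conns[pid] += 1
        elif ev["action"] == "registry_set" and target.lower().startswith(RUN_KEY_PREFIX):
            persistence[pid].append(target)

    verdicts: Dict[str, List[str]] = defaultdict(list)
    for pid in set(exe_writes) | set(smtp_conns) | set(persistence):
        if exe_writes[pid] > MAX_EXECUTABLE_WRITES:
            verdicts[pid].append("mass executable drops")
        if smtp_conns[pid] > MAX_SMTP_CONNECTIONS:
            verdicts[pid].append("mass mailing")
        if persistence[pid]:
            verdicts[pid].append("persistence via Run key")
    return dict(verdicts)


# Constructed samples: the known worm and a one-byte variant of it.
KNOWN_SAMPLE = b"\x4d\x5a\x90\x00DEMO-WORM-A" + b"\x00" * 32
VARIANT_SAMPLE = b"\x4d\x5a\x90\x00DEMO-WORM-B" + b"\x00" * 32


def variant_events() -> List[dict]:
    """Constructed trace of what the variant does when it runs, alongside
    one benign process so the behavior scanner has something to ignore."""
    ev = [{"process": "variant.exe", "action": "file_write",
           "target": rf"\\fileserver\share{i}\readme.eml"} for i in range(8)]
    ev += [{"process": "variant.exe", "action": "net_connect",
            "host": f"mx{i}.example.net", "port": 25} for i in range(12)]
    ev.append({"process": "variant.exe", "action": "registry_set",
               "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load"})
    ev.append({"process": "notepad.exe", "action": "file_write",
               "target": r"C:\Users\demo\notes.txt"})
    return ev


if __name__ == "__main__":
    print("known sample   :", signature_scan(KNOWN_SAMPLE))     # ['DemoWorm.A']
    print("variant sample :", signature_scan(VARIANT_SAMPLE))   # []  (signature misses)
    print("variant by behavior:", behavior_scan(variant_events()))
```

The behavior rules here are deliberately simple counters, but the structure is the important part: the scanner consumes an event stream (file, network and registry activity) rather than file bytes, so a variant that rewrites its own code still trips the same rules as long as it does the same things. The cost, which the article's "chipping away" remark hints at, is that thresholds must be tuned against the activity of legitimate software to keep false positives down.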
"Security has to become a context ... a way of being," he says, adding that that context won't come in one easy step.
"It's going to have to just be people chipping away," he says.