Next viruses will be silent killers


Love bug is child's play - developers demonstrate a cross-platform virus that disappears before it can be stopped

By Eamonn Sullivan, IT Week ZDNET

LONDON, May 11 - Mere child's play. That's the hacker verdict on the Love Letter worm - and the more than 20 new permutations of it - that are continuing to strike computers around the world. A report this week from a group of developers dismissed the Love virus attack as crude and demonstrated - with code examples and a working model - how it is possible to create a far more sophisticated virus that would work across platforms, do its work with stealth and disappear before it could be stopped.

Security experts concur that worms in the last year, such as Love and Melissa, merely proved the concept. Corporations should prepare now for much more dangerous worms that operate without user intervention, as opposed to those that rely on a recipient to take some action - for instance, to open an e-mail attachment.

Michal Zalewski, a Warsaw-based security specialist working for the Internet division of Telekomunikacja Polska SA, worked on a project to see if such a worm could be developed. The project was called Samhain and was developed by a loosely knit group in Europe. All work stopped on the project last year, but the group managed to create a working model.

"This model is a deadly dangerous engine, which can be used to do very, very bad things," Zalewski wrote in the report. "Probably we aren't the first people who thought about it and tried to write it. That's what makes us scared."

Protecting organizations from such a threat requires more than updated anti-virus software. "The next thing will be hackers using e-mail to hack into your database without you knowing, to get important pieces of information," said Nick Galea, director of Malta-based GFI.

"I've been asked, twice, to develop such spy software," Zalewski said in an interview conducted over e-mail. "I don't know if it happens every day, but for sure it's possible. Automated worms are better spies than conventional hackers and crackers."

Some analysts, such as the Gartner Group, have suggested that companies employ a content firewall, quarantining executables, scripts and macros at the e-mail server or firewall level. Several companies have products that claim to do that for e-mail, such as GFI's Mail Essentials and Content Technologies' MimeSweeper. "But if you encrypt your e-mail, those scanners are going to have trouble," said Andreas Junestam, a technical consultant with Defcom Security in Stockholm, Sweden. Encryption - itself the answer to many security problems - will make content filters very difficult, unless the servers have a master key. "But the master key itself will then become a security hole," Junestam said.

Zalewski, however, said companies should not expect a boom in such stealth worms. They are still difficult to develop. "It is slow progress," he said, "not a boom. But we probably should expect some kind of boom when talking about Visual Basic disk killers."

The code in the report is very Unix- or Linux-specific, but Zalewski said the project developed enough code for Windows to show that it is possible to spread to that platform as well. We only developed a cross-platform virus, called Califax, said proven to ourselves and stopped work on it, he said. The report is available at http://lcamtuf.na.export.pl/worm.txt

It summarizes the seven deadly attributes of a more dangerous worm: Portability - works across platforms. Invisibility - stays undetected. Independence - spreads itself without user intervention. Learning - learns new techniques and tells other worms. Integrity - difficult to trace, modify or destroy. Polymorphism - changes frequently. Usability - does its work easily and disappears.

(c) 2000 ZDNet

http://msid.msn.com/mps_id_sharing/redirect.asp?www.msnbc.com/news/create_p1.asp?URL=www.msnbc.com/news/406448.asp

-- Martin Thompson (mthom1927@aol.com), May 11, 2000
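The content-firewall idea in the article above, and the encryption blind spot Junestam points out, sketched as an added example that is not part of the original post or the article. The extension list, the `classify` and `build` names, and the three sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Assumed policy (not from the article): attachment extensions to quarantine.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js", ".wsf", ".doc", ".xls"}
# MIME types that carry ciphertext a gateway cannot inspect without a key.
OPAQUE_TYPES = {"multipart/encrypted", "application/pgp-encrypted", "application/pkcs7-mime"}

def classify(raw):
    """Return (verdict, reasons); verdict is 'quarantine', 'unscannable' or 'deliver'."""
    risky, opaque = [], []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        # S/MIME signed-only data is readable; everything else in OPAQUE_TYPES is not.
        if ctype in OPAQUE_TYPES and part.get_param("smime-type") != "signed-data":
            opaque.append("encrypted part: " + ctype)
            continue
        name = (part.get_filename() or "").lower()
        # Only the final extension decides how the client opens the file,
        # so "something.txt.vbs" is judged as .vbs.
        if os.path.splitext(name)[1] in RISKY_EXT:
            risky.append("risky attachment: " + name)
    if risky:
        return "quarantine", risky
    if opaque:
        return "unscannable", opaque  # policy decision: hold, bounce, or escrow a key
    return "deliver", []

def build(filename, data, subtype):
    """Construct a sample message with one attachment (constructed test input)."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return m.as_string()

# Constructed samples: placeholder bytes only, no real script or ciphertext.
SCRIPT = build("greeting.txt.vbs", b"' placeholder bytes", "octet-stream")
ENCRYPTED = build("smime.p7m", b"\x30\x80 placeholder ciphertext", "pkcs7-mime")
CLEAN = build("notes.txt", b"plain notes", "octet-stream")

if __name__ == "__main__":
    for label, raw in (("script", SCRIPT), ("encrypted", ENCRYPTED), ("clean", CLEAN)):
        print(label, classify(raw))
```

The "unscannable" verdict is the case Junestam describes: the filter can see that a part is encrypted but not what is inside it, so the gateway either holds the message or needs a decryption key of its own.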

Answers

This is a very good post. I had a discussion today with a friend of mine who works in the field, and she would concur.

-- (Dee360Degree@aol.com), May 11, 2000.
