ZDNet UK
Platform-hopping virus poses new threat

Published: 05 Jun 2002 14:39 BST
A new virus called Simile.D may not be much of a threat to computer systems, but some of its technical tricks could lead to a rethinking of the principles underlying antivirus software.

The program has code that not only works hard to hide the virus' presence, it also randomises the program's size so as to make it harder to identify. On top of that, the fourth and latest variant of the bug -- which emerged this week -- can spread to both Windows and Linux computers.

"This is really pushing the boundaries on how to create cross-platform viruses," said Vincent Weafer, senior director of security response for antivirus-software maker Symantec.

The virus is hard-coded proof that a small segment of rogue programmers can create complex code that is still difficult for antivirus software to detect. If more viruses like Simile.D appear, it could leave antivirus companies with a tough trade-off.

With complex viruses such as Simile.D, antivirus software has to try multiple ways of identifying the code to get high recognition rates. And while that might leave PC users protected from such viruses, it would also bog down most computers. On the other hand, efforts to maintain performance may instead let stealthy bugs through.

"It is getting us to think about different ways of handling the problems," said Jimmy Kuo, antivirus researcher and McAfee Fellow at security-software maker Network Associates. "What we are worried about is detection taking too long to be useful. If the viruses get so complicated that detection takes forever to detect the virus, then that will cause a problem."

That's more of a threat than Simile.D itself.

If loosed on the Internet, the virus could cause some problems for administrators because of its ability to jump from Windows to Linux and back again. But the virus doesn't do much harm. On Windows systems, it opens a dialogue box with the author's name and the name of the virus, and it's programmed to do this only twice, on 17 March and 17 September. On infected Linux computers, the virus posts a message with similar content to the console, on 17 March and 17 May.

Other attempts have been made to create a virus that infects both Windows and Linux, most notably the year-old Winux or Lindose virus. However, that virus failed to spread. While Simile.D spreads successfully to Linux machines, the risk is lessened by the fact that only systems running in so-called superuser mode can be fully infected. "Superuser" and "user" modes refer to the level of access a user has to a system and the programs on it.

"It is less effective in Linux, especially if the user is running in user mode," said Symantec's Weafer. "It's more likely to infect from a Linux system to a Windows system than the other way around."

Roger Thompson, technical director of malicious code research for security-information provider TruSecure, didn't think the Simile.D virus would be much to worry about, even with its cross-platform attack.

"It's going to be a Code Red and a Nimda -- worms that use some new exploit -- that are really going to spread," Thompson said.

Nimda, which struck last September, blended several different types of attacks -- spreading by email, JavaScript, shared network drives, and vulnerable Web servers -- and poked holes in the defences of many companies, even those with antivirus software.

Nimda, like Simile.D, showed antivirus vendors that the arms race between the virus writers and antivirus researchers is going full tilt.

Simile.D, also known as Etap.D, is an example of a "concept virus," a lab sample created by the virus underground and published for others to see. The major antivirus companies have already incorporated detection into their software, so Simile.D poses little threat to most users on the Internet who regularly download the latest definitions.

Yet finding ways to detect it wasn't easy.

Many antivirus programs detect viruses based on a "digital fingerprint" of the code. For example, the latest variant of the Klez worm, Klez.h, can be easily detected by current antivirus software based on its digital fingerprints.

However, with Simile.D's ability to change its characteristics like a chameleon, that's not possible.

For just such an eventuality, most antivirus programs also look for virus-like behaviour and try various types of pattern-matching that are keyed to encryption routines designed to hide a virus, and to the way a virus piggybacks on other programs.
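The difference between a fixed "digital fingerprint" and the pattern-matching the article describes is easy to see on constructed data. The example below is added here and is not code from the article or from any antivirus vendor; the byte strings are made-up stand-ins for an executable image, with a short fixed sequence playing the role of the routine a scanner keys on, and the variants simply differ in padding and in a couple of register-dependent bytes. It shows why a hash of the whole file misses a variant whose size has been randomised, while a wildcard byte pattern over the routine's skeleton still matches all three.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-ins for three variants of one program plus a clean file.
# DECRYPTOR is an arbitrary short byte sequence representing the routine a
# scanner would key on; nothing here is real malware code (assumption: only
# the shape matters for the demonstration).
DECRYPTOR = bytes.fromhex("8b0631c0a901000000")
SAMPLE_A = b"HDR" + b"\x90" * 16 + DECRYPTOR + b"\x00" * 40
# Variant B: same routine, but junk inserted before it and a different amount
# of padding after it, so both the file hash and the file size change.
SAMPLE_B = b"HDR" + b"\x90" * 9 + b"\xeb\x05" + b"\xcc" * 5 + DECRYPTOR + b"\x00" * 61
# Variant C: the routine is re-expressed with different register-dependent
# bytes (second and fourth byte), so even the routine's exact bytes differ.
SAMPLE_C = b"HDR" + b"\x90" * 4 + bytes.fromhex("8b0e31c9a901000000") + b"\x00" * 70
CLEAN = b"HDR" + b"\x90" * 20 + b"Hello, world!\x00" + b"\x00" * 40


def fingerprint(image: bytes) -> str:
    """Whole-file digital fingerprint: a SHA-256 digest of the image."""
    return hashlib.sha256(image).hexdigest()


# A fingerprint database built from the one sample the lab has seen.
FINGERPRINT_DB = {fingerprint(SAMPLE_A): "Constructed.A"}


def scan_by_fingerprint(image: bytes) -> Optional[str]:
    """Exact-match detection: any change to any byte defeats it."""
    return FINGERPRINT_DB.get(fingerprint(image))


# Wildcard pattern: the opcode skeleton is fixed, the register-dependent bytes
# are allowed to take any of a small set of values. Searching the whole image
# rather than a fixed offset is what makes it immune to size randomisation.
PATTERN = re.compile(
    rb"\x8b[\x06\x0e\x16\x1e]\x31[\xc0\xc9\xd2\xdb]\xa9\x01\x00\x00\x00",
    re.DOTALL,
)


def scan_by_pattern(image: bytes) -> Optional[str]:
    """Pattern-based detection keyed on the routine rather than the file."""
    return "Constructed.gen" if PATTERN.search(image) else None


def scan_all(image: bytes) -> dict:
    """Run both detectors so the trade-off is visible side by side."""
    return {
        "size": len(image),
        "fingerprint": scan_by_fingerprint(image),
        "pattern": scan_by_pattern(image),
    }


if __name__ == "__main__":
    for name, image in [("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C), ("clean", CLEAN)]:
        print(name, scan_all(image))
```

The cost Kuo describes is also visible here: the fingerprint lookup is one hash per file, whereas the pattern search is a scan over every byte of every file, and real engines multiply that by thousands of patterns, which is the performance trade-off the article is about.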

"What you end up doing is a combination of the above, and you look at the code itself," said Symantec's Weafer.

Such techniques are time consuming, however, leaving software makers looking for other ways to maintain system security: "signing" code with a digital signature from a trusted source; keeping a database of acceptable code on the system; and limiting user power on the computer to certain tasks that aren't subject to virus attacks.
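The second alternative listed above, a database of acceptable code, inverts the detection problem: instead of recognising bad code, the system refuses anything it has not already approved, so a file infector that appends itself to a program is caught by the mismatch without any knowledge of the virus. The example below is an added illustration, not code from the article or from any vendor; it builds an allowlist of SHA-256 hashes for a set of files, then shows that a tampered copy of an approved program and a never-approved file are both refused. File names and contents are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(paths: Iterable[Path]) -> Dict[str, str]:
    """Record the hash of every approved program at approval time."""
    return {str(p): sha256_file(p) for p in paths}


def is_allowed(path: Path, allowlist: Dict[str, str]) -> bool:
    """Permit execution only if the file is listed and its bytes are unchanged.

    compare_digest is used so the check does not leak timing information,
    which matters little for hex hashes but is the habit to keep.
    """
    expected = allowlist.get(str(path))
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_file(path))


def demo() -> Tuple[bool, bool, bool]:
    """Approve a program, tamper with it, and try an unknown file.

    Returns (approved_before_tamper, approved_after_tamper, unknown_approved).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tool = root / "tool.bin"
        tool.write_bytes(b"\x7fELF constructed tool image")  # constructed content
        allowlist = build_allowlist([tool])
        before = is_allowed(tool, allowlist)

        # Simulate what a file infector does: append itself to an approved
        # program. The path is still listed, but the hash no longer matches.
        tool.write_bytes(tool.read_bytes() + b" appended constructed payload")
        after = is_allowed(tool, allowlist)

        unknown = root / "new.bin"
        unknown.write_bytes(b"never approved")  # constructed content
        return before, after, is_allowed(unknown, allowlist)


if __name__ == "__main__":
    print(demo())
```

A hash database only protects the files it was built from and must itself be kept out of reach of the code it polices, which is why the first option in the article, a digital signature from a trusted source, is the stronger form: the trust then rests on a key the system verifies rather than on a list the system stores.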

But while Simile.D has renewed discussions between antivirus researchers over how best to keep viruses out of systems in the future, standard measures still work, said Network Associates' Kuo.

"We aren't there yet," Kuo said.