Arming against viruses

Security community members try to keep up with constantly changing threats

Welcome to computing's Cold War.

On one side of the divide, malicious coders launch an ever-changing variety of viruses, worms and spyware with increasing speed. On the other side, information security experts

attempt to create effective barriers. Their task is to prevent the

enemy from outflanking existing defenses and exploiting new

vulnerabilities.

"It's an arms race of goods guys vs. bad guys," said John Watters, chief executive officer of iDefense Inc., a company that gathers intelligence on viruses.

It's a race that virus hunters don't always win. Watters said that antivirus fixes tend to be a day late and a dollar short because exploits are hitting computers and networks before solutions can be developed or widely distributed.

But if speed is a factor, so is volume. McAfee Inc. officials reported last month that they expect to log a total of 17,000 to 18,000 new malware threats by the end of this year. Malware is a catchall that includes viruses, Trojans and other forms of malicious code (see sidebar, Page 28). In the first half of 2004, new viruses emerged at a rate of 50 per day, according to company officials.

Another wrinkle: Virus writers are combining various malware forms into so-called blended threats. Such attacks use multiple methods of propagation, making them harder to eliminate.

The nature of today's threat has given rise to vendor strategies intended to thwart increasingly sophisticated attacks. Such strategies may be termed defense-in-depth, layered or holistic. Regardless of the label, the idea is to provide an integrated defense that plugs as many gaps as possible.

Sizing up the threat

The current threat landscape features some old standbys, notably e-mail-borne viruses. During the first half of this year, mass mailers were the predominant vehicle for attacking enterprises, according to McAfee officials. Mass mailers declined in 2003, but the arrival of the MyDoom.N virus via e-mail in January, followed by Bagel and Netsky, tipped the balance to e-mail, according to Vincent Gullotto, vice president of McAfee Anti-virus and Vulnerability Response Team (AVERT).

More recent attack developments include bot software and spyware capable of identify theft.

A bot probes network service ports for holes, exploits openings and installs code that allows attackers to control the infected computer. Bots can be used as agents in denial-of-service attacks. Gaobot and SDbot are examples of these remotely controlled threats.

Jim Hurley, vice president of risk, security and compliance at Aberdeen Group, said he considers bots among the more significant threats of late. "They are all over the place," he added.

Oliver Friedrichs, senior manager of Symantec Corp.'s Security Response Team, called bots a substantial threat. He said they are harder to track than other threats because they can remain hidden.

Spyware, meanwhile, is widely installed on unsuspecting users' computers, embedding itself via freeware downloads and other means. Those programs typically snoop on users' Web surfing habits, but security experts believe they can do much more. For example, spyware can be used to harvest passwords and personal information, said Sam Curry, vice president of eTrust security management at Computer Associates International Inc.

To compound the problem, various threats are often melded together. Such hybridized, or blended, threats have been around since at least 2000, but the combinations — which Curry likened to gene splicing — continue to evolve.

Amit Yoran, director of the Homeland Security Department's National Cyber Security Division, acknowledged that most of the attacks getting media attention recently have blended threat characteristics. But he said he believes less visible and more focused attacks may be more dangerous.

"Oftentimes, the most damaging attacks are not necessarily the ones that receive the greater media attention," he added.

Playing defense

Against this backdrop, organizations' IT administrators are working to prevent as many potential security breaches as possible. Tom Buoniello, vice president of product development at Sybari Software Inc., said main scanning points for preventing threats include firewalls, the Simple Mail Transfer Protocol routing layer, messaging servers and the desktop.

Buoniello and other industry executives refer to this multipronged approach as defense-in-depth.

Not everyone is enthusiastic, however. No one argues against covering the antivirus bases, but some executives say layered security is not totally effective.

Defense-in-depth, Curry said, has led to the "Balkanization of the security industry." Islands of security and isolated expertise hamper data sharing and collaboration within organizations, he said, making it more difficult to identify intrusions.

Vendors such as McAfee, CA and Trend Micro Inc. offer integrated product suites as the answer to fragmentation. In addition to cohesion, such suites provide for centralized management and administration.

Critics of the all-in-one approach, however, say relying on a single antivirus engine could create a weakness.

Some government agencies use elements of both strategies. They

use suites to cover some areas and point products in others. Fontana, Calif., officials use Zix Corp.'s antivirus, content filtering and antispam suite at the Internet gateway. But administrators also run McAfee's antivirus on the desktop and GroupShield on the Microsoft Corp. Exchange server.

Chris Beck, an information services specialist for the city, said using both Zix, which uses Sophos Inc.'s antivirus engine, and McAfee provides added protection.

James Banks, director of technology at the Independent School District in Barbers Hill, Texas, uses McAfee VirusScan ASaP, a managed service, for the bulk of the district's protection, but he also uses StopZilla's pop-up blocker and Webroot Software Inc. Spy Sweeper anti-spyware product. His overall method, however, is to consolidate vendors where possible.

Regardless of the method, analysts say IT officials must

consider factors beyond technology in rounding out a security strategy.

"I recommend that companies compliment technology with training and communications," said Jon Oltsik, senior analyst for information security at Enterprise Strategy Group. "Users should know how to identify potential threats and understand basic security procedures to limit exposure — downloading the latest virus signatures on a regular basis for instance."

That's one way to win the virus race. n

Moore is a freelance writer based in Syracuse, N.Y.