Security Information Week 25, 1999
This year we have seen three instances of malicious programs which caused severe damage all over the world:
- The Melissa incident - experiences discussed in Security info for week 13
- The CIH virus - described in Security info for week 17
- The ExploreZip worm - described in Security info for week 23
What these three have in common is that a huge number of computers were affected and the incidents received large media coverage. The latter may have helped to raise security awareness among PC users in general.
This week's security info discusses whether these malicious programs have anything else in common, and tries to make some predictions about the future of such programs and about how to protect against them.
New techniques
All three of the above-mentioned programs use techniques never seen in the wild before this year. Melissa (a macro virus) and ExploreZip (a worm) use similar techniques in that they use the Internet to propagate. More specifically, they use the SMTP (mail) protocol. The CIH virus, on the other hand, is a traditional binary virus in that it infects binary files. However, it is the first virus which successfully destroyed hardware (the FlashBIOS on some PCs).
Source code for such malicious programs is often spread on the Internet, and one may fear that variants of these programs will appear in the future. This was indeed the case with Melissa, a fact which is discussed in our article "What to learn from visits by Melissa and her siblings".
One may expect that propagating malicious programs over the Internet is a technique that is going to be popular among the writers of such programs. If this is true, it is a great challenge for the virus control companies, as this technique enables malicious programs to propagate much faster than before. The ability to detect such new programs quickly once they are in the wild, as well as sufficient alert procedures, are going to be important in the coming months and years.
Prosecution of the creators of malicious programs
Another new trend is that spreading malicious programs has become riskier. Police forces in several countries have used vast resources to find the creators of the programs discussed in this security info. So far, persons suspected of being the authors of both the Melissa and the CIH viruses have been identified, and they risk huge fines as well as prison sentences. The FBI in the USA has set up a special unit, the National Infrastructure Protection Center, which among other tasks is supposed to investigate and alert about such incidents. Other countries have similar units.
The fact that being a creator of malicious programs has become a higher-risk "profession" may be one of the reasons why more such programs have not been released in the wake of the three discussed here.
What to expect
Even so, it would be naïve not to expect new, similar, different, worse and sneakier malicious programs in the months and years ahead. How should one create the best protection against this?
Norman expects that one of the paths to follow to accomplish better protection against new viruses, worms and other kinds of malicious programs is to intensify the use of heuristics in detection. This does not mean that scanning for signatures in program files and documents should be replaced in the near future, but the use of heuristics to identify potentially malicious actions would protect against totally new viruses and worms: protection even before the signatures for the program are included in the definition files.
In the new release of Norman Virus Control - version 4.7 - one of the features which has been focused upon is improved heuristics.
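The distinction the article draws between signature scanning and heuristics, as an added illustration that is not code from the original page or from Norman: a tiny scanner that first looks for exact byte signatures from a definition list and then scores a file by the categories of action it appears to perform (automating a mail client, walking the address book, attaching and sending files, running automatically, suppressing prompts). The signature names, the marker strings, the rule weights, the alert threshold and all three input samples are constructed for this example; none of the samples is a real macro, they only carry the indicator strings the rules look for. The point it makes is the one in the text: the "novel" sample matches no signature at all, yet the heuristic rules still flag it, while a benign macro that trips a single rule stays below the threshold.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed signature "definition file": name -> exact byte pattern.
# These patterns are invented for this example and match no real virus.
SIGNATURES = {
    "Example.Macro.A": rb"EXAMPLE_MACRO_A_MARKER",
    "Example.Worm.B": rb"EXAMPLE_WORM_B_MARKER",
}

# Heuristic rules: each one matches a *category of action* rather than one
# specific sample, so a never-before-seen program can still be caught.
# (description, pattern, assumed weight)
HEURISTIC_RULES: List[Tuple[str, "re.Pattern[bytes]", int]] = [
    ("runs automatically when the document opens", re.compile(rb"\bAuto(Open|Exec|Close)\b"), 1),
    ("automates a mail client", re.compile(rb"Outlook\.Application", re.I), 2),
    ("enumerates the address book", re.compile(rb"AddressLists?|AddressEntries", re.I), 2),
    ("attaches a file to a mail", re.compile(rb"Attachments\.Add", re.I), 2),
    ("sends mail programmatically", re.compile(rb"\.Send\b", re.I), 1),
    ("suppresses user-visible prompts", re.compile(rb"(DisplayAlerts|ScreenUpdating)\s*=\s*False", re.I), 1),
]

# Assumed threshold: below it a file is merely "noisy", at or above it we alert.
ALERT_THRESHOLD = 5


@dataclass
class ScanResult:
    signature: Optional[str]      # name of the matching signature, if any
    heuristic_score: int          # sum of the weights of the rules that fired
    triggered: List[str]          # descriptions of the rules that fired

    @property
    def suspicious(self) -> bool:
        # A signature hit is conclusive; otherwise fall back to the heuristic score.
        return self.signature is not None or self.heuristic_score >= ALERT_THRESHOLD


def signature_scan(data: bytes) -> Optional[str]:
    """Classic detection: exact byte pattern from the definition file."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_scan(data: bytes) -> Tuple[int, List[str]]:
    """Behaviour-oriented detection: score the actions the file appears to take."""
    score, hits = 0, []
    for description, pattern, weight in HEURISTIC_RULES:
        if pattern.search(data):
            score += weight
            hits.append(description)
    return score, hits


def scan(data: bytes) -> ScanResult:
    """Run both stages and combine them into one verdict."""
    signature = signature_scan(data)
    score, hits = heuristic_scan(data)
    return ScanResult(signature, score, hits)


# Constructed samples (not real macros; indicator strings only).
KNOWN_SAMPLE = b"Sub Main()\n' EXAMPLE_MACRO_A_MARKER\nEnd Sub\n"

# Unknown to the signature list, but its indicator strings describe the
# mass-mailing behaviour the article attributes to Melissa and ExploreZip.
NOVEL_SAMPLE = (
    b"Sub AutoOpen()\n"
    b"Application.DisplayAlerts = False\n"
    b"' ... Outlook.Application ...\n"
    b"' ... AddressEntries ...\n"
    b"' ... Attachments.Add ...\n"
    b"' ... x.Send ...\n"
    b"End Sub\n"
)

# Ordinary report-formatting macro: trips one low-weight rule, nothing else.
BENIGN_SAMPLE = (
    b"Sub FormatReport()\n"
    b"Application.ScreenUpdating = False\n"
    b"ActiveDocument.Paragraphs(1).Range.Bold = True\n"
    b"End Sub\n"
)


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("novel", NOVEL_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = scan(sample)
        print(f"{label:6s} signature={result.signature} score={result.heuristic_score} "
              f"suspicious={result.suspicious} rules={result.triggered}")
```

The weights and threshold are the part a real engine would tune: a single rule firing (the benign macro that only switches off screen updating) must stay quiet, while several unrelated actions that together only make sense for a self-mailing program should cross the line even when no definition file has ever seen the sample.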
Per Olav Førland
