Whiz-bang new features can sell software, but will they make a computer virus spread faster?
Several antivirus firms warned users this week of a new worm that uses encrypted plug-ins to change features, can camouflage itself in an email written in one of four languages, and uses newsgroups to communicate with its brethren.
Called Hybris, the Internet worm is "perhaps the most complex and refined malicious code in the history of virus writing", said Eugene Kaspersky, head of antivirus research firm Kaspersky Lab, in a statement Monday.
That doesn't mean it's more dangerous, said Vincent Gullotto, director of Network Associates' antivirus emergency response team. "We have seen some technically good viruses that don't become successful and poorly written ones that do become successful," he said. "Technology itself won't make the difference between a huge outbreak like Melissa [and a dud] -- social engineering will make the difference."
Both Network Associates and Kaspersky Lab said they have added protection against the worm to their newest antivirus definitions.
Written as a Windows 32-bit application, Hybris appears as an attachment to an email message from someone the victim knows. The email's subject line and body, as well as the name of the attachment, can be written in English, French, Spanish, or Portuguese, and generally refer to sex or pornography. The sender will appear to be "Hahaha".
If the user opens the attachment, Hybris infects the Windows networking software, known as Winsock32.dll, on the host computer, and stores a copy of itself in the Windows system directory. The worm then essentially wiretaps the computer, looking for email messages to which to send itself.
Perhaps the most advanced feature of the worm is its support for up to 32 encrypted plug-ins that it can download from the Internet. With the plug-ins, any of the worm's attributes can be changed, including how it infects, the text it includes in email, and from where it downloads new updates. "The components themselves give the virus writer the possibility to modify his creation 'in real time', and in fact allow him to control infected computers worldwide," said the Moscow-based Kaspersky in a statement.
Kaspersky Lab has already identified five plug-ins that:
- infect all ZIP and RAR archives on a computer's hard drives
- send messages containing encoded plug-ins to the virus research newsgroup alt.comp.virus
- find and infect machines that have already been compromised with the well-known SubSeven backdoor
- encrypt copies of itself to avoid detection
- create random subject, body, and file names in four languages.
Last weekend, the alt.comp.virus newsgroup was swamped with almost 3,000 messages from the worm, containing what looked like garbage text. In reality, the mangled text consisted of new features that the worm could download from the Web.
That's analogous to the virus scene at large, said Rob Rosenberger, editor of the Virus Myths home page and a frequent antivirus industry critic. "There is so much trashy virus material out there, this seems to be one that has the A-V industry earning their pay for once," Rosenberger said.
He acknowledged that the worm had some interesting features, but said Kaspersky's warning added up to a shrewd public relations move. "They are not the first to do so, and they definitely won't be the last," Rosenberger said.
Despite the Russian company's warning, the writer of Hybris may have been more interested in creating cool technology than in creating a worm that spreads.
Not all virus and worm writers aim to infect other people's computers, said "Evul", a virus writer and webmaster of Coderz.net, a site where interested programmers can exchange their code. "Some writers are extremely skilled and do code things which are extremely challenging," Evul said. Other writers "like to see [their viruses] go nuts".
Many writers copy viruses already available, adding little that is original. For that reason, virus writers are generally denigrated as poor programmers.
In many cases, however, it's those poorly programmed viruses and worms that do the most damage, said Fred Cohen, a computer science professor and independent security consultant. "All the viruses that we know about are the big, bold ones," he said. "On the other hand, there are some viruses that are relatively successful, but you don't even know they are there."
Cohen believes that the only way to stop computer viruses is to put an end to "mobile code" such as script and macros. "We can't do much to stop people from writing viruses, but we do have control over the environment," he said.