
New turn in old war on macro viruses

Will behavioral scanning keep computers safe against macro viruses? Symantec says it can.
Written by Robert Lemos, Contributor
ORLANDO, Fla. -- Personal firewalls have become all the rage to protect home computer systems against the Internet's vandals. Now, the concept is being adapted to protect those same computers from macro viruses and Trojan horses.

On Friday, anti-virus firm Symantec Corp. (symc) showed off technology to stop viruses that use scripting to infect, manipulate and destroy programs and data on computers by blocking the use of certain commands commonly used by malicious code.

The technique has resulted in a much higher success rate against macro viruses, said Mark Kennedy, architect with Symantec's Anti-virus Research Center, during a presentation on Friday. Extensive research on the potentially dangerous scripts has identified many "that have not been used by a worm, but could be in the future," he said.

"That is why the success rate is so high."

Scripting languages are sets of commands designed to make automating tasks on computers easy. Unfortunately, they also allow virus writers to create viruses and Trojan horses that run on a variety of platforms.

The first macro virus -- WM/Concept.A -- appeared in 1995, took two weeks to find its way onto the list of the most frequent viruses and stayed on the list for almost 18 months.

In the past two years, more than 500 different viruses (not variants) have appeared. Of those, 87 percent were macro viruses, according to Bruce Burrell, anti-virus team leader for the University of Michigan, who found that in most cases, anti-virus firms protect against viruses before the digital antigens make it onto the Internet.

Despite that, the current method of detecting viruses -- scanning programs for content that matches a predefined list of virus definitions -- has many problems, said Nick Fitzgerald, an independent consultant with Computer Virus Consulting Ltd.

The virus definitions need to be constantly updated and, as a result, anti-virus firms are locked into an arms race with virus writers.

The technique to be used by Symantec will instead identify potentially dangerous script functions and prevent any program from using them, unless previously OK'd by the system administrator or home user.

The method harks back to the behavioral filters used in the past by anti-virus software makers, which would block any access to specific functions not sanctioned by the user.

At the Black Hat Security conference in July, A. Padgett Peterson, corporate information security officer for Lockheed Martin Enterprises Information Systems, presented a short list of such Windows Script functions that could be blocked to prevent attacks such as Melissa and LoveLetter.

There is a weakness to the defense, said consultant Fitzgerald.

"You have to design the software for each scripting language that you want to monitor," he said. "JavaScript will need new software. PERL will need new software."

Yet, in the end, keeping up with changes in scripting services could be far easier than keeping track of the more than 50,000 virus variants in the wild today.
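The behavior-blocking approach described above, as an added illustration that is not Symantec's code: each scripting language gets its own rule set, a dangerous function is blocked unless the administrator or user has previously OK'd it for that script, and a language with no filter written for it (Fitzgerald's caveat) goes unmonitored. The language, script and function names are constructed placeholders, not the lists Symantec or Peterson used.

```python
from dataclasses import dataclass, field


@dataclass
class BehaviorPolicy:
    # Functions to block, keyed by scripting language. These names are
    # constructed placeholders, not a real vendor's block list.
    blocked: dict
    # Exceptions previously OK'd by the administrator or user: (script, function).
    approved: set = field(default_factory=set)

    def approve(self, script, function):
        """Record a sanctioned use so that later checks allow it."""
        self.approved.add((script.lower(), function.lower()))

    def decide(self, language, script, function):
        """Return 'unmonitored', 'block', 'approved' or 'allow' for one call."""
        lang_rules = self.blocked.get(language.lower())
        if lang_rules is None:
            # No filter has been written for this language yet.
            return "unmonitored"
        func = function.lower()  # macro languages are typically case-insensitive
        if func not in lang_rules:
            return "allow"
        if (script.lower(), func) in self.approved:
            return "approved"
        return "block"


def check_calls(policy, calls):
    """Evaluate a trace of (language, script, function) calls; return decisions."""
    return [(script, function, policy.decide(language, script, function))
            for language, script, function in calls]


# Constructed sample: one monitored language and a short call trace.
SAMPLE_POLICY = BehaviorPolicy(blocked={"vba": {"sendmail", "writefile", "runprogram"}})
SAMPLE_POLICY.approve("payroll.xls", "WriteFile")
SAMPLE_CALLS = [
    ("VBA", "payroll.xls", "WriteFile"),   # sanctioned exception for this script
    ("VBA", "invite.doc", "SendMail"),      # dangerous and not approved: blocked
    ("VBA", "invite.doc", "FormatCell"),    # harmless function: allowed
    ("Perl", "backup.pl", "RunProgram"),    # no Perl filter exists: unmonitored
]

if __name__ == "__main__":
    for script, function, decision in check_calls(SAMPLE_POLICY, SAMPLE_CALLS):
        print(f"{script:12} {function:12} {decision}")
```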
