'Legacy viruses' lie in wait

Old viruses do not die but merely remain dormant, according to experts at an antivirus conference

Antivirus experts speaking at the Association of anti-Virus Asia Researchers (AVAR) conference have told delegates that old computer viruses are still a threat.

While so-called "legacy viruses" are slowly dropping off, old malicious code is lying in wait to strike at current systems. Survey data analysed by researchers indicates many threats presumed by system administrators to be extinct are more accurately described as "dormant", speakers told conference attendees in Sydney today.

One researcher, Larry Bridwell of ICSA Labs, says these inactive viruses are analogous to fish thought to have disappeared from the seas. No one thinks much of them until "some fisherman in Madagascar pulls one out on a line".

There are not many viruses that have actually managed to become truly extinct, he says. However, it's a trend that is likely to shift as certain types of infection vectors, such as floppy disks, become obsolete. Others are likely to burn themselves out because they’re too destructive or because the virus writer has written an expiry date into the virus’s code, he explained.

Symantec's US-based senior director of Security Response, Vincent Weafer, agrees with Bridwell. However, he says legacy threats only represent a threat to complex environments. "For a single user it's trivial. If you have a million machines in a number of different places then it’s a complex problem to deal with," he told ZDNet Australia.

Emerging technologies will also become a breeding ground for old-fashioned viruses, such as boot sector nasties, he said. "If you take some of the smart cards that are coming out… you could see some of these coming back."

Another area of discussion at the AVAR 2003 conference is the effect of traditional Win32 viruses on 64-bit Windows platforms. Computer Associates' Sha-Li Hsie and Oleg Petrovsky told delegates there's no urgency for antivirus vendors to rush into developing 64-bit scanning software to cater for the newer systems.

According to the two experts, current scanning technology is capable of detecting 64-bit threats, an opinion shared by Eric Chien, Symantec’s chief researcher, Security Response. "They’re saying that 32-bit [antivirus] is good enough on a 64-bit platform. That may be the case... but those AV programs will need to be updated," he said.

The only issues he cites for creating an entirely 64-bit based scanning engine are performance-related. "The only issue there isn’t the detection side of things, but in performance. You’re going to get better performance if you run a native 64-bit app," he said.

The annual AVAR conference brings together antivirus researchers from Australia, Canada, Hong Kong, Iceland, Ireland, Japan, New Zealand, the UK and the US. This year is the first time the conference has taken place in Australia. This year's theme has been broadened to cover "malicious code", such as worms, Trojans and viruses, and not just "computer viruses".