Viruses: Past, present and future

Two sides to every coin. Sadly, that applies to the Internet too. And viruses occupy a large chunk of the other side of the 'Internet coin'. A major threat always viruses are now even more threatening with more computers connecting to the Internet every day. Come on, if Microsoft's Hotmail and Linux web servers are vulnerable so are we.

Symantec, publisher of the popular anti-virus program Norton Anti-Virus, is one of the forerunners against the fight against viruses also runs the Symantec Anti-Virus Research Center (SARC). Here's an exclusive interview with Eric Chien, Chief Researcher at SARC.

Of course Symantec has not revealed all. What other concerns do you think need to be addressed? YES

Q. Could you tell our readers who you are and what your job at Symantec is?
A.Eric Chien, Chief Researcher at Symantec AntiVirus Research Center for EMEA (Europe Middle East Africa). SARC EMEA is based in Leiden, Netherlands where we research current and future malicious code threats. There is no such thing as an average day. Every day is different and each day could be the next virus outbreak. In general, we are programming code to combat new threats and creating fixes for immediate threats.

Q. People's concern on viruses rose over the last year. How much is there a reason for that paranoia?
A. Viruses have changed dramatically over the last few years. This is primarily due to networking. In the past, in order for a virus to jump from one machine to another, it required a human to copy it onto a floppy disk and pass the floppy disk to another person. Today, viruses via networks (the Internet) can email themselves out to everyone you know without your knowledge. They no longer have geographic barriers. Before we used to see outbreaks in certain geographic regions because in order for a virus to get around the world, it required a person to board a plane, and fly to another country. Today, a virus can go from the Phillipines to Switzerland and all around the world in a matter of minutes.

In addition, to the increased propagation speeds, networking has also made payloads (damaging effects) of viruses much more dangerous. In the past, the worst that might occur is a virus would delete all your data. Hopefully, you had backups. However, today, viruses can open backdoors into your computer and over the Internet a malicious virus writer can connect to your computer. There he can control your computer, copy files from your computer, and plant files onto your computer. Imagine if your company confidential information is taken off your computer and publically placed on some website. That is much more damaging then your data being deleted.

So you've got something to tell me? YES

Q. What do you think were the "important" viruses in 2000?
A. Clearly, VBS.LoveLetter had a big impact. It demonstrated that viruses were a problem to the average computer user. Before, viruses were something system administrators needed to worry about, but today viruses can affect the grandmother at home to the latest high-tech e-commerce business.

Q. What can we expect for 2001?
A. Today, when we look at the top ten, all of the infectors are network aware malware. That is, malicious software (malware) that can utilize the network -- find other computers to copy itself to, email itself out to other users. That couldn't be said a year ago. Clearly, network aware malware has come to fruition. We expect to see more of the same. Today, generally a virus isn't a threat unless it has some sort of network component. That network component is what causes it to spread so fast and be so potentially dangerous.

We also see virus writers branching out. We see virus writers beginning to use security holes as part of their viruses. For example, WScript.Kakworm uses a security hole that allows it to drop a file on your system when you simply read your email. In addition, they are reaching out to new platforms. As we become more mobile, we expect viruses to become mobile as well. We already have viruses for the Palm Pilot and malicious code for other devices is not far behind. VBS.Telefonica replicated on Windows systems, but also used email to SMS gateways to spam mobile telephones.

Q. We saw the first virus for PDAs, the first PHP-virus, cell-phone "viruses". Is it going to a direction, where people need a virus-scanner for their microwave or their razor, because computers and embedded systems are going to be used everywhere?
A. Eventually, that may be true and we already see some of it today. For example, Symantec already has a scanner for the Palm Pilot. Virus scanners as we see them today, probably will not just be squeezed into these devices. Instead, they will be redesigned. For example, there is no need to scan for Windows viruses on your Palm Pilot (yet). In addition, when we talk about cell-phones, they currently don't have the resources to support a traditional virus scanning application. Instead, you will probably see things like behavior blockers (applications that don't exactly identify malicious code, but simply block potentially damaging behaviors) or secure operating systems built into these types of devices. This will generally be transparent to the user. We also see expansion into ensuring you have a 'clean pipe' For example, if all the data to your WAP enabled phone must go through a central WAP gateway, then putting a solution on the gateway itself and ensuring the pipe of data coming down to your phone is clean is the best solution rather than attempting to have scanners on each device.

Q. When is a virus a "virus"? Are worms viruses?
A. Technically worms are simply a subset of viruses. The definition of a virus is simply a program that self-replicates. Note that it doesn't need to delete data or do all these bad actions. Of course, those however, are the ones we are often most worried about. When we compare a virus to a worm, we state that the vector of infection of a virus is objects (such as files) on a computer. The vector of infection for a worm are computers as a whole within a network. For example, a virus will try to infect as many files on a single computer. To jump from one computer to another, it requires a human to copy that file to another computer. The goal of the worm isn't to infect as many files on a computer, but rather to infect as many computers on a network. They seek out other computers that are accessible from your computer and copy themselves there. And from those computers find more computers.

Of course Symantec has not revealed all. What other concerns do you think need to be addressed? YES

Q. The internet has become a part of the computer. After people got in touch with the internet there was the computer "and" the Internet. Right now it's the computer "with" Internet. The strategy of a lot of firms is to get web-based applications (for example Microsoft's .NET-strategie). Shouldn't there be more concerns about the security and the possibilities, that there will be for virus-writers with this new kind of applications?
A. There is always a trade off between security and functionality. The more functional, the less secure. As we move forward with networking and as networking becomes even more ubiquitous in our computing enviroment, there is more chance for viruses to spread from one computer to another and affect more people. This is clearly a concern. We are working with many vendors in many differnet areas from mobile devices to networking software to try to alleviate or at least mitigate the risk. However, no matter if you are using a machine with a 9600 baud modem or if you have ADSL, there are some general guidelines that will always remain true. One of those is to practice safe computing. As you allude to, this can't be stressed enough now that so many computers are inter-connected.

Safe computing practices include simple rules such as deleting attachments from unknown people. It is about using the same common sense we use on the street when we are online. For example, if you were walking on the street and someone from the World Health Organization came up to you and said 'Eat this piece of candy and it will prevent you from ever becoming sick again', I doubt you would take that piece of candy. But when people receive emails that state 'This is from Microsoft, run this program and it will make your Internet speeds faster, and fix all the software bugs on your computer', instead of ignoring it, they double-click and run the program unknowningly running some malicious code. We should do as our mothers told us and not take candy from strangers. In addition, if you receive an unexpected email attachment from someone you do know, you should treat it like a knock on your door at 3am in the morning.You should verify the person really sent it to you first.

As we are networked, we also have to take responsibility for more than just our computer. When we connect to the Internet, we are connected to millions of other computers all around the world within seconds of each other. So, while you may not care that some virus destroyed your data on your computer (because you just use it for games), your friends might care that you unknowingly sent them hundreds of emails messages clogging up their Inbox. For virus writers, the interconnectivity means faster spreading, further reaching, and more damaging viruses.

Q. Ok, now kinda dumb, why do people code viruses?
A. We see two major reasons. First, they do it for the same reason people spray paint graffiti on walls. They want to get their name in lights. They want to be able to tell their friends 'Look at what I created' Secondly, virus writers often do it to flex a technological muscle. They see it as a technological challenge to create viruses and more so, new types of viruses that take advantage of new techniques to allow them to propagate faster, farther, and undetected.

Q. How sophisticated are viruses today (loveletter was an easy one, because it used the naivety of the user as starting-point: look at mail, start code by opening the attachment)?
A.The most technologically sophisticated viruses aren't always the most successful. Often, simplicity wins out. Of all the factors, social engineering plays a big role. VBS.LoveLetter wasn't any technological achievement. When you look at the code, you can see that parts of it are based on previous viruses which did not spread as far or fast. What caused VBS.LoveLetter to spread so far and so fast is the message that states it is a love letter from someone. Who doesn't like to get a love letter? People were curious and intrigued enough to double click on the message.

Viruses are more sophosticated than ever before and they have a greater playing field as well with our interconnectivity. Viruses today can jump thousands of kilometers from one computer to another in seconds. They can update themselves via the Internet allowing them to continually change. A recent example is W32.Hybris Using security exploits in software with bugs, they can attempt to execute when the user simply reads their email (for example, WScript.KakWorm). In addition, we are seeing more cross-infectors. These are viruses that infect more than one type of object. For example, there are viruses that infect Word documents along with Win32 executable files, and also create a VBS (Visual Basic Script) file.

Despite their sophistication, we still see untouched breeding grounds for viruses. This is obviously just the beginning of the history of computer viruses. What is most unfortunate is even if virus writers stopped writing viruses today, the problem would never go away. Viruses have a life of their own. Once, a virus is out in the wild infecting computers, there is no guarantee it will ever be extinct.

Q. There are no more so many boot viruses, because the floppy has lost it's status as data transporter. Internet is the new way to get data. How do you think will be the evolution of the viruses in the future?
A.Viruses follow technology. Where ever technology goes, viruses will go as well. For example, we have clear tracking trends that show when Windows9x/NT was released, boot viruses dropped dramatically. This is simply because some boot viruses don't work properly under Windows9x and don't work at all under WindowsNT. DOS file viruses have followed a similar demise. With the evolution to Windows, DOS file viruses no longer had hosts to infect. So, in the future, network aware malware will become common place. The majority of infectors will all have some sort of network routine. We will see viruses move to devices from smartphones to embedded systems. Whereever technology goes, expect viruses to follow.