Battling the unknown virus

Antivirus software makers employ a technique known as "heuristics" to check for suspicious commands within code.

Antivirus software makers are recycling some old tricks to combat computer viruses proliferating over the Internet.

The technique, called "heuristics," checks for suspicious commands within software code to detect potential viruses.

Heuristic techniques can detect new viruses never seen before, so they can keep malicious code from spreading. An older method, called signature-scanning, uses specific pieces of code to identify viruses.

Both methods have downsides. Heuristic techniques can trigger false alarms that flag virus-free code as suspicious. Signature-scanning requires that a user be infected by a virus before an antivirus researcher can create a patch, and the virus can spread in the meantime. Most antivirus vendors use both techniques.
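As an added illustration of the two techniques the article contrasts (this is example code, not from the article or from any vendor it names), the following Python scanner applies an exact-fragment signature check first and a weighted heuristic score second. The signature database, the heuristic rules and weights, and the macro fragments fed to the scanner are all constructed for this example and deliberately non-functional.

```python
import re

# Constructed signature database: a "signature" is an exact code fragment
# taken from a sample an analyst has already examined (hypothetical names).
SIGNATURES = {
    "Constructed.Macro.A": "For Each entry In session.AddressLists(1).AddressEntries",
}

# Constructed heuristic rules: (regex, weight, description). A vendor's real
# rule set is far larger and tuned on real samples; these are illustrative.
HEURISTIC_RULES = [
    (r"\bAddressLists?\b", 3, "reads the address book"),
    (r"\.Send\b", 2, "sends mail without a user action"),
    (r"\bVBProject\b", 3, "modifies macro code (self-replication)"),
    (r"\bNormalTemplate\b", 2, "writes to the global template"),
]
THRESHOLD = 5  # lower catches more variants but raises more false alarms

def signature_scan(code: str):
    """Return the name of the known sample whose fragment appears, else None."""
    for name, fragment in SIGNATURES.items():
        if fragment in code:
            return name
    return None

def heuristic_scan(code: str):
    """Return (score, reasons) for suspicious commands found in the code."""
    score, reasons = 0, []
    for pattern, weight, why in HEURISTIC_RULES:
        if re.search(pattern, code, re.IGNORECASE):
            score += weight
            reasons.append(why)
    return score, reasons

def classify(code: str) -> str:
    """Signature first (precise), heuristics second (catches unseen variants)."""
    known = signature_scan(code)
    if known:
        return f"known:{known}"
    score, _ = heuristic_scan(code)
    return "suspicious" if score >= THRESHOLD else "clean"

# Constructed, non-functional macro fragments used only as scanner input.
KNOWN = "For Each entry In session.AddressLists(1).AddressEntries\nmsg.Send"
VARIANT = "For Each e In sess.AddressLists(1).AddressEntries\nmsg.Send"  # renamed variable evades signature
BENIGN_MERGE = "Set msg = app.CreateItem(0)\nmsg.To = chosen\nmsg.Send"
BENIGN_INSTALLER = "NormalTemplate.VBProject.VBComponents.Import path"  # legitimate, but a false alarm

if __name__ == "__main__":
    for label, code in [("known", KNOWN), ("variant", VARIANT),
                        ("mail merge", BENIGN_MERGE), ("installer", BENIGN_INSTALLER)]:
        print(f"{label:12} -> {classify(code)}  {heuristic_scan(code)}")
```

The variant escapes the signature but not the heuristic, while the benign installer fragment crosses the heuristic threshold, which is exactly the false-alarm trade-off described above.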

"It's time for the industry as a whole to look at different approaches," said Roger Thompson, technical director of malicious code research at ICSA, a for-profit trade group for computer security vendors. "The time-honored method of signature scanning is a little worn and weary given new viruses coming out."

Aladdin Knowledge Systems, which just added heuristics-based technology to its line of antivirus technology, claims it can snare 85 percent of the new viruses without many false alarms.

The recent Melissa virus showed that heuristics are not foolproof, as some viruses slip through the antivirus screen and must be fought with the traditional methods.

Melissa was a macro virus that spread quickly because it self-replicated, sending email from the infected machine to recipients in that user's address book. Melissa illustrates why macro viruses worry antivirus researchers.

"Melissa was trivial technically and important strategically," said ICSA's Thompson, mainly because it demonstrated the kinds of disruptions a computer virus can cause.

"Macro viruses are easy to create and easy to modify," said Carey Nachenberg, chief researcher at Symantec's antivirus research center. To combat viruses like Melissa, heuristics are a must, he said.

Macros are a simple programming language used to build templates in Lotus Notes or Microsoft Excel. Because of their simplicity, they can be used to create macro viruses, said Chris Christiansen, security analyst at International Data Corporation.

"There are rumored to be numerous automated applications that automatically generate macro viruses," said Christiansen, saying they are available on Web sites used by malicious hackers. "An unsophisticated user could write a macro virus or take a corporate macro and corrupt it, then replace a legitimate macro."

Today, antivirus researchers are closely watching another virus -- the Pretty Park virus, which is currently circulating in France -- that posts passwords and other identifying data to Internet chat sites. So far, it's a low-level alert because its self-replicating function apparently doesn't work.

Overall, a higher percentage of macro viruses could be caught, said Aladdin chief technology officer Shimon Gruper, at the cost of more false alarms.

"Not everything gets caught, so you still need a rule to catch it," said Susan Orbuch, spokeswoman for Trend Micro. "When there was a lot of fear about Melissa variants, we quickly put together some heuristics to combat it."