Evolving viruses threat to many platforms

The virus underground is focusing more attention on getting its programs to hide their tracks and to spread to multiple operating systems, say antivirus experts.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
4 min read
A new virus called Simile.D may not be much of a threat to computer systems, but some of its technical tricks could lead to a rethinking of the principles underlying antivirus software.

The program has code that not only works hard to hide the virus' presence, it also randomizes the program's size so as to make it harder to identify. On top of that, the fourth and latest variant of the virus can spread to both Windows and Linux computers, according to a recently released analysis.

"This is really pushing the boundaries on how to create cross-platform viruses," said Vincent Weafer, senior director of security response for antivirus-software maker Symantec.

The virus is hard-coded proof that a small segment of rogue programmers can create complex code that is still difficult for antivirus software to detect. If more viruses like Simile.D appear, it could leave antivirus companies with a tough trade-off.

With complex viruses such as Simile.D, antivirus software has to try multiple ways of identifying the code to get high recognition rates. And while that might leave PC users protected from such viruses, it would also bog down most computers. On the other hand, efforts to maintain performance may instead let stealthy programs through.

"It is getting us to think about different ways of handling the problems," said Jimmy Kuo, antivirus researcher and McAfee Fellow at security-software maker Network Associates. "What we are worried about is detection taking too long to be useful. If the viruses get so complicated that detection takes forever to detect the virus, than that will cause a problem."

That's more of a threat than Simile.D itself.

If loosed on the Internet, the virus could cause some problems for administrators because of its ability to jump from Windows to Linux and back again. But the virus doesn't do much harm. On Windows systems, it opens a dialog box with the author's name and the name of the virus, and it's programmed to do this only twice, on March 17 and Sept. 17. On infected Linux computers, the virus posts a message with similar content to the console, on March 17 and May 17.

Other attempts have been made to create a virus that infects both Windows and Linux, most notably the year-old Winux or Lindose virus. However, that virus failed to spread. While Simile.D spreads successfully to Linux machines, the risk is lessened by the fact that only systems running in so-called superuser mode can be fully infected. "Superuser" and "user" modes refer to the level of access a user has to a system and the programs on it.

"It is less effective in Linux, especially if the user is running in user mode," said Symantec's Weafer. "It's more likely to infect from a Linux system to a Windows system than the other way around."

Roger Thompson, technical director of malicious code research for security-information provider TruSecure, didn't think the Simile.D virus would be much to worry about, even with its cross-platform attack.

"It's going to be a Code Red and a Nimda--worms that use some new exploit--that are really going to spread," Thompson said.

Nimda, which struck last September, blended several different types of attacks--spreading by e-mail, JavaScript, shared network drives, and vulnerable Web servers--and poked holes in the defenses of many companies, even those with antivirus software.

Nimda, like Simile.D, showed antivirus vendors that the arms race between the virus writers and antivirus researchers is going full tilt.

Simile.D, also known as Etap.D, is an example of a "concept virus," a lab sample created by the virus underground and published for others to see. The major antivirus companies have already incorporated detection into their software, so Simile.D poses little threat to most users on the Internet who regularly download the latest definitions.

Yet, finding ways to detect it weren't easy.

Many antivirus programs detect viruses based on a "digital fingerprint" of the code. For example, the latest variant of the Klez worm, Klez.h, can be easily detected by current antivirus software based on its digital fingerprints.

However, with Simile.D's ability to change its characteristics like a chameleon, that's not possible.

For just such an eventuality, most antivirus programs also look for virus-like behavior and try various types of pattern-matching that are keyed to encryption routines designed to hide a virus, and to the way a virus piggybacks on other programs.

"What you end up doing is a combination of the above, and you look at the code itself," said Symantec's Weafer.

Such techniques are time consuming, however, leaving software makers looking for other ways to maintain system security: "signing" code with a digital signature from a trusted source; keeping a database of acceptable code on the system; and limiting user power on the computer to certain tasks that aren't subject to virus attacks.

But while Simile.D has renewed discussions between antivirus researchers over how best to keep viruses out of systems in the future, standard measures still work, said Network Associates' Kuo.

"We aren't there yet," Kuo said.