A key event in the IT sector’s calendar is the annual Virus Bulletin International Conference. The 2004 Conference was held last month in Chicago and, as Alex Shipp reports, provided some useful pointers for end users looking to update their anti-virus program provisions.
The Annual Virus Bulletin (VB) International Conference is a major event in the anti-virus calendar, offering the perfect opportunity for experts to share their research interests, discuss methods and technologies and set new standards (as well as meet with – and learn from – those who put their technologies into practice in the real world).
During September, MessageLabs intercepted 86 million e-mail-borne viruses, or one in every 21 e-mails scanned (33.27 per second), so it’s little wonder that computer viruses – and their prevention – remain such a hot topic for users in the business community.
In the past, the VB International Conference has focused solely on computer viruses and similar malicious code, and has always been divided into two streams – technical and commercial. For the first time, this year the event spilled over into a third day and covered topics relating to spam and anti-spam measures that companies can introduce.
Highlights of VB 2004
For those who didn’t have the chance to attend the Chicago Conference, here are some of the highlights. The event kicked off with an informative and humorous presentation on the history of viruses. Did you know, for example, that the humble computer virus celebrates its 21st birthday this month, and that the first documented virus was created by US student Fred Cohen as an experiment in computer security? You do now! This was followed by an analysis of mass-mailing virus lifecycles, which proved to be a massively popular topic.
Also up for discussion were Microsoft’s plans to ship a new scripting platform known as Microsoft Shell (MSH). This is based on .NET. Although similar to the current Command Interpreter (cmd.exe), it’s a far more powerful language. Unfortunately, it’s also easy to create malware by using it: it’s robust enough to allow the creation of both classic viruses and e-mail worms. Another MS interface for the virus writers to play with...
We were all warned not to underestimate the dangers of script viruses. Once a popular type of virus – think of the LoveBug and Anna Kournikova, which we’ve written about in SMT’s Secure IT section on many occasions – script viruses have faded into the shadow of other more fashionable virus languages like the currently dominant Windows 32 Executable. Yet while script viruses are currently in the doldrums, they have the potential to re-emerge once Microsoft’s new scripting language is made available.
How to beat spam filters
The first-ever anti-spam talk at the VB International Conference outlined the tricks used by spammers to beat spam filters. Using data captured on various honeypots (ie systems designed to attract spam for the purposes of studying the latest trends and refining spam filters), we were informed of how spammers’ tricks have developed over time.
One of the most interesting pieces of research at the Conference was presented by an industry expert who established that the average virus signature delay time has been reduced from 12 hours to ten during the past 12 months, which appears to be good news.
However, other new research suggests that if software vendors were able to reduce the window of vulnerability to three hours or less, mass-mailing viruses could virtually be eliminated. Seven hours may not seem like too wide a gulf, but MessageLabs intercepted more than 150,000 copies of the MyDoom.A worm within the first seven hours of the outbreak, demonstrating just how crucial a time period it really is.
It’s fair to say that the success of mass-mailing viruses is aided by the traditional signature-based approach to virus protection, mainly because it’s inherently reactive. The process that has to be instigated for every single new virus, worm or Trojan is labour intensive and (most significant of all) pretty time-consuming.
Each new piece of malware requires anti-virus vendors to develop and release a signature to identify and protect against it. Businesses then have to undergo automatic or manual virus updates. Even if a company is updating its anti-virus software every ten minutes, it can’t do so until the vendor in question releases a signature (and the reaction times vary wildly across the industry).
Security solutions haven’t evolved
The crux of the problem lies in the fact that security threats have evolved, but many of the solutions used to fight them have not. First generation anti-virus software relies upon much the same model as it did 20 years ago and, during that time, virus writers have become most effective at exploiting the window of vulnerability. They’re using increasingly sophisticated methods of rapid dissemination.
This latest analysis of anti-virus software vendor reaction times confirms that the gap between virus discovery and signature releases has a dramatic impact on the extent and longevity of an outbreak. With the industry average standing at ten hours, there’s obviously a great deal of work still to be done by the anti-virus software vendors.
For businesses in particular this sends out an extremely clear message. Any company that has not already implemented protection beyond anti-virus software at the desktop, server or gateway should seriously consider looking further afield. There are now services available that are capable of identifying and protecting against both known and unknown viruses, without the need for any signatures. By removing the necessity for updates, it’s then possible to greatly reduce the risk. A great message for the Board of Directors!
The Annual Virus Bulletin (VB) International Conference in 2005
Next year, the Annual Virus Bulletin (VB) International Conference will take place in Dublin from 5-7 October.
It’s a ‘must attend’ event for security experts and those with a responsibility for (or an interest in) corporate IT security. Reserve the date in your diary now!
Source
SMT
Postscript
Alex Shipp is senior anti-virus technologist at MessageLabs
The Annual Virus Bulletin (VB) International Conference 2004 ran from 29 September through to 1 October at The Fairmont Hotel, Chicago. For further information, Security Management Today’s readers should log on to the Internet at: www.virusbtn.com