Viruses Tag Along
Wednesday, 31 March 2004 16:32 EST
If there's one thing that anti-virus software makers fear—aside from a mass change of heart by the virus writers—it's the creation of a virus-delivery mechanism that evades detection by their signature-based products. Developing detection files for every new virus is the meat and potatoes of what anti-virus vendors do. Because each virus is unique, anti-virus products require a new signature to detect each one, even those that are merely variants of previous malware. Without the signature, anti-virus software is essentially blind: not only will it fail to stop the virus, it will not even be able to alert the user that a virus may have come through.
This nightmare scenario is, in fact, playing itself out right now. The latest round of Bagle variants—Bagle.Q, R, S and T—to hit the Internet employs a delivery technique that slips past gateway and desktop anti-virus protection, as well as firewalls and intrusion detection systems. Like most viruses, these variants spread via e-mail. However, they do not carry an attachment containing the actual viral code, which is the delivery mechanism of choice for most virus writers. Instead, the new wave of Bagle variants sends a blank e-mail to random recipients. Once the message is opened, or even viewed in the Outlook preview pane, Bagle exploits a flaw in Internet Explorer and automatically downloads the virus code from a remote server over TCP port 81.
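A defender's correlation check for the delivery pattern described above, added here as an illustration and not code from the article: it pairs blank e-mail deliveries with an outbound TCP/81 connection from the same workstation shortly afterwards, which is the shape of a successful Bagle.Q-T fetch. The log formats, hosts, addresses, the ten-minute window and the assumption that the mail log records which workstation retrieved each message are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs for this example; hosts, addresses and the
# key=value log layout are assumptions, not data from the article.
# The mail log is assumed to note which workstation retrieved each message.
MAIL_LOG = """\
2004-03-31T09:00:05 to=alice@corp.example retrieved_by=10.0.0.11 body_bytes=0 attachments=0
2004-03-31T09:01:10 to=bob@corp.example retrieved_by=10.0.0.12 body_bytes=2310 attachments=1
2004-03-31T09:02:00 to=carol@corp.example retrieved_by=10.0.0.13 body_bytes=0 attachments=0
"""
FIREWALL_LOG = """\
2004-03-31T09:00:41 src=10.0.0.11 dst=198.51.100.7 dport=81 proto=tcp action=allow
2004-03-31T09:01:30 src=10.0.0.12 dst=198.51.100.9 dport=80 proto=tcp action=allow
2004-03-31T09:30:00 src=10.0.0.13 dst=198.51.100.7 dport=81 proto=tcp action=allow
"""

def parse_kv(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def empty_mail_deliveries(mail_log):
    """Deliveries with no body and no attachment: the blank-lure shape."""
    return [f for f in map(parse_kv, mail_log.splitlines())
            if f["body_bytes"] == "0" and f["attachments"] == "0"]

def correlate(mail_log, fw_log, window_minutes=10):
    """Return one alert per blank delivery followed, within the window, by an
    outbound TCP/81 connection from the workstation that retrieved it."""
    port81 = [f for f in map(parse_kv, fw_log.splitlines())
              if f["proto"] == "tcp" and f["dport"] == "81"]
    window = timedelta(minutes=window_minutes)
    alerts = []
    for mail in empty_mail_deliveries(mail_log):
        for conn in port81:
            if (conn["src"] == mail["retrieved_by"]
                    and mail["ts"] <= conn["ts"] <= mail["ts"] + window):
                alerts.append({"host": conn["src"], "recipient": mail["to"],
                               "remote": conn["dst"],
                               "delay_s": int((conn["ts"] - mail["ts"]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for a in correlate(MAIL_LOG, FIREWALL_LOG):
        print(f"ALERT host={a['host']} ({a['recipient']}) fetched from "
              f"{a['remote']}:81 {a['delay_s']}s after a blank e-mail")
```

With the sample data only the first workstation is flagged; the third host's port-81 connection falls outside the window and is left for a broader outbound-port-81 rule to catch.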