Lawmakers slam anti-virus biz
Kevin Poulsen, SecurityFocus 2000-05-10

Love Letter worm was an "utter, abject failure" of industry, says one Congressman. Industry blames liberal judges.

Criticism of AV industry and Microsoft are both justified 2000-05-17
Anonymous
I used to work in the Anti-Virus industry (for about six years) and when Microsoft brought out the VBScript and Scripting Host concepts I could see both the good and bad sides...

'ILuvYou', and other VBScript 'viruses' that are currently circulating, are only the tip of the iceberg. The threat of VBScript-based viruses/worms is that introduction of polymorphism to the virus code will render (dare I say ALL?) current concepts in "anti-virus" software redundant.

As the virus/worm is in text form, and interpreted by the Scripting Host so as to become active, the use of conventional virus-scanning techniques will NOT work as they rely on "tried-and-true" methods such as search strings...

For example, consider the following VBScript code snippet which is contained in a current virus:

    dim octa
    dim octb
    dim octc
    dim octd

Now consider this snippet - in which one variable name has been changed throughout the virus text file:

    dim octa
    dim octb
    dim octc
    dim octe

According to my tests on a number of current AV products (and their latest virus-signature files) the first file is detected but the second one is not...

Would the AV industry therefore identify the second file as a variant? Or a new virus?

But what if the virus included a simple polymorphism routine that changes the names of all the "variables" within the virus/worm script during the replication procedure... The above code snippet could become

    dim V09GH
    dim AAB09
    dim HD3ED
    dim QJ832

And each time the virus spreads its text will be different even though its functionality will be exactly the same. How will the anti-virus software fare? It will fail on all counts!!!

Anti-Virus companies have been warned - they were warned last year with Melissa, they were warned this year with "ILuvYou" and its variants.

The AV companies need to re-develop their technology to cater for this style of virus/worm OR Microsoft will need to re-engineer all their software to be less virus/worm friendly and possibly remove the presence of all forms of "scripting hosts" from all versions of Windows.


Link to this comment: http://www.securityfocus.com/comments/articles/32/1938#1938
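The renaming problem described in the comment above can be countered on the detection side by fingerprinting a normalized form of the script instead of its raw text. The following is an added example, not part of the original comment and not any AV product's code; the names `normalize`, `fingerprint` and `KEYWORDS` are hypothetical, the keyword list is a small subset, and the sample scripts are constructed from the comment's `dim` lines plus harmless filler.

```python
import hashlib
import re

# Assumption: a small subset of VBScript reserved words, enough for this demo.
KEYWORDS = {"dim", "set", "if", "then", "else", "end", "for", "next", "to",
            "sub", "function", "and", "or", "not", "on", "error", "resume"}

# Token classes: string literal ("" escapes a quote), ' comment, identifier, rest.
TOKEN = re.compile(r'''
    (?P<string>"(?:[^"\n]|"")*")
  | (?P<comment>'[^\n]*)
  | (?P<ident>[A-Za-z][A-Za-z0-9_]*)
  | (?P<other>\d+|.)
''', re.VERBOSE | re.DOTALL)

def normalize(source: str) -> str:
    """Drop comments and layout; replace each non-keyword identifier with
    ID<n>, numbered by first appearance (VBScript names are case-insensitive)."""
    names, out = {}, []
    for m in TOKEN.finditer(source):
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind == "ident":
            low = text.lower()
            out.append(low if low in KEYWORDS
                       else names.setdefault(low, f"ID{len(names)}"))
        elif not text.isspace():
            out.append(text)  # string literals and operators are kept verbatim
    return " ".join(out)

def fingerprint(source: str) -> str:
    """SHA-256 over the normalized token stream."""
    return hashlib.sha256(normalize(source).encode()).hexdigest()

# Constructed samples: same logic, every variable renamed in the second one.
ORIGINAL = ("dim octa\ndim octb\ndim octc\ndim octd\n"
            "octd = octa + octb ' filler comment\n"
            'label = "octa inside a string stays"\n')
RENAMED = ("Dim V09GH\nDim AAB09\nDim HD3ED\nDim QJ832\n"
           "QJ832 = v09gh + AAB09\n"
           'label = "octa inside a string stays"\n')

if __name__ == "__main__":
    print(normalize(ORIGINAL))
    print(fingerprint(ORIGINAL) == fingerprint(RENAMED))
```

Normalization of this kind only cancels identifier renaming, comment changes and layout changes; a script that reorders or rewrites its statements produces a different token stream and a different fingerprint.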







 
