Companies put a lot of faith in their antivirus software. But is that software becoming an increasing target for virus and worm writers?
Recently, several viruses and worms have targeted antivirus software and other security features. For example, Goner, Gokar and ZaCker have payloads that try to disable antivirus protection from vendors like McAfee, Norton and others. They also have tried to shut off firewalls like ZoneAlarm.
However, targeting antivirus software is not a recipe for success for a malicious code writer, according to security experts. Viruses that turn off antivirus software are pretty visible, because the user sees that the product isn't working. Once the attack is known, it's just a matter of hours before software vendors have a fix ready.
"Most don't necessarily target antivirus software, but their goal is finding a way to disable it," said Vincent Gulloto, senior director for McAfee's Antivirus Emergency Response Team (AVERT).
Those viruses are designed to get around or trick antivirus software by using specific stealth techniques that allow the malicious code to remain hidden, said David Perry, Trend Micro's global director of education. They make it difficult for antivirus software to see the code, for example by steering scanners away from the infected areas.
Other viruses use polymorphism, where 40 or 50 copies of the code in different forms are sent. Such an onslaught makes it harder to remove the virus from a system. Other viruses use mutation and scramble themselves every time they infect a new system, Perry said.
Strategies to prevent antivirus virus attacks
Perhaps the first line of defense against viruses that may target antivirus software is keeping signature files updated, said Peter Lindstrom, director of security strategies for Framingham, Mass.-based Hurwitz Group. "The quicker a file gets updated, the better off you are," he said.
For extra security, some users install two or three different antivirus packages, Gulloto said. Installing different software on the same machine usually isn't possible, as different packages may conflict with each other, he said. But different packages can be used at various points of entry. For example, some users install one kind of antivirus software on the gateway, one on the Notes or Exchange server and then another on the file server.
Such a strategy could cause more problems than the added protection is worth. For example, there is the added work of maintaining and updating three different packages.
"But when something does happen, there would be a lot of finger pointing," said Chris Wraight, technical director with Sophos. "With software from one vendor, you have just one company to turn to for assistance."
Users could add another layer of defense with an application layer security product, Lindstrom suggested. As opposed to looking for certain signatures of a virus, such products monitor the behavior of applications for suspicious activity.
One such product is Okena's StormWatch. StormWatch monitors system calls, and when it detects that an application is acting strangely, it tells the user about it, said Tom Turner, director of marketing for Waltham, Mass.-based Okena. In essence, the product stops the damaging effect of a virus, such as writing to a protected section. In a networked environment, the product can stop users from opening an infected e-mail message.