Virus toolkits are s'kiddie menace

Industry split on best defence


Much has been made of the developer's decision to pull the toolkit behind the Anna Kornikova virus - but anti-virus experts have warned that many such toolkits are readily available and just as easy to use by would-be vandals.

Last week the creator of [K]Alamar's Vbs Worms Creator, the toolkit used to create the Kornikova virus, pulled it from virus-creation Web sites, reportedly after pressure from friends appalled at the harm inflicted by Anna.

But there are many more toolkits capable of generating malicious code.

Anti-virus firms reckon that most viruses are developed using widely available toolkits. But there is widespread disagreement about (a) the number of toolkits available to the public, and (b) the best approach to deal with the potential threat.

According to Jack Clark, European product manager at Network Associates, there are perhaps 100 virus creation toolkits, though some are not particularly popular and so fail to grab the attention of anti-virus vendors.

Virus creation toolkits first came to prominence with the emergence of macro viruses, and now toolkits to produce worms, boot sector viruses and file viruses are all within easy reach, Clark says.

"The Anna Kornikova virus was the first time a virus created from a toolkit has spread so rapidly but there will be more," he predicts. While awareness of security issues has been raised by the publicity surrounding the Anna bug, 'script kiddies' may be encouraged to experiment with virus writing, he says.

Neil Barrett, technical director at Information Risk Management, confirms that no particular skill is needed to use virus-creation toolkits.

"It's trivial to use these toolkits. If you can use a point and click Windows-style interface and drive a web browser then it's simplicity itself to produce some surprisingly sophisticated viruses," he says.

IRM uses virus toolkits to create Trojans which are then used to check the security of its clients' networks.

The toolkits may have some legitimate uses, but in the vast majority of cases they are used to create malicious code, and the antivirus industry is split on the right approach to take in defending against the problem.

Network Associates' Clark says the right approach is to include generic detection within anti-virus software, so that any virus produced with a particular toolkit will be automatically detected. Lack of generic detection means users of products from, for example, rival Sophos, have to update their protection each time a new variant of a virus comes out.

According to Graham Cluley, senior technology consultant for Sophos, the inclusion of generic detection in antivirus software can trigger false alarms; for this reason Sophos prefers to temper its use of generic detection, or heuristics, in its products.

The more important lesson to learn from virus outbreaks such as the Anna Kornikova virus and the Love Bug is that firms should consider blocking visual basic scripting and files with double extensions, both tricks used in the Anna bug, Cluley advises.
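A mail-gateway attachment check of the kind Cluley describes, added here as an illustration and not taken from the article or from any vendor's product; the extension lists and the sample attachment names are assumptions constructed for the example. It blocks script and executable attachments outright, blocks the double-extension disguise (a script hiding behind a harmless-looking inner extension), and quarantines other unexpected double extensions for review while letting ordinary ones such as `.tar.gz` through.

```python
import re
from dataclasses import dataclass

# Assumed policy lists: what Windows Script Host / the shell runs directly, and
# harmless-looking extensions typically used as the "cover" half of a double extension.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}

@dataclass(frozen=True)
class Verdict:
    filename: str
    action: str   # "allow", "block" or "quarantine"
    reason: str

def extension_chain(filename):
    """Lower-cased extension chain of a filename: 'a.jpg.vbs' -> ['jpg', 'vbs']."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Strip padding whitespace ('photo.jpg        .vbs') meant to push the real
    # extension out of view in a narrow mail-client attachment column.
    name = re.sub(r"\s+", "", name)
    return [p.lower() for p in name.split(".")[1:] if p]

def check_attachment(filename):
    exts = extension_chain(filename)
    if not exts:
        return Verdict(filename, "allow", "no extension")
    last = exts[-1]
    if last in SCRIPT_EXTENSIONS or last in EXECUTABLE_EXTENSIONS:
        kind = "script" if last in SCRIPT_EXTENSIONS else "executable"
        if len(exts) > 1:   # the double-extension trick: 'photo.jpg.vbs'
            return Verdict(filename, "block", f".{exts[-2]}.{last} disguises a {kind}")
        return Verdict(filename, "block", f"{kind} attachment .{last}")
    if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
        # 'scan.jpg.zip' is not executable itself, but the pattern deserves a human look;
        # 'backup.tar.gz' does not match and is allowed through.
        return Verdict(filename, "quarantine", f"unexpected double extension .{exts[-2]}.{last}")
    return Verdict(filename, "allow", f"extension .{last} permitted")

# Constructed sample attachment names (not taken from any real message).
SAMPLE_ATTACHMENTS = ["holiday-photo.jpg.vbs", "invoice.pdf", "readme.txt           .exe",
                      "backup.tar.gz", "scan.jpg.zip", "RUN_ME.VBS"]

if __name__ == "__main__":
    for v in map(check_attachment, SAMPLE_ATTACHMENTS):
        print(f"{v.action:10} {v.filename!r}: {v.reason}")
```

Note that Windows' default "hide extensions for known file types" setting is what makes the disguise work on the desktop, so the gateway check matters precisely because the user may never see the trailing `.vbs`.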

So toolkits are a problem. Why, then, can't security firms exert pressure on ISPs to stop hosting them, in the same way they pull sites containing offensive porn?

Or maybe security firms are secretly happy to allow virus creation to flourish - after all, toolkits keep anti-virus firms in the spotlight and help them sell their software to frightened punters.

NAI's Clark denies this, saying the company lacks the clout to exert pressure on ISPs to pull virus toolkits; besides, toolkits could easily be spread via newsgroups.

"We're not the Mafia and we don't have the ability to get ISPs to pull virus creation kits from Web sites," Clark says. "It's not as if we can tell them if they don't act they'll wake up with the head of a Trojan horse in their bed." ®

External links

"Confession" by Anna bug author

Related stories

Anna Kournikova bug drops harmlessly onto the Net
Anna Kournikova virus spreading like wildfire
Users haven't learned any lessons from the Love Bug
Which country has the most virus infected PCs?
PC World virus scans offer no real protection
Anna-bug author OnTheFly 'fesses up
