When the Storm Worm swept through the internet in mid-January, the program's writers took a brute force approach to evading anti-virus defenses: They created a massive number of slightly different copies of the program and released them all at the same time.

On 18 January, the day the misnamed program - a Trojan horse, not a worm - first appeared, more than 350 different variants were released, according to a report penned by security firm CommTouch Software. Four days later, the number of slightly-different versions jumped to more than 7,300. By the end of January, more than 54,000 variants had hit the internet, the report (PDF) stated, each one spammed out by computers previously compromised by the program.

"Virus writers' goals have changed," CommTouch CEO Amir Lev said in an email interview with SecurityFocus. "They are doing 'good' business now. They do not focus on finding vulnerabilities in Microsoft and other products, they look for 'vulnerabilities' (in) the AV (anti-virus) systems."

The technique is effective. While anti-virus program's pattern recognition algorithms, frequently referred to as heuristics, may have stopped a large fraction of the variants, creating signatures to catch all the versions takes time. Response to a new variant - including developing, testing and distributing a signatures - takes hours at a minimum. Responding to thousands can take much longer.

During a January interview, one McAfee researcher underscored the headaches caused by the Storm Worm.

"Every day, it has been a new set of subject lines and new tactics to get people to open these," Allysa Myers, virus research engineer for security software maker McAfee, said in an interview with SecurityFocus. "They have had mass seedings of new variants every day this week."

The program highlights a number of changes in the techniques used by criminal internet groups. The Storm Worm spreads in fairly large, but controlled, bursts of email through previously compromised computers. Each burst typically sends out a custom variant, trying to infect systems before the user updates their anti-virus definitions. The program compromises systems by luring users into opening the attachments of messages with subject lines regarding current news events, including violent storms in Europe - a characteristic that led to the program's naming.

While some other programs have used a similar tactics, the Storm Worm's focus on propagation through sheer permutation carries the trend to a new level. The technique exploits a weakness, not in the software, but in the system. Analysing malicious code requires, for the most part, human researchers, and the coders hope to overwhelm the human component long enough to compromise as many systems as needed.

"Signatures are still needed, but the amount of malware that is being produced and the speed with which it changes means that you need a lot of researchers," said Alex Shipp, a researcher for email security provider MessageLabs.

Other firms have witnessed the trend first hand. In 2006, anti-virus firm Kaspersky Lab added 80,000 virus-pattern records to its product, roughly doubling the number added in 2005, said Eugene Kaspersky, the co-founder and head of research and development for the anti-virus firm.

"This is a competition where the anti-virus companies, I fear, are not in a good position," Kaspersky said.

The Storm Worm is all about creating massive networks of compromised computers that can be controlled by a single group or individual. The networks, known as bot nets, don't need to be large to be useful. A bot net of several thousand computers is more than enough to mount a severe denial-of-service attack or send out a digital deluge of stock spam - common uses for the networks - and, of course, send out more copies of the Trojan horse (this aspect of the Storm Worm is the subject of the first part of this two-part series).

"The guys are very aggressive with the variants, and that has defeated the more simplistic AV engines out there," Arbor Networks senior security researcher Jose Nazario said.

The Storm Worm is likely responsible for creating a bot net that contains more than 20,000 computers and perhaps as many as 100,000, Nazario said. Other evidence appears to indicate that there is more than one Storm Worm-related bot net.

The spread of the Storm Worm has forced anti-virus firms to create better defenses to automatically block such threats, rather than depend on simple heuristics or signatures.

Unlike previous malicious code, such as mass-mailing computer viruses, the Storm Worm is not a program that spreads aggressively on its own. Rather, the Trojan horse awaits orders from a central command post to send out the next round of variants. The control has made the program, if not stealthy, then more difficult to stop. The bursts of new variants make a quick response even more important, and the fact that the variants do not exploit a single vulnerability, but users' trust, make them more difficult to stop.

"Vulnerability-based exploits only require a single, or at most a few, signatures," said Vince Hwang, group product manager for security response at Symantec, the owner of SecurityFocus. "The ones that rely on user interaction are definitely a challenge. It is all social engineering."

Other attacks, known as targeted Trojan horses, exploit a related issue to dodge antivirus defenses. By sending out malicious code to an extremely small number of victims - often fewer than 10 specific individuals - the malicious software attempts to sneak under defenders' radar. Underscoring the less-is-more tactic, programs - such as the Storm Worm and targeted Trojan horses - have not made the monthly top-10 lists of security firms' most pervasive threats. On MessageLabs latest top-10 list, for example, Netsky, MyDoom, and Bagle - viruses that are almost two years old - command six of the 10 slots.

For both variant-heavy threats such as the Storm Worm and sneaky targeted Trojan horses, blocking the threat immediately requires technology that does not need to know about the attack, or its pattern, beforehand. And self-propagation, the hallmark of computer viruses, is no longer an adequate indicator of bad behaviour.

"For over a year now, viruses are not viruses," said CommTouch's Lev. "There are no more epidemics. Instead, they (spammers) use bot nets to send spam and then more malware."

Perhaps the most significant technology under development at various anti-virus firms is typically referred to as behaviour blocking. The technique identifies malicious programs by what actions they take, not by the code that makes them up.

The defense is actually a blast from the past. Anti-virus firms and early developers played with the approach more than a decade ago. Gatekeeper for the Mac, created by Chris Johnson in the early 1990s, detected malicious code by noting suspicious actions. Personal firewalls attempt to block malicious programs from communicating out to the internet.

Several anti-virus firms - including Sophos, F-Secure and Grisoft - are building next-generation behaviour analysis into their products. The modern technique creates a virtual sandbox for any program run on the system and monitors the behavior of the program until a determination can be made of whether the code is malicious or benign.

"If you are seeing something that is obviously poking its head into things that it shouldn't be, then we can shut it down," said Larry Bridwell, vice president of communications for anti-virus firm Grisoft.

Unlike the simple techniques in the past that generally decided whether a program was malicious based on a single action, the latest techniques allow a program to run longer, reducing false alarms.

"What did it take for behavioural analysis to work?" said Bridwell. "Big processors, big memory and big bandwidth. And we didn't have that before."

While viruses make up a smaller portion of threats each year - about 10 per cent of what Grisoft sees are viruses, said Bridwell - don't expect the term "anti-virus" to go away. Grisoft attempted to sell a product as anti-malware and consumers panned it on the name alone.

"To some analysts, some press and every user, it doesn't matter what the program does, it's anti-virus," Bridwell said.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

Related stories

• Storm Worm turns one (18 January 2008)

  https://www.theregister.com/2008/01/18/storm_worm_botnet/

• Mac lambs line up for slaughter (16 January 2008)

  https://www.theregister.com/2008/01/16/mac_malware_concern/

• New Year's Eve greetings disguise Storm Worm attacks (27 December 2007)

  https://www.theregister.com/2007/12/27/storm_worm_seasonal_attacks/

• Storm Worm retaliates against security researchers (25 October 2007)

  https://www.theregister.com/2007/10/25/storm_worm_backlash/

• The balkanization of Storm Worm botnets (15 October 2007)

  https://www.theregister.com/2007/10/15/storm_trojan_balkanization/

• Guessing at compromised host numbers (25 September 2007)

  https://www.theregister.com/2007/09/25/microsoft_malicious_software_removal_tool/

• Storm Worm linked to spam surge (14 September 2007)

  https://www.theregister.com/2007/09/14/storm_worm_analysis/

• Storm Worm descends on Blogger.com (29 August 2007)

  https://www.theregister.com/2007/08/29/storm_hits_blogger/

• VXers rain on YouTube's parade (29 August 2007)

  https://www.theregister.com/2007/08/29/storm_worm_latest/

• Storm Worm of a thousand faces (21 August 2007)

  https://www.theregister.com/2007/08/21/mutating_storm_worm/

• Storm worm authors switch tactics (20 August 2007)

  https://www.theregister.com/2007/08/20/storm_vxers_refine_tactics/

• Universities warned of Storm Worm attacks (17 August 2007)

  https://www.theregister.com/2007/08/17/storm_worm_attacks/

• Fake e-cards signal massive DDoS attack (7 August 2007)

  https://www.theregister.com/2007/08/07/storm_worm_spike/

• Destroying sandboxes (16 July 2007)

  https://www.theregister.com/2007/07/16/sandbox_malware/

• Storm Trojan feeds on Independence Day (4 July 2007)

  https://www.theregister.com/2007/07/04/july_4_storm_trojan/

• Rival malware gangs wage turf war (1 July 2007)

  https://www.theregister.com/2007/07/01/malware_gang_war/

• Unwanted e-card conceals a Storm (29 June 2007)

  https://www.theregister.com/2007/06/29/ecard_storm_trojan/

• MBO splits Star and MessageLabs (12 June 2007)

  https://www.theregister.com/2007/06/12/star_mbo/

• MS anti-Trojan shield fails to protect older Offices (6 June 2007)

  https://www.theregister.com/2007/06/06/ms_anti-trojan_defence/

• PC Tools snags behaviour protection tech (31 May 2007)

  https://www.theregister.com/2007/05/31/pc_tools_novatix/

• VXers push small coc Trojan on unwilling world (2 May 2007)

  https://www.theregister.com/2007/05/02/small_trojan/

• Marshal aims to secure laptop content (30 April 2007)

  https://www.theregister.com/2007/04/30/marshal_pc_content_sec/

• Arc completes MBO (21 March 2007)

  https://www.theregister.com/2007/03/21/arc_mbo_dukes/

• Microsoft's search excels in spreading malware (20 March 2007)

  https://www.theregister.com/2007/03/20/windows_live_malware/

• China displaces Britain as botnet epicentre (19 March 2007)

  https://www.theregister.com/2007/03/19/symantec_threat_report/

• Symantec buys compliance firm (9 March 2007)

  https://www.theregister.com/2007/03/09/symantec_buys_british/

• Solaris offers fix for zero-day vuln (1 March 2007)

  https://www.theregister.com/2007/03/01/solaris_security_worm/

• Imperfect Storm aids spammers (19 February 2007)

  https://www.theregister.com/2007/02/19/storm_worm_stockpatrol/

• Anatomy sheds new light on Storm Worm (9 February 2007)

  https://www.theregister.com/2007/02/09/storm_worm_anatomy/

• Net security from one of the fathers of the biz (22 January 2007)

  https://www.theregister.com/2007/01/22/bill_cheswick_interview/

• Social sites' insecurity increasingly worrisome (5 December 2006)

  https://www.theregister.com/2006/12/05/social_sites_vulnerable/

• Bot spreads through anti-virus, Windows flaws (29 November 2006)

  https://www.theregister.com/2006/11/29/bot_antivirus_windows_flaws/