Information Security News mailing list archives

Analysts: Costly "Love" virus underscores security flaws


From: William Knowles <wk () C4I ORG>
Date: Thu, 4 May 2000 15:47:06 -0500

http://news.cnet.com/news/0-1003-200-1814907.html?tag=st.ne.1002.tgif.1003-200-1814907

By Paul Festa and Joe Wilcox
Staff Writers, CNET News.com
May 4, 2000, 1:10 p.m. PT

A new virus sweeping through computer systems today will likely be the
most costly yet and could put new pressure on software companies to
address code-writing techniques that have led to persistent security
problems, analysts said.

The virus, dubbed "I Love You," has already affected thousands of
corporate sites, according to security firm Symantec, some of which
were forced to shut down their email systems in an effort to choke it
off.

A partial list of those affected by the virus, as confirmed by CNET
News.com, includes Silicon Graphics, the Department of Defense,
DaimlerChrysler, The Motion Picture Association of America, the
Federal Reserve and Cox Cable.

The cost of lost business for such defensive actions alone could far
outstrip costs attributed to previous attacks by viruses such as
Melissa, which rang up a stinging $80 million price tag. Unlike
Melissa, the I Love You virus has the ability to destroy data, which
could drive potential costs considerably higher. The virus wipes out
certain pictures and music files.

"In terms of spreadability, this will outrank everything we've seen so
far," said Vincent Weafer, director of Symantec's AntiVirus Research
Center (SARC). "Just based on initial reports of infections and
potential infections, we're talking thousands of corporations around
the world."

Mike Wittig, chief technology officer of firewall maker CyberGuard,
would not estimate how much the outbreak could cost corporations. But
given that the virus has shut down major organizations and potentially
"10,000 companies or more are infected," billions of dollars in
damages "would not be an unreasonable estimate," he said.

Analysts and victims of the virus say the parallels with Melissa
extend largely to the mechanics of transmission and the silencing of
some email systems. Beyond that, today's worm is leaving Melissa in
the dust.

"This one is not that different from Melissa, and it spread
outrageously fast," said Michael Zboray, chief technology officer for
market researcher Gartner Group. As with Melissa, many companies'
first response was to shut down email systems, paralyzing operations.

"In any kind of communications-intensive company, email is the de
facto standard for communicating inside and outside the company,"
Zboray said.

He would not estimate potential damages other than to say they would
be in the billions of dollars.

Others agreed that I Love You has the ability to leave greater
destruction in its wake than did earlier viruses.

"This is going to be expensive to clean up in two areas," said
security consultant Richard Smith. "It's going to be a big mess for
companies to clean up their mail servers, and that's going to be much
like the Melissa cleanup. But there is also file deletion, so if you
are a Webmaster with files on your hard drive, there's the possibility
of lost work here."

Gartner Group estimates that in general, 40 percent of email messages
coming into businesses have "dirty" attachments.

"Many of these are merely irritating but benign infections," Zboray
said. "You literally have to view your business as an island that you
are defending, because the outside world is dirty, and it's not going
to (get) clean."

Pointing fingers at programmers

Some analysts said the I Love You
attack points to deep security problems. They noted that the virus
takes advantage of well-known exploits involving Visual Basic script
files, which end in the extension ".vbs." Visual Basic is a high-level
programming language developed by Microsoft that is graphically
oriented.

Most Web administrators should know better than to run ".vbs"
attachments from unknown sources, Smith said. But through shared
drives on a network, a misstep by one person could infect an entire
organization and fuel the spread exponentially.

"If you're in an organization you can also mount drives that are on
your servers," Smith explained. "In my old organization, we used to
mount two or three server drives on an individual computer; Drive 'F,'
for instance, on everyone's computer would be a particular drive
attached to a server. So if someone in the organization runs the
virus, it could infect files on Drive F. If someone else tries to run
those files, it could further spread the virus."

Zboray harshly criticized Microsoft for releasing a programming
language with the "wrong security posture" to businesses and the
public. "Visual Basic script and the macros are proving to be a
disaster. This is just happening over and over again. We have to get
away from this hostile active content that is coming in through Word
documents, Excel spreadsheets and the browser.

"You can say a lot of things (about) how Java's not good, and you can
say JavaScript has a lot of flaws," Zboray said. "But the security
posture from which they were designed was the right posture. The
security posture from which ActiveX and VBScript were designed is the
wrong posture."

For its part, Microsoft attributes the ongoing security issues not so
much to inherent problems with Visual Basic script and its macro
language, but to bad people misusing good software.

"We include scripting technologies because our customers ask us to put
them there, and they allow the development of business-critical
productivity applications that millions of our customers use," a
Microsoft representative said. "Obviously, the technology can be
misused by human motivation, and that's why we provide the security
features for the customers to judge when the programs should be run or
not."

The Microsoft representative said that since last night, the software
maker had been working with major virus makers to combat the problem,
and that by this morning, most companies had updated their virus
definitions to detect the bug.

Microsoft is recommending as a first line of defense deleting email
messages with the "I Love You" subject line. Long term, the Redmond,
Wash.-based software maker also recommends that corporations
reevaluate their email practices and always keep antivirus signature
files up to date.

Companies also must educate employees "not to run a program from an
origin you don't trust," the Microsoft representative said.

If there is a lesson to be learned from the outbreak and the speed at
which the virus spread, it is how unprepared companies are--even those
that added extra measures after the Melissa attacks, analysts said.

"The only thing that works is to have centralized management of the
virus systems on people's desktops," Zboray said. "We have an
established record now; this is the only feasible recovery plan. You
count on the virus vendor to update the signature fast...but only
centralized management ensures you can update quickly and
effectively."

CyberGuard's Wittig said many companies can minimize attacks by using
tools they already have.

"Many companies don't enable the email scanning features that are
available in a lot of today's firewalls, either because of awareness,
complexity or performance reasons," he said. "Adding virus scanning
has a performance impact on your network."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
