Antivirus Vendors Gear Up For Next-Generation Infections

In response, Trend Micro plans to announce the expansion of Trend Micro Enterprise Protection Strategy, designed to assist in the management of outbreaks across multiple points of the corporate network. The products and services are designed to help IT managers block viruses, remediate outbreaks, coordinate security policies across multiple devices, platforms and systems in different geographic locations, and determine the effectiveness of current security investments and procedures.

"What we have done is we have asked ourselves what people have been asking for years: what can we do before the outbreak?" said Bob Hansmann, director of product marketing for Trend Micro.

The service is designed to take the focus away from simply distributing virus signatures to help enterprises detect and block viruses. More complicated threats, such as the Nimda worm and CodeRed, can spread before any virus vendor can distribute signature files. Instead, the service is designed to provide more information and policy controls to contain damage in the initial stages of an outbreak, and more tools to clean and disinfect resources to prevent further reinfection, Trend Micro said.

Prior to 2001, viruses like LoveLetter hit, and then were quickly stopped and cleaned, Trend Micro said. LoveLetter was one of the fastest-spreading viruses seen to date: it reached its height of activity five days from initial launch, and was nearly gone a month later. Today, viruses hang on; certain variants of Nimda are almost as virulent today as when they were released two years ago. And CodeRed infections seem to be increasing, even as the incidence of major outbreaks seems to decline. Two- or three-year-old viruses routinely reappear and reinfect enterprises.


Internet-borne viruses have gone from simple macro viruses, to e-mail spread viruses, to viruses like Code Red and Nimda, which spread over HTTP and other Internet protocols. Users can re-introduce viruses to a network after the network has been infected. For instance, Windows 2000 shipped by default with the Internet Information Server Web server activated; a user could unplug a clean notebook computer from a clean corporate network, connect to a network infected with Code Red or Nimda, pick up the infection, and then re-introduce the virus back to the corporate network when the user returned to the office, Hansmann said.

HTTP and Trivial FTP (TFTP) are the new channels of choice for viruses, with instant messaging emerging as a popular channel. For example, the Rodok worm sends instant messages. Users get what appears to be an instant message from a friend, pointing them to a Web site. Once the user goes to the Web site, code is automatically downloaded to infect the user's system.

The net result: viruses are moving faster, and enterprises have to move faster to stop them.

Vincent Weafer, senior director at Symantec Security Response, agreed. Even e-mail viruses are getting more sophisticated; where in the past they were dependent on Microsoft Outlook to spread, many of the top viruses of 2002, such as Klez and Bugbear, carried their own e-mail engine. Instead of searching the Windows address book for addresses, they search cache memory and temporary directories for e-mail addresses. Viruses are using intentionally malformed MIME to get around scanner detection, and are trying to disable scanners.

Network shares are another emerging channel for viruses. "Typically, in a corporate environment, you have a hardened exterior, with firewalls against the Internet, but inside you have a soft, open environment," Weafer said. Users open up their disk drives to share printers and other network resources, and even at home, users open network shares for filesharing.

Viruses are also moving beyond traditional destruction and vandalism of information. Sircam and Bugbear attempted to steal password information, or drop in a back door trojan to allow attackers to take control of the machine, Weafer said.

Trend Micro is now providing attack-specific cleanup templates to help isolate and rid desktops and servers of virus remains such as hidden guest accounts, registry entries and memory-resident payloads. The templates are part of the services provided through the Trend Micro Damage Cleanup Services, available as standalone server-based software or as a feature in OfficeScan and ServerProtect, Trend Micro's centrally managed antivirus products for corporate desktops and file servers.

Trend Micro Control Manager 2.5 provides centralized management and enterprise-wide coordination for Trend Micro antivirus and content security products and services. It provides a comprehensive view of outbreak activity and acts as central command center to deploy outbreak prevention policies and, later, pattern files across the network. New reporting capabilities are designed to help administrators consolidate information on virus events or unusual activity and create graphical reports for analysis and monitoring.

New enhancements to Trend Micro Control Manager allow enterprises to deploy Outbreak Prevention Policies as soon as they become available.

Policies are key to stopping virus outbreaks early on, even before the development of signature files, Trend Micro said. For instance, if an e-mail virus surfaces with a characteristic subject line, e-mail software can be set to block messages with that subject line. If a worm appears that carries itself over a particular Internet service, network firewalls can be set to block that service -- inconveniencing users, but doing far less damage than an outbreak through those services.
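An added illustration of the policy approach described above, and of the malformed-MIME evasion Weafer mentions earlier (example code written for this page, not Trend Micro's software or anything from the article): a small Python check that evaluates inbound mail against an outbreak policy. The blocked subject lines and the sample messages are constructed for the example; in practice the indicators would come from a vendor advisory. The check goes one step beyond the article's description by normalizing the decoded Subject header, so an RFC 2047 encoded or folded variant of a blocked subject matches the same rule, and by quarantining messages whose MIME structure is defective instead of passing them on to a scanner that might skip them.

```python
"""Outbreak-prevention check for inbound e-mail (constructed example)."""
import base64
import re
import unicodedata
from email import message_from_bytes, policy

# Hypothetical outbreak indicators: normalized subject lines an advisory told us
# to block. These values are constructed for the example, not from a real advisory.
BLOCKED_SUBJECTS = frozenset({
    "important account notice",
    "re: your document",
})


def normalize_subject(subject):
    """Canonicalize a decoded Subject so cosmetic variants hit the same rule.

    NFKC folds look-alike code points, whitespace runs collapse to one space
    (header folding leaves CRLF-plus-indent behind), and casefold() handles case.
    """
    text = unicodedata.normalize("NFKC", subject or "")
    text = re.sub(r"\s+", " ", text).strip()
    return text.casefold()


def evaluate(raw, blocked_subjects=BLOCKED_SUBJECTS):
    """Return (verdict, reason) for one raw RFC 5322 message.

    Verdicts: "quarantine" for structurally malformed MIME, "block" for a
    subject-line policy hit, "allow" otherwise.
    """
    msg = message_from_bytes(raw, policy=policy.default)

    # The parser records structural defects instead of raising. A message that
    # claims to be multipart but carries no boundary is the kind of deliberately
    # malformed MIME a content scanner may skip, so the policy fails closed.
    if msg.defects:
        names = ", ".join(type(d).__name__ for d in msg.defects)
        return "quarantine", f"malformed MIME: {names}"

    # policy.default unfolds the header and decodes RFC 2047 encoded-words, so an
    # encoded or folded subject compares equal to its plain-text form.
    raw_subject = str(msg["subject"]) if msg["subject"] is not None else ""
    subject = normalize_subject(raw_subject)
    if subject in blocked_subjects:
        return "block", f"subject matches outbreak policy: {subject!r}"

    return "allow", "no policy match"


def _message(subject_header, extra_headers=b""):
    """Build a minimal constructed message around the given raw Subject header."""
    return (
        b"From: sender@example.test\r\n"
        b"To: recipient@example.test\r\n"
        + subject_header + b"\r\n"
        + extra_headers
        + b"\r\nPlease see the attached file.\r\n"
    )


# Encoded variant produced at run time so the bytes are exactly RFC 2047 base64
# for the same text the policy lists.
_ENCODED = base64.b64encode(b"Important Account Notice").decode("ascii")

# Constructed sample messages exercising each branch of the policy.
SAMPLES = {
    # Subject exactly as the advisory lists it.
    "plain": _message(b"Subject: Important Account Notice"),
    # Same subject as an RFC 2047 encoded-word: a byte-for-byte match on the raw
    # header would miss it; the decoded-and-normalized match does not.
    "encoded": _message(b"Subject: =?utf-8?b?" + _ENCODED.encode("ascii") + b"?="),
    # Same subject folded across two header lines with odd case and spacing.
    "folded": _message(b"Subject: IMPORTANT\r\n    account   Notice"),
    # Claims to be multipart but has no boundary parameter: a structural defect.
    "malformed": _message(b"Subject: Weekly report",
                          b"Content-Type: multipart/mixed\r\n"),
    # Ordinary mail that matches nothing.
    "clean": _message(b"Subject: Lunch on Friday?"),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = evaluate(raw)
        print(f"{name:10s} {verdict:10s} {reason}")
```

Run the module directly to print a verdict for each sample. The normalization step is the point: a policy that compares raw header bytes is sidestepped by encoding or folding the subject, so the check decodes first and matches second, and it treats a defective MIME structure as a reason to hold the message rather than as something to tolerate.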

Trend Micro introduced four new versions of its messaging security software. InterScan Messaging Security Suite 5.1 for Windows, Unix and Linux operates at the Internet gateway to scan e-mail content, while ScanMail for Microsoft Exchange (version 6.1 for Exchange 2000 and 3.81 for Exchange 5.5) and ScanMail for Lotus Notes 2.6 provide e-mail protection on enterprise mail servers.

ScanMail for Microsoft Exchange 6.1, which runs with Exchange 2000, is available now. ScanMail for Lotus Notes 2.6 NT is available now, with Linux and Solaris versions expected to ship later this quarter. InterScan Messaging Security Suite 5.1 is available immediately on NT and Unix, and the Linux version is scheduled for release later this quarter. ScanMail for Exchange 3.81, which works with Exchange Version 5.5, is also scheduled to ship this quarter. Suggested retail pricing for ScanMail Exchange and ScanMail for Lotus Notes is $24.57 per user for 250 seats, dependent on volume, and the pricing for InterScan Messaging Security Suite is $26.20 at the same seat volume.

The company also introduced InterScan WebProtect 1.5 for the Internet Content Adaptation Protocol (ICAP), designed to block the spread of virus threats such as Nimda and CodeRed, which spread using HTTP as a means of infection. The new version provides integration with Trend Micro's other products, with suggested retail price of $8.80 per user for a 1,000 user license.

Oregon State University has deployed Trend Micro's messaging virus-blocking software on servers used by its 8,500 Microsoft Exchange users. The new version allows the university to deploy the scanning software on a central server, rather than deploying a copy on every one of the university's Internet gateway servers.

"The Exchange server isn't taxed; we can offload the work of the Exchange server, and use one interface to check out the status of all machines, see how things are going and what viruses are being caught," said J.J. Seely, systems engineer for Oregon State University College of Business.

Oregon State University hopes to deploy Trend Micro's services to remediate network damage after viruses get loose in the network, even though no virus has gotten loose in the university network for several years.

"Viruses move so fast I'm a little paranoid," Seely said. "But not without cause."

Viruses are stopped from entering the university network by the e-mail gateway software and by Norton AntiVirus on the desktop, which scans removable media such as floppy disk drives and Zip drives.