By Mark Ward
Technology Correspondent, BBC News website
Virus writers have adopted a new tactic to try to make sure their malicious programs reach as many victims as possible.
Instead of releasing Windows viruses intermittently, many creators of worms and trojans are pumping them out with increasing frequency.
For a while new variants of one virus, called Mytob, were appearing every hour. Some viruses appear in hundreds of different guises.
This tactic is designed to fox security firms that use software to scan e-mail attachments for the signatures of known viruses.
The variants are appearing far faster than firms can analyse them and update their scanners to spot the malicious code.
The tactic seems to be paying off. Currently, Mytob variants are filling 14 of the positions in the Top 20 threats list collated by security firm Sophos.
Spot and scan
James Kay, chief technology officer at mail filtering firm Blackspider, said the accelerating number of virus variants highlighted the dangers of simply relying on e-mail scanners to catch viruses.
"If you have lots of viruses to combat and a limited amount of resources, you have to choose which ones you are going to patch," he said.
This can mean that protection against some viruses, typically ones that appear in small numbers, is unavailable for a long time. These unnamed viruses can then go on to catch out more people than they would otherwise.
"There's a connection between the window of exposure and the volume of a virus," he said.
If anti-virus companies could produce patches within three hours of the first appearance of a virus, outbreaks would almost disappear, suggests research by Andreas Marx of the independent AV-Test Organisation of the Institute of Technical and Business Information Systems at the Otto-von-Guericke University in Magdeburg.
However, Mr Marx's work has found that although response times from anti-virus companies are improving it still takes them, on average, 10 hours to update scanners and produce patches for new malicious programs.
Novel threat
A study carried out by security firm Checkbridge found that, on some days, scanning programs missed more than one-third of e-mail borne viruses.
To gather its statistics Checkbridge ran two million e-mail messages sent over five days through three well-known e-mail scanners. None of the tested programs caught all the viruses.
On the best day the top-performing scanner caught 97% of the malicious programs in the body of messages. By contrast, on one day only 64% of the infected messages were spotted by one scanner.
"Even using two scanners is not going to catch all the viruses all the time," said John Turley, managing director and founder of Checkbridge.
Also necessary were programs that use general rules, called heuristics, to spot unknown variants that resemble known viruses.
"Heuristics are essential, otherwise it's just not going to work," he said.
Future versions
James Kay from Blackspider said his firm used scanners, heuristics and programs that can take a broad view of what is happening to a mail server.
If an e-mail server was suddenly struck by thousands of messages bearing the same attachment, it was a fair bet that a virus outbreak was under way, said Mr Kay.
But Graham Cluley, senior technology consultant at Sophos, said few mail security firms relied solely on scanners to spot and stop viruses getting through to users.
"Anti-virus is not just about finding known viruses," he said. "We use a heuristic system that will predict what future variants look like."
He said that companies should also ensure that their e-mail gateways use simple rules, such as refusing messages bearing program files, to help stop viruses getting through.
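The two gateway-side measures described above, Mr Kay's "same attachment arriving in bulk" signal and Mr Cluley's "refuse program files" rule, as an added illustration that is not code from the article or from either firm. The blocked-extension list, the burst threshold and window, and the sample traffic are all constructed for the demo.

```python
import hashlib
from collections import Counter, deque

# Gateway rule from the article: refuse messages carrying program files.
# The extension list is constructed; the article names no specific types.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}

def is_program_file(name: str) -> bool:
    """True when the attachment filename has an executable extension."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in BLOCKED_EXTENSIONS

class OutbreakDetector:
    """Flag an outbreak when one attachment (keyed by content hash, so the
    filename does not matter) arrives `threshold` or more times within
    `window` seconds. Both numbers are constructed for the demo."""
    def __init__(self, threshold: int = 3, window: int = 60):
        self.threshold, self.window = threshold, window
        self.seen = deque()       # (arrival_ts, digest), oldest first
        self.counts = Counter()   # digest -> occurrences inside the window

    def observe(self, ts: int, payload: bytes) -> bool:
        digest = hashlib.sha256(payload).hexdigest()
        while self.seen and ts - self.seen[0][0] > self.window:
            _, old = self.seen.popleft()   # expire messages outside the window
            self.counts[old] -= 1
        self.seen.append((ts, digest))
        self.counts[digest] += 1
        return self.counts[digest] >= self.threshold

def triage(messages):
    """Gateway rule first, then burst detector; returns (rejected, flagged)."""
    det = OutbreakDetector()
    rejected = flagged = 0
    for ts, name, payload in messages:
        if is_program_file(name):
            rejected += 1         # never reaches the scanner at all
            continue
        if det.observe(ts, payload):
            flagged += 1
    return rejected, flagged

# Constructed sample traffic: one identical archive arriving repeatedly,
# one executable attachment and one benign document.
SAMPLE = [(0, "photo.zip", b"WORM-A"), (5, "photo.zip", b"WORM-A"),
          (9, "invoice.exe", b"WORM-B"), (10, "photo.zip", b"WORM-A"),
          (12, "report.doc", b"benign"), (20, "photo.zip", b"WORM-A")]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the detector keys on the attachment's content hash rather than its name or a signature, it fires on a fresh variant the scanner has never seen, which is the gap the article describes.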
Most large anti-virus companies were now 24-hour operations that can deal with the 1,000 or so viruses and variants they see every month. Many update their scanning programs hourly to keep up with the evolution of viruses.
While this helps large companies, it can mean home users will be the most likely to be caught out.
"The main people suffering are the home users who have always been more laid back about their security," said Mr Cluley.
http://news.bbc.co.uk/1/hi/technology/4080420.stm