By Phil Jones

Even though companies such as Symantec Corp and McAfee Associates are now using anti-virus software as a weapon in a larger fight for control of the total security market (CI No 3,066), demand for specialist anti-virus software is not likely to go away completely. The success of the Concept virus – the first ‘macro’ virus – has demonstrated how an ingenious virus author can successfully outflank an entire industry, and suggests that organizations targeted solely at combating such menaces still have a valuable role to play. Steve White, a senior manager at IBM Corp’s High Integrity Computer Laboratory (HICL), points out that the world’s anti-virus experts had long expected a macro virus such as Concept to emerge. However, they were powerless to do anything about it until the first version of the virus appeared. Instead, IBM, along with every other anti-virus software developer, is constantly finding itself playing a reactive as opposed to a proactive role. What is more, although IBM has done its best to recruit a large body of leading anti-virus experts to work at its laboratory, White concedes that IBM cannot hope to combat the world’s virus writers on its own. As Joe Wells, another of IBM’s anti-virus gurus and compiler of the Wild list of currently active viruses, points out: “We technical types need each other. The marketing men would like us to keep some things to ourselves, but once we start keeping secrets from each other the only people who win are the virus writers.”

Concept differs from conventional viruses in some important ways. The most obvious is that it is not restricted to a single operating system. Instead, it is a cross-system virus which uses the scripting language in the Microsoft Word wordprocessor as a means of infiltrating Word documents, regardless of the computer type.

Portable virus

Because the virus is written as a macro extension to Word, it is as portable as any other Word product such as a document. Thus, unlike its predecessors which relied chiefly on ‘sneakernet’ to spread them around the world, Concept has become the world’s most prevalent virus in under nine months, because users of Microsoft Word have been busily sending it to one another via electronic mail. It took the anti-virus software community approximately one week to identify Concept and another week to figure out how to cure it. But unfortunately, unless the anti-virus software community is willing to broadcast its solution free on the Internet, anti-Concept fixes still can’t hope to spread as quickly as the virus itself.

There is, say experts, only one way in which the spread of Concept and other macro viruses can be stopped once and for all, and that is if Microsoft rewrites its macro scripting language to make it less accessible to virus writers. Unfortunately, in order to do this Microsoft Corp would have to seriously restrict the usefulness of the macro language. And in the war against viruses, say the experts, “Security almost always comes a bad second to functionality.”

Another approach which is likely to curtail, if not eliminate, the spread of macro viruses is one which seeks to apply virus scanning to electronic mail traffic. Although anyone who has ever sat impatiently in front of a personal computer waiting for a conventional anti-virus scanner to finish its work will find it difficult to believe, several products now exist which claim to be able to open, decode and scan electronic mail traffic without placing a serious burden on the network. The original and perhaps leading example of this new category of anti-virus product is Integralis Inc’s Mimesweeper.
Mimesweeper, says David Guyatt of Integralis, is essentially an electronic customs house which sits on an electronic mail gateway, checking the contents of incoming mail and ensuring that it is free of destructive or undesirable content before it is allowed to complete its journey and, potentially, deliver its virus-laden cargo directly to the unlucky users’ desktop. Since launching the product 15 months ago, Integralis claims to have enjoyed unprecedented demand for Mimesweeper. “You can sell a lot of products based on fear. But the fact remains that organisations like the US National Centre for Supercomputing Applications say that up to 50% of viruses are being propagated by electronic mail, especially macro viruses,” says Guyatt.

As one of still only a very few companies with an answer to this problem, Integralis has become the valued partner of a number of different companies, and has taken a leaf out of McAfee’s book by actively seeking agreements with vendors of complementary products. These include, for instance, Checkpoint Software Technologies Ltd, the market leading firewall vendor. Since Integralis brought Mimesweeper to market, the company has acquired 300 customers for the product worldwide, even though its starting price is a stiff $16,000. However, the company’s total revenues are still only $20m annually, so even Guyatt recognizes that the future may hold some uncertainties for his company. He is also sanguine enough to admit that, as the market for content scanners such as Mimesweeper heats up, his company is likely to become a hot acquisition target. “This year may be the year of the firewall, but next year will be the year of the content scanner,” says Guyatt.

As companies such as Integralis, McAfee and Symantec jockey for leadership in existing and emerging areas of virus-related security, some experts believe that all attempts to cure the virus problem by conventional means are doomed. IBM says that statistics show that the productivity of virus writers is increasing.

Sabotage files

Macro viruses, for instance, exist because Microsoft and other applications developers unwittingly provide tools which virus writers can use to sabotage Microsoft files. Meanwhile virus writers, just like anti-virus writers, appear to be in growing contact with one another via the Internet. White argues that the anti-virus community can no longer rely on curing viruses on a case-by-case basis. IBM believes that a convenient paradigm for automating the fight against viruses already exists, namely the mammalian immune system. Researchers at IBM’s HICL have already shown how the development and spread of computer viruses closely mirrors that of real viruses. It was only a short step to concluding that the best way to fight viruses would be to take a leaf out of nature’s book.

The problems of reproducing the behavior of an immune system in software are inevitably complex and fraught with risk. For instance, one aspect of natural immune systems is the lethalness of the anti-virus cells produced by mammals. These cells are so deadly that, in natural immune systems, they frequently kill perfectly healthy cells. Fortunately for animals, the fact that they have millions of healthy cells means they can afford to lose one or two to an overzealous anti-virus cell. In a computer network, however, a cell or software agent which destroyed other software objects simply because it did not recognize them could soon do more damage than the viruses it was supposed to be hunting. IBM says that the challenge is to find a way of writing software which can make an educated guess as to whether another piece of software is potentially harmful or not. The first fruits of the program could appear in products early next year. If the IBM HICL researchers succeed, the company will evolve anti-virus technology so powerful that conventional anti-virus software will become redundant.

Taken from the December 1996 issue of Computer Business Review.