Homepage e-mail virus attack could have been prevented

Security: Users slow to update anti-virus software, as Reuters helps Symantec on code. Bill Goodwin reports

Questions were raised this week about the adequacy of corporate anti-virus protection measures after another e-mail virus swept across the globe.

The homepage virus flooded corporate e-mail systems in Europe, New Zealand and the US last week, slowing down e-mail delivery and forcing some companies to close their e-mail servers.

The virus is the latest in a series of e-mail viruses which reproduce by mailing copies of themselves to addresses contained in the contacts database of the Microsoft Outlook mail program.

The first, Melissa, caused widespread damage when it struck in March 1999. It was followed by the Lovebug in May 2000, and the Anna Kournikova virus in February this year.

"Companies have had a full 365 days to learn the lesson. It's rather astonishing that people are still being taken in," said Graham Cluley, senior technology consultant at Sophos.

Homepage moved rapidly around the world after the first outbreaks were reported in the Netherlands last Tuesday evening. It spread throughout Asia Pacific, New Zealand and Australia, before striking Europe and the US on Wednesday morning.

At its peak, one in every 50 e-mails travelling through the internet had been infected, according to estimates by anti-virus company MessageLabs.

The outbreak took more than 23 hours to bring under control. But a second smaller outbreak struck some 36 hours later, when company employees caught up with their e-mails.

Despite its similarity to the Kournikova virus, Homepage managed to evade anti-virus software from major suppliers including Sophos, Trend and Symantec.

Although the suppliers rushed out patches, many IT departments were slow to update their anti-virus software, permitting the spread of the virus.

Unlike the Lovebug, which erased certain types of files, the payload of Homepage was more embarrassing than destructive.

The virus used the contacts database on Microsoft Outlook to e-mail messages containing the phrase "Hi! You have got to see this page! It's really cool."

Users who clicked on the attached file, Homepage.HTML.vbs, were taken at random to one of four pornographic web sites.

Despite its low-level payload, the rapid spread of the virus clogged servers, delayed communications and, in some cases, led to significant clean-up costs.

At least two large UK companies were forced to close down their e-mail servers for a day to deal with the virus.

Experts say that the embarrassing content of the outbreak could also have damaged the reputations of some companies, particularly those unlucky enough to have e-mailed it to their clients.

Although the author of the virus has yet to be identified, there has been speculation that Homepage was deliberately created as a marketing tool for the pornographic web sites.

An analysis of the sites has shown that all four are owned by the same company. If there is a link between the authors and the web sites, a criminal investigation could easily trace perpetrators.

The UK's newly formed Hi-Tech Crime Unit, however, said this week that it was not mounting an investigation into the outbreak. "We can't investigate every virus," said a spokesman.

Homepage is the second virus to have been written using a simple virus-writing program readily available on the internet, called vbswg. The kit, which was also responsible for the Anna Kournikova virus, reduces virus writing to a few simple points and clicks.

The author of Homepage may have altered the code manually, to escape detection from anti-virus software that would otherwise recognise viruses produced by the kit, experts believe.

How to stop e-mail viruses

IT departments caught on the hop by the Homepage virus could easily have protected their systems by blocking all e-mails with vbs or double file extensions, experts said this week.

The payload in Homepage was contained in a Visual Basic e-mail attachment called Homepage.HTML.vbs, an unusual file that could have easily been intercepted.

"There really is a simple thing that a systems administrator can do to prevent this sort of virus - block vbs files coming into your organisation. I challenge anyone to find a legitimate reason why they need vbs files coming into their desktops," said Graham Cluley, senior technology consultant at Sophos.

Although blocking vbs files could have prevented the widespread propagation of Homepage, it may not be a panacea for every company.

David Rippon, chairman of the Elite group of IT directors, said the growth of offshore programming meant that many UK IT departments were using the Internet to exchange vbs files with programmers in India.

"Some companies would not want to have turned off vbs files, because that's how they do offshore work," he said.

Virus experts have warned that virus writers would simply begin hiding viruses in other file extensions if widespread blocking of vbs files occurred.
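The attachment filter the experts describe, written here as an added example that is not part of the original article: it parses an inbound message, rejects .vbs (and, as an assumed extension of the advice, the other Windows Script Host types) and flags double extensions such as Homepage.HTML.vbs, with an allowlist so that archive names like backup.tar.gz are not caught. The sample message is constructed and its attachment body is a harmless placeholder.

```python
import email
from email import policy
from email.message import EmailMessage

# Script types to reject outright. The article names .vbs; the other
# Windows Script Host extensions are an assumed addition to the policy.
BLOCKED_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}

# Double extensions that are legitimate and must not be flagged.
ALLOWED_DOUBLE = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}


def classify_filename(name):
    """Return a reason string if the attachment name should be blocked, else None."""
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return None  # no extension at all
    ext = parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension .{ext}"
    # Anything with two or more extensions (e.g. Homepage.HTML.vbs,
    # report.doc.exe) is suspicious unless it is a known archive form.
    if len(parts) >= 3 and (parts[-2], ext) not in ALLOWED_DOUBLE:
        return f"double extension .{parts[-2]}.{ext}"
    return None


def scan_message(raw_bytes):
    """Return [(filename, reason)] for every attachment that violates the policy."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_filename(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample():
    """Constructed message mimicking the Homepage lure; the attachment is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Homepage"
    msg.set_content("Hi! You have got to see this page! It's really cool.")
    msg.add_attachment(b"' placeholder bytes, not a script\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="Homepage.HTML.vbs")
    return msg.as_bytes()
```

A gateway applying this policy would have quarantined the Homepage attachment on its name alone, before any signature update was available.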

Bill Goodwin