Mind the bugs don't bite

The success of the Love Bug attack illustrates the limitations of anti-virus software, writes Brian Clegg.

The success of the Love Bug attack illustrates the limitations of anti-virus software, writes Brian Clegg.

Last year's Love Bug attack with its LoveLetter virus attachment has shown that, although anti-virus software is necessary, it is not enough protection, particularly against trojan horse attacks.

Viruses can occur in three ways. Scripts (simplified programming languages) occur within applications, a virus can be sent within HTML and they can reside in the operating system itself.

LoveLetter used the operating system's scripting. Previous versions of Windows had been criticised because, unlike Unix, they did not have a scripting language. Such scripting is used by system operators for repetitive tasks and was welcomed when it was included in Windows 98 and Windows 2000 as Visual Basic scripting.

Unfortunately, like any other executable, a Windows script sent as an attachment is easily run by double-clicking. LoveLetter was such a script.

Graham Cluley, head of corporate communications at anti-virus specialist Sophos, said the answer is simple - turn off Windows Scripting Host (WSH).

This is controlled from the Windows set-up tab in the control panel's add/remove programs section. Within accessories is a check box for WSH. By default this is on - switch it off and a PC is safe from a LoveLetter attack.

Peter Morris, head of technology for programming consultancy The Mandelbrot Set, agrees. "In the old days you had to use batch files to get things done. Now ordinary users do not think programming. If you need to automate a process, there's nothing possible with Windows scripting that couldn't be done in Visual Basic," he says.

Script embedded in HTML should be safe but, due to a technical loophole, the Bubbleboy virus was able to attack from within the body of an e-mail. This was especially dangerous as the virus was activated by opening the mail.

Microsoft published a fix that prevents such attacks, but many companies did not deploy it, and a subsequent, still very active virus, called Kakworm used the same mechanism. Details of the fix can be found in Microsoft's security bulletin.

The biggest source of viral attacks remains application scripts - particularly Word and Excel macros. Legitimate macros in Word documents are uncommon, and recent versions of the word processor disable incoming macros by default.

With Excel, things are less simple. Part of the reason for the ubiquity of the spreadsheet is the ability to build-in programming to handle more sophisticated processing than can be achieved with a cell formula. Where possible, incoming spreadsheet data should be in the form of CSV files. These read into Excel but cannot carry scripts. Similarly, RTF format can be used for word processing, although there is less need if Word is set to disable scripts. Recent Microsoft applications can use security certificates to confirm the origin of the file. If security loopholes are covered, it is necessary to launch an attachment to trigger a virus attack.

A vital protection is an education policy on attachments. Do not assume that anti-virus software will keep you safe - make your users attachment-aware. With a moment's thought, the text of the message is often suspicious enough to make the reader wary. This was certainly true of LoveLetter, although the Mother's Day variant was more subtle.

The Mother's Day virus claimed to be a confirmation of credit card payment, with the invoice attached. Many enraged users clicked to see how they had been charged for something they did not buy. More cunning was the official sounding "Symatec anti-virus update" that urged users to use the attached Visual Basic script to update their anti-virus software.

Basically, these are trojan horses which coax the end-user into opening an apparently innocuous message that contains a hidden virus. Morris says the most deadly of these was ExploreZip, the virus that appeared in users' mail boxes like a Zip file. He says it is particularly easy for a virus author to create a virus which masquerades as an e-mailed photograph from a friend. When opened, the virus will present a seemingly genuine Windows message warning that the image is corrupt. But, unknown to the user, a virus will be running on the PC.

A useful clue can be found in file extensions. Anything executable should be handled carefully. The Love Letter script had the extension .TXT.VBS - as many PCs are set to hide extensions like VBS, this would have shown as the harmless .TXT.

It is worth making sure that Windows Explorer shows all extensions. But extensions are easy to overlook. For more safety, inbound e-mail virus checkers can exclude executable attachments and scripting files, but this policy usually needs to be applied on a user-by-user basis. One alternative is to use a viewer like Quickview. This enables the user to right-click an attachment and see its contents without engaging the application and triggering a virus.

Microsoft could also do more. If, for example, it was not possible to execute an attachment directly from Outlook, instead showing a dialog saying "this is a VB script file that could be a virus", it is unlikely that LoveLetter would have succeeded.

Morris goes further, suggesting that the operating system could trap the effects of viruses, preventing them from starting processes or overwriting files. He points out that the file protection system in Windows 2000 automatically restores any deleted system files - a similar process could protect documents.

Morris says that Windows 2000 offers an almost totally secure system against viruses. He believes that with just a little more work Microsoft could prevent any unauthorised code from running.

An unexpected effect of the Microsoft judgment might be to reduce virus attacks, says Cluley. Viruses spread quickly because a high percentage of systems use the same operating system and applications. If Microsoft's grip on the desktop was loosened, competition would lessen the devastation. Diversity, as evolution demonstrates, is a survival trait.

However, Microsoft chairman Bill Gates has warned that any splitting up of his company would make it more difficult to protect users against virus attacks.

The LoveLetter virus attack has shown the dangers that scripts can cause. Anti-virus software is an important safeguard, but is not enough. Only a combination of prevention and vigilance can minimise the potential risk.

Protection top 10

1. Turn off Windows Scripting Host.

2. Use RTF (Rich Text) format for receiving word processing documents.

3. Use CSV format (commas, tabs or hyphens to separate tabular data) when receiving spreadsheets.

4. Do not open attachments unless you are expecting them.

5. Implement the Microsoft fix against Bubbleboy-style attacks.

6. Have a nominated address for forwarding hoax virus warnings to.

7. Use viewer software to read unsolicited files.

8. Block executable and script attachments.

9. Use centrally updated anti-virus software.

10. Make sure users understand macro warnings from applications.



Read more on Antivirus, firewall and IDS products