Klez virus brings new threat to business

A leading security expert has warned that the success of the Klez.h virus last week could lead to an explosion of copycat viruses that could undermine corporate security policies and even hinder the crackdown on online paedophilia.

A key feature of Klez.h is the way it changes the e-mail sender address to fool the user into thinking the e-mail has come from someone they know.

This could create a potential alibi for someone accused of inappropriate use of e-mail, either by sending out business-critical information from an organisation or by spreading pornography.

Peter Sommer, a security expert at the London School of Economics, said, "People who distribute paedophilia, for example, could use this in their defence as a technical explanation."

They could argue that they were not the perpetrators of kiddie porn, said Sommer, adding, "This could cause an additional burden in a lawsuit."

Klez does not yet carry a very damaging payload, but Sommer said, "Now the [Klez] technique has been widely distributed, we may see copycat viruses with greater sophistication."

Most businesses that have updated their anti-virus software have, so far, emerged relatively unscathed from the Klez.h virus, but it has raised new management issues for hard-pressed IT departments.

Companies with virus protection could still find their staff named in the sender field of a Klez e-mail.

One e-mail administrator in a large business told CW360.com that some staff had received "undeliverable" e-mail alerts for messages they did not send.

"We're assuming that someone outside the company with one or more of our people in their address book has fired off the virus, which happened to pick one of our addresses to spoof as the sender."

The virus was stopped by anti-virus software running on the e-mail gateway at the company. But the gateway itself could cause companies embarrassment.

Often, when a virus is detected, the sender of that virus is alerted that they may have a virus on their computer. With Klez, the sender's e-mail address is spoofed, so a business may inadvertently send the automatic response to someone whose computers have not been infected.

To minimise this sort of disruption, Alex Shipp, anti-virus technologist at MessageLabs, advised businesses to disable the auto-response mechanism on their AV gateways. "Switch off the AV gateway response temporarily until Klez.h dies down," he explained.

Symantec said it was receiving 3,000 enquiries a day and had taken more than 35,000 customer enquiries about Klez.h since the outbreak began.

The MessageLabs VirusEye activity monitor has rated Klez.h as the third most virulent virus of all time after BadTrans and Sircam.
