New Computer Viruses: a Hassle, but Detectable
PITTSBURGH — FORGET Michelangelo, the overblown computer virus that caused such a panic in March. Beware, polymorphics.
These are a new generation of computer viruses. They're called polymorphic because they can take an almost infinite number of forms. That will make virus detection much harder.
"The way we have thought of computer viruses up to now is: Look for the criminal and when you find him, get rid of him," says Peter Tippett, chairman of CERTUS International Corporation, an anti-virus firm based in Cleveland.
The technique is called scanning. The computer searches for strings of code that are contained in viruses. Polymorphic viruses defeat this strategy because they change their code each time they encrypt themselves.
The first polymorphic to appear was the Flip virus in July 1990. It was followed nine months later by Tequila, written by the same Swiss authors. Others began to appear: Spanish Telecom from Spain, Haifa from Israel, Invol from the United States.
Earlier this year, Dark Avenger released his Mutation Engine, which instructs virus writers how to use polymorphic techniques. Pogue, the first virus to use the engine, showed up in January. Many scanning programs have been unable to locate it.
Fortunately, the Mutation Engine has turned out to be more bark than bite. Certus anti-virus researcher Joe Wells, for example, found that by keying on the engine rather than the virus he could detect it with scan strings.
"The Mutation Engine is not a threat," says Alan Solomon, a British anti-virus researcher who also cracked the engine's code. But "the existence of polymorphic viruses is a major pain," Mr. Solomon says.
Polymorphic viruses may cause more reliance on check-summing, another detection method. Check-summers monitor for virus-like activity. Unfortunately, they set off many false alarms.
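To make the two detection methods the article contrasts concrete, here is an added illustration (not code from any of the products or researchers named above). A fixed scan string catches a copy of a constructed, harmless stand-in "virus body" but misses the same body once it is re-encoded with a new key; a checksum baseline flags the re-encoded copy, and also flags a legitimate edit, which is the false-alarm problem of check-summing. File names, contents and the XOR key are all assumptions made up for the example.

```python
import hashlib

# Constructed, harmless stand-in for a known virus body (hypothetical value).
# A real scanner's database holds byte strings taken from real samples.
KNOWN_BODY = b"CONSTRUCTED-VIRUS-BODY"
SIGNATURE = KNOWN_BODY[:12]          # the scan string the scanner keys on

def scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scanning: report infection if the known byte string appears in the file."""
    return signature in data

def reencode(body: bytes, key: int) -> bytes:
    """Toy model of a polymorphic copy: the same body XOR-encoded with a fresh key.
    Every byte differs for every non-zero key, so a fixed scan string no longer matches."""
    return bytes(b ^ key for b in body)

def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def baseline(files: dict) -> dict:
    """Record a checksum of every file while the system is known to be clean."""
    return {name: checksum(data) for name, data in files.items()}

def changed(base: dict, files: dict) -> list:
    """Check-summing: flag every file whose content no longer matches the baseline."""
    return sorted(n for n, d in files.items() if checksum(d) != base.get(n))

def demo() -> dict:
    # Constructed sample files and a baseline taken while they are clean.
    clean = {"editor.exe": b"EDITOR-CODE", "notes.txt": b"hello"}
    base = baseline(clean)
    # Copy 1 carries the body verbatim: the scan string finds it.
    infected1 = dict(clean, **{"editor.exe": clean["editor.exe"] + KNOWN_BODY})
    # Copy 2 carries the same body re-encoded: the scan string misses it, the checksum does not.
    infected2 = dict(clean, **{"editor.exe": clean["editor.exe"] + reencode(KNOWN_BODY, 0x5A)})
    # A legitimate edit to notes.txt also changes its checksum: the false alarm the article mentions.
    updated = dict(clean, **{"notes.txt": b"hello world"})
    return {
        "scan_catches_plain_copy": scan(infected1["editor.exe"]),
        "scan_catches_reencoded_copy": scan(infected2["editor.exe"]),
        "checksum_flags_reencoded_copy": changed(base, infected2),
        "checksum_flags_benign_edit": changed(base, updated),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```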