Recycled threats are on the radar of the major antivirus vendors

The ghosts of viruses past are never far away. Recently, a German computer manufacturer discovered it was shipping PCs that contained a variant of the Stoned virus called Angelina—a 15-year-old boot sector virus. Over the last year, there has been a resurgence of file infector, or parasitic, viruses as well: Not too long ago, W32/Virut began infecting .exe and .scr files, causing significant damage to a number of computer systems.

“Over the last six months, we’ve seen some nasty parasitic infectors and old-school destructive viruses,” says Dave Marcus, security research and communications manager at McAfee. While such viruses account for only 10 percent of all the malware that exists, static malware like bots and Trojans are still far more common.

Recycled threats are on the radar of the major antivirus vendors, Marcus says.

“Our view is that viruses will always be lurking in your desk drawer, maybe getting dusty, but one day they will catch up,” says Graham Cluley, a senior technology consultant at Sophos. That is why the antivirus vendor never delists virus signatures from its products.

“There is a lag time between when viruses are detected and when they actually become extinct,” says Robert Freeman, team lead, X-Force Protection Technologies, part of IBM Internet Security Systems (ISS). “And due to Internet connectivity, many [viruses] that really shouldn’t be prevalent are not yet extinct.” That’s because today, many viruses of old can replicate through e-mail or peer to peer—technologies that were not as prolific in the age of floppy disks.

Marcus says that the choice to remove certain virus signatures is dependent on a few factors. “There is such a cyclical nature to malware that we don’t like to completely remove the capabilities to deal with them. We may disable some based on the fact that most operating systems no longer utilize the old functions those viruses require.
However, we try and leave them in the collection database, but consider downgrading their need.”

Cluley says the practice of determining which viruses can be removed from the database is often more effort than it’s worth. If a vendor does decide to delist something, it’s usually due to performance issues, says Cluley. “Rather than spend nine months redesigning their antivirus, the simpler fix is to reduce the amount of malware it addresses until they’re ready with their new engine.”

ISS points to behavioral and heuristic techniques (see accompanying story) as perhaps better ways to solve the problem of polymorphic malware. That way, ghosts like Angelina won’t be so easy to recycle once their signatures become too old to recognize.