How Vulnerable is Your Security?
New breed of worms targeting scanners, firewalls
Detection can be a tricky proposition at best, with new threats worming their way onto a system before antivirus updates are released to detect them. What happens when these as yet undiscovered viruses disable the antivirus protection on the system? While specific software had been targeted in the past, a wide-scale assault against a variety of vendors began in July 2001, when the ApBot worm was discovered targeting a large number of antivirus programs, Trojan detectors, and even firewall products. In October of the same year, W32/Toal emerged, attempting to terminate antivirus processes in memory. In December 2001, two new worms were discovered that seemed to have the same goal. The Goner worm first tried to delete certain files belonging to the security software and, if that failed, used a WININIT.INI file to delete them on the next system startup. A week later, the Gokar worm emerged, again attempting to shut down the real-time components of popular antivirus programs.

Paolo Iorio, an Italian programmer, recently demonstrated the ease with which some of these programs can be shut down. Paolo created a tool that uses simple operating system calls to seek out and disable antivirus products from McAfee®, Panda®, Kaspersky® and F-Prot®. Paolo did not design the tool for malicious purposes, but rather to point out how easily this could be done. While adding specific detection for the tool is a simple matter, doing so treats merely the symptom and not the underlying cause.

Roger Thompson, Director of Malicious Code Research for TruSecure Corporation said, "The idea of viruses attacking antivirus software is not new. In fact, these are known as Retro viruses. The Peach virus, for example, was released in 1992 and deactivated Central Point Anti Virus, and there have been zillions since. In the early to mid nineties, antivirus developers put considerable effort into resisting Retro viruses, mostly quite successfully, but over the last few years, antivirus developers have noticeably designed away from this paradigm. I assume this is in response to customer requirements. I'm sure it makes updating easier, and it (easier attacking) is probably regarded as a cost of doing business."

He also said, "It is important to understand, however, that all software can be attacked by other software. It is just that some is easier than others. All that is really needed is an attacker who is bright enough to look for the soft underbelly."

Some underbellies may be softer than others. Though both Paolo and the Goner worm (among others) have successfully demonstrated how simple it can be to disable some security software, at least one vendor, Zone Labs, developer of the ZoneAlarm firewall, has taken proactive steps to prevent its products from being disabled. In a recent press release regarding the Goner worm, Zone Labs asserted that "both ZoneAlarm and ZoneAlarm Pro are unique in their pioneering implementation of multiple self-defense measures against malicious code attacks." Indeed, independent testing of ZoneAlarm indicates that neither the WININIT.INI routine nor the method employed by Paolo can be used to disable its firewall protection. Third-party testing indicates that Aladdin's eSafe Protect is also immune to these methods. Interestingly, the Goner worm presumably targeted eSafe (among a host of other products), seeking to delete the file ESAFE.EXE. However, there is no file by that name in any of the eSafe software.

Whether other vendors follow suit and armor their products against such trivial assaults remains to be seen. In the interim, it would not be a bad idea for users to keep a close eye on their protection and ensure it is indeed still installed and working.
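One way to act on that advice is to check for the WININIT.INI trick described above before the machine reboots. Windows 9x/ME processes the [rename] section of WININIT.INI once at the next startup, and an entry whose destination is NUL deletes the source file. The script below, an added example that is not from the article or any vendor, parses a constructed sample of such a file and flags pending deletions that point at security-product directories; the directory name fragments in SECURITY_PATH_HINTS and the sample paths are assumptions for illustration.

```python
from typing import Dict, List

# Constructed sample of a WININIT.INI as a worm might leave it behind.
# "NUL=<path>" under [rename] deletes <path> at the next boot; the third
# entry is an ordinary (benign) rename. Paths are illustrative only.
SAMPLE_WININIT_INI = """\
[rename]
NUL=C:\\PROGRA~1\\ANTIVIR\\REALTIME.EXE
NUL=C:\\PROGRA~1\\FIREWALL\\FWMAIN.EXE
C:\\WINDOWS\\TEMP\\SETUP.TMP=C:\\WINDOWS\\SYSTEM\\NEWDLL.DLL
"""

# Assumed: lowercase path fragments that identify security products on this host.
SECURITY_PATH_HINTS = ("antivir", "firewall", "esafe", "zonealarm")


def parse_rename_section(ini_text: str) -> List[Dict[str, str]]:
    """Return every destination=source pair found in the [rename] section."""
    entries: List[Dict[str, str]] = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and INI comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            entries.append({"dest": dest.strip(), "src": src.strip()})
    return entries


def find_pending_deletions(ini_text: str, hints=SECURITY_PATH_HINTS) -> List[str]:
    """Return source paths that will be deleted (dest == NUL) and look like
    security-software files, i.e. contain one of the hint fragments."""
    flagged = []
    for entry in parse_rename_section(ini_text):
        src_lower = entry["src"].lower()
        if entry["dest"].upper() == "NUL" and any(h in src_lower for h in hints):
            flagged.append(entry["src"])
    return flagged


if __name__ == "__main__":
    # On a real host you would read C:\WINDOWS\WININIT.INI instead of the sample.
    for path in find_pending_deletions(SAMPLE_WININIT_INI):
        print("security file scheduled for deletion at next boot:", path)
```

A non-empty result means the protection will be gone after the next restart even though it still appears installed now, which is exactly the case the article warns about.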

©2009 About.com, a part of The New York Times Company.

All rights reserved.