Symantec plays down CPU virus hyperbole

Nathan Davis, 29 August 2006, 6:21 AM

We have an interesting Q&A session with Symantec's Vincent Weafer and discover that the new proof-of-concept CPU virus isn't all it was cracked up to be.


Symantec has just filled us in on the nature of the latest proof-of-concept virus to create a storm. Our very own storm in a teacup.

On the issue of whether this is a CPU or operating system flaw, Symantec's senior director of Security Response, Vincent Weafer, told APC, "The virus exploits no flaws in the CPUs. It is using a designed-in feature of the operating system in a slightly unusual way."

Essentially, this is a Windows-specific issue rather than a processor defect: the virus makes use of an ordinary operating-system feature in an unusual manner. The code it infects runs on CPUs that implement the 64-bit AMD64 architecture and instruction set, which Intel calls EM64T, so it covers essentially all 64-bit-capable desktop processors (but not Itanium, whose IA-64 architecture is different).

APC had a Q&A session with Vincent Weafer (also posted on Symantec's Security Response blog).

APC: How does the virus function?

Weafer: When an infected file is executed, it functions normally; however, when the application wants to terminate (e.g., the user closes it), the virus code is called. At that time, the virus will seek other files in the directory that contains the currently infected file, and all subdirectories below it. Any Windows executable file, regardless of the file extension (i.e., not just .EXE files), will be infected if it passes a strict set of criteria that the virus carries.

APC: Is it easily detected and, for that matter, avoided?

Weafer: No, the detection is not easy -- the virus [both] hides [and] encrypts itself using a new type of algorithm and uses a new method to gain control of the execution flow. It is easily avoided by not running files from untrusted sources. Additionally, since it is a proof-of-concept, it infects very few files. It does not spread over the network on its own, and does not attempt to leave the infected computer using any method (e.g., by e-mail).

APC: Is this an issue that the CPU designers need to look at or is this more of an operating system issue?

Weafer: It's more of an operating system [issue] but it's not a vulnerability or defect. The author has simply found an unusual means of leveraging an existing function.

APC: Might this also potentially be seen on other operating systems?

Weafer: It's an operating-system feature that is being used as designed, but in a slightly unusual way. The feature is specific to the Windows operating system and exists as a performance enhancement. So, while it is possible that something similar exists in other operating systems, the method that the virus uses is not directly applicable.


So, this is not a problem with processor architecture but rather the result of a feature in Windows being exploited in an unusual way. The more disturbing news here is that this may be the beginning of a new trend in virus development: viruses programmed for both 32-bit and 64-bit variations and released simultaneously (or even packaged into one), thus covering more ground.
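Weafer's description gives a responder two concrete facts to act on: the infected program scans its own directory and every subdirectory on exit, and it picks targets by whether a file is a Windows executable, not by its extension. The interview also makes clear the code is AMD64-only. The first check a practitioner would want, then, is an inventory of every PE image under a tree identified by header rather than extension, sorted by architecture. The Python below is an added example written for this page; it is not code from APC, Symantec, or the virus author, and it assumes nothing about the virus beyond what the interview states. The header-only PE images it constructs are test data, not real programs, and the three machine types it recognises (x86, AMD64/EM64T, Itanium) are the ones the article mentions.

```python
import os
import struct
import tempfile

# COFF machine types and optional-header Magic values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_IA64 = 0x0200
PE32_MAGIC = 0x10B       # 32-bit image
PE32PLUS_MAGIC = 0x20B   # 64-bit image (PE32+)

MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "x86 (32-bit)",
    IMAGE_FILE_MACHINE_AMD64: "x86-64 (AMD64/EM64T)",
    IMAGE_FILE_MACHINE_IA64: "Itanium (IA-64)",
}


def classify_pe(data: bytes):
    """Return (machine, magic) for a PE image, or None if the bytes are not a PE file.

    Only the headers are consulted, never the file name:
    MZ stub -> e_lfanew -> 'PE\\0\\0' -> COFF Machine field -> optional-header Magic.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 4-byte signature, the 20-byte COFF header and the 2-byte Magic.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (size_of_optional,) = struct.unpack_from("<H", data, e_lfanew + 20)
    if size_of_optional < 2:
        return None  # no optional header, so no Magic to read
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return machine, magic


def is_amd64_pe(data: bytes) -> bool:
    """True only for a PE32+ image built for x86-64, the class of file the interview says is targeted."""
    return classify_pe(data) == (IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC)


def scan_tree(root: str):
    """Walk root and every subdirectory (the virus's search scope) and list PE files by header.

    Returns a list of (path, architecture name, is_64bit) tuples, one per PE image found.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # assumption: headers lie within the first 64 KiB
            except OSError:
                continue
            info = classify_pe(head)
            if info is not None:
                machine, magic = info
                hits.append((path, MACHINE_NAMES.get(machine, hex(machine)), magic == PE32PLUS_MAGIC))
    return hits


def make_minimal_pe(machine: int, magic: int) -> bytes:
    """Construct a header-only PE image (constructed test data, not a runnable program)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (=2, just the Magic), Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 2, 0)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    # Demo: misleading extensions in a nested tree, exactly the case an extension filter misses.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub", "deeper"))
        samples = {
            "notes.txt": make_minimal_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC),
            os.path.join("sub", "tool.exe"): make_minimal_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC),
            os.path.join("sub", "deeper", "lib.dat"): make_minimal_pe(IMAGE_FILE_MACHINE_IA64, PE32PLUS_MAGIC),
            os.path.join("sub", "readme.exe"): b"not really an executable",
        }
        for rel, blob in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(blob)
        for path, arch, is64 in scan_tree(root):
            print(f"{os.path.relpath(path, root):24} {arch:24} 64-bit={is64}")
```

Run as a script, the demo reports notes.txt as a 64-bit x86-64 image and lib.dat as Itanium, while readme.exe is ignored despite its extension. The point for detection work is that `is_amd64_pe` is the only filter that matches what the interview describes, so a scanner keyed on `.exe` alone would miss the same files the virus finds.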



Comments

29 February 2008, 8:28 PM

Chris:

Just like in nature, virus development is evolving!! Why do I feel that my virus protection costs are about to double?

To quote "the dark avenger": "dam"
