Computer World Battles Faster-Moving Viruses
A new generation of self-spreading computer viruses has researchers worried that the days of slow-moving, low-level infections are over.
Since the creation of computer viruses in the mid-1980s, thousands of them have come and gone, most dying before causing any damage.
But three strains of these fast-moving viruses infected computers worldwide earlier this year and two more surfaced last month.
The first was a virus from France called Happy99. It became one of the most widespread diseases to afflict home computers. In March, the Melissa virus struck, spreading faster and wider than any virus in the past. Then three months ago, a plague known as ExploreZip appeared, again propagating itself over the Internet with unusual speed.
In September, two new viruses surfaced. Cholera is an infection similar to Happy99, Melissa and ExploreZip, and two weeks ago anti-virus software maker Network Associates put out an alert on a virus called Suppl that belongs in the same class.
Each of the infections used a different technique, but what tied them together was their ability not only to replicate themselves, a traditional feature of computer viruses, but also to spread on their own--a new twist that allowed them to cover the globe in a matter of days.
“We’re at a turning point in the history of viruses,” said Steve R. White, head of anti-virus research at IBM’s Thomas J. Watson Research Center. “They have automated the process of spreading so that it doesn’t depend on you or me anymore. Now all the old methods of dealing with viruses just won’t work.”
Anti-virus programs have so far contained the new infections. Researchers at IBM and anti-virus software maker Symantec are working on the next generation of countermeasures, which involve fighting the automated viruses with automated defense systems that can find a cure and inoculate computers in a matter of hours.
But the unexpected success of self-propagating viruses points to the increasing fragility of an interconnected world. Anti-virus companies concede they have fallen behind in the seesawing battle over the health of the digital cosmos.
“The goal is to be faster at coming up with a fix than the virus is at spreading itself,” said Carey Nachenberg of the Symantec AntiVirus Research Center. “We’re not faster than Melissa, but in two years we will be.”
For all the fears of computer viruses, the traditional strains move at a snail’s pace compared with the speed of modern communications. It can take weeks or even years for some viruses to move any appreciable distance--and by that time the anti-virus forces have long since created a cure.
Those that manage to spread typically depend on the most old-fashioned of methods--having a human being send them to a computer using e-mail or the even lower-tech method of transferring a diskette.
Now consider Melissa’s method. The virus was attached to Microsoft Word documents and sent via e-mail to unsuspecting computer users. When the document was opened, the virus would spread to a part of the Word program, ensuring that any new document would also be infected.
Melissa’s extra twist was a feature that made it grab the first 50 entries in the user’s e-mail address book and send them a copy of the infected document. The process repeated itself on the next group of computers.
The result of this exponential growth was impressive. One organization reported that the virus generated up to half a million e-mail messages in under three hours.
“There’s no doubt Melissa was a major change,” said Richard Jacobs, president of Sophos Inc., an anti-virus software maker. “People used to over-report viruses, but this year Melissa was a much greater problem than anyone expected.”
These recent viruses fall into a special category known as “worms,” a name that was taken from a 1975 science-fiction story in which a program called a “tapeworm” was used to bring down the computer system of a totalitarian government.
Worms, which were created in the early 1980s at Xerox’s Palo Alto Research Center, are programs that can reproduce and execute instructions on their own. They are, in essence, self-propagating viruses aimed at spreading over networks.
Xerox invented worms to help maintain large computer networks, for example by sensing idle computers so they could be put to use on problems that needed more processing power.
But even in those early days, the destructive ability of worms was apparent. Through a glitch, one of Xerox’s worms spun out of control and brought down all 100 computers connected to the network.
There have been only one or two major worm attacks before this year. The most notorious was a 1988 outbreak of the Morris Worm.
Created by Robert Morris Jr., the worm burrowed through several security weaknesses in networks using the Unix operating system and, once inside, scanned for addresses of other computers and dispatched copies of itself.
The Morris Worm was able to propagate with frightening speed, shutting down about 10% of the computers connected to the Internet, according to the CERT Coordination Center, an Internet security clearinghouse created specifically because of the damage caused by that first worm.
Nachenberg of Symantec believes that the reemergence of worms with Happy99’s arrival in January stems from a convergence of forces that has been brewing for years, creating a digital ecology that favors fast-moving infections.
As recently as a decade ago, the computing world was a hodgepodge of machines, most of which were not connected to one another.
Today, almost all personal computers use Microsoft’s Windows software and Intel microprocessors. As with biological viruses, the millions of identical hosts have made transmission easier.
A key piece that has fallen into place only in the last four years was the introduction of Windows 95, which brought a set of powerful tools that viruses could use to manipulate the computer through common programs such as Word and Excel.
The last piece of the puzzle was the growth of the Internet, which linked millions of computers together, giving viruses an easy path to spread.
The three conditions have enabled viruses to move quickly--a key factor because of the widespread use of anti-virus software programs, which can update themselves on a daily basis.
“Homogeneity, connectivity, programmability,” Nachenberg said. “Everything is ripe to be attacked. What is preventing them is law enforcement and whatever ethics are left in the world.”
The most recent worms are not as autonomous as the Morris Worm. They have still depended on humans to activate them by opening the infected files sent via e-mail.
But anti-virus experts believe the time is coming when the fully autonomous worm could make a comeback.
IBM’s White said the only viable solution to the worm problem is to move faster than the worms by fully automating the virus-fighting process.
IBM has been developing a virtual immune system since the early 1990s that is aimed at automatically detecting viruses, analyzing them and creating a cure that can be sent out to all of its customers--in essence, immunizing them--in a matter of hours.
Symantec is using a piece of the system to detect and analyze so-called “macro” viruses, which attach to programs such as Word and Excel. Melissa, in addition to being a worm, is a macro virus.
When a virus is detected with IBM’s system, it is sent in encrypted form over the Internet to a central computer, where it is decrypted and placed in a kind of virtual petri dish. The dish is a full simulation of a working computer that takes place inside a large IBM computer.
White said that IBM is working on simulating not just a single computer, but whole networks of computers so it can analyze more complex viruses not in hours or days, but possibly minutes. Much of the system should be in place next year.
But even with these techniques, he conceded that they can only contain viruses and could be overwhelmed if the number of worms increased to an unmanageable level.
“There is no perfect solution,” Symantec’s Nachenberg said. “Our strategies at best are reactive.”
(BEGIN TEXT OF INFOBOX / INFOGRAPHIC)
Electronic Epidemic
The number of viruses has increased substantially over the past few years. More important, a new type of virus has appeared. Called “worms,” these viruses are created to spread automatically. They account for a minuscule portion of the total number of viruses, but because they spread so quickly they account for a large percentage of the infections.
Number of Viruses (In thousands)
1999: 44,600 year to date
1989: 250
*
Infection Rate (Per 1,000 PCs each month)
1999: 88 year to date
Source: Sophos Inc., ICSA Computer Virus Prevalence Survey: 1999
When the Worm Turns
A few basic rules can go a long way toward protecting your computer from viral infections.
* Regularly use anti-virus software and set it to automatically scan the computer and all incoming files. Don’t forget to schedule your anti-virus program to update itself with new inoculations from the maker’s Web site.
* Do not open e-mail attachments unless you know the sender and know what the attachment contains.
* Do not download programs from the Web or load programs from disks unless you trust the source.
Online Sources for Help
A variety of free anti-virus scanners are available on the Internet. To keep up with the latest computer virus news and to check your computer with free virus-scanning programs, visit these sites:
* McAfee Anti-Virus Center
https://www.mcafee.com/centers/anti-virus
* Symantec Anti-Virus Research Center
https://www.symantec.com/avcenter
* CERT Coordination Center Security Alerts
https://www.cert.org/nav/alerts.html