The real impact of viruses: Part 1

Part 1 of our feature looks at the history of computer viruses, and what we can expect in the future.

Dinah Greek, Personal Computer World 06 Jan 2004

It seems that hardly a week goes by without computer viruses making headline news. The release of the SQL Slammer and Sobig worms last January, followed by the MSBlast.exe worm in August, graphically illustrates how the scale of these attacks keeps increasing.

They also show that, although viruses have been around for over 20 years, computer users generally are still unable to ensure that they have enough immunity to resist infection.

In fact, in many cases the computer world had weeks and sometimes months of advance warning about vulnerabilities, yet the latest attacks have caused havoc for companies and consumers worldwide.

While virus code has always had some kind of nefarious intent, in 2003 the world was caught unawares by the virulence and effects of the new generation of viruses that have linked virus writers to organised crime and identity theft.

This has been clearly demonstrated by the various mutations of the Sobig worm, with most experts in agreement that the spammers are casting a curious eye at the ease with which they can use viruses to hijack people's computers to act as mail servers for spam. It seems that fortune rather than fame is becoming a prime motivator.

The key questions being asked today are not just 'how can I protect myself or my organisation?', but 'what's the cost of being hit and recovering from it?'

In this feature, Personal Computer World takes a look at the origins of the computer virus, and asks whether it's possible for consumers and business to keep up with the ever-increasing threats.

The origins of the computer virus
Amazingly, as far back as 1949 the foundations for computer viruses were discussed when scientists developed theories for self-replicating programs.

The term 'computer virus' has become a catch-all for malicious code, but there are three main threats: viruses, Trojans and worms.

A virus is a program that runs without consent with the sole purpose of 'infecting' other computers, typically by attaching the virus code to programs such as .com and .exe files.

Worms, like viruses, move autonomously across networks, including the internet; they too often arrive via email, but they can also spread by exploiting bugs in software.

Trojans work on the principle of stealth. They do not spread autonomously, but must be introduced into a system: disguised as a harmless-looking email attachment, delivered by a worm, or downloaded from the internet in the belief that they are something else.

In 1981, the first viruses were aimed at Macintosh computers with Apple Viruses 1, 2, and 3 spread via computer games. Most computer experts agree that the first PC virus was created in 1986.

Using Dos and floppy disks as the vectors, or means of transportation, the 'Brain' virus was developed by two programmers in Pakistan.

Its intention, supposedly, was to protect copyright, but it proved that viruses could use floppy disks as a vector to reach Dos and infect .exe files.

In 1992 the polymorphic engine arrived. This is a piece of software that encrypts a virus so that every copy looks different (the Smeg virus of 1995 is an example), but the vector and means of spreading the virus was still the floppy disk.

This year also saw the appearance of virus construction kits such as PS-MPC, G2 and IVP, which could generate large numbers of different (but related) viruses.

Around 1994, as Windows operating systems and applications became standard, new vectors began to appear such as Office macros and Visual Basic Script (VBS) and we saw viruses leap from Dos to Windows.

Initially the viruses used floppy disks to propagate, but 1988 is credited as the first year in which the internet was used for transport (for the Morris worm). Subsequently, with increased public use of the net, virus propagation exploded.

A typical example of the first serious macro attacks was the Melissa virus in 1999; for VBS it was the I Love You worm in 2000. However, these variants required human action, such as opening a file attachment, to trigger replication and spread.

Then in 2001 we began to see a second generation of attacks with Code Red, Nimda and Swem. These active worms arrive via the internet, then exploit network, system and application vulnerabilities (applications such as Microsoft Outlook serve as vectors) and spread without human action.

Targeting and identification of victims is automatic, and many are blended threats, such as Swem, which attempts to shut down firewalls and antivirus protection. And the one constant in virus growth can be boiled down to one thing: the internet.

State of play today
For computer experts, 2002 was by all accounts the quietest for several years on the virus front. True, it had its moments with nearly 1,000 new viruses appearing each month.

Not all were released into the wild, and others were so derivative of previous viruses that computer security and antivirus software companies were able to detect and neutralise them before any damage could be done.

Generally companies and individuals could, if they kept abreast of the updates released, cope with threats such as Klez and Magistr. So after 2001, dubbed by IT experts as the worst ever year for virus attacks, 2002 was a hiatus.

Then in January 2003, Finnish computer experts began to warn that this could be the worst ever year for viruses.

In October, the latest report from internet security firm Symantec covering the period from January to June 2003 made grim reading and appears to prove the Finnish prediction.

Companies worldwide are now experiencing up to 38 attacks per week from computer viruses and hackers.

Attackers are being helped by a number of factors. Over 1,400 new software vulnerabilities are discovered every week and virus writers are becoming quicker at exploiting these holes.

Also, the top 10 virus attacks have targeted non-public services such as Microsoft SQL and file sharing, common to both home and corporate systems. This means that the number of potential victims is higher, as companies and consumers are taking longer to apply critical patches.

What's ahead
Future threats will be a blend of viruses, Trojans and worms that will use multiple vectors to spread. So a worm may include a routine to load a Trojan onto your system, while a Trojan could be used to run a virus.

Attacks will continue to make use of applications such as Internet Explorer and Microsoft Internet Information Services, but increasingly we are seeing instant messaging software and peer-to-peer (P2P) sites being used as means of spreading viruses.

Unlike attacks such as 1999's Melissa virus, which did not do anything particularly dangerous (although it placed a heavy load on organisations' local area networks), today we are seeing viruses with a far nastier agenda.

In September 2003 Dr Gerhard Eschelbeck, chief technology officer at computer security firm Qualys, warned in a speech to the US Congress: "Network security attacks are increasing in number and sophistication. New and evolving attacks are capable of spreading faster than any possible human response effort."

We saw this with the Slammer (aka Sapphire) worm. Propagation speed was its novel feature. In the first minute, the infected population doubled in size every 8.5 seconds.

The worm achieved its full scanning rate (over 55 million scans per second) after approximately three minutes, after which the rate of growth slowed down somewhat because significant portions of the network did not have enough bandwidth to allow it to operate unhindered. Most vulnerable PCs were infected within 10 minutes of the worm's release.
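The growth pattern described above (doubling every few seconds, then slowing once the network's bandwidth is exhausted) is what a random-scanning worm does by construction, and it can be modelled well enough to show why patching has to happen before release rather than after. The following is an added example, not code from the article or from any analysis of Slammer: it treats every infected host as probing addresses uniformly at random, derives the early-phase doubling time, and simulates the spread with and without a cap on the total probe rate. The vulnerable population (75,000) and per-host scan rate (4,000 probes per second) are assumed values chosen for illustration; the 55 million scans per second cap is the peak rate the text reports.

```python
"""Random-scanning worm growth model (added example, not from the article).

Assumptions (constructed, not Slammer's measured parameters):
  N_VULNERABLE   number of vulnerable hosts reachable on the internet
  SCANS_PER_HOST per-host probe rate, probes per second
  ADDRESS_SPACE  probes are spread uniformly over the IPv4 space
"""
import math

N_VULNERABLE = 75_000          # assumed vulnerable population
SCANS_PER_HOST = 4_000         # assumed probes/s sent by each infected host
ADDRESS_SPACE = 2 ** 32        # IPv4 addresses, probed uniformly at random


def doubling_time(n_vulnerable=N_VULNERABLE, scans_per_host=SCANS_PER_HOST,
                  address_space=ADDRESS_SPACE):
    """Early-phase doubling time of a random-scanning worm, in seconds.

    Each probe hits a vulnerable address with probability
    n_vulnerable / address_space, so while almost everything is still
    uninfected the population grows at rate
    K = scans_per_host * n_vulnerable / address_space per second.
    """
    k = scans_per_host * n_vulnerable / address_space
    return math.log(2) / k


def simulate(n_vulnerable=N_VULNERABLE, scans_per_host=SCANS_PER_HOST,
             address_space=ADDRESS_SPACE, total_scan_cap=None,
             initial=1, step=1.0, max_seconds=3600):
    """Simulate the infected-host count every `step` seconds.

    total_scan_cap models the saturation the text describes: once the
    worm's aggregate probe rate reaches what the network can carry, the
    per-host rate no longer matters and growth slows. Returns a list of
    (t, infected) samples until 99% of hosts are infected or max_seconds
    elapses.
    """
    infected = float(initial)
    samples = [(0.0, infected)]
    t = 0.0
    while t < max_seconds and infected < 0.99 * n_vulnerable:
        scans = infected * scans_per_host
        if total_scan_cap is not None:
            scans = min(scans, total_scan_cap)
        # probes that land on a still-vulnerable host become new infections
        new = scans * step * (n_vulnerable - infected) / address_space
        infected = min(n_vulnerable, infected + new)
        t += step
        samples.append((t, infected))
    return samples


def time_to_fraction(samples, fraction, n_vulnerable=N_VULNERABLE):
    """First sample time at which `fraction` of hosts are infected, or None."""
    for t, infected in samples:
        if infected >= fraction * n_vulnerable:
            return t
    return None


if __name__ == "__main__":
    print(f"early doubling time: {doubling_time():.1f} s")
    free = simulate()
    capped = simulate(total_scan_cap=55e6)   # the article's observed peak rate
    for label, run in (("unlimited bandwidth", free), ("capped at 55M scans/s", capped)):
        print(f"{label}: 50% at {time_to_fraction(run, 0.5)} s, "
              f"99% at {time_to_fraction(run, 0.99)} s")
```

With these assumed parameters the model gives a doubling time of roughly ten seconds and reaches 99% of the vulnerable population in a few minutes even with the bandwidth cap, which is the order of magnitude the text reports; the point for a defender is that nothing in the loop depends on a human noticing anything.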

Sobig variants had a secret mission. William Hancock, vice president and chief security officer at Cable and Wireless, said: "Sobig.E is the first worm to use hacking technology wrapped around a spam delivery engine."

Sobig is transmitted as an attachment to an email. Once the attachment is opened, it directs the computer to send copies of the virus to email addresses used by the target computer.

At first it seemed that all the virus did was visit a pornography site, but it soon emerged that the virus drops a Trojan program called La La onto infected systems which then, according to Alex Shipley of Messagelabs, deletes the Sobig worm.

However, La La allows infected systems to be hijacked and used as open relays for spamming. Additionally, the SMTP engine in the fifth variant, Sobig-E, is multithreaded, an upgrade on previous versions of the worm that allows it to send email more efficiently. So far there have been six variants (up to Sobig-F) and more are expected.

The time lag before a new version is released is between -7 and +35 days, with respect to the worm's pre-programmed self-termination date. So Sobig-G is, at the time of writing, expected any time soon. So far it's believed that earlier versions have just been exercises.

Sobig-F's downfall was that it grabbed attention by very rapid network spreading and by needlessly sending hundreds of copies to the same addresses, thus undermining its own need for stealth.
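Both behaviours described above leave a footprint that a network administrator can watch for without any virus signature: a workstation that has become a spam relay talks SMTP directly to many outside mail servers instead of the site's own, and Sobig-F's habit of sending hundreds of copies to the same addresses shows up as the same recipient repeated from one host. The following is an added example, not code from the article or from any antivirus vendor: it runs those two checks over a constructed outbound-connection log. The log format, the address of the site's mail server and the thresholds are assumptions for the example.

```python
"""Spot hosts that look like hijacked spam relays (added example).

Workstations rarely talk SMTP to anything except the site's own mail
server, so an outbound-connection log with the recipient address is
enough to flag both behaviours the article describes. The record
format, MAIL_SERVER and the thresholds are assumptions for this example.
"""
from collections import defaultdict

# Constructed firewall/netflow-style records: "time src dst dport rcpt"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 192.0.2.25 25 alice@example.net
10:00:02 10.0.0.5 192.0.2.25 25 bob@example.net
10:00:03 10.0.0.7 198.51.100.1 25 carol@example.org
10:00:03 10.0.0.7 198.51.100.2 25 carol@example.org
10:00:03 10.0.0.7 198.51.100.3 25 carol@example.org
10:00:04 10.0.0.7 198.51.100.4 25 dave@example.org
10:00:04 10.0.0.7 198.51.100.5 25 carol@example.org
10:00:04 10.0.0.7 198.51.100.6 25 carol@example.org
10:00:05 10.0.0.7 198.51.100.7 25 erin@example.org
10:00:05 10.0.0.7 198.51.100.8 25 carol@example.org
10:00:06 10.0.0.9 203.0.113.9 443 -
10:00:06 10.0.0.9 192.0.2.25 25 frank@example.net
"""

MAIL_SERVER = "192.0.2.25"   # assumed: the one host workstations may use for SMTP


def parse_log(text):
    """Turn the constructed records into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        time, src, dst, dport, rcpt = parts
        records.append({"time": time, "src": src, "dst": dst,
                        "dport": int(dport), "rcpt": rcpt})
    return records


def find_suspect_relays(records, mail_server=MAIL_SERVER,
                        max_direct_smtp=3, max_copies_per_rcpt=2):
    """Return {src: [reasons]} for hosts that behave like a spam engine.

    Two indicators, both taken from the behaviour the article describes:
      * direct delivery: SMTP connections to many hosts other than the
        site's mail server (a relay engine talks to recipients' servers);
      * repeated recipients: the same address targeted over and over,
        which is what made Sobig-F conspicuous.
    """
    direct_dsts = defaultdict(set)
    rcpt_counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["dport"] != 25:
            continue
        if r["dst"] != mail_server:
            direct_dsts[r["src"]].add(r["dst"])
        if r["rcpt"] != "-":
            rcpt_counts[r["src"]][r["rcpt"]] += 1

    suspects = {}
    for src, dsts in direct_dsts.items():
        if len(dsts) > max_direct_smtp:
            suspects.setdefault(src, []).append(
                f"smtp to {len(dsts)} hosts bypassing {mail_server}")
    for src, counts in rcpt_counts.items():
        worst = max(counts.values())
        if worst > max_copies_per_rcpt:
            rcpt = max(counts, key=counts.get)
            suspects.setdefault(src, []).append(f"{worst} copies to {rcpt}")
    return suspects


if __name__ == "__main__":
    for host, reasons in find_suspect_relays(parse_log(SAMPLE_LOG)).items():
        print(host, "->", "; ".join(reasons))
```

On the constructed log only 10.0.0.7 is flagged, for both reasons; the hosts that send through the site's mail server are left alone. In a real deployment the thresholds would be tuned per site, and a simpler policy, blocking outbound port 25 from workstations at the firewall altogether, removes the relay problem at its source.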

The MSBlaster (or Lovesan) worm took advantage of a security hole discovered in Windows 2000, XP, NT and Server 2003. As well as causing chaos and annoyance by spreading and crashing machines, MSBlaster ordered the infected computer to launch a so-called Denial of Service attack against Microsoft's website.

The constant crashing meant that those infected were unable to stay online long enough to download the patch from Microsoft.

Home PC user Mike Rowbotham told PCW: "To download the patch would have taken me about 15 minutes with my internet connection, but every time I switched on my computer a timer would pop up on my screen and warn me that the computer was going to shut down in 60 seconds."

Then along came Dumaru, found on 19 August, playing on people's fears of Lovesan. This worm sends an email message which appears to come from support@microsoft.com.

It claims to fix the vulnerability but actually installs a Trojan allowing a virus writer to remotely control an infected PC.
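The Dumaru lure depends on two things a mail gateway can check mechanically: the message claims to come from a vendor's support address while the server that actually handed it over belongs to someone else, and the "fix" is an executable attachment (vendors do not ship patches as email attachments). The following is an added example, not code from the article or from any vendor: it parses a constructed message with Python's standard email module and reports both indicators. The sample message, the use of the Return-Path header as the envelope sender and the list of vendor domains are assumptions for the example.

```python
"""Flag mail that claims to be a vendor patch (added example).

The sample message, VENDOR_DOMAINS and the reliance on Return-Path as
the envelope sender are assumptions for this example.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed raw message in the shape the article describes.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail.example.invalid>
Received: from mail.example.invalid (mail.example.invalid [203.0.113.5])
\tby mx.example.org with SMTP; Tue, 19 Aug 2003 10:00:00 +0000
From: Microsoft Support <support@microsoft.com>
To: user@example.org
Subject: Security patch for your computer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached patch to fix the Lovesan vulnerability.
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
# Domains that never send patches by mail; assumed list for the example
VENDOR_DOMAINS = {"microsoft.com"}


def sender_domain(msg):
    """Domain part of the From header's address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def return_path_domain(msg):
    """Domain of the envelope sender recorded in Return-Path, or ''."""
    _, addr = parseaddr(msg.get("Return-Path", ""))
    return addr.rpartition("@")[2].lower()


def executable_attachments(msg):
    """Filenames of attachments whose extension marks them as executable."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rpartition(".")[2].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            names.append(name)
    return names


def assess(raw):
    """Return the reasons a message looks like a fake vendor patch mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    claimed = sender_domain(msg)
    envelope = return_path_domain(msg)
    if claimed in VENDOR_DOMAINS and envelope != claimed:
        reasons.append(f"From claims {claimed} but envelope sender is {envelope}")
    exes = executable_attachments(msg)
    if exes and claimed in VENDOR_DOMAINS:
        reasons.append(f"vendor-branded mail with executable attachment: {exes}")
    return reasons


if __name__ == "__main__":
    for reason in assess(SAMPLE_MESSAGE):
        print("SUSPICIOUS:", reason)
```

Either indicator alone is enough to quarantine a message of this kind at the gateway; the envelope mismatch is the same signal that sender-authentication schemes later formalised, and the executable-attachment rule catches the payload even when the spoofed sender is convincing.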

The real impact of viruses: Part 2
