• PC World
• »Security

Defense Against the Worm

Computers and networks were once based largely on proprietary hardware and software, which made it difficult to create a one-size-fits-all worm. The rise of a homogeneous computing infrastructure has led to a proliferation of worms, Trilling said.

So many people and companies are standardizing on the same software and hardware, one worm can infect many systems, he said. With today's powerful software and hardware, just about any miscreant can create and test a worm, and the rise of the Internet makes it all too easy to spread it.

By January 2001, experts predict there will be 300 million Internet users, and if they're all using basically the same types of systems and software, one worm can reach them all, he said.

And just wait until more home users get broadband, he said. Most threats today hit corporations because of their always-on connections. Individuals become more vulnerable when they're connected fulltime.

Traditional virus-fighting methods can't cope with worms, Trilling said. Antivirus companies such as Symantec and its competitors will have to react much faster and work more proactively, he said. Today Symantec can respond to a new virus within 48-hours, which is plenty of time. But it won't be fast enough when new worms begin appearing daily.

An effective firewall can help defend against worms. But Trilling said antivirus vendors need to create a more automated system to create and deploy fixes faster, he said, Human beings don't operate at the speed of the Internet. The need will be to spread a cure at a faster rate than the threat moves.

And what if villainous programmers begin pumping out worms every 10 seconds? Traditional software can't handle it, he said. Corporations and users will have to stop using programs with macros, they'll have to strip executable content at the Internet gateway, before it reaches the computers.

Two new technologies could help to fight worms, too. Digital immune systems will automatically detect suspicious behavior and automatically forward samples to a company like Symantec. The company replicates the infection, creates and tests a cure, and ships it to subscribers automatically. The approach can work, but it's still reactive, he said.

A more future-looking technology is called behavior blocking. It looks at the operating system and watches what a program is doing. If a program acts weird--such as deleting files it didn't create--it can flag it as malicious. Today this approach is still prone to too many false positives, but down the road it will be more viable, he said.

Regardless of what method proves best, it's time people and companies started thinking about the worm problem more seriously, he said. It might not be a 15-year-old that launches the next one: It could be someone intent on causing more serious damage.