Viruses: The Next Generation

What will be the next virulent outbreak? No one knows, except that it's guaranteed to be more lethal than ever.

By Kim Zetter

Wednesday, May 3, 2000: From its origin in a computer in Manila, the Philippines, a new virus swiftly and silently wends its way through computer terminals across Asia, Europe, and the United States.

Forging a fiber-optic path across continents faster than you can say, "You've got mail," the amorous parasite lands in digital mailboxes waiting to spread its love. Within an hour of its release, workers in London wake to an expression of affection from their blokes--and before long, e-mail is brought to a screeching halt in the House of Commons, followed by the Pentagon, Ford Motor Company, and a number of dot-com start-ups in San Francisco.

The Love Bug has arrived, and everyone's got it.

The Love Bug, also known as LoveLetter, spread more rapidly and widely than any electronic virus before it, striking 55 million computers (infecting 2.5 to 3 million of those) and causing $8.7 billion in damage, according to research firm Computer Economics. By contrast, Melissa--the fastest-moving virus before LoveLetter--reached about 250,000 computers in March 1999. If you think that computer viruses are growing in speed and number, you're not imagining it.

In 1993, there were 3200 known viruses in the world. Today, there are more than 40,000--though only 200 to 300 of them are actively spreading, or "in the wild." Some 6 to 12 new viruses appear each day, and each generation gets sneakier than the last.

Viruses used to take months or years to spread, but current strains circle the globe in minutes via e-mail. What's more, the homogeneity of the computing world (with Microsoft's Windows, Word, and Outlook everywhere) makes it easy for viruses to infect millions of machines in one swoop.

But experts say we haven't begun to see the worst that viruses can offer. "If the virus writers ever thought through their programs," says Ron Moritz, chief technical officer for antivirus developer Symantec, "we would see much more virulent viruses that would really do damage." In other words, the supervirus--like the oft-predicted Next Big Quake in California--has yet to materialize. But no one doubts that it will.

According to experts, future viruses won't need you to open an attachment or e-mail to begin inflicting harm; they'll simply activate when you check your e-mail program for new correspondence. We may also see cluster viruses that spawn miniviruses inside your system to attack various sectors and thwart scanning software. There are already cases of rogue Web sites that steal files or passwords from computers, as well as the first viruses for Palm PDAs (see "The Next Generation"). And viruses targeting mobile phones and Linux systems aren't far away. Eventually, viruses may be used as agents of cyberterrorism to attack government defense systems, steal data, and disable communications.

Researchers agree that the threat viruses pose is getting worse. Educating yourself and securing your computer with the right tools can help you avoid trouble. The experts advise: Disable macros in your applications; download patches for software holes; install a good virus scanner; and get weekly updates to the scanner to catch the latest culprits (for more virus prevention tips, see "Kill Viruses Before They Infect Your System"). Some virus fighters propose fully automating the inoculation process--a move critics say would give security companies too much control over your PC.

But true immunity to viruses doesn't exist. Just as it's hard to stop a crime before it happens, it's difficult to halt a virus before it damages at least a few computers. Some businesses want to make writing or posting malicious code illegal; but opponents argue that such measures would compromise freedom of speech.

The Digital Common Cold

Much mystique surrounds viruses and virus writing. But viruses are no real mystery. Nearly anyone with a bit of programming knowledge can write one in less time than it takes to download a Moby track from Napster.

"The [LoveLetter] virus struck on May 3rd, and within minutes calls began coming in from Europe complaining that we were hosting a virus. We took the four [affected] Web pages down, but even now we still get people infected with the virus coming to the site."--Roberto Villabona, Vice President, Sky Internet Manila, Philippines

Simply put, a virus is a piece of code that instructs your computer to do something (called the "payload") that you don't want it to do. The payload can be as harmless as inserting an inane quip from South Park into your department's status report. Or it can be as damaging as erasing your hard disk or installing a secondary program that lets someone else take over your system.

One defining characteristic of a virus is that it replicates itself. It contaminates your system by copying itself into programs, documents, or system files, in the same way that a biological virus copies itself and attacks organs in your body. Once a virus infects these files, its payload can be triggered to go off at any time or in response to an activity such as opening Word or hitting Ctrl-P. One part of the Melissa payload activated whenever the time of day matched the date. So at 4:10 on April 10, a quote from The Simpsons would pop up on the screen.

Macro viruses--those written in a macro programming language--account for some 75 percent of viruses in the wild because they're easy to write and disseminate. (For more about types of viruses see "How It Works: Viruses.")

Two other types of malicious code--worms and Trojan horses--share some characteristics with viruses but aren't categorized as such. A worm replicates like a virus but doesn't alter files or zap data. Instead, it slithers through network connections, collecting addresses of other systems on the network and passing copies of itself from PC to PC, thereby clogging the network.

Unlike viruses and worms, a Trojan horse doesn't replicate. It's a malicious program that comes disguised as something benign, such as a screen saver or a chess game. When loaded onto your machine, it can capture information from your system or allow someone else to commandeer your computer remotely.

The Origin of Virus Species

Though most of the computing public has become aware of viruses only in the last five years, they've been around since the 1960s. Early versions existed only as test programs in research facilities. In the late 1980s, a handful of viruses were unleashed by individuals, but these infected primarily university machines and research centers. They traveled slowly via the "sneaker net"--that is, through infected floppies. By the mid-1990s, however, two developments revolutionized virus writing.

Just as airplanes and international travel accelerated the spread of biological viruses worldwide, the Internet and e-mail served to provide convenient vehicles for fast-acting computer viruses that could contaminate hundreds of thousands of machines all around the world. And in 1995, Microsoft introduced WordBasic, a text-based programming language for writing macro commands that vastly simplified the writing of viruses.

The arrival of macros meant that almost anyone could slap together a command telling a computer what to do, embed it in an e-mail attachment, and send it off. The minute a user opened the attached document, the macro would execute, and the virus would infect the system, ready to deliver its payload.

The first macro viruses appeared in 1995. By 1998 there were more than a thousand of them. But the speed at which these viruses spread was still tied to how often people shared infected floppy disks or e-mail attachments. If a user didn't pass the disk or attachment along to someone else, the virus couldn't spread. In 1998, however, the Melissa virus arrived, and suddenly the user was no longer an important factor in the equation.

Melissa's Contribution

Melissa arrived as an e-mail attachment. As soon as the recipient clicked on the attachment, the virus used Outlook to mail itself to the first 50 entries in the recipient's address book. Melissa also infected the user's Word document template, so any document created thereafter would be infected and mailed to the first 50 addresses as well. The virus began to spread on a Friday, and by the next Monday it had reached some 250,000 computers, causing companies to close their mail systems and the federal government to launch an investigation. One company reportedly received 32,000 copies of the virus in less than an hour.

A year later, LoveLetter did Melissa one better by mailing itself to every address in a user's Outlook book. As administrators scrambled to shut down infected e-mail systems, they found an average of 600 copies of the virus jamming each user's out-box.

Although the Melissa and LoveLetter viruses were fast moving and fairly annoying, neither destroyed users' hard drives or rendered systems inoperable. Symantec's Ron Moritz says that a supervirus would effectively combine destructive capability with rapid propagation to inflict massive damage in a short time.

The NewLove virus, which followed on the heels of LoveLetter in June, was the closest we've seen to a supervirus, Moritz says. Unlike its predecessor--which infected documents but did not damage operating systems--NewLove corrupted system files, rendering infected computers inoperable. This, combined with the swift spreading capability of LoveLetter, would have resulted in widespread destruction--if it had worked. But, says Moritz, "The author didn't think through the propagation issue, [and the virus] zeroed out Outlook before it could send itself to other systems." In other words, it killed the messenger.

The Next Generation

The exact future of viruses is difficult to predict, but they will certainly become more virulent and harder to combat. New technologies and software flaws continue to make the spread of viruses easier, and antivirus techniques must evolve to keep up.

Fred Cohen, the security expert who coined the term "computer virus" in 1983, says that the nature of viruses will continue to evolve. "It's unlikely that anyone will create a virus that will spread to every computer system in the world and destroy everything," he says. "But more-sophisticated viruses would be better targeted and would have much more longevity." He describes a future virus that--once it entered a system--would spawn subvariants, which would in turn spawn their own variants, each affecting the computer in different ways. Detecting and eliminating all of the offspring of such a virus would be difficult.

We've already seen one type of advanced virus that's bound to proliferate in the future. This new variety--the recent Bubbleboy and Kak are examples--comes embedded in e-mail text and activates without users' opening an attachment. A combination worm and virus, it contains HTML coding that exploits a vulnerability in Outlook and Internet Explorer 5.x. Once you open the e-mail message, the code copies the virus onto your system--in the case of Kak, into the Windows start-up folder. The next time you launch Windows, the virus delivers its payload.

Recently discovered vulnerabilities in Outlook and Outlook Express would allow some viruses to go a step further--infecting your machine even before you read the message. No such virus currently exists, but a specimen like this could launch the minute you checked your e-mail. You can download a patch for the Outlook flaw from our Downloads library, but more vulnerabilities of this type are bound to crop up again.

The future of viruses, however, doesn't lie in destroying data but in capturing it. Srivats Sampath, president and CEO of McAfee.com, warns, "We're going to see an increasing number of malicious Web sites that will try to steal information from you while you are browsing." McAfee researchers say they've already received numerous reports of sites that auto-download a Trojan horse capable of sending information back to its author. So far, security companies have no solution to this threat. Some protective software will tell you when a site tries to download something to your system, but most firewalls can't yet tell you when a site is trying to siphon information from you. However, the latest version of McAfee.com's personal firewall and privacy service--which debuted in September--informs surfers when a site is trying to read files or take information.

Beware of Geeks Bearing Gifts

Experts expect to see more Trojan horses that use ingenious methods to get into a victim's system--for instance, a virus/Trojan horse that comes disguised as an electronic invitation or greeting card. Click on a hyperlink in the e-mail, and you're sent to a Web site where rogue code instructs your system to upload files silently to a remote site on the Internet. Experts also anticipate seeing viruses for the Linux operating system as a growing user base makes it a more attractive target for virus writers.

In September, the first virus for a handheld appeared--the Phage virus, which targets the Palm operating system. Though not yet in the wild, Phage infects and destroys all applications on a Palm and can spread when the user shares apps via syncing or beaming. Symantec's Moritz expects more assaults on handhelds in the future. "These are all fairly insecure platforms, and...I have full confidence that people...will develop new attacks [for them]." Antivirus vendors have already developed products to scan handhelds for malicious code.

While individual users and corporations face increased risks from viruses and Trojan horses, the biggest threat, experts say, lies in the potential for malicious code to be used in cyberterrorism. "Vladimir Zhirinovsky [leader of Russia's ultranationalist Liberal Democratic Party] in Russia has publicly stated that countries should...bring the West to its knees by using an offensive virus or Trojan [horse]," says Moritz. "To be honest, I'm surprised that we don't already see these things happening today. This very likely may be the next big threat--to have weapons of mass destruction based on [computer and Internet] technology."

Future Deterrence

How do you protect yourself? Antivirus software remains your best bet. The programs use two approaches to spot viruses: scanning and heuristics. Scanning looks for signatures--recognizable strings of code that identify a known virus or variant. Heuristics look for abnormal activity, such as a program that attempts to write to your Windows Registry. If your antivirus software is up-to-date, known viruses will get zapped before they can harm your system. (Most vendors update the signatures they scan for weekly--except during rabid outbreaks, when they may post two or three updates a day.)
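To make the two approaches concrete, here is an added toy scanner (not code from the article or from any antivirus vendor) that runs a signature check and a set of behaviour heuristics over constructed script samples; the samples, the signature and the heuristic patterns are all invented for this illustration, and it also shows why a signature written for one specimen misses a variant that only changes its subject line:

```python
# Added example (not from the PC World article): signature scanning versus
# heuristics, as the text describes them, over constructed script samples.
# Everything below (samples, signature, heuristic patterns) is invented.
import re

# Constructed "known specimen": a pseudo-script with mass-mailing markers.
# It is not a working script; the undefined names are deliberate.
KNOWN_SAMPLE = b"""
Set fso = CreateObject("Scripting.FileSystemObject")
Set wsh = CreateObject("WScript.Shell")
wsh.RegWrite "HKCU\\Software\\Example\\Infected", "1"
Set mail = CreateObject("Outlook.Application")
subject = "I Love You"
For Each entry In addressBook
  SendMail entry, subject, WScript.ScriptFullName
Next
"""

# Constructed variant: identical behaviour, different subject line (compare
# the "Very Funny Joke" variant in the article's timeline).
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b'"I Love You"', b'"Very Funny Joke"')

# Constructed benign script: reads a file, never touches the registry or mail.
BENIGN_SAMPLE = b"""
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("report.txt", 1)
WScript.Echo f.ReadAll
"""

# A signature is a byte string that identifies one known specimen. This one
# deliberately spans the subject line, so it breaks on the variant.
SIGNATURES = {
    "Constructed.MassMailer.A": b'subject = "I Love You"',
}

# Heuristic rules describe suspicious behaviour rather than a specimen:
# (rule name, pattern). The article's own example is a registry write.
HEURISTICS = [
    ("writes-registry", re.compile(rb"\.RegWrite\b")),
    ("automates-outlook", re.compile(rb'CreateObject\("Outlook\.Application"\)')),
    ("sends-own-file", re.compile(rb"WScript\.ScriptFullName")),
]


def signature_scan(data: bytes) -> list[str]:
    """Return the names of known signatures found in the data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def heuristic_scan(data: bytes) -> list[str]:
    """Return the names of heuristic rules the data trips."""
    return [name for name, pat in HEURISTICS if pat.search(data)]


def classify(data: bytes, heuristic_threshold: int = 2) -> str:
    """Combine both approaches: a signature hit wins; otherwise require
    at least `heuristic_threshold` behavioural flags before calling the
    sample suspicious (one flag alone is too noisy to act on)."""
    hits = signature_scan(data)
    if hits:
        return "known:" + hits[0]
    flags = heuristic_scan(data)
    if len(flags) >= heuristic_threshold:
        return "suspicious:" + ",".join(flags)
    return "clean"


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE),
                          ("variant", VARIANT_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(f"{label:8s} -> {classify(sample)}")
```

The variant is invisible to the signature but still trips all three heuristics, which is the gap the automated scan-and-send systems described later are meant to close.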

But today, says Symantec's Moritz, new viruses have the potential to spread faster than humans can respond. And, he says, "Internet viruses can outrun antivirus software."

At present, it takes antivirus vendors 1 to 4 hours to scan and examine a virus, produce an antidote, and deploy it to users. But it takes only a few seconds for a virus like LoveLetter to spread from Tel Aviv to Toledo. So what's a user to do?

"Everyone was curious about the 'I love you' message. From the top to the bottom of the org chart, few people could hold themselves back from opening the e-mail. We found thousands of infected messages once our scan was complete."--Frank Keeny, Security Consultant, Pasadena Networks, Pasadena, California

Some antivirus companies have begun to adopt automated scan-and-send systems. If their program sees code that does not match a known virus but behaves strangely, it will send the code back to the antivirus vendor for evaluation. But Symantec aims to take the process a step further with its closed-loop technology, included in corporate antivirus packages distributed to clients this past October. The result of a 12-year project developed at IBM's Thomas J. Watson Center under the name Digital Immune System, the program automates detection and antidote distribution in a way not previously attempted. Ultimately, it aims to compress a process that currently takes 1 to 4 hours into 30 minutes.

Here's how the system works: When local scanning software detects suspect activity on a computer, it quarantines the code and sends it to a series of servers, where other software attempts to create a definition for the virus. If the software succeeds, the system delivers the definition to every Symantec client using the system, thus protecting clients who haven't received the virus yet. If the servers fail, Symantec researchers on call around the clock step in to create a definition and return it down the chain. Eventually, the automated update process will be tied to Symantec's LiveUpdate feature, so individual users not on a corporate plan can get new definitions as well.

Critics worry, however, that this process may give antivirus software too much power over your computer. Fred Cohen sees serious potential consequences with authorizing a centralized system to pull files--including those that may be misidentified as viruses--from a client's computer and then deposit unfamiliar code from a remote server onto the client's system. If a hacker were to infiltrate the flow of information back to the client's computer and insert malicious code in it, Cohen says, there would be nothing in place to stop the code from infecting the machine.

Moritz says that the program lets the system administrators choose to view every file going out and coming in, although doing so would slow the rapid response time that is the program's most significant selling point. And he points out that transferring the information through a secure Web protocol such as https would ensure that no one could view or alter files in transit.

But what would happen if Symantec's servers were hit with an attack in the midst of a global virus crisis? "If someone were to attack these servers...at a critical period," Moritz says, "say, when we were trying to deal with a virulent outbreak like the NewLove virus, then they could certainly have a lot of impact."

Legal Remedies

Antivirus programs can help contain a virus that's in the wild, but some businesses and legislators want to stop viruses at their source. They advocate harsher laws to punish virus writers and even want to outlaw the writing and posting of virus code.

But most virus writers believe that they won't get caught, and they say that laws therefore won't deter them. In addition, in a 1999 case involving encryption, a U.S. Court of Appeals held that computer code is protected under the First Amendment. Furthermore, "malicious" is a slippery term to define. Any code that interferes with the smooth operation of a person's system could conceivably be characterized as malicious.

Legal wrangling aside, new viruses will always exploit software and system vulnerabilities and are bound to evade scanning software when first released. That's why virus education is important.

Sampath and Moritz say that users should be cautious both in opening e-mail and in surfing the Net. "The Internet is like a Mad Max movie--a lot of people with dune buggies and funny haircuts trying to shoot your head off," says Sampath. He advises users to surf the Net with the same caution they'd use while traveling over dangerous streets. "If you go to the grocery store and the drive is through a bad neighborhood, you're going to take a 10-mile detour. But on the Internet we happily browse along, not realizing which neighborhoods [are bad].

"What we're trying to build into people...is that anytime you go on the Internet, you need to protect yourself....We're looking at different ways of getting that message out--short of a virtual hand that comes out of your screen and grabs you."

So is it safe to conclude that antivirus companies won't be running out of business anytime soon? "It's not a bad time to be a security-focused company," says Moritz.

Kim Zetter is a senior associate editor and Stan Miastkowski is a contributing editor for PC World.

The Evolution of Viruses

1983: Virus researcher Fred Cohen coins the term "computer virus" in a research paper.

1987: Brain, the first computer virus, is released. It infects the boot sector of 360KB floppy disks and uses stealth techniques to leave the computer unaware of it. Stoned (the first virus to infect the Master Boot Record) is released. It scrambles the hard drive's MBR, preventing a system from booting.

1988: The first antivirus software is released by an Indonesian programmer. It detects the Brain virus, excises it from a computer, and immunizes the system against further Brain attacks.

The Internet Worm is released onto the nascent Net and brings down about 6000 computers.

1989: Dark Avenger appears. It infects programs quickly, but the subsequent damage happens slowly, permitting the virus to go undetected for a long time.

IBM releases the first commercial antivirus product. Intensive antivirus research commences.

1990: Sophisticated virus types such as polymorphic viruses (which modify themselves as they spread) and multipartite viruses (which infect multiple locations in a machine) appear.

Virus-exchange bulletin boards become popular methods for writers of viruses to post and exchange source code.

1991: Virus construction kits, which allow almost anyone to build a virus easily, appear on virus exchange boards.

At the beginning of the year, a modest 9 percent of companies polled have experienced a virus outbreak. By the end of the year, that figure has leaped to 63 percent.

1992: Michelangelo, the first virus to cause a media frenzy, is set to overwrite parts of infected hard drives on March 6, the Renaissance artist's birthday. Sales of antivirus software soar, though only a few cases of actual infection are reported.

1994: The author of a virus called Pathogen in England is tracked down by Scotland Yard and sentenced to 18 months in jail. This marks the first time a virus writer is prosecuted for promulgating damaging code.

1995: Concept, the first macro virus, appears. Written in Microsoft's Word Basic language, it can run on any platform that Word runs on--PC or Macintosh. Concept triggers an explosion in the number of viruses written, because macro viruses are so easy to create and disseminate.

1999: The Chernobyl virus, which renders the user's hard drive and data inaccessible, hits in April. Though it infects few computers in the United States, it inflicts widespread damage overseas. China sustains damages of more than $291 million. Turkey and South Korea are also hit hard.

The Melissa virus strikes hundreds of thousands of computers worldwide. It uses Microsoft Outlook to mail itself to 50 people in a user's address book, making it the first virus capable of jumping from one computer to another on its own.

2000: The LoveLetter virus, launched from the Philippines, sweeps over Europe and the United States within 6 hours. It infects some 2.5 million to 3 million machines, causing an estimated $8.7 billion in damage.

--Some information taken from Joe Wells's timeline.

Kill Viruses Before They Infect Your System

You don't need to be paranoid about computer viruses--just alert, aware, and willing to take steps to protect yourself.

Install an antivirus utility and update it often. An antivirus program is simply the most essential software you can add to your PC. For reviews of products, see "The SWAT Team." Consider your options during setup; at a minimum, you should enable full-time automatic scanning and make sure the utility checks the contents of .zip and other compressed files.

Antivirus vendors update their virus definitions--the files they use to spot viruses--every week. For maximum safety, you should update that often, too. Some utilities can automatically add definitions as they become available.

Be cautious about macros. Safeguard your PC by enabling macro security options in your software packages. In such Office 2000 apps as Word and Outlook, for example, select Tools, Macro, Security... and be certain that the Security Level is set to High or Medium.

For maximum safety, set your virus scanner to check everything.

Update your Internet software. The majority of today's viruses arrive via e-mail, so make sure your e-mail program is up-to-date. Microsoft Outlook is the focus of most e-mail-based viruses, and Microsoft regularly releases new security patches. Don't ignore your Web browser either. The latest patches close some ActiveX and Java security holes.

Keep your brain in gear. Don't open attachments from people you don't know, and be suspicious of attachments from those you do. Be especially wary of any file that has a .vbs extension. Even if you think it's a legitimate file, don't open it with your e-mail program. Save it to disk and run it through a virus scanner first.

Protect your network. If you're responsible for networked PCs, you may want to block users from receiving particular types of e-mail attachments, such as .exe or .vbs files. Server-based e-mail programs offer sophisticated versions of this functionality, but Outlook carries only a bare-bones version. Don't ignore the balance between security and productivity: Blocking all .doc files might help keep macro viruses away, but it will also hamper your ability to work efficiently.
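As an added illustration of the two tips above (not code from the article or from any mail product), the following Python filter applies an attachment policy to a constructed MIME message: it blocks script and executable extensions outright, routes document types through a scanner instead of blocking them, and checks every extension in a name so a double extension such as NOTES.TXT.vbs is not waved through. The extension lists and the sample message are assumptions for the demonstration.

```python
# Added example (not from the PC World article): an e-mail attachment policy
# of the kind the "Protect your network" tip describes, applied to a
# constructed message. Extension lists and the message are assumptions.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy. The article's trade-off is visible here: .doc is not
# blocked (that would hamper work) but is routed through the scanner first.
BLOCK = {".exe", ".vbs", ".scr", ".pif", ".bat"}
SCAN_FIRST = {".doc", ".xls", ".zip"}


def decide(filename: str) -> str:
    """Classify an attachment name as 'block', 'scan' or 'allow'.

    Every extension in the name is checked, not only the last one, so a
    double extension like NOTES.TXT.vbs is treated as .vbs.
    """
    parts = filename.lower().split(".")[1:]
    exts = {"." + p for p in parts}
    if exts & BLOCK:
        return "block"
    if exts & SCAN_FIRST:
        return "scan"
    return "allow"


def filter_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw message and return (filename, decision) pairs."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results.append((name, decide(name)))
    return results


def build_sample() -> bytes:
    """Construct a sample message with three attachments (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Files attached"
    msg.set_content("Please see the attached files.")
    # Double extension: looks like a text file, is really a script name.
    msg.add_attachment(b"not really a script", maintype="application",
                       subtype="octet-stream", filename="NOTES.TXT.vbs")
    # Document type: allowed through, but only after a scan.
    msg.add_attachment(b"not really a document", maintype="application",
                       subtype="msword", filename="status.doc")
    # Harmless text attachment.
    msg.add_attachment("plain text", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in filter_message(build_sample()):
        print(f"{verdict:5s} {name}")
```

A real gateway would also check the declared content type and the file's actual contents, since the name alone is under the sender's control.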

Back up frequently. Whether you run a home PC or a corporate network, regular backups are essential in case your precautions fail and a virus does sneak in.

--Stan Miastkowski

When Love Came to Town

Here's a look at how the LoveLetter virus reached 55 million computers and how authorities tracked the outbreak to its origin. (Dates and times are EDT.)

May 3, 2000: The LoveLetter virus is released in the Philippines. Soon after, Sky Internet, a Philippine ISP, notices thousands of infected computers dialing in to four hosted Web pages to get a Trojan horse posted by the virus writer. The company removes the suspect Web pages.

The virus arrives as an attachment to an e-mail titled "I Love You." In addition to grabbing the Trojan horse, it sends itself to everyone in the user's Microsoft Outlook address book, and deletes or overwrites JPEG and MP3 files.

May 4, 4:12 a.m.: Symantec and other antivirus vendors start to work on a definition for the new virus.

7 a.m.: Most antivirus vendors have definitions available, but it's already too late for the U.S. East Coast, where workers have begun to open their e-mail.

10 a.m.: Investigators discover that LoveLetter's author left his nickname (Spyder), his e-mail address, and the name of his hometown in the source code. He also identified himself as a member of a programmer's group known as GrammerSoft.

4 p.m.: The first LoveLetter variant appears, with "Very Funny Joke" replacing "I Love You" in the e-mail's subject line.

6:40 p.m.: At least 20 countries have reported infections.

May 5: Nine variants of the virus have appeared. Amateur sleuths, including a Stockholm grad student named Frederik Bjorck, search newsgroups using keywords found in the virus. Bjorck finds similar viruses posted by Spyder four months earlier, including a version that identifies the author as a "student of amacc mkt. Phils," an abbreviation for the AMA Computer College in suburban Manila.

May 8: After identifying the phone number and computer from which the virus was sent, local authorities raid the apartment where they believe Spyder resides. Police find no computer, but they seize a disk containing a virus similar to LoveLetter.

May 11: Authorities question Onel de Guzman, who lives in the apartment. He admits he may have released the virus accidentally, but denies writing it.

June 29: The Philippines has no antivirus law, so de Guzman is charged under a law that usually applies to credit card theft.

August 21: Authorities conclude that the credit card law cannot be applied in this case and reluctantly drop charges.
