Viruses: The Next Generation
Forging a fiber-optic path across continents faster than you can say, "You've got mail," the amorous parasite lands in digital mailboxes waiting to spread its love. Within an hour of its release, workers in London wake to an expression of affection from their blokes--and before long, e-mail is brought to a screeching halt in the House of Commons, followed by the Pentagon, Ford Motor Company, and a number of dot-com start-ups in San Francisco.
The Love Bug has arrived, and everyone's got it.
The Love Bug, also known as LoveLetter, spread more rapidly and widely than any electronic virus before it, striking 55 million computers (infecting 2.5 to 3 million of those) and causing $8.7 billion in damage, according to research firm Computer Economics. By contrast, Melissa--the fastest-moving virus before LoveLetter--reached about 250,000 computers in March 1999. If you think that computer viruses are growing in speed and number, you're not imagining it.
In 1993, there were 3200 known viruses in the world. Today, there are more than 40,000--though only 200 to 300 of them are actively spreading, or "in the wild." Some 6 to 12 new viruses appear each day, and each generation gets sneakier than the last.
Viruses used to take months or years to spread, but current strains circle the globe in minutes via e-mail. What's more, the homogeneity of the computing world (with Microsoft's Windows, Word, and Outlook everywhere) makes it easy for viruses to infect millions of machines in one swoop.
But experts say we haven't begun to see the worst that viruses can offer. "If the virus writers ever thought through their programs," says Ron Moritz, chief technical officer for antivirus developer Symantec, "we would see much more virulent viruses that would really do damage." In other words, the supervirus--like the oft-predicted Next Big Quake in California--has yet to materialize. But no one doubts that it will.
According to experts, future viruses won't need you to open an attachment or e-mail to begin inflicting harm; they'll simply activate when you check your e-mail program for new correspondence. We may also see cluster viruses that spawn miniviruses inside your system to attack various sectors and thwart scanning software. There are already cases of rogue Web sites that steal files or passwords from computers, as well as the first viruses for Palm PDAs (see
Researchers agree that the threat viruses pose is getting worse. Educating yourself and securing your computer with the right tools can help you avoid trouble. The experts advise: Disable macros in your applications; download patches for software holes; install a good virus scanner; and get weekly updates to the scanner to catch the latest culprits (for more virus prevention tips, see
But true immunity to viruses doesn't exist. Just as it's hard to stop a crime before it happens, it's difficult to halt a virus before it damages at least a few computers. Some businesses want to make writing or posting malicious code illegal; but opponents argue that such measures would compromise freedom of speech.
Much mystique surrounds viruses and virus writing. But viruses are no real mystery. Nearly anyone with a bit of programming knowledge can write one in less time than it takes to download a Moby track from Napster.
Simply put, a virus is a piece of code that instructs your computer to do something (called the "payload") that you don't want it to do. The payload can be as harmless as inserting an inane quip from
One defining characteristic of a virus is that it replicates itself. It contaminates your system by copying itself into programs, documents, or system files, in the same way that a biological virus copies itself and attacks organs in your body. Once a virus infects these files, its payload can be triggered to go off at any time or in response to an activity such as opening Word or hitting
Macro viruses--those written in macro programming language--account for some 75 percent of viruses in the wild because they're easy to write and disseminate. (For more about types of viruses see
Two other types of malicious code--
Unlike viruses and worms, a Trojan horse doesn't replicate. It's a malicious program that comes disguised as something benign, such as a screen saver or a chess game. When loaded onto your machine, it can capture information from your system or allow someone else to commandeer your computer remotely.
Though most of the computing public has become aware of viruses only in the last five years, they've been around since the 1960s. Early versions existed only as test programs in research facilities. In the late 1980s, a handful of viruses were unleashed by individuals, but these infected primarily university machines and research centers. They traveled slowly via the "sneaker net"--that is, through infected floppies. By the mid-1990s, however, two developments revolutionized virus writing.
Just as airplanes and international travel accelerated the spread of biological viruses worldwide, the Internet and e-mail served to provide convenient vehicles for fast-acting computer viruses that could contaminate hundreds of thousands of machines all around the world. And in 1995, Microsoft introduced WordBasic, a text-based programming language for writing macro commands that vastly simplified the writing of viruses.
The arrival of macros meant that almost anyone could slap together a command telling a computer what to do, embed it in an e-mail attachment, and send it off. The minute a user opened the attached document, the macro would execute, and the virus would infect the system, ready to deliver its payload.
The first macro viruses appeared in 1995. By 1998 there were more than a thousand of them. But the speed at which these viruses spread was still tied to how often people shared infected floppy disks or e-mail attachments. If a user didn't pass the disk or attachment along to someone else, the virus couldn't spread. In 1998, however, the Melissa virus arrived, and suddenly the user was no longer an important factor in the equation.
Melissa arrived as an e-mail attachment. As soon as the recipient clicked on the attachment, the virus used Outlook to mail itself to the first 50 entries in the recipient's address book. Melissa also infected the user's Word document template, so any document created thereafter would be infected and mailed to the first 50 addresses as well. The virus began to spread on a Friday, and by the next Monday it had reached some 250,000 computers, causing companies to close their mail systems and the federal government to launch an investigation. One company reportedly received 32,000 copies of the virus in less than an hour.
A year later, LoveLetter did Melissa one better by mailing itself to every address in a user's Outlook book. As administrators scrambled to shut down infected e-mail systems, they found an average of 600 copies of the virus jamming each user's out-box.
Although the Melissa and LoveLetter viruses were fast moving and fairly annoying, neither destroyed users' hard drives or rendered systems inoperable. Symantec's Ron Moritz says that a supervirus would effectively combine destructive capability with rapid propagation to inflict massive damage in a short time.
The NewLove virus, which followed on the heels of LoveLetter in June, was the closest we've seen to a supervirus, Moritz says. Unlike its predecessor--which infected documents but did not damage operating systems--NewLove corrupted system files, rendering infected computers inoperable. This, combined with the swift spreading capability of LoveLetter, would have resulted in widespread destruction--if it had worked. But, says Moritz, "The author didn't think through the propagation issue, [and the virus] zeroed out Outlook before it could send itself to other systems." In other words, it killed the messenger.
The exact future of viruses is difficult to predict, but they will certainly become more virulent and harder to combat. New technologies and software flaws continue to make the spread of viruses easier, and antivirus techniques must evolve to keep up.
Fred Cohen, the security expert who coined the term "computer virus" in 1983, says that the nature of viruses will continue to evolve. "It's unlikely that anyone will create a virus that will spread to every computer system in the world and destroy everything," he says. "But more-sophisticated viruses would be better targeted and would have much more longevity." He describes a future virus that--once it entered a system--would spawn subvariants, which would in turn spawn their own variants, each affecting the computer in different ways. Detecting and eliminating all of the offspring of such a virus would be difficult.
We've already seen one type of advanced virus that's bound to proliferate in the future. This new variety--the recent Bubbleboy and Kak are examples--comes embedded in e-mail text and activates without users' opening an attachment. A combination worm and virus, it contains HTML coding that exploits a vulnerability in Outlook and Internet Explorer 5.x. Once you open the e-mail message, the code copies the virus onto your system--in the case of Kak, into the Windows start-up folder. The next time you launch Windows, the virus delivers its payload.
Recently discovered vulnerabilities in Outlook and Outlook Express would allow some viruses to go a step further--infecting your machine even
The future of viruses, however, doesn't lie in destroying data but in capturing it. Srivats Sampath, president and CEO of
Experts expect to see more Trojan horses that use ingenious methods to get into a victim's system--for instance, a virus/Trojan horse that comes disguised as an electronic invitation or greeting card. Click on a hyperlink in the e-mail, and you're sent to a Web site where rogue code instructs your system to upload files silently to a remote site on the Internet. Experts also anticipate seeing viruses for the Linux operating system as a growing user base makes it a more attractive target for virus writers.
In September, the first virus for a handheld appeared--the Phage virus, which targets the Palm operating system. Though not yet in the wild, Phage infects and destroys all applications on a Palm and can spread when the user shares apps via syncing or beaming. Symantec's Moritz expects more assaults on handhelds in the future. "These are all fairly insecure platforms, and...I have full confidence that people...will develop new attacks [for them]." Antivirus vendors have already developed products to scan handhelds for malicious code.
While individual users and corporations face increased risks from viruses and Trojan horses, the biggest threat, experts say, lies in the potential for malicious code to be used in cyberterrorism. "Vladimir Zhirinovsky [leader of Russia's ultranationalist Liberal Democratic Party] in Russia has publicly stated that countries should...bring the West to its knees by using an offensive virus or Trojan [horse]," says Moritz. "To be honest, I'm surprised that we don't already see these things happening today. This very likely may be the next big threat--to have weapons of mass destruction based on [computer and Internet] technology."
How do you protect yourself? Antivirus software remains your best bet. The programs use two approaches to spot viruses: scanning and heuristics. Scanning looks for signatures--recognizable strings of code that identify a known virus or variant. Heuristics look for abnormal activity, such as a program that attempts to write to your Windows Registry. If your antivirus software is up-to-date, known viruses will get zapped before they can harm your system. (Most vendors update the signatures they scan for weekly--except during rabid outbreaks, when they may post two or three updates a day.)
But today, says Symantec's Moritz, new viruses have the potential to spread faster than humans can respond. And, he says, "Internet viruses can outrun antivirus software."
At present, it takes antivirus vendors 1 to 4 hours to scan and examine a virus, produce an antidote, and deploy it to users. But it takes only a few seconds for a virus like LoveLetter to spread from Tel Aviv to Toledo. So what's a user to do?
Some antivirus companies have begun to adopt automated scan-and-send systems. If their program sees code that does not match a known virus but behaves strangely, it will send the code back to the antivirus vendor for evaluation. But Symantec aims to take the process a step further with its closed-loop technology, included in corporate antivirus packages distributed to clients this past October. The result of a 12-year project developed at IBM's Thomas J. Watson Center under the name Digital Immune System, the program automates detection and antidote distribution in a way not previously attempted. Ultimately, it aims to compress a process that currently takes 1 to 4 hours into 30 minutes.
Here's how the system works: When local scanning software detects suspect activity on a computer, it quarantines the code and sends it to a series of servers, where other software attempts to create a definition for the virus. If the software succeeds, the system delivers the definition to every Symantec client using the system, thus protecting clients who haven't received the virus yet. If the servers fail, Symantec researchers on call around the clock step in to create a definition and return it down the chain. Eventually, the automated update process will be tied to Symantec's LiveUpdate feature, so individual users not on a corporate plan can get new definitions as well.
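The two detection approaches (signature scanning and heuristics) and the closed-loop flow just outlined, modelled as an added Python example that is not Symantec's or IBM's code: a client scans with signatures, falls back to a Registry-write heuristic, quarantines and submits what it cannot name, and the vendor side either derives a definition automatically and pushes it to every client or escalates to researchers. The file contents, signature strings, heuristic pattern and benign corpus are all constructed for the demo.

```python
import re

# Constructed sample files (not real malware); the marker strings are made up for this demo.
FILES = {
    "LOVE-LETTER.vbs": b"' stand-in script\nCONSTRUCTED-SIG-LOVELETTER\nmail everyone",
    "dropper.exe": b"... RegWrite HKEY_LOCAL_MACHINE\\...\\CurrentVersion\\Run payload ...",
    "installer.exe": b"setup: RegWrite HKEY_CURRENT_USER\\Software\\Vendor\\Version=1 ...",
}
KNOWN_CLEAN = [FILES["installer.exe"]]  # the vendor's corpus of files known to be benign
SIGNATURES = {"Constructed.LoveLetter": b"CONSTRUCTED-SIG-LOVELETTER"}  # shipped definitions
# Heuristic from the article: a program that attempts to write to the Windows Registry.
REGISTRY_WRITE = re.compile(rb"RegWrite\s+HKEY_[A-Z_]+\\\S*", re.IGNORECASE)

def scan(content, definitions):
    # Signature approach: name of the first known string found in the file, else None.
    return next((n for n, sig in definitions.items() if sig in content), None)
def looks_abnormal(content):
    # Heuristic approach: flags Registry-write behaviour even when no signature matches.
    return REGISTRY_WRITE.search(content) is not None

def derive_definition(sample, known_clean):
    # Vendor-side automation: carve the Registry-write text out as a candidate signature, but
    # refuse it if those bytes also occur in known-clean files; None hands it to researchers.
    m = REGISTRY_WRITE.search(sample)
    if m is None or any(m.group(0) in clean for clean in known_clean):
        return None
    return m.group(0)

def new_servers():
    return {"definitions": dict(SIGNATURES), "clients": [], "escalated": []}
def new_client(servers):
    servers["clients"].append({"definitions": dict(servers["definitions"])})
    return servers["clients"][-1]

def submit(servers, sample):
    # Server side of the loop: build a definition and push it to every client, or escalate.
    sig = derive_definition(sample, KNOWN_CLEAN)
    if sig is None:
        servers["escalated"].append(sample)
        return None
    name = "Auto.%d" % len(servers["definitions"])
    servers["definitions"][name] = sig
    for client in servers["clients"]:  # includes clients that have not yet seen the sample
        client["definitions"][name] = sig
    return name

def check(client, servers, content):
    # Local scanner: signatures first, then heuristics, then quarantine-and-send.
    hit = scan(content, client["definitions"])
    if hit:
        return "known:" + hit
    if looks_abnormal(content):  # quarantine the file and send it up the chain
        submit(servers, content)
        return "quarantined"
    return "clean"
```

The benign installer shows the failure mode Cohen raises below: the client's heuristic quarantines it, but the server refuses to turn a string found in known-clean files into a definition and escalates the sample instead.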
Critics worry, however, that this process may give antivirus software too much power over your computer. Fred Cohen sees serious potential consequences with authorizing a centralized system to pull files--including those that may be misidentified as viruses--from a client's computer and then deposit unfamiliar code from a remote server onto the client's system. If a hacker were to infiltrate the flow of information back to the client's computer and insert malicious code in it, Cohen says, there would be nothing in place to stop the code from infecting the machine.
Moritz says that the program lets the system administrators choose to view every file going out and coming in, although doing so would slow the rapid response time that is the program's most significant selling point. And he points out that transferring the information through a secure Web protocol such as https would ensure that no one could view or alter files in transit.
But what would happen if Symantec's servers were hit with an attack in the midst of a global virus crisis? "If someone were to attack these servers...at a critical period," Moritz says, "say, when we were trying to deal with a virulent outbreak like the NewLove virus, then they could certainly have a lot of impact."
Antivirus programs can help contain a virus that's in the wild, but some businesses and legislators want to stop viruses at their source. They advocate harsher laws to punish virus writers and even want to outlaw the writing and posting of virus code.
But most virus writers believe that they won't get caught, and they say that laws therefore won't deter them. In addition, in a 1999 case involving encryption, a U.S. Court of Appeals held that computer code is protected under the First Amendment. Furthermore, "malicious" is a slippery term to define. Any code that interferes with the smooth operation of a person's system could conceivably be characterized as malicious.
Legal wrangling aside, new viruses will always exploit software and system vulnerabilities and are bound to evade scanning software when first released. That's why virus education is important.
Sampath and Moritz say that users should be cautious both in opening e-mail and in surfing the Net. "The Internet is like a Mad Max movie--a lot of people with dune buggies and funny haircuts trying to shoot your head off," says Sampath. He advises users to surf the Net with the same caution they'd use while traveling over dangerous streets. "If you go to the grocery store and the drive is through a bad neighborhood, you're going to take a 10-mile detour. But on the Internet we happily browse along, not realizing which neighborhoods [are bad].
"What we're trying to build into people...is that anytime you go on the Internet, you need to protect yourself....We're looking at different ways of getting that message out--short of a virtual hand that comes out of your screen and grabs you."
So is it safe to conclude that antivirus companies won't be running out of business anytime soon? "It's not a bad time to be a security-focused company," says Moritz.
IBM releases the first commercial antivirus product. Intensive antivirus research commences.
Virus-exchange bulletin boards become popular methods for writers of viruses to post and exchange source code.
At the beginning of the year, a modest 9 percent of companies polled have experienced a virus outbreak. By the end of the year, that figure has leaped to 63 percent.
--Some information taken from
You don't need to be paranoid about computer viruses--just alert, aware, and willing to take steps to protect yourself.
Antivirus vendors update their virus definitions--the files they use to spot viruses--every week. For maximum safety, you should update that often, too. Some utilities can automatically add definitions as they become available.
Here's a look at how the LoveLetter virus reached 55 million computers and how authorities tracked the outbreak to its origin. (Dates and times are EDT.)
The virus arrives as an attachment to an e-mail titled "I Love You." In addition to grabbing the Trojan horse, it sends itself to everyone in the user's Microsoft Outlook address book, and deletes or overwrites JPEG and MP3 files.