For computer security experts, 2003 started with the Slammer Internet worm and went downhill from there. The year, which included four major worm and virus outbreaks in August alone, has been labeled the "year of the worm" and "the worst year ever" by more than one computer security expert.
All that activity meant good news for antivirus software companies such as Symantec. It was bad news for organizations of all kinds, which expended precious resources disinfecting everything from desktop workstations to airline reservation systems and ATM networks that were hobbled by virus outbreaks.
Will 2004 bring more of the same, or will it be remembered as the year in which Internet users "took back the streets" from virus writers, malicious hackers, and spammers? A little bit of both, say corporate security experts and computer virus specialists.
No Relief in Sight
When it comes to computer viruses and worms, Internet users will not see any letup in virus outbreaks in 2004. This is despite high-profile prosecutions of some virus authors and a Microsoft bounty on the head of the original authors of the Blaster and Sobig viruses, according to Chris Belthoff, senior security analyst at Sophos.
Prosecutions and bounties do not prevent crime in the physical world, and they should not be expected to work any better online, Belthoff says. Such programs also misinterpret the motivation of virus writers, who are often looking for attention and recognition rather than financial gain, he adds.
The threat of a so-called "zero-day attack," in which a virus or worm exploits an unknown and unpatched software vulnerability, also looms as a worst-case scenario. A Blaster-style worm based on a zero-day vulnerability could damage computer networks and leave administrators with few options to protect network resources, he says.
Microsoft's operating systems and products will continue to be targeted by hackers and virus writers in 2004, according to Belthoff and others.
Security exploits relying on buffer overflows in Microsoft product code will still be the most common avenue of attack. Hackers are also exploring "internal" vulnerabilities in Windows, like the Remote Procedure Call security holes that produced Blaster, as well as Microsoft's .Net Web services framework, Internet Information Server Web server, and Windows 2003 Server, according to one exploit writer who uses the online handle "wirepair."
The wealth of new, unexplored code for .Net makes it fertile ground for hackers, agrees Mikko Hypponen, director of antivirus research at F-Secure in Helsinki.
"One thing that's interesting about attacks in an environment like .Net is that a successful worm will hit multiple platforms: desktops, laptops, as well as mobile phones and [personal digital assistants]," he says.
The year brought some small victories for law enforcement and for Internet service providers and corporations that were drowning in a flood of unsolicited commercial e-mail, or spam.
America Online, EarthLink, and others won big legal settlements against spammers. And in December, President George W. Bush signed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. The new law imposes criminal penalties of up to a year in jail for common spamming practices like hacking into someone's computer to send spam or setting up e-mail accounts using false information to send bulk spam.
But e-mail users shouldn't expect to see a decrease in the amount of spam they receive, says Andrew Lochart, director of product marketing at e-mail-filtering firm Postini.
"The nature of the Internet [e-mail] protocols, especially SMTP, makes it far too easy for dedicated spammers to hide themselves, and we're seeing a lot of [spam] activity moving offshore, outside of U.S. jurisdiction," Lochart says.
Postini estimates 80 percent of the 1 billion e-mail messages it processes each week are spam. The company believes that number might go as high as 90 percent by the end of 2004, Lochart says.
Spammers are also finding new ways around laws and antispam security measures, Belthoff says. For example, after free e-mail service providers and network administrators clamped down on the accounts and insecure servers spammers use to send mail, the mass-mailers turned to computer viruses to create networks of zombie home computers that distribute their e-mail. Sophos estimates 30 percent of the spam its researchers see comes from IP addresses that belong to consumer machines. Two years ago, hardly any spam came from such sources, he says.
Incidents of online identity theft will also increase in 2004, spurred by a brisk international market for stolen credit card numbers and personal identity information, security experts say. Organized criminal groups in Russia and South Korea are using targeted malicious hacking and so-called "phishing" Web sites to harvest information on thousands of online users, according to Richard Stiennon, research vice president at Gartner.
But the security news in 2004 will not be all bad, experts agree. The next 12 months will find corporations deploying more security technologies more precisely and with fewer problems, Stiennon says. "It's getting to the point where we know what we need to do and there are good solutions out there, but now we have to execute," he says.
Microsoft's efforts to strengthen the security of its operating systems and products will also close a number of well-worn avenues for hackers and virus writers, Stiennon says. Those changes include a new version of the Internet Connection Firewall, now called the Windows Firewall, in the forthcoming Windows XP Service Pack 2. The new security features will be activated by default, and Microsoft is changing its Remote Procedure Call to make it harder for attackers to exploit that service. Recent worms such as Blaster and Nachi used a security vulnerability in RPC to infect Windows machines.
Subsequent changes to Windows will integrate antivirus and content-filtering technology with the operating system, making it easier for Windows users to block attacks, Stiennon says. A default firewall for the Windows desktop will be a marked improvement for many users, enabling them to spot virus and Trojan activity that otherwise goes unnoticed, agrees Bruce Hughes, director of malicious-code research at TruSecure ICSA Labs.
However, the seeds of change Microsoft plants in XP SP2 might take years to bear fruit, Hughes says. "We're still seeing viruses that use [Microsoft] Outlook address book vulnerabilities, and the cumulative patch for that came out two years ago," Hughes says.
Finally, the 2004 presidential election will continue to focus public and media attention on the security of embedded operating systems in everything from electronic voting kiosks to ATMs, experts say.
Security flaws, the increasing use of embedded versions of Windows, and the near-total dominance of the TCP/IP networking protocol make it likely virus and worm outbreaks will affect private networks used by ATMs, utilities, and other critical systems, even if those systems don't run Windows, F-Secure's Hypponen says.
"In the old days, these systems used proprietary protocols that were immune to Internet worms. Now you have embedded systems connected via TCP/IP to corporate intranets and office systems. Internet worms like Blaster and Slammer, because they try every possible [Internet] address, will find these systems, which hackers would never find, and end up in places nobody imagined," he says.
Such outbreaks have started to raise questions about the wisdom of creating homogeneous populations of computers running Microsoft software, Stiennon says. "One thing that changed dramatically in 2003 was the world's acceptance of the philosophy of 'Microsoft everywhere,'" he adds.