Monday, Sep. 01, 2003
Attack Of The World Wide Worms
By Chris Taylor/San Francisco
Where's a power outage when you really need one? Last Friday computer cops and the FBI were racing against time to shut down 20 computers--in a world of millions--before a restless piece of software code called Sobig.F reached them first. Sobig.F was already ripping through home PCs and business networks like Godzilla on a Tokyo rampage. If you logged on to the Internet last week, chances are you received an e-mail from Sobig.F. Whatever instructions the worm might have fetched from those 20 machines, investigators knew, had the potential to make Sobig.F so much bigger.
It was the Web's worst week of worms, a kind of computer virus that copies itself from machine to machine on its own rather than riding along inside an infected file. Though they sound like science fiction, worms spring from the minds of virus writers, who could be sitting at any computer in the world. Most spread because we do careless things like open e-mail attachments from strangers, but some have evolved to spread through computer networks with no human help at all--like plague bacilli that have become airborne.
Such networking skills made headlines last week as Welchia, a network-only worm, grounded Air Canada's check-in system and caused three-fourths of U.S. Navy and Marine Corps computers to surrender. But if anyone thought e-mail worms were sluggish by comparison, Sobig.F was on hand to prove them wrong. In a single day, 1 in every 17 mails sent worldwide came from Sobig.F. At the New York Times, reporters were forced to turn off their terminals. Experts were shocked and awed by the worm's unprecedented clip. "This is the undisputed heavyweight champion of viruses," declared Scott Petry of email-security firm Postini in Redwood City, Calif. Which may be just the kind of recognition Sobig.F's still mysterious author was hoping for.
Virus writers in search of street cred are nothing new. Nor is the billion-dollar antivirus industry that has sprung up since the mid-1980s. Their cat-and-mouse game takes a new turn every time a flaw is found in Microsoft Windows, which runs on 95% of personal computers worldwide. And flaws in Windows are as plentiful as mosquitoes in August. The other problem is the infrastructure of the Internet itself, which is almost as rickety as Northeastern power lines. Across all the software that runs on it, up to 70 new security holes are catalogued every week.
So far, most of the exploitation of these flaws is benign or short lived. Of the 77,000 known viruses in the world, all but 900 are known as zoo viruses; that is, their incurably geeky creators simply e-mailed them to antivirus-software firms like proud parents passing around pictures of their new offspring. Roughly 200 viruses are in the wild at any one time. Most simply don't spread well; others are lame attempts at getting you to open an infected e-mail attachment. "Nude pictures of your wife," anyone?
Of the handful that remain, some probably began with innocent intentions. Welchia, also called Nachi, was initially taken for a good worm because it was apparently designed to clean up the cause of the previous week's headlining worm, Blaster. Welchia was like an overly helpful relative who thinks he knows how to handle the plumbing. Once inside a system, it killed Blaster, downloaded and installed Microsoft's fix for the hole Blaster used, and then went looking for other machines to help, pinging whole ranges of addresses to find them. On a large corporate network with thousands of infected PCs scanning and patching at once, that traffic alone was enough to bring the network down. "Virus writers don't do quality assurance," says David Perry, director of education at Tokyo-based Internet-security firm Trend Micro. "A lot of viruses cause more damage by being poorly written than anything else."
In the case of a well-constructed worm like Sobig.F, no damage is done to the PCs. The network suffers; your hard drive doesn't. On the face of it, Sobig.F's aim is merely that of every species on Earth: to make as many copies of itself as possible. Sobig has gone through six versions, A through F, apparently tweaked by the same author since its January debut. The one that won the evolutionary lottery is Sobig.F, which works so well because it grabs anything that looks like an e-mail address on your hard drive--address books, browser caches, saved web pages--and secretly mails itself to all of them from its own built-in mail engine, forging the From: line with another of the harvested addresses. The message appears to come from someone the recipient may know, and the owner of the infected machine never sees it go out.
Then comes the twist. Running on a built-in timer, Sobig.F was due to make infected computers contact 20 machines around the world--themselves probably infected with a back-door program--that Sobig's author could use as a drop box, leaving a pointer to nefarious new instructions there for his worm to fetch. Investigators succeeded in taking 19 of the machines off-line before that could happen, and the 20th simply pointed the worm at a run-of-the-mill sex site. Either Sobig.F was never intended to cause damage beyond all the disruption, or its author was feeling the heat of the law and worried about leaving a trail. Finding out which will not be easy: virus writers are notoriously difficult to track down because they work through so many layers of infected machines and fake user accounts.
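As an added illustration (example code written for this page, not anything from the article or from the worm itself), here is the mechanism above in miniature, together with the two checks a mail gateway of the day could run against it: a regex that harvests every address-shaped string from a blob of text, the way a mass mailer does, and a classifier that flags an executable attachment and a From: line whose domain does not match the machine that first injected the mail. The disk-cache text and both messages are constructed samples, and every hostname and address in them is made up. The sender check compares the From: domain with the reverse-DNS name recorded in the earliest Received: header; it is a heuristic that predates SPF and will also flag legitimate mail sent from a laptop on a hotel network, so treat it as a score, not a verdict.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Anything address-shaped: the worm is not picky about where on disk it finds these.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Extensions Windows runs on double-click; mass mailers of 2003 favoured .pif and .scr.
EXEC_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}
# "from HELO (reverse-dns [ip])" as most MTAs write a Received: line.
RCVD_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)", re.IGNORECASE)

# Constructed stand-in for an address-book / browser-cache fragment on an infected PC.
SAMPLE_DISK_TEXT = (
    "Outlook cache: Bob <bob@example.net>, carol@example.net\n"
    "history: https://www.example.org/contact dave@example.org\n"
    "<a href='mailto:Bob@Example.net'>Bob</a> junk@ foo@bar\n"
)

# Constructed message in the style of a Sobig.F mailing: forged From:, executable
# attachment, and a first hop that is a consumer DSL line, not example.org's mail server.
SAMPLE_MSG = b"""\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP; Fri, 22 Aug 2003 10:02:11 -0400
Received: from example.org (dsl-198-51-100-77.isp.example [198.51.100.77])
\tby mail.example.org with SMTP; Fri, 22 Aug 2003 10:02:05 -0400
From: alice@example.org
To: bob@example.net
Subject: Re: Thank you!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file for details.
--b1
Content-Type: application/octet-stream; name="thank_you.pif"
Content-Disposition: attachment; filename="thank_you.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAA
--b1--
"""

# Constructed legitimate message from the same sender, for comparison.
CLEAN_MSG = b"""\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP; Fri, 22 Aug 2003 11:00:00 -0400
From: alice@example.org
To: bob@example.net
Subject: Lunch?
Content-Type: text/plain

Noon at the usual place?
"""


def harvest_addresses(blob: str) -> list[str]:
    """What the worm does: collect every address-looking token, lower-cased, de-duplicated."""
    seen: set[str] = set()
    out: list[str] = []
    for match in EMAIL_RE.findall(blob):
        addr = match.lower()
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def classify(raw: bytes) -> list[str]:
    """Gateway-side checks; returns the reasons a message looks like a mass mailer, [] if none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []

    # 1. Executable attachment, judged by filename rather than the easily forged MIME type.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        dot = name.rfind(".")
        if dot != -1 and name[dot:].lower() in EXEC_EXTS:
            reasons.append(f"executable attachment {name}")

    # 2. Forged sender: From: domain vs reverse DNS of the host that first injected the mail.
    #    Each hop prepends its Received: line, so the last one is the earliest hop.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    received = msg.get_all("Received") or []
    hop = RCVD_RE.search(str(received[-1])) if received else None
    if hop and from_domain:
        helo, rdns, ip = hop.groups()
        rdns = rdns.lower()
        if rdns != from_domain and not rdns.endswith("." + from_domain):
            reasons.append(
                f"From: claims {from_domain} but first hop is {rdns} [{ip}] (HELO {helo})"
            )
    return reasons


if __name__ == "__main__":
    print(harvest_addresses(SAMPLE_DISK_TEXT))
    for label, raw in (("sobig-style", SAMPLE_MSG), ("clean", CLEAN_MSG)):
        print(label, classify(raw) or ["no findings"])
```

Note that the worm's HELO name in the constructed sample is the forged domain itself, which is why the check looks at the reverse-DNS name the receiving server recorded rather than at anything the sending machine claimed.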
The rise of Sobig.F illustrates how easily a determined fiend--even a terrorist--could sow mayhem. Picture a future Sobig using millions of infected machines to hack into the servers of a major bank. "The virus-writer world and the hacker world have come together," says Vincent Weafer, senior director at Symantec Security Response. "They don't care who you are. Your machine is an asset to them." In the past, hacker groups have been able to make tens of thousands of compromised PCs take part in denial-of-service attacks--flooding a website with so many requests at once that legitimate visitors can't get through. The Blaster worm, which declared its enemy to be "billy gates," pointed some 400,000 infected PCs at Microsoft's windowsupdate.com at the same time on the same day. But Microsoft dodged that bullet: the Windows Update service actually lived at windowsupdate.microsoft.com, and the company simply retired the windowsupdate.com name the worm was aiming at.
Nevertheless, there is much to embarrass Microsoft in the latest crop of worms. Blaster and Welchia both relied on the same security hole, a buffer overflow in the RPC service built into Windows that Microsoft had patched in July (security bulletin MS03-026). There was a fix available--the one Welchia tried to download--but it was one among dozens the company puts out every month. Windows XP made its debut in 2001 with some 45 million lines of code and a lot of mistakes, many of which have yet to be uncovered. Because of its complexity, "no other product could potentially be so flawed," says Jerry Ungerman, president of Silicon Valley's Check Point Software. No consumer movement has sprung up demanding a Windows recall just yet, but a car with this many problems would be a tort lawyer's joyride.
Not according to Microsoft. "This is more like your car being threatened by a new caliber bullet," says Mike Nash, the company's vice president for security. Still, a Bill Gates memo last year admitted Windows needed to be more "trustworthy." The company placed ads in national newspapers last week reminding users to turn on Windows XP's internal firewall and employ the operating system's automatic-update feature. That is, you can allow the company to fix its unintended mistakes constantly and quietly in the background. Windows XP does not ship with this feature turned on because of the Big Brother factor. But attitudes may be changing. Says Nash: "Customers are more willing to give up their privacy concerns."
Security experts are willing to cut Microsoft a lot of slack. In some ways, they say, Windows is a victim of its success. If rival operating systems like Linux or Mac OS had a 95% market share, the virus writers would be hard at work probing them for holes. Whether they would find as many is a different question altogether. Linux and, to a lesser extent, Mac OS are open source, which means their code is subject to constant peer review by engineers and software writers all over the world. The energy that goes into finding fault with Windows exists in the Linux world too, but it's focused on making the code better. To help stave off the competitive threat from Linux, Microsoft recently allowed several governments across the world to take a peek at the precious Windows source code but is unlikely to go fully open source anytime soon.
What Microsoft isn't responsible for are the problems it inherited from the early years of the Internet. All the rules and protocols that govern how computers talk to one another and how e-mail is passed around have been handed down from the 1960s and '70s and are riddled with loopholes. SMTP, the protocol that carries mail between servers, still accepts whatever sender address it is handed, which is why Sobig.F's forged From: lines work. Back then the nascent network was the province of the military and academia. If someone even knew what e-mail was, he or she was likely to be friendly.
As recently as two years ago, it was easy to avoid the impact of most viruses and worms like Melissa and the infamous Love Bug by not using too many Microsoft products. Most of the known security flaws that spurred virus writers had to do with the way Outlook talked to Word or Excel. The greatest danger was having a Microsoft monoculture on your desktop. The digital equivalent of planting only one kind of potato in your fields, it practically invited pests to do their worst.
In the age of smart worms, however, the greatest danger comes from having an insecure high-speed Internet connection combined with a copy of Windows that hasn't been patched in a month. A firewall--a piece of software or hardware that watches your connection night and day and turns away connection attempts from the outside that you never asked for--is now as necessary for DSL or cable-modem users as luggage screening at airports. Blaster and Welchia spread by knocking directly on an open Windows network port; a firewall that blocks unsolicited inbound traffic stops them before the unpatched hole is ever reached. But a survey showed that two-thirds of high-speed connections don't have firewalls set up properly.
Until we all get firewalled, the best we can hope for is that most virus writers keep their creations in the zoo, that the Sobig.F writers of this world will turn out to be relatively benign vandals and that investigators will track down the ones who are not. Worms will always be with us, like graffiti on highway overpasses. And with luck, they will be no more annoying.