In the weeks since a malicious
program or "worm" nicknamed Code Red first rampaged across the
Internet, many home-computer users must have wondered what all the fuss
was about.
That's because the original Code Red and later variants had virtually
no effect on the Windows PCs typically found in the home. Instead, the
worms targeted more powerful Windows boxes used for dishing up Web
sites in the corporate world.
Consumers aren't out of the woods, though.
Experts warn that a future Code Red-like worm or other kind of
online virus could represent a grave threat to home-based computers.
Recent attacks show that viruses are getting harder to keep at bay and
harder to kill. What's more, consumers can't assume that anti-virus
software, by itself, will protect them.
Code Red, after all, remains active to this day and has proven
maddeningly difficult to eradicate. It had caused an estimated $2.6
billion in damages related to system inoculations and lost productivity
by the end of August, according to market-research firm Computer
Economics.
"The thing with Code Red was, updating your anti-virus software had
no effect on it," says Chris Klaus, founder and chief technical officer
for Internet Security Systems, an Atlanta-based firm that manages
corporate security.
Other worms endure, too. The infamous SirCam, though detectable by
anti-virus software, shows little sign of abating since its discovery
in July. SirCam had infected 2.3 million ordinary PCs and caused $1
billion in damages by the end of August, according to Computer
Economics.
Computer viruses of any kind are worrisome because they can wreak
all sorts of havoc, from deleting critical computer files and
scrambling PC settings to furiously spreading themselves until computer
networks or Web sites are overwhelmed with unwanted traffic.
A worm, strictly defined, is a self-contained program that copies itself
from machine to machine over networks and the Internet without needing a
host file to infect, which is what separates it from a classic virus.
Though worms may cause little direct damage as they spread, they can
carry harmful payloads -- much as a missile carries a bomb.
Many worms, such as SirCam, arrive attached to an e-mail and need to
be triggered by the recipient. Such "codependent" worms, including Love
Bug and AnnaKournikova, often entice potential victims with promises of
romance or nude pictures, causing recipients to rashly open the
attachments that trigger the problem.
But Code Red needs no human trigger. Such a "loner" worm traverses
the Net looking for a specific vulnerability in a software program.
Upon finding such a "hole," it burrows into a computer and often uses
it as a launching pad for further mischief.
The solution is to "patch" the hole that lets the worm in. The hole Code
Red uses is in the Indexing Service extension of Microsoft's IIS Web
server, and Microsoft had released a fix for it (security bulletin
MS01-033, in June 2001) roughly a month before the worm appeared, but
many companies have neglected to install it. The patch closes the door;
it does not clean out a worm that is already running on the machine.
Worms have been around the Net since the late 1980s, when a Cornell
graduate student named Robert Morris unleashed the so-called Cornell
Internet Worm or Morris Worm and overloaded thousands of Internet servers. Since
then, hackers have written a variety of worms but rarely caused
widespread damage.
Code Red is a prominent exception, partly because it targets software
that ships with Microsoft's industry-dominant Windows operating system.
Specifically, it attacks corporate computers running Windows NT or 2000
together with Microsoft's Internet Information Services (IIS)
Web-server software.
This has made it a headache for network administrators but an
irrelevance for most home-PC users, who typically use different flavors
of Windows such as Windows 98 and run no Web server at all. Code Red does
not check what it is talking to before attacking: it fires its exploit
request at any address that answers on the Web port (TCP 80), so the
small embedded Web servers inside some consumer DSL modems crashed when
hit by the malformed request even though they could not be infected.
Beyond that inconvenience, most regular folks remained blissfully immune.
But home users may be more vulnerable the next time, experts warn,
because a future worm may target consumer computers via the Web,
file-transfer and instant-messaging services that are booming in
popularity. Hundreds of holes are potentially ready to be exploited by
malicious hackers, they believe.
New operating systems being released by Microsoft and Apple all but
guarantee that more worms will be crawling the Web. "You're going to
see a race in the hacking community to come up with ways to exploit"
Windows XP and Mac OS X, Klaus predicts.
And although creating a worm such as Code Red from scratch requires
considerable programming skill, tweaking it to make a variant is
relatively easy. "I'll be shocked if we don't see more worms by the end
of the year," the security expert adds.
INFECTION RATES RISE
The speed with which viruses spread is increasing, partly because the Internet has become so pervasive.
"What we're seeing today is a huge infection rate relative to years
ago," says Keith Peer, CEO and president of Central Command, a security
software company based in Medina, Ohio.
Code Red infected up to 300,000 computers in a 12-hour period,
according to one published report. Malicious software now can infect up
to half a million computers in a single day, Peer says.
MessageLabs, a British anti-virus firm with U.S. offices in the Twin
Cities, says it has seen a fivefold increase in the number of viruses
trying to penetrate its security since January 2000.
The company, which specializes in intercepting e-mail-borne viruses
on the Internet before they reach clients' computer networks, saw the
presence of malicious codes increase from one in every 3,000 messages
to one in every 400 messages even before Code Red was unleashed in
July. The numbers rose to one virus for every 200 messages in August,
says Andy Faris, president of the U.S. operations.
Potential victims remain vulnerable because they don't take
appropriate precautions, experts say. If all computer users updated
their anti-virus software regularly and immediately installed all
security-related software patches as they became available, the spread
of computer viruses would likely slow to a crawl. But that never
happens.
"If everyone did these things, we wouldn't be in business," says
Robert Stephens, founder and "chief inspector" of the Minneapolis-based
Geek Squad, an emergency-tech-help firm with a growing roster of
corporate clients.
MASTERS OF DISGUISE
Code Red isn't the only threat lying in wait. SirCam has been a major headache because of its ability to disguise itself.
This has made SirCam more of a danger than worms -- such as Love
Bug, AnnaKournikova and NakedWife -- because those kinds of bugs are
relatively easy to spot. Such worms carry essentially the same message
and subject line as they propagate themselves via victims' e-mail
address books.
But SirCam-carrying e-mails are harder to detect. Subject lines
change because the virus chooses a file at random from an infected
computer's My Documents folder, then uses a subject heading identical
to the file name. This tack helps keep SirCam in circulation.
"I believe it will top all other viruses," Peer says, noting that
it's been reported in 110 countries so far and continues to spread.
SirCam's only give-away lies in the message body: "Hi, how are you?
I send you this file in order to have your advice. See you later.
Thanks." There also is a version in Spanish.
Some viruses are even trickier. One called W32/Allgro-A (or
W32.Allgro@mm or W32/Atirus@m) arrives in e-mail and announces itself
as an anti-virus program. Depending on the day, it will clean out
common viruses if present on a computer.
Some experts applaud this fighting-fire-with-fire approach, saying
worms spread so fast that normal techniques -- downloading anti-virus
"definitions" or installing security-related software patches -- aren't
always effective.
But anti-virus experts such as Vincent Weafer, director of
Symantec's Anti-Virus Research Center in Santa Monica, Calif., say
Win32.All3gro.A@mm or similar programs could have a malicious intent in
a benign guise.
The worst may be yet to come. Some anti-virus experts worry about
future viruses that could be programmed to change on their own instead
of constantly being tweaked by human hackers.
That would make them harder to identify and kill with anti-virus
software, which scans a virus' code for a distinctive "signature," says
E. Kelly Hansen, president and CEO of Sun Tzu Security Ltd., a
Milwaukee computer-security consulting firm.
She says such self-mutating viruses already have been created in
universities as part of research on artificial intelligence, but aren't
"in the wild" yet.
"It's very nerve-wracking," Hansen says. "It's a paradigm shift... What happens when the viruses get smart?"
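To make the signature problem concrete, here is an added illustration in Python; it is not code from the article or from any vendor named in it. It pairs a scanner that matches one fixed byte signature with an inert stand-in for a worm body and a "mutation" step that XOR-encodes the body with a fresh key and prepends a tiny decoder stub, so every copy has different bytes but identical behaviour. The payload, the signature and the "DEC" stub format are all constructed for the demo. The static scan misses every variant; a scanner that first undoes the decoding, which is what emulation-based engines do, catches them all. Real self-mutating code also varies the decoder itself, which the fixed stub marker here does not model.

```python
"""Why a fixed byte signature fails against self-rewriting code.

Added illustration, not code from the article or any vendor it names.
PAYLOAD, SIGNATURE and the 'DEC' stub format are constructed for this
demo; the payload is an inert byte string and does nothing."""

# Inert stand-in for a worm body (constructed).
PAYLOAD = b"WORM-BODY: open mail, copy self, send"
# A signature scanner keeps a distinctive fixed substring of a known sample.
SIGNATURE = b"copy self, send"


def signature_scan(sample, signatures=(SIGNATURE,)):
    """Classic static scan: does any known byte pattern occur in the sample?"""
    return any(sig in sample for sig in signatures)


def mutate(payload, key):
    """Produce a variant: XOR-encode the body with a one-byte key and prepend
    a four-byte decoder stub ('DEC' + key). Different key, different bytes,
    identical behaviour once decoded."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 leaves the body unchanged)")
    return b"DEC" + bytes([key]) + bytes(b ^ key for b in payload)


def decode(sample):
    """What the stub does at run time: restore the original body."""
    if sample[:3] != b"DEC":
        return sample          # not one of our variants; treat as plain code
    key = sample[3]
    return bytes(b ^ key for b in sample[4:])


def emulated_scan(sample):
    """Scan what would actually execute: run the decoder first, then match."""
    return signature_scan(decode(sample))


def compare(keys=range(1, 256)):
    """Return (static_hits, emulated_hits) over one variant per key."""
    variants = [mutate(PAYLOAD, k) for k in keys]
    static_hits = sum(signature_scan(v) for v in variants)
    emulated_hits = sum(emulated_scan(v) for v in variants)
    return static_hits, emulated_hits


if __name__ == "__main__":
    static, emulated = compare()
    print(f"original body detected statically: {signature_scan(PAYLOAD)}")
    print(f"variants: 255  static hits: {static}  after decoding: {emulated}")
```

The point of `compare` is the gap between the two counts: one signature covers the original sample and none of its 255 re-encoded copies, while decoding before scanning restores full coverage. The same logic is why anti-virus engines added emulators and behaviour monitors rather than relying on pattern files alone.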
CHATTY JERRY
They may not be very smart yet, but some viruses have become
conversationalists. A hot topic in the security world, according to
Peer, is the vulnerability of instant-messaging services such as ICQ or
MSN Messenger.
A virus called W32/Jerrym (or Worm.JerryMsg.A or W32.Annoying.Worm)
spreads via MSN Messenger and masquerades as a real person, saying,
"Hey, want me to send my new pic? I took it yesterday."
If users say "yes," "sure" or "OK," the virus sends a file along
with a reply such as "alright, here ya go..." or "I hope you like
it..." Once accepted, the file infects the computer.
Fortunately, the "payload" is benign. It says: "I come in piece
(sic). My name is Jerry. The purpose of me is to spread. I'm not
annoying, dangerous."
But it may be only a matter of time before an angry hacker turns
Jerry into something destructive and improves his stilted
conversational skills to better disguise him, Peer says.
The increasing complexity of viruses poses new threats, says Sharon Ruckman, senior director of Symantec's anti-virus center.
Researchers there were surprised by SirCam's ability to use an
Internet cache for dredging up more e-mail addresses with which to
propagate itself, she says. Previous viruses restricted themselves to
using address books.
Worms such as Code Red employ "blended security threats," meaning
malicious software that combines several different types of code. Code
Red II, for instance, first sought out vulnerabilities in Windows
machines, then dropped a "Trojan horse" program on the computer
intended to open a "back door" for a potential hacker to use in the
future.
Many corporations have taken steps to protect themselves from
viruses, automatically stripping off potentially dangerous executable
files from e-mails that enter their central mail servers. But most home
users "are pretty wide open," Ruckman says.
"I tell my friends to be very paranoid" about unexpected or
odd-looking e-mail even if it came from her address, she says. "I tell
them, 'Pick up the phone and call.'"
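The mail-server filtering just described, and the SirCam tells given earlier on the page (a subject line copied from the stolen file's name, a fixed body text, an executable attachment), can be combined into one gateway rule. The Python below is an added example, not the article's or any vendor's code. The English body text is the one quoted on the page; the Spanish line, the list of extensions Windows will execute, and the "document name plus executable extension" attachment pattern are taken from public anti-virus write-ups of SirCam and are assumptions here, not something the article states. The three messages are constructed in memory, not real captures.

```python
"""Toy mail-gateway filter for SirCam-style mail and executable attachments.

Added example, not code from the article or any vendor it names.
Assumptions are marked inline."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Body text quoted on the page (English). The Spanish line is taken from
# public anti-virus write-ups of SirCam (assumption: not quoted on the page).
SIRCAM_BODY_MARKERS = (
    "i send you this file in order to have your advice",
    "te mando este archivo para que me des tu punto de vista",
)
# Extensions Windows runs on double-click. Which ones a real gateway
# strips is a local policy choice (assumption).
EXEC_EXTENSIONS = {"exe", "com", "bat", "pif", "lnk", "scr", "vbs", "js"}
# SirCam appended an executable extension to the stolen document's name,
# e.g. "Budget.xls.pif" (assumption, from public write-ups).
DOUBLE_EXT = re.compile(r"\.(doc|xls|zip|txt|jpg|gif|mpg)\.[a-z]{2,4}$", re.I)


def is_executable(filename):
    """True if the final extension is one Windows will run."""
    return "." in filename and filename.rsplit(".", 1)[1].lower() in EXEC_EXTENSIONS


def analyze(raw):
    """Return a verdict ('sircam', 'executable' or 'clean') and the
    attachment names a gateway of the kind described on the page would strip."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace").lower()

    strip = [a for a in attachments if is_executable(a)]
    body_hit = any(marker in body for marker in SIRCAM_BODY_MARKERS)
    # Page: the subject heading is identical to the stolen file's name.
    subject_hit = any(a.split(".")[0].lower() == subject for a in attachments)
    double_hit = any(DOUBLE_EXT.search(a) for a in attachments)

    if body_hit and (subject_hit or double_hit):
        verdict = "sircam"
    elif strip:
        verdict = "executable"
    else:
        verdict = "clean"
    return {"verdict": verdict, "strip": strip}


def build_sample(subject, body, attachment_name):
    """Construct a test message in memory (constructed data, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


SIRCAM_LIKE = build_sample(
    "Budget2001",
    "Hi, how are you?\n\nI send you this file in order to have your advice.\n\n"
    "See you later. Thanks",
    "Budget2001.xls.pif")
PLAIN_EXE = build_sample("Fun", "check this out", "game.exe")
BENIGN = build_sample("Weekly report", "Report attached.", "report.doc")

if __name__ == "__main__":
    for label, raw in (("sircam-like", SIRCAM_LIKE), ("plain exe", PLAIN_EXE),
                       ("benign", BENIGN)):
        print(label, analyze(raw))
```

Two design points: the SirCam verdict requires the body text plus one structural tell, because the body text alone would also match a victim who innocently forwards the message, and the executable check uses only the final extension, since "Budget2001.xls.pif" is a .pif program however much the name suggests a spreadsheet.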
FIREWALLS PROTECT
Experts suggest home and small business users take a hint from
corporations and install personal firewall and intrusion-detection
software (see accompanying story), especially if they have high-speed
cable or DSL connections.
They also recommend making regular checks with operating-system
makers to see if new security-related software patches are available.
"They say, 'I'm Joe's Burger Shop in South St. Paul and who's going
to want to hack me?'" says Mike Tippets, director of corporate
marketing for SonicWALL, a security service for small and medium-sized
businesses headquartered in Sunnyvale, Calif.
But high-speed, "always-on" Internet access increases the chances
users will get hit by a roving worm. Many hackers prefer to raid
computers with always-on connections because they want to
surreptitiously gain footholds on the machines before looting their
contents or using them as springboards for further mischief.
Software makers too often automatically enable features that put
users at greater risk for infection, complains Raj Goel, chief
technology officer of Brainlink, a small technical-services provider in
New York City.
For example, some versions of Outlook automatically display e-mail in
a preview pane, which renders the Web-page-style (HTML) formatting of a
message, scripts included, without the user ever opening it; malicious
code embedded that way can run the moment the message is selected.
The day is coming when software patches are offered automatically,
just as many anti-virus programs now auto-update rather than making
users do this manually, says Gordon Everest, a professor who teaches
about information systems and databases at the University of
Minnesota's Carlson School of Management.
But security experts wonder whether people will bother taking even
the most basic steps to protect themselves, such as properly
configuring anti-virus software to auto-update.
"I think Code Red was more of a wake-up call," says Klaus at Internet Security Systems.
But the Geek Squad's Stephens believes otherwise. "It's not a wake-up call. It's just the first big one."
Reach Leslie Brooks Suzukamo at
or (651) 228-5475.