New Software Self-Defends From Viruses

Aug. 27, 2003 -- Who's responsible for big computer virus outbreaks such as the recent SoBig attack? Experts say the answer is — you.

Certainly, poorly-written code in major software programs such as Microsoft's Windows operating systems and balky computer technology can be exploited by hackers and evil-doers.

But computer security experts say irresponsible computer users themselves are often the weakest link in the chain. And they propose to take charge of the situation — by taking over.

For example, despite repeated warnings from the online security community, users are still opening suspicious e-mails. And they haven't been keeping up with the latest security patches.

As a result, virus attacks succeed in a big way. The SoBig virus, for instance, has managed to infect more than 100,000 computers worldwide since it was detected on Aug. 18.

Virus watchers like Keith Peer, president and chief operating officer of Central Command, Inc., an antivirus software maker in Medina, Ohio, have a name for the problem — "Glazing over."

Says Peer: "People have heard about the need to keep antivirus [software] up to date and not to open suspicious e-mails so often that they just glaze over whenever a new warning comes out. They just don't respond anymore."

Keeping Up-to-Date, Automatically

While security firms, anti-virus makers and software companies like Microsoft still press for better computer user education about online security concerns, some say to really help check the rising threat, software will have to get a bit smarter — and possibly more intrusive.

At Microsoft, for example, executives have been contemplating a change in a key feature in its Windows XP operating system called Auto Update. The current version downloads and installs the latest software fixes from Microsoft's Web computers only after users choose to activate it.

By contrast, the new version of the feature would allow computers running Windows XP to update automatically.

Such an automated feature might have saved thousands of computer users from the MSBlaster worm unleashed on the Internet just prior to the SoBig virus. MSBlaster, also known as LovSan, took advantage of a weakness in Windows software first discovered in July. While Microsoft then released a fix for the weakness, many computer users failed to install it.

That fact hasn't been lost on Microsoft. According to reports, executives at the software giant are now considering whether future versions of the Windows software should have the Auto Update feature set to "on," rather than rely on customers to activate the feature manually.

"While we've not yet committed to a time frame or delivery mechanism, we do believe that enabling Auto Update by default will help ensure customers' PCs are updated in a timelier manner," says Tara Gregory, a spokeswoman for the company.

Spying for Suspicious Software

Other software makers are offering software that seems to take on security threats in an even more proactive way.

Antivirus programs such as Network Associates' McAfee VirusScan and Symantec's Norton AntiVirus have always had automatic update features. Once a new bug is discovered, engineers craft an antivirus code and send it out to every subscribed user.

Bryson Gordon, senior product manager for Network Associates in Santa Clara, Calif., says the latest version of its security program ramps up the arms race against the virus writers.

The feature, called WormStopper, is designed to continually scan a user's computer for patterns of "suspicious activity" — say, a program that starts scanning for addresses stored on the computer, or attempts to change the starting page of your Web browser — and then alert the user to what's happening.

"We don't know it's a new worm, but we do know that something is trying to send e-mail to everyone on your address book," says Gordon. "Based on that, we can block the actual code that is causing that to occur."

With Automated Software, How 'Personal' Is Your PC?

Such steps could lead to much better and safer computers, say some.

"The vast bulk of the problem is machines that are never going to be secure even if the interest in security is very high," says Alan Paller, director of research at the SANS Institute, a security firm in Bethesda, Md. "They're owned by children or by grandmothers or by libraries or by businesses that are busy with other things [than computer security]."

But others wonder if computer users might feel squeamish about software that automatically makes changes to the software on their computers. After all, note privacy and legal experts, a PC is a "personal" computer.

"My basic concern is if users' systems are automatically updating, users might not know what is being done," says Seth Schoen, a technologist with San Francisco-based Electronic Frontier Foundation. "Potentially, the vendor could choose to take functions away under the guise that it's part of a security update and users would not be aware that they have done that."

What's more, warns Schoen: "Think a little more deviously. An unscrupulous vendor could present something that is a security update that actually forces incompatibility with competitors' products."

Who's Responsible?

Another concern? If a vendor's software patch crashes a user's computer, it's not clear who would be responsible.

"Software publishers are not frequently sued for software defects," says Schoen. "Take a look in any end-user license agreements and you'll see that manufacturers disclaim any warranty for defects."

Security experts like Paller suggest most users, however, will likely opt for proactive approaches such as Microsoft's Auto Update feature — provided it's clearly explained that users can turn the option off.

"My guess is that they will joyfully accept [Auto Update], so long as they are given the choice of opting out and taking active responsibility for securing their [own] systems and for any damage their systems do [online]," says Paller.

"In addition to that, a user should have an opportunity when the system has been remotely updated, to decline to receive auto updates and reverse an update once it has been applied," adds Schoen. "Those would be reasonable consumer protections and remove most of the objections most people have."

In other words, users would still have to have a responsible and active role in their own PC's security. And that, say others, is the best defensive tool against hackers and threats overall.

Gordon notes, for example, that virus writers still use "social engineering" tricks to get computer users to spread their malicious software. Users can still be duped into clicking on e-mails with alluring subject lines, such as "I love you" or "Anna Kournikova naked," which then launch the latest Web attack.

"Ultimately just patching systems automatically doesn't answer the threat of social engineering," says Gordon. "[Virus outbreaks] are going to happen."