The Stealthy War Between Virus Creators

April 5, 2004 -- Like the war on terrorism, there's a secret battle going on right now that affects hundreds of millions of people worldwide. And it is happening — right on your computer.

Recent computer viral outbreaks of the MyDoom, NetSky and Bagle e-mail bugs show that malicious online software, or "malware," is still a growing security threat.

Make that, "rapidly growing."

Computer security experts note that in the three months since these infamous viruses made their online debut, each has already spawned nearly two dozen distinct variants.

"In the past, we saw different variants of viruses, but they were often buggy and didn't work in a lot of [computer] environments," says Craig Schmugar, a research manager for antivirus maker McAfee. Now, "There are hundreds of new viruses in an average week, and they're getting more complex, they work often across different [computer platforms]."

The reasons for the rapid rise of rascally code are many. But concerned experts point to a particularly disturbing trend: Malware creators are cranking out more and increasingly sophisticated bugs in order to prove who's the top dog when it comes to dirty online tricks.

Invisible Insults

The proof, they say, is in the vulgar taunts aimed at the software industry and at other virus writers, hidden within their various creations.

For example, in one variant of the Bagle virus discovered early last month, its creator or creators encrypted a line of text that said, "Hey, Netsky… don't ruine [sic] our business, wanna start a war?"

By the next day, antivirus researchers discovered a new version of the NetSky bug, complete with an embedded line that read: "Skynet Antivirus — Bagle — you are a looser!!!!"

But beyond the verbal abuse, antivirus analysts note that each successive bug and variant is becoming more sophisticated at finding and exploiting vulnerable computers in order to spread.

The original MyDoom virus, for example, is believed to have used the popular peer-to-peer (P2P) file-sharing network KaZaA to help spread itself. Now, some of the newer bugs are encoded with their own P2P networks based on a system called WASTE, which was created and subsequently abandoned by a division of AOL.

By using their own P2P networking, says McAfee's Schmugar, virus writers can create their own "back doors" — hidden entrances — into an infected computer and use the machine to spread other bugs and junk e-mail, attack other computers, and perhaps steal personal information.

Cooperative Destruction

And compounding the problem: Rival malware coders aren't above piggybacking on each other's exploits.

"Other virus writers are writing [programming] scripts to find those [security] exploits to infect them, deactivating the [malware] code already there and running their own code," says Bruce Hughes, director of malicious code research for security firm TruSecure.

Such was the case during the height of the struggle among NetSky, Bagle and MyDoom last month, says Hughes. One variant, he says, carried a "kill list" of about 90 programs or instructions that included other viruses, popular antivirus software and "firewall" security measures.

Nor are virus creators keeping quiet about their latest exploits. In fact, most even welcome other authors to use their malicious code — and improve on it.

"In the past, malware writers had to disassemble popular viruses and recreate their own version," says Hughes. "Now, they're all sharing [their] source code on infected computers. Anyone can go out there and pick it up."

Combine all these factors together, and it's easy to see why security researchers and Internet companies are concerned about the marked increase in the number of online viral outbreaks.

And while the recent variants haven't reached epidemic proportions, it may be only a matter of time.

"For [virus writers] to win, they have to infect a lot of us," says Hughes. "At most, we've seen three [virus] variants released in one day. What happens if they can release 10 an hour? I'm scared that they can release hundreds of them in a day. How do we stop this?"

Caught in the Middle

Unfortunately, how to counter the cyber hostilities isn't clear, simple or even known.

Internet service providers and experts still hold that the first line of defense lies with educating users about the dangers and with using the appropriate security software, namely antivirus programs and firewalls that protect computers from unauthorized traffic.

But despite recent outbreaks, many average online users — especially those using fast, always-on broadband connections — remain disturbingly unaware of, and unprotected from, the threat.

According to a recent online industry survey, only a third of broadband users — the fastest growing population of online users — have the proper online security tools in place and updated to protect against the latest threats.

So, many ISPs are looking at ways to boost their security. Most provide — and in some cases automatically install — security software on subscribers' computers when they join the network. But ISPs such as Verizon DSL, Comcast Cable, and SBC/Yahoo! are taking a more proactive approach by monitoring their networks for sudden spikes in online traffic in an effort to nip any attack in the bud. "There are definitely things we can look at, such as more aggressive monitoring tools, and attack signatures," says Michael Jordan, a security analyst with Verizon DSL. "But there's not a lot out there that works at a scale of 10 [million] to 20 million customers. There's some defense, but it's really back on the consumer. There's only so much an ISP can do without running afoul of a user's privacy."

Other security experts say that a more security-conscious shift in the industry should help out as well. As part of its "secure computing" initiative, Microsoft is pushing more security features and fixes in its popular software. Its updated Outlook e-mail programs, for example, will automatically warn users of messages that contain possible malware and possibly even block certain file attachments unless otherwise instructed by the user.

"The shift we're seeing, partly from Microsoft and others, is that enabling more security features as 'on' by default is good," says Schmugar. "They're recognizing that by disabling certain features as 'open' by default leaves everyone vulnerable by default."

But it will take time for these changes among the industry and consumers to occur. Until then, online users might have to put up with the idea that we're just collateral damage in the war among the malware creators.