St. Petersburg Times
Online: Personal Tech

The ghosts in your machine

Since one of the first computer viruses appeared in 1982, successive generations have grown increasingly malicious and tough. This year has seen explosive growth in activity. And experts say the problem isn't going away any time soon.

By DAVE GUSSOW
Published August 16, 2004

At the time, Rich Skrenta saw his creation as nothing more than a little fun by a curious high school student.

Living in Pittsburgh, he wrote an odd little computer program that would make subtle changes on discs used in Apple II computer programs, and it could replicate itself.

The 50th time a disc carrying the program was used, a poem would appear on the monitor screen:

It will get on all your disks

It will infiltrate your chips

Yes it's Cloner!

It will stick to you like glue

It will modify ram too

Send in the Cloner!

It didn't seem like a big deal at the time, though one of Skrenta's teachers and some of his friends were not amused. But in 1982, Skrenta had blazed a trail with one of the first, if not the first, computer viruses.

Today, there is nothing harmless or fun about computer viruses. Successive generations have grown increasingly malicious in their intentions and virulent in their ability to survive defenses. Many of today's viruses are not pranks, but are instead criminal efforts to mine personal and financial information from computers.

Thousands of viruses, worms and other malicious code, or malware, are being sent over the Internet each year, costing businesses and consumers billions of dollars to fight. And this year has seen an explosion in activity.

"This year, we've never seen anything like this," said Ed Skoudis, author of Malware: Fighting Malicious Code and an instructor at the SANS Institute, a computer security think tank in Maryland. "It's incredible. It starts to get overwhelming."

Cloner didn't spread far, with no public Internet to help distribute it, but a few years later it got a mention in Time magazine. Skrenta, 37 now and co-founder of the Topix.net news Web site, has no regrets about creating the virus.

"If I hadn't developed Cloner, it's not like viruses wouldn't have come into existence anyway," Skrenta, of Palo Alto, Calif., said. "The times were just ripe for the idea to get out there. I don't think I opened some Pandora's box."

In fact, going back to the 1970s, computer scientists talked about the idea of viruses, chiefly as a way to patch flaws in software. The term virus itself didn't come along until 1983, defined in an academic paper, and by then researchers had discovered a dark side to viruses, as Fred Cohen, the paper's author, wrote: "Their potential threat is severe."

At that point, the idea of viruses had escaped the labs where they were studied and entered the real world, computers and networks. Early infections such as Cloner could only spread with the exchange of floppy discs, but the Internet changed that. The first Internet worm slipped out in 1988, and the '90s saw increasing sophistication in the threat as e-mail became a carrier and the Internet's rise gave new distribution routes.

In 1988, the CERT Coordination Center at Carnegie Mellon University received just six incident reports of virus infection. Growth was modest for years, reaching 3,734 incidents by 1998. But then: 21,756 incidents in 2000, 52,658 in 2001 and 82,094 in 2002. Last year? 137,529.

Yet numbers tell only part of the story.

* * *

People who write malicious code are called a lot of things, but if you ask some experts, such as Cohen, innovative is not one of them. Cohen, a research professor at the University of New Haven, says even more damaging viruses and attacks are possible, but malware writers just aren't trying new things.

"No surprises since 1992," Cohen wrote in an e-mail interview. "That's when I basically gave up doing more research because I figured I knew then as much as I would ever know about the subject. Nothing has proven my view wrong yet."

In fact, experts say, although attacks have multiplied, more stealth-like techniques are in vogue, and the motives have changed from vandalism to financial gain, the basics of malware have remained predictable.

Each new generation builds on the foundation created by previous generations and exploits vulnerabilities in software and unsuspecting users.

"We see the same common type of attack over and over and over again," said Kevin Houle, a member of the CERT technical staff.

Software companies continue to leave weaknesses in their products, he says, and attackers still trick people - something experts refer to as "social engineering" - into doing things such as opening e-mail attachments or running programs they shouldn't.

"What we've seen over the course of the last 15 years, there's no reason (to believe) it won't continue," Houle said. "Unsafe computing practices are still very common and social engineering is still very effective. It's not a new thing. Attackers have found that it works well, so they use it more and more."

There are more malware writers, who have more tools and techniques available, much of it shared over the Internet, which makes it easier to develop more powerful attacks.

Skoudis from the SANS Institute says attackers are using more bots, automated programs, for distribution, particularly for spam, and to cover their tracks. Some writers are getting better at making their code invisible to defenses.

Among other things, that means computer users don't have to open an e-mail attachment or click on a program to get in trouble. Download.Ject, or Scob, came from Russia and infected Web sites that used Microsoft software. A user only had to visit an infected site to trigger a secret download of a Trojan horse carrying a keyboard logger that would record the user's typing, which is how attackers capture passwords to personal information.

In an unusual move last month, SANS and other security experts recommended that people stop using Microsoft's Internet Explorer browser, saying its flaws made going online "like playing the lottery."

Because of its huge market share with Windows, Internet Explorer and its Office productivity suite, Microsoft has been heavily targeted by virus-writers looking to inflict maximum damage. And it has been criticized for being lax on security.

"Microsoft is one of many who write poor code," Cohen said. "Generally the inability to prevent even the things we have known how to prevent for 30 years or more demonstrates a lack of due diligence.

"They could spend $1 per line of code and detect far more than 99 percent of current exploited vulnerabilities but they don't even do that. It is a pitiful performance by the vendors."

And there's another issue to consider: Malicious code doesn't just disappear. Even after a well-publicized outbreak and the follow-up patches come out, the code still can be lurking on some server, waiting for an opening on an unprotected computer or network. Code Red hit thousands of computers in 2001, and Houle says CERT still gets reports about it.

* * *

Antivirus software, firewalls to block intruders from gaining access to a computer and other defenses such as Spybot and Ad-aware for removing spyware are all necessary tools for today's computing. But it's still not enough.

"Things like that are useful, but they shouldn't be a false sense of security because they protect against known things and not unknown things," CERT's Houle said. "Just because I have antivirus doesn't mean I should feel safe about everything I come across."

That puts a burden on users to be aware of software defects, to remain vigilant about security alerts and problems and to download patches and updates when they're available.

More technical solutions also are in the works, says Chris O'Connor, IBM's director of security strategy. One such example, particularly aimed at businesses, is an enhanced hardware-software system that requires, among other things, that people who log on to networks digitally verify that the machine they are using is approved for the network and they are who they say they are. Then, the network can check the machine's health, determine if any changes have occurred and either allow or block full access.

"I think you're going to see a bulletproof set of interactions," O'Connor said. Detecting problems earlier and isolating infected machines will help control the spread and could discourage attackers.

And, like consumers, businesses are suffering, too. According to a survey of 400 "security decisionmakers" by the Yankee Group, 83 percent said their businesses had been infected by viruses or worms last year, even after spending much time and money on defenses.

O'Connor says some businesses are taking more steps, including requiring that employees use company-owned machines at home instead of their personal computers and setting more stringent rules about access.

Despite greater awareness of the problem, CERT's Houle says, the problem isn't going away any time soon.

"As defense techniques get better, attack techniques adapt," Houle said. "It's definitely going to be an evolving situation."

Information from Times files was used in this report. Dave Gussow can be reached at gussow@sptimes.com or 727 771-4328.

On the Web

Ad-aware: www.lavasoft.de

CERT Coordination Center: www.cert.org

Fred Cohen: all.net

SANS Institute: www.sans.org

Rich Skrenta: www.skrenta.com

Spybot: www.safer-networking.org

U.S. Computer Emergency Response Team: www.us-cert.gov

[Last modified August 13, 2004, 13:34:09]
