Malicious code comes of age

I got hit with a particularly nasty virus the other week. OK, so it was chicken pox. (Don’t laugh – that can be pretty serious for an adult.) Betcha you thought I was going to say Code Red, didn’t you?

In all seriousness, I have found myself thinking about viruses a lot more than usual. It may be psychological – embarrassing as it is – I had to take a recent mandatory hiatus for a few days in order to recover, which gave me more time than usual to do some serious thinking about, well, a lot of things. And, while I was catching up, or trying to, with e-mail at home, I got at least 30 virus attachments sent to me (of the coded variety). I didn’t open any of them, so as far as I know, my computer is clean. But I remember thinking: “This time, it’s different.”

In this industry, there are always lots of computer virus alerts. So many warnings come to me in a day that I scan the contents and delete the message, usually without giving them a second thought. So, why does this one – Code Red and its variants – seem distinct?

For one thing, the volume and worldwide coverage, which has crippled Web servers from Asia to New Zealand, to North America, is astonishing, though not unique – Melissa and ILOVEYOU also accomplished that. But (and I hate to give credit) the alarming truth seems to be that virus writers are actually getting smarter. This is not an easy task – they were a highly intelligent group to begin with.

Consider the amount of international collaboration that is necessary to morph things so quickly. Often it isn’t the initial virus or worm that’s damaging, so much as its variants. The effort, the speed, and the sheer brain power and psychology that go into these bent offerings are enough to boggle the mind. It’s like open source on steroids – a Linus Torvalds dream gone horribly wrong. These are no longer just script kiddies playing at annoyance. These are malicious, well-thought-out attackers.

Just in case you’ve spent the last couple of weeks in a cave (not a bad idea, if you just happened to be covered in spots), Code Red and Code Red II are worms that exploit a hole in Microsoft Corp.’s Internet Information Server (IIS) software that lets nefarious users misappropriate an unknowing victim’s machine. The worm has garnered an unprecedented amount of press coverage over the past couple of weeks as it wreaked havoc in hundreds of thousands of Web servers and affected the performance of countless other networks, DSL routers and switches. Compounding the problem is the fact that many IT professionals may not be digging deep enough to fix the problem because, according to industry experts, untold millions of devices also run embedded IIS. Without patching everything, there is a real risk of spreading a Code Red II Trojan horse that, once inside an IIS machine, lets anyone with a Web browser destroy or manipulate files.

Serious stuff. And despite numerous warnings, evidence has shown people aren’t really taking serious precautions, including, ironically enough, Microsoft itself. In a perfect example of not practising what one preaches, the software giant confirmed recently that Code Red infected at least two servers used for its Hotmail Web-based e-mail service. This was after the company announced the importance of downloading its patches to fix the problem. How are we to take things seriously if companies like Microsoft cannot even manage to do so? Who can we trust? It’s beginning to feel like the X Files.

It gets worse. According to a noted worm expert (and yes, there is such a thing), the damage done so far is only the tip of the iceberg of what is possible. Jonathan Wignall, a member of an independent security council in the U.K., spoke recently at a European hackers conference, saying that most worms have been “amateurish” in construction, and capable of much more than has been evidenced so far.

Amateurish?? If that’s true, I don’t want to see a slick, professional version. The future could get scary. And here I thought chicken pox was bad.