When I turned 17, I went to a Toronto bar with a couple of friends to celebrate and had a few too many beers. I was underage, but nobody seemed to care much about ID in the early ’70s. Walking up Yonge Street after the bar closed, we passed a newspaper box. In those days, you did not have to deposit a quarter to unlock the security door before picking up your paper. Nobody seemed to care much about security back then, either. People paid for their papers. I, on the other hand, pulled a pile of papers out of the box and tossed them into the air. “Extra! Extra!” I shouted, and my friends laughed.
Looking back, I know my stunt took no courage, intelligence or wit. And I absolutely regret the stupidity, and waste, of my actions. Hey, if I was 17 today, I might be writing viruses.
Consumers may think of virus writers as idiot savants: idiots for writing viruses that wreak havoc on computer systems around the world, and savants for figuring out how to do it. But most virus writers are just idiots. They know how to find Web sites that describe how to create and send viruses, and then blithely copy the work of others, complete with typos. Such acts take no courage, intelligence or wit.
While industry insiders try not to stereotype virus writers, they admit that most people who write viruses are male, between the ages of 14 and 24, ruled by the raging hormones of adolescence. They are doing it for kicks and are not especially gifted, says Chris Wraight, technology consultant at Sophos, an anti-virus software developer in Boston.
“They can come in all shapes and sizes, from diverse cultures and economic backgrounds, male and female,” says Sarah Gordon, senior research fellow with Symantec Security Response. Virus writers can be “the boy next door, the woman processing your HR requests, or the lifeguard at your local leisure centre. Alternatively, he or she may be half a world away.”
“They’re usually young kids, computer geeks, who are motivated in the way that graffiti artists are. They want to leave their mark but want to do it anonymously. They really showing off in most cases,” says Calvin Gotlieb, Professor Emeritus with the University of Toronto. They tend to target Microsoft applications so they can get the biggest bang for their efforts but “they’re not brilliant. Even some of the most successful viruses are not too complex.”
That’s why there have been very few viruses written for computers running the Macintosh and Linux operating systems. However, Linux is gaining in popularity and Professor Gotlieb predicts that virus writers will start to pay more attention to computers running on Linux. As if to make him seem prescient, Linux users were hit with a new virus shortly after he was interviewed for this article.
Not all virus writers are controlled by their hormones. There are sophisticated virus writers who create unique viruses that immature adolescents copy. Then there are virus writers with hacking skills who create viruses like Bugbear, which hit as I was researching this article. Technically a mass-mailing worm, Bugbear has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs.
Authorities are also concerned that some virus writers and hackers may belong to political groups intent on inflicting cyber-terrorism.
“Viruses are rarely politically motivated, and do not make very good weapons for the terrorist,” says Gordon. However, she does not downplay the overall threat of cyber-terrorism.
“As a society we are being naive if we think it’s only the drive-by hackers of the world” who are experimenting with viruses, says James Teel, director of security solutions for 3Com Corp. “Espionage hackers” and “terrorists networks” are out there, he warns. They may not have yet inflicted 9/11 damage on cyberspace, but government agencies and companies must remain vigilant and guard against them. However, Teel agrees that terrorists will use more than viruses should they launch an orchestrated attack on cyberspace.
Wraight says stricter enforcement and prosecution, complete with firmer penalties, might deter those who distribute viruses. However, he points out that many virus writers are outside the reach of North American law enforcement agencies – located in Pacific Rim or Eastern Europe countries where CD-ROM piracy is rampant because the countries have lack or non-existent copyright laws and there are few laws to deal with those who create and distribute viruses.
But even governments will use nefarious computer tactics to achieve political ends. The Chinese government has been accused of attacking web sites run by members of the banned Falongong movement, notes Professor Gotlieb.
Virus writers are not to be confused with hackers who know technology intimately and who sometimes use knowledge for nefarious means. While the skill set of the hacker is more developed than that of the virus writer, we are seeing the gradual blending of the two due to the convergence of viruses and hacking, says Gordon.
If you wonder when the deluge of viruses will end, don’t hold your breath. Just like each new generation of children discovers Dr. Seuss and The Cat in the Hat, each new generation of adolescents creates viruses. That’s why corporations and individuals should be prepared for an increased onslaught of computer viruses, according to MessageLabs, a British antivirus software firm that predict the growth rate of viruses will “vastly outpace” the growth rate of e-mail use.
In addition, viruses are becoming more sophisticated. Unfortunately, we can expect to see more so-called blended viruses, such as Nimda, that use multiple methods of attack. Nimda spread via e-mails and infected Web pages and servers. Then there are the e-mails that link to Web addresses that, if visited, automatically send a virus to the user’s computer. No attachment required.
While PC users and network managers have to gear up for the expected onslaught, experts warn that users of mobile devices and pocket PCs should also take action to protect their technology from the from wireless viruses. It is estimated that less than five per cent of wireless devices on the market are protected by antivirus software, yet the dynamic growth of the mobile device market is well documented. It is estimated that 483 million wireless units will be sold to users globally, and one third of the world’s population will own a wireless device, by 2008. The majority of these devices will have wireless data capabilities. PDA shipments in 2001 totalled 13.1 million units, an 18 per cent increase from 2000. The number of mobile wireless Internet users is expected to expand 18-fold, from approximately 39 million worldwide at the end of 2000 to approximately 729 million in 2005.
By 2004, wireless devices such as personal digital assistants and mobile phones will surpass the number of personal computers used today, and more than 1.5 billion of these devices will be equipped with wireless capabilities.
Considering the damage viruses can do to computers, data and productivity, it should come as no surprise that the IT security industry will see across-the-board growth in the next few years, according to both International Data Corp. and Dataquest Inc. Framingham, Mass.-based IDC reports that the market for managed security services could hit US$2.2 billion by 2005, while San Jose-based Dataquest predicts the market for security software should reach US$4.3 billion by the end of this year.
“Enterprises are looking particularly at defensive security technologies such as antivirus software, intrusion-detection systems and firewalls,” said Colleen Graham, an industry analyst at Gartner’s Software Industry Research group.
Small- to mid-sized companies don’t have the resources to construct appropriate defences and will look to outside firms for help, according to IDC. However, the owners and managers of smaller firms also lack security awareness and tend to react after a hit, rather than act to prevent one.
When it comes to protecting your computers, the total number of viruses that exist is not as important as the number that are actively spreading, says Gordon. (Visit www.wildlist.org for an idea of viruses reported worldwide.) Industry experts agree that companies should use multi-layered protection – antivirus software, firewalls, intrusion detection systems and other means – to combat viruses.
“You can reduce your risks by using products that update themselves automatically,” says Gordon. This will minimize the risk of a virus exploiting a security hole or slipping in under the radar because someone forgot to update the antivirus software.
Finally, its critical to remember that viruses are not just a technical problem, but a social one as well, says Gordon. “That means, not only do you need to protect your computers, but you need to talk to your staff about their own computing behaviour.” They should only open documents or attachments they are explicitly expecting, keep their desktop antivirus software up and running and know who to contact in case of a virus emergency.
CONTAINMENT IS CRUCIAL
Sometimes, no matter what you do to keep viruses off your network, you get hit, says James Teel, director of security solutions for 3Com. If a self-replicating virus breeches perimeter protection and your antivirus software is not up to date, you have to contain it or suffer the consequences – enterprise-wide.
“We subscribe to the theory of defence in depth,” he says, referring to network security as an onion. Peel away one layer of security and you should find another. Like 3Com’s hardware-embedded firewall, which controls the flow of information from a user’s computer or from computers in a particular department. If, for instance, a salesperson has no reason to access accounting files or the e-commerce server, then the embedded firewall will not allow a virus that hits the sales department to reach accounting or the server.
The embedded firewall is not reliant on the host operating system to run, so it is not open to Windows NT vulnerabilities, for instance. Only the IT security administrator can make the policy change required to allow a person or department to move beyond the embedded firewall.