“Hi! How are you? / I send you this file in order to have your advice / See you later. Thanks.”
the text of e-mail messages infected with the Win32.SirCam.137216 virus which is sent to me about six times per day.
One of the most interesting things about the latest crop of viruses is that they are crap. If you compare today’s hugely successful viruses (in terms of number of infections) with viruses of old you will notice how dumb the viruses of the Oughts are (that’s Oughts as in the ’00s – what else could you call them?).
Want to see clever virus engineering? Check out the “Dark Avenger,” a Bulgarian hacker back in the mists of time otherwise known as the very early ’90s (see www.research.ibm.com/antivirus/SciPapers/Gordon/Avenger.html). Amongst other creations, he invented the infamous “Mutation Engine” that made it very difficult to identify viruses in infected files. This guy was good!
Today, the majority of viruses rely on pretty dumb exploits that usually have a low probability of actually working as planned, usually because the standard of coding is amazingly low. So, how do we explain their enormous success? Simple: The systems they infect are more complex and better connected than they were in the ’90s, but no better engineered to defend themselves against malicious code.
In short, software manufacturers – most notably Microsoft Corp. – have not addressed systems integrity as a core, strategic issue because there’s no money in it. It is a simple matter of economics: Don’t build in what users won’t pay for.
Users – consumers and corporate – will pay for lots of chrome and eye candy, booming sound and features that they’ll never use, but ask them what they will pay for a truly defensible system and they’ll look at you like you’re speaking in Urdu.
And it is this attitude, my friends, that is going to get us all into big trouble. We don’t want to spend the money or the time to make sure our systems are really secure because we think the other stuff we have to do is more important and valuable.
For example, many of you use VPNs to keep traffic between your remote users and the corporation private. This is a nice idea, but usually not a complete solution, as the remote PC can be compromised such that the PC end of the VPN is accessible to nefarious software (think Back Orifice and its spawn).
Now I’ll bet some of you are saying, “Gibbs, get real, it’s a trade-off between usability and cost, and the probability of a compromised remote PC is low enough that the contingent cost of a security breach is acceptable.”
OK, if you want to sound like an actuary, that’s your business. (Definition: An actuary is someone who comes down from the hills after the battle to kill off the wounded to make them easier to classify.)
Just realize that this kind of risk assessment is only applicable for today’s systems and today’s PC environments and that the first virus that is smart enough to mine PCs it infects for “interesting data” to send back to its masters may well spread through the majority of your PC population before you can say “Chapter 11.”
I think it is time for a complete re-think about the issues of security and reliability of networked corporate PCs – particularly those based on any version of Windows – because while we can accept the risk today, the risk tomorrow could be on a scale that is orders of magnitude greater.
Just wait until the virus message reads: “Hi! How are you? / I have your data. / See you later. Thanks.”
Gibbs is a contributing editor at Network World (US). He is at [email protected]