Computer Viruses: On the Offensive

Human frailty, spam and a dangerous Microsoft Windows vulnerability combined to produce a flood of new Internet worm attacks in August. There were four major worm infections, including the Aug. 11 appearance of W32.Blaster, a virulent new worm that exploits a flaw in a Windows protocol.

Blaster spread worldwide in a matter of hours, infecting hundreds of thousands of machines. A poll of 1,100 organizations by TruSecure found that almost 21 percent were infected by Blaster. As Blaster tailed off, new worms emerged that exploited the same vulnerability. At the same time, a new version of the Sobig worm, Sobig.F, began bombarding e-mail accounts around the world.

But contrary to appearances, the recent spate of large outbreaks does not herald the arrival of a more dangerous generation of worms. Blaster took very little skill to write and improvements in Sobig’s ability to self-replicate was the reason for its virulence.

Media attention given to the worm outbreaks is also to blame, says Neel Mehta, a research engineer at Internet Security Systems X-Force. “Virus writers get recognized, and that encourages them and others,” he says. While experts tend to agree on the reasons behind the new worm outbreaks, there is less consensus about what to do to stop them in the future.

Most agree that antivirus vendors need to do a better job of weeding out security holes in their products. Companies also need to be better about promptly applying software patches.

But others lay blame at the feet of antivirus companies, which still require their customers to apply patches to be protected against new threats. “Traditional antivirus protection is very reactive in nature. Antivirus vendors don’t know about a new virus until their switchboards start to light up with calls from their customers, then it’s a race against time,” says Mark Sunner, CTO at MessageLabs, an e-mail security provider.