Search Engine Optimization, Blog Design, Movable Type Customization, and more.
Mark Carey

Computer worms overwhelm inboxes

Posted: March 2, 2004 1:11 PM

As published by

Computer worms overwhelm inboxes
Flood of viruses keep antivirus firms working round-the-clock

By Bob Sullivan
Technology correspondent
Updated: 7:00 p.m. ET March 01, 2004

Finnish virus researcher Mikko Hypponen had simply had enough on Saturday, and set about lighting the wood to heat the water in his sauna. A relentless stream of new viruses was taking its toll on him and his team, which has been working weekends and late nights for weeks now.

Since the discovery of the Mydoom virus in late January, virus writers have been releasing malicious programs at a furious rate. There are some 15 variations of the Mydoom, Netsky, and Bagle viruses still making the rounds, and taken collectively, virus researchers say our e-mail might be more clogged than ever before. Inboxes around the world are teeming with cryptic notes that have simple messages like "Here is the file," or "I want a reply."

When antivirus companies give names to malicious programs, they add letters to virus names as a way of indicating variants, with NetSky.A being the initial version, NetSky.B the second variation, NetSky.C the third, etc. On Monday, researchers were up to NetSky.E, Bagle.H, and Mydoom.H.

With all the variants running around, it's nearly impossible for consumers to know what they are dealing with. And since most of the viruses come with randomized file names and included text, it is impossible to tell consumers how to spot the malicious programs with the naked eye.

Hypponen, who works for Finland-based F-Secure Corp., has spent the past month trying to plug up the leaky dam that is the Internet, full of malicious programs. It's a cat and mouse game. He and his team scramble to detect new worms soon after they are released, and then update antivirus software around the world before a new virus has a chance to get momentum.

It's a battle the antivirus industry certainly isn't winning, and recently, it might be generous to describe the situation as a stand-off.

On Saturday, Hypponen was determined to grab himself a few moments of peace, and things seemed to have calmed for the moment. But just as the water in his sauna reached soothing temperatures, he received another urgent message. A new version of the Bagle virus was spreading. He had to go to work, again.

"I never got to go in the sauna. That really hurts," Hypponen said. "If you look at the whole last month, it's been bad."

Meanwhile, it's Internet users who find themselves in hot water, trying to sidestep the tiny electronic bombs that keep landing in their inboxes.

New Netsky will play annoying sounds
By Monday, the new version of Bagle wasn't Hypponen's biggest concern any more -- a new version of NetSky, the fourth, called NetSky.D, had become the biggest pest of the day.

That virus, discovered on Monday, probably wins for most annoying feature. It instructs infected machines to play a cryptic audio file for three hours on Tuesday morning -- one that sounds a bit like a 1960s-era science fiction movie computer hard at work.

"I think it's pretty close to the worst time ever ... oh, what's this?" said Vincent Gullotto, a researcher with Network Associates Inc. During his interview with on Monday, he received word of yet another NetSky variant, NetSky.E.

In the past eight weeks, Network Associates has signaled its internal virus alarm bell, called a "Virus Outbreak Process," 11 times. Ringing the bell means an entire slate of emergency procedures are set in motion: Researchers have to return to their desks in the middle of the night, major customers receive warnings, the press is notified. Eleven alerts is more than Network Associates issued in 2002.

Vincent Weafer, a researcher for Symantec Corp., said his firm has six different viruses currently rated a medium or high risk. Generally, the company averages one or two a month.

"The only thing that compares with this time is last August, when we had Blaster, SoBig, and Welchia at about the same time," he said.

Virus gang warfare?
There are some theories about why virus activity has picked up in recent weeks, but no one's really sure why. The sexiest of these: rival groups of virus writers are engaged in what might be called Internet gang warfare. The NetSky.C virus included a message taunting authors of another worm, according to Network Associates. Buried inside the computer code was the text:

"We are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! SkyNet AV vs. Malware."

The virus itself disables many of its predecessors.

"There could be some type of competition going on," Gullotto said. "But there's really no evidence of that." The message is hardly definitive, he said.

Weafer thinks the increase is due in part to the overwhelming success of the Mydoom virus, which began its spread during the last week of January.

Mydoom, called the fastest-spreading e-mail virus ever, left hundreds of thousands of computers infected with back-door programs in its wake. Back-doors make PCs readily available to hackers and virus writers, who use them to jump start the launch of new viruses. Other variations have also left PCs vulnerable to this kind of attack, continually making the job of "seeding" a new virus easier.

"They are definitely leveraging the infected machines out there. There is a critical mass, ... a growing number of knowingly compromised machines they can use," Weafer said. Virus writers continue to build on each other's work, as well, making the creation of a new variant as simple as "plug and play, click and hack," Weafer said.

But perhaps most disturbing, Hypponen said, is that virus writers seem to be taking the cat-and-mouse game with antivirus firms to a new level. Generally, new variants for successful worms take days or weeks to appear, making a natural ebb and flow to the antivirus game, giving researchers time to come up with fixes for each new worm. But the author of the Bagle worm, for example, seems ready with a new variation the moment antivirus firms post their definitions foiling the worm. There have been five new versions of Bagle since Friday night, Hypponen said.

"Whoever is behind it is sitting around waiting for us to respond," Hypponen said. "If the target is to exhaust the antivirus people, he's succeeding at it. My team is really tired. We are working through the night and the weekends."

The best way for consumers to protect themselves is to direct a healthy dose of skepticism at every unexpected e-mail, perhaps more than usual. Terse, awkward-sounding notes should be a tip-off. Suspicious messages should be handled with care, or deleted immediately. Frequently updated antivirus software can also help.
