Anniversary of Computer Virus No Cause for Celebration

Over several decades, viruses and worms have grown from academic exercises to online threats, wreaking havoc on millions of computers worldwide.

Not everyone agrees on their exact origin, but they date back at least 20 and maybe even 30 years. The idea of using the term "virus" to describe unwanted computer code was first published in 1970, and some accounts detail the spread of the first virus in 1975 as simply the distribution of a game on UNIVACs (Universal Automatic Calculators). The virus Elk Cloner that infected Apple IIs followed in 1982. In 1984 a professor at the University of New Haven wrote a research paper describing possible threats from self-propagating viruses and explored potential defenses against them. He wanted to further investigate antivirus countermeasures, but the National Science Foundation denied his request for funding.

The term "worm" was first used in a 1982 paper by researchers at the Xerox Palo Alto Research Center to describe the automated program they used to update an Ethernet performance-measuring application. However, a bug in the program eventually crashed all 100 of the experiment's computers. The paper cited a 1972 science fiction novel describing a "tapeworm" program spreading around the global networks as the inspiration for the term.

Many virus historians believe that two Pakistani brothers created the first IBM personal computer virus in 1986 as a way to advertise their company, Brain Computer Services. They programmed the Brain virus to overwrite the boot instructions found at the start of system disks, displaying the message "Beware of this VIRUS.... Contact us for vaccination..."

That was only the beginning of viruses that infected floppy disks, hard disks and files. Although viruses and worms took more than a decade to emerge in significant numbers, they soared in subsequent years. By the end of 1990, about 200 viruses had been identified. Today, that number has jumped to more than 70,000.

Even if viruses aren't designed to be intentionally malicious or dangerous, there can be unexpected results if they get outside a controlled environment. The exponential doubling of viral code greatly magnifies minor errors and becomes the difference between a harmless prank and a devastating attack. The ability to propagate across the Internet has allowed this kind of malware to spread very quickly. Although many programs quickly fizzled out, others have far outgrown the intentions of their authors, and small modifications of the original code produced new variants that continued the attacks.

Later, worms evolved into two categories. Some camouflage themselves as interesting e-mail attachments, which execute when opened, infecting systems and mailing themselves to every name listed in the computer's address book. Other worms need no human interaction, infecting computers that have certain security flaws and then using the new host to scan for more computers with the same flaw. These worms are modeled after the Cornell Internet Worm, which overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet, in November 1988.

The growth in popularity of computers and Internet use, along with the vulnerability of the Windows platform and other Microsoft programs, has allowed the rapid spread of viruses and worms. In 1995 Microsoft accidentally shipped the first macro virus that could infect Word documents. The Concept macro virus rewrote the rules for viruses, and viruses began spreading via e-mail and the Internet. In the early days of viruses it would take months for a virus to spread into the wild. The first successful mass-mailing computer virus was Melissa, a macro virus that started spreading in March 1999 and contained a lot of code from previous viruses.

Today, a virus can spread around the world in a matter of minutes, and virus writers quickly pass techniques for creating the latest worms by posting their toolkits in the virus-exchange underground. Many worms are written in one of several scripting languages, which can be read by even semi-knowledgeable virus writers and changed to release variants in only hours after a major virus epidemic. For example, virus writers latched onto LoveLetter, which struck in May 2000, and cranked out more than 40 variants.

Boot viruses began to diminish in 1997 as macro viruses flourished until 2000, when they too declined as worms began a steady rise. Soon the worms dominated the top ten variants of malicious code. Two months after the major Code Red worm attack of July 2001, Nimda hit the financial industry hard, giving Microsoft a security wake-up call and illustrating the dangers of self-reproducing threats that used multiple vectors of attack. Nimda infected computers through the same flaw Code Red used but also infected shared hard drives, spread itself through e-mail, and created Web pages that spread the worm. Even after Microsoft issued patches for the vulnerabilities, most people were apathetic and failed to download and apply the patches.

To stave off future attacks, companies and Internet providers began filtering e-mail attachments at their gateways, the connections to the Internet. Antivirus software companies try to beat worms at their own game by distributing new virus detection faster than the viruses can spread. However, if a new virus doesn't match any of the types contained in the filtering software's definitions, the scanner won't flag the attachment as malicious code.

The latest Mydoom virus was effective because it initially passed the scanning software. It posed as a harmless text file containing an e-mail message that claimed to be a failed mail transaction from a colleague or friend, offering the believable explanation that the original message had to be translated into a plain-text file for delivery. Even some savvy recipients were duped into opening the attached file, which was really an executable file carrying the virus. The innocuous subject line of the infected e-mail was "Hello," "Server Report," "hi," "Mail Delivery System," "Mail Transaction Failed," "Status," or "Error."
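The two filtering approaches described above, definition-based scanning that misses anything not already in its signature list and a content check that catches an executable posing as a text file, as an added illustration that is not code from the original article. Subject lines are the ones quoted above; the attachment bytes, file names and hash "signatures" are constructed for the example.

```python
import hashlib
import re

# Subject lines the article quotes for the infected e-mail (lowercased for matching).
MYDOOM_SUBJECTS = {"hello", "server report", "hi", "mail delivery system",
                   "mail transaction failed", "status", "error"}

# Constructed attachment bodies: an "original" sample and a slightly altered variant.
# Both begin with the DOS/Windows executable marker "MZ" even though they are mailed
# under a text-looking file name.
ORIGINAL = b"MZ\x90\x00constructed-original-worm"
VARIANT = b"MZ\x90\x00constructed-variant-worm-A"

# Definition-based scanner state: hashes of samples the vendor has already analysed.
# Only ORIGINAL is "known"; the variant has not been added yet.
KNOWN_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest()}

def signature_match(payload: bytes) -> bool:
    """Classic definition check: flags only attachments whose hash is already known."""
    return hashlib.sha256(payload).hexdigest() in KNOWN_SIGNATURES

def looks_like_executable(payload: bytes) -> bool:
    """Content check: a 'text file' whose bytes start with the executable header."""
    return payload[:2] == b"MZ"

def has_misleading_name(filename: str) -> bool:
    """Name check: a document-looking name that really ends in an executable extension."""
    return re.search(r"\.(txt|doc|htm)\.(exe|scr|pif|cmd|bat)$", filename, re.I) is not None

def gateway_verdict(subject: str, filename: str, payload: bytes) -> str:
    """Decide what a gateway filter should do with one attachment.

    Returns 'signature' (exact definition hit), 'heuristic' (executable content or
    name disguised as text, which catches unknown variants), 'review' (only the lure
    subject matched, too weak to block on its own) or 'pass'.
    """
    if signature_match(payload):
        return "signature"
    if looks_like_executable(payload) or has_misleading_name(filename):
        return "heuristic"
    if subject.strip().lower() in MYDOOM_SUBJECTS:
        return "review"
    return "pass"

def scan_mailbox(messages):
    """Apply gateway_verdict to (subject, filename, payload) tuples; returns verdicts in order."""
    return [gateway_verdict(s, f, p) for s, f, p in messages]
```

The variant slips past the signature check exactly as the article describes, but the content check still stops it because the bytes do not match the claimed text format.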

The SCO Group, target of the original worm's denial of service attack scheduled for February 1 (its fourth in the past 10 months), offered a $250,000 reward for information leading to the virus author's arrest. When a variant targeted Microsoft, Microsoft offered a similar reward.

MessageLabs reported that in the first 4 days it had trapped over 5.5 million copies of infected e-mail headed for its clients. At one point, one in every 12 e-mails was laced with this worm, compared to last year's SoBig virus outbreak, which peaked at an infection rate of 1 in 17 e-mails. Other antivirus companies reported that Mydoom (also known as Novarg) generated more traffic than any e-mail worm in history. 

Viruses that have multiple vectors are the worst threat because they can send e-mail, perform a distributed denial of service attack and open a backdoor. The most problematic viruses have been the most recent. SQL Slammer broke all records for the speed at which it was able to spread, to the point of disabling ATMs and bringing Internet traffic to a halt. The SoBig Project employed spammed worms to infect PCs that could be used to install spyware, steal financial credentials, act as a front for spamming operations, launch DDoS (distributed denial of service) attacks on anti-spam sites, and allow spammers to be virtually untraceable.

Although many worms are benign, they demonstrate serious vulnerabilities, and the sheer volume of traffic can cause effective denial-of-service attacks because of bandwidth consumption. While IBM-compatible computers are the initial target, the network downtime and cleanup costs affect computers on all platforms. Mail servers are overloaded with the sheer volume of bogus messages, and automated responses from filtering software multiply the problem.

Once the latest threat has passed, infected machines remain open to remote control. So everyone should remain vigilant to apply patches, maintain current virus signatures, and otherwise secure their systems. Whether the next attack comes from worms, e-mail spamming of Trojans, newsgroup postings, websites or other methods, one thing is for sure: this kind of malware has gone from being just a nuisance to a permanent menace.