By Alex Salkever

Hollywood could not have made up a more menacing sequel. Let's call it Blaster Worm II: Attack of SoBig. Hot on the heels of the Blaster Worm scare, another nasty virus spread out across the Internet in late August, taking over mail programs of vulnerable machines running Microsoft (MSFT) operating systems and then replicating itself from computer to computer via bogus e-mails. The sixth and worst variation, SoBig.f, hit on Aug. 19.
In the end, the Feds and good geeks worldwide saved the day, unraveling the secret code for the SoBig worm just in time to prevent mass calamity. On Aug. 21 a team of Finnish antivirus experts discovered encrypted code that held the identity of 20 sleeper computers connected to broadband links. The SoBig author had included commands that would direct the untold thousands of infected computers to call in to those sleeper machines and download a mysterious Web link on Friday, Aug. 22, at 3 p.m. EST. The link could have contained code to launch a new and more serious attack, the experts feared. In fact, it seems it only redirected machines to a porn site, but the idea of huge numbers of infected computers coming under outside control simultaneously has a distinctly ominous edge.
U.S. law enforcement may also be on the trail of the worm author. The FBI has served a subpoena to a Phoenix, Ariz., Internet service provider for tracking information. And a massive digital posse continues to search for clues on the Net that might reveal the origins of SoBig.
"POLLUTED PROTOCOL." While a major crisis was averted, the SoBig virus still managed to infect half a million computers worldwide, crashing mail servers and sending hundreds of millions of bogus messages using a technology called multithreading that allows programs to send multiple messages simultaneously. The back-to-back chaos from Blaster and SoBig caused delays in Amtrak trains, closed banks in Norway, and interrupted Internet service at department stores in Singapore. Departments at several state governments shut down to deal with infected machines, and Air Canada's check-in systems checked out under the weight of the attack.
The worms also hit university networks, where thousands of users log in from often unprotected home PCs. The timing, as tech staffs were ramping up for the back-to-school rush, could not have been worse. "It has been a nightmare. We've got 2,000 systems here and we are barely keeping our heads above water," says William Richter, a technology specialist at Edinboro University, a state school in Western Pennsylvania.
Damage estimates range from $500 million to more than $1 billion in lost productivity, hours wasted, and lost sales. Clearly, in terms of cyber-misery, the past two weeks have set a new high-water mark. "There's an incredible amount of [virus] activity, and collectively, it's becoming very annoying," says Dave McCurdy, CEO of the Internet Security Alliance (ISA), a nonprofit advocacy and education group based in Arlington, Va. Chris Belthoff, a senior security analyst at antivirus software maker Sophos, worries about the eventual impact: He thinks such worm attacks are turning e-mail into "such a polluted protocol that it's quickly becoming unusable from a business perspective."
VIRUS MUTATION. That might be a bit of an overstatement. But even Sophos' mail servers -- patched, updated, and armored against the SoBig attack -- slowed under the bombardment of e-mail traffic unleashed by the SoBig worm. Technically, Apple (AAPL) machines weren't supposed to be vulnerable to the Microsoft-targeted virus. Yet, Apple users with the misfortune of having their e-mail address stored in a machine infected by SoBig also had to spend a good deal of time erasing bogus e-mails. In fact, increasingly, anyone who surfs the Net will find they have been either directly or indirectly affected by the rising tide of malicious software floating on the Web.
This latest generation of worms has led to speculation that spammers and virus writers have formed a sinister alliance that could turn infected machines into hard-to-track, and hard-to-stop, spam-delivery mechanisms (see BW Online, 8/12/03, "Unholy Matrimony: Spam and Virus").
It isn't much of an imaginative stretch to think of terrorists using these same tactics. The viruses are advancing rapidly from crude to cunning. In the SoBig worm, key sections of code were encrypted, forcing dozens of security experts to work around the clock just to understand what the virus had been programmed to do. "SoBig is not your average teenage kid writing code from his basement. This is professional and well executed," says Mikko Hypponen, director of antivirus research at security company F-Secure. At the same time, the number of attacks launched and software vulnerabilities reported are soaring. The World Wide Web is looking more and more like the Wild, Wild West, with peaceful settlers caught in the crossfire.
LOCK-DOWN. Security experts have long considered home PCs with always-on broadband connections as the most vulnerable to attacks. This weakness is quickly growing into a gaping hole in the Internet's infrastructure. Belthoff and other antivirus experts estimate that, while many corporate, government, and university systems caught the worms, by far the largest percentage of infected machines belonged to home users unschooled in information security.
Yet there finally seems to be a dawning awareness among Jane and Joe Home-User that it's a dangerous world out there, and they must keep their computers safe, much as they secure their homes and cars. Says the ISA's McCurdy: "The computer is not like a television. You don't plug it in and leave it. It takes constant updating and personal involvement in maintaining security."
How to get millions of PC users up to speed has remained a thorny topic for some time. For the past year, Microsoft has been installing its operating systems with some of the paths that could be used by attackers turned off as a default setting. Now, grudgingly, the company will likely make the rudimentary firewall installed on all Windows XP machines a default setting.
SHOCK ABSORBERS. Then there's America Online (AOL), which has launched an ad campaign touting its new tools to scan subscriber systems for vulnerabilities and provide them with antivirus software and firewalls to guard their desktop. Microsoft, likewise, put together a Web site to teach users how to lock down their machines by activating the firewall and using antivirus equipment.
These moves are a decent start. But the battle to get home users to wise up about Web security has only just begun. Security experts estimate 5% or less of home users are running firewalls. A significant percentage of home users have installed antivirus software. But considering that SoBig caused this mess with only 500,000 machines and the number of PCs on the Net around the globe is in the hundreds of millions, there are still more than enough PCs without antivirus software to allow big worm and virus outbreaks.
In this environment, the AOL approach of building protection into its subscriber software package has significant merit. Still, worms and viruses can sneak into even more heavily guarded corporate networks. So AOL and other ISPs surely will face the continuing threat of infection, and must educate the public about the threat.
Security mandates may ultimately be the only way to go. For example, ISPs, cable companies, or satellite signal providers might require all users to have a live, updated firewall and antivirus software on all PCs in the house before being allowed to log into a continuous high-speed connection. And software makers need to look harder at their code in order to prevent hackers from exploiting weaknesses. While the Feds and security experts fought SoBig to a standoff, Microsoft announced two more flaws in its software that required patching. That could very well presage a long, tough year fighting worms and viruses.

Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.