January 18, 2000 Web posted at: 3:05 p.m. EST (2005 GMT) by Mark Leon

From...

(IDG) -- Year-2000 viruses proved to be as impotent as the infamous year-2000 bug itself. As the long-anticipated date approached, fears grew that hackers would take advantage of the millennium to launch new attacks. But it didn't happen, and Charles Rutstein, an analyst at Forrester Research, in Cambridge, Mass., is not surprised.

"We have been saying for the last six months that the millennium would be a complete nonevent as far as viruses are concerned," Rutstein says.

He cites two reasons for this. "First of all, most virus writers had better things to do on New Year's Eve than to sit around and watch their creations take life. Secondly, even though the propagation rate for new viruses is much faster than before, the notion that any virus writer could time a virus outbreak to occur exactly on the eve of Y2K is ludicrous."

The worst problems came from malicious code that took advantage of year-2000 fears.

"Some of our biggest challenges came from people springing Y2K hoaxes," says Don Jones, director of Y2K readiness at Microsoft, in Redmond, Wash. "There was one that claimed to be from Microsoft Support.com, and another claimed to be from Bill Gates."

They were both bogus and contained malicious macro code.

"A lot of our customers don't realize how vulnerable they are to this kind of hoax," Jones says.

Technically, the year-2000 bug itself could qualify as a Trojan horse virus. If it rears its head, it will do something unexpected the hallmark of a Trojan horse. In this case, the unexpected action is simply that the program with the bug is still running. Such year-2000 problems are a direct consequence of the fact that programmers never expected their code to last so long.

Although year 2000 didn't initiate the onslaught of viruses expected, the proliferation of computer viruses today has been ushered in by technical innovations such as the Internet that created infinite opportunities for unsuspecting technology users to be thwarted.

So even though Jan. 1, 2000, came and went without much incident on the virus front, IT managers will need to be ever more vigilant about protecting their companies from a business-halting virus outbreak as the new millennium brings increased dependence on the Web and interconnectivity of networks.

A hacker's dream

Imagine an exploding population of homogeneous organisms, with each one able to initiate intimate contact with any other. Add a small group of wily predators who love to tinker with the forces of nature, and the stage is set for artificially induced epidemics.

	ALSO
$12.1 billion reportedly spent to ward off computer viruses in 1999

This describes exactly the present state of affairs in information systems, and the increased vulnerability to viruses and malicious code, according to Carey Nachenberg, chief researcher at Symantec's anti-virus research center, in Cupertino, Calif.

"It is very different from anything we have seen before," Nachenberg says. "For the first time, we have a computing monoculture. Monocultures in the natural world are extremely vulnerable to pests such as viruses."

The same is true, he adds, in the not-so-natural world of computing.

"By the end of last year, there were more than 200 million PCs connected to the Internet," Nachenberg says. "Ninety percent of these are Windows machines running the same applications, such as Word, Microsoft Exchange, and Excel."

The reasons for concern do not stop there. Not only do the unscrupulous have a bigger field to play in, they also have tools that are easier to use and potentially more dangerous.

"The advent of macro and script viruses -- viruses written in Macro languages such as Word Macro and VBScript -- makes it fairly easy to write new ones," says Vincent Gulotto, director of Avert, the emergency response team at Network Associates (NAI), in Santa Clara, Calif.

MORE COMPUTING INTELLIGENCE

IDG.net home page

InfoWorld home page

InfoWorld forums home page

InfoWorld Internet commerce section

E-BusinessWorld

Reviews & in-depth info at IDG.net

IDG.net's personal news page

Year 2000 World

Questions about computers? Let IDG.net's editors help you

Subscribe to IDG.net's free daily newsletter for IT leaders

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

ActiveX and Java add to this problem, says Sal Viveros, group marketing manager for total virus defense at NAI.

"This is mobile code. As it becomes easier to use, we will see more mobile virus code," Viveros says, adding that this kind of mobile virus code is particularly scary because it can be activated simply by surfing to a Web site.

It can also be argued that Microsoft is a victim of its own success when it comes to malicious code. It is precisely because Windows is the predominant platform that almost all attacks are targeted at the Windows environment. And most of these are completely impotent on the Macintosh. Malicious applets, however, could change this. Steve Lipner, manager of the security response team at Microsoft, points out that because Java is cross platform, it might offer an even more tempting target for hackers. "A Java virus will run on Microsoft, Sun, Apple, and just about anywhere else," Lipner says.

But Ken Bereskin, director of O.S. technology at Apple, says that Mac users have been fortunate that the more malicious, Internet-borne, macro viruses have no effect on the Macintosh.

Most analysts and users agree that it is only a matter of time before the invasion of the bad applets begins.

Don't panic ... yet

Anti-virus software vendors such as Symantec and NAI enjoy a steady revenue from selling protection from just these kinds of threats, so IT professionals must take such warnings with healthy skepticism. However, analysts tend to support all of the above concerns. And while they, too, stress the need for calm, they also caution against complacency.

"When macro viruses first came on the scene, most viruses were still written in assembly language or machine code," says Roger Thompson, technical director of malicious code research at ICSA, a computer security research company in Reston, Va. "And they were spread by physically transporting infected floppies from one machine to another. In those days, we recommended that you upgrade your anti-virus software every two to three months."

Now it can be as often as every few hours.

"Anti-virus software that automatically updates itself makes sense in the present environment," says Ron Krantz, chief IT architect at Niagara Mohawk Power, in Syracuse, N.Y. "Vendors like Anti-Virus Pro offer four or five fixes a day."

This may sound a little extreme to IT managers who support thousands of clients. Krantz emphasizes that businesses need to find the right balance when implementing an anti-virus solution.

"Rarely will you need to get updates that often," Krantz says. "The vendors are already very quick to get fixes out to everyone when a new virus appears. So daily updates will matter only if you are the unfortunate one to get hit first."

Another factor, according to Krantz, is resource allocation. In other words, productivity lost from constant software upgrades can easily be greater than the productivity lost from a new virus.

"It takes time to download the new fixes to each desktop," Krantz says.

No-hands attack strategy

Two of the biggest anti-virus vendors, NAI and Symantec, are scrambling to make their anti-virus code smart enough to automatically upgrade only when necessary. This method has yet to be proven, but if successful, it could give network managers a little more breathing room.

Anti-virus software operates by scanning for a match with a signature file. These signatures are the fingerprints that identify malicious code. Signature scanning technology is mature, and the software is now quite effective. But no matter how good the software is, it can't finger a new virus unless that virus's signature is known and filed in a repository.

When viruses used to spread primarily via "sneakernet," upgrades to such databases every few months were usually adequate to protect most networks. But Web and e-mail viruses have increased the rate of transmission by several orders of magnitude. "Today, it is entirely possible that a virus which surfaced for the first time in Malaysia could show up on your desktop the very next day," Forrester's Rutstein says.

This is why NAI and Symantec are working to completely automate the process of providing signature updates. NAI calls it the AutoImmune system, and Symantec has its Digital Immune system. Neither is fully functional yet, but both employ heuristic technology to identify suspicious code.

"Think of it like this: If you see someone walking down your street wearing a mask and carrying an automatic weapon, you might get suspicious," Symantec's Nachenberg says. "Our heuristic software is designed to recognize suspicious code."

Once that code is identified, the software will automatically send a copy to the vendors' labs. The code is analyzed, and if it is indeed malicious, experts will create both a signature file and a fix. These will then be sent via the Internet as automatic upgrades.

"Ideally each workstation will be capable of detecting what it thinks is a new virus," says Thompson. "And it should be able to get a response in 30 minutes."

Batten down the hatches

Whether these solutions will really offer users the security they promise remains to be seen. Meanwhile, IT managers struggle to make do.

"We are considering doing virus scanning on all incoming e-mail," Krantz says, but he adds that there are some major problems with implementing such a solution.

"It is expensive, it creates a bottleneck at the mail server, and it isn't clear that such a scan will be all that effective," Krantz says.

This last concern is a direct consequence of the new methods employed by hackers

"We aren't just scanning for binary code inside an executable anymore," Krantz says. "The bad code could be hidden in a password-protected Zip file or encrypted in SMIME [Secure MIME]. These are things we can't even scan."

So as new applications and systems continue to open doors for hackers, and the interconnected Internet landscape expands, IT managers will have to keep closer watch over their growing networks in the coming years. At the same time, IT can count on anti-virus vendors to work on fighting the latest exploits.