13 February 2004

Anatomy of a virus

They first detected it at 1.03pm, 15 days ago. An innocuous attachment in an e-mail sent from Russia triggered a minor alarm at the Global Operations Centre of Messagelabs, a leading e-mail security firm. No one paid it much attention. Just another new virus, one of the handful that are trapped, analysed and blacklisted every day in the darkened bunker in Gloucester, south-west England, they call the war room.

Here a large map of the world hangs over rows of terminals. A staff of pale, young operators work around the clock, filtering more than 30-million e-mails a day for the British government, banking giant Lloyds TSB and other large organisations. Incomprehensible code spools down their monitors like the screens from The Matrix. Viruses, spam and other “malware” are checked upstream by expensive super-processor towers before they can reach their clients’ computers.

Initially, the number of copies of the new virus — christened MyDoom after a misspelling of “my domain” in its code — was small, just a few hundred.

Unexpectedly, within just a few hours, MyDoom numbers started to rise: to 40 000, then to 80 000, then 100 000. “We were on the phone to everyone,” says anti-virus technologist Alex Shipp. “‘Drop everything. Get your anti-virus signatures out as soon as possible.'”

It was too late. After eight hours MyDoom spiked. Millions of copies poured across the Internet and all hell broke loose. E-mail servers around the world buckled. By the time it reached its peak last Tuesday, one in 12 e-mails was MyDoom-generated. This tiny sliver of code had beaten the records of August’s Sobig and the legendary Lovebug worm of 2000 to become the fastest-spreading virus to date.

MyDoom, like most viruses, was easy to detect, but stopping it spreading was another matter. Messagelabs’ heuristic virus-recognition engine, known as Skeptic, spotted it instantly. Unable to use this lightning corporate filter, home users and small companies had to rely on anti-virus software that has one main flaw: most of it relies on constantly downloaded fingerprints, or “signatures”, to recognise and block newly discovered viruses, so it cannot block a virus nobody has yet fingerprinted.

“Once a signature is installed, you’re protected,” says Paul Woods, chief information security analyst at Messagelabs. “The problem arises in the time between the virus appearing and the signature being released and installed — the so-called ‘window of vulnerability’.”

Eight hours during peak European and American business hours was more than enough time for the super-distributed virus to reach critical mass. By 9pm on Monday, thousands of people were opening it. It began replicating exponentially, shedding millions of copies of itself in all directions.

MyDoom’s genius was to disguise itself as an error message. “Mail delivery failed: returning message to sender” reads one of its terse subject lines. What looks like a text file or a Zip archive of the bounced message is attached; open it and the virus runs. Thousands fell for the ruse.
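The “window of vulnerability” Woods describes, and why a heuristic engine such as Skeptic is not bound by it, can be shown in a few lines. The script below is an added illustration, not Messagelabs code and not MyDoom code: a signature scanner that only knows attachment hashes it has already seen, beside a structural heuristic that flags the lure itself (a delivery-failure subject carrying an executable, directly or inside a Zip). The attachment extensions are the ones MyDoom actually used; the payload bytes, the sample subjects other than the one quoted above and the bounce-phrase list are constructed for the example.

```python
"""Signature scanning versus a lure heuristic, on constructed bounce-style mails."""
import hashlib
import io
import re
import zipfile
from dataclasses import dataclass
from pathlib import Path

# Attachment types MyDoom.A shipped as; the payload bytes further down are
# constructed stand-ins, not virus code.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".cmd", ".bat"}

# Delivery-failure wording. The first phrase is the subject line quoted in the
# article; the rest are assumed bounce phrasings added for this example.
BOUNCE_SUBJECT = re.compile(
    r"mail delivery failed|returning message to sender|"
    r"delivery status notification|undeliverable|mail transaction failed",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Message:
    subject: str
    attachment_name: str
    attachment_bytes: bytes


def fingerprint(data: bytes) -> str:
    """A stand-in for a vendor signature: a SHA-256 of the attachment bytes."""
    return hashlib.sha256(data).hexdigest()


def signature_scan(msg: Message, signatures: set[str]) -> bool:
    """Blocks only attachments whose fingerprint is already in the database."""
    return fingerprint(msg.attachment_bytes) in signatures


def attachment_is_executable(name: str, data: bytes) -> bool:
    """True for a direct executable, or a Zip whose members include one.
    Path.suffix keeps the *last* extension, so 'message.txt .pif' counts as .pif."""
    ext = Path(name).suffix.lower()
    if ext in EXECUTABLE_EXTS:
        return True
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(Path(m).suffix.lower() in EXECUTABLE_EXTS
                           for m in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def heuristic_scan(msg: Message) -> bool:
    """Flags the lure's shape rather than its bytes: a bounce-style subject
    carrying an executable. Needs no prior sighting of the sample."""
    return bool(BOUNCE_SUBJECT.search(msg.subject)) and \
        attachment_is_executable(msg.attachment_name, msg.attachment_bytes)


def make_zip(inner_name: str, inner_bytes: bytes) -> bytes:
    """Builds an in-memory Zip archive holding one member (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


# Constructed samples. KNOWN stands for the copy a vendor has already analysed;
# VARIANT is the same lure with one byte changed, as a repacked copy would be.
KNOWN_PAYLOAD = b"MZ\x90\x00constructed-sample-A"
VARIANT_PAYLOAD = b"MZ\x90\x00constructed-sample-B"

SAMPLES = {
    "known": Message("Mail delivery failed: returning message to sender",
                     "message.txt .pif", KNOWN_PAYLOAD),
    "variant": Message("Mail Transaction Failed",
                       "document.scr", VARIANT_PAYLOAD),
    "zipped_variant": Message("Undeliverable: test",
                              "message.zip",
                              make_zip("message.txt .scr", VARIANT_PAYLOAD)),
    "real_bounce": Message("Mail delivery failed: returning message to sender",
                           "original.txt", b"550 no such user\n"),
}

# The database as shipped before the outbreak: only the first sample is in it.
SIGNATURES_BEFORE_UPDATE = {fingerprint(KNOWN_PAYLOAD)}


def scan_all(signatures: set[str]) -> dict[str, tuple[bool, bool]]:
    """Returns {sample name: (blocked by signature, blocked by heuristic)}."""
    return {name: (signature_scan(m, signatures), heuristic_scan(m))
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sig, heur) in scan_all(SIGNATURES_BEFORE_UPDATE).items():
        print(f"{name:15} signature={str(sig):5} heuristic={heur}")
```

With the pre-outbreak database the variant and its zipped form pass the signature scan and are stopped only by the heuristic; adding the variant's fingerprint closes that window for it and nothing else. The caveat is the other side of the trade: a genuine bounce that returns an executable the user legitimately sent would also trip this heuristic, which is why such rules are tuned and combined rather than applied alone.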

Worse things, however, were in store for the Utah-based software company SCO. In an act of apparent sabotage, MyDoom and all its copies were programmed to launch a distributed denial-of-service attack on www.sco.com simultaneously at 4.09pm on February 1. Right on time, more than a million computers attempted to load the company’s Web homepage three times a second. The site buckled under the demands being made of it, before SCO disconnected it from the Internet.

Another less successful variant of the virus, MyDoom.B, tried a similar attack on Microsoft.com, but it was shrugged off.

The experts agree on one thing: there will be many more viruses to come.

“These things come in two or three-month cycles,” explains Shipp. “After a big virus, everyone becomes extra vigilant with their anti-viruses, but after a while, it tails off. They forget or can’t be bothered. That’s when another virus sneaks through.” It’s also easy to make viruses. Freely available toolkits can auto-generate them at the touch of a button.

Virus outbreaks may be dramatic, experts maintain, but they are just occasional annoyances compared with spam. A massive 62% of all e-mail in the world is now spam. On a visit to Britain last week, Bill Gates signalled Microsoft’s focus on developing e-mail technology to allow recipients to verify the sender of e-mails. “This is critical for security,” he said, “and for getting rid of spam.”

While welcoming the comments, some security experts are more pessimistic, even fatalistic. “E-mail is dying,” says Mikko Hypponen of F-Secure Corporation. “It’s coming to its end.” Any day now, he says, a MyDoom-style virus could quickly overload and break the entire e-mail system without a chance of recovery — simply by sending out millions of generic, unfilterable messages in a loop, round the clock, forever. “Then we would have to drop e-mail as we know it. Every e-mail server, every e-mail client in the world.”

“There’s so many computers out there using old operating systems with the date and time set incorrectly or with their battery flat,” he says.

“Lots of viruses are coming out of those machines.” Also, many people simply don’t use anti-virus software. Now and in the future, it will be this underclass of uneducated users who spread the infection.

“Eventually, there may be two Internets,” he says. “A clean one where security is part of the infrastructure, and a ‘dirty Internet’ for all the old insecure technologies and people who just can’t be bothered.”