Attack of the World Wide Worms

By Chris Taylor/San Francisco Monday, Aug. 25, 2003
    • Illustration for time by Bill Mayer

    Where's A power outage when you really need one? Last Friday computer cops and the FBI were racing against time to shut down 20 computers — in a world of millions — before a restless piece of software code called Sobig.F reached them first. Sobig.F was already ripping through home PCs and business networks like Godzilla on a Tokyo rampage. If you logged on to the Internet last week, chances are you received an email from Sobig.F. Whatever instructions the worm might have got from those 20 Internet servers, investigators knew, had the potential to make Sobig.F so much bigger.

    It was the Web's worst attack of worms, a kind of computer virus that replicates itself automatically. Though they sound like science fiction, worms spring from the minds of virus writers, who could be sitting at any computer in the world. Most spread because we do careless things like open e-mail attachments from strangers, but some have evolved to spread through computer networks on their own — like plague bacilli that have become airborne.


    LATEST COVER STORY
    Mind & Body Happiness
    Jan. 17, 2004
     

    SPECIAL REPORTS
     Coolest Video Games 2004
     Coolest Inventions
     Wireless Society
     Cool Tech 2004

    PHOTOS AND GRAPHICS
     At The Epicenter
     Paths to Pleasure
     Quotes of the Week
     This Week's Gadget
     Cartoons of the Week

    MORE STORIES
    Advisor: Rove Warrior
    The Bushes: Family Dynasty
    Klein: Benneton Ad Presidency

    CNN.com: Latest News

    Such networking skills made headlines last week as Welchia, a network-only worm, grounded Air Canada's check-in system and caused three-fourths of U.S. Navy and Marine Corps computers to surrender. But if anyone thought e-mail worms were sluggish by comparison, Sobig.F was on hand to prove them wrong. In a single day, 1 in every 17 mails sent worldwide came from Sobig.F. At the New York Times, reporters were forced to turn off their terminals. Experts were shocked and awed by the worm's unprecedented clip. "This is the undisputed heavyweight champion of viruses," declared Scott Petry of email-security firm Postini in Redwood City, Calif. Which may be just the kind of recognition Sobig.F's still mysterious author was hoping for.

    Virus writers in search of street cred are nothing new. Nor is the billion-dollar antivirus industry that has sprung up since the mid-1980s. Their cat-and-mouse game evolves every time a flaw is found in Microsoft Windows, which runs on 95% of personal computers worldwide. And flaws in Windows are as plentiful as mosquitoes in August. The other problem is the infrastructure of the Internet itself, which is almost as rickety as Northeastern power lines. Up to 70 security holes are noted every week.

    So far, most of the exploitation of these flaws is benign or short lived. Of the 77,000 known viruses in the world, all but 900 are known as zoo viruses; that is, their incurably geeky creators simply e-mailed them to antivirus-software firms like proud parents passing around pictures of their new offspring. Roughly 200 viruses are in the wild at any one time. Most simply don't spread well; others are lame attempts at getting you to open an infected e-mail attachment. "Nude pictures of your wife," anyone?

    Of the handful that remain, some probably began with innocent intentions. Welchia, also called Nachi, was initially taken for a good worm because it was apparently designed to clean up the cause of the previous week's headlining worm, Blaster. Welchia was like an overly helpful relative who thinks he knows how to handle the plumbing. Once inside a system, it automatically downloaded and installed a Blaster fix from Microsoft's website. But if too many PCs on the same network were trying to do this at once, especially at large corporations, the amount of traffic brought down the network. "Virus writers don't do quality assurance," says David Perry, director of education at Tokyo-based Internet-security firm Trend Micro. "A lot of viruses cause more damage by being poorly written than anything else."

    In the case of a well-constructed worm like Sobig.F, no damage is done to the PCs. The network suffers; your hard drive doesn't. On the face of it, Sobig.F's aim is merely that of every species on Earth: to make as many copies of itself as possible. There are five mutations of the basic Sobig worm, apparently tweaked by the same author since its January debut. The one that won the evolutionary lottery is variation Sobig.F, which works so well because it grabs anything that looks like an e-mail address on your hard drive and secretly emails itself to all of them, using one of the addresses to pose as a friendly sender.

    Then comes the twist. Running on a built-in timer, Sobig.F was due to instruct infected computers to contact 20 Internet servers worldwide — themselves probably infected with a back-door virus — that Sobig's author could use as a drop box, leaving nefarious new instructions for his worm there. Investigators succeeded in taking 19 of the computers off-line before that could happen, and the 20th simply directed users to a run-of-the-mill sex site. Either Sobig.F was not intended to cause damage beyond all the disruption, or its author was feeling the heat of the law and worried about leaving a trail, even though virus writers are notoriously difficult to track down because they work through so many layers of infected machines and fake user accounts.

    2. Previous Page
    3. 1
    4. 2