It was the Web's worst attack of worms, a kind of computer virus that replicates itself automatically. Though they sound like science fiction, worms spring from the minds of virus writers, who could be sitting at any computer in the world. Most spread because we do careless things like open e-mail attachments from strangers, but some have evolved to spread through computer networks on their own like plague bacilli that have become airborne.
Such networking skills made headlines last week as Welchia, a network-only worm, grounded Air Canada's check-in system and caused three-fourths of U.S. Navy and Marine Corps computers to surrender. But if anyone thought e-mail worms were sluggish by comparison, Sobig.F was on hand to prove them wrong. In a single day, 1 in every 17 mails sent worldwide came from Sobig.F. At the New York Times, reporters were forced to turn off their terminals. Experts were shocked and awed by the worm's unprecedented clip. "This is the undisputed heavyweight champion of viruses," declared Scott Petry of email-security firm Postini in Redwood City, Calif. Which may be just the kind of recognition Sobig.F's still mysterious author was hoping for.
Virus writers in search of street cred are nothing new. Nor is the billion-dollar antivirus industry that has sprung up since the mid-1980s. Their cat-and-mouse game evolves every time a flaw is found in Microsoft Windows, which runs on 95% of personal computers worldwide. And flaws in Windows are as plentiful as mosquitoes in August. The other problem is the infrastructure of the Internet itself, which is almost as rickety as Northeastern power lines. Up to 70 security holes are noted every week.
So far, most of the exploitation of these flaws is benign or short-lived. Of the 77,000 known viruses in the world, all but 900 are known as zoo viruses; that is, their incurably geeky creators simply e-mailed them to antivirus-software firms like proud parents passing around pictures of their new offspring. Roughly 200 viruses are in the wild at any one time. Most simply don't spread well; others are lame attempts at getting you to open an infected e-mail attachment. "Nude pictures of your wife," anyone?
Of the handful that remain, some probably began with innocent intentions. Welchia, also called Nachi, was initially taken for a good worm because it was apparently designed to clean up the cause of the previous week's headlining worm, Blaster. Welchia was like an overly helpful relative who thinks he knows how to handle the plumbing. Once inside a system, it automatically downloaded and installed a Blaster fix from Microsoft's website. But if too many PCs on the same network were trying to do this at once, especially at large corporations, the amount of traffic brought down the network. "Virus writers don't do quality assurance," says David Perry, director of education at Tokyo-based Internet-security firm Trend Micro. "A lot of viruses cause more damage by being poorly written than anything else."
In the case of a well-constructed worm like Sobig.F, no damage is done to the PCs. The network suffers; your hard drive doesn't. On the face of it, Sobig.F's aim is merely that of every species on Earth: to make as many copies of itself as possible. There are five mutations of the basic Sobig worm, apparently tweaked by the same author since its January debut. The one that won the evolutionary lottery is variation Sobig.F, which works so well because it grabs anything that looks like an e-mail address on your hard drive and secretly e-mails itself to all of them, using one of the addresses to pose as a friendly sender.
Then comes the twist. Running on a built-in timer, Sobig.F was due to instruct infected computers to contact 20 Internet servers worldwide (themselves probably infected with a back-door virus) that Sobig's author could use as a drop box, leaving nefarious new instructions for his worm there. Investigators succeeded in taking 19 of the computers off-line before that could happen, and the 20th simply directed users to a run-of-the-mill sex site. Either Sobig.F was not intended to cause damage beyond all the disruption, or its author was feeling the heat of the law and worried about leaving a trail, even though virus writers are notoriously difficult to track down because they work through so many layers of infected machines and fake user accounts.