Attack of the World Wide Worms

  • Illustration for time by Bill Mayer

    The rise of Sobig.F illustrates how easily a determined fiend — even a terrorist — could sow mayhem. Picture a future Sobig using millions of infected machines to hack into the servers of a major bank. "The virus-writer world and the hacker world have come together," says Vincent Weafer, senior director at Symantec Security Response. "They don't care who you are. Your machine is an asset to them." In the past, hacker groups have been able to make tens of thousands of compromised PCs take part in denial-of-service attacks — bringing a website down by repeatedly requesting its home page, tying up all traffic on it. The Blaster worm, which declared its enemy to be "billy gates," pointed some 400,000 host PCs to Microsoft's windowsupdate.com at the same time on the same day. But Microsoft dodged that bullet: its Windows Update service had moved to a new address, microsoft.windowsupdate.com, and shut down the old one.

    Nevertheless, there is much to embarrass Microsoft in the latest crop of worms. Blaster and Welchia both relied on the same security loophole that was found in Windows in July. There was a fix available — the one Welchia tried to download — but it was among dozens the company puts out every month. Windows XP made its debut in 2001 with some 45 million lines of code and a lot of mistakes, many of which have yet to be uncovered. Because of its complexity, "no other product could potentially be so flawed," says Jerry Ungerman, president of Silicon Valley's Check Point Software. No consumer movement has sprung up demanding a Windows recall just yet, but a car with this many problems would be a tort lawyer's joyride.

    Not according to Microsoft. "This is more like your car being threatened by a new caliber bullet," says Mike Nash, the company's vice president for security. Still, a Bill Gates memo last year admitted Windows needed to be more "trustworthy." The company placed ads in national newspapers last week reminding users to turn on Windows XP's internal firewall and employ the operating system's automatic-update feature. That is, you can allow the company to fix its unintended mistakes constantly and quietly in the background. Windows XP does not ship with this feature turned on because of the Big Brother factor. But attitudes may be changing. Says Nash: "Customers are more willing to give up their privacy concerns."

    Security experts are willing to cut Microsoft a lot of slack. In some ways, they say, Windows is a victim of its success. If rival operating systems like Linux or Mac OS had a 95% market share, the virus writers would be hard at work probing them for holes. Whether they would find as many is a different question altogether. Linux and, to a lesser extent, Mac OS are open source, which means they're subject to constant peer review by engineers and software writers all over the world. The energy that goes into finding fault with Windows exists in the Linux world too, but it's focused on making the code better. To help stave off the competitive threat from Linux, Microsoft recently allowed several governments across the world to take a peek at the precious Windows source code but is unlikely to go fully open source anytime soon.

    What Microsoft isn't responsible for are the problems it inherited from the early years of the Internet. All the rules and protocols that govern how computers talk to one another and how e-mail is passed around have been handed down from the 1960s and '70s and are riddled with loopholes. Back then the nascent network was the province of the military and academia. If someone even knew what e-mail was, he or she was likely to be friendly.

    As recently as two years ago, it was easy to avoid the impact of most viruses and worms like Melissa and the infamous Love Bug by not using too many Microsoft products. Most of the known security flaws that spurred virus writers had to do with the way Outlook talked to Word or Excel. The greatest danger was having a Microsoft monoculture on your desktop. The digital equivalent of planting only one kind of potato in your fields, it practically invited pests to do their worst.

    In the age of smart worms, however, the greatest danger comes from having an insecure high-speed Internet connection combined with a month-old copy of Windows. A firewall — a piece of software or hardware that watches your connection night and day and turns away requests from software applications that it doesn't recognize — is now as necessary for DSL or cable-modem users as luggage screening at airports. But a survey showed that two-thirds of high-speed connections don't have firewalls set up properly.

    Until we all get firewalled, the best we can hope for is that most virus writers keep their creations in the zoo, that the Sobig.F writers of this world will turn out to be relatively benign vandals and that investigators will track down the ones who are not. Worms will always be with us, like graffiti on highway overpasses. And with luck, they will be no more annoying.
