Did anti-virus firms' protections fail?

Anti-virus sites could not be accessed all of Thursday. New variants poke holes in recently updated virus scanners. What's going on?
Written by Robert Lemos, Contributor

In the months following the outbreak of the Melissa virus, did security software makers lapse into complacency? Vowing they would be ready for the next great rush to download new definitions to their software, virus scanners beefed up their servers and connections. Symantec alone quadrupled, and then quadrupled again, the number of servers it housed.

All the while, the White House assured citizens it was on the job by delivering a proposal to upgrade the nation's information infrastructure.

But it took just six hours for the 'ILOVEYOU' outbreak to shatter that illusion of security.

The resulting havoc matched that caused by the Denial-of-Service attacks that brought down eight major Web sites in February: Access requests flooded the security companies from, seemingly, all over the Web.

Hundreds of thousands -- if not millions -- of users received the forwarded email, which resulted in tens of thousands of computers being infected. The crush of people simultaneously looking for information overwhelmed the anti-virus Web sites, leaving consumers frustrated about being left in the collective dark.

In the aftermath of the attack, the National Infrastructure Protection Center, a joint agency handling cybercrime investigations, came under fire from Senator Robert Bennett, R-Utah, for being slow on the draw. Bennett now wants to hold congressional hearings on the matter.

Oddly enough, the anti-virus industry is finding support from one of its fiercest detractors.

"It's not the fault of the AV vendors," said Rob Rosenberger, editor of the Computer Virus Myths site. "They are doing everything in their power to get the updates to the people who need them."

Instead, Rosenberger saved his buckshot for the news media, which he said was guilty of hyping up the virus to drive readers to news sites.

In part, the controversy can be explained as the natural reaction that accompanies unexpected interruptions of normalcy. "One of the big challenges is what do you do when things are normally quiet, but suddenly 6 million people go to your site and keep pressing the reload button," said David Chess, an anti-virus researcher with IBM's T.J. Watson Laboratory.

Chess suggested that the industry consider creating a system that distributes new virus definitions throughout the Web, mimicking the design of an existing IBM project known as the Digital Immune System. Loosely based on its biological counterpart, the Digital Immune System finds fixes and then teaches all its nodes about the new virus. Users getting on the Net after the virus is detected should automatically be updated with the fix.

Symantec has partnered with IBM to deploy the system. "With the immune system, we can reduce our response time to minutes," said Vincent Weafer, director of Symantec's Antivirus Research Center. "Now the question is how do you change the reaction of users? How do you get them not to click on something that is unknown?"

Educating the user needs to be a top priority to prevent such hysteria in the future, said Dan Schrader, chief security analyst with rival Trend Micro. Trend's site maxed out at 6,000 connections per second, Schrader said. "The last thing we want is to not have our service available to customers."

Even disabling Visual Basic script is not a total solution, he said. "The moment that a JavaScript or ActiveX Script does not work, users will turn scripting back on."

As for law enforcement, investigations take time, said Deborah Weiermann, spokeswoman for NIPC. "There had to be time to dedicate to the virus and to damage and containment, and as soon as there was time to put out warnings, the NIPC did so," she said.

"It was done as expeditiously as possible."

Would you prosecute British Gas for making it possible to put your head in the oven and turn the gas on? Chris Long is taking no prisoners with this one: he accuses users who got the ILOVEYOU virus of having the IQ equivalent to a pin mould.
