The specter of a new and potentially mischievous cyber worm has many experts in the security community rethinking how to best defend against computer viruses.
Security experts are glumly greeting a new era in which viruses can spread without users first being tricked into launching infected attachments. They caution that companies can no longer rely on users' common sense as the first line of defense. With the arrival of BubbleBoy, a self-replicating worm that bypasses users and directly infects systems, it's an entirely new ballgame.
"Companies need to ask, 'Am I going to allow all my users to get e-mail from the outside world? Will I strip out macros from files coming in? Should I quarantine any attachments?' " said Vincent Weafer, director of Symantec Corp.'s Antivirus Research Center.
"In the end, companies may have to scan e-mail, and if anything other than plain text comes in, they will strip it out." In essence: Say goodbye to multimedia e-mail.
The virus in a bubble
BubbleBoy itself is only a concept virus. An anonymous virus writer sent the code to anti-virus firms on Monday, ostensibly to prove his worth. (Almost all virus writers are male.)
The virus uses Microsoft's Visual Basic scripting language, which is tightly integrated with Internet Explorer, to infect Windows 98 and 2000 systems that use Outlook or Outlook Express. After a user opens an e-mail message carrying BubbleBoy, the virus copies a program to the Startup folder. The next time the computer boots, BubbleBoy causes Outlook to send the virus to every user listed in the address book.
The virus has no other payload and, at this juncture, only spreads without doing damage.
The computer virus has not been detected "in the wild" (the term that the anti-virus industry uses for viruses that have infected general users). In fact, the Computer Emergency Response Team at Carnegie Mellon University has not received any reports of the virus from its member companies.
"It looks like it was written to get people's attention," said SARC's Weafer. "The danger is not with this one but with the copycats that will come out in the next few months."
Companies mull security measures
"Gateway filters can remove scripting from Web pages today. All that needs to be done is to expand that technique to e-mail," he said. "Virus scanners will have to look in new places, and users can turn off scripting, which almost no one uses anyway."
Padgett Peterson, principal information security specialist for Lockheed Martin Corp., is one of the people already prepared for the virus and its variants. While he wouldn't talk about the security measures taken at Lockheed, he has a short list of prescriptions for companies and computer users.
In addition, the Internet community is quickly turning distrustful out of necessity, said David Perry, spokesman for Trend Micro Inc., who believes users may eventually have to treat all e-mail as suspect. "How is this affecting the trust relationship?" he asked. "The major cost of this is that users might sit there and consider every e-mail before opening it."
However, most companies should not worry about BubbleBoy and its variants, since such viruses only affect Windows 98 -- a platform that is still not in widespread use in corporations. And those businesses and users running Windows 98 with Outlook Express as their mail reader need only update their systems.
Blame Microsoft for this, too?
Despite claims to the contrary, the concept espoused by BubbleBoy -- infecting users by a Visual Basic script embedded in an HTML-enabled e-mail -- is not new.
"As soon as Microsoft provided HTML-enabled mail readers and scripting in Windows 98, it was inevitable," said Lockheed's Peterson. "We've known that for over two years now. When the first pre-releases came out, the security-conscious (administrators) were pleading with them to take those 'features' out."
Microsoft failed to heed a warning posted in December of 1998 by the U.S. Department of Energy's Computer Incident Response Capability. Several other Visual Basic viruses, including VBS.Freelink, used a similar method to run their code.
At the end of August, the software giant released a patch for the security hole that two months later BubbleBoy would exploit.
Still, Lockheed's Peterson continues to see VB script as essentially useless. "As far as I can see, the only people that use the capabilities are the virus writers," he said.