The Year Ahead: The future of viruses

In 2002, users and companies got a respite from the disruptive viruses of 2001. But a more sophisticated generation of worms is on the way

The year 2002 may have been a relatively quiet for virus attacks, but security experts say that this is likely to be the calm before the storm. In 2003, they say, new breeds of computer attacks are likely to emerge that are capable of knocking out millions of computers around the Internet in a matter of minutes. "These techniques are now being discussed, and algorithms are being made available," said Mikko Hypponen, manager of anti-virus research at F-Secure. "It's just a matter of time before somebody tries them out in the real world." The concepts under discussion, Hypponen said, are known as a Warhol worm -- so called because it could create a huge outbreak in 15 minutes -- and a flash worm, which could do the same thing in 15 seconds. "The typical reaction time to a major new incident is two to three hours. If (the attack) takes 15 minutes, you have no chance," Hypponen said. Experts have different theories as to why there have been fewer major virus attacks in 2002 than the previous year, but there is no denying that the difference has been marked. F-Secure ranked nine attacks in 2001 as Level 1 -- the most serious ranking -- but only two as of late 2002. In 2001 there were 43 Level 2 attacks, dropping to 13 by late 2002. "What's special was 2001. That was by far the worst year in history. Out of the 10 largest virus cases ever, seven of them happened (in 2001)," Hypponen said. "This year has been a bit quiet, but it has not been that different from 2000." He argues that tougher anti-terrorism legislation in the wake of the 11 September attacks has had some impact on how virus writers behave, and noted that more attacks began to show up beginning around 11 September, 2002. A 11 September-themed virus was found, though it did not make headlines, and shortly afterwards the destructive Slapper and Bugbear worms hit the Internet. Upping the ante
Eric Chien, chief researcher for Symantec Security Response, argues that cybercriminals have been struggling throughout 2002 to deal with the advances made in virus destructiveness in late 2001. "There used to be things like Loveletter, which were script viruses written in plain English text. Script kiddies were copying them, modifying them and distributing new variants," he said. "But with Code Red and Nimda, those things are difficult to create. You have to understand the code underlying them, low-level things like assembly code and operating systems. It's harder now to get the fame and glory." An innovation of Nimda and Code Red was that they did not rely on users downloading and executing an email attachment. "These use hacker exploits and combine them with viruses so that they can execute on their own. You can now be infected without your downloading anything or knowing anything about it," said Chien. "Really what has happened is that the bar has risen on how fast and how hard viruses can hit." The Linux-based Slapper worm included an innovation that is likely to reappear in a more dangerous form in the future: it establishes a peer-to-peer network among affected servers, enabling a hacker to take over the servers and use them to attack another Web location -- known as a distributed denial of service attack (DDoS). Another watermark security event in 2002 was the attack on the root servers of the domain name system (DNS), which translates Web domain names such as into numeric Internet protocol addresses. While the attack caused little damage, security experts say it was probably just a test. "It was a rather trivial attack... and all but four of the servers went down," Chien said. "In the past, corporations were worried about their email server, but today that's the least of their worries. If there are no packets going across the Atlantic, it doesn't matter if your email server is up or down." Being neighbourly on the Internet
While the bar has risen for what constitutes a really dangerous virus, it has also become more difficult for the simpler generation of email-borne script viruses to succeed, experts argue. This is partly because users are more wary of what they click on, and partly because of more aggressive antivirus measures by ISPs and companies. "In 2000, Loveletter was the largest ever virus case. It wouldn't be as successful today, because at least some users have a clue. They know they shouldn't be clicking on a VBScript attachment." Some companies have begun filtering Internet content much more closely, dropping all VBScript files and .bat files, as well as detecting strange patterns of email traffic that could be the signs of a a spreading virus. More far-reaching virus remedies include Internet Protocol version 6 (IPv6), which prevents the "spoofing", or faking, of email headers, and self-healing computer systems that spontaneously react to attacks. But these will not be really effective until they are universal, which could take years. In the mean time, the best protection against new generations of attacks will have to be education, says Symantec's Chien. "We are no longer responsible only for our own machine," he said. "If you're connected to the Internet, you need to be a good neighbour. Some home users on ADSL aren't concerned about viruses, but their machine could be leveraged to attack someone else. Users have to learn that they're responsible for the Internet as a whole."

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section. Have your say instantly, and see what others have said. Go to the Security forum. Let the editors know what you think in the Mailroom.