
Virus Writers: The End of The Innocence?

Abstract
Earlier research has empirically demonstrated the cyclic nature of virus writing activity: as virus writers “age out”, new virus writers take their places. Enhanced connectivity amplifies the existing problem and various technical factors result in new types of virus writers surfacing as the cycle repeats.

However, a new variable has recently been introduced into the cycle: high profile legal intervention. The virus writing community now has experienced visits by concerned law enforcement personnel; there have been arrests and there will be sentencings. New laws are being considered, enacted, and acted upon. Thus, the virus writing scene is no longer a casual pastime of kids on local Bulletin Board Systems.

What has been the impact, perceptually and operationally, of these visits, arrests, and sentencings? In other words, as the virus problem gets more and more “real world” attention, where are we actually going in terms of shaping acceptable behavior in our virtual communities and what, if any, effect are these legal interventions having on the impact of viruses upon users’ computers?

In order to produce a scientifically meaningful answer to this question, pre- and post-intervention data on various aspects of the virus problem have been gathered. We solicited opinions on a variety of topics related to computer viruses and legal countermeasures via e-mail and direct survey. Opinions are not only interesting; they must be considered, as we know the opinions of today shape how people behave in the future. However, we are also concerned with immediate real-world impact. To this end, impact will be examined in terms of viruses found both In the Wild[1] (ItW) and on the World Wide Web (WWW), as a function of time. The data gathered before and after various types of high profile intervention is considered; in particular we are interested in any decrease noted in the graph of virus growth both ItW and on the WWW, and in online references to legal concerns.

An analysis of the data is presented and suggestions for future research are made.



Introduction
During the last eight years, a wealth of information has been gathered concerning virus writers and the various motivations behind their work (Gordon, 1994a; Gordon, 1994b; Gordon, 1995; Gordon, 1996; Gordon, 1999). In this paper, that earlier research is expanded upon and updated to consider an increasingly important facet: intervention by legal/government bodies.

It is natural, given the way societies tend to develop, that antisocial activities tend to lead to legislation designed to contain or eradicate the activities. This paradigm of control is influencing both technological development and societal direction (Gordon, 1994b). There is now increased pressure on the legislature and law enforcement to deal with a problem which purportedly costs corporations millions of dollars per year (Cobb, 1998). The goal of this paper is to gain insight into the efficacy of high-profile legal countermeasures, and assess how well they achieve the objective of lessening the spread of computer viruses.

In order to accomplish this analysis, this paper is structured as follows: First, the research to date is summarized, in order to provide the reader with insight on the “generic” virus writer, the target of laws and intervention. Second, the legal countermeasures which are in place at the time of writing are discussed, outlining the goal of legislation, and summarizing the laws employed in past high-profile arrests of virus writers. Next, the potential drawbacks and costs associated with this approach are discussed, to provide a counterpoint to the intuitively obvious application of laws and high profile interventions as a solution to the “problems” of virus writing. The lack of useful metrics as to the effectiveness of the legal approach is covered, before discussing a research methodology that provides scientifically valid data for assessing the result of the interventions. Finally, results of this research are presented, analysing the effectiveness of laws in the prevention of virus writing and various forms of distribution.

Virus Writer Demographics
Research published by (Gordon, 1994a) examined the demographics of a large number of virus writers. This was accomplished by the use of surveys, email interviews, online chat and in-person sessions. The data gathered was used to assess the ethical development[2] of individual virus writers, with a view to understanding why they chose to write viruses, and what, if anything, was likely to deter them.

The paper focused on four primary groups of people: the adolescent virus writer, the college student, the adult virus writer, and the ex-virus writer. The findings for each group are summarized below [3].

The Adolescent

Studies of the adolescent virus writer were remarkably consistent. The data tend to show that the adolescent virus writer is ethically normal and of average/above average intelligence. Responses from members of this group showed respect for their parents and for authority (to some degree). While members of the group tended to understand the difference between what is right and wrong (i.e. directly damaging data that belongs to other people is wrong), they typically did not accept any responsibility for problems caused when their own viruses appeared in the wild.

The College Student

Members of this group also appeared to be ethically normal on the Kohlberg scale. Despite expressing that what is illegal is “wrong”, members of this group were not typically concerned about the results of their actions related to their virus writing.

The Adult

Of the four classes studied, the adult virus writer was the smallest, and the only one which appeared to be ethically abnormal, appearing below the level of ethical maturity which would be considered normal on the Kohlberg scale.

The ex-virus writer

Once again, this group was ethically normal. The ex-virus writers typically cited lack of time and boredom with virus writing as the primary motivator for the cessation of their “hobby”. Appearing socially well adjusted, the ex-virus writer seemed to bear no ill-will toward other virus writers, and was undecided concerning the ethical legitimacy of virus writing.

These results are of particular relevance to the question of legal countermeasures. The virus writing adults in the study appeared to be below the norms in ethical development; adults who are below these norms are more likely to be motivated by fear of punishment than by respect for law. For the adult virus writer, therefore, it is not the laws that are important, but their perception of the likelihood of being prosecuted under those laws. For the minors involved, the presence of laws is unlikely to be very effective for several different reasons that will be discussed in more detail later. For the youngest virus writers, the data tended to show that virus writing was a naturally self-limiting phenomenon, and that the “perpetrator” would tend to cease their activity without the need for legal intervention.

The research shown above was completed in 1994. The update of the paper two years later (Gordon, 1996) showed some disturbing trends related to virus writers at the higher age limits considered. Whereas virus writers were typically aging out as their ethical development continued, mixed messages from many different sources appeared to make virus writing appear “less wrong”, pushing up the age of aging out, if the process occurred at all.

Legal and High Profile Intervention
According to (ICSA, 1999) the median cost of virus disasters is $1,750, with some respondents reporting costs of up to $100,000 in a single virus incident. Another study (Ernst, 1998 cited in Cobb, 1998) suggests that virtually every organization in the world has experienced at least one virus infection, and that viruses continue to cause businesses hundreds of millions of dollars each year in damages and lost productivity. Given the purported high cost[4] to businesses it is not surprising that some people have looked to the law for help in dealing with the problem.

Legal intervention in the case of the Melissa virus has been highly publicized. Regarding this case, (Jenislawski, 1999) citing ICSA, states

“This case, the company says, proves that virus writing is ‘indeed illegal’, despite arguments to the contrary. [This prosecution] will be a decisive event that will tend to reduce the relentlessly increasing threat and resultant risk of computer viruses to society as a whole. By locking up perpetrators, the cycle of mounting numbers, rate, and virulence of computer viruses will get at least a pause and perhaps, a reversal.”

(Tippett, 2000) suggests that Congress look at making it illegal to write a computer virus. “Making a bomb is illegal but writing about how to make a bomb is not”, he noted. “But with a computer virus, the words are the bomb”. (Kabay, 2000a) calls for a view of computer programs as “not speech”. [5]

How effective are these legal counter-measures likely to be in addressing the problem of viruses found in the real world? In (Lemos, 1999) we read

“Despite an expected four- to five-year sentence for admitted Melissa virus writer David L. Smith, the number of new viruses appearing on the Internet appears to be accelerating as the end of the millennium draws near, anti-virus firms said Friday.”[6]

Laws to combat computer crime are not new. The first comprehensive proposal for computer crime legislation was a federal Bill introduced in the US Congress by Senator Ribicoff in 1977 (Schjolberg, 2000). Since that time, many U.S. states have introduced various computer crime laws, several of which mention viruses specifically (Bordera, 1997).

Some of these laws and statutes even attempt to define what a virus is. For example (Bordera, 1997) cites the revision of the State of Maine’s statute title 17-A, §§ 431 to 433 (West Supp. 1996)

“any instruction, information, data or program that degrades the performance of a computer resource; disables, damages or destroys a computer resource; or attaches itself to another computer resource and executes when the host computer program is executed.”

The State of Maine has a particular subsection dealing with viruses, §433c, citing

“intentional or knowing introduction or allowing the introduction of a computer virus into any computer resource, having no reasonable ground to believe that the person has the right to do so.”

The offense is classified as a Class C crime.

In (Froehlich, Pinter, and Witmeyer, 2000) the differentiation between naivete and malice is documented:

“The 1994 Computer Abuse Act tries to deal differently with those who foolheartedly launch viral attacks and those who do so intending to wreak havoc. To do this, the Act defines two levels of prosecution for those who create viruses. For those who intentionally cause damage by transmitting a virus, the punishment can amount to ten years in federal prison, plus a fine. For those who transmit a virus with only "reckless disregard" to the damage it will cause, the maximum punishment stops at a fine and a year in prison.”

There have since been various committees formed worldwide that have attempted to deal with the problem from a legal perspective (Schjolberg, 2000). From some of these committees international laws addressing computer crime have emerged, some of which address virus issues specifically. For example, in 1995, the Iranian Government approved a computer crime law prepared by the High Council of Informatics. Program damage caused by viruses, Trojan horses, worms, and logic bombs are spelled out in this law. Other countries have laws that forbid the spreading of and in some cases the writing of, computer viruses (Iran, 2000). How have the existing laws been used so far? First, we will consider three individual cases.

Research by (Akdeniz & Yaman, 1996) documents the case of Dr. Joseph Popp, an American who was apprehended and arrested by the FBI at the end of 1989. Dr. Popp had sent free computer diskettes to ~20,000 people in London and around the world; these disks contained a program which supposedly assessed the user’s risk of contracting the AIDS/HIV virus, but which in reality introduced a trojan horse to the user’s computer. According to Akdeniz,

“Recipients of the disk were warned that their computers would stop functioning unless they paid the license fees of £225 to a bank account in Panama. This case is thought to be the world’s most ambitious computer crime. While Dr. Joseph Popp was extradited to the UK, his case never came to trial due to a deterioration of Popp’s mental state; he was found mentally unfit to stand trial.”

(Taiwan, 1999) describes how, in 1999, the Computer Crime Unit traced the CIH virus to a young man then serving in the military. He confessed he had written the virus, claiming he was motivated by pure research, and had not himself spread the virus. According to this report,

“if it were determined that Chen Ying-hao had maliciously disseminated the virus, he could be sentenced to time in jail. However, many creators of computer viruses are computer jocks, most of whom write viruses to show off their computer acumen. As Chen Ying-hao likely belongs to this ilk, and since under the article in question a prosecution can only be brought if a complaint is made, it has thus far not been possible to charge Chen, for lack of sufficient evidence. Prosecutors are currently reviewing the case.”

Christopher Pile, known as the “Black Baron” in the computer underground, was sentenced to 18 months on 15 November 1995. Pile was charged with violations of Section 3 of the Computer Misuse Act 1990. He pled guilty to five charges of gaining unauthorized access to computers, five of making unauthorized modifications and one of inciting others to spread the viruses he had written.

Laws – Effective?
In order for a crime involving a virus to be prosecuted, it must first be reported. Minnesota statute §§ 609.87 to .89 presents an amendment which clearly defines a destructive computer program, and which designates a maximum imprisonment of 10 years; however, no cases have been reported. Should we conclude there are no virus problems in Minnesota?

In (Grable, 1996) the ineffectiveness of the laws, both Federal and New York State, as a solution to the virus problem is clearly spelled out:

“Both the federal and New York state criminal statutes aimed at virus terror are ineffective because the methods of enforcement… The combination of the lack of reporting plus the inherent difficulties in apprehending virus creators leads to the present situation: unseen and unpunished virus originators doing their damage unencumbered and unafraid. Add to that the slap on the wrist afforded to even the most infamous of virus propagators, and the recipe is right for even greater damage from malevolent software.”

How likely are laws to affect the young virus writer? We first examine legal intervention related to young people engaged in other antisocial activities.

(McDowall & Loftin, 2000) analyze the success of curfew laws in controlling crime. They state that while several police departments report a decrease in youth offenses after the enforcement of curfew ordinances, (Bilchik, 1996) claims that statistics supporting the efficacy of curfew laws in reducing crime rest on uncertain comparison groups, and that few evaluations have considered more than a single area. They conclude there is not strong evidence that the curfew laws reduce juvenile offending or victimization rates. However, despite this lack of evidence, these laws have been embraced by many communities; (Hemmens & Bennett, 1999) state that while it is unclear whether they are effective in reducing crime, it is clear that they are being embraced by communities across the country (Davidson, 1997).

In other studies of youths living in areas where anti-social activity is normal, some youth may accept confronting danger and being involved in these activities as features of living in such environments (Halliday & Graham, 2000). There is insufficient data to conclude if this phenomenon maps to virtual environments.

Research by (Foglia, 1997) supports the hypothesis that while the possibility of police involvement or legal sanction does not offer significant deterrence for youths who engage in antisocial behaviours, they are likely to be influenced by parents and peers. In (Gordon, 1994a), the conclusion that the “common” young virus writer is not likely to be affected by laws is supported, citing both the non-universality of the laws as well as the mixed messages sent societally to the young people as they integrate into the cyber-culture.

Difficulty in sentencing minors is also to be considered; some research is being done in this area. (Simpson, 1999) examines research into state statutes in the United States that help make parents legally responsible for personal injury or damage to property made by their minor children. There are details on a case in Minnesota (the land of no viruses :)), and another in Oregon, where such provisions currently exist.

Finally, we must not ignore the mixed messages sent to young people regarding virus writing. (ZiffDavis, 1999) reports

“[the firm that hired the virus author]…competed with a score of high-tech rivals attempting to lure [the virus author]...”

“’Our chairman felt he [the virus author] was a rare computer professional and we decided to accept him with an open heart,’ said Wahoo spokeswoman Vivi Wang.”

Contrast that to the alleged writer of the Melissa virus, David L. Smith. Apprehended at the beginning of April, Smith is looking at a maximum sentence of 40 years if convicted in New Jersey State Court. The immense differences in punishment illustrate a large rift in perceptions over the seriousness of computer viruses.

Lack of Metrics
Perhaps one of the reasons that there are so many different opinions on the effectiveness of legislation is that little quantitative data has been gathered. How does one go about measuring the effectiveness of a law? While it is tempting to simply measure the number of arrests as a function of time and law, this is not a good approach given the small number of virus writers who have been arrested and tried. Indeed, this lack of arrests is one of the primary indicators used by some to argue that laws are not a good deterrent.

One of the ways in which we can judge the efficacy of law as a deterrent is the overall view of society toward the acts which have been criminalized (Bagaric, 1999). However, we must be careful not to impose our view of the act on others when attempting to use the criminalization as a “proof” that the act is “wrong”. For example, the use of marijuana is a criminal offense in some places/situations; in others, it is a misdemeanor, and in yet others, it is an acceptable act.

New Metrics and Research Techniques
As virus writing is a relatively infrequent “crime”, a better measure of efficacy might be to study the number of times this “crime” has resulted in viruses let loose into the user community. However, how shall we define this output of “crime”? While it is true that in practical terms, a measure of the virus problem can be derived from the infection rate per 1000 PCs, this figure is affected by far more than just the number or activity of virus writers. New types of virus, a virus “getting lucky”, or simply press coverage for a well-known virus can skew this number. Similarly, the total number of known viruses is not necessarily a good indicator, as this number is somewhat artificial in its creation. Thus, we propose the following new metrics for measuring, albeit indirectly, the efficacy of legislation with respect to the virus “problem”.

One possible way of measuring the prophylactic effect of laws is obvious: ask! Based upon previous research, we have built a reliable and open dialogue with many of today’s more visible virus writers.

As this “known” population is relatively small (but has a large impact on many developments in the virus world) a directed survey was created and administered. Questions (shown in the results section) were initially distributed via electronic mail and in-person sessions to virus writers in North and South America, Asia, Europe and Australia. The questionnaire was also posted to the Usenet News Group alt.comp.virus. The theory is that by re-administering the questionnaire after a high-profile criminal case concerning viruses, any suppression in the tendency to write viruses could be documented.

Unfortunately, the sentencing of David Smith has been delayed several times, so at this time the administration of the post-test questions and analysis of that data is not possible. Following the sentencing of David Smith, the post-test will be administered and the results posted on the online version of this paper[7]. One drawback with this approach is that we expect some virus writers to become more socially aware as they “age out”; thus a significant delay between administering the two tests could make the results difficult to interpret for individual subjects. However, the average population should remain reasonably static, making the test a possible metric for evaluation of effectiveness of laws.

As intimated above, the full measure of the scope of the virus “problem” itself is extremely hard to measure. How “bad” is the “problem”? Can it be measured by the number of known viruses on a particular date? The number of viruses encountered “In the Wild”? The infection rate per 1000 PCs?

The answer to this question depends partly on perspective and partly on the need for the measurement. For example, from the perspective of the anti-virus researcher working in a non-automated environment, the scope of the problem is probably based upon the sheer number of viruses, as he must deal daily with all incoming viruses, analyzing, meticulously naming and prioritizing them, creating cures, etc. For the researcher in an automated environment, the measurement is likely to be those viruses which cannot be handled automatically and which she must deal with manually. For the end user, the infection rate per 1000 PCs in environments which are representative of his or her own is a vital statistic. However, from the perspective of the legislator, the scope of the problem is probably related to the sheer number of problematic viruses - viruses which are highly publicized and brought to his attention - as this is a direct measure of the number of “illegal” or “undesirable” acts occurring (not allowing for natural corruption of existing viruses etc[8]).

As it seems unlikely that writing a virus that is never distributed would be made illegal in The United States, we propose that a suitable measure of the problem for a legislator is the number of viruses found “in the wild”. Thus, it might be interesting to correlate the rate of change of the number of new viruses in the wild with high-profile prosecutions of virus writers. To this end, we have charted viruses “in the wild” as a function of time. If a noticeable decrease in the number of new ItW viruses is observed following an arrest/sentencing, the case could be made that the trials were helping the overall computer user population.
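As an added illustration of the rate-of-change metric proposed above (this is not code or data from the original paper), the following Python fits a trend line to monthly counts of new ItW viruses before and after an intervention month and reports how the slope changed. The monthly counts and the intervention month are constructed placeholders, not WildList figures.

```python
"""Pre/post comparison of the rate of new In-the-Wild (ItW) viruses.

Added illustration of the metric proposed in the text. The monthly counts
below are CONSTRUCTED sample data, not WildList figures from the paper,
and INTERVENTION is a placeholder for the month of the arrest or
sentencing being studied.
"""
from typing import Dict, List, Tuple

Month = Tuple[int, int]  # (year, month)

# Constructed sample: number of viruses newly reported ItW in each month.
SAMPLE_NEW_ITW: Dict[Month, int] = {
    (1998, 10): 6, (1998, 11): 7, (1998, 12): 7,
    (1999, 1): 8, (1999, 2): 9, (1999, 3): 10,
    (1999, 4): 9, (1999, 5): 8, (1999, 6): 8,
    (1999, 7): 7, (1999, 8): 7, (1999, 9): 6,
}

INTERVENTION: Month = (1999, 4)  # placeholder intervention month


def ols_slope(ys: List[float]) -> float:
    """Least-squares slope of ys against consecutive month indices 0..n-1.

    The slope is the estimated change in the new-ItW count per month, i.e.
    the "rate of change" the text proposes to correlate with prosecutions.
    """
    n = len(ys)
    if n < 2:
        raise ValueError("need at least two months to fit a slope")
    mean_x = (n - 1) / 2
    mean_y = sum(ys) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(ys))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def split_series(series: Dict[Month, int], intervention: Month) -> Tuple[List[int], List[int]]:
    """Split monthly counts into months strictly before and from the intervention on.

    (year, month) tuples compare chronologically, so no date parsing is needed.
    """
    months = sorted(series)
    pre = [series[m] for m in months if m < intervention]
    post = [series[m] for m in months if m >= intervention]
    return pre, post


def rate_change(series: Dict[Month, int], intervention: Month, min_months: int = 3) -> Dict[str, float]:
    """Compare the pre- and post-intervention trend in new ItW viruses.

    Returns both slopes and their difference; a negative 'slope_change'
    means the growth rate fell after the intervention. A window shorter
    than min_months on either side is refused rather than fitted, because
    the text notes that one virus "getting lucky" or a burst of press
    coverage can skew a handful of months.
    """
    pre, post = split_series(series, intervention)
    if len(pre) < min_months or len(post) < min_months:
        raise ValueError(f"need at least {min_months} months on each side of the intervention")
    pre_slope = ols_slope(pre)
    post_slope = ols_slope(post)
    return {
        "pre_months": len(pre),
        "post_months": len(post),
        "pre_mean": sum(pre) / len(pre),
        "post_mean": sum(post) / len(post),
        "pre_slope": pre_slope,
        "post_slope": post_slope,
        "slope_change": post_slope - pre_slope,
    }


if __name__ == "__main__":
    result = rate_change(SAMPLE_NEW_ITW, INTERVENTION)
    for key, value in result.items():
        print(f"{key:>13}: {value:.3f}")
```

A falling slope after the intervention is only consistent with a deterrent effect, not proof of one; as the text cautions, aging out, new virus types and press coverage move the same series.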

Another metric for the efficacy of laws is the availability of viruses on the WWW. We performed an in-depth analysis using one popular search engine, with the keyword of “virii”, as a way of locating web sites that appeared to have content bearing further analysis. Once again, if the number of “virus exchange” web sites (sites containing live viruses or viral source code) could be shown to decrease with new legislation/prosecution, there would be evidence for the effectiveness of the current legislative attempts at controlling the spread of computer viruses.

Finally, there is the question of a possible backlash against legislation outlawing the development and distribution of computer viruses. As tracing a virus author is extremely difficult if the virus writer takes adequate precautions against a possible investigation, there is a possibility of a backlash against any legislation which a person or group deems unconstitutional or as an infringement.[9]

To this end, a survey was conducted at the 2000 DEFCON conference held in Las Vegas. The conference, attended by many “white hat and black hat hackers” represents an important part of the computer security “counter culture”, and in many ways attracts the exact group that laws against virus writing would be aimed at. We selected people randomly as they entered the conference foyer[10]. To help ensure people could understand the survey questions, and answer coherently, the selection was done on the first day of the Conference, early in the day, in order to sample people before they were intoxicated.

Results
The results from direct interviews provide an entirely subjective (but collectively representative) view of how people said they felt about the following four questions:

1. What (if any) impact do you believe the arrest of David Smith has had on virus writing and virus distribution to date?

2. What (if any) do you believe is a fair and just sentence for David Smith?

3. What do you believe his sentence will actually be?

4. What (if any) impact do you think the sentencing of David Smith will have on virus writing and virus distribution post-facto?

We shall now consider each question in turn, and show data from several differently classified sources.

The Impact of the Arrest of Smith

The following results are broken down into those involved in the virus writing/virus exchange scene, and those who are not (primarily, but not exclusively, virus researchers).

Virus writers and exchangers:

“I'm not sure I've seen any change in virus distribution. There's as little interesting code being released as there was, and as much crap as ever. More to the point, those who are clueful knew that someone was going to be 'tracked down' and 'busted' soon. Those who are clueful aren't releasing code anyway (at least, not to the public). Those who aren't clueful don't understand how David Smith got busted and are probably still doing what they were doing before Smith got busted.

If anything, the effect was on virus writing. There were probably people out there who thought about writing viruses for fun, but got scared out of it for fear of 'getting busted'. I don't think we'll see it making a big impact on the quantity or quality of viruses out there-- but it probably stopped a few kids from 'turning to the dark side'. :)” (Anonymous, 2000a)

“His arrest has made some authors more cautious about handing out their work to just anybody, or even putting their name on it. However at the same time, it has outraged many other authors who are now using it as an excuse [and justification] to speak out about the ills of our society, and dare I say "justice" system.

I'd say that overall it has balanced things out, and had no real long term effect in the minds of authors, it's only set a legal precedent.” (Anonymous, 2000b)

“On the writers side, none. Foul things can happen when you code such programs, and most writers know that already. The thought of a guy getting screwed by media hype is not going to stop most people from coding what they think is interesting.

The distribution side is a bit different. Alot has changed since the shitstorm (pardon me, but there is no nicer way to describe it) of april 99. The loss of the sourceofkaos server was a big deal to us. The vx scene had a voice, and was stripped away due to the incident. The guy who hosted (we knew him as jtr) it was running the machine at his place of business. He was placed on paid leave for a few weeks, and was let go. Im sure the fbi had a field day sorting through that box. Media, the av industry, government organizations would connect to the irc which didnt help much, due to kids that didnt really know the half of what was going on a spreading rumors and publicly discussing things that they shouldnt have. Ugh, it was a mess. Those were some stressful days. This has changed alot on the distribution side. People are afraid to release information. I was the first one to come forward and give the source of iworm.zippedfiles to the public because i had to. After the minimal heat it created, a handful of news articles and such on how the fbi was in search of its author, nobody (well, only a handful had the source in the first place) wanted to come forward with it. Posting source code is not breaking the law in most of the world. People should be afraid.” (Anonymous, 2000c)

Antivirus researchers:

“It has had the impact that many very active virus writers have "retired" (seen anything from the 1nternal guy any time recently?), others have become less productive, and many have refrained from releasing their viruses into the wild. I think that if Smith wasn't arrested so swiftly, we would have seen much more Melissa variants and many more from them would have been released into the wild in a similar fashion.

Of course, sooner or later this beneficial effect will wear off. People tend to forget, and young people, like most virus writers are, tend to forget even faster. That's why the law enforcement must not "sleep on their laures" (sic) but must prosecute similarly swiftly offenders like Mr. Smith in the future, too.” (Bontchev, 2000)

“I would hope that maybe it has scared away few would-be writers or discourage some from distributing their creations but I have seen no clear evidence of this. I'd say there would have to be at least *some* positive effect from this (I just don't have any evidence for that though.)” (Stiller, 2000a)

“It did not have any and will not have any. Virus writer wrote, write and will go on writing viruses, whether one of them folks was, is or will be sentenced or not. …None. We do not saw a change after Black Baron was arrested and I do not saw a decrease of new viruses...” (Marx, 2000a)

Two other responses are worth further examination. First, from the ever-scientific (and correct!) Mich Kabay (Kabay, 2000b)

“Don't know without research. What I hope is that it will discourage some of the virus writers, but that's pure conjecture.”

The second sums up a practical point of view with good evidence behind it:

“Very minimal. Most virus writers (in my opinion) think that it was a fluke that he got caught. Very little, I thing that a one off situation will not change the ways of virus writers. Only if a lot of writers - distributors where caught would this make a impact.” (Pineda, 2000).

Fair and just sentence for David Smith:

Virus writers had mixed opinions.

“Hard to call. I don't really know the facts of the case. If he was maliciously distributing the code, I don't have much in the way of sympathy.” (Anonymous, 2000d)

“An apology for ruining his life of future employment in the computer industry, a smile, and a handshake from every person that has cursed him. And perhaps a job. That's right”. (Anonymous, 2000e)

“To be honest, I really haven't been following the David L Smith case. But I'd say approx. 10 years max. As I once studied the law and jail sentances in an assignment about the meaning of life imprisonment (my best bit of school work that was) - and Life is only about 15-20 years. Computer data is far less important than human life, and should be judged accordingly” (Anonymous, 2000f)

“A slap on the wrist. Im not saying it was right to post a virus to a newsgroup from a stolen aol account. What he has already had to deal with should be enough though. I don't think anyone would go the same route twice. Being held at gunpoint and treated as a terrorist is a bit disturbing im sure. Jail time or fines wont help, nor will locking him away trying to set an example to others. Look at kevin mitnick, doing almost 5 years without a trial and denied bail hearings. Have people stopped or even cut back on cracking machines? Of course not.” (Anonymous, 2000g)

Antivirus researchers expressed a variety of opinions:

“He certainly deserves substantial jail time and fines.” (Stiller, 2000b)

“That's for the judges to decide. He has to be punished. Something like a year in prison and a BIG fine would do.” (Gryaznov, 2000)

“I personally believe that David was stupid, rather than malicious, and I therefore think the sentence should be similar to the one handed out to the author of the famous 'Internet Worm' (whatever that was - I'm not sure)” (Shipp, 2000b)

“… a suspended prison sentence (or time already served), some community service that will mean nothing to him, a fine he won't be able to pay, all resulting in an extremely high paying job in the field of computer security for an obscure consulting firm who will brag about their proven expertise in computer viruses.” (Pichnarczyk, 2000)

What will the sentence actually be?

Virus writers were uncertain; a typical response is shown here:

“It will probably begin by looking insanely harsh, and come out to something that is soft on prison time, and nasty for his future. Some of that 'unable to be within 500 yards of a computer' bullshit, probably.” (Anonymous, 2000h)

Antivirus researchers' opinions were diverse:

“Probably a small amount of jail time”. (Stiller, 2000c)

“I think he will get a large fine, and 10 years.” (Shipp, 2000)

“Some years arrest... maybe much too long, even if the virus clean-up etc. costs very much.” (Marx, 2000b)

“Suspended sentence, probation for a couple of years, specific interdiction of further computer-virus writing, and a fine of a few thousand dollars.” (Kabay, 2000c)


What (if any) impact do you think the sentencing of David Smith will have on virus writing and virus distribution post facto?

Virus writers were consistent within their grouping:

“None. It is the fear of being caught that is more important to an author, than the results that occur after. For example, even if this particular case was settled in David's favour, he would still be ruined in the computer industry. That's enough.” (Anonymous, 2000i)

“None. Things like this only affect people when it's in the spotlight. It's all said and done, it's old news, the media won't rave about it, the end. It won't be forgotten, but it won't affect the future. Nothing changed from the Black Baron did it?” (Anonymous, 2000j)

Antivirus researchers:

“Marginals will stop. Hard-core will continue. After the Next One (tm) goes down, more will stop”. (Thompson, 2000b)

“It depends upon the amount of media exposure and the severity of his sentence. I expect it would discourage some virus writers from distributing their creations.” (Stiller, 2000d)

“Future arrests so as to make them commonplace will have such an effect. The precursor to that is "interest" from the authorities. As David Smith is responsible for creating the "interest," he will have had a tremendous impact on the future of such. But only if the authorities maintain the vigilance” (Kuo, 2000)

“An overly harsh sentence / treatment could make him into a martyr (cf. Kevin Mitnick). Too light a sentence would reduce the deterrent effect.

Overall, not a great deal. I strongly believe that the probability of getting caught is as important as the severity of the sentence in deterring potential criminals. For example, it is illegal to smoke in lifts (sorry, elevators in American translation) in HK, and lifts have signs saying the penalty is HK$5000. However, I often enter a lift and smell cigarette smoke, and I have never seen or heard of someone being fined. The chance of getting caught is (virtually) nil, so the heavy fine is no deterrent. If the fine was HK$100, but offenders were caught 50%+ of the time, the practice would quickly stop. Very few virus writers or distributors have been caught, so the severity of punishment is a small deterrent.” (Dyer, 2000)

“It's a mixed message. On the deterrent side, it's the classic "they'll think twice because they might go to jail" (if my desired sentence is carried out). On the flip side, it also shows virus writers how hard it is to prosecute & convict, as well as suggesting new methods for not getting caught. Ultimately, the impact will be low until the conviction volume increases.” (Renert, 2000)

Survey Results and Analysis
This data shows an interesting cross section of views from both the anti-virus community and the Virus Writer/vX community. Interestingly, the vX community seems less convinced that laws will help the situation. This position does not appear to be based upon a vested interest in the unsuitability of laws, but a genuine feeling within the community that legislation will not be an effective preventative.


Perhaps the most cogent summary of this logic comes from (Dyer, 2000) quoted in response to Question 4, “Will the arrest and sentencing of David Smith have any long-term impact?”: if the law will not be enforced or is unenforceable, it has little effect regardless of the penalties.

Table 1 shows a summary of the results from our survey:

                                                                           Yes   No   Maybe

Virus Writers
  Has the arrest of Smith had any impact in the virus writing community?    0    11     0
  Will it have any long-term impact?                                        0    11     0

AntiVirus Researchers
  Has the arrest of Smith had any impact in the virus writing community?    8     7     1
  Will it have any long-term impact?                                        7     6     3

*NB: Incidental comments include: (1) too-harsh sentences would be bad; (2) more computer ethics classes would help; and (1) requires more research.

Table 1: Survey data. A questionnaire concerning the impact of the arrest of David Smith was presented to two different groups: those involved or in some way associated with virus writing, and those active in the anti-virus community. Note the strong reaction from the virus writers, who were emphatic that neither Smith’s arrest nor any conviction/sentencing would influence them or the virus writing community in general.


Interestingly, the data is reasonably similar to a comparable survey conducted in (Briney, 2000). In the Briney survey, an informal poll was conducted among 25 well-known information security professionals, asking “will the sentencing of David Smith reduce virus writing”. Of the 25 respondents, 11 said, “No”, the Smith conviction will not deter others, while 9 said, “Maybe”. Only 5 said “Yes”.

The Number of Viruses In The Wild

Figure 1: The Number of Viruses on the WildList as a function of time. This graph shows the number of viruses reported on the WildList as a function of time. The top (red) line shows the total number of viruses in the wild, the middle (green) line indicates just those viruses that are on the top portion of the WildList. Finally, the bottom (blue) line shows the number of new viruses added to the top part of the list per month.

As described above in the section New Metrics and Research Techniques, the total number of viruses In The Wild could be used as a metric of the efficacy of laws. In particular, we are interested in any discontinuity noted in the graph of viruses both newly ItW and also on the total number of viruses.

Before analysis can take place, the following descriptors should be made clear. The x-axis on the graph represents months of the WildList. The top (red) line represents the total number of viruses on the WildList, and the middle (green) line is those viruses reported by two or more reporters. Finally, the bottom (blue) line represents the rate of addition of new viruses per month. [Note that this information was only tracked from January 1996, and so before this time the value is set to zero.]

The large discontinuity in the first two lines around January 1999 is an artifact of a change in the reporting methodology of the WildList, which resulted in a significant cleaning of the WildList data: rules concerning how long a virus must go unreported before being dropped from the list were enforced, leading to a significant drop in the total number of viruses listed. Note that there is no corresponding discontinuity in the lower line; this is because the corrections were not related to the rate of addition of new viruses, merely the renormalization of those already reported.

Figure 2: Detailed view of the number of new viruses added to the top portion of the WildList per calendar month. The red line shows the number of new viruses added to the WildList per month. The red stars indicate high-profile interventions. Note that there is no obvious drop in the rate of new viruses after these interventions.

As the most interesting, and arguably most relevant, data is the rate at which new viruses become prevalent ItW, Figure 2 shows a detail of this data. On this graph, we have added stars to note prominent virus/trojan interventions or prosecutions[11]. As can be seen, the graph presents no clear evidence of any suppression in the rate at which new viruses were added to the WildList. While it can be argued that the data is (a) noisy, (b) made up of more than one factor (that is, perhaps if there were no prosecutions, the graph would show a much-increased gradient), and (c) lagging behind real-world events, due to the time it takes for a newly-released virus to spread and to reporting cycles, one must also agree that the WildList data provides no evidence to indicate that these high profile cases and prosecutions have helped depress the virus problem as measured by the rate of addition of new viruses in the wild.

As this paper represents a snapshot of ongoing research and data gathering, not all the results have yet been gathered. One important metric proposed in the preceding section was to measure the availability of computer viruses on the WWW. In order to do this, we measured the number of hits generated upon searching for the word “virii”, using the Google™ search engine[12]. We examined each site to see if it offered viruses. The following results were noted:

On March 15, 2000, a Google search for “virii” netted 5080 hits. A manual examination of the first 1000 hits netted 65 sites with viruses (in executable or source code form) available for download. This means that approximately 6.5% of those sites surveyed contained live viruses or source code.

On August 18, 2000, Google results netted 20,600 results for “virii”. An examination of the first 360 hits showed 102 sites with viruses (in executable or source form). This means that 28% of the sites surveyed contained viruses; a significant increase over the first data set.

It should be noted that the interesting figure in this experiment is not the total number of hits, but the percentage of those hits which contain viruses. As can be seen from the results, the percentage of sites which contain the word “virii” that also have live viruses has increased. While some optimization in search ordering may be responsible for this increase, this change in percentage is not likely to be due to a simple increase in the number of sites surveyed. Thus, this test does not show any convincing evidence for a decrease in the availability of computer viruses – if anything, viruses are more readily available now than ever before. After the sentencing of Smith, it will be interesting to note any effect on these figures.

One interesting by-product of the research was that some web authors noted that laws (or more correctly, fear of legal consequences) have certainly suppressed the dissemination of virus samples from some of the sites. Here are some examples of verbiage used on some of the sites:

Figure 3: Screen shot from a vX site on August 8, 1999

Figure 4: Screen shot from a vX site on January 1, 1999

However, new sites have taken their places, including this one in The Netherlands, where such activity is illegal.

Figure 5: Screen shot from a vX site in August, 2000.

DEFCON Survey Data
A survey regarding reactions to proposed virus-writing legislation was also conducted. In this portion of the study, we chose the population of attendees at DEFCON (www.defcon.org), and asked two questions (The exact questionnaire is reproduced in Appendix A; however, the questions were posed verbally using the document as a reference):

• If virus writing were to be made illegal, would that make you less likely to write a virus (noted as Group 1); more likely to write a virus (noted as Group 3); or make no difference to your likelihood of writing a virus (noted as Group 2)?

• Given that what a person thinks is generally viewed as their own business, and that intentionally going out to cause someone problems with a virus by intentionally infecting their computer is viewed as “not ok”, where on this scale of “how far would you go” do you personally draw the line at acceptable behaviour?

Then, we presented ordinally scaled actions ranging from those that would be almost universally accepted as right/okay, to an action that was almost universally accepted as wrong[13]. The resulting data is presented below as a set of histograms.

There are several different levels of analysis that can be performed on these data. At the simplest level, we can examine the data related to the first question: what was the stated effect of proposed laws. Interestingly, it seems that there is a significant set of people who claim that the criminalization of virus writing would encourage them to write computer viruses. Based upon verbal comments by the respondents, this was primarily due to their feeling that such a law would unfairly restrict their free speech.

Next, one can examine whether there is any correlation between the first answer and the second; that is, if we group the sample set based upon their reaction to laws, does one group appear more ethically developed than the other? Calculating the sample mean and standard deviation for each of the groups, we see that it is difficult to show any significant differences in the groups' answers to question II. This is partly because the data is clearly not normally distributed, although a visual analysis of the data does also tend to show a strong relation between the different groups.

Figure 6: The effect of laws. Respondents were grouped depending on answer: those who would be deterred by laws (Group_01), those for whom laws made no difference (Group_02), and those who would be incited to write viruses by a new law (Group_03). Thus, new laws may cause an increase in the number of computer virus writers.

The fact that individuals with a low tolerance for virus exchange in general expressed that proposed legislation against virus writing would make it more likely they would write a virus is interesting.

It would be interesting to compare this data with that from students in a computer science course, in order to get some measure of another population. However, in ad hoc studies conducted by the author within such environments, at least the reaction to proposed new laws appears to be similar.

Finally, it is interesting to note that some individuals mentioned that letting a virus you have written out of your own personal control accidentally was much more wrong than giving that virus to a friend; “stupidity” was cited as more wrong than intentional distribution.

Conclusions and Suggestions for Future Research
The focus of this research has been to gauge the impact of legal and high-profile intervention on the problem of damage caused by computer viruses. The data has shown that laws are of some limited effect in certain sections of the population, but that there could be a backlash in the United States to a law that was viewed as a violation of an individual’s right to speech. While the free speech question as it pertains to computer viruses is unclear, this is immaterial: the key issue is that there are certain segments of the computing population within the United States who would view such a law as unconstitutional, and state that they would act accordingly. Further research on the likelihood of follow-through on electronic civil disobedience would appear to be an important next step in assessing the impact of legislation directly aimed at virus writing. Additionally, as the virus writing subculture is an international population, civil-disobedience and activism crossover between populations with laws and without laws bears further investigation.

A comparison of the number of viruses in the wild to high-profile virus writer cases/actions does not show any clear correlation with a decrease in the creation of new viruses. Indeed, despite much effort, the rate of addition of new viruses to the WildList appears to be increasing.

Tests and assessments should never be interpreted in isolation; thus, considering the strength of the responses can be as important in seeing the overall picture as the consideration of the statistical data. Additionally, this “strength of conviction” must be considered alongside the worldview of the population. Consider that any laws created/enforced are aimed at a very small, but active virus writing community; the strength of conviction related to the DEFCON data seems to indicate that the creation of such laws would actually create more new virus writers than deter existing ones. This, coupled with the relative unenforceability of such laws could lead to a situation that is actually worse than the one we have currently.

Thus, examining all the data currently available, we are unable to show that the aggressive legislation directed toward, or intervention related to, virus writers will have any positive impact on the virus “problem” as defined by a number of different metrics.

We await the outcome of the post-sentencing interviews with interest. If the interviews show a significant change from their pre-sentencing results, proponents of thorough police follow-up of virus writers will have some hard data with which to back up their position. Conversely, if there is no appreciable difference in the data, we must, as a judiciary, re-evaluate the costs associated with pursuing legal remedies and high-profile “legal” interventions to a primarily sociological phenomenon.

Perhaps instead of attempting to raise support for making virus writing illegal, the energy and associated funds currently being expended would be better spent on education, with legal action or high profile intervention reserved for cases where an individual’s clear and direct intent to damage could be shown.


An obvious objection to the lack of interventions is, quite simply, that the virus author should be held responsible for the results of his creation. After all, whether an infection occurs as the result of direct action from the virus writer (i.e. the virus is written, and uploaded to a Usenet News Group, masquerading as a legitimate utility) or is put into circulation via the WWW (i.e. clearly labeled as a virus on a virus exchange WWW site), the fact remains: someone created the virus that is responsible for the infection. The question is what, if any, responsibility does the creator of the virus hold?


In cases where a direct relationship between the virus author and a crime involving his virus can be shown, adequate existing legal measures can be applied. However, in cases where a virus author claims a “right” to make his or her virus freely available, or gives the virus away to knowing and willing recipients, but does not directly cause an infection, should we assume the question of responsibility dissipates? Opinions on the degree of responsibility vary, but one respondent’s comments on this issue bear further examination:

“Shouldn’t they really know by now that these things can cause problems whether they mean for them to or not!?”

Unfortunately, in many cases we continue to see a typical pattern of older virus writers “aging out”, while a new, inexperienced batch is still being birthed. By the time a virus writer is of an age to know better, and to recognize the impact of these actions on others, they are already beginning to disassociate from their virus writing activities. Thus, while in some ways there is an “end of innocence” for those who realize their mistake and exit the field, there is a complete pipeline of new authors just beginning their exploration. For this reason, it is flawed to simply assume that there are no innocents in the virus writing world; far from it: there are many.


This innocence and naivete, combined with the rapidly accelerating growth and evolution of technology, create a problem that is far more complex than socio-technological problems of the past. Other technologies that have been hugely influential on our societies have developed relatively slowly, thus enabling us to keep pace, predict future trends, and impart values related to those technologies to our young people. Now, however, the technology upon which we are attempting to base our projections is evolving rapidly. As the virus writing subculture continues to evolve, we are likely to see an exacerbation of problems relating to the technologies we are developing. The real question is how to best deploy our resources to protect us from this learning process, in which we are all participants.




Bibliography


Akdeniz & Yaman. 1996. The Computer Misuse Act 1990: an Antidote for Computer Crime. Web Journal of Current Legal Issues, in association with Blackstone Press Ltd.

Anonymous. 2000a-j. Private e-mail correspondence. Used with permission.

Bagaric, M. 1999. Sentencing: The Road to Nowhere. The Sydney Law Review, Vol. 21, No. 4, December. University of Sydney, Australia.

Bilchik, S. 1996. Curfew: An Answer to Juvenile Delinquency and Victimization? OJJDP Juvenile Justice Bulletin.

Bontchev, V. 2000. Private e-mail correspondence. Used with permission.

Bordera, M. The Computer Virus War: Is The Legal System Fighting or Surrendering? Computers & the Law Project, Computers and Law, University of Buffalo School of Law.

Briney, A. 2000. Private e-mail correspondence. Used with permission.

Cobb, S. 1998. Taming Wild Code. Information Security Magazine, April.

Davidson, M. 1999. Do you know where your children are? Reason Online, November. http://www.reason.com/9911/fe.md.do.html

Dyer, A. 2000. Private e-mail correspondence. Used with permission.

Foglia, W. 1997. Perceptual deterrence and the mediating effect of internalized norms among inner-city teenagers. Journal of Research in Crime & Delinquency, Vol. 34, Issue 4, p. 414.

Froehlich, J., Pinter, E. & Witmeyer, J. 2000. Making The Time Fit The Crime. Legal Column Archives. http://www.fmew.com

Gordon, S. 1994a. The Generic Virus Writer. Proceedings of the International Virus Bulletin Conference, Jersey, Channel Islands, pp. 121-138.

Gordon, S. 1994b. Faces Behind the Masks. Secure Computing Magazine, November 1994.

Gordon, S. 1995. Technologically Enabled Crime: Shifting Paradigms for the Year 2000. Computers and Security Journal, December 1995.

Gordon, S. 1996. The Generic Virus Writer II. Proceedings of the International Virus Bulletin Conference 1996, Brighton, UK, pp. 177-188.

Gordon, S. 1999. Viruses in the Information Age. Virus Bulletin, June, July & August 1999. http://www.badguys.org/vb3part.htm

Grable, J. 1996. Treating Smallpox with Leeches: Criminal Culpability of Virus Writers and Better Ways to Beat Them at Their Own Game. Computers & the Law Project, University of Buffalo School of Law.

Gryaznov, D. 2000. Private e-mail correspondence. Used with permission.

Halliday, C. & Graham, S. 2000. Personality & Social Psychology Bulletin, May 2000, Vol. 26, Issue 5, p. 5480.

Hemmens, C. & Bennett, K. 1999. Juvenile curfews and the courts: Judicial response to a not-so-new crime control strategy. Crime & Delinquency, January 1999, Vol. 45, Issue 1, p. 99.

ICSA. 1999. ICSA Releases 1999 Computer Virus Prevalence. http://www.icsa.net/html/press_related/1998/virusprev98.shtml

Iran. 2000. http://www.gpg.com/homePages/peik/policies.htm

Jenislawski, S. Melissa Virus Author Admits $80 Million in Damage. http://www.policy.com/news/dbrief/dbriefarc439.asp

Kabay, M. 2000a. Viruses are not Speech. Virus Bulletin, “Comment”, July 2000.

Kabay, M. 2000b. Private e-mail correspondence. Used with permission.

Kabay, M. 2000c. Private e-mail correspondence. Used with permission.

Kohlberg, L. 1981. The Meaning and Measurement of Moral Development. Clark University Press, Worcester, MA.

Kuo, J. 2000. Private e-mail correspondence. Used with permission.

Lemos, R. 1999. 'Tis the Season for Computer Viruses. December. http://www.zdnet.co.uk/news/1999/49/ns-12098.html

Marx, A. 2000a. Private e-mail correspondence. Used with permission.

Marx, A. 2000b. Private e-mail correspondence. Used with permission.

McDowall, D. & Loftin, C. 2000. The Impact of Youth Curfew Laws on Juvenile Crime Rates. Crime & Delinquency, January 2000, Vol. 46, Issue 1, p. 76.

Panzl, B. & McMahon, T. 1989. Ethical Developmental Theory and Practices. 71st Annual Meeting of the National Association of Student Personnel Administrators, Denver, Colorado.

Pichnarczyk, K. 2000. Private e-mail correspondence. Used with permission.

Pineda, R. 2000. Private e-mail correspondence. Used with permission.

Renert, C. 2000. Private e-mail correspondence. Used with permission.

Schjolberg, S. 2000. The Legal Framework: Unauthorized access to Computer Systems. Byrett, Norway.

Shipp, A. 2000a. Private e-mail correspondence. Used with permission.

Shipp, A. 2000b. Private e-mail correspondence. Used with permission.

Simpson, M. 1999. Laws That Make Parents Pay. National Education Association Today, March 1999, Vol. 17, Issue 6, p. 25.

Stiller, W. 2000a. Private e-mail correspondence. Used with permission.

Stiller, W. 2000b. Private e-mail correspondence. Used with permission.

Stiller, W. 2000c. Private e-mail correspondence. Used with permission.

Stiller, W. 2000d. Private e-mail correspondence. Used with permission.

Taiwan. 1999. Caught in the Net: Is Cyberspace a new haven for crimes? Taiwan He@dlines, No. 70. http://www.taiwanheadlines.gov.tw/19991214/1999121413.htm

Thompson, R. 2000. Private e-mail correspondence. Used with permission.

Tippett, P. 2000. http://www.thesunnews.com/news/stories/2074548.htm

ZDNET. 1999. http://www.zdnet.co.uk/news/1999/51/ns-12354.html

Appendix A

These questions were presented verbally to a random sampling of attendees of the DEFCON conference.



Some people want the writing of self-replicating computer code to be illegal. If this were to become a reality, would you be:

(a) Less likely to write self-replicating code

(b) Not influenced one way or the other (makes no difference)

(c) More likely to write self-replicating code



Given that what a person thinks is generally viewed as their own business, and that intentionally going out to cause someone problems with a virus by intentionally infecting their computer is viewed as not ok, where on this scale of “how far would you go” do you personally draw the line at acceptable behaviour?

1. Thinking about writing the virus

2. Talking on a BBS about how you might write the virus

3. Writing the virus on your own computer, but never giving it to anyone.

4. Writing the virus on your own computer and having it escape accidentally

5. Writing the virus on your own computer and giving it to one or two friends

6. Writing the virus and uploading it to a VX site, labeled as a new virus.

7. Writing the virus and posting it to Usenet labeled as a useful application

8. Writing the virus and deliberately infecting other people’s computers with it.



--------------------------------------------------------------------------------

[1] Using The WildList (http://www.wildlist.org)



[2] based upon the Kohlberg model (Kohlberg, 1981; Panzl & McMahon, 1989)

[3] other models produced similar results

[4] social effects related to lack of trust are outside the scope of this paper

[5] an in-depth discussion of viruses as speech is outside the scope of this paper

[6] this assertion is examined later in this paper

[7] http://www.av.ibm.com, http://www.badguys.org

[8] Liabilities and legislation related to naturally occurring software or hardware induced corruptions are beyond the scope of this paper.

[9] further discussion on cyber-activism or civil disobedience is outside the scope of this paper

[10] 161 subjects, 90% confidence level, 6.0 confidence interval

[11] Popp, Pile, Ing-hau, Smith

[12] Google displays web sites based on page-rank. Thus, it retrieves pages based on the number of other pages which point to it. Therefore, the more highly visited pages are ranked first, with new pages being added as they become more popular

[13] Time did not allow the preparation of a true Likert scale; this would be an interesting project for future research.


Virus Bulletin 2010: A Retrospective

Abstract

We look back on the years 2000-2010 from the perspective of the anti-virus industry. Four technology trends were responsible for substantial changes in the computing environment, which formed a backdrop for the virus problem. (1) Pervasive computing devices are now the dominant way that people interact with the digital world, far outnumbering traditional PCs, and the shift in architecture was responsible for both new problems and new protections. (2) The decline of Moore's Law resulted in dramatically falling chip prices, resulting both in their commoditization and much more widespread use throughout the world. (3) Broadband access to the Internet from most of the developed world put much of the Earth's population online all the time. (4) The rise of e-commerce has affected every sector of the economy; the digital economy now rivals its material counterpart. We review the most significant viral disasters in the past ten years, showing how they could have been predicted from these technology trends, and usually avoided. To the contrary, we show how the anti-virus industry actually responded, often after the fact. While anti-virus technology has evolved significantly since the year 2000, with several technological marvels to its credit, perhaps the most surprising change is that few end users are even aware that it exists any more.





Introduction


Welcome to Virus Bulletin 2010. I’m Steve White. Some of you may recall that I was involved in the anti-virus industry back all those years ago, when it first began. On this twentieth anniversary of the first Virus Bulletin conference, the nice people at VB asked me to come back to say a few words. Figuring that you might all be tired of hearing the same old predictions of what the future will be like, I’m going to use this opportunity to look back at the last ten years in the anti-virus industry: the years 2000 through 2010.



2000: The New Millennium


In many ways, the beginning of the New Millennium was surprisingly boring. The “Y2K Virus”, as it was called all too often, did not cause widespread havoc. Nor did it fry all of the computers in the world, bankrupt entire countries or lead to the end of the world. As the wave of midnight spread over the South Pacific and then on to the rest of the world, the biggest surprise was that almost nothing happened.



The news media, which had spent the previous year focusing on worst-case scenarios, worked hard to find anything at all, in any country whatsoever, that happened as a result of the Y2K problem. Sure, there were a few minor problems, but fewer than happened on any normal day due to normal computer problems.



There were, of course, computer virus problems that year, and a couple of them were quite significant at the time. They largely centered on the fact that the most popular applications – the mail and document applications from Microsoft Corp. – were themselves programmable, and were the medium in which viruses spread. It was the first year in which a self-mailing virus really hit big, becoming the most rapidly spreading, most widespread virus up to then. And even so, it took 24 hours to spread all around the world (since it still required people to arrive at work, open their mail and look at what was called an “attachment”). I doubt that more than a few techies even remember the name of that virus.[1]



What I remember is that anti-virus companies still weren’t prepared to handle it. It still took them many hours to make a solution to the new virus widely available. It took some of them days just to get it right. Imagine – days – when the virus itself sprinted around the world with the speed of the rising sun! And this was after several self-mailing viruses the previous year made it more than apparent that the problem had reached a critical point.



There were two other important events that year, though I don’t think many people realized how important they were at the time. The first thing that happened was that several anti-virus companies teamed up with mail and other providers to integrate anti-virus products into some of the infrastructure of the Internet. Some people at the time viewed this as a great marketing move, capitalizing as it did on the publicity that self-mailing viruses had gotten, but perhaps conferring only a small increment in real virus protection. Those of you who have followed this technology realize how wrong they were! (More about that later.)



The second thing that happened is that some very basic immune system technology was deployed for the first time. In fact, I was part of the team that developed it at IBM Research, in a joint effort with Symantec Corp. We were pretty proud of it at the time. It really did find new viruses, analyze them, and distribute cures for them, and it did it fairly quickly compared to what other companies could do then. Still, looking back on it, it seems rather primitive. And there were a lot of skeptics who thought it wouldn’t work as well as what they were already doing, or wouldn’t work at all.



2001: The Zuzu Virus


The Zuzu Virus was a heinous and costly event, of course, but in retrospect it was probably inevitable. It started on March 22, 2001 with a trickle, then a flood of panicky messages posted on various Internet newsgroups from what appeared to be hundreds of companies around the world. They said that some new, terrible virus had hit their company, that it was wreaking havoc, and that they were unable to cope with it.



At the same time, anti-virus companies got copies of a very large, very complex virus that contained the string “What is Zuzu?” Given the obvious urgency of the situation, anti-virus gurus started analyzing it right away. It was easy to see that the virus had all sorts of code related to mail, network-based spread, password cracking, etc. But its size and complexity meant that no one would understand what it did for quite a while.



The news media picked up the story. Managers of anti-virus groups were interviewed, saying that this was the most complex virus ever seen and it could be capable of just about anything. Security experts were interviewed, saying that this was just the kind of thing they had feared for years. Could this be the killer virus, the media asked, the virus that really does bring down the Internet? Maybe, they all agreed, maybe it is.



Security teams at hundreds, perhaps thousands of companies, responded quickly. Not wanting to get hit themselves, they did what they had done in previous epidemics – they shut down their mail systems, since this was the primary way that epidemics spread at the time. But, because it was not understood how the virus was propagating or what effects it had, they did more – they shut down their Internet connections altogether and disabled their internal networks as well. They were prepared to wait out the epidemic.



Then things started getting odd. News reporters, eager to do follow-up stories on the initial warnings, sought interviews with officials from severely affected companies. They found a lot of companies that had shut down their networks, and these made very effective stories. They found a few small companies that claimed their computers had crashed because of the virus. But, and this was the odd part, they found very few companies that would say they had been hit. And none of them could actually produce a copy of the virus.



It is a measure of the naiveté of the time that it was not until the next day that the underlying story emerged. It turned out that the newsgroup postings were almost all forged.[2] There was a Zuzu Virus – the one that anti-virus companies had – but it was not spreading wildly around the world. In fact, it was not spreading at all. In fact, it had never spread anywhere.



The whole thing was a publicity stunt gone horribly wrong. A public relations firm named MacIntyer Knox Oldsen & Urquhart had the clever idea of generating buzz for their customer Zuzu Industries, an Internet security start-up, by attaching its name to a virus scare. Unfortunately for everyone, this worked far too well. Damages to businesses from cutting off their network access were estimated at over a billion dollars.



The resulting liability suits sank Zuzu Industries almost immediately. It was followed into bankruptcy soon thereafter by the ill-considered MacIntyer Knox Oldsen & Urquhart. The news media concluded that the anti-virus industry had blown the problem out of all proportion.



There was a trendy term in use around that time: “viral marketing”. I don’t think this is what it meant, but it certainly fell out of use very quickly after the Zuzu incident.



2002: A Little Tea Party


Now I know you remember the Tea Party of 2002! Even those of you from outside the U.S. remember this. It was the early evening of April 15, the day on which income taxes must be reported to the U.S. government. The Internal Revenue Service (the “IRS”), which collects federal taxes in the U.S., had made a big and rather successful push to get people to file their taxes electronically. So, millions upon millions of people were typing on their PCs, finishing their electronic tax forms, and submitting them over the Internet.



At the same time, a new virus had been released and was spreading rapidly via mail. It came as an “attachment” to mail with the subject line “IRS announces 10% tax break for electronic filing”. It first appeared on the east coast of the U.S., and was subsequently thought to have originated in Reston, Virginia. With a subject line like that, and on the very day when taxes were due, perhaps it is not surprising that it spread like wildfire across the U.S., infecting a large but still unknown number of home computers.



The Tea Party Virus, as it became known, did three things. Like any self-mailing virus of the time, it sent itself to everyone in the victim’s address book. That was typically a few dozen to a few hundred people. Then it looked for files from a few common tax return programs and, if it found them, changed them so that more money was owed to the government. The amount was not so large as to be obvious, but was large enough to be particularly annoying to the people said to owe it.



The third thing the virus did was to delete itself, and all evidence of itself except for the changes to the tax files themselves. This turned out to be the most important characteristic of the virus.



Of course, anti-virus companies got samples of this virus within minutes of its first appearance. But it was highly polymorphic, using techniques that had been widely discussed in anti-virus circles but not incorporated into automated defenses at that time. So, it sat in queues at various companies until human virus analysts got around to looking at it. By then, it was much too late. The Tea Party Virus had infected thousands, perhaps millions, of home computers, and corrupted as many tax returns – returns that had already been submitted to the IRS.



By the next morning, news of the virus was all over the media. It was the major story of the week. The IRS, seeking to calm worried taxpayers, announced that they had put their best people on it, that they were working closely with anti-virus companies, and that the situation was well in hand. As you might recall, it wasn’t. There was no way of telling which tax returns had been corrupted. Indeed, if anti-virus software hadn’t caught the virus with heuristic detection in the first place and the virus had actually activated and had a chance to cover its tracks, there was no way of knowing if the virus had ever been on a user’s system.



And that was the trick. The IRS didn’t know which returns had been corrupted. The users didn’t know if the virus had been on their system. There was no way to tell who owed what the government claimed, and who owed less. Not unless everyone went through their records in great detail and did their tax calculations again.



After weeks of agonizing denials that they had an intractable problem, the IRS finally conceded that they could not determine which tax returns were correct and which were corrupted. Their only recourse was to ask all taxpayers who had submitted electronic forms (and there were a lot of them!) to file their tax returns again – on paper.



It was the right thing to do, but it caused serious delays in settling how much money taxpayers owed, and delayed many tax refunds by months. The resulting public outcry prompted the U.S. Congress to pass legislation requiring all federal agencies to install and run anti-virus software on all of their systems, and to filter incoming and outgoing traffic for viruses. They also banned electronic filing of tax returns, which is why, to this day, we still submit them on paper every year.



Now the clever among you will have noticed that none of the things the Congress did would have actually prevented the Tea Party Virus, or in fact diminished it in any way.

But the Congress felt they had to do something.



Later that same week in April, a man named Martin Fennig was arrested and charged with writing the Tea Party virus. He was subsequently convicted in what appeared to be a fairly straightforward case. The conviction was overturned on appeal for procedural errors by the investigators and Fennig was freed. While there are various theories about who might have written the Tea Party Virus, no one else was ever charged.



2003: Pervasive Pervasiveness


In 2003, another seminal event occurred though, again, few people realized how seminal it would be for the anti-virus industry. For the first time since the early 1980s, the PC was no longer the most prevalent computing platform in the world. It had been overtaken, as widely predicted, by what were then called “pervasive computing devices.”[3] These were Personal Digital Assistants, WebPhones, and most devices running the low-end operating systems from The Windows Company.



These devices were aimed at people who used them as special-purpose artifacts – designed to do a few tasks and nothing else. These people were not interested in general-purpose computing, and were certainly not interested in becoming system administrators for a half-dozen such devices. So the manufacturers did the obvious thing. They relieved their customers of the responsibility of system administration by doing it for them. Almost all of these devices had subscription features that allowed the manufacturer to update the device automatically with bug fixes and feature enhancements. As you know, this strategy was very successful.



Anti-virus companies were working on protection for these devices, but these were not usually high-priority projects. Sure, viruses had been written for virtually all of the environments used by these devices, but no viruses were actually spreading in any significant way. Anti-virus efforts were not, therefore, fabulously aggressive. There was basic technology to scan some objects, or to prototype a simple heuristic or two but, with few exceptions, there was not a concerted effort to protect these platforms against future threats.



2004: With Sugar, Please


In July of 2004, the Java 4 standard was announced. It included a new security model called “Sugar”. The Java Group had focused on security since Java began. In this release, they focused on enterprise-wide, and even global, administration of security. Behavior Control Lists (BCLs), which were introduced in Java 3, were greatly extended so that developers and administrators could enforce very fine-grained restrictions on the operation of a Java applet or application. Developers could specify the behaviors that needed to be allowed for the program to run. Administrators could specify policies for what behaviors were allowed globally, for each software developer, or for each program.



Having extended BCLs, the Java Group also put into place a clever hierarchical management scheme for it. An enterprise could establish and enforce a global BCL policy, and each division within the enterprise could add its own local BCLs. BCLs and their management structure were set up to be dynamic. They could be modified or updated relatively quickly. A change in the global BCL policy could be reflected across an enterprise in an hour or so.
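To make the two-sided model concrete (developers declare what a program needs, administrators say what is allowed at each level of the hierarchy, and the program runs only if the two agree), here is an added illustration in Python. It is not code from the talk, from the Java Group or from any real product; the level names, behaviour names and sample programs are constructed, and it assumes a deny-wins rule in which a division or developer level can only narrow what the level above it allows.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Behaviours = FrozenSet[str]


@dataclass(frozen=True)
class PolicyLevel:
    """One level of the policy hierarchy (enterprise, division, developer,
    program). `allowed` is None when a level inherits its parent's set
    unchanged. The level names used below are constructed for the example."""
    name: str
    allowed: Optional[Behaviours] = None


def effective_allowed(levels: List[PolicyLevel]) -> Behaviours:
    """Walk from the global level to the most local one. Assumption made by
    this example: a lower level can only narrow what the level above allows
    (deny wins), so the effective set is the intersection of every level that
    states a policy. An empty hierarchy allows nothing."""
    current: Optional[Behaviours] = None
    for level in levels:
        if level.allowed is None:
            continue
        current = level.allowed if current is None else current & level.allowed
    return current if current is not None else frozenset()


def check_program(required: Behaviours,
                  levels: List[PolicyLevel]) -> Tuple[bool, Behaviours]:
    """The behaviours a developer declared for the program are checked against
    the effective policy; the program may run only if all of them are allowed.
    Returns (permitted, behaviours that would be denied)."""
    denied = required - effective_allowed(levels)
    return (len(denied) == 0, denied)


# Constructed sample hierarchy: a global policy, one division that removes
# write access, and a per-developer level that inherits unchanged.
ENTERPRISE = PolicyLevel("enterprise",
                         frozenset({"net.http", "fs.read", "fs.write", "ui.display"}))
FINANCE = PolicyLevel("finance-division",
                      frozenset({"net.http", "fs.read", "ui.display"}))
REPORTING_VENDOR = PolicyLevel("developer:reporting-vendor")  # inherits

REPORT_VIEWER = frozenset({"net.http", "ui.display"})  # declared by its developer
SELF_UPDATER = frozenset({"net.http", "fs.write"})     # wants to modify files


def run_sample() -> dict:
    """Evaluate both sample programs under the finance division's hierarchy,
    then again after the global policy is tightened: a change at the top is
    reflected at every level below it without touching the local levels."""
    chain = [ENTERPRISE, FINANCE, REPORTING_VENDOR]
    tightened_top = PolicyLevel("enterprise", frozenset({"fs.read", "ui.display"}))
    tightened = [tightened_top, FINANCE, REPORTING_VENDOR]
    return {
        "viewer": check_program(REPORT_VIEWER, chain),
        "updater": check_program(SELF_UPDATER, chain),
        "viewer_after_tightening": check_program(REPORT_VIEWER, tightened),
    }


if __name__ == "__main__":
    for name, (ok, denied) in run_sample().items():
        print(f"{name}: {'permitted' if ok else 'blocked'} {sorted(denied)}")
```

The point the intersection makes is the least-privilege one: a program is told what it may do by the most restrictive administrator in its chain, and a developer cannot widen that by declaring more.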



Anti-virus companies viewed this as an opportunity to expand their existing services of examining programs and declaring them to be either viruses or Trojan horses. They offered services in which they would certify that the BCLs associated with a given app were correct, that is, both needed by the program and not generally dangerous if used. Subscribers to the service could get updates to the BCL certifications and deploy them very quickly to every Java installation they had. The anti-virus companies offered to certify programs developed by others, initially for a fee and then, when that proved unpopular with the development community, for free. Curiously, this was not a commercial success. It seems that developers felt they could do this better themselves, and companies did not want to rely on anti-virus vendors to certify the software they used.



Ominously, the Sugar architecture was not adopted by The Windows Company, which continued to pursue its strategy of promoting a competing active content language that did not have a similar security architecture.



2005: The Digital Economy


As quickly as the Web had become a major social force during the 1990s, this last decade saw the dramatic rise of the global digital economy. First seeking broader markets for their services and more competition among their suppliers, companies started finding, contracting with, and doing business with other companies over the Net. It was clear that these first few sparks would burst into a bonfire as soon as the number of these businesses reached critical mass. It was clear that it would transform the global economy. What surprised everyone, as they had been surprised by the Web a decade earlier, was how quickly it happened.



By 2005, there was no longer any doubt that the world was in the midst of an economic revolution that would be bigger than the Industrial Revolution. Company after company rushed to solidify their presence in the digital economy, eventually automating much of their routine business processes and supplier relationships. Opportunities for new companies that facilitated business in this new world were at an all-time high.



This was the revolution that carried Lixxuid[4] into global prominence. What started as a small Australian-based Internet bank in late 2000 grew explosively to become the twenty-fifth largest bank in the world by 2005 – an event unprecedented among financial institutions – by facilitating financial transactions for businesses in this digital economy.



Then, on August 9, 2005, Lixxuid’s luck ran out. It was mid-morning in Melbourne, and usage of their primary transaction gateways went through the roof. Almost simultaneously, their phones filled with customers reporting that their transactions were not being processed. It took over an hour for worried administrators to confirm what they feared: they were under attack.



At first, they thought it was hackers, since it looked initially like a common kind of denial of service attack. But, each time they thought they had a handle on the problem, it grew worse. By the end of the first day, they were under attack by more computers than they could count.



The attackers turned out not to be hackers, but viruses, using a variant of the VDP (Viral Distributed Ping) attack.[5] The number of attackers kept increasing because the number of infected systems kept increasing in those first few hours.



You may not remember, but anti-virus companies did pretty well during this incident. They got copies of the virus right away, and had solutions for the virus available well before the sun set in Melbourne. (Some companies had a solution much faster than others, for reasons that modesty forbids me to mention.)



What did not go well was actually eliminating the virus. While almost everyone had the capability of automatically updating their virus definitions and cleaning any new viruses off of their systems, very few people had this feature turned on. Indeed, most corporations still required manual approval to distribute definitions, either because they had extensive in-house testing procedures or because they didn’t want to be the first ones to distribute definitions that might cause internal problems. That was probably a good and conservative choice for their own companies. But it meant that the VDP-XX virus could gain an early and firm foothold in hundreds of companies, and tens of thousands of households, worldwide. And all of them were aimed at Lixxuid.



Lixxuid issued a hasty press release, suggesting that they would take legal action against companies and individuals who did not take rapid measures to prevent their systems from attacking their bank. The media picked this up and made it part of almost every story they ran. This got the attention of lots of people, especially in the more litigious countries, and lots of people and companies made sure they updated their anti-virus software to eliminate the virus.



The viral population peaked early in the second day. Lixxuid system administrators worked around the clock, and had achieved some reduction in the incoming flood of traffic, but not nearly enough to control the attack. It took another day and a half before a combination of anti-virus software, media warnings, and hastily-crafted network filters brought the attacking traffic down enough that Lixxuid could once again process transactions, and even then only slowly.



But the damage had been done. Lixxuid’s doors had been closed for just over three days, and the world does not appreciate a bank that closes its doors. On the first day that Lixxuid reopened for business, they bled to death from customers withdrawing their money and closing their accounts. It is, by now, the most analyzed bank failure in history.



Police and investigatory agencies from around the world joined in the search for the perpetrator or perpetrators of this crime. The search went on for many months. Whether it was because those responsible were crafty or just very, very quiet, no one was ever arrested. To this day, theories abound.



In the following year, over 50 copycat attacks were stopped before they started by anti-virus protection that was already in place, and several authors of the copycat viruses were arrested and ultimately convicted. Whether any of these copycat authors was the author of the original VDP-XX virus is not known.



2006: Moore’s Wall


2006 brought a worrisome realization. For decades, Moore’s Law was the foundation on which progress in computing was built – the nearly unshakable belief that advances in silicon technology would lead to chips whose performance doubled every 18 months.



A prescient article by an Intel engineer in 1999 suggested that, in the following decade, the chip industry faced a series of very difficult obstacles. The oxide layer, which allows transistors to be switched on and off, would become so thin – just a few atoms thick – that it would no longer be an effective insulator for the switching current. Dopants, which create free electrons for the switch’s current, would become so sparse that the transistors themselves would be unreliable. Solutions to these problems, the article pointed out, were not obvious.



Still, people in the chip industry, and throughout the computing industry, were unfazed. Moore’s Law would continue its inexorable climb one way or another, they assured each other. It had always been thus, they reasoned, and thus it would always be. Unfortunately, their optimism was not borne out.



New ways of building transistors on chips to avoid these problems turned out to be difficult to manufacture. New chip architectures to deal with the inherent unreliability of the transistors turned out to be more elusive than hoped.



For a few years, everyone watched the performance curve deviate ever so slightly from Moore’s Law. That had happened before, they said, and it had always gotten back on track. They were sure that someone, somewhere, would find a solution to these problems.



But by 2006 the trend was clear. Chip performance was not increasing as rapidly as predicted. Despite tremendous efforts, the problems had not been solved. We now refer to this as “Moore’s Wall” – the wall into which the chip industry ran, headlong, and with dramatic consequences.



The optimists are with us always. Now they tell us that new technologies are just around the corner. 3D devices. Molecular computing. Quantum computing. They assure us that we will soon return to those halcyon days, that Moore’s Law will rise again in a new realm as it has before, that Moore’s Wall will be known to our children only as Moore’s Lapse. And I think they’re right. What is not clear is how long it will take to perfect these new technologies, to make them manufacturable, to make them reliable, to make them affordable. What is not clear is how long Moore’s Lapse will be.



In 2006 Intel, then the world’s pre-eminent maker of microprocessor chips, introduced the Intel Googlium™ microprocessor and, at the same time, announced that Moore’s Law was at an end, that decades of easy performance increases were over, at least for the time being. The Intel Googlium™ was to represent the last significant silicon-related performance enhancement of the decade.



2007: The Unwiring of India


Moore’s Wall had an interesting effect. As it became harder to compete on raw chip performance, basic chips became cheaper. And this happened at the same time as the world piled into the digital economy. Several progressive countries made big bets on these two trends. India was probably in the forefront.



The “unwiring” of India, started in 2003, was declared complete in 2007. High-bandwidth wired access was available in all major urban areas along with moderate-bandwidth wireless access. This accelerated massive buying of now-cheap network devices in India, contributing further to their dramatic worldwide price decline. In the space of a few years, this snowball effect spread devices throughout the developed world and much of the developing world. Today, the people at this conference are constantly connected to the Internet through the half-dozen devices that we carry or wear all the time. This was a big change.



The ubiquity of these new devices was not missed by the virus writers. Device viruses became the dominant virus problem. Anti-virus companies scrambled to update their device technologies to handle the plethora of new viral carriers, and hook them into their automated defenses.



2008: Nothing Happens


In 2008, nothing happened. Well, nothing directly relevant to the anti-virus industry, anyhow. I suppose that people in the U.S. would regard the election of President Clinton as significant.



2009: A Solution Emerges


Each decade seems to have brought with it a standard architecture to address the virus problem of the time, and this decade is no different. As in previous decades, the solution addresses the new problems that have emerged:



Internet-based spread. Virtually all viruses today spread primarily via the Internet. Naturally, there are viruses that spread by other means, and the anti-virus industry is always issuing breathless press releases about some tricky new way a virus spreads. But nothing even comes close to Internet spread in terms of pervasiveness and speed. So, most of the virus incidents seen by real people are spread via the Internet. Fortunately, the Internet is an important part of the solution. Ten years ago, the idea of integrating anti-virus software with commercial mail services was new. Now, no one in their right mind would subscribe to a mail service that did not filter out viruses. (There are people who do, and while they seem to have a kind of “herd immunity” because almost everyone else has filters, they do get more virus infections than the rest of us.) As active content became a part of standard XML business transactions between companies, and after viruses showed up there as well, nearly every business-to-business transaction facility now includes integrated virus filters. Similarly, device hubs quietly watch for viruses in transmissions to and from the many devices we now carry with us or wear. At the endpoints – the devices we all carry around – manufacturers nearly universally integrate anti-virus software into these devices before we purchase them.



Administrative overhead. As the demands of anti-virus updates on system administrators, and particularly end users, became more severe, the industry took that burden upon itself. Just as other kinds of software are updated automatically by the company that develops them – correcting bugs or adding features – anti-virus software is largely updated automatically. Anti-virus software was one of the first kinds of software to need continuous updates, and anti-virus companies were among the first to pioneer the subscription models that have become common throughout the software industry. Coupled with network-based virus filtering and nearly universal integration of anti-virus software into devices before they are purchased, automated updates mean that most users are blissfully unaware that they even have anti-virus software. It has become part of the firmament of nature in cyberspace.



Rapid epidemics. When I first got involved in the anti-virus field back in the late 1980s, when personal computer viruses were just beginning, those viruses spread on floppy diskettes, that is, on physical media that one person would hand to another person. This was really slow! It took a typical virus months or even years to become prevalent around the world, if it ever did. These days, viruses sweep around the world in hours or minutes. The anti-virus industry has responded with technology for rapid, network-based response to epidemics. The goal of this technology is the same as for the early immune system in 2000 – find new viruses, craft cures for them, distribute and install the cure everywhere, and do this faster than the viruses themselves can spread. But I must admit that the solution that has evolved is quite a bit faster and more comprehensive than what we put together in 2000! It would have been hard to imagine back then.



Complex viruses. The virus writers didn’t go to sleep during the last decade – unfortunately! They have continued to develop techniques that tax even our current, very impressive, anti-virus technology. A decade ago, industry pundits predicted that scanning – looking for strings within a file that would indicate a virus – would fall by the wayside, to be replaced by […]. That didn’t happen, but viral defense did evolve to blunt the tactics of the virus writers. One virus-writing tactic that emerged – at first by accident and later, I think, on purpose – was Lurking: making it hard to find a virus via simple scanning technology that performed only a very simple examination of certain parts of certain objects in the system. The anti-virus industry was forced to move to more comprehensive scanning – scanning all parts of all objects, and doing some fairly sophisticated analysis during the scan. This all took time, and a naïve implementation would have been very, very slow. The anti-virus industry came up with a clever solution – use various heuristics, long relegated to second-class status as virus detectors – as filters in front of scanners. That is, heuristics are now used as a first check for whether an object might be infected. The front-line heuristics are very fast, and eliminate most objects as not being infected. Any remaining objects are passed to second-line heuristics that are a bit slower and a bit more precise. And down the line until the object is passed to scanners, and then verifiers, to determine with great precision and certainty that it is infected, and with which virus it is infected.[6] Among these front-line heuristics are the nearly abandoned change detectors of twenty years ago, which can tell quickly if an object has changed since it was last checked for viruses; if it has not, if it was not previously infected, and if the virus detector has not been updated, it’s not necessary to check it again.



Small devices. Earlier in the decade, it was widely believed that devices – the computing devices we carry and wear – would require radically different anti-virus technology, at least to protect their internal environment. They were, it was argued, so small – with hardly any memory at all – so small that it would not be possible to fit the ever-growing PC-based anti-virus products into them. Interestingly, this turned out to be right – and wrong. It was right in that the monolithic, stand-alone applications that were typical of anti-virus protection then would not fit. Nor would the ever-growing scanner-based virus definition files – certainly not with as many viruses as we have cataloged today. But it was also wrong; it was not necessary to stuff old programs into new devices. In retrospect, the solution was obvious. The heuristic hierarchy that solved the speed problem for complex viruses is the first half of the solution. Most of the time, it’s not necessary to have anything running in the devices except the first-level, or maybe the second-level, heuristics. And those are typically small and fast. The second half of the solution is the Internet. If it’s ever necessary to actually scan an object inside a device, it’s not necessary to scan it for all 500,000 known viruses. Intermediate heuristics can easily cut the search down to a few hundred viruses at most. These devices can easily cache virus definitions for the viruses you’re actually likely to see. For all the rest, the definitions can simply be paged in from the next level up in the network. In fact, the networks of anti-virus vendors are now all hierarchical, caching the least information possible in the customer devices and systems, staging the less-used information in intermediate servers and gateways, and connecting them to the automated analysis facilities and human analysts that are at the pinnacle of the pyramid. The Internet makes it all one global system.
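The heuristic hierarchy described under “Complex viruses” and the definition caching described under “Small devices” fit together in one small piece of code, so here is an added illustration in Python that is not part of this talk and not any vendor’s product. It chains a cheap front-line filter, a narrower second-line check and a precise signature comparison; a change detector skips an unchanged, previously clean object unless the definitions have been updated; and a tiny local cache pages definitions in from an “upstream” tier on first use. The two “families”, their marker strings and the sample objects are all constructed for the example and are not real signatures.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed "definitions" for two made-up families. The byte strings are
# invented markers for this example, not real virus signatures.
UPSTREAM_DEFINITIONS: Dict[str, bytes] = {
    "Example-Mailer": b"SEND_TO_ADDRESS_BOOK",
    "Example-Lurker": b"HIDE_IN_TAIL_SECTION",
}


def front_line(data: bytes) -> bool:
    """First-level heuristic: very cheap, looks only at the head and tail of
    the object and is allowed to be imprecise. Most clean objects stop here."""
    return b"SEND" in data[:64] or b"HIDE" in data[-64:]


def second_line(data: bytes) -> List[str]:
    """Second-level heuristic: a bit slower, narrows the candidate families so
    the precise scan needs a handful of definitions, not the whole catalogue."""
    return [name for name, sig in UPSTREAM_DEFINITIONS.items() if sig[:4] in data]


class DefinitionStore:
    """Small local cache in front of an upstream tier: definitions are paged
    in on first use and kept only for the families actually seen here."""

    def __init__(self, upstream: Dict[str, bytes]):
        self.upstream = upstream
        self.local: Dict[str, bytes] = {}
        self.fetches = 0  # how often we had to go to the next tier up

    def get(self, name: str) -> bytes:
        if name not in self.local:
            self.fetches += 1
            self.local[name] = self.upstream[name]
        return self.local[name]


class CascadeScanner:
    def __init__(self, store: DefinitionStore, definitions_version: int = 1):
        self.store = store
        self.version = definitions_version
        # Change detector: object id -> (content hash, definitions version, verdict).
        self.seen: Dict[str, Tuple[str, int, Optional[str]]] = {}
        self.skipped = 0     # objects the change detector let us skip
        self.full_scans = 0  # precise signature comparisons actually performed

    def scan(self, object_id: str, data: bytes) -> Optional[str]:
        """Returns the family name if the object is infected, else None."""
        digest = hashlib.sha256(data).hexdigest()
        prev = self.seen.get(object_id)
        # Unchanged, previously clean, and no definitions update since: skip it.
        if prev is not None and prev == (digest, self.version, None):
            self.skipped += 1
            return None
        verdict: Optional[str] = None
        if front_line(data):                      # stage 1: fast filter
            for family in second_line(data):      # stage 2: narrow candidates
                self.full_scans += 1
                if self.store.get(family) in data:  # stage 3: precise check
                    verdict = family
                    break
        self.seen[object_id] = (digest, self.version, verdict)
        return verdict


# Constructed sample objects.
CLEAN = b"a perfectly ordinary document with nothing of interest in it" * 4
MAILER = b"constructed sample: SEND_TO_ADDRESS_BOOK then a long body " + b"x" * 200
LURKER = b"y" * 200 + b" constructed tail: HIDE_IN_TAIL_SECTION"
NEAR_MISS = b"SEND me the quarterly report please " + b"z" * 100  # trips stage 1 only


if __name__ == "__main__":
    store = DefinitionStore(UPSTREAM_DEFINITIONS)
    scanner = CascadeScanner(store)
    for oid, obj in [("doc", CLEAN), ("mail", MAILER), ("tail", LURKER),
                     ("near", NEAR_MISS), ("doc", CLEAN)]:
        print(oid, scanner.scan(oid, obj))
    print("skipped", scanner.skipped, "full scans", scanner.full_scans,
          "upstream fetches", store.fetches)
```

The counters are the point: the clean document never reaches a signature comparison, the near miss shows that an imprecise front line is fine as long as a precise stage sits behind it, a second look at the clean document costs nothing until the definitions version changes, and a family is fetched from upstream once no matter how many objects it is checked against.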





2010: Hello? Hello?


Here it is 2010. The anti-virus industry has been working on the virus problem for over twenty years. All in all, things seem to be going pretty well this year. There have been no major virus incidents, no overblown virus hoaxes. The nearly seven billion residents of the planet have gone about their daily routines – shopping, gossiping, composing symphonies, and waging war – all without thinking very much about computer viruses. And that’s how it should be.



There is one thing that’s just a little bit odd recently. In the past few days, the phones[7] have been acting up. It seemed to happen at the same time as an automated update of the operating system from The Windows Company for the phone component of devices.



At first, I thought my glasses had stopped working, but everything other than the audio channel was fine. Then I noticed it in my earring too, and then my sketchpad. You may have had the same experience. There was a news alert a few minutes later. This has never happened before, at least not this widespread. It’s still not clear what’s going on. The media are saying it’s a virus. We’re not sure yet. Hopefully we will know more during VB 2010 itself and I’ll be able to tell a more complete story.



Three Decades


It’s instructive to see where we’ve come over the last three decades.



In 1990, virus incidents were called urban myths, “like rumors of alligators in the sewers of New York”. In 2000, it was so clear that viruses were real, and presented such an immediate problem, that businesses would close their network connections when they heard rumors of viruses. In 2010, the problem may be under control, at least for the time being.



In 1990, there were around 50 viruses. In 2000 there were around 50,000. In 2010 there are nearly 500,000.



In 1990, virus defenses consisted of scanning tools that were often unreliable and hard to use. Anti-virus companies typically took a month or more to react to a new virus, which was fine because it took the viruses even longer to spread around the world. In 2000, virus defenses had matured to suites of products on multiple platforms that were deployed around the world. Customers had simple Internet connections to anti-virus vendors to submit suspicious objects and receive virus definition updates. Anti-virus companies typically reacted to a new virus in days – sometimes less if it appeared to be a major customer problem. In 2010, virus defense consists of global distributed systems, with components in nearly every endpoint device and Internet way station in the world. Anti-virus companies typically react to a new virus in minutes, and it’s a good thing too, as that’s how fast viruses spread around the world.



We have come a long way.



Lessons Learned


In the last decade, there have been a few dramatic virus incidents that, in some way, affected millions of people. There have been spectacular hoaxes, after which everyone blamed everyone else for not figuring them out earlier. Viruses moved to new parts of the computing ecology, almost always festering in these new niches before anti-virus technology was available to cope with them. Somehow, the world muddled through it all. In short, the last decade was, for the virus problem and the anti-virus industry, much like the previous one.



The anti-virus industry had a tough job in keeping up with the changing virus problem and the many new niches for viral mischief. In general, they did a great job. We can breathe the same sigh of relief that we did in 2000 when the Y2K bug did not destroy the world: through all the virus problems, the vast majority were handled quickly and efficiently and we are, after all, still here. In the process, the anti-virus industry created several technological marvels, pioneering vendor-maintained endpoint software and creating global automated defenses. Anti-virus technology has become like air: ubiquitous, vital for our survival, and almost completely invisible.



Nevertheless, some people say that the anti-virus industry is still more reactive than proactive, waiting for problems to occur in a new viral niche before creating a solution for them. They say that the self-mailing viral epidemics of a decade ago went on far too long before there was an effective solution, that the Tea Party Virus could have been done years before but the industry still wasn’t ready for it, that the virus that sank Lixxuid could have been prevented. Perhaps they’re right. To be fair, it is difficult to anticipate exactly which niche will become populated with viruses, and users do not often change their behavior in the absence of a clear and present danger. Still, the stakes are increasing, and it is becoming more and more problematic to be behind in protecting new areas of the computing environment.



I wonder what will happen in the next ten years?



Note


[The editors of the VB 2010 conference proceedings apologize for the temporary unavailability of the touch-references in this paper. As soon as this week’s widespread device problems are straightened out, we are sure the touch-references will work just fine.]





Disclaimer


This paper attempts to take a humorous look at what might happen in the next ten years of the anti-virus field. The author is not actually from the future, and doesn’t actually know how things will turn out. The events described in this paper are not actually historical facts, have not yet happened, and might never happen. Except for IBM, Microsoft, Symantec, Intel, the Love Letter virus and me, the names of companies, viruses and people are entirely fictional. Sheesh.





--------------------------------------------------------------------------------

[1] It was the “Love Letter” virus.

[2] Curiously, a few postings turned out to be genuine, in the sense that real people thought they had the virus, panicked, and posted hysterical pleas for help.

[3] It’s amusing to think back on this, really. Would Henry Ford have referred to “pervasive transportation devices”, or Thomas Edison to “pervasive illumination devices”? Yet, just a few years ago, the idea that computing elements would be embedded in everything seemed so surprising that people invented a specific term for it.

[4] The company’s name was pronounced “Liquid”.

[5] I hope you don’t mind if I avoid going into detail about this attack. While it was an obvious attack years before it happened, and is nearly as easy today, there have been mercifully few events like it since then. I’d be happy if that trend continued.

[6] If a heuristic says that an object might be infected, but a lower-level heuristic (or the scanner/verifier) says it is not, it is a candidate to be forwarded and analyzed via immune system technology.

[7] It’s an interesting lesson in the spread of technology that today, in most developed countries, you no longer buy a device that would have been called a “phone” ten years ago. The falling price of components and the ubiquity of devices led to an audio facility being built into just about everything. It was too cheap not to do.
