The Future of Viruses on the Internet
Lots of Little Tremors, a Few Big Quakes
There are many different phenomena, both natural and man-made, that come in different sizes. In many cases, the small things come quite often, and the big things only rarely. Small earth tremors are much more common than large earthquakes. Slight rises in the level of a river are much more common than floods. Virus incidents that involve only a few machines are much more common than major outbreaks involving hundreds of systems.
When the distribution of incidents is skewed in this way, we tend to get good at handling the small incidents; they become routine and expected, and our solutions will be efficient and well-tested. Large incidents, since they happen rarely, are handled on a more ad hoc basis; maybe we know who will be on the Crisis Team (assuming that someone remembered to update the list as people changed jobs), but exactly what the team will do once it's assembled will be determined on the fly to fit the case. That's why the Crisis Team has to contain some of the best people we have available.
Conditions change. If the probability of a large incident increases rapidly, we can be caught unawares, and the number of large incidents can easily overwhelm an ad hoc crisis-based approach that depends on large problems being few and far between. On the other hand, if we can see the change coming, we have a chance to develop methods that can handle the majority of large incidents as smoothly as we already handle the small ones.
How will the continued growth of the Internet change the pattern of virus spread and similar threats? Is our current paradigm of virus containment sufficient for the future?
Viruses and the Internet
At present, computer viruses are a constant low-level annoyance. Every company knows that it ought to have anti-virus software, and that virus protection is a cost of doing business, just like backup and fire insurance. Small virus incidents are common and routine. In organizations that do centralized incident management and reporting and have anti-virus software well deployed, most incidents involve only one or two systems; the virus is caught before it can spread farther than that.
When new viruses are discovered, anti-virus software is updated to deal with them on a cycle of weeks or months. Anti-virus vendors generally offer monthly updates, and in a typical corporate environment new updates are installed every one to six months. Because it takes a typical new virus many months, or even a few years, to become widespread, this is reasonable. The recent rise of macro viruses, which can become widespread in just a few months, has put some downward pressure on these time-scales, but not changed their general magnitude. It is still feasible to deal with new viruses through a largely manual process: a customer finding a new virus sends it in to a vendor, the vendor analyses it by hand and returns detection and repair information to the customer, and other customers get the information over the next months, in their regular updates.
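The argument above rests on a race between two time-scales: how fast a new virus doubles its footprint, and how long it takes for a hand-built signature to reach installed systems. The following simulation is an added illustration, not code from the essay or from any anti-virus vendor. It assumes a simple model of my own: one infected host on day 0 whose sample reaches the vendor the same day, exponential growth with a given doubling time, a fixed analysis delay before a signature exists, customers installing updates uniformly over their update cycle, and a protected host both resisting new infection and cleaning up an existing one. The parameters (doubling times of 30 and 3 days, a 14-day analysis delay, 90-day and 30-day update cycles) are constructed for illustration.

```python
"""Toy race between virus spread and manual signature deployment.

Added example with constructed parameters; the growth and deployment
model is an assumption made for illustration, not a measured one.
"""


def peak_infected_fraction(doubling_days, analysis_days, update_cycle_days,
                           total_hosts=100_000, horizon_days=365):
    """Return the largest fraction of hosts infected at any one time.

    doubling_days     -- days for the infected population to double
    analysis_days     -- days from first sample to a usable signature
    update_cycle_days -- days over which customers install that signature
    """
    infected = 1.0                              # day 0: a single infected host
    growth = 2 ** (1.0 / doubling_days) - 1     # per-day growth rate for that doubling time
    peak = infected

    for day in range(1, horizon_days + 1):
        # Fraction of hosts that have installed the signature by this day.
        days_since_signature = day - analysis_days
        if days_since_signature <= 0:
            protected = 0.0
        else:
            protected = min(1.0, days_since_signature / update_cycle_days)

        # Only unprotected, still-clean hosts can be infected today.
        unprotected_hosts = total_hosts * (1.0 - protected)
        susceptible = max(0.0, unprotected_hosts - infected)
        new_infections = infected * growth * susceptible / total_hosts

        # Protected hosts clean the virus off, so infection is capped by
        # the unprotected pool.
        infected = min(infected + new_infections, unprotected_hosts)
        peak = max(peak, infected)

    return peak / total_hosts


def compare_scenarios():
    """Peak infection for a slow classic virus vs. a fast macro virus."""
    return {
        "slow_virus_90_day_updates": peak_infected_fraction(30, 14, 90),
        "fast_virus_90_day_updates": peak_infected_fraction(3, 14, 90),
        "fast_virus_30_day_updates": peak_infected_fraction(3, 14, 30),
    }


if __name__ == "__main__":
    for name, fraction in compare_scenarios().items():
        print(f"{name}: peak {fraction:.2%} of hosts infected")
```

With a 30-day doubling time the manual cycle never lets the virus reach more than a handful of hosts, which is the essay's "reasonable" case. Cut the doubling time to three days, as macro viruses did, and the same 90-day cycle lets roughly half the population become infected before signatures catch up; tightening the cycle to 30 days brings the peak back to about one percent. The model ignores reinfection, uneven update behaviour and network effects, so the numbers are only indicative of the time-scale argument.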
The Internet currently plays a comparatively small role in the spread of viruses. No common virus today is network-aware; all of them require help (generally accidental help) from users in order to spread. So the Concept virus spreads over the Net only when someone mails an infected document to someone else, or makes one available on their Web site. Virus authors have taken advantage of the ease of anonymous posting to distribute copies of their viruses via Usenet News, but since the viruses themselves do not make use of Usenet to spread further, this is a one-time “planting” event, not a continual spread. Since all these network transmission methods rely on manual action, manual responses have been adequate to deal with them.
There are two major trends in Internet technology that will have an impact on virus spread in the next few years: one is the increasing ubiquity and power of integrated mail systems, and the other is the rise of mobile-program systems.
Integrated mail systems such as Lotus Notes and Microsoft Outlook make it very simple to send anything to anyone, and to work with objects that you receive. They also support application programming interfaces (such as MAPI and the Notes API) that allow programs to send and process mail automatically. To the extent that these systems increase the rate at which people intentionally share programs (including documents with embedded macros), the rise of these systems will increase the rate at which manual virus spread of the kind that we're used to occurs. As these systems, and standards such as MIME, make it easier to send compound objects across the Internet, rather than just within one's local workgroup, the possible range of manual spread also increases. We will consider other implications of these systems in a moment.
Mobile-program systems are systems that are designed to allow programs to move on their own from one system to another. The most widely-hyped examples today are Java and ActiveX. At the moment, this technology is used almost exclusively to allow a program to move from a Web server to a browser client and execute there; but with the integration of Java into Lotus Notes, and ActiveX into Microsoft's mail systems, this is already changing. Unlike traditional mail systems, mobile-program systems are generally designed with some sort of security in mind: some idea that a program that arrives from somewhere else should not always be trusted and obeyed the same way a program launched from the local desktop would.
On the other hand, mobile-program systems are complex, and both Java and ActiveX have been found to have security bugs which allowed untrusted mobile programs to do things they should not have been able to do. There is no reason to think that the last bug has been found; we will continue to see security bugs uncovered in these systems, and it would be foolish to assume that they will continue to be found by the good guys before the bad guys get around to using them. These bugs may be exploited in direct attacks against particular sites, or to manually install traditional viruses on many machines at once. They may also enable entirely new network-aware viruses and worms. (There is no firm theoretical line between a virus and a worm. In general a virus is a fragment of code that embeds itself in some pre-existing file that gets