Cyberspace Sherlocks Hunt Virus Vandals

TIMES STAFF WRITER

Joe Wells keeps thousands of viruses locked inside his bedroom closet.

They aren’t stored in vials, but on floppy disks. And instead of names like anthrax or rabies, they are called Helloween and Maltese Amoeba.

These are not human pathogens, but computer viruses. And Wells’ bedroom, inside a home on a quiet cul-de-sac in Thousand Oaks, is a kind of Centers for Disease Control of the electronic world.

Wells, 44, spends much of his time hunched over three computers that sit next to his bed. One is his laboratory rat, a PC that he purposely infects with viruses to see how they spread and what damage they cause.

The other computers keep him in touch with anti-virus experts around the globe. These “spies”--mostly researchers like Wells--let him know when a new strain of the Stoned virus spreads from Finland into Sweden, or when Ripper moves from Japan to Hong Kong.

Wells and his spies collect samples of new viruses and classify them using a system that resembles science’s genus-phylum-species hierarchy. Each month, he publishes a list of viruses that have been observed “in the wild,” that is, anywhere they are not wanted.

His “Wild List” is updated monthly and checked by the dozens of companies that make anti-virus software, an industry that did not exist a decade ago but now earns $100 million a year in sales.

Wells is a member of a small fraternity of experts who battle the nameless, faceless high-tech vandals writing viruses from lairs as far-flung as Taiwan and the Czech Republic.

“They’re kind of like arsonists,” he said of his mostly adolescent foes. “A lot of them are kids playing with matches, but there are a few who are putting together Molotov cocktails and throwing them through windows.”

Like any computer program, viruses are nothing more than a series of instructions for a computer to follow. But while most programs are designed to perform helpful tasks, viruses are designed to spread and sometimes harm.

Their number has multiplied from a handful in the late 1980s to more than 7,500. But the threat they raise has been held in check by improvements in programs designed to detect and kill them. Only about 200 viruses are known to exist in the wild. The rest are kept in collections, or “zoos.”

But Wells and other experts are increasingly nervous about their ability to keep pace in this digital arms race. They are nervous not so much because virus writers are getting smarter, but because the ever-expanding cyberspace favors the enemy.

Topping their fears is the Internet, the worldwide computer network that Wells believes could be the electronic equivalent of the Kinshasa Highway.

When it was built across Africa in the 1970s, the highway replaced a treacherous series of dirt roads and brought modern transportation to the continent’s heart. But researchers say it also greatly accelerated the spread of AIDS.

The Internet could pose a similar threat because in linking millions of computers through modems, it erases one of the most effective barriers slowing viruses’ ability to spread: physical separation.

Until now, viruses were most often spread through the swapping of floppy disks. But experts say the Internet will be teeming with even more programs sent out to do shopping, gather news articles and perform other chores. These self-propelled programs could carry viruses so far so fast that existing anti-virus defenses would be virtually impotent.

This looming problem will be one of the key topics at the National Computer Security Assn.’s annual virus conference in Washington on Monday. It will be one of the two times each year that the world’s virus experts gather to discuss their work.

“In a worst-case scenario, viruses that take advantage of wide connectivity and powerful new software could shut down one-third of the Internet for a week,” said Peter Tippett, president of NCSA. “And if we are complacent, we could have a worst-case scenario.”

The Virus Writers

That they are called viruses is appropriate. Like their biological counterparts, they cannot multiply unless they attach themselves to other living organisms--in this case, other programs. They use their hosts’ energy to fuel their efforts to propagate, tricking the computer into doing their illicit bidding.

Sometimes the virus simply tells the computer to post copies of itself on any program within reach.

Sometimes the virus tells the computer to flash a message on the screen. The Industrial virus quotes from the Dire Straits’ song “Industrial Disease,” then posts this warning: “You should have protected your disk better. This could have been a dangerous virus.”

And sometimes the virus tells the computer to crash.

What viruses do depends on the whims of their creators. So who are these digital terrorists who seem to hold the fate of so many computer users in their hands?

“They’re bright, bored, young, almost all male, and they seek group reinforcement,” Tippett said. Most are high school or college students, he said, and almost all grow out of virus writing by their mid-20s.

Those characteristics describe Dark Angel, a former virus writer who asked that his real name not be published.

“There are really two categories of virus writers,” said the 21-year-old math major at a Massachusetts university. “The first would be people who are doing it because they’re angry at someone--these are very rare to my knowledge. More common is the sort of person who’s just kind of bored.”

Dark Angel (most writers choose similarly dramatic “handles”) started writing viruses in high school. He said he often wrote viruses on his parents’ computer in the idle hours after school while waiting for them to come home from work.

Like many others, Dark Angel was a shy teenager with a budding interest in computers who stumbled into virus writing after he caught one by accident.

“It was on some kind of disk I got,” he said. “I didn’t know enough to do anything with it except be scared of it.”

But he was intrigued enough to want to find out more. Soon, he got another virus, this time intentionally, from a classmate who modified one of the most widespread early viruses, Jerusalem. Within a year, Dark Angel had taught himself assembly--the most common programming language used for writing viruses--and was crafting contagions.

“I can’t exactly defend what I do,” he said. “But when you’re young and bored, either you go out and start doing drugs, you go out and start committing crimes, or you bum around all day. I just did something different.”

Increasingly, virus writers are joining gangs that publish their creations, as well as scathing critiques of rival gangs’ work, in crude virtual magazines on the Internet. Dark Angel was a member of Phalcon/Skism, one of the first gangs. More recent arrivals include NuKE and the Australia-based VLAD.

Most virus writers insist they do not mean to cause harm. VLAD members say it is against their group’s policy to infect others. “We just [print] them in the magazine,” said Qark, one of VLAD’s founders. “If someone gets infected, it was someone else who spread it, not us.”

But anti-virus experts say publishing these magazines is damaging enough. Virus collectors make copies from the magazines and post them on Internet sites where almost anyone can get them.

Assessing the Cost

The damage viruses cause is real, and it can be costly to repair. Three years ago, Rockwell International Corp. in Seal Beach was struck by a virus that had been carried by disks from a business partner in Switzerland.

Although the virus did not delete data or destroy disks, it did clog computers and took months to eradicate. Rockwell estimated that the cleanup cost $44,000, including hundreds of hours spent by technicians or lost by workers.

On Monday, NCSA plans to announce the results of a recent survey of 300 large companies. It will show that all but six had been infected by a computer virus in the last two years. One in eight had experienced a disaster--defined as when more than 25 computers are infected simultaneously--during the first two months of 1996.

Writing viruses is illegal in some countries, such as England. That’s not true in the United States, although it is against the law to infect others’ computers with them. Only one person has been convicted of a virus-related crime: a Cornell University graduate student who infected government computers in 1988. Robert T. Morris was charged under a 1986 law that made it a felony to break into a federal computer network. He was fined $10,000 and ordered to do 400 hours of community service.

Even if laws were tougher, tracking down virus writers would still be nearly impossible. So instead of stopping writers, it falls upon researchers like Wells to figure out ways to stop their viruses.

“I don’t have any respect at all for virus writers,” he said. “They’re taking a weapon you can’t aim and firing it.”

Virus Scares

One of the more controversial aspects of the virus world is the uneasy interdependence between virus writers and the companies that make millions of dollars selling anti-virus software.

Some virus writers like nothing more than the challenge of creating new ways of avoiding detection. And they find it almost as delightful when their virus achieves the recognition of being added to the list of suspects that popular scanners are programmed to detect.

For the companies, nothing boosts sales like a virus scare. Some say no one took advantage of that better than John McAfee, founder of the largest such software company.

McAfee, who has since left the Santa Clara-based company that bears his name, was criticized in 1992 for hyping the notorious Michelangelo virus. He was widely quoted as saying that the virus, which erases computer data on the March 6 anniversary of the artist’s birth, might affect as many as 5 million computers.

Michelangelo turned out to be a dud, infecting at most a few thousand PCs worldwide. But sales of anti-virus software soared. McAfee’s company benefited more than most, and today the company estimates that it controls about 68% of the anti-virus software market.

Just a few weeks ago, the company was again using Michelangelo in its marketing, and alluding to the latest big scare. “Survived Michelangelo yesterday?” asked a full-page ad in the New York Times on March 7. “You might not dodge Word Macro Virus tomorrow.”

The Word Macro Virus, which attaches itself to tiny programs embedded in Microsoft Word documents, is one of the few viruses that appears to be living up to its hype. It first appeared in August, but already has been spotted by 22 of Wells’ 37 spies in more than a dozen countries.

Nevertheless, it will probably be contained soon, experts say, in largely the same way other viruses have been stamped out.

When a new virus appears, experts disassemble it and look for a short strand of code--an electronic signature--that is unique to it. The signature is then added to a burgeoning list that anti-virus programs are designed to detect.
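The signature process just described, as an added toy illustration (not code from the article, Wells, or any vendor): a "signature" is the first short byte window of the sample that occurs in none of a set of known-clean programs, and a scanner then checks files for that window. All file contents are constructed stand-ins, not real virus code.

```python
"""Toy signature extraction and scanning, illustrating how anti-virus
vendors pick a byte string unique to a sample and add it to a detection
list. Added example with constructed data only."""
from typing import Optional

# Constructed "clean" program contents (stand-ins for uninfected files).
CLEAN_FILES = {
    "editor.exe": b"MZ\x90\x00push bp; mov bp,sp; call editor_main; ret",
    "game.exe": b"MZ\x90\x00push bp; mov bp,sp; call game_main; ret",
}

# Constructed "virus" sample: the same ordinary prologue as the clean
# files, followed by a distinctive routine of its own.
VIRUS_SAMPLE = b"MZ\x90\x00push bp; mov bp,sp; call infect_next; int 21h; ret"


def extract_signature(sample: bytes, clean: dict, length: int = 8) -> Optional[bytes]:
    """Slide a window over the sample and return the first `length`-byte
    window found in none of the clean files. Returns None when every window
    is shared with clean code, i.e. no usable signature exists at this length
    (a real analyst would then disassemble further or lengthen the window)."""
    for i in range(len(sample) - length + 1):
        window = sample[i:i + length]
        if not any(window in body for body in clean.values()):
            return window
    return None


def scan(body: bytes, signatures: dict) -> list:
    """Return the names of every signature whose byte pattern appears in body."""
    return [name for name, sig in signatures.items() if sig in body]


def build_and_scan():
    """Extract a signature, then scan one infected and one clean file."""
    sig = extract_signature(VIRUS_SAMPLE, CLEAN_FILES)
    signatures = {"Constructed.Sample": sig}
    # Infected file: a clean program with the sample's code appended after
    # the header, the way a file infector tacks itself onto a host.
    infected = CLEAN_FILES["game.exe"] + VIRUS_SAMPLE[4:]
    return sig, scan(infected, signatures), scan(CLEAN_FILES["editor.exe"], signatures)


if __name__ == "__main__":
    print(build_and_scan())
```

The shared prologue is skipped because it also appears in clean files; a window is only accepted once it is unique to the sample, which is why false positives on clean programs stay at zero here.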

Building Up Immunity

Wells is among the best in the business at disassembling viruses. A wiry man with a thin mustache, he is regarded as a sort of industry librarian, a free-lance researcher with an encyclopedic knowledge of nearly every virus ever discovered.

He stumbled into his career in much the same way many virus writers get their start. He had held a variety of jobs, but computers always had appealed to his expansive curiosity. In his spare time, he taught himself programming and dreamed up ways to turn his avocation into a career.

In 1989, at a computer show in Santa Barbara, he was talking with an exhibitor about the then-novel subject of viruses. The man said he had caught a virus in his Northern California computer store. Wells persuaded him to send him a copy. A few weeks later, a floppy disk arrived in the mail, carrying a strain of Jerusalem.

“I disassembled it to see what the code looked like, played with it, tested it, just sort of watched it,” said Wells, a father of four.

For the last 18 months, he has been working on what he considers the most promising plan to confront the threat posed by the Internet. At IBM’s virus lab in Hawthorne, N.Y., he and a handful of other researchers are developing what they hope will be the electronic equivalent of the human immune system.

“My body can recognize the measles, chickenpox and all the things I got when I was a kid,” said Jeff Kephart, manager of anti-virus science at IBM. “But there are a whole bunch of colds I haven’t gotten yet. When I do, my immune system will say this is something new and start adapting itself. In a few days it will know what this thing is and kill it.”

The computer immune system will work in a similar way, only faster, he said. When a computer encounters something that isn’t on the list of known viruses, but nevertheless behaves like one, it will ship off a sample of the contagion across the Internet to IBM’s lab, where it will undergo a battery of tests.

In minutes, the virus will be replicated and disassembled until a signature is extracted and a cure developed. The antidote will then be sent to the infected machine.

“We can even do better than the real biological system,” Kephart said. “Having developed a cure, we can send it to other computers” before they have been infected.

Wells is a bit more restrained: “I don’t know if it’s the ultimate answer,” he said. “But it’s an answer.”

Over the last seven years, Wells has watched viruses evolve in thousands of ways. He has seen them try to hide behind dummy files to avoid detection, wrap themselves in layers of encryption, and mutate wildly so that experts can’t zero in on a single signature.

Wells has grown skeptical that viruses will ever be eradicated, and has come to believe that their future can be seen in the history of their biological counterparts.

“It used to be that penicillin would wipe viruses out, but now there are viruses that live off penicillin,” he said. “I suppose computer viruses will keep cropping up the same way. The game is far from over.”

(BEGIN TEXT OF INFOBOX / INFOGRAPHIC)

Fighting Viruses

Since computer viruses started appearing in the late 1980s, they have been held in check by monthly anti-virus software updates. But the Internet may spread viruses so fast that traditional protection may no longer work. Researchers at IBM hope to contain this threat with a defense modeled on the human immune system. How it works:

1. Warning the user: The software not only combats known viruses, but responds to any program that behaves like a virus--that is, those that multiply.

2. Seeking help: After the user is notified, copies of the suspicious files are sent over the Internet to IBM labs.

3. Identifying the culprit: The files are disassembled and exposed to expendable programs called “goats.” If there is a virus, an antidote is developed.

4. Curing and protecting: IBM sends the antidote back to the infected computer, and inoculates other nearby machines at risk.

Source: IBM

Researched by GREG MILLER / Los Angeles Times