System Alert: You've Got...Worms
As anyone who has an e-mail account knows, the past few weeks have seen unprecedented virus attacks on computers around the world. With names like Sobig, Blaster, and Welchia, these viruses are the bane of many an IT department -- not to mention an "I-was-here" calling card for their nose-thumbing authors. No longer confined to e-mail attachments, the latest worms can spread through the Internet, wreaking havoc as they take advantage of vulnerabilities in exposed computers. A company's entire network can be brought to its knees in minutes -- and many recently were -- as infected machines become mass-mailers that cause the virtual equivalent of clogged arteries.
Was the recent spate of attacks just more of the same -- or are virus writers beginning to infect computers with other gains in mind? Experts at Wharton and elsewhere weigh in on possible motives, what businesses should do to protect themselves -- and which industry sectors stand to gain from the chaos.
Malicious Code or Marketing Tactic?
Some media reports suggest that a few of the present crop of viruses differ from those that infected computer systems in the past. One difference, they say, is that these bugs can capture e-mail addresses as well as IP addresses "that can later be used to generate massive amounts of spam." How real is that concern? While it's tempting to wonder whether the latest viruses are being unleashed with a profit motive -- and the goal of using computers to send spam -- most people agree that it's unlikely.
"The haxors [a term derived from "elite hacker"] and 'script kiddies' who write viruses actually hate spammers," notes Dan Hunter, a professor of legal studies at Wharton. "It doesn't seem likely that they would get into bed together. The recent big viruses have been e-mail viruses because it's easy to exploit -- since Microsoft Outlook is so pervasive and so buggy -- and they cause huge problems. Most people run some type of mail client, as exploited by Sobig; quite a few people run SQL Server, as exploited by Slammer. This explains the pervasiveness of mail viruses better than the idea of a grand conspiracy of spammers."
What's more, says Hunter, it's not worth the grief: "Viruses are clearly illegal in many jurisdictions, whereas spam isn't. Why would a spammer, or a conspiracy of spam enablers, subject herself to criminal prosecution when it's unnecessary?"
Chris Belthoff, senior security analyst in the U.S. office of Sophos, a U.K.-based anti-virus protection firm, has seen no direct evidence that new spam messages have been sent from infected machines. However, he notes, it's not impossible. "The author of the most recent Sobig virus variant almost certainly used some heavy-duty spamming techniques to initially distribute the virus, which is the main reason it caused so many problems. While there is no hard proof that e-mail addresses are being harvested with recent viruses, it is certainly possible to do so on an infected system with some fairly simple techniques."
Due to the nature of e-mail addresses, moreover, it would be difficult to follow a money trail even if it did exist. "Since this pure information product can be gathered, sold, and used without ever taking on physical form like a CD or printout of names, it's very difficult to track who's profiting from it," says David Croson, visiting professor of management science at MIT's Sloan School of Management.
Stay Current or Else
While estimates of the exact economic impact of viruses vary widely, just about everyone agrees that the costs to business are substantial. So what should firms do to protect themselves from a virtual blackout? "Companies not only need to ensure virus protection is in place on every single system (especially remote and mobile systems) but that virus protection programs on these systems are kept up-to-date with automated methods," says Belthoff.
Patches -- software fixes that close holes in programs -- need to be applied regularly, he adds. "Security policies for all companies need to include detailed steps on identifying new vulnerabilities, quickly testing available patches, and deploying them." A third consideration is end users: "IT departments should feel compelled to either directly lead or heavily influence end-user training for security issues, getting the end users to be more security-aware," says Belthoff.
Wharton chief information officer Gerry McCartney notes that security needs to be an organization-wide endeavor. "If all the energy is put into guarding the perimeters of the organization -- but people inside don't feel the need to be vigilant -- then large-scale bad things can happen if the perimeter security is broken. Organizations need to be vigilant in terms of keeping their machines fully patched and acting quickly and decisively to remove infected machines from their network, no matter who they belong to or what they do."
Shuttering the Windows
Since most viruses target Microsoft programs, the obvious question in many an IT manager's mind is: Is it wiser to switch to another system, such as Macintosh or Linux?
Hunter believes that for some firms, going the non-Windows route could make sense. "I think that some businesses will look to other platforms and factor virus costs into their IT departments. Linux and Mac -- which of course uses UNIX -- are inherently more stable than Windows, and the security on the applications tends to be better. They are also, because of their low user base, a much less attractive target for virus writers. As a result I'm sure there are some places that are looking at their total computing infrastructure costs and realizing that migrating to another operating system is going to be cheaper in the long run than maintaining Windows. Microsoft has been trying to push its 'trustworthy computing' initiative, one major component of which is resistance to viruses. Recent events haven't helped their position."
Croson points out, however, that viruses would probably go wherever the users are. "Remember, Windows is a target of opportunity because (a) it's popular, so the fixed cost of writing a worm to attack it can be spread over a lot of computers that it could infect, and (b) users of the Windows OS are, on average, less sophisticated than, say, Linux users. If the majority of systems -- especially those run by novice users, who don't really understand operating systems or security -- were Mac, then the worms would attack Macs. Thinking about the supply-side incentives for people to produce viruses will give us more insight into how to defend against them, by learning how to automatically defend against prosaic 'script-kiddie' viruses and making it not worthwhile to create really clever ones."
In addition, the costs of switching are not insignificant, cautions Belthoff. "Migration to Linux or Mac from Windows may appear attractive at first glance to someone dealing with a major virus infection and cleanup tasks. However, migration costs are sometimes more than they initially appear, particularly with Linux. The cost of the operating system is only one of several cost factors. Others are initial deployment, training or hiring of proper IT personnel, maintenance, and migration of applications to the new platform."
Besides, migrating isn't a cure-all, he adds. "It is important to note that, although Mac and Linux systems were not 'infectable' directly from Sobig.f, users of these platforms could suffer just as much as Windows users from all the resulting e-mail bounce backs and undeliverable returns caused by the worm. From that perspective, you couldn't hide from Sobig by being on Mac or Linux."
Place Your Bets
Not surprisingly, one firm's infection is another's profit opportunity, and several players are emerging to take advantage of it. "The big winners will be data security vendors," says McCartney. "Between people's concerns about what and how personal data is stored and available and these continuous security compromises, there is a strong argument to be made that most places are not yet doing enough to protect their data assets."
Anti-virus vendors and intrusion prevention firms aren't the only gainers, adds Belthoff. "There is also increased interest on the part of organizations in performing some form of 'lockdown' on the end-user desktop, which would drive increased interest in personal firewall and content filtering vendors." Established players like Norton and Symantec, notes Hunter, may be joined by new entrants in such niches as plug-ins for mail clients. Alternative platforms will likely tout their superiority, too: "Apple and the Linux-purveyors will probably use this as a marketing benefit. Why wouldn't they?"