Year 2000 viruses proved to be as impotent as the infamous Y2K bug itself. As the long-anticipated date approached, fears grew that hackers would take advantage of the millennium to launch new attacks. But it didn't happen, and Charles Rutstein, an analyst at Forrester Research in Massachusetts, is not surprised.
"We have been saying for the last six months that the millennium would be a complete non-event as far as viruses are concerned," Rutstein says.
He cites two reasons for this. "First of all, most virus writers had better things to do on New Year's Eve than to sit around and watch their creations take life. Secondly, even though the propagation rate for new viruses is much faster than before, the notion that any virus writer could time a virus outbreak to occur exactly on the eve of Y2K is ludicrous."
The worst problems came from malicious code that took advantage of year 2000 fears.
"Some of our biggest challenges came from people springing Y2K hoaxes," says Don Jones, director of Y2K readiness at Microsoft. "There was one that claimed to be from Microsoft Support.com, and another claimed to be from Bill Gates."
Although the year 2000 did not bring the expected onslaught of viruses, today's proliferation of computer viruses has been ushered in by technical innovations such as the Internet, which have created infinite opportunities for unsuspecting technology users to be thwarted.
So even though January 1, 2000 came and went without much incident on the virus front, IT managers will need to be ever more vigilant about protecting their companies from a business-halting virus outbreak as the new millennium brings increased dependence on the Web and interconnectivity of networks.
A hacker's dream
Imagine an exploding population of homogeneous organisms, with each one able to initiate intimate contact with any other. Add a small group of wily predators who love to tinker with the forces of nature, and the stage is set for artificially induced epidemics.
This describes exactly the present state of affairs in information systems, and the increased vulnerability to viruses and malicious code, according to Carey Nachenberg, chief researcher at Symantec's antivirus research centre in California.
"It is very different from anything we have seen before," Nachenberg says. "For the first time, we have a computing monoculture. Monocultures in the natural world are extremely vulnerable to pests such as viruses."
The same is true, he adds, in the not-so-natural world of computing.
"By the end of last year, there were more than 200 million PCs connected to the Internet," Nachenberg says. "Ninety per cent of these are Windows machines running the same applications, such as Word, Microsoft Exchange, and Excel."
The reasons for concern do not stop there. Not only do the unscrupulous have a bigger field to play in, they also have tools that are easier to use and potentially more dangerous.
"The advent of macro and script viruses -- viruses written in macro languages such as Word Macro and VBScript -- makes it fairly easy to write new ones," says Vincent Gulotto, director of Avert, the emergency response team at Network Associates (NAI) in California.
ActiveX and Java add to this problem, says Sal Viveros, group marketing manager for total virus defence at NAI.
"This is mobile code. As it becomes easier to use, we will see more mobile virus code," Viveros says, adding that this kind of mobile virus code is particularly scary because it can be activated simply by surfing to a Web site.
Most analysts and users agree that it is only a matter of time before the invasion of the bad applets begins.
Don't panic . . . yet
Antivirus software vendors such as Symantec and NAI enjoy a steady revenue from selling protection from just these kinds of threats, so IT professionals must take such warnings with healthy scepticism. However, analysts tend to support all of the above concerns. And while they, too, stress the need for calm, they also caution against complacency.
"When macro viruses first came on the scene, most viruses were still written in assembly language or machine code," says Roger Thompson, technical director of malicious code research at ICSA, a computer security research company in Virginia. "And they were spread by physically transporting infected floppies from one machine to another. In those days, we recommended that you upgrade your antivirus software every two to three months."
Now it can be as often as every few hours.
"Antivirus software that automatically updates itself makes sense in the present environment," says Ron Krantz, chief IT architect at Niagara Mohawk Power in New York. "Vendors like Anti-Virus Pro offer four or five fixes a day."
This may sound a little extreme to IT managers who support thousands of clients, and Krantz emphasises that businesses need to find the right balance when implementing an antivirus solution.
"Rarely will you need to get updates that often," Krantz says. "The vendors are already very quick to get fixes out to everyone when a new virus appears. So daily updates will matter only if you are the unfortunate one to get hit first."
Another factor, according to Krantz, is resource allocation. In other words, productivity lost from constant software upgrades can easily be greater than the productivity lost from a new virus.
"It takes time to download the new fixes to each desktop," Krantz says.
No-hands attack strategy
Two of the biggest antivirus vendors, NAI and Symantec, are scrambling to make their antivirus code smart enough to automatically upgrade only when necessary. This method has yet to be proven, but if successful, it could give network managers a little more breathing room.
Antivirus software operates by scanning for a match with a signature file. These signatures are the fingerprints that identify malicious code. Signature scanning technology is mature, and the software is now quite effective. But no matter how good the software is, it can't finger a new virus unless the signature of that virus is known and filed in a repository.
"Today, it is entirely possible that a virus which surfaced for the first time in Malaysia could show up on your desktop the very next day," Forrester's Rutstein says.
This is why NAI and Symantec are working to completely automate the process of providing signature updates. NAI calls it the AutoImmune system, and Symantec has its Digital Immune system. Neither is fully functional yet, but both employ heuristic technology to identify suspicious code.
"Think of it like this: if you see someone walking down your street wearing a mask and carrying an automatic weapon, you might get suspicious," Symantec's Nachenberg says. "Our heuristic software is designed to recognise suspicious code."
Once that code is identified, the software will automatically send a copy to the vendors' labs. The code is analysed, and if it is indeed malicious, experts will create both a signature file and a fix. These will then be sent via the Internet as automatic upgrades.
Batten down the hatches
Whether these solutions will really offer users the security they promise remains to be seen. Meanwhile, IT managers struggle to make do.
"We are considering doing virus scanning on all incoming e-mail," Krantz says, but he adds that there are some major problems with implementing such a solution.
"It is expensive, it creates a bottleneck at the mail server, and it isn't clear that such a scan will be all that effective," Krantz says.
This last concern is a direct consequence of the new methods employed by hackers.
"We aren't just scanning for binary code inside an executable anymore," Krantz says. "The bad code could be hidden in a password-protected Zip file or encrypted in SMIME [Secure MIME]. These are things we can't even scan."
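The limit Krantz describes, as an added example (not code from the article or from any vendor it names): a gateway-style signature scan over a mail's attachments that reports the parts it cannot inspect instead of passing them as clean. The signature, the sample mail and all function names are constructed for illustration, and every S/MIME body is assumed to be opaque to the gateway.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Constructed signature database (name -> byte pattern); not real malware signatures.
SIGNATURES = {"Constructed.TestSig.A": b"CONSTRUCTED-TEST-PATTERN-0001"}
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def scan_bytes(data):
    """Signature scan: name of the first known pattern found in data, else None."""
    return next((n for n, p in SIGNATURES.items() if p in data), None)

def scan_part(content_type, data):
    """Return (verdict, detail); verdict is 'match', 'clean' or 'unscannable'."""
    if content_type in SMIME_TYPES:  # assumption: every S/MIME body is treated as opaque
        return "unscannable", "S/MIME body"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                    return "unscannable", "encrypted entry " + info.filename
                hit = scan_bytes(zf.read(info))
                if hit:
                    return "match", hit + " in " + info.filename
        return "clean", ""
    hit = scan_bytes(data)
    return ("match", hit) if hit else ("clean", "")

def scan_message(raw):
    """Scan each leaf MIME part; returns [(content_type, verdict, detail), ...]."""
    parts = [p for p in message_from_bytes(raw).walk() if not p.is_multipart()]
    return [(p.get_content_type(),) + scan_part(p.get_content_type(),
            p.get_payload(decode=True) or b"") for p in parts]

def constructed_message():
    """Constructed sample mail: a plain ZIP, the same ZIP flagged encrypted, an S/MIME blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"xx" + SIGNATURES["Constructed.TestSig.A"])
    plain = buf.getvalue()
    locked = bytearray(plain)
    locked[plain.rfind(b"PK\x01\x02") + 8] |= 0x1  # set encryption bit in central directory
    msg = EmailMessage()
    msg.set_content("see attached")
    for name, sub, body in (("a.zip", "zip", plain), ("b.zip", "zip", bytes(locked)),
                            ("smime.p7m", "pkcs7-mime", b"\x30\x80")):
        msg.add_attachment(body, maintype="application", subtype=sub, filename=name)
    return msg.as_bytes()
```

The same archive bytes produce a match when readable and only an "unscannable" verdict once the entry is marked encrypted, so a mail policy has to decide separately what to do with parts in that third state.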
So as new applications and systems continue to open doors for hackers, and the interconnected Internet landscape expands, IT managers will have to keep closer watch over their growing networks in the coming years. At the same time, IT can count on antivirus vendors to work on fighting the latest exploits.