Financial Daily from THE HINDU group of publications, Wednesday, Mar 03, 2004

Opinion - Viruses | Info-Tech - Insight

How to survive malware attacks

V. Sridhar
On February 1, the MyDoom virus launched a Distributed Denial of Service attack against the Web site of SCO (www.sco.com), the company that claimed that its intellectual property had been illegally included in the open source Linux operating system. Subsequently, a variant of MyDoom unleashed an attack against Microsoft's Web site. This is the first ever "social engineering"-based attack specifically targeted at a business entity. Though SCO tried desperately to save face, offering up to $250,000 to catch the creators, it lost its Web presence for a couple of days under the barrage of attacks. And just about four days ago, there was an outbreak of another virus, W32.Netsky.D@mm, on the Internet. This memory-resident worm uses its own SMTP engine to propagate via e-mail. Given the growing number of automated, malicious virus-based attacks, it is worth examining how the various stakeholders should respond to such incidents in the future.

Of late, Internet-based security attacks have increased considerably. According to CERT/CC, the Internet security research centre at Carnegie Mellon University, US, the number of security incidents reported rose to an alarming 1,37,529 in 2003 from 82,094 in 2002, and a mere 1,334 a decade ago! 2003 also marks the 20th anniversary of the first computer "virus", written by Fred Cohen as an experiment to be presented at a seminar on computer security. Since then, surreptitious "malware" (malicious software) such as Melissa, the Love Bug, Code Red, Nimda and, recently, Blaster has taken the Internet world by storm.

Seasoned system administrators still remember 5 p.m. US Eastern Standard Time on November 2, 1988, when the Morris worm, widely considered the first Internet-borne outbreak of malicious code, started propagating. The Code Red worm, released on July 19, 2001, affected more than 250,000 computer systems in less than nine hours.
The W32/Blaster worm attacked more than 7,000 computers within minutes of its release on Black Monday, August 11, 2003. In August 2003 alone, the economic damage due to W32/Blaster and its sequel SoBig exceeded $32 billion.

As soon as a virus is launched and starts infecting machines, an infected user hands the malicious code to an anti-virus company such as Symantec, producer of Norton anti-virus, which then comes up with a "signature" to protect machines against the spread of this virus and its variants. Most malware exploits a vulnerability exposed by sloppy code in some portion of the operating system. Perfect examples are Code Red, which used a vulnerability in Microsoft's Internet Information Server, and Blaster, which exploited a "buffer overflow" flaw in Microsoft Windows. Since more than 90 per cent of desktops run Windows operating systems, it is quite natural that most malware is written to attack Windows vulnerabilities. Soon after the virus is detected, the producer of the exploited software (in most cases, Microsoft) comes up with software patches to plug the vulnerability in the code.

The above chain of events affects three stakeholders: computer users like you and me, who bear the brunt of the damage caused by the virus; the operating system/software vendor, whose code has been penetrated; and the anti-virus and security service vendors, who produce interim solutions to prevent the spread of the virus. It is the responsibility of network administrators and users to install anti-virus updates and software patches to prevent future attacks. The sooner the signature gets deployed, the slower the spread of the virus. Most users are not security-aware and pay no attention to instructions from the network administrators until their machines get infected.
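To make the point about signature timing concrete, here is an added illustration that is not part of the original article: a small, deterministic mean-field model of a worm spreading through a fixed population of hosts, with an anti-virus signature that becomes available on a chosen day and is then rolled out gradually. The population size, contact rate, roll-out rate and the two signature days are assumed parameters chosen for illustration, not figures drawn from any real outbreak.

```python
"""Toy worm-propagation model: how signature deployment timing changes the peak.

Constructed illustration, not an analysis of any real outbreak. Hosts are in
one of three states: susceptible (unpatched, no signature), infected, or
protected (signature or patch installed). Contact rate and deployment rate are
assumed parameters, not measured values.
"""


def simulate(population, contact_rate, signature_day, deploy_rate, days):
    """Run a deterministic mean-field simulation and return (peak, history).

    population     total number of hosts
    contact_rate   infection attempts each infected host makes per day
    signature_day  day on which the anti-virus signature becomes available
    deploy_rate    fraction of remaining hosts that install the signature
                   each day once it is available
    days           number of days to simulate
    """
    susceptible = population - 1.0   # one seed host is infected at day 0
    infected = 1.0
    protected = 0.0
    peak = infected
    history = [infected]
    for day in range(1, days + 1):
        # Each infected host probes contact_rate hosts per day; only probes that
        # land on a still-susceptible host produce a new infection.
        new_infections = min(susceptible,
                             infected * contact_rate * susceptible / population)
        susceptible -= new_infections
        infected += new_infections
        if day >= signature_day:
            # Signature roll-out: susceptible hosts that install it are
            # immunised, infected hosts that install it are cleaned. Both
            # move to the protected pool and play no further part.
            immunised = susceptible * deploy_rate
            cleaned = infected * deploy_rate
            susceptible -= immunised
            infected -= cleaned
            protected += immunised + cleaned
        peak = max(peak, infected)
        history.append(infected)
    return peak, history


def compare_deployment(early_day, late_day, population=10_000, contact_rate=1.0,
                       deploy_rate=0.3, days=30):
    """Peak infected-host count when the signature ships early versus late."""
    early_peak, _ = simulate(population, contact_rate, early_day, deploy_rate, days)
    late_peak, _ = simulate(population, contact_rate, late_day, deploy_rate, days)
    return {"early_peak": early_peak, "late_peak": late_peak}


if __name__ == "__main__":
    result = compare_deployment(early_day=3, late_day=12)
    for label, peak in result.items():
        print(f"{label}: {peak:,.0f} hosts infected at peak")
```

With the assumed parameters the infection roughly doubles each day until the signature lands, so a signature available on day 3 caps the outbreak at a handful of hosts, while the same signature arriving on day 12 lets it reach thousands before the roll-out catches up; with no signature at all the whole population is eventually infected. The model is deliberately simple (no network topology, no partial patching) but it captures why administrators who deploy updates promptly see a smaller peak than those who wait.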
The common technique used by virus creators is "social engineering", where the user is tempted to open e-mails and attachments with snazzy promotional promises and invitations. Users must therefore be trained and persuaded not to open such suspicious mail attachments, and to run anti-virus programmes periodically to prevent infection. On their part, the network administrators of the organisation need to keep abreast of security incidents, signature updates and software patches by tuning in to security alerts and advisories from organisations such as CERT/CC.

While it is impossible to produce software that is totally error-free and reliable, poor software engineering practices and the scramble to release code on time under market pressure have led to this alarming situation. In the third quarter of 2003 alone, 2,982 vulnerabilities were reported by CERT/CC. Even while Microsoft withstood the onslaught of MyDoom, it announced on February 10 a major vulnerability in its Windows operating system that could allow hackers to break into personal computers and snoop on sensitive data. By giving priority to "ease of use", Microsoft has left security holes in its operating system.

While Microsoft protects its operating system as its intellectual property, the movement towards "security through transparency" is gaining attention with the widespread deployment of open source software. The term "open source" refers to code that is open to the public. Open source products are available free or at minimal cost. Security experts tend to agree that computers are less prone to hacking and viruses when running open source software such as Linux and the Apache Web server. Since the source code is open, vulnerabilities are often detected by the millions of user groups that work with open source software, and solutions are devised immediately to plug them.
Even though network administrators still find Linux or Unix more complicated to administer and maintain than Windows 2000/NT, a move towards running essential services on non-Windows platforms reduces the vulnerability of at least the organisation's servers. It is also time software developers and code-writers took responsibility for their code and adopted good software engineering practices to build robust systems.

Security product vendors are the ones who have been having the last laugh! It has become almost mandatory for all organisations to deploy firewalls to prevent intrusions, intrusion detection systems to recognise possible security threats, and anti-virus programmes to detect and clean viruses and worms. Security product companies such as Symantec, McAfee and Trend Micro have benefited a lot, thanks to malware. But cash-strapped organisations that cannot afford the very expensive security software solutions from these companies should actively consider the open source freeware products available. For example, Astaro or Portus (http://www.opensourcefirewall.com) for a firewall, and Snort (http://www.snort.org) for intrusion detection, are possible open-source products to look at. Even anti-virus solutions, so far available only for a price, have drawn the attention of the open-source community through the open anti-virus project (http://www.openantivirus.org).

Given the noted vulnerabilities in its operating system code, Microsoft is expected to do more than just release patches. Its recent announcement that it will bundle the Internet Connection Firewall with the forthcoming Service Pack 2 for Windows XP, due to hit the market in the second quarter of 2004, is a move in this direction. Thus, each machine running the Windows XP operating system will be protected by its own built-in host-based firewall. This is expected to end the golden era enjoyed by the security product vendors.
Unless the three stakeholders co-operate, take responsibility for their products and services, and adopt a systemic approach to finding solutions, they will continue to be at the mercy of malware.

(The author is Professor, Information Management Area, Management Development Institute, Gurgaon. Feedback can be sent to: sridhar@mdi.ac.in)
Copyright © 2004, The Hindu Business Line. Republication or redissemination of the contents of this screen is expressly prohibited without the written consent of The Hindu Business Line.