A client called me recently to tell me he thinks the current viruses "prove" me wrong about my previous thoughts about virus protection. I disagree -- if anything, the current crop of viruses reinforce my opinions that virus scanners are NOT the solution to the virus problem. First of all, let's look at a few of the recent viruses running around as I write this.
I lay the blame for this one right on Microsoft's front door. In their defense, they like to say that they had the fixes for this bug months before the virus was released. This is true. However, Microsoft has worked hard to earn the distrust of the "Update" process with their users. New updates bring "Enhanced" versions of programs, not just bug fixes. These new versions often have reports of "spyware" -- applications which report back to Microsoft what programs are installed on your system, what web sites you go to, what music you listen to, etc. Plus, there is always the risk of any update breaking a running system -- while Microsoft gets a lot of blame for this, this is a risk for any feature-adding update. There have been many reasons to distrust the Microsoft update process.
The bug blaster exploited should not have existed. The possibility of having a remote computer being able to influence your machine unsolicited should not have been possible on a consumer-oriented system (this is separate issue from the bug -- the feature shouldn't have been active, as a SECOND bug in the EXACT SAME FEATURE has proven. It is much like finding out a lock on the back door of your house is defective -- if you didn't even know there was a back door, why would you be watching the condition of its lock?).
The first call I got on this was the very morning it was released --
this virus spread fast and hard. The client that got it was running
Windows XP with a up-to-date virus scanner, however standard virus
scanners were useless against this kind of attack -- it just came in
via an unanticipated channel. Further, it came in so fast that
many people were infected before the updates were available.
SoBig.F is yet another in the SoBig virus series -- this one far more
successful and annoying than any of its predecessors, many of which were
also very annoying. The rate I was getting copies of this virus in my
e-mail was staggering; at its peak, I received 200 or more copies a day.
Considering each SoBig.F copy was
well over 100K in size, I received more than 20MB of garbage every day
to my mail server. Now, granted, I am a public persona on
the Internet, so I end up in a lot more people's address books than most
people do, but still -- this virus was a major problem for mail servers all
over the world.
Considering that most commercial e-mail services will not hold more than
5M to 10M of incoming e-mail, a lot of people had serious problems with this
This virus is very different from the Blaster worm -- in my mind, Microsoft gets virtually none of the blame on this one. This virus is very simple in concept -- it is an executable program that tried (a little) to not look like an executable. Ok, Microsoft Outlook was happy to help hide the type of file, Windows has a huge number of different file types which are directly executable, and the number of Outlook users makes a central store of e-mail addresses fairly easy to come by, but I'm going to give Microsoft a "pass" on this one -- I don't think they are the root problem here. (This is not a universal opinion -- one person who's opinion I respect considers the fact that Microsoft's Windows operating systems have very poor protection against users running programs just handed to them via e-mail a fatal flaw in the system design, however, any OS which prohibited that would be unacceptable to home and small business users).
I blame the users themselves on this one. For YEARS, people have been told "Don't click on attachments", and the long time bogus-advice of "Never click on something from someone you don't know!" (it really is bogus info until recently, as viruses always come from people you have already had e-mail contact with!), and yet...that is the only way SoBig.F spreads.
Mercifully, SoBig.F has an expiration date and time. On September 10, 2003 the virus just turned itself off. Why the SoBig author has done this with most of his or her work, no idea. Possibly, it is to "clear the decks" for the next version, or because he/she hates viruses as much as anyone, and didn't want to be dealing with the after effects of his/her own work.
A hardware firewall should be considered mandatory at this point in time. Unfortunately, most home Cable Internet providers frown on these devices, as they typically can be used to hook multiple computers to one service account. Tough. At this point in time, they would CLEARLY benefit from more of their users using these devices. Note that I have no respect for software "firewall" products. Most are too difficult for the user to properly configure (though they offer some interesting potential additional security benefit to those who DO know how to use them), and the idea of a Windows computer protecting itself doesn't sit well with me.
Microsoft just does not understand the most basic concepts of writing secure and reliable software. They have been pursuing two contradictory business philosophies: 1) Every computer should be attached to the Internet with e-mail and web access. 2) software should have as many neat and cool features as possible. This just doesn't work -- fact is, those neat and cool features are much of the REASON for Microsoft's horrible track record in the security business. The features are put in, and THEN there are attempts made to make them safe. NO. That can not work! Applications and features have to have security considerations thought of from the very beginning, not as a bolt-on afterthought.
The amount of time, money and effort spent cleaning up after Internet problems caused by inept users and bad software needs to be looked at, and hard decisions need to be made. The Internet can be seen as a playground, but a very dangerous playground -- with thugs, crooks and crazy drivers all over the place.
People have been clicking on stupid things in the work place, and the IT department mobilizes to fix the problem, the office suffers a productivity loss and more money and technology is thrown at the problem. The only thing that DOESN'T happen is the real problem doesn't get fixed: the user who did the stupid act doesn't have any reason to not do it again. As I commented in my last writing on this topic, we don't rely on technological solutions to bad and dangerous drivers -- we take the car away from them or we train them. The technological alternatives can't solve the problem -- that much should be clear now.
Macintosh and Linux users have been smugly saying, "Our systems are not vulnerable to these viruses!" These people are fools. Macintosh users are forgetting where the modern computer viruses started! For a number of years, while viruses were spreading like wildfire on Macintosh systems, some people argued that there was really no such thing as a virus on PC systems. While PC viruses are typically avoidable by common sense behavior issues, the early Macintosh basically required that the user use a virus scanner -- the viruses were unstoppable without one. As for Linux, just recently, someone floated a trojan program around for Linux systems which claimed to exploit a bug on the OpenSSH. In fact, it wasn't an actual exploit. It required the user to run it as root, and when run, it copied the system's password file and other critical info, and mailed it to a an e-mail address, where it could then be used to take over the user's computer. It wasn't a true virus, in that it didn't do anything to move from system to system, other than claim to have demonstrated a security exploit, and the Linux users then passed it around among themselves! The only reason viruses aren't spreading around on Macintosh and Linux systems at the rate they are on Windows systems is the market penetration that Windows has, and the glee people take in exploiting a Microsoft bug. It just isn't that hard to make a virus that spreads from user to user when something like 90% are using the same e-mail program. If Microsoft or their users ever get their act together, Linux and Macintosh users will quickly discover they are not immune from software bugs and "stupid user syndrome".
Holland Consulting home
Contact Holland Consulting
since September 23, 2003
Copyright 2003, Nick Holland, Holland Consulting