Don't you hate it when doom prophets are vindicated? Well, they were right this time about how sophisticated viruses are becoming, and about how pitifully vulnerable we are.
It seems like a really long time since MyDoom got into the global network and almost brought it to its knees. And now, with news of its successors piling into the gaping holes it left, the cynics (myself among them) are for once quiet.
There's a good reason for that. It seems suddenly meaningless to point out that many companies make a lot of money out of scaring their customers with emotively worded cautionaries about the extent of their exposure.
Clever and sneaky
So now that we're all paying attention - how sophisticated are viruses really today? Judging from the MyDoom.A worm, pretty damn sophisticated.
I think the main reason for its virulence is not the cleverness of the bearer-mail content (including genuine-looking failed-delivery server responses), nor is it the hidden intent of its clever attachments, nor the fact that it has its own mail engine. It got itself in everywhere because of the sheer variety of ways in which it presented itself. Cause and symptom e-mails abounded in merry confusion.
How to keep up with such obfuscation and variety? Suddenly, common sense, for years my first weapon against viruses, seemed a puny arsenal, and grudgingly, I decided I would have to rely even more religiously on technology to safeguard my machine.
But not that clever
Carel Alberts, Journalist, ITWeb
MyDoom isn't really that clever, though. For one thing, its follow-ups could have been a lot more virulent if they had better spreading techniques, such as an SMTP engine of their own (like their predecessor). Also, the C variety, which re-infected machines infected by the A variety, does not open a backdoor, security commentators have noted.
So clearly the guy who is causing all the mayhem (there's evidence that all variants are from the same creator) either doesn't care much for coding best practices, though he's obviously a pro, or he's a pro who hasn't even begun to flex his coding muscle, since he doesn't yet need to. It's a scary thought, being taken by someone who isn't even trying.
One hint about his career-coder status came in the form of some numbering in the virus code, which appears to "version" the program. The creator also left the name "andy" in the source code, which is the behaviour of someone checking in source code, which in turn points to his professionalism, according to Network Associates.
It's just us, then
So the real conclusion to be drawn from the fantastic success of this virus is not that it's so clever, but that, as usual, the world has been caught napping. They opened stuff, they ignored firewall warnings or switched them off, they forgot to update their anti-virus software; in short, they behaved as foolhardily as ever.
The truly stupid thing is that to be infected with MyDoom, you still have to open an attachment. Not go to some cleverly spoofed Web site, not through a mail preview pane, not through malicious code. Why do we get caught time and again by the same trick?
What are we to do?
So what have we learned from all this? That it's only the beginning and we're doomed? That we're double-doomed, because the attacks are nowhere near as sophisticated yet as they could be?
It's not my intention to sow more gloom and frustration than is necessary - on the contrary, this means there is lots of room for improvement in users' security behaviour, which, I suppose, is a good omen. So perhaps, like the father said in To Kill A Mockingbird, it's not time to worry yet.
But do bear this in mind: where MyDoom.B failed in attacking Microsoft because of a coding error that allowed only a small proportion of infected machines to launch an attack at any one time, MyDoom.C has no such problems. It got easily into A-infected PCs, not via e-mail, but by listening for an open port backdoor, left open by A, and should start hitting Microsoft and SCO today.
Infection with C leaves a PC powerless against instructions by the attacker to launch distributed, zombie-like attacks. SCO's Web site has been down and out for stretches because of the A version, but these attacks on it are scheduled to run out today as well. C, however, has no end date.
That is another obviously attractive coding improvement over many viruses that have gone before. And its possibilities are dire, for Microsoft, SCO and the rest of us, caught eyes wide shut in the midst of an escalating security crisis.
But as they say, remove any possible A infection, keep an eye out and read all you can about security, since this is just the beginning.