For computer security experts, 2003 started with the Slammer Internet worm and went downhill from there. The year, which included four major worm and virus outbreaks just in August, has been labeled the “year of the worm” and “the worst year ever” by more than one computer security expert.
All that activity meant good news for antivirus software companies, such as Symantec Corp. It was bad news for organizations of all kinds, which expended precious resources disinfecting everything from desktop workstations, to airline reservation systems and automated teller machine (ATM) networks that were hobbled by virus outbreaks.
Will 2004 bring more of the same, or will it be remembered as the year in which Internet users “took back the streets” from virus writers, malicious hackers and spammers? A little bit of both, say corporate security experts and computer virus specialists.
When it comes to computer viruses and worms, Internet users will not see any letup in virus outbreaks in 2004, despite high-profile prosecutions of some virus authors and a Microsoft Corp. bounty on the head of the original authors of the Blaster and Sobig viruses, according to Chris Belthoff, senior security analyst at Sophos PLC.
Prosecutions and bounties do not prevent crime in the physical world, and should not be expected to work any better online, Belthoff said. Such programs also misunderstand the motivation of virus writers, who are often looking for attention and recognition, rather than financial gain, he said.
The threat of a so-called “zero day attack,” in which a virus or worm exploits an unknown and unpatched software vulnerability also looms as a worst-case scenario. A Blaster-style worm based on a zero day vulnerability could adversely affect computer networks and leave administrators with few options to protect network resources, he said.
Microsoft’s operating systems and products will continue to be targeted by hackers and virus writers in 2004, said Belthoff and others.
Security exploits relying on buffer overflows in Microsoft product code will still be the most common avenue of attack. Hackers are also exploring “internal” vulnerabilities in Windows, like the RPC (Remote Procedure Call) security holes that produced Blaster, as well as Microsoft’s .NET Web services framework, Internet Information Server Web server and Windows 2003 Server, one exploit writer, who uses the online handle “wirepair,” told the IDG News Service via e-mail.
The wealth of new, unexplored code for.NET makes it fertile ground for hackers, agrees Mikko Hyppönen, director of antivirus research at antivirus company F-Secure Corp. in Helsinki.
“One thing that’s interesting about attacks in an environment like .NET is that a successful worm will hit multiple platforms: desktop (computers), laptops, as well as mobile phones and PDAs (personal digital assistants),” he said.
The year brought some small victories for law enforcement and for Internet service providers and corporations that were drowning in a flood of unsolicited commercial (“spam”) e-mail.
America Online Inc., EarthLink Inc. and others won big legal settlements against spammers. And in December, President Bush signed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. The new law imposes criminal penalties of up to a year in jail for common spamming practices like hacking into someone’s computer to send spam or setting up e-mail accounts using false information to send bulk spam.
But e-mail users shouldn’t expect to see a decrease in the amount of spam they receive, said Andrew Lochart , director of product marketing at Postini, Inc., Redwood City, California.
“The nature of the Internet (e-mail) protocols, especially SMTP (Simple Mail Transfer Protocol), makes it far too easy for dedicated spammers to hide themselves, and we’re seeing a lot of (spam) activity moving offshore, outside of U.S. jurisdiction,” he said.
Postini estimates that 80 percent of the one billion e-mail messages it processes each week are spam. The company believes that number might go as high as 90 percent by the end of 2004, Lochart said.
Spammers are also finding new ways around laws and antispam security measures, Belthoff said. For example, as free e-mail service providers and network administrators have clamped down on accounts and insecure servers used by spammers to send mail, they turned to computer viruses to create networks of zombie home computers that distribute their e-mail, he said. Sophos estimates that 30 percent of the spam its researchers see comes from IP addresses that belong to consumer machines. Two years ago, hardly any spam came from such sources, he said.
Incidents of online identity theft will also increase in 2004, spurred by a brisk, international market for stolen credit card numbers and personal identity information, according to security experts. Organized criminal groups in Russia and South Korea are using targeted, malicious hacking and so-called “phishing” Web sites to harvest information on thousands of online users, according to Richard Stiennon, research vice president at Gartner Inc.
But the security news in 2004 will not all be bad, experts agree. The next twelve months will find enterprises deploying more security technologies, more precisely and with fewer problems, Stiennon said. “It’s getting to the point where know what we need to do and there are good solutions out there, but now we have to execute,” he said.
Microsoft’s efforts to strengthen its operating systems’ security and products will also close a number of well-worm avenues for hackers and virus writers, Stiennon said. Those changes include a new version of the Internet Connection Firewall, now called the Windows Firewall, in Windows XP Service Pack 2 (SP2) that is on by default and changes to Windows’ implementation of RPC that will make it harder for attackers to exploit that service. Recent worms such as Blaster and Nachi used a security vulnerability in RPC to infect Windows machines.
Subsequent changes to Windows will integrate antivirus and content filtering technology with the operating system, making it easier for Windows users to block attacks, Stiennon said. A default firewall for the Windows desktop will be a marked improvement for many users, allowing them to spot virus and Trojan activity that otherwise goes unnoticed, said Bruce Hughes, director of malicious code research at TruSecure Corp. ICSA Labs
However, the seeds of change Microsoft plants in XP SP2 might take years to bear fruit, he said. “We’re still seeing viruses that use (Microsoft) Outlook address book vulnerabilities, and the cumulative patch for that came out two years ago,” Hughes said.
Finally, the 2004 Presidential election will continue to focus public and media attention on the security of embedded operating systems in everything from electronic voting kiosks to automated teller machines (ATMs) and SCADA (supervisory control and data acquisition) systems that run critical infrastructure, experts said.
Security flaws, the increasing use of embedded versions of Windows and the near-total dominance of the TCP/IP networking protocol make it likely that virus and worm outbreaks will affect private networks used by ATMs, utilities and other critical systems, even if those systems don’t run Windows, F-Secure’s Hyppönen said.
“In the old days, these systems used proprietary protocols that were immune to Internet worms. Now you have embedded systems connected via TCP/IP to corporate intranets and office systems. Internet worms like Blaster and Slammer, because they try every possible (Internet) address, will find these systems, which hackers would never find, and end up in places nobody imagined,” he said.
Such outbreaks have started to raise questions about the wisdom of creating homogenous populations of computers running Microsoft software, Stiennon said. “One thing that changed dramatically in 2003 was the world’s acceptance of the philosophy of ‘Microsoft everywhere’,” he said.