Mikko Hypponen, the director of antivirus research at F-Secure, a computer security company. "The code is high quality. It's been tested well. It really works in the real world." By the time the latest variant, Sobig.F, appeared in August, the worm was programmed to install a back door that would allow the author to assume control of the victim's computer. To what purpose? Experts say its author has used the captured machines to send spam and might also be stealing financial information from the victims' computers.
No one has any clue who wrote Sobig. The writers of this new class of worm leave none of the traces of their identities that mal-ware authors traditionally include in their code, like their screen names or "greetz," shout-out hellos to their cyberfriends. Because criminal authors actively spread their creations, they are cautious about tipping their hand. "The FBI is out for the Sobig guy with both claws, and they want to make an example of him," David Perry notes. "He's not going to mouth off." Dunham of iDefense says his online research has turned up "anecdotal evidence" that the Sobig author comes from Russia or elsewhere in Europe. Others suspect China or other parts of Asia. It seems unlikely that Sobig came from the United States, because American police forces have been the most proactive of any worldwide in hunting those who spread malware. Many experts believe the Sobig author will release a new variant sometime this year.
Sobig was not alone. A variant of the Mimail worm, which appeared last spring, would install a fake popup screen on a computer pretending to be from PayPal, an online e-commerce firm. It would claim that PayPal had lost the victim's credit card or banking details and ask him to type it in again. When he did, the worm would forward the information to the worm's still-unknown author. Another worm, called Bugbear.B, was programmed to employ sophisticated password-guessing strategies at banks and brokerages to steal personal information. "It was specifically designed to target financial institutions," said Vincent Weafer, senior director of Symantec.
The era of the stealth worm is upon us. None of these pieces of malware were destructive or designed to cripple the Internet with too much traffic. On the contrary, they were designed to be unobtrusive, to slip into the background, the better to secretly harvest data. Five years ago, the biggest danger was the "Chernobyl" virus, which deleted your hard drive. But the prevalence of hard-drive-destroying viruses has steadily declined to almost zero. Malware authors have learned a lesson that biologists have long known: the best way for a virus to spread is to ensure its host remains alive.
"It's like comparing Ebola to AIDS," says Joe Wells, an antivirus researcher and founder of Wild-Lists, a long-established virus-tracking group. "They both do the same thing. Except one does it in three days, and the other lingers and lingers and lingers. But which is worse? The ones that linger are the ones that spread the most." In essence, the long years of experimentation have served as a sort of Darwinian evolutionary contest in which virus writers have gradually figured out the best strategies for survival.
Given the pace of virus development, we are probably going to see even nastier criminal attacks in the future. Some academics have predicted the rise of "cryptoviruses"-malware that invades your computer and encrypts all your files, making them unreadable. "The only way to get the data back will be to pay a ransom," says Stuart Schechter, a doctoral candidate in computer security at Harvard. (One night on a discussion board I stumbled across a few virus writers casually discussing this very concept.) Antivirus companies are writing research papers that worry about the rising threat of "metamorphic" worms-ones that can shift their shapes so radically that antivirus companies cannot recognize they're a piece of malware. Some experimental metamorphic code has been published by ZOmbie, a reclusive Russian member of the 29A virus-writing group. And mobile-phone viruses are probably also only a few years away. A phone virus could secretly place 3 a.m. calls to a toll number, sticking you with thousand-dollar charges that the virus's author would collect. Or it could drown 911 in phantom calls. As Marty Lindner, a cybersecurity expert at CERT/CC, a federally financed computer research center, puts it, "The sky's the limit."
The profusion of viruses has even become a national-security issue. Government officials worry that terrorists could easily launch viruses that cripple American telecommunications, sowing confusion in advance of a physical 9/11-style attack. Paula Scalingi, the former director of the Department of Energy's Office of Critical Infrastructure Protection, now works as a consultant running disaster-preparedness exercises. Last year she helped organize "Purple Crescent" in New Orleans, an exercise that modeled a terrorist strike against the city's annual Jazz and Heritage Festival. The simulation includes a physical attack but also uses a worm unleashed by the terrorists designed to cripple communications and sow confusion nationwide. The physical attack winds up flooding New Orleans; the cyberattack makes hospital care chaotic. "They have trouble communicating, they can't get staff in, it's hard for them to order supplies," she says. "The impact of worms and viruses can be prodigious."
This new age of criminal viruses puts traditional malware authors in a politically precarious spot. Police forces are under more pressure than ever to take any worm seriously, regardless of the motivations of the author.
A young Spaniard named Antonio discovered that last fall. He is a quiet twenty-three-year-old computer professional who lives near Madrid. Last August, he read about the Blaster worm and how it exploited a Microsoft flaw. He became intrigued, and after poking around on a few virus sites, found some sample code that worked the same way. He downloaded it and began tinkering to see how it worked.
Then on November 14, as he left to go to work, Spanish police met him at his door. They told him the antivirus company Panda Software had discovered his worm had spread to 120,000 computers.
When Panda analyzed the worm code, it quickly discovered that the program pointed to a site Antonio had developed. Panda forwarded the information to the police, who hunted Antonio down via his Internet service provider. The police stripped his house of every computer-including his roommate's-and threw Antonio in jail. After two days, they let him out, upon which Antonio's employer immediately fired him. "I have very little money," he said when I met him in December. "If I don't have a job in a little time, in a few months I can't pay the rent. I will have to go to my parents."
The Spanish court is currently considering what charges to press. Antonio's lawyer, Javier Maestre, argued that the worm had no dangerous payload and did no damage to any of the computers it infected. He suspects Antonio is being targeted by the police, who want to pretend they've made an important cyberbust, and by an antivirus company seeking publicity.
Artificial life can spin out of control-and when it does, it can take real life with it. Antonio says he did not actually intend to release his worm at all. The worm spreads by scanning computers for the Blaster vulnerability, then sending a copy of itself to any open target. Antonio maintains he thought he was playing it safe, because his computer was not directly connected to the Internet. His roommate's computer had the Internet connection, and a local network-a set of cables connecting their computers together- allowed Antonio to share the signal.
But what Antonio didn't realize, he says, was that his worm would regard his friend's computer as a foreign target. It spawned a copy of itself in his friend's machine. From there it leapfrogged onto the Internet-and out into the wild. His creation had come to life and, like Frankenstein's monster, decided upon a path of its own.