Evolving networks, evolving viruses

Computer viruses resemble their biological counterparts in many ways. They replicate, they travel attached to a host and they cause harm. But they do not evolve in the same way as living creatures. A new computer virus strain does not appear as a result of random mutation and competitive selection as in the biological world. This does not mean that viruses won’t evolve. Quite the opposite.

Computer viruses have been around for about 15 years already. The first viruses were merely scientific experiments known to a very limited group only. The viruses and worms of today are something totally different. Today, the virus problem is a severe threat to businesses around the globe. They are also totally different from a technical point of view. Our computer environments have evolved so dramatically that viruses from the eighties and early nineties can’t survive today. They simply rely on functionality that isn’t supported anymore. Modern computer networks provide communication channels that were sci-fi only 10 years ago. This evolution is changing our lives. The Internet is becoming one of the basic infrastructures that our society is built upon. We can now communicate both faster and to a wider audience than ever before. And it is easy. Unfortunately, computer viruses also take advantage of the same fast and easy communication channels to spread even faster.

When a new, powerful software solution is introduced, there is always a virus writer who wants to be the first to exploit it. This ensures that even if a particular virus won’t evolve as it spreads, it will soon die out and be replaced by a new and even more sophisticated creation. It follows that viruses evolve at the same rate as the infrastructure. The amount of damage caused by viruses can be kept under control by implementing security solutions. This can limit the impact of viruses, but not stop new viruses from appearing.




File and boot sector viruses

The history of viruses can be divided into three eras. These eras are directly related to the computer systems that we used. The first wave of viruses appeared in the early nineties. These viruses are known as file or boot sector viruses. It is easy to figure out what methods they used to spread to other computers if we recall a typical computer network at that time. It was quite common to exchange or store data using diskettes. The boot sector viruses took advantage of this by attaching themselves to the first sector (the so-called boot sector) of diskettes that were used in an infected computer. Then the virus just had to wait until someone took the diskette to another computer. The tactics of a file virus are somewhat similar. It infects program files on the infected computer or on shared network disks. Then it just waits until the file is sent to someone else. A lot of waiting and very little action! No wonder it took these viruses months or years to become widespread. Today these types of viruses do not pose a great threat, as diskettes are rarely used.


Macro viruses

The next era started in August 1995. E-mail was about to take over as the most important communication method after diskettes and local networks. This made life harder for the traditional boot and file viruses because there were fewer chances to propagate. E-mail did not, however, rid us of the virus problem. On the contrary, it escalated the virus problem to new dimensions. Someone invented a new virus category, macro viruses, that had superior replication capabilities compared to the old viruses.

Our networks are built and maintained to process and store data. We provide powerful and easy ways to produce documents and share them with others. Macro viruses benefit from this. They do not attach themselves to rarely transmitted program files as did the viruses of the previous generation. Instead, they look for documents created by the user and use them as hosts. Documents, such as text or spreadsheets, are commonly mailed to tens or even hundreds of other users. These users can be located all around the globe, especially in multinational enterprises. No wonder these macro viruses could spread around the globe in a couple of weeks, compared to years for the old viruses. The first macro virus, WM/Concept, became the most widespread virus in the world within a few months.

At this point it was clear that the commonly used methods for updating antivirus software couldn’t cope with the increased speed much longer. New antivirus definitions were typically shipped to the users on diskettes or CDs. The production and shipping time was far too long for fast-spreading macro viruses. The solution was naturally to update through the Internet. Physical media was still popular among customers. But the antivirus industry started to build fast on-line channels and prepare to fight the next virus generation.


E-mail worms

The next major leap towards more powerful viruses was not initiated by new communication methods like the previous wave, but rather by more powerful computers and networks. The e-mail worm era started in 1999 with the Happy99 worm. E-mail had become an important communication channel for both business and leisure. The networks and servers had capabilities for handling large amounts of e-mail. And the client software was sophisticated enough to provide programming capabilities and powerful contact lists. This was an ideal environment for automated posting, and this is exactly what e-mail worms need. They do not wait for the user to send documents. They create and send e-mail on their own. An e-mail worm does not have to wait for the user in the same way as traditional viruses. It can send out hundreds or even thousands of copies of itself in minutes.

It is no wonder that this kind of malware was able to spread much faster than anything seen before. An e-mail worm usually spreads around the globe in 24 hours as a result of a ‘follow-the-sun’ effect. This interesting effect is easy to understand if we examine the way these worms work. They are able to send mails automatically, but still must wait for user actions in the recipient’s inbox before they can activate and spread. A new worm may, for example, be released in Asia during Asian working hours. It spreads rapidly in Asia and copies are sent to Europe as well. Europeans are, however, still asleep and their computers turned off. The outbreak continues in Europe in the morning when people go to work and open their computers. Copies are sent to the US and the wave continues when New York wakes up.


Blended threats

What’s next? Both macro viruses and e-mail worms are able to work efficiently in environments without constant network connections. They can be stored on mail servers and activate when the mail is delivered. This was a very important capability in the nineties. The big revolution in the 21st century is connectivity and broadband. Larger and larger numbers of computers are connected to the Internet via a constant connection. This opens the door for network worms. A network worm spreads using direct connections between computers. No more waiting in e-mail server queues! And even more important, no more waiting for users to open their e-mail. This enables network worms to spread globally at any time of day. A global outbreak in a couple of hours is no longer science fiction.

Can the protection programs cope with these new fast viruses? Yes, for the moment. But it is clear that we are facing a challenge that requires new thinking, just like back in 1995. The huge speed is not the only new thing in viruses of today. Fighting viruses requires skills from several areas of data security, and many of the new worms can be classified as ‘blended threats’. The e-mail worms imitated a user that sent e-mail. A network worm goes one step further and performs hacking by itself. Each of these worms acts as a hacker that tries to break into as many computers as possible. This makes it possible to utilize a new method in the fight against viruses. Other technologies such as firewalls and intrusion detection systems can be integrated into the antivirus solution to provide reliable protection. These features will be able to stop fast worms even if antivirus updates don't arrive in time.

But that is not the only reason to integrate network security and antivirus features. Another clear trend, besides increased speed, is that many viruses and worms are able to disclose data. Confidential information can leak out of the company as part of the replication feature of the virus. The virus may also plant backdoors in the computers and even spy actively on the user. This development underlines very clearly that a mere traditional antivirus scanner isn’t enough. The antivirus product must be able to filter network traffic and detect attack patterns as well as be effective against today’s threats.


New technology, new viruses, new protection

The development in the computer and network field has been amazing during the past 15 years. New technologies emerge, prosper and die out. Whenever there is a new technology on the market, there are persons who try to create a virus that exploits it. Some of the technologies are powerful enough to host viruses. Some are even so powerful that the viruses become widespread in days or hours. But whenever there is a new technology on the market, there is also a security researcher who investigates how users of the technology can be protected. Thanks to these researchers we had fast Internet updates before the e-mail worm era began. We will also have integrated Internet or network security before the network worms become real headaches in personal computers.

Evolving networks, evolving viruses, evolving protection.


Mikael Albrecht, Manager, Product Management