By Michael Shnayerson
In Edgar Allan Poe's classic story "The Mask of the Red Death," an uninvited guest slips into a costume ball, his mask in place, and mingles with the crowd until the clock strikes midnight. Only then do the horrified onlookers realize that he's infected them with a deadly plague.
So, on the morning of August 18, 2003, did a masked guest enter an Internet newsgroup to infect his cyber-companions with the widest-spreading and most costly e-mail virus of all time.
His mask was a stolen credit-card number. The ballroom was an Internet-service provider called EasyNews, floating in cyberspace but tethered to a business address in Phoenix, Arizona. Seven minutes after opening his EasyNews account, the guest entered a newsgroup dedicated to pornography. "Thank you!" read one of the subject lines of the message he posted to the newsgroup's patrons. "Re: Details," read another. The message had an attachment ostensibly containing pornographic images. Greedily, many of the guests clicked it open, only to be infected. And so began SoBig.F, a virus that sent unsolicited e-mails-hundreds of millions in all-around the world.
The e-mail flood disrupted businesses from Starbucks and FedEx to AOL Time Warner, ultimately resulting in estimated losses and costs of $14.6 billion worldwide, a new record, according to mi2g, a digital risk-consulting firm in London. At least a million computers were blitzed-some with thousands of e-mails each day. But that was just the start. Encrypted in the virus's code was a second stage, timed to launch later that week. Every computer infected with SoBig.F would download a mysterious program from an unknown Web site. Would the program wipe out the data on the owners' hard drives? Steal their passwords or credit-card numbers? Recruit them in a campaign of cyber-warfare?
With the fateful hour looming, virus hunters around the world vied with one another to crack the encryption, both to avert what could be a global computer calamity and to earn the glory of stopping the most complex virus yet. Some were at Microsoft in Washington State, others at Computer Associates on Long Island, Symantec and Network Associates in California, and still others at Britain's Sophos P.L.C. and Tokyo's Trend Micro. These were the industry leaders. Yet all knew they had a colleague to reckon with: Mikko Hypponen, a 34-year-old Finn with a blond ponytail, who worked at a small, Helsinki-based company called F-Secure.
In an office devoid of decoration or personal effects, Hypponen bent over his laptop and scrolled through 2,000 pages of SoBig.F virus code, calling out orders to a team of young Europeans down the hall. Beside him, a forgotten cup of black coffee grew cold. Outside, unnoticed, a precious Nordic summer day rose, shimmered, and began to fade.
To a first-time visitor, everything in Helsinki seems to work just as it should. The airport is spotless and hassle-free; the taxis are new Mercedeses, whose drivers hold forth with the erudition of college professors; the streets are clean-swept and uncrowded, the buildings a cheery mix of wedding-cake Art Nouveau and soaring modernism. A liberal spirit prevails: Finland's wildly popular president, Tarja Halonen, was a single woman upon her election, in February 2000, and only afterward married her steady beau. And everywhere in this old seaport is the happy hum of new money, thanks to Nokia, the onetime maker of rubber boots whose mobile phones spawned an industry and made Helsinki one of the European Union's fastest-growing cities.
No surprise, then, that the boom in I.T.-information technology-has fostered a plucky start-up here to guard that information from hackers and virus writers. F-Secure-the name means nothing, but to its founders sounded "cool"-went public in November 1999 during the dot-com wave and saw its stock soar more than a thousand percent, briefly making its young C.E.O., Risto Siilasmaa, the richest man in Finland, to his utter mortification. (Finns are different.) The stock is back where it started, but the company is profitable, in large part because of its crack anti-virus team.
Siilasmaa and the corporate brass enjoy harbor views from the modernist glass boxes where F-Secure has its headquarters, in an industrial area at the western end of Helsinki. Hypponen and his young programmers look out the back from bare, unlit offices onto a dreary street, but none seems to mind: their eyes are glued to their computer screens. Some 600 viruses hit the Internet each month-more than 80,000 have plagued it to date-and Hypponen's team has to deal with most of them, posting fixes online twice a day to the far-flung corporate clients of F-Secure's anti-virus program. The pressure, especially when a Level One virus hits, is intense.
"This year, 2003, was the worst in virus history," says Hypponen, whose good looks, easygoing charm, and perfect command of American jargon make him stand out in your average gathering of European computer wonks. In that terrible year, he says, one month was the worst: "The whole of August was just a nightmare."
It started with a virus called Blaster. In early June, a somewhat informal Polish group of computer-security sleuths called Last Stage of Delirium (L.S.D.) had detected a hole in four versions of Microsoft Windows operating systems. The group, which views itself as a watchdog, quietly contacted Microsoft to alert it to the problem. The hole was in one of the worst possible places: in a part of the program that governs how a computer processes commands from other computers. On July 16, L.S.D. and Microsoft made coordinated announcements: L.S.D. declared it had found the hole, but offered no technical details, while Microsoft offered a software "patch" to fix the problem. Over the next week, some 40 million patches were downloaded. But virus writers had taken note, too. Soon the hole's working code was posted on the Web, apparently by Chinese hackers. The result was all but inevitable. On August 11, millions of computers with Windows Server 2003 and Windows XP started rebooting uncontrollably. Blaster wasn't just a bad new virus. It was an entirely new kind of virus.
Virus history, as Hypponen calls it, began in about 1986 with primitive viruses on floppy disks that spread only when the disks were exchanged. That era now seems quaint. By the mid-1990s the Internet had spawned viruses that spread in documents sent by e-mail, but just to one user at a time. Not until the late 1990s did virus writers figure out how to mass-distribute infected e-mails. But even then a user still had to click on an attachment to infect his computer. After a painful experience or two, many users learned to delete e-mails with attachments from unfamiliar senders. They assumed, as a result, that they were safe. They were wrong. With Blaster, a computer needed only to be connected to the Internet to be infected. No e-mail, no attachment. That made it, in the jargon of the biz, both a virus and a worm, which replicates on its own.
A new era had begun.
Among the first machines to be infected by Blaster was one of Katrin Tocheva's "honeypots." One of the few women virus hunters, and Hypponen's team manager, the Bulgarian-born Toche-
va, 44, keeps several home computers on 24-hour cable connections to the Internet. They all have the Windows programs-any virus writer's favorites, given that Windows has 95 percent of the market-but no anti-virus software. That's what makes them honeypots, perfect targets for viruses. At 10:14 p.m. Finnish time on August 11, she sensed she had a big hit. By 10:50 she and the team had posted a description of it, beat-
ing the U.S.-based Computer Associates by eight minutes. That gave them the right to name it: they called it Lovsan because its code contained the words "love you san." Many newspapers picked up the name, but many more took their cue from other virus hunters, who apparently felt they had christening rights and named it Blaster. "The media liked the name Blaster more than Lovsan," Hypponen says.
Soon every anti-virus program in the world-not only F-Secure's but also McAfee's, Norton's, and others-had warned its subscribers to download the Microsoft patch, and the companies had begun working together. "Mikko doesn't work in a vacuum," observes Ian Hameroff, security strategist at Computer Associates. "F-Secure was involved, but so was C.A. and Symantec [maker of Norton] and Network Associates [maker of McAfee], as well as others."
Still, over the next week, Blaster wreaked havoc, exacerbated by another virus, called Welchia. Air Canada's check-in system was shut down. East Coast freight- and commuter-railroad services were disrupted. Hundreds of thousands of users tried to download the Microsoft patch or similar software only to have their P.C.'s reboot before the download was done. In another first, Hypponen's team crafted a software tool to circumvent the problem, and put it out free on the Web.
After a week of dealing with Blaster, Hypponen was exhausted when he came in for work on August 19. Tocheva had flown to the Greek islands with her 20-year-old son for a well-deserved vacation. That, Hypponen thought, was what he should have done with his wife, Riitta, and his two young children. But then, at 9:20 a.m., Ero Carrera, a young Spanish team member, popped his head into Hypponen's office and said, "You better see what we've got in the lab."
The team's "lab," down the hall, is a windowless room of honeypot computers, its dreariness relieved only by a growing collection of raunchy postcards of European bathing beauties. On one of the honeypots was a screen of virus code. Hypponen scanned it and nodded. The code looked all too familiar. "I think you're right," Hypponen said with a sigh. "SoBig is back."
Throughout the year, a strange series of viruses had hit the Internet, the first one only moderately threatening, the following ones more complex and cunning. Hypponen dryly called the series a "development cycle." Now the cycle had turned again.
On January 9, 2003, Hypponen and his team became the first to debug an infected e-mail sent from the fictitious address email@example.com. SoBig was a standard e-mail virus: it came in an attachment that had to be clicked on for a computer to become infected with it. Like most e-mail viruses, SoBig then sent itself to every e-mail address in a user's computer, always appearing to come from firstname.lastname@example.org. But, as Hypponen and his industry colleagues soon saw, the virus had a second stage: every infected computer was scheduled to download files from a single Web site at a later time.
To stop this first SoBig, the virus hunters had only to warn Internet-service providers (I.S.P.'s) like America Online to block e-mails from email@example.com, and then persuade a Web-site host called GeoCities to shut down the page from which the second stage would be launched.
Somewhere, the virus writers were watching what the virus hunters did. Watching and learning.
On May 19, a new SoBig hit the Internet-SoBig.B, to follow the renamed SoBig.A. Instead of coming from firstname.lastname@example.org, the variant purported to be from "Microsoft Support"; it came with an attachment, and users were instructed, "All information is in the attached file." That made it like a "Trojan": an e-mail appearing to be helpful or benign, but containing nasty stuff. "Microsoft Support never sends files with attachments," Hypponen observes. But hundreds of thousands of users, especially in the U.S. and Britain, were duped. As with its predecessor, SoBig.B led infected computers to a single Web site. Strangely, SoBig.B was coded to terminate in two weeks, as if the writers viewed it as a dry run. The day after its demise came the new and improved SoBig.C, and then, two weeks later, SoBig.D.
With each iteration, the game grew nastier. The writers were figuring out how to send e-mails from many addresses, not just one, and how to give them various subject headings. Now service providers had a much harder time blocking them. When the virus got through, it downloaded "keyboard sniffers," which reacted to words typed on a keyboard, such as "password," "bank," "account access," "My eBay," and "credit card," and copied the words or numbers that immediately followed them. The virus installed "backdoor" programs, too. With them, the virus writer could enter the computer at any time, like a thief with a house key, and fish out the passwords, credit-card numbers, and other files and documents at his leisure.
To foil the hunters, the virus writers even created a program that removed the SoBig virus itself. This sounded good but wasn't. The keyboard sniffers and back doors were still there, but now no anti-virus program could detect them.
No line in the virus's code identified each new variant as SoBig: that was the hunters' name for it, not the writers'. Nor was there any encoded message. "I hate to go to school," the writers of the infamous I Love You bug had declared in May 2000. "I want a good job," pleaded the writer of the Klez virus of March 2002. "Can you help me?" The classic profile of the virus writer, as those messages attested, was a disaffected teenager. The writers of SoBig were almost certainly adults and deadly serious. The only signature of every SoBig incarnation-the twist that suggested each iteration was the work of the same virus writers-was the increasingly sophisticated second-stage hookup of infected computers to a Web site for downloading files.
When SoBig.E expired on July 14 without a follow-on the next week, Hypponen allowed himself to think he'd seen the last of the virus. Perhaps the writers had given up on the second-stage approach. Perhaps they'd feared they would be caught. But now here was SoBig.F. And after just minutes of scrolling through its code in the airless lab, Hypponen could see it would be a lot worse than SoBig.E.
As a first step, Hypponen had to post a virus alert, one that would not only appear online for F-Secure's anti-virus subscribers but also be sent as a message to subscribers' phones and pagers. He spent a few more minutes studying the code: he wanted to be sure before he woke up subscribers in North and South America. But there it was, the signature second stage, rendered in code with a whole new degree of efficiency.
With the alert posted, Hypponen's team started combing the worm's replication code for a search trick. They wanted a few bits that were both unique and essential to the virus-bits that would help a computer identify and kill it. In that, they were like microbiologists looking for parts of a human virus or bacterium that a drug could target. A good antibiotic takes about 10 years of research and development. Hypponen posted his team's search tool for SoBig.F in two hours and 33 minutes.
Virus hunters from New York to Tokyo were posting search tools and anti-virus updates as well, and for anyone who downloaded one, SoBig.F was no longer a threat. But that still left most of the world exposed. At 12:45 p.m., Hypponen started getting SoBig.F e-mails on his own honeypot computer, the one with the e-mail address he'd kept unchanged for the more than 10 years he'd been chasing viruses. By two p.m. he'd received a hundred of them. The headers were from all over the world: that was how fast the virus was spreading. Before the virus ran its course, Hypponen's honeypot would get 19,000 e-mails-an indication of what tens of thousands of other computer users were experiencing, too.
After watching the e-mails mount, Hypponen upgraded SoBig.F to a Level One threat at 4:55 p.m. Tuesday. It was as bad as Blaster, maybe worse. But Hypponen still knew only a fraction of what the virus could do. Late that evening, he unplugged his laptop and drove home to the suburb of Espoo in his four-year-old Volvo station wagon, listening to ColdPlay, the Fugees, and Finnish hip-hop on the computer stereo system he'd installed as one of his few indulgences. Soon after greeting his wife and putting his children to bed, he was back at the laptop, scrolling through code.
The next day-Wednesday, August 20-the virus rampaged through cyberspace like a tsunami. America Online stopped 11 million SoBig e-mails at its firewall; on Thursday, that number would double. Companies around the world staggered under the e-mail load; many systems crashed for hours at a time, costing the companies business. Yet home users were more affected. "It was relatively easy for corporations to block it with filters," says Vincent Weafer, a senior director of Symantec Security Response. "Home users got so many of these messages, with different subject headings, that they were apt to click on one or another of them." Trend Micro, reported Joe Hartmann, director of North American anti-virus research, received 3.1 million reports of infection from users downloading a free online scanner for SoBig.F.
The sheer volume of virus-spreading e-mails was alarming, but Hypponen was starting to think it might be a flaw. "It was actually bad for them," he says of the virus writers. "It made too much news." In fact, the virus writers had directed their worm to send out not just one e-mail at a time to each name in every user's files, but seven. "They thought they would infect more computers by sending more e-mail," Hypponen says. Instead, they infected fewer, as many users started deleting all the e-mails they were getting from unknown senders.
Still, hundreds of thousands of computers might now be vulnerable to manipulation by the second stage of the virus. By Thursday morning, Hypponen had learned that all infected computers were to start downloading a program of some kind at 10 p.m. Friday, Finnish time. Computers in different time zones would be synchronized precisely, to the tenth of a second, by connecting to atomic clocks-a first for the virus. "These guys are serious," Hypponen muttered. But what program? From where? And how?
The key lay in a short stretch of the virus heavily encrypted with algorithms, like a secret wartime code. "In most cases, we can crack the algorithms in a few minutes," explains Gergely Erdelyi, a 35-year-old Hungarian team member who took on the task. But these algorithms were multi-layered-designed to confound the world's 200 or so virus hunters until the second stage launched. With only 36 hours to go, Erdelyi took a chance. "If the virus wants to use the data at some point, it has to decrypt it itself," he says. "So what I did basically was run the virus and let it decrypt the data, and stop it at the critical point."
At about two p.m. Thursday, Erdelyi succeeded. What lay revealed was a list of 20 computers, all continuously connected to the Internet by cable modems. Most were in the U.S. and Canada, the balance in South Korea, nearly all of whose computers have broadband Internet hookups. Now the scheme came clear, not just to Hypponen's team but also to all the other virus hunters who were working together, their competition put aside, for the common goal of beating SoBig.F. The 20 computers were being used as servers to a sinister end.
On Friday, every computer in the world infected with SoBig.F would start trying to contact one of the 20 servers, like callers attempting to get through to a company switchboard. Twenty were needed for the sheer volume of traffic the infected computers would cause. When contact was made, the servers would direct the infected computers to a Web site from which they'd download a program. Twice a week until September 10-an intriguing date-all those infected computers would try to contact the 20 servers again at synchronized times. It was like the 1962 movie The Manchurian Candidate, but with computers, rather than people, programmed to wait for instructions. "Bots," the virus hunters call these hijacked computers-for robots.
Erdelyi used his infected honeypot to contact one of the 20 servers. He laughed as he read the result: the server directed him to www.sex.com, a collection of links to pornographic Web sites. It was being used unwittingly as a placeholder-a decoy. Anticipating that someone might break the encryption before 10 p.m. Friday, the virus writers had connected their 20 servers to the decoy Web site. Just seconds in advance of the appointed hour, they would substitute their Web site of choice. That way the virus hunters couldn't end the game by bringing down the Web site, as they had with earlier SoBigs. "We'd seen second stages before," says Sal Viveros, director of the McAfee anti-virus division at Network Associates. "But to put the Web site on at the last moment-that was new."
So the hunters had no choice but to shut down the 20 servers. Chances were the servers belonged to home users who had no idea what was going on; their computers had been infected with earlier versions of SoBig, and the virus writers were manipulating them through the clandestine back doors they'd installed. The home users would surely turn off their cable connections if asked. But how to contact them? The hunters had no names, just computer addresses in numbers. They could tell which Internet-service providers were linked to which computers, but there was no point in calling the I.S.P.'s. "We had done it many times before, and it was a waste of time," Hypponen says with a sigh. "They're not going to disconnect a paying customer just because some company in Finland calls them and asks them."
The virus writers had chosen their 20 servers well: they were from nearly as many different I.S.P.'s, making it that much more difficult for the hunters to get them all shut off. If even just one remained on at the stroke of 10 p.m. Friday, enough of the infected computers might connect with it to launch the mysterious second stage. Grimly, Hypponen put in a call to Finland's Computer Emergency Response Team (cert), a government-sponsored group.
By early Friday afternoon, the cert had helped get 11 of the 20 machines closed down. But the balance were in the U.S. and Canada, beyond the cert's reach. That was when Hypponen called the F.B.I. He was able to report that in the interim five more machines had gone down. But that left four still on, with the deadline less than four hours away.
At 7:28, Microsoft joined the search. The hunters were down to three servers. With the F.B.I.'s help, another was brought down. The remaining two were somewhere in the U.S. One of those had been turned off. Hypponen knew this because his team had written a tool that could make the servers react as if the virus were contacting them, and the 19th server kept failing to respond. Unfortunately, the 20th server did respond, so it was still online. Some press reports would speculate that the F.B.I. left the 20th machine on deliberately, hoping the virus writers would contact it seconds before the deadline, and so be traced. Hypponen thinks some I.S.P.'s were simply harder to contact than others. "It's not trivial to find who actually operates the system in that part of the world, then find the correct person in that company and persuade them to pull the plug."
Would one be enough? At precisely 10 p.m., hundreds of thousands of infected computers began trying to connect to the one last operating server. To the hunters' relief, they swamped it completely. When one of F-Secure's own computers finally got through, the server merely directed it to www.sex.com. Clearly, the virus writers had been monitoring the situation, watching one after another of their servers go down. With only one still working, they'd chosen not to replace www.sex.com with the Web site that held the program they wanted to send out. So the hunters would never know what the writers planned to download that night.
One of the great appeals of virus writing is that almost no one gets caught. As the number of computers infected by SoBig.F declined-from 145,264 that Saturday, August 23, to 98,205 on Sunday-the F.B.I.'s Los Angeles field office tracked the first infected e-mails to EasyNews, in Phoenix, and issued a subpoena. EasyNews co-owner Michael Minor found a record of the credit-card transaction used to open the virus writers' account, but the number turned out to be stolen. He also found the numerical address of the computer from which the purchase had been made. The computer was in Vancouver, British Columbia. "To the best of my knowledge it was at somebody's home," Minor told reporters. (The F.B.I. declined to comment.) Minor suspects all the agents found was a wide-eyed Canadian, whose computer the virus writers had commandeered through a back door installed by an earlier SoBig.
Hypponen feels sure he knows the motive behind SoBig.F: not malice, just money. "I think it's organized crime," he says, at least insofar as the writers are criminal and organized. Along with identity theft-credit-card numbers sold on the black market-he suspects they've made huge profits from creating "proxies" (or commandeered computers) for spammers.
As services such as American Online have tried to block the flow of commercial e-mails to their customers, spammers have learned new tricks. Most effective-if illegal-is the proxy. Hypponen thinks that, by installing back doors as part of their virus, the writers of SoBig hoped to send spam through each infected computer to every name in that user's address book-and, for that matter, to hundreds of other e-mail addresses supplied by the spammer. Soon enough, some of those recipients would complain, and regulators would trace the spam back to the innocent homeowner whose computer had been hijacked: end of proxy. But a program such as SoBig could keep providing more proxies until the virus hunters shut it down.
If Hypponen's hunch is correct, the greatest danger SoBig posed was a plethora of e-mail ads for penis enlargements and Russian mail-order brides. But like a human virus, SoBig's code tricks will surely spread among a global community of virus writers said to number in the thousands. "They're taking several playbook pages," says C.A.'s Ian Hameroff of recent activity, "and combining them in one virus." The timed second stage that SoBig.F perfected may soon be used to more dangerous ends.
The good news, says Hypponen, is that highly secure government computer systems, such as those of the U.S. military, are less vulnerable to virus infections because they aren't connected to public networks. So the scenario of a second-stage virus being used to download a file that launches the first rocket or bomb of World War III is, he says, implausible. What a politically minded virus writer can do is channel a flood of infected e-mails to one target, overwhelming it for hours or days in a "mass-distributed denial of service."
Code Red was such a virus: it targeted the White House's Web site in 2001 and would have inundated it had the site not been moved to a different server in time. Last March 18-two days before the Iraq war started-another denial-of-service virus went out as an e-mail with an attachment purporting to contain pictures taken by U.S. spy satellites over Iraq. Once opened, the attachment took over the user's address book and sent e-mails from everyone in it to a select group of Western journalists covering the war. The journalists were snowed under with tens of thousands of e-mails: a perfect denial of service.
As alarming as denial-of-service attacks may yet become, this worst year in virus history has shown that some of the most severe damage viruses do is indirect and unanticipated. This fall, Hypponen spent a lot of time poring over a 600-page transcript of conversations between operators of U.S. electrical grids in the moments leading up to the blackout of August 14, 2003. He thinks he knows why the blackout occurred: Blaster. "The blackout wasn't caused by the worm," he says, "but the blackout wouldn't have happened without the worm."
First, Hypponen argues, consider the timing: Blaster hit the Internet three days before the blackout. Over the next 36 hours, network traffic caused by the worm increased steadily. It peaked, says Hypponen, just as the blackout occurred.
The direct cause, Hypponen believes, was almost certainly operator error. "People made mistakes, they put too much power to lines." But, he theorizes, "the reason why they made those mistakes was that they weren't getting the right information from the sensors they were using to monitor the power grid." The sensors on the computers employed the same communication channels Blaster was using to spread. Just one or two infected computers in the network, Hypponen feels, would keep the sensors from relaying real-time data to the power operators.
"So if you look at the call logs-several hundred pages of phone logs which have been made public; I've looked through them all-they keep making [references] to computer problems." When a transmission operator calls FirstEnergy (whose utilities provide electricity to more than four million customers in three northeastern states) to question its voltage, Hypponen observes, FirstEnergy responds, "We have no clue. Our computer is giving us fits."
The creator of Blaster could never have imagined his virus might help provoke the biggest blackout in U.S. history and, perhaps, play a role in the several other blackouts that subsequently rolled across Europe. Yet, Hypponen feels, it happened. Results of a definitive blackout study have yet to be published as V.F. goes to press, but other people share his suspicions, including Congressman Edward J. Markey, a Democrat from Massachusetts, who participated in House hearings on the calamity. In January 2003 a worm called Slammer blocked commands that operated power utilities.
Risto Siilasmaa, F-Secure's sloe-eyed founder, says the blackout suspicions underscore a more important point. "An ever larger part of society's function is controlled by computers," he says, as youthful-looking at 37 as a college student, and genuinely relieved that his brief run as Finland's only billionaire is behind him. "So the indirect damage, the effects and repercussions that virus incidents cause, are becoming more visible." Electricity, water, heat, traffic lights, train routing, airplane-flight operations, many functions of government, corporate manufacturing and bill keeping-all are computer-run now, and so all are vulnerable to viruses, in ways both direct and indirect. The next target, Siilasmaa feels sure, is the brand-new, so-called smart phone.
"The smart phone is a small computer with an antenna," Siilasmaa explains, a phone that combines the function of a laptop, BlackBerry, Palm, video camera, and Web browser, and can even download from the Internet. "And with the new networks, you're always online." Helsinki is a center of this new technology: smart phones are as common here now as basic cell phones are everywhere else. One recent article in New Scientist predicts a global market of 100 million by 2008. The virus potential is mind-boggling. Why not viruses that record and relay recent phone numbers called by the phone user? Or viruses that turn the smart phone into an open microphone for eavesdropping, not just on phone calls but on any conversation within range?
To many computer users, the worst virus imaginable is one that would come unsolicited through the Internet-as Blaster has now done-and wipe out a hard drive. Many viruses, in fact, have wiped out hard drives, so an unsolicited one-one that doesn't require clicking on an e-mail attachment to launch-is all too feasible now. But so, says Symantec's Vincent Weafer, are more dire threats.
"If I lose a document, it might be backed up," Weafer says. "But what if a virus stole your most confidential file and sent it out to the world? Or took your credit-card number and sent it to Russia? Or stored child pornography on your machine? Having your identity stolen or your reputation tarred is far more significant than if documents get deleted."
Even now, unseen armies of bots are standing by, their back doors open to intrusion, capable of doing just that. SoBig.F has swelled their ranks considerably. Tens of thousands of bots that all those iterations of SoBig.F created remain undetected, under remote control, waiting around the world to do their masters' bidding.
Aware of the danger done by the most destructive virus ever, Microsoft has announced a $250,000 reward for information leading to the arrest and conviction of SoBig's creators. The reward is part of the company's new, $5 million bounty program to help nab virus writers. It's an indication of how serious a threat they are to Microsoft-and how hard they are to catch.
At the wheel of his Volvo, with punk music wafting from the stereo, Hypponen drives a visitor to a favorite restaurant in Helsinki, where the design theme is tractors-real tractors-and the dish of the house is reindeer steak. The nightmare of August is over, but September has brought Swen.
Like Blaster, Swen can infect a computer without its user having to click on an attachment. The e-mail this time is purportedly from "Microsoft Technical Assistance," explaining that a new security hole has been found in the Windows 95, 98, 2000, NT, and XP systems. Anyone not infected by simply opening the e-mail is sure to get the virus when clicking on an attachment that appears to contain the patch needed to fix the security hole. Official-looking boxes appear on-screen; blue bars show installation of the patch. "It looks very, very real," Hypponen says. "The images, the text-very convincing."
With Swen, Hypponen and his team have had to deal once again with a globally serious threat. Once again, they've logged a lot of late nights. An American virus hunter working for a boss who even briefly became a billionaire might wonder, perhaps, if he was getting paid enough money for shooting down virus after virus, and burnishing the company name, from a modest office with a backstreet view.
"Money?" Hypponen echoes wonderingly. The word seems almost alien to him. "Money would be nice. But it's the work that's so interesting. And obviously there's pressure when there's a big outbreak going on. No one is really at your neck, but you know that people in the company are relying on you." He flashes a boyish grin as he cuts his reindeer steak. "Who's going to buy the anti-virus program if we can't stop the viruses?"