GEEK FORCE

As viruses overrun the Internet, a few Portland counter hackers stand and fight.

It started on a single computer, in the dead of a Saturday night in January. A tiny little piece of code, not much longer than a couple of newspaper sentences, invaded a Microsoft database program.

The intruder consisted of a very simple set of instructions. It turned the infected machine into a volcano of poisonous electronic junk mail. The computer gushed randomly addressed messages into cyberspace, each carrying a replicated copy of the rogue program. More machines got sick. Those computers also vomited virulent code and infected even more machines.

Most of the Western Hemisphere was asleep. But the virus called Slammer--soon notorious as the largest attack on the Internet ever--was on the march.

The outbreak reached critical mass in minutes, as a few network administrators and security specialists--the Internet's thin global defense line--watched in mounting alarm. The worm's army of infected machines was doubling in size about every eight seconds. Large sections of the Internet, overwhelmed by the torrent of garbage data, began to shut down.

In Portland, beepers started screaming, and telephones began ringing in darkened apartments and houses.

It just so happened that Khai Pham decided to drop by his Beaverton office a little after 4:30 am Portland time. Before dawn on a Saturday morning seems like an insane time to punch the clock, but for Pham it's no big deal.

"It might sound crazy, but sometimes I'm still at work at about that time," says Pham, a lanky, black-haired 28-year-old with a bachelor's from elite Caltech.

That morning, Pham found the Anti-Virus and Vulnerabilities Emergency Response Team's lab anything but sleepy. The Beaverton lab is a nerve center of a global anti-hacker squad (known as AVERT), one of a handful of major outfits that combat computer viruses, worms and other breeds of so-called "malware." A team member in Germany had captured a sample of Slammer hours before and sounded the alarm. By the time Pham showed up, a skeleton crew of Beaverton researchers was already battling the online plague.

Pham might be a low-key, circumspect, bespectacled guy, but he's actually part of a select force--part biohazard squad, part SWAT team, part cloak-and-dagger code-breakers. By some estimates, only 500 specialists on the entire planet do this stuff. On the morning of Jan. 25, 2003, it was all hands on keyboard.

Pham and other Beaverton specialists struggled to trap Slammer in the isolated, secure environment of the AVERT lab's computers. The worm was unusual and tricky, its replication process different from that of most viruses. The hunt took hours. But by 8:30 am, Pham and his comrades succeeded in infecting a machine they could control and observe. They could figure out how the beast worked--and how it might be stopped.

The urgency was obvious. Across the United States, ATMs were on the blink. South Korea lost nearly all Web and cell-phone access. A safety system at the Davis-Besse nuclear power plant in Ohio went offline for five hours.

Pham and his colleagues responded with lethal focus. By 10 am, he'd written code that could detect infected systems. By 11, other researchers had tested Pham's diagnostic tool. As morning flipped into afternoon, the researchers in the Beaverton lab were close to beating Slammer.

Nailing the worm's last chunks took still more hours. Finally, by 5 pm, AVERT added code designed to detect Slammer--and help stop its spread--to the security software sold by its publicly traded parent company, Network Associates. The firm's clients, an estimated 70 million individuals and companies, pay subscription fees for an ever-evolving defense against destructive programs roaming "in the wild."

AVERT's solution was nearly 17 hours in the making. Still, it was the first commercial software to counterattack against the world-wrecking virus. The team's major competitor, Symantec, would take another seven hours to devise its own solution.

As the 21st century's central nervous system teetered on the brink, a crew of anonymous geeks in a sterile, faceless Beaverton office pod came to the rescue. Even so, they didn't have time to gloat.

"With many corporations closed for the weekend and unaware of the threat," Pham says, "we realized our work was just beginning."

Spring sunshine pours through towering windows, casting a rosy glow on the Multnomah County Central Library's Science wing. Most of the room's activity clusters around two long tables outfitted with black plastic computer terminals. Clicking from 16 keyboards makes a rodentlike buzz. An elderly lady in a flower-print shirt is scanning Costco's website. A few streetwise-looking kids are checking their email. A couple of others are actually using the library's online book catalog. Every machine is busy, and three people wait their turn.

On the information superhighway, the Multnomah County library system's public terminals are mass transit--as crowded, commonplace and utilitarian as a packed MAX car. The putterers in the Science room probably have no idea that nine county employees are charged with making sure this accessible system isn't vulnerable to attack.

Stan Johnson leads the county department responsible for keeping viruses out of about 4,000 machines. A key part of that effort, he says, is the anti-virus software Khai Pham and the other AVERT specialists in Beaverton work on. The county pays about $40,000 a year ($10 per machine) for the software, sold under the brand name McAfee. McAfee programs guard not only library patrons but the county's byzantine social services--everything from STD clinics to parole officers to animal control.

"There are two things to worry about," Johnson says. "One is, a virus gets in and causes complete destruction. When LoveBug hit, it killed some of our PCs. We had to go in and rebuild every infected machine. People had to hope they'd backed up their files.

"Two, there are viruses that can get into your machine, take all the documents in a folder and email them out to whoever. So you can potentially lose very sensitive information."

To help counter those threats, Johnson says the county shifted to McAfee software when it merged a number of tech departments into his office about two years ago. The programs AVERT works on consistently receive high marks from the independent trade magazine Virus Bulletin.

To Pham, the task of defending clients like Multnomah County, no matter how technical in detail, boils down to a simple matter of right and wrong.

"It's warfare," he says. "Us on one side. Virus writers on the other."

AVERT's enemy in that fight is a murky international underground of hackers who write and unleash viral code. These cyberspace mad scientists don't all share the same motivations or methods. But they add up to a force that seems to be growing in strength.

Last year was called the worst ever for viruses. And AVERT has already issued more alerts about high-danger viruses in the first few months of 2004 than in all of 2003.

"A couple of weeks ago, we had an outbreak on the weekend," Pham says. "Then an outbreak on Monday. And a new outbreak on Wednesday."

The pressure is on--a pressure that, to hear some tell it, makes anti-virus techies like Pham a breed apart.

"The biggest challenge I have is finding smart, energetic, creative people who don't get tired of routine work," says Victor Kouznetsov, senior vice president for AVERT's corporate division. "Kind of a contradiction, right? In a day, you might get 100 things to analyze, and all 100 are things you've seen before. You sit around and sit around. It's like firefighters playing dominoes, but even they have to go rescue a cat sometimes. But then something happens, and you gotta get there."

Kouznetsov, a smooth, philosophical Russian with a sweep of dark hair, has worked in the anti-virus industry since 1988. He's seen his trade go from an age when viruses crept around via floppy disc to a $1.4-billion-a-year industry, virtually omnipresent in the business world. In an FBI survey last year, hundreds of private firms and government agencies rated viruses, combined with the website-freezing attacks they often launch, as the most costly computer crimes, worse than information theft or employee malfeasance. Kouznetsov says that during a viral outbreak, AVERT specialists work in an atmosphere where time is literally money.

"We have clients who know how much being offline costs them," Kouznetsov says. "Every minute has a dollar figure attached to it. And if your competition comes up with a fix six hours before you do, their salesmen are going to your client saying, 'Hey, we're beating these guys.'"

Kouznetsov says there is no one type of person suited to this mix of plodding analysis and breakneck response.

"We are constantly recruiting, and there has never been a layoff among researchers," Kouznetsov says. "I'm interested in people from all different kinds of fields who can think critically and quickly. If you know anyone, seriously, give me a call."

"It's like playing black in chess," says Joe Telafici, AVERT's director. "The other guy always has the first move."

Telafici, a black-mustached New Jersey native, used to investigate environmental contamination back in the Garden State. He keeps a photo of himself on the door of his office, in which he sports a crazy crop of dreadlocks and a maniacal expression, and appears to be attacking the camera with a bottle of Pepto-Bismol. These days, he wears his hair close-cropped and polices a different kind of toxic sludge. It seems the gastric implications of his work haven't changed.

"It was not unusual, over the last five or six years, to hear about three or four viruses a year in the mainstream media," he says. "Now we have as many as three or four a week. That's a completely different set of circumstances for us. There have been a lot of 3 am phone calls."

AVERT's specialists attribute much of the recent mayhem to MyDoom, a fast-moving Big Kahuna that erupted on the Net in January 2004, a year after Slammer. When MyDoom hit, most attention focused on attacks the worm launched against the websites of Microsoft and SCO, a software company embroiled in a high-profile intellectual-property controversy.

An AVERT researcher named Craig Schmugar gave the worm its ominous name, which quickly swept through the media. (Virus naming is a somewhat chaotic process. Researchers at different labs often give different names to the same virus, then wait for one of the names to catch on.) Now, Schmugar says the real significance of MyDoom was lost in the initial frenzy. He says MyDoom, by installing "back doors" in infected machines, gave hackers access to thousands of compromised computers.

"It seems like the variants we've been seeing over the last few months are successful because of MyDoom," says Schmugar, a tall, soft-spoken guy with a master's degree in jazz pedagogy. "Anyone who knows the Internet address of an infected computer can use it to send out more viruses."

In other words, MyDoom may have kicked off malware's golden age--an era when increasingly talented virus writers turn the Net into a virtual free-fire zone.

"There have always been virus writers who took a lot of time to craft code," Telafici says. "But they tended to be the ones who would say, 'Oh, this is interesting.' Sometimes they didn't even distribute it. It was an intellectual exercise. None of that seems to be the goal today. It's all about, how many machines can I infect? How fast?"

So who are these renegade programmers?

Telafici says that though there are thousands of dabblers, the virus-writing elite is probably about as small as the cadre of anti-virus researchers. Scattered all over the world, serious virus writers make an elusive quarry.

"Some guy in Eastern Europe will compromise a machine in Canada and use it to launch an attack in the U.S.," Telafici says. "That's a very tricky thing for authorities to investigate."

A group called 29A Labs (29A is "666" translated into a special numbering system programmers use) is arguably the world's most high-profile virus writers' collective. The members of 29A work under pseudonyms like Ratter, VirusBuster, dis69 and Morphine. Articles on the group's website blast the anti-virus industry for fear-mongering (and the media, for giving the industry press). They also delve into the inner workings of viruses and other malware. The site and others like it put malicious code just a Google search and a copy-paste away from anyone.

The 29A writers typically say their work is for informational purposes only. They argue that by plumbing different computer systems' vulnerabilities--and by brewing a virtual apothecary of poisons--they're expanding the computer world's knowledge base. It's an impolite, Anarchist's Cookbook approach to free speech, characteristic of the viral underground's most self-consciously intellectual subculture.

"Traditionally, the virus-writing community has been composed of astute but self-educated young guys," says Kouznetsov. "They don't care about money. They're artists--they really are, because to find vulnerability in, say, a Microsoft Windows Help file takes a pretty twisted mind. You could call their motivations aesthetic."

Some believe the game is changing. Many security experts think professional junk-mailers--the spam sleazebags who trawl the Internet for suckers, using cheap Cialis, celebrity nipple shots and implausible mortgage rates as bait--are paying virus writers for lists of compromised computers. Machines infected with viruses like MyDoom, which install back-door access points in their victims, can be used as conduits for spam. By channeling junk mail through an unwitting middle man, spammers make their work harder to trace.

Some forms of malware can be used to steal credit-card numbers or passwords, or to heist proprietary corporate information. With potentially lucrative criminal schemes entering the picture, Telafici says some virus writers have an incentive to perfect their code, invade more machines and stay anonymous.

"People doing this to sell addresses to spammers or steal credit-card information don't put their names in their code saying, 'Isn't this cool,'" he says.

The last couple of weeks have been hell on wheels for Cory Bell, the bearded 29-year-old information-security chief for Portland State University's 3,800-computer network. On the first Friday in April, he started hearing complaints that the university's system was moving slowly and acting weird. He discovered some machines highly infected with worms--worms that actually shut down the school's anti-virus software.

Fighting to quell the infection, he watched new variants of the worms barrage the systems.

"We were getting new infections faster than the anti-virus companies could send updates to our screening software," Bell says. "We found ourselves trying to research the viruses and figure out what we had--trying to do what these companies have whole labs to do."

Bell's predicament underscores the biggest charge critics level at the anti-virus industry: that AVERT and its competitors, which mostly react to outbreaks after they begin, are peddling security systems that can't keep up with the mounting viral surge.

"They need to change the entire architecture of the industry," says Michael Sweeney, who runs an L.A. security company called PacketAttack and is a prominent industry critic. Sweeney and others believe new, preventive technological approaches could stop outbreaks before they occur--and potentially head off disaster.

"What we have now is ancient," he says. "And I predict that this year or next year, this model is going to implode."

Bell, meanwhile, says it's true that malware is getting more sophisticated and that the anti-virus industry is basically reactionary. All the same, he's inclined to give credit to AVERT and its like.

"No, they can't keep up," he says. "But what more can they do? Imagine trying to figure out every kind of bad behavior possible--before it happens. You can't get mad at the cops because they come to your house after someone breaks in."

AVERT's specialists, naturally, defend their work.

"Even with the heightened activity, we've still managed quick response times," says Schmugar. He acknowledges, though, that his team doesn't have all the firepower it might one day need.

"If the workload increased significantly, we'd need more staff, hardware and bandwidth," Schmugar says. "We've seen things that have come very close to being worse than they turned out to be. MyDoom could have been that."

Kouznetsov says he worries less about a paperback-thriller super-virus and more about malicious code's evolution.

"Telephones, entertainment--all of this is converging into the kind of networked environment we've seen with computers for years," he says. "So you get that complexity in these other systems--guess what? You will have more vulnerabilities."

In other words, no one at AVERT is predicting victory.

"We are dealing with human nature, good and bad," says Kouznetsov. "It is not a war between man and machine. These viruses don't just generate themselves. It is a war between humans, using machines."

Schmugar chooses a different metaphor.

"We keep coming up with better antidotes," he says. "And they keep building more potent poisons."

A Viral Glossary

A few anti-hacker terms, explained.

29A Labs A European virus writers group, one of the world's most high-profile. Its website is www.29a.host.sk. A Czech hacker using the screen name "Benny" often acts as a de facto spokesman for the group; Benny did not respond to emailed questions for this article.

Alerts AVERT issues alerts to customers and other researchers when new viruses are discovered, rating them according to the danger they pose to users. Threat levels in AVERT's system range from Low- to High-Outbreak.

Attacks Some viruses, like MyDoom, launch "denial of service" attacks against selected Internet sites. The viruses cause infected computers to attempt to access sites simultaneously, in hopes of flooding the dataports connecting the target to the Web. MyDoom's attack forced the software company SCO to change its site's address.

Compression Virus writers often use compression programs--"packers"--to shrink and scramble their code.

Encryption A coding mechanism that prevents a program's code from being read; virus writers often use it to thwart anti-virus researchers. Polymorphic encryption changes with each new generation of a virus, so the code effectively mutates over time.
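The two glossary entries above (Compression and Encryption) describe why a packed or encrypted virus body frustrates signature matching: each generation looks like different bytes even though the same program sits underneath. The following is an added example, not code from the article or from AVERT, showing the two checks a researcher would run on such a sample: a Shannon-entropy measurement that flags scrambled bytes, and a byte-window comparison that shows two polymorphic generations share no signature until the encryption layer is removed. The payload, the keys and the XOR keystream (built from SHA-256 as a stand-in for a virus's own decryptor loop) are all constructed for this example and are not a real cipher or real malware.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic a triage tool applies to a file section: near-maximal entropy
    suggests a packed or encrypted body rather than plain machine code or text."""
    return shannon_entropy(data) >= threshold


def keystream(key: bytes, length: int) -> bytes:
    # Constructed toy keystream (SHA-256 counter chain); stands in for the
    # per-generation key a polymorphic virus would use. Not a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(data: bytes, key: bytes) -> bytes:
    """Apply (or, with the same key, strip) one XOR encryption layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def shares_signature(a: bytes, b: bytes, window: int = 8) -> bool:
    """True if any `window`-byte run of `a` also appears in `b`, i.e. a fixed
    byte signature drawn from one sample would also match the other."""
    windows_a = {a[i:i + window] for i in range(len(a) - window + 1)}
    return any(b[i:i + window] in windows_a for i in range(len(b) - window + 1))


# Constructed stand-in for an unpacked virus body: repetitive, text-like bytes.
PLAIN_PAYLOAD = b"MOV EAX, 1\nPUSH EBX\nCALL send_mail\nLOOP top\n" * 20


def make_generations(keys):
    """Wrap the same body in one encryption layer per key: the 'polymorphic'
    generations a researcher receives as separate samples."""
    return [xor_layer(PLAIN_PAYLOAD, k) for k in keys]


def triage(sample: bytes, key: bytes) -> dict:
    """What the analyst learns before and after peeling the layer off."""
    inner = xor_layer(sample, key)
    return {
        "outer_entropy": round(shannon_entropy(sample), 2),
        "outer_flagged": flag_packed(sample),
        "inner_entropy": round(shannon_entropy(inner), 2),
        "inner_flagged": flag_packed(inner),
    }


if __name__ == "__main__":
    gen_a, gen_b = make_generations([b"key-gen-a", b"key-gen-b"])
    print("plain body entropy:", round(shannon_entropy(PLAIN_PAYLOAD), 2))
    print("generations share an 8-byte signature:", shares_signature(gen_a, gen_b))
    print("after stripping the layer:",
          shares_signature(xor_layer(gen_a, b"key-gen-a"), xor_layer(gen_b, b"key-gen-b")))
    print(triage(gen_a, b"key-gen-a"))
```

Run as a script, the two generations are flagged as packed, share no byte signature with each other, and become identical (and low-entropy) once each layer is stripped with its own key. That is the asymmetry the article's researchers work against: the entropy check tells a lab a sample is hiding something, but a usable detection has to be written against what is underneath the layer, which is why every new variant sends them back to the unpacking step.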

Malware A contraction of "malicious software," this is a catch-all term for viruses, worms, trojans, spyware and other evil-doing programs--all of which fall within AVERT's jurisdiction.

Virus A program that attaches new copies of itself to other programs. The term is also used as a synonym for malware.

Trojan A program that looks useful, but is actually malicious.

Spyware A program that embeds itself in a machine to monitor the computer and Web habits of its user. Not all spyware is considered malicious--the "cookie," which gathers data on users' online activity, is widely used in e-commerce--but some is used to disrupt Web-browsing or steal proprietary information.

Variants Often, as soon as a virus is figured out, virus writers will alter its code to produce a new "variant." --ZD

Avert Labs www.avertlabs.com

For a lively account of how the Slammer virus spread, see "Slammed!: An inside view of the worm that crashed the Internet in 15 minutes," by Paul Boutin in the July 2003 issue of Wired: www.wired.com/wired/archive/11.07/slammer.html.

The price structure for most anti-virus software is determined by how many licenses a customer buys. Network Associates' McAfee Active Virus Defense Suite sells for as much as $88.85 apiece for between five and 10 licenses, or as little as $29.32 each for more than 10,000.

Virus Bulletin's website is www.virusbtn.com.

Stock analyst Rob Owens of the Portland firm Pacific Crest Securities says Network Associates is second to top anti-virus company Symantec, which also has facilities--though not an anti-virus lab--in Oregon. Owens says Network Associates is fighting to gain market share. "They're definitely riding the virus wave," he says.

Journalist Clive Thompson tracked down members of 29A and other virus-writing groups for a Feb. 8 New York Times Magazine article, "The Virus Underground."

Portland State University's computer-science department offers one upper-division class on malware and its detection. The course's textbook is The Giant Black Book of Computer Viruses, Second Edition, by Mark Ludwig.

WWeek 2015
