How viruses become epidemic
The person or persons who wrote the Hare virus did a lousy job in designing a program, but knew how to spread it far and fast: newsgroups.
"When he posted to those newsgroups, he was hoping to get significant number of people to download and run it without thinking too much," said Dave Chess, a research staff member at IBM's T.J. Watson Research Center. "He would try to put it somewhere where as many people would get it as possible."
While it's too early to say whether distributing viruses specifically through newsgroups is a trend, antivirus experts agree that the Internet as a whole has created a vast, new venue where viruses can be spread widely and anonymously. With millions of people using the Net every day, these experts warn network managers to be especially vigilant when giving full Internet access to all employees.
As one way to ensure that planted viruses will spread, virus writers target red-light newsgroups. The Hare virus writer, for example, sought groups like alt.cracks, where hackers distribute illegal copies of "cracked" programs, and alt.sex, where pornographic pictures as well as programs that allow those pictures to be viewed are distributed.
That way, when people pick up the communicable electronic diseases by downloading and then opening programs, they would be less likely to report them or do anything else about the viruses because they'd have to admit which groups they had perused.
"Some of the people who find out they have a virus don't go telling their friends because they're forced to admit they've been doing these things which are unethical," said Jimmy Kuo, director of antivirus research for McAfee. "We refer to it as social engineering."
Or, as Wolfgang Stiller with Stiller Research suggests, perhaps the virus author had a vendetta against those newsgroups because he disapproved of the content. It's happened before. "At least in some cases, from what I've heard, the motivation for targeting alt.cracks or alt.sex is that they don't like what's going on in the newsgroup and it's an actual attack," he said.
But most likely, the designer of the buggy Hare virus (named for a reference to Hare Krishna that appears on the screen of an infected computer) targeted the groups for one simple reason: to find unsuspecting victims.
In the past, before the Internet was so popular--say, about two years ago--virus writers uploaded their wares to electronic bulletin boards or dispersed them through program discs, Pony Express-style. But with the advent of the World Wide Web and widely-read Internet newsgroups, users have a global venue not only to plant viruses, most of which are fairly benign, but also to distribute them.
The Hare virus spread around the world quickly through newsgroups where people indiscriminately ran downloaded files. One strain of the virus at the University of Auckland in New Zealand, likely introduced by someone who downloaded it from a newsgroup, infected a server that in turn spread it to several PCs linked to the network. University officials had to shut down the entire system to disinfect it.
Luckily, experts say the Hare virus is so buggy that those infected will probably discover it before it detonates and wipes their hard drives. Still, they are quick to add that Auckland incident should serve as a clear warning to network managers of the potential vulnerabilities of their systems, especially at universities or corporations where users have full access.
"Certainly within any business, you need to make decisions about which newsgroups need to be brought into that business," said Sarah Gordon, a Security Analyst with Command Software Systems.
"Having Internet connections to every desktop is maybe not the best idea," she said. "There are a lot of vulnerabilities, and the threat can't be assessed. Anytime you open yourself up to the outside world, you don?t really know what's going to be coming at you."
Managers might consider limiting newsgroups to those relevant to the job, or at least to those where programs are not exchanged as a practice, Gordon suggested. Most newsgroups feature the exchange of words and ideas, not programs.
As always, the rules for downloading programs are the same as they have been for exchanging programs with friends. "Generally, you don't execute binaries from unknown places," Gordon said. "That's always been a sensible practice. The Internet has just magnified the problem."
It has also magnified something else: Viruses, generally thought of as the graffiti of the computer world because of the messages, political, and otherwise, that they often contain are easily and unknowingly distributed through the Net. "There are systems that allow viruses to be freely distributed to anyone who wants them to play with them," Gordon said.
Stiller added that he and others "are constantly trying to shut them down." In many cases, though, that serves only to encourage them to move to other sites.
In earlier years, people who wrote and spread viruses needed to know how to program. Today, however, most people who put them out tend to be novices who are simply running programs or changing a few lines of code.
The original programmer may have put out a fairly benign virus to get his name out, not unlike a graffiti tagger. But in the hands of novices, that benign virus can turn ugly in a hurry.
"People will play," Gordon said. "If they're not technically competent to manage the virus, they may inadvertently release it."
Related story:
New virus can be detected