Security gates held open for "Love" virus, mutants

A familiar computer virus hits corporations in Europe and the United States, underscoring a bitter reality for computer security: Despite ample warning and defenses, old viruses never die.

Paul Festa Staff Writer, CNET News.com

This week's attack involved a password-stealing variation of the notorious "I Love You" virus, which earlier this year crippled corporate computer systems across the globe. Three months after the initial outbreak, patches abound for the virus and its mutants--including the present example.

The problem is getting people and corporations to implement protective measures, according to antivirus software dealers, analysts and Microsoft--whose software the virus exploits.

"This is not just a technical problem but a social one," said Matt Bishop, associate professor of computer science at the University of California at Davis. "If people did download patches and use antivirus software, it would substantially reduce the danger of recurrences."

Dan Schrader, a consultant to antivirus software dealer Trend Micro, characterized the problem more bluntly.

"Any security solution that relies on the end user to engage in safe computing practices is doomed to fail," Schrader said.

One month after May's disastrous Love bug outbreak--which caused damage in the billions of dollars and infected 45 million computers, by some estimates--Microsoft released a patch for its vulnerable Outlook productivity software. That patch would have been effective against the latest Love mutation, according to Microsoft and antivirus companies.

Companies that remain vulnerable to the virus despite the availability of protection may be more the rule than the exception. Software dealers incorporate security patches into new products, and most computer users appear to get their security patches that way--even if they upgrade months or years after patches are offered.

Schrader estimated that fewer than 5 percent of software consumers installed standalone security patches.

Exacerbating the problem, many consumers never get antivirus software running even though the software comes pre-loaded with some computers. In addition, some computer users disable antivirus software with the hope of speeding PC performance.

As a result, viruses that might otherwise be eradicated enjoy long careers on the Internet. These include the destructive "CIH," or "Chernobyl," virus, which has been revived yearly since its introduction in 1997, and the "Form A" virus, which has been around since the early '90s, according to Schrader.

"CIH came out three years ago and got a lot of press," Schrader said. "If the virus succeeds, and it does about 10 percent of time, your computer becomes a boat anchor."

CIH attempts to destroy the Flash BIOS, or Basic Input-Output System, low-level software that tells the computer how to interpret commands from the keyboard and other devices. The virus destroyed hundreds of thousands of computers overseas, particularly in Asia, and tens of thousands in the United States, Schrader said.

Another human element contributing to the longevity of certain viruses is the tendency of virus writers to craft and launch mutations that enjoy widespread success on their debuts in the wild.

The Love bug was particularly attractive to virus writers because it was composed in Microsoft's relatively simple VBScript, or Visual Basic scripting language.

Some security analysts say the blame for chronic virus problems rests mostly on the complex architecture of operating systems and applications written for them.

"It sounds good to blame the end user, especially if you're an antivirus vendor," said Gary McGraw, vice president of corporate technology at Reliable Software Technologies. "They're right in some respects, but if you're going to really address the problem, you're going to have to make the software we use way, way better than it is.

"The software should be designed right in the first place. Otherwise it's a constant game of catch-up, an arms race with the virus writers. And we're just going to lose that."