
In cyberspace, a dark alliance

(Page 2 of 2)




Not only are attacks more frequent and malicious, they're more skillful too. Some viruses are "sleepers" that quietly embed themselves in a computer system for months before starting up, Pironti says. That way they become copied onto the backup version of the operating system, making them very difficult to root out. Once activated, they can also "phone home" to get new instructions.

The speed of virus attacks and the skill of the virusmakers today require new defense strategies, says Professor Savage, who is also the project director of the Center for Internet Epidemiology and Defenses. The virus-fighting initiative, funded by a $6.2 million grant from the National Science Foundation, officially begins this month.

Fast virus, slow response

Even top-notch computer scientists may take hours to design a "patch" to stop a virus, a response time that's far too slow, Savage says. The Slammer worm, for example, doubled in size every 8.5 seconds and spread around the world within 10 minutes. "At these kinds of speeds, any solution that involves a human in the loop, which is our state of the practice today, isn't going to fly," he says.

Savage and his partner, Vern Paxson at the International Computer Science Institute in Berkeley, Calif., have set two goals for their center: One is to understand better how worms and viruses spread, accumulating minute detail on their limitations and characteristics. They also want to better predict how fast a virus will spread and how destructive it will be.

Using that knowledge, they hope to build fully automated defenses "that take whole classes of attacks off the playing field, as opposed to addressing one particular attack that happened last week," he says. Right now, "it's like you're constantly trying to come up with a flu vaccine, but a new version [of flu] is coming out every day."

He and Dr. Paxson have been working on concepts such as "content sifting" and "scan detection," ways of identifying "very untypical behavior" of computers - such as suddenly contacting thousands of other computers - before an actual virus is discovered. They've been able to detect signs that a virus was at work 12 hours before the virus was found. Their aim is to identify a new class of worms or viruses and devise a way to block it in less than a minute.

Disruptive by design

While thinking of these Internet-borne attacks as "viruses" is a helpful model, it isn't perfect, Savage points out. A computer virus is used by people who, like bioterrorists, have a malicious intent. It's not a random act of nature, he says.

Virusmakers also monitor online discussions about new defense techniques to learn how to get around them. Savage says he doesn't want to release information that can help attackers, but in the end, sharing information among colleagues will build the strongest defenses. "We're not going to be keeping all this stuff secret," he says.

While all attacks may never be stopped, he says he'll be satisfied if he can limit them to those from only a few really talented, if malevolent, people. "A 12-year-old shouldn't be able to take down the Internet," he says.

Growing danger of spam

Not only is the stream of junk e-mail, or spam, rising, but an increasing share of the messages contain viruses, security firms warn. Among their findings:

• Nearly two-thirds - 63.5 percent - of e-mail in the first half of this year was spam, according to one analysis. That's up from 37.9 percent in 2003 and 1.5 percent in 2002.

• In January, 1 out of every 129 of those e-mails contained a virus; by June, 1 in 10 had one.

• The most common virus found in e-mail was the Netsky.P worm, which accounted for 28.4 percent of all viruses discovered in August.

• US sites originated 42 percent of August's spam, followed by South Korea and China (14 percent) and Brazil (4 percent).

Sources: MessageLabs, Postini
