If you're having trouble viewing your favorite sites
on the Internet, you're not alone. Within the last two months, we've experienced the return of the MyDoom virus as well as attacks--not on popular Web sites themselves, but on the secondary sites that power them. These two facts are related. What started as local gangs tagging and shutting down rivals has matured into a more sophisticated game that's targeting the interdependencies of the Internet itself.
Tag, you're it
Years ago, young hackers aligned themselves into gangs that prided themselves in shutting down rival sites. They did so by writing quick-and-dirty viruses that compromised as many innocent computers as possible with remote backdoor Trojan horses--much like a street gang tagging a site. If the red gang put a Trojan on your computer, then your computer was owned by the red gang. The blue gang could come along and retag your computer, but that was unlikely.
What started as local gangs tagging and shutting down rivals has matured into a more sophisticated game that's targeting the interdependencies of the Internet itself.
The game, back then, was simple: If the red army was bigger, it could cause a denial-of-service attack on the blue army's server, shutting down the rival gang. Something like that happened in December 2001
, when four Israeli youths were arrested for creating the Goner virus, which existed mainly to attack a rival gang. When you're talking a few hundred PCs, this "war" seems trivial.
Sobig changed things
But over time, these armies of red and blue grew more sophisticated. Needless to say, a person in control of a thousand compromised computers--a collection called a botnet--is in a very powerful position. With a single command, those thousand machines could launch a new virus, start a distributed denial-of-service attack on a single target, or relay spam messages.
A botnet's spam-sending abilities seem to be the holy grail of criminal activity. Starting with the Sobig virus in 2003, someone, somewhere realized these botnet networks of compromised computers could be sold to spammers, who would then use the machines to relay their spam across the Internet.
But the original Sobig infected relatively few systems, so criminal hackers (crackers) went about improving it. Roughly every two to four weeks for several months, new versions of the Sobig virus continued to strike, then expire, each version reaching out to slightly more computers than the version before. By the time Sobig.f hit in August 2003, it infected more than a million PCs in a first few days. Given its success, other viruses soon followed this model; MyDoom and Netsky, in particular, were designed to create larger and larger networks of compromised computers.
Given that the Trojan horses used by these most recent viruses were created in Russia, there have been serious suggestions that the Russian mafia may be contracting with virus writers to create newer and better viruses solely to relay spam.
MyDoom goes even further. Its compromised computer networks sometimes have specific targets for denial-of-service attacks. The botnet created by MyDoom.a, for example, attacked Microsoft's Windows update site until Microsoft was forced to move it. MyDoom.b went after Microsoft and SCO Linux, successfully taking the SCO site offline for several days. At the time, many thought it was some kind of message about Linux or specifically about the lawsuits that SCO was filing against other users of Linux for copyright infringement. I suspect, even now, that the targets are arbitrary; I think that MyDoom and the others are test viruses released to find out what works and what doesn't.
I think that crackers are attempting to take down the Internet. Of
course, they won't.
The very latest version of MyDoom, MyDoom.m
, adds a new trick: it uses popular search engines to harvest all the e-mail addresses within a given domain, then e-mails itself to those addresses. Although MyDoom.m briefly disabled major search engines, I think that its real purpose was to see if it would spread further, faster. It did, until Google and other search engines figured out how to filter the queries and return to work again. MyDoom.m peaked within a day, which is rare for an e-mail virus these days, and is thus not a very important virus.
MyDoom.m and events such as the July 27, 2004, distributed denial-of-service attack that targeted DoubleClick and last month's Akamai attack make it clear, I think, that crackers are attempting to take down the Internet. Of course, they won't. The Internet links too many different types of computers and is far too robust to fail entirely.
Nonetheless, popular sites such as Microsoft, Google, Yahoo, and Apple can go dark, and I predict we'll see more attacks like this in the coming months.
What can you do? The only way to stop these Internet thugs is to make sure your own desktop isn't conscripted in their dirty little armies. Make sure your antivirus software is up-to-date, and if you haven't already done so, download a personal firewall such as ZoneAlarm. Stay on top of the latest Microsoft Windows updates as well. Then, once your PC is secure, get your friends and neighbors to secure theirs.
Got a security question? Let me hear about it!