by Robert Vibert © May, 2000
On May 4th, the first of the LoveLetter computer virus family appeared. Within days, computer e-mail systems at organizations large and small around the world had become overloaded and subsequently shut down, administrators had applied updates to their Anti-Virus software to get their computer systems operational again, the process of cleaning infected systems was started and draconian measures were taken to stem the tide of new variants of LoveLetter. All of this activity has been estimated to have cost anywhere from 6 to 10 billion dollars, mainly in lost productivity and cleanup efforts.
Two weeks later, another variant of the virus, NewLove, appeared with the potential to cause even more damage. By this time, as many as 30 variants of LoveLetter had been identified. Only one conclusion can be reached as we examine the fallout from this ongoing event – the traditional approach employed for dealing with computer viruses is reactive, expensive, and does not solve the virus problem, but rather focuses on the symptoms.
In the days following the outbreak of the LoveLetter virus, fingers were pointed in various directions, as scapegoats were sought out, with Microsoft being one of the most commonly targeted. At the same time, pundits spouted off with cures for the problem, often involving improvements to User Education. Tempting as it is to deal with the symptoms, one must attack the problem itself. If we examine the fundamentals of the problem, we discover that:
- computer viruses have been a constant source of problems for almost ten years, with a growing frequency of incidents in the past three,
- the majority of the computer world is using Microsoft software products, which have grown more and more integrated and “user/programmer friendly”,
- these same features in Microsoft products are often exploited by virus authors,
- the Internet has made obsolete many of the old models for the rate and range of spread of viruses,
- the existing response model for viruses is based upon identifying each new virus and variant after it appears and has an impact, however small,
- the rules of what is safe and what is not keep changing as new virus threats develop, and
- this reactive approach provides remedies, but only after a virus has had the opportunity to cause damage.
What worked in the past
Until about March of 1999, the reactive approach to computer viruses could be said to more or less work. Then, Melissa struck and the cost of dealing with a single virus soared to new heights. As with LoveLetter, the estimates for costs must be viewed with a critical eye, but Melissa is considered responsible for $80 million US in damages. The response from Anti-Virus developers has been to offer more of the same that they had been selling for years:
- “auto-immune systems” which are to respond quickly to new viruses,
- more frequent incremental updates to the virus detection databases,
- attachment blocking at Internet Firewalls, and
- heuristic detection of previously unknown viruses.
When the mad rush to obtain fixes for the Melissa virus was over, several Anti-Virus developers publicized their efforts during the disaster, claiming that they were very fast in responding. The obvious fact that it was a purely reactive response was not mentioned. Some Anti-Virus firms also touted the improvements they made to their web servers – an increase in capacity designed to support the load of thousands of users simultaneously downloading updates to their Anti-Virus software. This was undoubtedly a reaction to stories in the press about how even the Anti-Virus firms were swamped by Melissa – a somewhat bitter consolation for the customers still suffering the effects of the virus.
Shortly after the dust of Melissa had settled, comments were made by security specialists about how easily the Microsoft Outlook e-mail program was exploited, and how we needed to learn the lessons the Melissa episode taught. Others pointed out that the ShareFun virus, released two years earlier in February 1997, had demonstrated the principles embodied in Melissa.
So, what went wrong with LoveLetter?
If you are in the business of selling Anti-Virus products, you could be forgiven for thinking that nothing went wrong. After all, the scenario unfolded as usual: a new virus was discovered, your technicians updated your product’s database of viruses and thousands or millions of people obtained the updates. No news here, right? For the organizations who have purchased Anti-Virus software in the belief that it would protect them from viruses, obviously something did go dramatically wrong as:
- most Anti-Virus heuristics failed to detect LoveLetter, despite the similarities it has to the year-old Melissa virus,
- the web servers of numerous Anti-Virus companies were completely swamped, preventing many users from downloading the virus database updates in a timely fashion or even from obtaining information about the threat,
- the “Auto-Immune” systems were nowhere to be seen,
- new versions of the incremental updates were so frequent that one had to download them repeatedly, as each new variant of LoveLetter appeared,
- some incremental updates were over 2MB in size, which effectively contradicted the whole philosophy behind them (small size, efficient to obtain and distribute),
- many users were not informed that early versions of some updates were ineffective, leaving their systems susceptible to infection when they thought they were protected,
- the phone lines to Anti-Virus vendors were jammed by the high volume of calls,
- one Anti-Virus developer actually, accidentally, sent the virus out to its reseller network for several hours, and
- most importantly, handling this virus incident cost a lot of money.
From a customer’s perspective, LoveLetter has been a very expensive lesson in the failure of reactive Anti-Virus technology. As the classical Anti-Virus approach is almost entirely centred around developing a riposte to each virus, it requires that
- the virus can be diagnosed and a cure developed quickly,
- the cure can be sent to the infected parties as soon as possible,
- the infrastructure for delivering the cure functions properly, and
- the customer is able to distribute the cure internally in an efficient and timely manner.
With LoveLetter, the weaknesses inherent in this reactive approach were exposed, again. It is apparent that the lessons that should have been learnt from previous virus incidents have not been. As was the case with the Melissa virus, organizations scrambled to fix the problem after it appeared and swamped their e-mail servers. This was in fact the biggest impact of the virus – overwhelmed e-mail servers suffering from excessive traffic. The same thing happened with Melissa – why were so few organizations ready for this repeat performance?
The popular approach to resolving the Anti-Virus problem is not working, as it continues to focus on reacting to the symptoms.
Finger-pointing and Simplistic Cures
Unfortunately, in every crisis there is a tendency to seek out scapegoats or propose overly-simplistic fixes. Strong editorials have been written, holding Microsoft or the Anti-Virus developers as solely responsible. Microsoft has reacted to the increasing level of criticism by announcing a draconian update to the Outlook e-mail program which might or might not close some of the security holes exploited by viruses. However, response to the update has been mixed, as it appears to overcompensate. Anti-Virus vendors have been called to testify in front of government bodies, and been forced to defend their approach as being the one desired by Customers.
There are also those who will promote a single approach as being the answer to the problem. In the LoveLetter case, numerous participants in newsgroups and other public forums have spouted off about the need for better user education. “Users should be taught to not open suspicious attachments”, was a common battle cry, ignoring the fact that LoveLetter arrived from a known source and does not appear suspicious to the average user. Others promote a mass move away from Microsoft products to those from other manufacturers.
Who’s to blame
The truth of the matter is that there are a number of players in this tragedy and a number of pieces to the solution. The players, all of whom must share part of the responsibility for what has happened include:
- users in organizations who take the approach of total ignorance, blindly opening any e-mail attachment and trusting that someone else will solve all their problems,
- Information Technology and Information Security managers who don’t assume full responsibility for the infrastructure they create and support, by selecting the lowest bidder and not pushing for true solutions to problems such as computer viruses,
- Upper Management at organizations who give only token attention to security and shortchange the security budget in favour of the bottom line,
- Microsoft, which hides behind the defence of satisfying users, when confronted with the observation that basic security considerations are missing from many of their products,
- Anti-Virus developers, who have become too hooked on the revenue stream which comes from constant updates to their products to seriously promote alternative approaches to solving the problem.
There are no miracle cures out there, but there are a number of things that can be done to reduce the impact of virus incidents:
- Users need more training in how to use e-mail safely, but we have to be realistic about how much impact this can have.
- Safeguard limitations on the spread of viruses and their activities need to be put in place.
- Pro-active approaches to the virus problem and other threats need to be taken by both Anti-Virus vendors and user organizations.
- Technologies in addition to the classical “detect known viruses” approach need to be enhanced and employed where appropriate.
- Response systems need to be robust and functional – currently they fail on every crisis.
If there is a single lesson to be learnt from all of this, it is that the Anti-Virus approach so heavily promoted by Anti-Virus vendors and practised by their Customers is inadequate to the job before it. Unless a more comprehensive, pro-active response is adopted, this scenario will repeat itself time and again, with increasing costs.