Nepali Times
Technology
The worm that won’t die


MICHELLE DELIO


Unlike most of its headline-grabbing predecessors, the SirCam virus that hit us in July was not a transient threat. Almost four months after it was first spotted, the virus and deadlier variants are still pouring into e-mail inboxes. Most viruses peak and then rapidly fade away two or three days after their Internet debuts. But so far, SirCam has been more like a monsoon than a squall. Lists by antiviral companies that track virus infections have SirCam topping the all-time active threat lists by a huge margin. So, either SirCam is one incredibly pervasive and persuasive virus, or its much-heralded predecessors didn't have a huge effect on most e-mail users.

Rob Rosenberger of vMyths, a virus hoax site, argues that most "red alert" viruses are really just tempests in a teacup, dubbing them "Hystericanes" that do little damage to few users and fade fast. Impact statistics for the best-known viruses seem to confirm Rosenberger's theory. Melissa, which spread across networks in March 1999, only reached fifth place on antiviral company Sophos' list that month, with a mere 6 percent of all reported infections. "VBS/LoveLet," better known as the Love Bug, came in first place when it debuted in May 2000, but claimed only 36 percent of all reported infections. That record was barely topped by AnnaK in February 2001, with 38.2 percent of all reported infections. Variants of all three of these viruses occasionally turn up, but the originals sputtered out after only a few days of running wild.

SirCam's infection rate is far greater than that of its predecessors and, although infections seem to have slowed somewhat last month, suddenly in the last week, new and more potent variants have surfaced. And experts say it will continue to spread until computer users develop a healthy scepticism of any and all e-mail attachments, no matter who sent them, how legitimate they look, or how tempting the contents of those attachments promise to be. "Viruses like LoveBug and Kournikova all had the same subject line, body text, and attachment name," Shipp said. "So they were easily spotted and all turned out to be one-day wonders, fading out within 48 hours of being identified. But viruses like SirCam, Magistr and Hybris change their identity and all these viruses have been very long-lived in comparison to the one-day wonders."

Hybris, first spotted in October 2000, was still rated as the third most active virus on Sophos' summer list, with 4.1 percent of all reported infections. It often cops a top spot on virus threat lists, but infection rates have continued to diminish significantly since last October. Hybris updates itself by downloading little pieces of code that allow it to perform new, malicious actions. But so far, the text of an infected e-mail always refers to Snow White and the Seven Dwarves, which makes it easier for computer users to identify than Magistr.
Magistr has appeared in the top five of most antivirus companies' lists since it was first spotted in March, and has maintained a steady rate of infection. SirCam is similar to Magistr. Both create the subject, body and attachment text of their infectious e-mail attachments from files on an infected computer. Magistr sometimes includes random file attachments from its victims with the infected e-mail; SirCam always includes a file plucked from the infected machine. And like SirCam, Magistr has its own e-mail engine that allows it to connect directly to a mail server. But Magistr trashes infected computers, which has limited its ability to spread widely. It's hard to transfer a virus when the computer that harbours it is unusable.

Dr Wise Young, recently honoured by Time magazine as one of America's best scientists, said SirCam and Magistr have many of the same features as biological viruses and bacteria. "A virus cannot reproduce by itself. It must do so with host cells because it contains little or no machinery for protein synthesis," Young said. "In contrast, a bacterium is a unicellular organism that contains its own machinery for reproduction. A biological worm such as a tapeworm or a liver fluke is a multicellular organism that not only contains its own machinery for reproduction but has many multiple cells that perform specialised functions."

Computer viruses are malicious programs that spread only through physical actions such as clicking on an e-mail attachment or sharing an infected diskette. In this respect, they are similar to biological viruses. A computer worm-malicious code that can automatically replicate itself over networks-is biologically similar to bacteria, which is capable of reproducing without any outside help. Technically, both Magistr and SirCam are worms as well as viruses. Both require an action-clicking on an infected attachment-to be activated, but once activated they are capable of replicating themselves.

"SirCam packs a double punch with its viral ability to appeal to humans' \'curiosity' cell, and its bacteria-like ability to self-replicate," Young, the head of high-tech WM Keck Center for Collaborative Neuroscience, said. "So there is a good chance that SirCam may be with us for a long time." Inboxes filled with messages asking for advice have already become the norm for those hit hardest by SirCam- anyone whose e-mail address appears on a website. Each time the user of an infected computer boots up a program on that machine, SirCam infects a randomly selected document from the My Documents folder and attaches the document to an e-mail. It then sends that e-mail to randomly selected names gathered from an infected computer's e-mail address book and Internet cache files, which contain copies of recently visited websites.

The virus-laden attachments can be safely pried open by the tech-savvy, so some SirCam victims have been turned into unwilling exhibitionists, flashing their private parts to nosy nerds around the world. Some people who have been reading the attachments speak almost fondly of their new plague-ridden "friends," saying they feel they have come to know them by peeking into their private documents. "Yes, I read all the attachments," said Terry Anders, a freelance technical researcher. "There's Enrique, he's looking for a job and is getting desperate. I keep getting new \'upgraded' versions of his resume and cover letters. Maria is in human resources and is struggling hard to keep a large corporation happy. Gerald is an immigration lawyer with a heavy caseload and a short temper, he sends sarcastic memos to his staff. And Thomas is an accountant with a wicked porn collection."

Anders and others who are reading the attachments said they first attempted to alert the senders of SirCam-infested e-mails that they had been infected. But the alert e-mails often were returned with error messages indicating that the infected user's return address was incorrect. SirCam's built-in e-mail program can spoof addresses. And so, when the e-mailed attachments just kept coming, some people started reading them. "SirCam has been like a sleazy soap opera for geeks, so I'll be sorry to see it fade away," Anders said. "But it's got to suck for all the people who suddenly realise that their little secrets have been providing mad amusement for techies around the world." (Wired)



LATEST ISSUE
638
(11 JAN 2013 - 17 JAN 2013)


ADVERTISEMENT



himalkhabar.com            

NEPALI TIMES IS A PUBLICATION OF HIMALMEDIA PRIVATE LIMITED | ABOUT US | ADVERTISE | SUBSCRIPTION | PRIVACY POLICY | TERMS OF USE | CONTACT