Experts warn e-mail hackers could combine tactics to cause serious damage to computers worldwide
Monday, May 8th 2000, 12:00 am
By: News On 6
When the attention fades over the destructive spread of this week's "ILOVEYOU" e-mail worm virus, experts predict, the next wave of computer infections will strike with even more vengeance.
Future attacks may not require computer users to click on an e-mail attachment as ILOVEYOU did, said Vinnie Gullotto, vice president of McAfee's Avert virus-research center. Simply previewing a message will start the havoc, he said.
"I think, while this week's virus was pretty bad, it's not as destructive as it could be," he said Friday. "The next one could put companies out of commission for a couple of days or more. It would be almost like a natural disaster."
ZDTV's Leo Laporte, host of a popular technology television program and a knowledgeable computer programmer, predicted Thursday: "Within four months, we're going to get the Big One. I think it's just a matter of time."
The reasons for the dire prognostications center on three factors:
the vulnerability of Microsoft systems as they are traditionally installed in major corporate systems.
the proliferation of cut-and-paste malicious programming tools on the Internet.
the speed at which the world can contaminate itself by practicing unsafe computer habits.
By most accounts, the ILOVEYOU virus was, as Mr. Laporte told his audience after analysis, "cheesy code any idiot can write."
By cutting and pasting this strain with other viruslike programs available online, any amateur virus writer can embellish the destruction.
For example, the Melissa Word 97 virus - which the U.S. government said caused more than $80 million in damage worldwide last year - served as part of the ILOVEYOU construction.
The most frequently predicted problem is the addition of features from Bubbleboy, the first worm that could activate itself without being opened by e-mail readers.
Like ILOVEYOU, Bubbleboy exploits a Microsoft product - Outlook Express - the most widely used e-mail program in corporate America.
But unlike ILOVEYOU, Bubbleboy could begin acting when simply previewed in Outlook Express. Users would not have to click on the attachment to set off the virus.
So this week's oft-repeated warning from technology managers, "Don't click on attachments!" won't save systems from infection.
And, given the recent success of schemes using "distributed denial of service" attacks that shut down Yahoo and other Internet mega-sites earlier this year, it is reasonable to expect that some combination of denial-of-service programming, Bubbleboy and the ILOVEYOU virus will arrive, Mr. Gullotto said.
Distributed-denial-of-service attacks convert infected machines into "zombies" that, often unknown to users, can be directed by malicious hackers to blanket or "ping" Web sites with requests for information.
Those requests can cripple unprepared commercial computer servers, shutting down operations for hours or days, depending on the number of zombies employed.
"Whoever did this [ILOVEYOU] one could have made it a lot worse," Mr. Gullotto said. "He could have had the virus do all those things. And imagine if all those computers Thursday had started pinging Amazon and Yahoo.
"They would have been dead - dead in the water."
Limited defense
Richard Jacobs, president of the Sophos anti-virus software company, said: "In terms of the mechanism to spread rapidly, this one broke a lot of records. I guess you could say we were lucky because it wasn't set to do a lot of damage to the PCs it infected."
That will change, he predicted.
As was amply demonstrated by the head-spinning speed with which the most recent virus struck the world, anti-virus scanning programs are not capable of thwarting attacks by themselves.
"We can stop it outside to a certain extent," Mr. Gullotto said. "If we can catch it at the border or the gateway, we have a chance. But there are always going to be things that get through."
In most cases, corporate systems already had received ILOVEYOU messages, accepting the tainted mail and depositing it in users' inboxes by the time American workers arrived Thursday morning.
Even with anti-virus software running on every user's PC, the infection would have spread with the first person to click on the worm's attachment, which is a Microsoft Visual Basic script. Patches to catch the payload had to be prepared by anti-virus companies.
Most users had not been warned to update their virus scanners by Thursday morning. But when the warnings were finally sounded, many anti-virus Web sites became swamped by requests for updates, rendering them unreachable.
"We're just part of the solution," said Mr. Jacobs of Sophos. "I mean, just because you're wearing a seat belt doesn't mean you can drive into a brick wall at 50 miles an hour and walk away from it."
Risky decisions
Too often, corporations have relied on virus scans exclusively, Mr. Gullotto said. Corporations have chosen to risk downtime caused by infections rather than instituting stricter screening of incoming e-mail and hiring more technicians, experts said.
"When Melissa hit last year, many companies had people standing at doors as workers arrived, handing out fliers that said, 'Don't open any e-mail attachments!' " Mr. Gullotto said. "With this one, everybody was behind from the start."
Many users and pundits have blamed Microsoft for the exploitable features of its operating systems, MS Word, Internet Explorer 5 and e-mail programs.
For example, Mr. Laporte said he will no longer use e-mail programs that automatically open Word documents or Web pages. Without the presence of a feature called Windows Scripting Host, Visual Basic scripts such as ILOVEYOU cannot run, experts pointed out. But Windows Scripting Host allows automation of many tasks that corporations and home users have embraced as valuable time-savers.
Opening Web, Word and other documents within the e-mail program, for example, is one of the features made possible with Windows Scripting Host.
"I tell people, 'Look, there's a certain amount of blame Microsoft should take,' " Mr. Gullotto said. "But the same customers who were infected are the same ones who asked for those features to begin with."
Still, Windows Scripting Host and other features with known vulnerabilities to malicious exploits can be disabled on a department-by-department basis, he said.
"The people in accounting may need [some of those features], but most don't," Mr. Gullotto said. "It requires a bit of social engineering."
Systemwide problems
Those exploitable features of Microsoft products are usually enabled by default, leading to their widespread installation across entire corporations.
"It's just the way they come packaged from Microsoft and other vendors," Mr. Jacobs said. "There is always a balance between convenience and security, and until we all turn to software vendors and say, 'We want security,' we're not going to get it."
No matter the safeguards, disgruntled employees will always click on attachments to create trouble, experts said. And the virus writers and patchers will continue their activities around the world, building stronger and more complex tools of disruption.
"There are too many people doing it, and it's far too uncoordinated," Mr. Jacobs said. "You can't stop these people from playing with this stuff. That's what they think they're doing."
As the world grows closer with the Internet, corporations and individuals will have to pull together to stop the practices that allow viruses and other maladies to infect computers everywhere, experts said.
Mr. Gullotto said, "We drink responsibly; let's get on the network and practice network responsibility."
That, he said, may be the only thing that can save the Internet from the Big One.