It's a paradox that has engaged the software industry ever since the Witty worm reared its ugly head. The dilemma began when a security loophole was discovered in the BlackIce firewall software, a product of the US company ISS. The company offered its customers a patch program to close the loophole. But by announcing the patch and thereby drawing attention to the loophole, the manufacturer only made things worse, allowing the virus to attack again before all customers had managed to install the patch.
Well after midnight one Friday night, when most American computer users were fast asleep, Witty crept from computer to computer, infecting more than 10,000 devices through a weak point in the vulnerable virus protection software.
The epidemic subsided again after a few hours, but not because the loophole had suddenly been closed. The problem was that the Witty worm was too aggressive, crashing thousands of its host computers by erasing parts of their hard drives.
This incident took place on March 20, 2004, but it went almost unnoticed by the press. When compared with the "I Love You" virus, which infected several million computers in 2000, Witty seemed hardly worth mentioning.
Infecting the anti-virus programs
Many experts thought that it could have been worse. And they were right. It did get worse.
Witty's progeny, as it turns out, could be even more dangerous. The computer worm was only the first of a flood of a new kind of virus program -- and they are potentially devastating because they target the very programs that are meant to offer protection to computer users. Even backup programs, which are designed to minimize data loss, are targeted by the new viruses.
Just last week, it was discovered that software manufactured by Panda contained a security loophole. It was discovered when a virus took advantage of the blind spot to crash third-party computers. But as serious as it sounds, this type of attack is comparatively harmless. The most dangerous worms are those that enter computers surreptitiously and then, unnoticed, record every keystroke and search for passwords.
Computer Associates, F-Secure, Kaspersky, Symantec -- a number of established manufacturers of security software have now been forced to admit that their programs contain weak points. The companies affected by this problem have sought to patch their loopholes as inconspicuously as possible, but they have also sought to downplay the problem in the first place. "Most of these threats are purely hypothetical," says Mikko Hyppönen, a virus specialist with Finnish security firm F-Secure. But not everyone agrees and, indeed, the industry's failure to deal with the problem effectively has become a hotly debated topic among industry insiders.
Virus protection programs are especially appealing targets for hackers. "Anyone who wants to make a name for himself in the hacker world isn't going to spend time looking for the 1,000th loophole in Windows," says Andrew Jaquith, an analyst with the Boston-based Yankee Group consulting firm. "Attacking a virus scanner directly is considered much cooler."
The increased security in Microsoft products is an indirect consequence of the Witty worm. "Although Windows products are still at the greatest risk," says Jaquith, "abuse has become more difficult."
Rohit Dhamankar of security firm Tipping Point warns of a new risk -- that the Witty wave could encourage copycats. "Any beginner can build a new virus using kits that are openly available." Indeed, the Witty worm's program code is practically custom-made for reuse. The name Witty refers to a message hidden in the program code: "Insert witty message here." It's a challenge to hackers to simply reuse the code and insert their own witty message, almost as if the killer worm were nothing but an innocuous electronic postcard.
But the main reasons behind this new vulnerability do not lie with hackers themselves, but rather with an industry that stubbornly refuses to grow up. For years, more than a dozen manufacturers have been fighting tooth and nail for a slice of the highly competitive business. The upshot is that there is no uniform system for naming viruses to this day.
"The industry is now under tremendous time pressure, with practically every manufacturer offering new updates on a daily basis, leaving little time to actually test the software," says Andreas Marx, a computer security consultant from the eastern German city of Magdeburg. Besides, the security packages are constantly being expanded to include new functions, often using defective components sourced from third-party suppliers. As a result, the supposed patches sometimes contain loopholes of their own.
Most computer users are still blissfully unaware of the problem, often paying more than €40 for their protective software, oblivious to the fact that their virus protection could suddenly become highly infectious itself.
What should customers do? "The worst reaction would be to panic and do without virus protection altogether," advises Andreas Marx. "After all, where in life do you get absolute security?"