Editor 2-Jun-02
You've Got the Klez!

Viruses, Trojans & Worms, Oh My!


The W32/Klez.H and W32/Klez.I worms were released on April 17th, 2002, using different propagation strategies. Klez.H followed the rising sun around the world as people opened their email. By the time the antivirus companies knew about it and came up with software to fight it, it was already out of control. Once infected, updating your antivirus software does little or no good. Yes, we have Removal Instructions.

In less than 30 days, Klez.H became the worst virus scourge in history. As of early June, most victims don't yet know they have been infected, and Klez continues to spread aggressively using a whole list of email strategies. Once it has infected a networked computer, it immediately infects most or all of the network.

Klez.H is also a privacy concern, because it attaches itself to documents found on the infected computer and emails them far and wide.
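A defender-side illustration of the two points above, that the worm spreads faster than antivirus updates and arrives looking like ordinary mail from people you know: this is an added example written for this page, not code from the original author or from any antivirus vendor. It sketches a mail-gateway rule that refuses executable attachment types no matter who the sender appears to be, so it needs no signature update when the next worm appears. The blocked-type list, the helper names (`suspicious_extensions`, `inspect_message`, `build_sample`) and the two sample messages are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed gateway policy for this example (not a signature for Klez or any
# other specific worm): attachment types refused no matter who the sender
# appears to be, so the rule needs no update when a new worm appears.
BLOCKED_EXTENSIONS = {"exe", "pif", "scr", "bat", "com", "vbs", "js"}
EXECUTABLE_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def suspicious_extensions(filename):
    """Return the blocked extensions found in any dotted component of the name.

    Checking every component rather than only the last one catches names such
    as 'report.doc.exe', which a client that hides known extensions shows as
    'report.doc'.
    """
    parts = filename.lower().split(".")[1:]
    return [p for p in parts if p in BLOCKED_EXTENSIONS]


def inspect_message(raw):
    """Decide whether a raw RFC 5322 message should be delivered or quarantined.

    The From header is reported but never consulted for the decision: a worm
    that mails itself from an infected machine can put any address there.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        hits = suspicious_extensions(name)
        if hits:
            reasons.append(f"attachment {name!r} has blocked extension {hits}")
        elif part.get_content_type() in EXECUTABLE_CONTENT_TYPES:
            reasons.append(f"attachment {name!r} declared as {part.get_content_type()}")
    return {
        "sender": str(msg["From"]),
        "action": "quarantine" if reasons else "deliver",
        "reasons": reasons,
    }


def build_sample(from_addr, subject, filename, payload, content_type):
    """Construct a multipart message with one attachment (test data only)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "you@example.test"
    m["Subject"] = subject
    m.set_content("Hi, please have a look at the attached file.")
    maintype, subtype = content_type.split("/", 1)
    m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed samples. The first imitates the pattern the article describes:
# a familiar-looking sender and subject, with an executable dressed as a
# document. The sender address is the same in both, which is the point.
SAMPLE_WORM = build_sample(
    "colleague@example.test", "a funny game", "game.doc.exe",
    b"MZ" + b"\x00" * 64, "application/octet-stream")
SAMPLE_CLEAN = build_sample(
    "colleague@example.test", "meeting notes", "notes.txt",
    b"Agenda for Monday\n", "text/plain")


if __name__ == "__main__":
    for label, raw in (("worm-like", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        verdict = inspect_message(raw)
        print(label, verdict["action"], verdict["reasons"])
```

The decision deliberately ignores the sender, since a worm mailing itself from an infected machine can forge any address; in practice a gateway would go further and allow only a short list of permitted attachment types rather than enumerating forbidden ones.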

The cost of Klez.H to Windows users is going to be astronomical. Once you are infected, Klez.H is difficult to detect and remove, requiring special removal software and removal techniques. There's a labor cost for disinfection, a cost for up-to-the-minute antivirus software to prevent reinfection, and a very heavy cost in lost productivity and often lost income while the whole network is shut down. Even for a very small company, that's thousands of dollars.

The cost of Klez.H to Linux, OS/2 and Macintosh users will be, once again, zero. Klez.H, as with nearly all fast moving viruses, worms and trojans, is a Microsoft problem, and only a Microsoft problem. Klez.H infects only systems running Windows 95, 98, Me, XP, NT and 2000.

The worm can spread with incredible efficiency, because it knows that every Windows computer it hits will be exactly like every other Windows computer, and offer all the same tools it can use to trash that system and go on to others. Epidemiologists call this a "monoculture", where there is no natural immunity.

Microsoft will once again give its three standard excuses: "It's the fault of dumb users opening unknown email"; "It's not our fault, it's criminal hackers"; and "If any other operating system were as popular as Windows, its problems would be just as bad."

The first is just plain stupid. First of all, modern worms like Klez.H make themselves look like normal email messages from people you know, with appropriate subject lines and contents. Further, Microsoft continues to promote its products as requiring almost no training or computer knowledge, then blames untrained users for its problems.

The second is irrelevant. There are going to be criminal hackers. If you take no measures to protect yourself against them, they will have an easy time of having their way with you. Microsoft has done next to nothing to protect its users. Running Windows is like leaving your brand new Mercedes overnight on a New York City side street, unlocked.

The third is an outright fabrication. Only Windows allows arbitrary programs to run automatically with full system privileges and without user permission. Only Microsoft provides all the tools necessary for efficient virus propagation as built-in parts of their system. Only Microsoft's software is so shot full of serious security holes they issue a patch just about every week, and sometimes the patches don't work or cause other problems.

A measurable example of this is Web sites. Microsoft IIS holds a 30% share of Web sites while Apache holds a 60% share. Apache runs mostly on Unix and Linux, while IIS runs only on Windows. Between 60% and 70% of Web defacements and break-ins are on IIS Web servers. Further, most large sites that would be the most attractive targets run Apache. It's so easy to knock over a Microsoft-based Web site that it brings no prestige even among script kiddies, the very lowest rank of the hacker community.

When Will Microsoft Fix These Problems?

The short answer is, they won't. The long answer is they are applying a major Public Relations campaign to the problem, under the title "Trustworthy Computing". So far, this has resulted in a copyright on the phrase "Trustworthy Computing", and pretty much nothing else.

Bill Gates issued a big internal memo (which was obviously worded for public consumption), and all Microsoft programmers were supposed to do nothing but search for security holes in their code during the month of February (the shortest month, naturally). Software coding experts have pronounced this move as having little value except as PR.

Why won't Microsoft do anything about Windows problems that are costing their customers literally billions of dollars?

First, because they don't have to. You're going to buy their products anyway because you've convinced yourself you have no choice. Improving security won't cause you to run out and upgrade to the latest version; new features (which introduce new and improved vulnerabilities) hopefully will. Besides, it's your money, not theirs.

Second, and most important, is that all the design features that cause this high level of vulnerability were designed in purposely because they aid Microsoft in holding and expanding its monopoly. These features are very important to their marketing people, and Microsoft is a marketing company, not a technology company. For more detail, see Microsoft's Security Model.

Virus spreading automation features are there to promote "ease of use", and the tight integration among products and features makes it impossible for competitors to get in edgewise. Companies that use Microsoft Office integration features to automate business functions aren't going to substitute non-Microsoft products that don't know the secret APIs, are they? They aren't likely to move to Star Office, no matter how good it is or how much less it costs, are they?

Antivirus vendors like Symantec (Norton) and Network Associates (McAfee) actively work to hide the truth. They keep generating news stories about Linux viruses that nobody ever actually sees in the wild to try to make you think other systems are as vulnerable as Windows. If people migrated from Windows to Linux, that would pretty much destroy the antivirus industry.

There was a joke going around about a Linux virus that politely asks the user to please log out and log back in as root, and then run it so it can infect the system, after which it politely asks the user to please email it to all his friends.

Recommendations

I won't bother recommending you dump Microsoft software and migrate to Linux or OS/2, because you've never listened to me before, and you've already convinced yourself that you can't. I won't bother recommending that you keep your antivirus software up-to-date, either, because with today's fast moving worms like Klez.H, you already have it before a fix is available.

I do recommend prayer. Don't bother praying that the worms won't come, because they will anyway - get down on your knees and pray that your competitors stay with Windows so their costs will be as high as yours.

Just in case you need to satisfy a morbid curiosity about what your competitors might do, start with Should Your Business Use Linux?

Now, I really do have to go. I've got a lot more clients who need The Klez removed from their systems. There's going to be plenty of food on the table this month!


©Andrew Grygus - Automation Access - www.aaxnet.com - aax@aaxnet.com