The IT industry's war against virus writers has seen battles won on both sides this year.
Sven Jaschan, the 18-year-old German responsible for spreading 70 per cent of viruses in the first six months of 2004, faces a maximum of five years imprisonment after being charged earlier this month.
But his Netsky and Sasser computer worms have, so far, caused an estimated $6.25bn in damage, according to analyst Computer Economics, infecting hundreds of organisations worldwide, including the UK Coastguard, Heathrow Airport and the European Commission.
Most IT directors rely on anti-virus tools as a standard part of their defences. But how do those anti-virus writers ensure they can keep up with the seemingly relentless onslaught?
A team of 11 'virus crackers' at Finnish security specialist F-Secure was the first to warn the world about the Sasser outbreak in May.
Mikko Hypponen, F-Secure's director of anti-virus research, showed Computing around his labs last week to explain how they work.
'When I joined, 13 years ago, there were only 300 viruses and I don't think anyone realised how bad it was going to get,' says Hypponen.
'And this year is probably going to be even worse than last year.'
Predictions that major virus attacks will cost businesses and consumers across the world $16.7bn this year back up his opinion.
'That's why the single fastest metric for any anti-virus firm is how fast you can protect customers by reacting to the virus,' he says.
One of the first computers to become infected with the Sasser worm was one of F-Secure's so-called 'honeypot' PCs: a Windows machine exposed to the internet with no firewall or anti-virus software, so that new outbreaks reach it, and are logged, as soon as they begin to spread.
'We have honeypots all over the world to detect viruses in the wild,' says Hypponen.
Other virus samples are received from different sources, including customers, other internet users and sometimes even the virus writers themselves.
'It could be that they have spent months writing it, but don't want to go to jail, so they show it off by sending it to the anti-virus firms,' he says.
'But we still decipher it and produce a patch as there are no guarantees they won't release it in the wild.'
F-Secure also exchanges samples and information with its competitors; several members of its anti-virus research team belong to the Computer Anti-Virus Researchers Organisation (CARO), a highly regarded group of virus analysts.
Once anti-virus firms find a new outbreak they go through a series of processes to identify its characteristics and how it propagates over the internet.
'You can either make a virtual PC environment on a server and infect it to see what the effects will be or you can take real machines and build a network out of them,' says Hypponen.
'But more and more we are seeing viruses that detect whether they are under regulation and act differently. So the other way, instead of running the virus, is to look at the code.'
With the Sasser worm, the team reverse engineered the code, carefully dismantling and inspecting the binary to recover how it was built and what it was designed to do.
By analysing the code, Hypponen and his team identified Sasser's key characteristics: it copies itself into the Windows directory, then scans random IP addresses for other machines exposing the vulnerable Windows LSASS service it exploits, often crashing the PCs it probes in the process.
'Once a server has been infected it starts to send random packets to places all over the network and internet,' he says.
'Eventually it will scan every single address in the world that is on the internet and find every thing that it can infect.'
Once a virus has been analysed, the company writes a 'virus signature', a detection pattern for its scanner, and notifies customers that an updated signature database is available for download.
'Sometimes viruses can take hours to decrypt, but once we know what it is we also alert the authorities and work with the ISP and web sites that might have been targeted to try and stop it from spreading,' says Hypponen.
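A signature can be as crude as a hash of the whole file or as selective as a byte pattern lifted from the routine the analysts just took apart; the difference shows as soon as a family such as Netsky spawns variant after variant. The following is an added example for this page, not F-Secure's scanner or its signature format. The three byte strings stand in for two variants of one worm and an unrelated clean program and are constructed, as are the detection names.

```python
"""Two kinds of detection signature, run over constructed samples.

Added example for this page, not F-Secure's scanner or signature format.
WORM_A, WORM_B and CLEAN are constructed byte strings standing in for two
variants of one worm family and an unrelated program.
"""
import hashlib
import re

HEADER = b"MZ\x90\x00PE"  # constructed stand-in for an executable header

# Variant B differs from A only in padding and the name of the dropped file,
# the kind of small change that produces the .B, .C, ... members of a family.
WORM_A = HEADER + b"\x00" * 8 + b"scan:rand_ip;copy:%WINDIR%\\svc.exe" + b"\x00" * 4
WORM_B = HEADER + b"\x00" * 16 + b"scan:rand_ip;copy:%WINDIR%\\svc2.exe" + b"\x00" * 2
CLEAN = HEADER + b"\x00" * 8 + b"copy:%WINDIR%\\setup.exe"


def hash_signature(sample: bytes) -> str:
    """Exact-file signature: matches this sample byte for byte and nothing else."""
    return hashlib.sha256(sample).hexdigest()


def pattern_signature(prefix: bytes, suffix: bytes, max_gap: int):
    """Byte-pattern signature: fixed bytes from the analysed routine with a
    bounded wildcard gap between them, so edits between variants still match."""
    return re.compile(re.escape(prefix) + b".{0,%d}" % max_gap + re.escape(suffix),
                      re.DOTALL)


# Detection names and patterns are constructed for the example.
SIGNATURES = {
    "Worm.Example.A": ("hash", hash_signature(WORM_A)),
    "Worm.Example.gen": ("pattern",
                         pattern_signature(b"scan:rand_ip;copy:%WINDIR%\\", b".exe", 8)),
}


def scan(data: bytes, signatures=SIGNATURES):
    """Return the names of every signature that matches `data`, in table order."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for name, (kind, sig) in signatures.items():
        if kind == "hash" and digest == sig:
            hits.append(name)
        elif kind == "pattern" and sig.search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, sample in (("WORM_A", WORM_A), ("WORM_B", WORM_B), ("CLEAN", CLEAN)):
        print(label, scan(sample))
```

The hash signature catches only the exact sample it was built from; the pattern signature catches both variants because it encodes what the analysts learned about the propagation routine rather than the file's incidental bytes. The cost is the risk of a false positive on a clean program that happens to contain the same bytes, which is why the gap is bounded and the fixed bytes are taken from code, not from strings an unrelated program might share.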
Viruses were originally designed to damage systems, but today many have a commercial objective: relaying spam, harvesting online bank account details and launching denial of service attacks, he says.
In January 2004, Mydoom.A, the largest email worm outbreak seen up to that point, was launched.
While experts focused on how the worm launched denial of service attacks against the SCO and Microsoft web sites, most were unaware that a spam proxy had been installed on millions of infected computers, which then began relaying advertising to every email address they could find.
'People have got wise to direct spam, with individuals blocking addresses and ISPs shutting them down,' says Hypponen.
'Spam through proxy means it can be sent from what people think is a trusted address and much faster.'
Virus writing has increased, but the work of groups such as the National Hi-Tech Crime Unit, together with Microsoft's $250,000 bounty on virus writers, also means 2004 has been the best year yet for catching the culprits, says Hypponen.
'We have seen the arrests of Netsky and Sasser creator Sven Jaschan and Blaster writer Jeffrey Lee Parson,' he says.
But with the growing popularity of new technologies, such as smartphones, anti-virus firms are spreading their net wider to focus on mobile viruses.
'Laptops with and without wireless access, handheld devices with open operating systems and mobile phones are all devices that need to be protected,' says Hypponen.
In June 2004 the first mobile virus, 'Cabir', was found; it spreads from phone to phone over Bluetooth.
'It was something that we weren't expecting,' says Hypponen. 'We were looking for mass mailer text messages or viruses that destroyed business cards, but not a Bluetooth virus.'
'This changes things as it spreads like the flu and could infect everything around it.'
Other viruses, such as Duts, have been written to infect PocketPC handhelds, and this month Brador, a backdoor, was found; it gives an attacker hidden remote control of an infected device, which can then be used to browse the internet or make calls.
It is only a matter of time before premium rate text messaging and dialler viruses become commonplace, says Hypponen.
But through greater co-operation between mobile developers and the anti-virus industry, Hypponen hopes to kill mobile infections in their infancy.
'If you think about the PC virus problem that started 18 years ago, if we did the right things in 1986 we probably wouldn't have the 100,000 viruses that we have today,' he says.
'So if we start now with mobile phones then hopefully we won't have the same problems.'
The Financial Impact of Virus Attacks
Major virus attacks, such as Sasser, MyDoom and Bagle, will cost individual and corporate PC users $16.7bn worldwide this year, according to analyst Computer Economics. The most expensive virus of all time - so far - was the LoveBug in 2000, costing an estimated $8.75bn.
The most costly viruses over the past three years, ranked by estimated cost within each year, were:
2004:
MyDoom - $4.5bn
Sasser - $3.5bn
NetSky - $2.75bn
Bagle - $750m
2003:
SoBig - $2.75bn
Slammer - $2bn
Blaster - $1.5bn
Nachi - $500m
2002:
Klez - $1.5bn
BugBear - $500m
BadTrans - $400m