So big indeed
SoBig.F was the more visible of the two recent waves of infection because it propagated itself by e-mail, meaning that victims noticed what was going on. SoBig.F was so effective that it caused substantial disruption even to those protected by anti-virus software. That was because so many copies of the virus spread (some 500,000 computers were infected) that many machines were overwhelmed by messages from their own anti-virus software. On top of that, one common counter-measure backfired, increasing traffic still further. Anti-virus software often bounces a warning back to the sender of an infected e-mail, saying that the e-mail in question cannot be delivered because it contains a virus. SoBig.F was able to spoof this system by “harvesting” e-mail addresses from the hard disks of infected computers. Some of these addresses were then sent infected e-mails that had been doctored to look as though they had come from other harvested addresses. The latter were thus sent warnings, even though their machines may not have been infected.
Kevin Haley of Symantec, a firm that makes anti-virus software, thinks that one reason SoBig.F was so much more effective than other viruses that work this way is because it was better at searching hard-drives for addresses. Brian King, of CERT, an internet-security centre at Carnegie-Mellon University in Pittsburgh, notes that, unlike its precursors, SoBig.F was capable of “multi-threading”: it could send multiple e-mails simultaneously, allowing it to dispatch thousands in minutes.
Worming into the system
Blaster worked by creating a “buffer overrun in the remote procedure call”. In English, that means it attacked a piece of software used by Microsoft's Windows operating system to allow one computer to control another. It did so by causing that software to use too much memory.
Most worms work by exploiting weaknesses in an operating system, but whoever wrote Blaster had a particularly refined sense of humor, since the website under attack was the one from which users could obtain a program to fix the very weakness in Windows that the worm itself was exploiting.
One way to deal with a wicked worm like Blaster is to design a fairy godmother worm that goes around repairing vulnerable machines automatically. In the case of Blaster someone seems to have tried exactly that with a program called Welchi. However, according to Mr Haley, Welchi has caused almost as many problems as Blaster itself, by overwhelming networks with “pings”—signals that checked for the presence of other computers.
Fortunately, as Nicholas Weaver of the University of California, Berkeley has pointed out, the algorithms that worms use to spread themselves are not particularly efficient. Blaster, after infecting a computer, searched at random for others to infect. A clever worm, says Mr Weaver, would start with a list of 10,000 or so vulnerable computers. This could be assembled surreptitiously by several months of discreet probing over the internet. Such a worm, which Mr Weaver dubs a “Warhol worm” after Andy Warhol's famous aphorism about fame, could infect all those vulnerable computers in about 15 minutes, giving it a huge head start. If a Warhol worm were to be released, by the time anti-virus engineers came up with a patch to protect the vulnerability it exploited, it would be too late. And if the worm had a truly malicious payload that, say, deleted files pell-mell, the damage would dwarf that caused by recent viruses.