The Love Bug

May 5, 2000 at 12:00 AM EDT

MARGARET WARNER: Elizabeth Farnsworth in San Francisco takes it from there.

ELIZABETH FARNSWORTH: And for more, we are joined by Mark Rasch, vice president for cyber law at Global Integrity Corporation, a computer security company. He is a former Justice Department computer crimes prosecutor. Jim Yost, chief information officer at the Ford Motor Company, one of the companies hit by the “love bug” virus; and Dan Schrader, chief security analyst for Trend Micro Inc., one of the country’s largest manufacturers of anti-virus software.

Mr. Schrader, what’s the latest on this virus, is it continuing to propagate?

DAN SCHRADER, Trend Micro, Inc.: Well, it’s continuing to propagate, but the rate is definitely slowing down. I think some of the estimates we’ve been hearing of 80% of companies being hit in Australia, perhaps the same percentage in the U.S., those are probably a bit high. Though anyone running certain Windows environments can get hit by the virus, it will only propagate within companies using Microsoft Exchange servers; they have maybe 40 or 50 percent of the marketplace. So the highest rate likely to get hit, about 40 or 50% of companies. That’s still an awful lot of companies.

ELIZABETH FARNSWORTH: Just briefly, so we understand, why are those the ones likely to get hit?

DAN SCHRADER: Well, this virus requires you to have something installed called the Microsoft Visual Basic scripting host, or Windows scripting host, which many people have. It uses Microsoft Exchange, and Microsoft Outlook e-mail client to open up an address book and spread itself. Again, people using Lotus Notes or some other e-mail systems won’t have that software in place, it won’t spread through their computers.

ELIZABETH FARNSWORTH: Mark Rasch, is it the most lethal virus so far?

MARK RASCH, Global Integrity Corporation: It’s the one that’s caused the most damage because of the way it propagated and how broadly it propagated. There are viruses that are designed to be more lethal to individual machines that can delete the entire hard drive. This doesn’t do that. The damage it caused was by propagating widely and clogging the e-mail systems.

ELIZABETH FARNSWORTH: Jim Yost, tell us what happened to Ford Motor Company, first start with today and then yesterday.

JIM YOST, Ford Motor Company: Well, today we got the bulk of our servers back up and running, our mail servers, which was really the major impact to us. Yesterday when we became aware of the virus very early in the morning, based on our situation in Europe, we made a decision before 8:00 Eastern Time to shut down our whole mail system worldwide to basically make sure that the virus was contained. We spent yesterday preparing for putting the antidote into our system. We disinfected our servers, made the decision last night on how to distribute that to our clients, and then by noon this afternoon were bringing all of our mail servers back up and running.

ELIZABETH FARNSWORTH: Put all that together for us, Mr. Yost, how disruptive was that for the company’s operations?

JIM YOST: In the end it turned out to be not very disruptive. We have our mail system totally separated from our applications and our e-mail systems from our customer bases. So, in reality, we isolated the issue to our Exchange servers, shut those down, prevented the spread. And the inconvenience was the inability for people to send e-mails. But we obviously maintained our other — communications, voice, telephone, fax. So there was really no substantive disruption to our operations. We lost no production, we lost no sales. We really had no disruption to our production operations.

ELIZABETH FARNSWORTH: Dan Schrader, you have something to say about that?

DAN SCHRADER: I’d mention Ford was lucky in that case. Many companies rely entirely on e-mail. It has become the killer application of the Internet. People call it their mission critical application. If I can’t get e-mail, I might as well go home, and I think a lot of white collar workers feel the same way.

ELIZABETH FARNSWORTH: Tell us about the virus; what do you know about it and how do you know it?

DAN SCHRADER: I’ve seen the virus code, as have many other people now. It’s been widely spread, the source code of it has been published, which is unfortunate; I wish people wouldn’t do that. The virus is not a very sophisticated virus. The person who wrote this was not an educated or experienced programmer; it looks like it’s bits and pieces from other viruses like the Melissa Virus and kind of cobbled them together. It has misspellings; it has grammatical problems; it has bugs in the virus. There’s text in it that indicates it came from the Philippines, and that may be true, but I think the jury is still out. That’s what the virus writer wants us to believe. Now, the virus again deletes multimedia files in your computer, which is unusual. Many viruses try to either wipe out your computer or they try to target usually more valuable documents like word processing documents, spread sheet files and databases. We’re fortunate it wasn’t the case this time.

ELIZABETH FARNSWORTH: Mark Rasch, add anything you want to, to that, and tell us what we know about people who develop these programs.

MARK RASCH: We use somebody called a profiler, that’s a former intelligence analyst, that tells us things that we can find out about these type of virus writers. Typically for this kind of a virus that spreads broadly, the goal of the virus writer is simply to obtain credit. Look at the newspapers and either say to the public or their friends, hey, I did that, which is by the way one of the ways you catch them is when they take credit for it. But other types of viruses are designed to hide programs, so — logic bombs or Trojan horses — so that they can go back in later on, get your password and log in and steal the information that they’re looking for. So the motives for writing them and the kinds of people who do it differ widely.

DAN SCHRADER: I agree with the motives in this case, however, this virus writer did try to steal passwords. Fortunately, the code didn’t work, but one of the things the virus did was it tried to change what Web site your computer would go to, and when it went there, it would automatically download a file that would take passwords off your computer and e-mail it back to some location. That code didn’t work very much; the Web site wasn’t working; it didn’t get widespread, but that was a problem with this virus as well.

ELIZABETH FARNSWORTH: Jim Yost, let’s talk about what can be done to avoid this. You told us how you solved the problem with minimal disruption, according to what you have told us. Is that because you were really prepared, because your computers were programmed in a certain way? Or explain what you had done to prevent disruption.

JIM YOST: Well, we have a very active security effort within the company. We have layered security, we have firewalls at different levels. We physically separate our different types of servers, so to the extent there is infection we can isolate it and keep it separate. So there’s a physical and logical control that we have on the spread. Unfortunately this was a virus for which there was no protection; it did get in. We’ve trained our people to search out and understand when they get unknown very odd e-mail to alert us immediately, so we can go into action. Our team did go into action, determined very quickly that this was a potentially very dangerous virus. And that was the reason why we shut down the systems very quickly. So it was basically being very well prepared, having good security in place. But I think also, as always, it relies on very quick identification by people that it’s a problem.

ELIZABETH FARNSWORTH: And Mr. Yost, how worried are you about this? Do you get the feeling that the viruses are getting more dangerous, more sophisticated with each attack?

JIM YOST: Well, clearly there is always someone out there who is going to try and take advantage of some weakness in the system. As we become more wired together and more reliant on the system, it requires us to become much, much more careful in security. I worry about it on a daily basis. We’ve got very good experts that work with our vendors to make sure we’re well prepared. But we’re always to some extent going to be vulnerable to some very creative individual who will find a unique way to get into an application.

ELIZABETH FARNSWORTH: Mark Rasch, comment on that, this vulnerability of our networked world.

MARK RASCH: What’s happened as we become more networked, we become more vulnerable because we rely on these e-mail systems and these other systems all the time. The other problem is that just like what was just explained, you can only prevent the viruses that you know about. If somebody comes out with a brand new variant that you’ve never seen before, you have to be prepared to react, and really there’s very little prevention that can be done.

ELIZABETH FARNSWORTH: Mr. Rasch, if it attacked the Microsoft e-mail system, will some computers in a company have to be on a different system? You know, it’s like mono culture and crops, if you have one crop, it’s more vulnerable to a pest.

MARK RASCH: Certainly if you have diversity in operating systems and e-mail systems, you’ll be less affected by a virus that attacks only one variant. The problem is there’s some functional reasons to want to have similar systems within a company. So it’s a tradeoff, again, between functionality and security.

ELIZABETH FARNSWORTH: Mr. Schrader, on the vulnerability.

DAN SCHRADER: Well, one of the problems of the Internet is that, collectively, we’re all relying on individual security. In other words, even if — a sophisticated company like Ford, they’re relying on end users knowing what to do and knowing not to open up the e-mail attachment, running programs that are sent to them. Unfortunately most companies, most people are not as sophisticated as Ford. What we need to be doing is moving some of these security functions off the desktop, stop relying on the end user, and make it part of the infrastructure at the Internet. We need to be scanning malicious code as part of the backbone of the Internet, and until we get there, we’re not going to have an infrastructure in place for preventing or containing the spread of these viruses.

ELIZABETH FARNSWORTH: Is any of that happening?

DAN SCHRADER: Well, it’s starting to. A few companies like Sprint and U.S. West that offer managed e-mail services or Internet service providers are offering as a value added service to scan their data for viruses. If you’re a U.S. West customer, for I think $15 a month you get Internet access, for another $1.50 a month they’ll scan everything for viruses. That’s a very good model, because that means the end user doesn’t have to worry about running anti-virus software, updating anti-virus software, getting the update. It means vendors like ourselves don’t have to worry about trying to update 300 million desktops in time to stop the next Melissa Virus. So U.S. West customers, they were protected. People who were getting their e-mail primarily through U.S. West and had signed up for that service, within an hour of our identifying it they were protected without doing a thing. That’s the kind of model we need to move to over the future.

ELIZABETH FARNSWORTH: Mr. Yost, do you agree with that from the point of view of a big corporation like Ford Motor Company?

JIM YOST: Yes. We scan incoming e-mail. In this case there was no protection for that virus. So it got in. And obviously with our layered protection we scan at different levels, but as long as you don’t have the anti-viral protection, it’s going to get in and can wreak havoc. So there’s a dual responsibility: one is to scan for known things and try and stay as far ahead as possible, detect where these viruses might be going and prevent them, the future ones; but there’s also a requirement on the case of the user when there is a problem to identify it and notify people that can take the corrective action.

ELIZABETH FARNSWORTH: And, Mr. Rasch, the privacy issues start to come up — don’t they? — when talking about the need for more security?

MARK RASCH: Well, what ends up happening now is you’re scanning every single file that’s coming in. Not only does that slow things down, but it raises the possibility that the contents of the file can be read. Who’s going to decide something is a virus or isn’t a virus — should be able to be read or should not be able to read. We have lists of viruses that Symantec and other companies put out, and those kind of lists if you’re just comparing it against a list, that’s one thing. But what you’ve done is you’ve enabled the ISP’s now to really go through all these files.


DAN SCHRADER: It’s a very legitimate problem. In fact, we have a constant tradeoff between security and privacy, and it’s a debate we need to have on a national level. Every security expert has an opinion on this. If you’re going to stop every e-mail and scan for virus, the next step is scanning junk mail or scanning for unsolicited mail. At what point do you want to give control to some foreign user or to some organization and where do you want to make the decisions yourself?

ELIZABETH FARNSWORTH: Okay. Briefly, what should our viewers who are computer users be watching out for?

DAN SCHRADER: Very simply, you should not open any file sent to you unless you know why somebody sent it to you. You should use your automatic update function within Microsoft Windows Explorer to update with the latest security patches. You just go up to the tools menu, and you click on Windows Update, and Microsoft will automatically download all these security updates. Finally, run anti-virus software, update it I would say at least weekly.

ELIZABETH FARNSWORTH: Mr. Rasch, do you have anything to add to that?

MARK RASCH: The only thing is from a corporate standpoint also, you need to have an emergency response plan and try to figure out who’s going to be able to pull the plug on the e-mail.

ELIZABETH FARNSWORTH: And Jim Yost, anything to add?

JIM YOST: I think that pretty well covers it.

ELIZABETH FARNSWORTH: Okay. Thank you all three very much.