When F-Secure's antivirus researcher Katrin Tocheva first spotted the MyDoom virus late in the evening of Jan. 27, she immediately reached out and smacked the monkey that sits near her desk.
The monkey is a stuffed toy that screams when hit. F-Secure's antivirus team uses it as an alert signal; when the monkey starts screeching, the team knows there's a new virus or worm on the loose.
The monkey screamed an awful lot in January and February 2004, and there were times that Tocheva was tempted to do some screaming of her own.
"It all started with the Bagle worm that was released on Jan. 18, 2004, followed by a few other worms and things," said Tocheva. "When MyDoom.A hit, I'd already been working for two weeks pretty much around the clock.
"MyDoom was then followed by MyDoom.B and DoomJuice, and then there was the Nachi.B worm, found early morning on Feb. 12 – that was 10 emergency cases without any break for almost a month. It just made me nuts."
When the monkey's (or Tocheva's) screams echo throughout the antivirus lab on the fourth floor of F-Secure's main office in Helsinki, Finland, the antivirus team gathers to discuss the situation and assign duties. Those duties include reverse-engineering the virus code to see what the malicious software intends to do; writing a first, short description of the virus; testing the antivirus update and getting it online; and writing a long description of the virus for posting on the Web.
They also issue an in-house alert, if needed, which automatically triggers various events in the office. For example, a Level 1 alert, issued for the most serious viruses, automatically cancels any meetings that have been scheduled for or by antivirus researchers, who will now be too busy for the foreseeable future to attend them, and the receptionists at the front desk quickly call in extra employees in anticipation of increased phone calls.
"It's all pretty calm though. There's no red flashing light or nerve-wracking alarm signal ... except for the screaming monkey," said Gergely Erdelyi, an F-Secure antivirus researcher. "People don't run around headless and bump into each other or walls. It's more like us sitting in probably even deeper silence than usual and trying to figure what to do next."
Sometimes the sample of the new virus comes from an F-Secure customer (the majority of antivirus firms ask their customers to send them samples of new viruses), or sometimes in an e-mail from AVED, a mailing list for antivirus researchers all over the world. However it arrives, the most important job is to analyze its programming code.
"Virus experts are not officially trained anywhere," said Mikko Hyppönen, director of antivirus research for F-Secure. "Most universities don't teach assembly language anymore. Reverse engineering is a skill that is quickly becoming a lost art. So we're forced to find the experts where we can. Anyone who wants to do this for a living has to be pretty weird anyway."
The first thing the team does is figure out what the virus is going to try to do. They unpack the virus's code and disassemble it so it can be analyzed, decrypt any encrypted data, and check any resources that may be related to the virus, such as Web pages that are distributing the virus or its additional components, explained F-Secure antivirus researcher Alexey Podrezov.
"We also try to infect our own test environments, which represent a basic home-user computer setup and a basic corporate network consisting of a server and a few workstations with different operating systems and lousy security."
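The first static pass an analyst makes over a fresh sample, before any disassembly, usually looks like the script below: hash the file, measure its entropy to see whether it is packed or encrypted (and therefore needs unpacking before the disassembler is useful), and pull out the cleartext strings that point at external resources such as download URLs, e-mail addresses and IP addresses. This is an added example, not F-Secure's tooling; the sample bytes are constructed for the demonstration, and the 7.0 bits-per-byte threshold for "likely packed" is a rule of thumb assumed here, not a figure from the article.

```python
import hashlib
import math
import random
import re
from collections import Counter

# Constructed stand-in for a captured sample (not real malware): a fake DOS
# header, a few cleartext strings of the kind an analyst looks for, then a
# high-entropy block standing in for a packed or encrypted payload.
_rng = random.Random(20040127)
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\x00"
    + b"http://example.invalid/update.exe\x00"
    + b"victim@example.com\x00"
    + b"192.0.2.10\x00"
    + bytes(_rng.getrandbits(8) for _ in range(4096))
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Rule-of-thumb assumption: near-uniform byte distributions (above ~7 bits
# per byte) usually mean compressed, packed or encrypted content.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, size: int = 1024) -> list:
    """Entropy per fixed-size window, so a packed section inside an otherwise
    plain file still stands out even when the whole-file figure is modest."""
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII at least min_len long, like the strings(1) tool."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def find_indicators(strings: list) -> dict:
    """Pick URLs, e-mail addresses and IPv4 addresses out of extracted strings;
    these are the 'resources related to the virus' worth checking next."""
    urls, emails, ips = [], [], []
    for s in strings:
        urls += URL_RE.findall(s)
        emails += EMAIL_RE.findall(s)
        ips += IPV4_RE.findall(s)
    return {
        "urls": sorted(set(urls)),
        "emails": sorted(set(emails)),
        "ipv4": sorted(set(ips)),
    }


def triage(data: bytes) -> dict:
    """Static first-pass report for a sample."""
    strings = extract_strings(data)
    windows = window_entropies(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": shannon_entropy(data),
        "max_window_entropy": max(windows),
        "likely_packed": max(windows) > PACKED_THRESHOLD,
        "strings": strings,
        "indicators": find_indicators(strings),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for key in ("sha256", "size", "entropy", "max_window_entropy", "likely_packed"):
        print(f"{key}: {report[key]}")
    print("indicators:", report["indicators"])
```

Run it against any file by replacing `SAMPLE` with the file's bytes. A `likely_packed` result means the strings list is probably incomplete and the next step is unpacking (or running the sample in the isolated test network Podrezov describes and dumping memory), not feeding the file straight to a disassembler.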
Tocheva said that shortly after the team began to probe MyDoom's code, she knew "we were in for a nightmare ... a big outbreak." MyDoom featured none of the fun tricks that usually signal an impending major virus attack – no self-activation when a user simply opens the e-mail, no taking advantage of a specific vulnerability in the Microsoft operating system, no clever social engineering. But from monitoring antivirus newsgroups and other sources, Tocheva could see that the MyDoom virus was spreading incredibly rapidly.
"It is quite hard to predict what viruses will be big problems," said Erdelyi. "If something is obviously broken in the programming code, that virus of course will not get too far. On the other hand, very simple ones have caused quite a havoc in the past. SoBig and MyDoom, for example – they both send very simple messages that totally rely on the recipients clicking on them. And enough people did, apparently."
Hyppönen said he now believes the thousands of computers that currently harbor MyDoom will be used for a long time as unwitting dupes in spamming operations.
Infected computers now have a backdoor in their systems that allows malicious hackers to remotely access and control infected machines, which could then be used to spew spam or launch denial-of-service attacks. Malicious hackers have been selling the use of compromised computers to spammers for some time now, according to Hyppönen.
"When we can, we try to alert people whose machines are infected by letting their Internet service providers know," said Hyppönen. "With the Slapper incident (a Linux server worm whose goal was to create a network of infected machines to launch distributed denial-of-service attacks, similar to what MyDoom does), we actually sent out an e-mail to administrators of infected computers – tens of thousands of them. This was in late 2002. Got pretty good feedback too. But in most cases there's no easy way for us to figure out who owns which computers – only ISPs know that."
In the hopes of raising awareness about viruses, the F-Secure team has started a group blog, where they post information on new viruses and track big outbreaks like MyDoom as they happen.
MyDoom is one of the viruses that F-Secure researchers will remember for quite a while. Other equally memorable viruses, for Tocheva, include the Melissa virus, all the SoBig worms, Blaster and Nimda. But the worm that's No. 1 on her personal made-me-crazy list was Loveletter (also known as the Lovebug), with more than 30 new variants released in only five days.
"Some virus variants appear so quickly that we start analyzing a new variant immediately after finishing analysis of a previous one," said Podrezov. "One thing is good – this job doesn't get boring – every day you get something new, some new malware that challenges you, and it brings you an ultimate satisfaction when you crack the case."
"Personally I find the simple and mindless viruses to be more nerve-wracking to work with than the complex ones," added Erdelyi. "Doing the same thing all over again is not too challenging. Give us something new every time and we shall be happy."