Machine Shop
Antivirus: Great Business, Lost Cause
The Edge
Signature-based scanning software ultimately can't keep up with the high-speed
proliferation of viruses and worms
BY SIMSON GARFINKEL
HERE'S A PARADOX: The business of antivirus software has never
been better. And yet the long-term prognosis in the antivirus battle
has never been more bleak.
This fall, the "National Strategy to
Secure Cyberspace" stated that all home and business users need to
install antivirus software on their computers and update their systems
on a regular basis. Most CSOs and CIOs—dare we say all of them?—by now
realize that it is irresponsible to deploy computers without antivirus
protection. Nevertheless, the war against computer viruses and their
authors is stumbling. Tens of thousands of computer viruses are in
circulation. Symantec's Security Response website reported 81 viruses
discovered during a 30-day period this fall. Academics who follow
viruses say that that figure understates the threat. "Currently we are
seeing new computer viruses and worms, targeted at [Microsoft Windows],
reported approximately once every 75 to 90 minutes, on average," wrote
Gene Spafford, computer science professor and director of Purdue
University's Education and Research in Information Assurance and
Security, in the 2003 AAAS Science and Technology Yearbook.
There's a key bit of information in Spafford's line—the bit about
Windows. Now this is not an anti-Microsoft rant; all operating systems
have displayed vulnerabilities over the
years. But the reliance throughout corporate America on a single OS
means all of our eggs are in one basket. There's a solid argument to
make that in the long run, all the antivirus add-ons in the world won't
stem the tide of viruses and worms. Diversity is going to be a
necessary element of successful antivirus defense.
So Far, So Lucky
In the United States, the worms that have been the most successful
at propagating have inflicted comparatively little damage on their
infected hosts. The Melissa, I Love You, Nimda and Code Red worms
infected tens of millions of machines in a day and cost corporate
America more than a billion dollars in "lost productivity" (although
it's unproven that being without your e-mail for a day really
constitutes lost productivity). Aside from sending out a lot of e-mail
and clogging servers, though, those worms didn't fundamentally damage
the computers that were infected.
Compare that with what happened to
Korea on April 26, 1999, when more than 1 million computers had their
hard drives wiped and their system BIOS erased by the CIH/Chernobyl
virus. In many cases, damaged systems required new BIOS chips or
motherboards. Total losses were pegged at $250 million in hard dollars.
CIH/Chernobyl is no match for
today's signature-based antivirus systems. The typical virus scanner
has a database of signatures—unique byte strings—for roughly 50,000
viruses. On a properly protected computer, executables infected with a
familiar signature such as Chernobyl's simply can't run.
Signature-based antivirus software is also slowly making its way from
the desktop to the network, adding another layer of security.
But there is a serious failing with
signature-based systems that few people in the antivirus community
admit. Antivirus scanners do nothing to protect against the most
serious virus threat today: new viruses. By definition, a new virus
won't be in any existing database of viral signatures. Back when the
Melissa and I Love You worms hit, the only way that businesses could
protect themselves was to update their antivirus systems. At times this
meant updating every day—or even every hour—as new variants of these
viruses hit the network.
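To make the two preceding points concrete, here is a toy signature scanner of the kind the column describes: a database of unique byte strings, a check that flags any file containing one, and a demonstration that a variant differing by a single byte in the signature region passes until the database is updated. This is an added illustration, not code from the column or from any antivirus vendor; the signatures, the "executables" and the names Sample.A, Sample.B and Sample.C are all constructed for the example and correspond to no real malware.

```python
"""Toy signature-based scanner (constructed example).

Shows why known samples are reliably caught, why a previously unseen
variant is not, and why the fix was "update the signature database",
sometimes hourly, as the column recalls from the Melissa / I Love You era.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Signature:
    name: str       # label the scanner reports
    pattern: bytes  # the "unique byte string" the scanner looks for


# Constructed signature database: three made-up entries, not real signatures.
SIGNATURE_DB: List[Signature] = [
    Signature("Sample.A", b"\x90\x90\xeb\x1fSAMPLE-A"),
    Signature("Sample.B", b"PAYLOAD-B\x00\x00\xde\xad"),
    Signature("Sample.C", b"\x7fELF-not-really-C"),
]


def scan_bytes(data: bytes, db: Sequence[Signature] = SIGNATURE_DB) -> List[str]:
    """Return the names of every signature whose pattern occurs in `data`.

    A plain substring search is enough to show the idea; production
    scanners use multi-pattern matching, but the blind spot is the same.
    """
    return [sig.name for sig in db if sig.pattern in data]


def is_clean(data: bytes, db: Sequence[Signature] = SIGNATURE_DB) -> bool:
    """True when no signature matches, i.e. the scanner would let it run."""
    return not scan_bytes(data, db)


def add_signature(db: Sequence[Signature], name: str, pattern: bytes) -> List[Signature]:
    """Return a new database with one more entry (the 'daily update' step)."""
    return list(db) + [Signature(name, pattern)]


# Constructed "executables": a benign file, a file carrying the known
# Sample.A pattern, and a variant of it that differs by one byte.
BENIGN = b"MZ" + b"hello world program" * 4
KNOWN_INFECTED = b"MZ" + b"prologue" + b"\x90\x90\xeb\x1fSAMPLE-A" + b"rest"
VARIANT = KNOWN_INFECTED.replace(b"SAMPLE-A", b"SAMPLE-Z")


def demo() -> dict:
    """Run the three samples through the original and an updated database."""
    # The variant's pattern is only known after someone has analysed it.
    updated_db = add_signature(SIGNATURE_DB, "Sample.A.variant",
                               b"\x90\x90\xeb\x1fSAMPLE-Z")
    return {
        "benign": scan_bytes(BENIGN),                 # []
        "known": scan_bytes(KNOWN_INFECTED),          # ['Sample.A']
        "variant_before_update": scan_bytes(VARIANT),  # [] -> allowed to run
        "variant_after_update": scan_bytes(VARIANT, updated_db),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:>22}: {hits or 'clean'}")
```

The window between `variant_before_update` and `variant_after_update` is the exposure the column is describing: a signature scanner is exactly as current as its last update, and a sample nobody has yet analysed is, by construction, clean.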
The Monoculture Problem
Unfortunately, even this won't be good enough in the near future. A
paper that was presented at this year's Usenix Security Symposium
convincingly showed several strategies for infecting between 1 million
and 10 million Internet hosts in 15 minutes or less. The paper is
titled "How to Own the Internet in Your Spare Time," by Stuart
Staniford at Silicon Defense, Vern Paxson at ICSI Center for Internet
Research and Nicholas Weaver at UC Berkeley. The authors' findings are
based on results they discovered with an Internet simulator that they
created for this purpose. (The full text of the paper can be found at www.cs.berkeley.edu/~nweaver/cdc.web.)
There are several workable infection
strategies, it turns out. One is to scan in advance for vulnerable
machines that are connected to high-bandwidth networks. Another
approach is to divide up the Internet's address space in an intelligent
manner so that each copy of the worm has the maximum chance of
infecting a virgin machine. Staniford and company call such worms
Warhol and Flash. It is impossible to protect against those worms with
signature-based antivirus systems: Before a worm could be analyzed and
a signature distributed, the damage would already be done.
If someone creates a worm that
combines the infection strategy outlined in the Staniford paper with a
Chernobyl-style payload, we are looking at a lot more damage than a few
days of lost productivity. MSN, HotMail, eBay and tens of thousands of
small and midsize businesses would all be shut down, and bringing those
companies back up might require getting new hardware, restoring systems
from backup tapes (assuming that backups exist) and finally, patching
the security flaws. Such repairs could take weeks; many companies would
fail.
Nevertheless, it's important to
realize that a Warhol or Flash worm would almost necessarily be
selective: such a worm would probably exploit just one or two
vulnerabilities known to the authors—vulnerabilities that were not
widely known, or at least not widely patched. The biggest bang for the
worm author, obviously, is going to come from targeting the single
largest platform: Microsoft Windows systems running on Intel-based
architectures.
I'm not arguing that Windows is a
fundamentally less secure OS than Unix—that's beside the point. All
systems have had significant security problems. Even OpenBSD, which
boasts just a single remote vulnerability in the past six years, was
susceptible to a flaw discovered this fall in the OpenSSL library
package. But because of architectural differences, every Unix computer
with the OpenSSL library would have had a slightly different exploit.
Windows systems, on the other hand, frequently have common exploits.
Those computers can rightly be thought of as a monoculture crop—with
all the strengths and weaknesses that a monoculture implies.
Much of American agribusiness has adopted monoculture farming in recent years: crops that are
genetically identical, have less variation,
simplified growing procedures and, as a result, generally increased
profits—even though the seeds usually cost more. American business and
government, likewise, are standardizing on the Microsoft monoculture to
decrease training and deployment costs—even though the software itself
costs more. But just as a single virus or fungus can wipe out an entire
field of genetically identical organisms, so too can a single computer
virus wipe out a network of identically configured Windows servers.
Palladium: Nice Try
Microsoft's Palladium initiative might be an approach to solving
the monoculture problem: In theory, if computers are gimmicked so that
they will run only cryptographically signed programs, then viruses
won't run because they won't be signed. I personally don't believe that
computer users will put up with such a system, but even if they did,
Palladium will not put an end to viruses unless every signed program is
itself bug-free. Otherwise, a clever hacker will always be able to
booby-trap the signed code with a data-driven attack. This isn't just
theory. There have already been several examples of bugs in digitally
signed ActiveX applets that could be used to propagate viruses and
other nasty programs.
Other researchers are trying to
build an "immune system" to protect modern operating systems against
viruses—such a system would monitor a computer's health and attack any
program that seems to be acting in a suspicious manner. But just as our
own immune system is susceptible to viruses such as AIDS, a monoculture
immune system would necessarily have its own Achilles' heel. Hackers
would find it and exploit it.
The best approach, to borrow
nature's own solution, is to stop deploying a monoculture crop on our
desktops and servers. Businesses and government should not standardize
on a single OS; instead, they should adopt a dual-source or multisource
approach—deploy both Windows and Unix.
Alas, that approach is clearly more expensive in the short run, but in the long run it is dramatically more secure.
Simson Garfinkel, CISSP, is a Boston-based technology writer, and he is also the CTO of Sandstorm Enterprises.