commentary Viruses like MyDoom spread more quickly than warm butter on toast. Why?

OK, so, if I was sick of getting MyDoom last week, by the time you read this I confidently expect that I will be thrashing around violently in a straightjacket, screaming "No more! No more!" at the top of my lungs. At the time of writing SCO's ducking and weaving MyDoom with the use of a new Web site -- although the attacks on SCO and Microsoft are more than likely a diversionary tactic by forces more interested in spreading spam than anything else -- and it continues to flood inboxes at a rate of knots. Some reports state that it's the fastest propagating worm ever -- at least until the next worm comes along, of course.

So, how has it managed to perform this remarkable feat? And how does one end up in a job where you track the relative speed of computer viruses, anyway? The answer to the second question is "Go and work for a security company, especially those that flog antivirus software" if you were really keen, but human nature being what it is, I have to wonder if anyone at an antivirus firm is running a book on virus spread rates:

"I'm giving 10-1 that we'll see 10,000 infections this hour!"
"I'll take those odds, Bill, along with Virus #15 in the fourth..."

The answer to the first question is a touch more complicated, as the virus itself succeeds on so many different levels. Let's start with the most basic level first.

Level #1: People are idiots
Yes, it might hurt to realise it, but the great mass of people have the average common sense of a week-old peanut. It doesn't really matter how many times you tell people to only open attachments that they were expecting from people that they know, and preferably to virus scan them first (it won't catch everything, but it can't hurt), there will always be one or two slack-jawed drooling morons out there that'll just merrily click away. That might seem harsh, and undoubtedly there are people who only get bitten the once and never again, but somebody must be breeding enough to keep people opening attachments they weren't expecting with vague details like the MyDoom ones.

Level #2: Everyone on the planet is infected
Otherwise known as the spoofed header of death. Practically every virus in the last five years has spoofed headers, but it's only been the last couple of really big incidents that have had me inundated with nervous users and, for that matter, an unholy number of 'bounced' messages letting me know that somebody's virus scanner bounced back a message to me that I never in fact sent. It's probably great business for antivirus vendors, as it keeps the less informed user in a nervous tizzy, but at the same time it makes the mail problems associated with MyDoom and other viruses that much more annoying, especially when the bounces carry the virus payload with them.

It doesn't mean that nobody's infected, however. You should be still keeping virus definitions up to date and scanning regularly, just like you should be doing regular backups of your important data. Because it's not like anyone could get behind on those sort of tasks, is it?

As an aside, I wonder if those groups with the largest e-mail contact lists
-- AKA spammers -- get infected with viruses like MyDoom? Now, there's a nasty scenario, even with the inbuilt satisfaction of watching spammers get some payback when a few million of them bounce back.

Level #3: It's called Software because security is soft
This is a slightly more complex issue than it might at first seem. One could confidently say that software is way too insecure, and to an extent one would be right. The logical conclusion here, however, is that if we fixed all the security holes, then worms like MyDoom would shrivel up and die. Leaving aside the relative complexity of, say, 12 billion lines of code -- and I'm pulling numbers out of a hat here -- there's also the security versus convenience and privacy issue.

We could make every computer on the planet virus free, if we'd take a hard line on security policies.  A hard line means having each and every e-mail we send or receive scanned at a software and personal level. Not only would the costs here be astronomical, you'd also be talking about giving up a whole lot of privacy along with it. Some businesses unashamedly do this kind of thing (within privacy guidelines), but I've got to admit I wouldn't want it enforced on me, and I can't see how you'd do it on a home PC level.

Level #4: Virus writers have an agenda
Some of the earlier viruses were written for kicks by particularly stupid individuals -- not stupid in the programming sense, but stupid in the lacking common sense variety. Latter day viruses have had specific targets -- MyDoom's two variants so far target SCO and Microsoft. So you could argue that they've got an open-source axe to grind, right? I don't think so.

It's vaguely possible that the MyDoom author(s) have some kind of axe to grind, but I'd be surprised if this was the real intent behind the virus; it screams smokescreen to me, whether it's for opening up relays for yet more lovely spam or simply testing the waters of exactly how many peanut-brained users there are out there. My colleague Josh Mehlman has further thoughts on this very topic, if you're keen.

Level #5: My Linux/Mac/OS2 box is secure, nyah nyah nyah...
Clap, clap, clap. Well done, pat yourself on the back. Now, realise that if your system of choice becomes the system of choice for the rest of the world, that rest of the world will include all the idiot virus writers out there. Open source may be quicker at identifying faults (and potentially fixing them) but that's something I could see virus writers building into future viruses; after all, MyDoom already blocks access to most antivirus vendor sites; what's to stop a Linux virus (theoretically) stopping updates?

How badly have you been hit by MyDoom? Do you think we'll ever see the back end of the virus problem? Talkback to me below!.