One moment an executive is working on an e-mail to an important client.
The next, her PC has been converted into an expensive paperweight,
paralyzed by a piece of malicious software.
From New York to New Delhi, this scenario is all too familiar.
Nor do infections cause only local damage. Increasingly, computers
are being attacked by software that enables remote intruders
to gain access or enlist computers as hapless foot soldiers
in an information war.
The perils of such enlistment hit the headlines last year when sites
like eBay and CNN were brought low by a battalion of 75 computers
flooding targets with junk data and blocking access by legitimate
users. The attacker was a Canadian teenager, who had to hack
into each computer individually. But autonomous, self-replicating
software could create not a battalion, but an army, and wreak
havoc on the communal infrastructure of the Internet.
Fear of just such a disaster fueled the urgent warnings that accompanied
the recent outbreak of the Code Red worm. The target—the
White House Web server—dodged the attack, but the aftershocks
are still being felt. In fact, sampling nearly any Internet
traffic stream reveals Code Red-like probes by copycat software
looking for vulnerable computers to infect.
As in controlling the spread of real diseases, the key to effective
defenses is to understand the cause and mechanism of infection,
not to focus on the symptoms. A computer virus that erases
a user's files may seem very different from one that merely
prints out the occasional annoying message, but chances are,
they both got into his or her system in a similar fashion.
Evolution of a sickness
Malicious software falls, by and large, into three classes:
Trojans, viruses, and worms
[see sidebar, ].
The first to appear were the Trojans, which date back to the early 1970s.
Their existence prompted Fred Cohen, then a graduate student
at the University of Southern California in Los Angeles, to
begin experimenting with hostile and defensive software in
1983. Cohen read about the various Trojan horse programs being
found in user directories on timesharing systems, and as he
remembers it, "I realized that if a program was [not only]
a Trojan but also reproduced itself, it would spread from
program to program and user to user, acting like a disease."
Now a practitioner in residence in the computer forensics
program at the University of New Haven, in Connecticut, Cohen
is credited with having coined the term computer virus.
By 1986, Brain, the first virus to be widely transmitted
among PC users, had been created in Pakistan. It eventually
found its way to the United States, triggering an outbreak
at the University of Delaware, in Newark, in October 1987.
Although the virus did little damage, it marked the end of
an age of innocence.
In 1988, another landmark event occurred: the first Internet worm.
At its peak the Morris worm infected some 6000 hosts, or 10
percent of the nascent Internet. Attacking on several fronts,
the worm exploited bugs in software on the target systems
and tried to guess obvious user passwords. Ultimately, it
was a victim of its own success. Because it was poor at determining
whether or not a system was already infected, targets were
soon infected with multiple copies of the worm running simultaneously.
As the copies scanned for new targets, the resulting exponential
increase in the load on individual computers and network connections
tipped off system administrators.