The counterattack takes hold
In response to the Morris worm incident, the U.S. Defense Advanced
Research Projects Agency (Darpa), Fort Lee, Va., set up the
Computer Emergency Response Team. The group is now known as
the CERT Coordination Center and is based at Carnegie Mellon
University, in Pittsburgh. "It was decided that there needed
to be an organization that could coordinate responses to events
like this," explained Marty Lindner, team leader for incident
handling at CERT.
Antivirus software companies sprang up too. One well-known vendor is
Symantec, headquartered in Cupertino, Calif. As senior director
of the company's Security Response office in Santa Monica,
Calif., Vincent Weafer recalled how his staff watched viruses
evolve. "Probably the biggest technology leap that occurred
was the introduction of macro viruses" in the mid-1990s, Weafer
said. A macro is a package of instructions used to automate
tasks in large applications, such as the Microsoft Office
suite, which provide so-called script engines to create and
run macros.
If the application has been ported to several different platforms,
the script engine ensures that the same macro will run on
those platforms. Previously, differences between platforms
meant that viruses could not cross the computer version of
the species barrier and infect, say, both PC and Macintosh
computers.
Script engines removed that barrier, and worse, provided a high-level
language environment for virus writers. "All of a sudden,"
Weafer said, "we went from [virus writers] who had to understand
assembly...and low-level code, to people who could write viruses
in macro [languages]....We saw an explosion of macro viruses
as a lot of people, not necessarily equipped with a great
deal of knowledge, started to get involved."
Among those unsophisticated users was a new type of computer vandal
called a script kiddie: a (typically) relatively unskilled
adolescent who can create his or her own viruses and worms
with virus-writing tools created by others.
Then, in 1998, a new type of virus appeared that combined some features
from all three classes: viruses, Trojans, and worms. These
were the mass mailers that arrived at computers attached to
e-mail. Melissa was the first big one. "Suddenly we had global
epidemics in a matter of days, not months or weeks, as we
used to," said Weafer. According to CERT, it took three days
for Melissa to infect over 100 000 computers, compared to
the months it took for Brain to infect a few thousand computers
10 years previously.