Fight Virus With Virus

That’s the only way to stop MyDoom.

Illustration by Robert Neubecker

On Monday, Web surfers faced the unthinkable: a day without Google. MyDoom.O, the latest version of the fast-spreading worm, used infected PCs to flood Google’s servers in what’s called a denial-of-service attack. With the MyDoom virus trolling for e-mail addresses so it could send itself to new victims, human users were pushed out of the way for a couple of hours. It only seemed like the world was ending.

The most frustrating thing about MyDoom is that it’s not some hyper-evolved beast. The 14 iterations of the virus that have appeared since MyDoom.A emerged in January aren’t stronger, faster strains that survived cures for weaker versions. All the anonymous MyDoom authors have done is look at the syntax—or even just the online descriptions—of previous MyDooms, then build new copies that differ by just a few lines of code.

As the Washington Post reported yesterday, protecting yourself is easy: Install some anti-virus software and set it to update itself automatically (the default for most programs). Unfortunately, most people whose computers are infected either don’t know they have a problem or don’t bother to deal with it. That’s why MyDoom will keep coming back again and again. SCO and Microsoft, both earlier victims of MyDoom denial-of-service attacks, have posted $250,000 bounties, but neither has yielded a suspect or deterred copycat coders. At the current rate, MyDoom.Z should debut around Christmas, forcing virus trackers to consult Dr. Seuss’ On Beyond Zebra! to alphabetize next year’s crop.

The only way to stop MyDoom might be to out-hack the hackers. In the past, “white hat” programmers have launched viruses that expose security holes without causing destruction, in an attempt to make computer users more security-conscious. Last year, one programmer took the next step. As the Blaster worm circled the globe, the do-gooder released a worm called Nachi that infiltrated the same security hole as Blaster. But Nachi wasn’t a Blaster variant; it was a Blaster antidote: It erased copies of Blaster it found on PCs it invaded, then downloaded and installed a Windows update from Microsoft to secure the computer against further Blaster (and Nachi) attacks. Ingenious! There was only one problem: Nachi overloaded networks with traffic, just like Blaster had.

So far, no one’s created an effective antidote to MyDoom, which has done far more damage and shows no sign of stopping. While someone tried to repurpose Nachi for the job in February, that’s the wrong approach. What we need is a final MyDoom variant—let’s call it MyDoom.Omega—that breaches the exact same security holes as versions A through O, yet spreads itself slowly and carefully to prevent traffic jams. It could even launch warnings on the user’s screen for a few days (“Hey dummy! Click here to protect yourself!”) before going ahead and patching the hole itself.

Maybe a program like MyDoom.Omega doesn’t exist yet because the good guys don’t have an incentive. Rather than offering them megabucks to squeal on the virus’ creator(s), Microsoft, Google, and other MyDoom victims could challenge hackers to think up novel ways to squash the bug. Unleashing a white knight program might not offer the satisfaction of seeing a bad guy led away in flexicuffs, but it would be a lot more effective—and a lot more poetic.