Automated Virus Busters
The latest computer viruses-which can e-mail themselves to everyone in a host computer’s electronic address book and change their appearance or even rewrite their own code to avoid detection-have created new problems for antivirus companies. But it turns out the most difficult challenge isn’t analyzing the viruses or creating fixes for them-it’s handling the flood of requests for help during an epidemic. When a fast-spreading virus infects many computers in a very short time, the number of virus samples submitted to an antivirus company for analysis increases by as much as three orders of magnitude, as does the number of requests for the antidote. This kind of jump makes most Web sites crash, but crashing during a virus outbreak is, obviously, a disaster for an antivirus company.
Researchers at IBM Research in Yorktown Heights, N.Y., in collaboration with Symantec, makers of the popular software Norton AntiVirus, have engineered ways to weather future outbreaks of even faster-spreading viruses. The first advance is a completely automated virus analysis center that develops antidotes and packages the cure for customers considerably faster than human virus analyzers. In March 1999, it took Symantec’s human virus busters six hours to crank out a cure for the Melissa virus, but IBM’s system can do it in 40 minutes. Norton AntiVirus users will have access to the automated virus analysis center this fall.
All the speed in the world won’t help, however, if a system is overwhelmed. To protect the virus analyzer, the group devised a network of gateways that was surprisingly hard to realize, says IBM antivirus researcher David Chess. “The stuff you would think would be the rocket science wasn’t the hardest part,” Chess says. “We had to do some unprecedented things to make the gateways robust to communication errors and sudden loads.”
Like secretaries opening their boss’s mail, the gateways perform triage on incoming viruses. First the gateway finds out if the incoming sample matches previously analyzed files; if it does, the gateway can immediately send the antidote to whoever submitted the virus. If the file matches one that the virus analysis center is working on, the gateway can acknowledge receipt of the virus and later send the antidote when it becomes available. Several IBM patents on the gateway system are pending.