Sweating In the Hot Zone

By: Scott Kirsner | Wed Dec 19, 2007 at 7:59 AM

Imagine what life would be like if your product were never finished, if your work were never done, if your market shifted 30 times a day. The computer-virus hunters at Symantec don't have to imagine.

Then a new generation of online epidemics, such as Melissa, Slammer, Nimda, and Code Red, began to spread more quickly, forcing Symantec to adopt more of a firefighting mentality and begin to establish offices around the world so it could respond at any hour of the day. The response center's staff grew to hundreds; Weafer estimates that his staff is about 10 times what it was in 1999. ("We don't give out the actual number, because you've got people who'll try to use it for intelligence," he says cryptically.)

The average dollar cost of a virus disaster in 2004: $130,000
The average cost of a virus disaster in 2003: $99,000*

Symantec's fast responses have helped it corner the market for antivirus software sold to consumers; according to the NPD Group, a research firm, it had nearly 85% of the market earlier this year, compared to runner-up McAfee's 12%. But Microsoft announced plans to start competing with Symantec in May and began unveiling an antivirus offering of its own in July. And things are more competitive in the corporate world, where, according to a 2003 report by another research firm, IDC, Symantec has 28.5% of the market, compared to McAfee's 23.9%. IDC expects the $8 billion market for security software--corporate and consumer--to double by 2008.

These days, about 20,000 virus samples--not all of them represent unique viruses--come in to Symantec every month. New strains propagate in clever ways: over instant-messaging software, peer-to-peer file-sharing systems such as LimeWire, and even wireless Bluetooth connections between cell phones. And where yesterday's security threats were nasty enough when they erased hard drives and crashed Web sites, now the creators of malicious code are often hunting for credit-card numbers and other personal information they can use in criminal enterprises. Symantec also expanded the scope of the response center's responsibilities to include spam, pop-up ads, spyware, and adware.

The people who work on the response-center team are an eclectic group, and they weren't easy to find. "It's not as if colleges are creating thousands of anti-malware or security experts every year that we can hire," Weafer says. "If you find them in any part of the world, you just go after them." One senior researcher, Peter Szor, came from Hungary; Sarah Gordon, who profiles virus writers to try to understand their motivations, works out of her home in Melbourne, Florida; Peter Ferrie, an expert at disassembling viruses to see what makes them tick, came to Santa Monica from Iceland. "The people we look for are the kind of people who aren't necessarily creating new products, but they like to take things apart and break them," Weafer says. "Give them a Rubik's Cube and they'll have it disassembled in five minutes. They're motivated by solving problems."

Weafer and six of his lieutenants are sitting around an oval Formica conference table for a weekly security briefing; several remote locations are looped in by speakerphone. There's a rapid rundown of the threats everyone's dealing with, and that provides an opportunity for Weafer to ask lots of questions and make sure the various sites are acting in sync.

Denise Bellotti at Symantec's anti-spam unit in San Francisco reports that the lab has identified a new tactic among phishers--con artists who send emails that link recipients to an official-looking Web site in an attempt to elicit credit-card numbers and passwords. "They're using a scout message first to establish credibility, and then they're sending a second message with the attack," Bellotti says from the speakerphone. In other words, a seemingly innocuous first contact--or scout message--is followed by the con. "That was a new one that came out over the last couple of days," she says.

Javier Santoyo, a senior researcher, brings up the subject of "kernel mode root kits," a particularly insidious Trojan horse that burrows so deeply into a computer that the operating system itself can't see it. (A "Trojan horse" is a program that masquerades as a helpful application so users will install it, but then creates a secret backdoor that allows the sender to access the computer.)

"Are we still at the leading edge of this threat?" Weafer asks. "I mean, is it a fringe thing, or are we seeing it accelerate?"

"I think it's going to become more and more common," Santoyo says. "These guys are good. They know the quirks of the operating system."

Mark Kennedy, a software architect, chimes in: "And our problem is that when you go that deep to try to extract it, you can render the machine unusable. Then you get blamed, rather than the bad guy." Though Weafer estimates that root kits constitute less than 1% of viruses out there, he says, "the bad actors are getting really bad."

From Issue 99 | October 2005

Recent Comments | 9 Total

October 25, 2009 at 2:41pm by Le Binh

Marie Curie says: Thanks a lot, it is so useful for me, keep it going.