Sweating In the Hot Zone

By: Scott Kirsner | Wed Dec 19, 2007 at 7:59 AM
Imagine what life would be like if your product were never finished, if your work were never done, if your market shifted 30 times a day. The computer-virus hunters at Symantec don't have to imagine.

The day never ends for the Symantec employees charged with outsmarting bad actors. Every afternoon at 5 p.m., the crew in Santa Monica passes the baton to colleagues in Tokyo, who then become responsible for any new threats that appear and take the lead on lingering older ones. "From 5:00 to 5:30, it's the U.S. team's job to brief the Tokyo team," Weafer says. "And in the second half of the hour, the Tokyo team is effectively in control, but they can draw on the U.S. team." At the end of the Japanese workday, Tokyo hands off to Dublin, and at 8 a.m. in California, the baton returns to Santa Monica.

Work in progress shifts smoothly from one continent to the next, as in August when the Santa Monica team was investigating an issue for customers in the United States and Europe. "Keylogger" software had been capturing information typed by computer users and sending it to an unknown source. "When we transferred the issue to Japan, that handover included the technical knowledge of what our researchers in Santa Monica had found, the tools we were developing, and the contact points with our customers," Weafer says. "Our job is not to drop anything."

Other companies, such as McAfee, Sophos, and Kaspersky Lab, have their own antivirus troops, of course, and they're avid rivals. "We compete on response time--who saw a virus first and how fast did you get the solution to customers," says Vinny Gullotto, vice president of McAfee's antivirus and vulnerability emergency-response team, its counterpart to Symantec's response center. But he notes, too, that these virus hunters also cooperate to address fast-moving, global threats. In that sense, they resemble a community of scientific researchers, says Shane Coursen, a senior technical consultant at Moscow-based Kaspersky. (Coursen works in Nevada.) "We talk about things that are happening in the virus and malware world, like the best way to counter a particular threat," Coursen says. Security researchers at rival companies even maintain mailing lists--some of which are kept private to prevent virus writers from infiltrating them--that they use to exchange ideas and even virus samples among themselves, he says. "But we don't get down and dirty and talk about individual lines of code in our products."

When malicious code could cause serious damage, Symantec and its peers often provide information to law-enforcement agencies such as the FBI, the U.S. Secret Service, and the Royal Canadian Mounted Police. "If they need an analysis done on a new threat, we'll help them," Weafer says. "We provide them with intelligence that we have, but we don't chase criminals."

Symantec does spend a lot of time trying to figure out just what makes those criminals tick. Understanding their motivations and personalities can give an edge to researchers responsible for dismantling new viruses and predicting what may be coming. "Usually, the virus writer is a young person who doesn't recognize the impact of what they're doing," says Gordon, Symantec's profiler and senior research fellow. "The motivation varies with the individual. It can be revenge, the technical challenge, or the desire for notoriety. There's a generational problem here, where a lot of young kids don't realize that what they're doing when they're on the computer can have an effect on the real world."

That was exactly what happened in August 2003, when an 18-year-old set the Blaster-B worm slithering across the Internet. This worm caused computers to launch an attack on a Microsoft Web site and also created a backdoor for stealing information from infected machines.

It was part of what Weafer refers to as the "week from hell," when three major threats surfaced simultaneously to test the response center's mettle. While Blaster-B, a variant of an earlier worm, was instructing computers to crash a Microsoft Web site, the Welchia worm sought out computers that were infected with Blaster, deleting the worm's file, repairing the operating system, and rebooting the computer. But in the process, Welchia itself generated disruptive traffic on the Net. SoBig.F was a mass-mailer worm that harvested email addresses from the recipient's address book and then sent copies of itself to those addresses, under subject lines such as "Re: Details" and "Re: Your application."

"It was the first time we'd seen three back-to-back category three or above threats hit us," says Alfred Huger, Symantec's senior director of engineering for security response. "The possible number of machines that could've been affected was astronomical. That was one of the things that drove us fairly hard."

From Issue 99 | October 2005

Recent Comments | 9 Total

October 25, 2009 at 2:41pm by Le Binh

Marie Curie says: Thanks a lot, it is so useful for me, keep it going.