TBTF Topics
Topic: What if smart people wrote computer viruses?
David M. Chess (message 9), 07-21-2000 11:03 AM ET (US)
It's a relatively well-known rule of thumb in the anti-virus field (such as it is) that the most damaging viruses aren't the ones that spread most successfully. The "NewLove" virus, for instance, was basically an instant-destruction version of the "LoveLetter" virus; but "NewLove" went nowhere, whereas "LoveLetter" was briefly widespread. A disease that instantly kills its host never gets much of a chance to spread.

On the other hand, a virus that spread "benignly" for a long time, and only after that long time launched its payload, would most likely be detected and wiped out before it got to the "launch payload" day. So there's a hard tradeoff for the bad guys.

Certainly most of the viruses out there now are inelegant and semi-functional hacks, and Someone Who Really Knew What He Was Doing could cause much more trouble than the typical virus causes (the typical virus, in fact, never infects anyone, and just gets traded from K001 HAX0R D00D to K00l HAX0R D00D without ever infecting an actual user).

On the other hand, blithe claims that an "ubervirus" could magically evade detection because (to quote the HNN story) it "can be coded in different forms, so that there will be hundreds of different code signatures", have no teeth: anti-virus programs have been dealing with polymorphic viruses that have *millions* of different forms for years, and doing it successfully. Saying that simple polymorphism "will make it difficult for anti virus vendors to develop a program that will search for code signatures" just shows a lack of knowledge about what anti-virus programs already do.

While in theory it's possible to make a virus that can't be perfectly detected, in practice no virus has so far proven to be a major problem for the anti-virus companies to detect well enough, once they had a sample in hand.

We have never seen a virus that was discovered only after having spread undetected onto a large number of systems for a long period of time. Now it's possible that there are two distinct kinds of viruses in the world: the quickly-detected ones that we've found, and the uberstealthy viruses that spread and hide so well that we've never found even a single one. But that seems real unlikely to me! If there were "stealthy" viruses out there, it seems to me we would have found at least *one*, and then discovered that Yow it's on thousands of systems and has been for months. But that's never happened.

On the one hand it's certainly true that a really well-written virus could cause lots of trouble. On the other hand, it's easy to overestimate that trouble by making vague claims about uberviruses that could do magical things (like automatically discovering and exploiting new vulnerabilities, or uploading themselves to read-only FTP servers) that we don't know how to make ordinary application software do, let alone a virus. Remember there's nothing magical about a virus: it's just a program that spreads. If it's hard to imagine how a program could reliably do X, it's unlikely that a virus that reliably does X is going to be along anytime soon.

Sure, a virus could periodically poll a set of websites for instructions. There have in fact been at least a couple of viruses that did that! In both cases, the websites were found and taken down in short order. This is the sort of thing that governments and ISPs understand pretty well, after all. If instead the websites had to be replaced with "remove yourself without destroying any host data" instructions, that'd be quite doable as well. Again, there's no magic here.

So while uberviruses sound scary, and stories about them might in the short run scare some people into more properly securing their systems, I'm afraid of a cry-wolf effect: if we say "systems should be made more secure because uberviruses are going to be launched at any moment", and then no uberviruses are launched, people will conclude that they don't need to make their systems more secure. Better, I think, to point out that systems need to be made more secure because of *ordinary* viruses, because of script k1dd13z trolling for vulnerabilities, and because of the real possibility of targeted industrial espionage. Better to goad people into action using threats that we know really exist, rather than trying to do it with far-out speculation that might turn out to be false.

This isn't to say that there aren't nightmare scenarios that security and anti-virus folks worry about and try not to mention in public! *8) There certainly are. If there are clever things we could do to our systems that would make attacks like "samhain" and Mr. Temmingh's virus, it'd be good to do those things. But I'd give priority, myself, to first fixing the dozens of security problems on the typical system that can be exploited *without* an ubervirus. Given that we have limited resources, it seems logical to worry about the existing threats first...
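The tradeoff in the first two paragraphs of the message above (instant destruction kills the spread; a long delay gets the thing sampled and cleaned up before payload day) can be made concrete with a small epidemic-style model. The following is an added illustration, not code from the original post or from TBTF/QuickTopic; the model, its day-by-day ordering and every parameter (population size, spread rate, how loudly a wiped machine is reported versus a quiet infection, the responder's notice threshold and cleanup rate) are constructed assumptions chosen only to make the argument visible in numbers.

```python
"""
Toy epidemic model of the spread-versus-payload tradeoff: a self-replicating
program that destroys its host at once cannot spread, while one that waits a
long time before its payload tends to be sampled and signatured before
payload day.  Added illustration; all parameters are constructed assumptions.
"""
import math
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Outcome:
    total_infected: int             # hosts ever infected, seed included
    peak_active: int                # most hosts spreading on any single day
    detected_on_day: Optional[int]  # day the responder had enough reports to act
    hosts_destroyed: int            # hosts on which the payload actually fired


def simulate(payload_delay: int, population: int = 10_000,
             spread_per_day: float = 2.0, notice_threshold: float = 50.0,
             quiet_notice_weight: float = 0.02, response_lag: int = 2,
             cleanup_fraction: float = 0.75, days: int = 60) -> Outcome:
    """Deterministic day-by-day model with cohorts keyed by infection day.

    Each day, in order: cohorts that reached payload_delay fire their payload
    (the host is destroyed and stops spreading); destroyed hosts are loud
    evidence (weight 1.0) while quietly infected hosts barely register
    (quiet_notice_weight); once evidence passes notice_threshold the responder
    has a sample, and response_lag days later cleanup removes cleanup_fraction
    of every surviving cohort each day; finally the survivors spread.
    """
    active: Dict[int, int] = {0: 1}   # infection day -> still-infected hosts
    susceptible = population - 1
    total = peak = 1
    noticed = 0.0
    detected_on: Optional[int] = None
    destroyed = 0

    for day in range(days):
        # 1. Payload day for every cohort old enough (delay 0: the seed host
        #    is wiped before it ever gets to spread).
        fired_today = 0
        for infected_day in [t for t in active if day - t >= payload_delay]:
            fired_today += active.pop(infected_day)
        destroyed += fired_today

        # 2. Evidence reaching the responder: wiped machines get reported,
        #    quiet infections mostly do not.
        noticed += fired_today * 1.0 + sum(active.values()) * quiet_notice_weight
        if detected_on is None and noticed >= notice_threshold:
            detected_on = day

        # 3. Once a signature ships, a fixed share of each cohort is cleaned
        #    daily; cleaned hosts stay protected and never re-enter the pool.
        #    ceil() guarantees a one-host cohort is eventually cleaned too.
        if detected_on is not None and day >= detected_on + response_lag:
            for infected_day, count in active.items():
                active[infected_day] = count - math.ceil(count * cleanup_fraction)

        # 4. Survivors spread into whatever susceptible hosts remain; new
        #    victims start spreading the next day.
        spreaders = sum(active.values())
        peak = max(peak, spreaders)
        new_infections = min(susceptible, int(spreaders * spread_per_day))
        if new_infections:
            active[day + 1] = active.get(day + 1, 0) + new_infections
            susceptible -= new_infections
            total += new_infections

    return Outcome(total, peak, detected_on, destroyed)


def scenarios() -> Dict[str, Outcome]:
    """The four cases the argument contrasts, with constructed parameters."""
    return {
        "instant destruction": simulate(payload_delay=0),
        "payload after one day": simulate(payload_delay=1),
        "payload after thirty days": simulate(payload_delay=30),
        "thirty days, nobody looking": simulate(payload_delay=30,
                                               notice_threshold=float("inf")),
    }


if __name__ == "__main__":
    for name, o in scenarios().items():
        print(f"{name:30s} infected={o.total_infected:5d} "
              f"peak={o.peak_active:5d} detected_day={o.detected_on_day} "
              f"destroyed={o.hosts_destroyed}")
```

With these (constructed) parameters the instant-destruction case never leaves its first host; the one-day payload spreads for a week, but every wiped machine is a loud report, so a sample is in hand by day 6 and the outbreak is cleaned away after a few hundred hosts; the thirty-day payload reaches the whole population almost silently, yet the sheer number of quiet infections trips the responder on day 7 and cleanup empties every cohort well before day 30, so the payload fires on nobody. Only the "nobody looking" run reaches the worst case, which is the point of the message: the damage a delayed payload can do is bounded by how long it stays unsampled, not by how cleverly it is written.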
Individual articles are Copyright © by their authors.
The rest is Copyright © 1995-2000 by Keith Dawson.