Computer networks provide an efficient means for transporting data between workstations or terminals on (or connected to) the network. Such networks can consist of Local Area Networks (LANs), which are generally restricted to one geographical area or location, and Wide Area Networks (WANs), which connect a number of machines over a larger geographic area. The Internet is also an example of one such network. The Internet is a worldwide system of computer networks, a network of networks, wherein users at any one computer can, if they have permission, get information from any other computer. The Internet was conceived by the Advanced Research Projects Agency (ARPA) of the U.S. government in 1969 and was first known as the ARPANet. The original aim was to create a network that would allow users of a research computer at one university to "talk to" research computers at other universities. A side benefit of the ARPANet design was that messages could be routed or rerouted along more than one path, so that the network could continue to function even if parts of it were destroyed in the event of a military attack or other disaster (including simple down-time of component parts).
Today, the Internet is a public, cooperative, and self-sustaining facility accessible to hundreds of millions of people worldwide. The Internet is providing ever increasing opportunities for persons across the world to interact with each other via a relatively cheap medium of communication. A typical interaction consists of a user (or client) using a browser (or other such client program) to contact a web server (i.e. a website) with a request for information (i.e. a webpage, data, or the like). The information exchanged between the web server and the client is typically in the form of HTTP requests and responses.
Widespread usage of the Internet has led to more widespread occurrences of certain destructive computer viruses. These include (for instance) the recent "Melissa" and "I Love You" viruses, which caused extensive network damage. A virus is a piece of programming code, usually disguised as something else, that causes some unexpected and usually undesirable event (for the victim). Viruses are often designed so that they automatically spread to other computer users across network connections. For instance, viruses can be transmitted as attachments to an e-mail note, by downloading infected programs from other sites, and/or by being imported into a computer from a diskette or CD. The user receiving the e-mail note, downloaded file, or diskette is often unaware of the virus. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances (a date, a count of infections, a particular user action) cause their code to be executed by the computer. Some viruses are playful in intent and merely display simple messages to the user, while others can be quite harmful, erasing data, causing a hard disk to require reformatting, or clogging networks with unnecessary traffic.
Generally, there are three main classes of viruses:

(1) File infectors. Some file infector viruses attach themselves to program files, usually selected .COM or .EXE files. Some can infect any program for which execution is requested, including .SYS, .OVL, .PRG, and .MNU files. When the program is loaded, the virus is loaded as well. Other file infector viruses arrive as wholly-contained programs or scripts sent as an attachment to an e-mail note.

(2) System or boot-record infectors. These viruses infect executable code found in certain system areas on a disk. They attach to the DOS boot sector on diskettes or the Master Boot Record on hard disks. A typical scenario is for a user to receive a diskette from an innocent source that contains a boot-sector virus. While the operating system is running, files on the diskette can be read without triggering the virus. However, if the diskette is left in the drive and the computer is turned on (or the OS is reloaded), then the computer will look first in the "A:" drive, find the diskette, and execute the virus code in its boot sector before any operating system is loaded. The virus then typically installs itself in memory and writes itself to the hard disk's Master Boot Record, so that it runs on every subsequent boot, and may leave the hard disk temporarily unusable.

(3) Macro viruses. These are among the most common viruses, and often do the least damage. Macro viruses infect documents and templates of applications that support a macro language (such as Microsoft Word) and typically insert unwanted words or phrases into documents opened by the application. (The "Melissa" virus noted above was a macro virus, so this class is not always harmless.)
The best protection against a virus is to know the origin of each program or file that is loaded into a computer, opened from an e-mail program, or the like. Since this is generally difficult, there is a wide variety of anti-virus software on the market. Anti-virus (or "anti-viral") software is a class of program that searches a computer's hard drive and floppy disks for any known or potential viruses, typically by comparing file contents against a database of byte patterns ("signatures") of known viruses, supplemented by heuristics for suspicious but unrecognized code. The market for this kind of program has expanded because of Internet growth and the increasing use of the Internet by businesses concerned about protecting their computer assets. Virus warnings can thereafter be sent to the user pertaining to any findings.
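The following is an added illustration of the signature-based check described above; it is not code from the original document or from any anti-virus product. The signature list, the "Example.*" virus names and the sample file contents are constructed for this example and correspond to no real malware. The one real item is the EICAR test string, the industry-standard harmless pattern that scanners are expected to flag, which is what makes the example safe to run.

```python
"""Minimal signature scanner (added example, not the original document's code).
Signatures, virus names and sample files are constructed for illustration;
only the EICAR test string is a real, standardized (and harmless) pattern."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# The EICAR test file: 68 harmless bytes that every mainstream scanner flags.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass(frozen=True)
class Signature:
    name: str                     # name reported to the user
    pattern: bytes                # byte pattern to look for
    offset: Optional[int] = None  # None: anywhere in the file; int: exactly at that offset


# Constructed signature database (the two "Example.*" entries are made up).
SIGNATURES = [
    Signature("EICAR-Test-File", EICAR),
    # a hypothetical file infector that stamps a marker right after the "MZ" header
    Signature("Example.FileInfector", b"INFECTED-BY-X", offset=2),
    # a hypothetical boot-sector infector: jump instruction followed by a marker
    Signature("Example.BootInfector", b"\xeb\x3c\x90BOOTVIR"),
]


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of all signatures that match one file's contents."""
    hits = []
    for sig in SIGNATURES:
        if sig.offset is None:
            if sig.pattern in data:
                hits.append(sig.name)
        elif data[sig.offset:sig.offset + len(sig.pattern)] == sig.pattern:
            hits.append(sig.name)
    return hits


def scan_files(files: Dict[str, bytes]) -> List[dict]:
    """Scan a mapping of path -> contents and report every file that matches.
    The SHA-256 digest lets a central server recognise identical samples
    reported from different machines."""
    report = []
    for path, data in files.items():
        hits = scan_bytes(data)
        if hits:
            report.append({
                "path": path,
                "sha256": hashlib.sha256(data).hexdigest(),
                "viruses": hits,
            })
    return report


# Constructed sample "disk" for the demonstration.
SAMPLE_FILES = {
    "C:\\TEMP\\eicar.com": EICAR,
    "C:\\PROGS\\GAME.EXE": b"MZINFECTED-BY-X" + b"\x00" * 100,
    "A:\\boot.img": b"\xeb\x3c\x90BOOTVIR" + b"\x00" * 500 + b"\x55\xaa",
    "C:\\DOCS\\notes.txt": b"Just a harmless text file.",
}

if __name__ == "__main__":
    for entry in scan_files(SAMPLE_FILES):
        print(entry["path"], "->", ", ".join(entry["viruses"]))
```

The check is only as good as the signature database: a virus whose pattern is not in the list, or a polymorphic virus that rewrites its own bytes on each infection, passes this scanner untouched, which is exactly why the tracking of new viruses discussed below matters for getting updated signatures to users quickly.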
Tracking of viruses is becoming important in the evidentiary search to identify any parties that might have been involved in the origination and distribution of a virus. There are presently an estimated 6 to 8 new viruses being unleashed every day, with most of them being spread through the Internet. Notably, a common virus 10 years ago in the United States might have needed more than a year to propagate and become well-known in Asia. Now, through the use of e-mail and the Internet, it takes only a matter of days or even hours for a virus to spread worldwide. Virus tracking thereby aids in finding and distributing a "cure" for such viruses. For instance, if a certain set of networks in a certain part of the world were infected (more so than others) by a particular virus, then this knowledge might aid in tracking down the source and/or type of the virus. Moreover, the affected networks and computers could be more quickly remedied if the severity of the infections, and the location of the infections, are known on a wider scale.
Prior anti-virus systems (e.g., McAfee, Norton, and the like) have not provided any real-time methods for tracking virus information, or the level of virus activity, on a wide distributed-network scale (i.e., systemwide, nationwide, worldwide activity). Certain popular anti-viral software is based entirely upon an online scanner model. A user contacts the site of an anti-virus software provider and is prompted to download a program. The software, which now completely resides on the user's computer, is thereafter triggered from the web (or network) and scans the user's computer. The user is alerted to any viruses found. However, the downloaded anti-virus software does not perform any real-time communication of the results back to the anti-virus server site to form a collective analysis. The user computer might communicate viral information back to the anti-virus server via e-mail messages, or the like. However, the latency involved with such reporting methods will not provide for any real-time display and analysis of the virus scan results.
Accordingly, what is needed in the field is a system for real-time tracking of viruses from various computers on a distributed computer network. A central tracking server might be employed to receive data pertaining to the anti-virus scanning results from each computer on the network. The system should thereafter be capable of displaying the real-time results in various formats, including levels of viral activity as reported from various geographic locations, or the like. The wide-scale and real-time tracking of viruses would thereby aid in understanding, and proactively preventing, the spread of such viruses.
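As an added illustration of the aggregation step such a central tracking server would have to perform, the following sketch ingests one small report per scan and maintains a sliding window of detections keyed by region and virus. It is not code from the original document or from any product. The report format (one JSON object per line with `time`, `region` and `viruses` fields), the one-hour window, the activity thresholds, the region codes and the sample reports are all assumptions made for this example.

```python
"""Central tracking server: aggregation of scan reports (added example, not
the original document's code). Report format, window length, thresholds,
region codes and the sample reports are assumptions made for this example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

WINDOW = timedelta(hours=1)  # assumption: "current activity" means the last hour


def activity_level(count: int) -> str:
    """Map a detection count to a display level (thresholds are assumptions)."""
    if count == 0:
        return "none"
    if count <= 2:
        return "low"
    if count <= 5:
        return "medium"
    return "high"


class TrackingServer:
    """Receives one JSON report per scan, sent over the same network session that
    triggered the scan, so the view is current to within seconds rather than the
    hours an e-mailed report may take."""

    def __init__(self, window: timedelta = WINDOW) -> None:
        self.window = window
        self.events: List[Tuple[datetime, str, str]] = []  # (time, region, virus)

    def ingest(self, line: str) -> None:
        """Parse one report line. Reporting clients are untrusted, so a malformed
        line is dropped rather than allowed to crash the server."""
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["time"])
            region = str(rec["region"])
            viruses = list(rec["viruses"])
        except (ValueError, KeyError, TypeError):
            return
        if ts.tzinfo is None:           # treat naive timestamps as UTC
            ts = ts.replace(tzinfo=timezone.utc)
        for virus in viruses:
            self.events.append((ts, region, str(virus)))

    def activity(self, now: datetime) -> Dict[str, Dict[str, int]]:
        """Detections per region and per virus within the window ending at `now`."""
        cutoff = now - self.window
        counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        for ts, region, virus in self.events:
            if cutoff < ts <= now:
                counts[region][virus] += 1
        return {region: dict(c) for region, c in counts.items()}

    def summary(self, now: datetime) -> Dict[str, Tuple[str, int]]:
        """Per-region (level, total detections), the figure a world map would colour."""
        return {region: (activity_level(sum(c.values())), sum(c.values()))
                for region, c in self.activity(now).items()}

    def regions_reporting(self, virus: str, now: datetime) -> int:
        """How many distinct regions have seen `virus` in the window: a spread measure."""
        return len({r for r, c in self.activity(now).items() if virus in c})

    def first_seen(self, virus: str) -> Optional[Tuple[str, datetime]]:
        """Earliest report of `virus` over all history, a starting point for tracing
        where it originated (uses all events, not only the window)."""
        hits = [(ts, r) for ts, r, v in self.events if v == virus]
        if not hits:
            return None
        ts, region = min(hits)
        return region, ts


# Constructed sample reports (region codes and virus names are made up).
SAMPLE_REPORTS = [
    '{"time": "2000-05-04T01:02:00+00:00", "region": "AS-SE", "viruses": ["Example.A"]}',
    '{"time": "2000-05-04T01:20:00+00:00", "region": "AS-SE", "viruses": ["Example.A"]}',
    '{"time": "2000-05-04T01:45:00+00:00", "region": "AS-E", "viruses": ["Example.A"]}',
    '{"time": "2000-05-04T01:50:00+00:00", "region": "AS-SE", "viruses": ["Example.A", "Example.B"]}',
    '{"time": "2000-05-04T01:55:00+00:00", "region": "US-W", "viruses": ["Example.A"]}',
    '{"time": "2000-05-03T20:00:00+00:00", "region": "EU", "viruses": ["Example.B"]}',  # outside window
    'not json at all',                                                                 # dropped
    '{"time": "2000-05-04T01:58:00+00:00", "region": "EU"}',                           # missing field, dropped
]
NOW = datetime(2000, 5, 4, 2, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    server = TrackingServer()
    for report in SAMPLE_REPORTS:
        server.ingest(report)
    for region, (level, total) in server.summary(NOW).items():
        print(f"{region}: {level} ({total} detections in the last hour)")
    print("Example.A seen in", server.regions_reporting("Example.A", NOW), "regions")
    print("Example.B first seen:", server.first_seen("Example.B"))
```

Two points a practitioner would add before deploying something like this: the client report should be authenticated (a forged flood of reports would otherwise paint false hotspots on the map), and the in-memory event list should be pruned or moved to a database once the window has passed, since the list above grows without bound.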