“The patch model for Internet security has failed spectacularly,” the report said. “The fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicized indicates that the security model in which end-users apply patches to plug security holes is not viable.”
Witty’s victims were “participating in the best security practice that can be reasonably expected,” noted CAIDA, which previously published analyses of the Slammer and Code Red worms. “It is both impractical and unwise to expect every individual with a computer connected to the Internet to be a security expert.”
Witty is one of several recent malware outbreaks that have made end-runs around anti-virus programs. Several recent variants of the Bagle virus have spread by exploiting an auto-download feature in HTML e-mail rather than arriving as an attachment. The Phatbot trojan “has the ability to polymorph on install in an attempt to evade antivirus signatures,” according to an analysis from Lurhq.
CAIDA urged the security community to “reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem,” and instead focus on writing better software and developing more secure Internet infrastructure. But those are complex, long-term solutions to an immediate challenge. If malware authors are indeed gaining the upper hand over the security community, the problems envisioned by CAIDA are likely to arrive long before the solutions.