Why Sobig is bad for privacy and AV vendors

The drugs don't work


Eight years ago when I first used the Internet, while doing support work in a Manchester cyber café, email was a joy.

I could contact my friends, even when they were on the other side of the world, at the click of a mouse. It was so much easier and cheaper than the alternatives - snail mail or the phone.

Email is still enormously useful to a journalist (not least as an important source of news leads), but the increased prevalence of spam and viral messages is undermining this.

Drowning in malicious code

Email services firms such as MessageLabs and Brightmail will tell you that one in two emails is now junk email. At The Register this figure is more like four in five emails, and that was before the recent outbreak of Sobig-F. Currently the ratio of legitimate email to malicious junk is approximately two in 100. Clearing out my email inbox is becoming a near Herculean task.

Outsourced security

To get around the junk mail overload, home users can use tools such as Spam Assassin or Mailwasher while small businesses can use managed services like MessageLabs, Avecho.com, intY and the rest.

With Spam Assassin - the most accurate anti-spam package we've found so far - you still have to download email, so if you get sent in excess of 3,000 copies or bounced messages over the weekend (a real figure for us here) that's still a problem.

And if you use managed services (which alleviate the bandwidth headache) then privacy is undermined. By definition you have to trust a third party - an undesirable consequence of using services that do bring the noise in email traffic down to sensible proportions.

The emerging breed of anti-virus firewalls and all-in-one security appliances enables larger businesses to tackle the problem in-house, but these are prohibitively expensive for home users and many SMEs.

Internet moves to an ex-directory model

As well as the expense, the increased prevalence of malicious and nuisance emails creates an uncomfortable dilemma for news services and Net-facing email firms.

In response to Sobig-F, many firms will be forced to make their customers jump through more hoops (Web-based forms being one of the more elegant approaches) to get in touch with them. Some will be tempted to abandon existing email addresses as hopelessly compromised.

Although Sobig-F is, at least for net-facing firms, an order of magnitude worse than anything we've seen before, things have deteriorated over the last three years or so.

Every day, in every way, it's getting worse and worse

Starting off with the Love Bug and moving on through the Anna Kournikova worm, Nimda, Klez and the rest, each new worm is more ferocious. Virus writers have upped their game in terms of social engineering tricks and propagation techniques; the ability to scour hard drives for email addresses and to spoof the sender of virus-laden messages are examples of this.

In particular, the speed at which viruses take hold is outpacing the capacity of AV firms to develop fixes and of users to deploy them. The critical path has gone critical.

Managed services firm MessageLabs reckons that at the height of the Sobig outbreak one in 17 emails was viral.

Rival firm intY, which specialises in providing services to SMEs, reckons smaller businesses were particularly affected by the prolific worm. At the height of the outbreak last week, intY was blocking one in three emails. Even now one in seven emails that intY analyses is viral.

According to Paul Richards, development manager at intY, the higher rate of virus interceptions among its user base is explained by smaller businesses being disproportionately targeted by the worm. Smaller businesses generally have a wider diversity of email contacts, and this too helps explain why they were hit harder, Richards added.

Sobig-F is, lest we forget, sixth in a series of increasingly aggressive worms, and it's unlikely to be the last.

The blame game

So who's to blame for this mess?

Microsoft is an easy target. Its success on the desktop has created a monoculture through which viruses can spread. Until Windows 2003, Microsoft products shipped with security turned off by default. The auto-execution features of Outlook and Outlook Express allowed viruses to execute in the preview pane, until Microsoft issued a patch.

Now Redmond has embraced security by default in the design of its products but this will take years to work through the system. Microsoft points out that it has supplied fixes to correct most of these issues.

But how often are they applied? Not frequently enough, clearly.

It takes just a small percentage of users to get infected for a virus to become a bandwidth-hogging, time-consuming nuisance for the rest of us.

With Sobig-F even those Linux, Unix, OS/2 and Apple users who are immune to the infection are still flooded with viral email, to say nothing of the bounced messages from AV scanners reporting that messages they never sent are infected with viral code. Windows users who properly secure their systems see much the same effect.

AV vendors have mined a rich seam of free publicity on the back of Sobig and Blaster. They say you must deploy and update AV tools to protect yourself against the worm. Enterprises should consider blocking executables at the gateway, they add.
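The two points above, blocking executables at the gateway and the flood of AV bounces landing on people who never sent anything, fit together in one policy decision. The following is an added example, not code from the article or from any gateway vendor: a minimal inbound-mail policy that blocks executable attachments and refuses them during the SMTP session rather than generating a bounce, so that a forged sender never receives a "your message was infected" notice. The extension list, the function names and the sample messages are assumptions constructed for the example.

```python
"""Added example (not from the article): gateway policy that rejects executable
attachments at SMTP time instead of bouncing them to a possibly forged sender."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions this hypothetical gateway treats as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com", ".cmd", ".vbs"}


def executable_attachments(msg):
    """Return the filenames of attachments whose extension marks them executable."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            found.append(name)
    return found


def backscatter_recipient(msg):
    """Address a post-acceptance bounce would go to: the envelope sender if
    recorded, else the From header.  During a mass-mailer outbreak this is
    usually a harvested, innocent address, which is why bouncing is wrong."""
    return str(msg.get("Return-Path") or msg["From"])


def gateway_decision(raw):
    """Decide what the gateway does with one inbound message given as bytes.

    'reject' is a 5xx reply to the connected MTA while the session is open:
    only the machine that actually delivered the message hears about it.
    'accept' is a 250; the message continues to normal scanning/delivery.
    Neither path notifies the (possibly forged) Return-Path or From address.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    bad = executable_attachments(msg)
    if bad:
        return {"action": "reject",
                "smtp_reply": "550 5.7.1 Executable attachments are not accepted",
                "attachments": bad,
                "would_have_backscattered_to": backscatter_recipient(msg)}
    return {"action": "accept", "smtp_reply": "250 2.0.0 OK",
            "attachments": [], "would_have_backscattered_to": None}


def build_sample(with_executable):
    """Construct a sample message (not captured from real traffic)."""
    msg = EmailMessage()
    msg["From"] = "forged.victim@example.org"   # spoofed sender, as mass-mailers do
    msg["To"] = "newsdesk@example.net"
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see the attached file.")
    if with_executable:
        msg.add_attachment(b"constructed placeholder bytes, not a real program",
                           maintype="application", subtype="octet-stream",
                           filename="details.pif")
    else:
        msg.add_attachment("quarterly figures", subtype="plain",
                           filename="figures.txt")
    return bytes(msg)


if __name__ == "__main__":
    for flag in (True, False):
        print(gateway_decision(build_sample(flag)))
```

The design point is where the decision is taken: a rejection inside the SMTP dialogue lands on the relay that actually connected, whereas a bounce created after acceptance is a brand-new message addressed to whatever the worm put in the sender fields.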

It's a familiar theme and it's wearing thin.

Blunt razor blades

Anti-virus technology is reactive by its very nature - signatures to detect malicious code are not produced until after a new strain of virus has appeared. It has evolved little over the last few years. Some improvements have been made in heuristics and in pushing updates around in corporate environments but it's hard to conclude that virus writers do not have the upper hand.

And while we're apportioning blame let's not forget the central role malicious code creators are playing in this mess. Circumstantial evidence from the behaviour of previous variants of Sobig suggests the worm could have been used to create a virtually untraceable network of compromised machines to act as spam proxies.

This suspicion has grown with the release of the latest variant of the worm.

It's a truism in information security that defence is far harder than attack and this is ably demonstrated by the latest malicious code outbreaks.

In defending against the worm, the Internet community may have to move towards a new defensive posture. More of the same just won't do.

Virus filtering services from ISPs and managed services firms will become a more attractive alternative, despite the privacy concerns involved in their use. In the short term AV firms can look to a boost in sales from the publicity generated by the Sobig outbreak.


But Symantec, McAfee, Sophos and the rest would do well to look over their shoulder. Behaviour blocking technology - which is able to stop malicious code executing on the desktop - could supplant AV tools as the first line of defence against viral code. Cisco's acquisition of behaviour blocking firm Okena earlier this year signals that heavyweights are eyeing this market for growth. In this scenario, conventional AV tools would then become file disinfectors - not the first line of defence against malicious code.
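To make the contrast between reactive signatures and behaviour blocking concrete, here is an added example; it is not code from the article or from any AV or behaviour-blocking vendor. It models a signature database that knows only the variants already analysed, alongside a desktop rule that judges what a program does after it is launched. The sample "variants", the event-trace format, the address-store file types and the connection threshold are all constructed assumptions.

```python
"""Added example (not from the article): why signature scanning is reactive,
and what a behaviour rule adds for a variant the vendor has not yet seen."""
import hashlib

# Constructed signature database: the vendor has catalogued variants A to E.
# Nothing in it can match a variant that has not yet been seen and analysed.
KNOWN_SIGNATURES = {
    hashlib.sha256(f"constructed-sample-variant-{v}".encode()).hexdigest()
    for v in "ABCDE"
}

# Tuning for the behaviour rule (assumed values, not from the article).
SMTP_CONNECTION_THRESHOLD = 20
ADDRESS_STORE_SUFFIXES = (".wab", ".dbx")   # hypothetical address-book file types


def signature_scan(sample):
    """Reactive detection: True only if this exact content is already catalogued."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_SIGNATURES


def publish_signature(sample):
    """The vendor's update cycle: after analysis, the new variant is added."""
    KNOWN_SIGNATURES.add(hashlib.sha256(sample).hexdigest())


def behaviour_verdict(events):
    """Return 'block' or 'allow' for a trace of (kind, detail) process events.

    The rule models a desktop behaviour blocker: a program launched from a
    mail attachment that reads an address store and then opens many outbound
    SMTP connections is stopped, whatever its hash.  A real mail client reads
    the same files but stays well under the threshold, so it is allowed.
    """
    origin = next((d for k, d in events if k == "exec_origin"), "unknown")
    reads_addresses = any(
        k == "file_read" and d.lower().endswith(ADDRESS_STORE_SUFFIXES)
        for k, d in events
    )
    smtp_connections = sum(
        1 for k, d in events if k == "net_connect" and d.endswith(":25")
    )
    if (origin == "mail_attachment" and reads_addresses
            and smtp_connections >= SMTP_CONNECTION_THRESHOLD):
        return "block"
    return "allow"


def trace_unknown_mass_mailer():
    """Constructed trace of a not-yet-catalogued variant launched from an attachment."""
    events = [("exec_origin", "mail_attachment"),
              ("file_read", "C:/Users/alice/addressbook.wab")]
    events += [("net_connect", f"198.51.100.{i}:25") for i in range(1, 41)]
    return events


def trace_mail_client():
    """Constructed trace of a legitimate mail client sending two messages."""
    return [("exec_origin", "user_shortcut"),
            ("file_read", "C:/Users/alice/addressbook.wab"),
            ("net_connect", "mail.example.net:25"),
            ("net_connect", "mail.example.net:25")]


if __name__ == "__main__":
    new_variant = b"constructed-sample-variant-F"
    print("signature, before update:", signature_scan(new_variant))
    print("behaviour verdict:", behaviour_verdict(trace_unknown_mass_mailer()))
    publish_signature(new_variant)
    print("signature, after update:", signature_scan(new_variant))
```

The gap the article describes is the window between the first line and the third: until the vendor publishes a signature, `signature_scan` cannot say anything about the new variant, while the behaviour rule has already stopped it. The price of that rule is tuning: the threshold and the origin check are what keep the legitimate mail client on the "allow" side.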

This market change, along with a retreat into a less open Internet, might be seen as the true legacy of the Sobig pandemic a couple of years hence. ®

Related stories

Blaster rewrites Windows worm rules
Sobig second wave attack fails to strike
Sobig-F is fastest growing virus ever - official
Auto-responders magnify Sobig problem
Email worm joins Blaster attack on Windows
Why spammers lurve the 'Microsoft support' worm (Sobig-A)
On Spam cures that are worse than the disease
Anti-spam packages 'too unreliable' to certify
Melissa virus author jailed for 20 months
Virus writers outpace traditional AV
AV vendors sell 'blunt razor blades'
