Why Sobig is bad for privacy and AV vendors

The drugs don't work

Eight years ago when I first used the Internet, while doing support work in a Manchester cyber café, email was a joy.

I could contact my friends, even when they were on the other side of the world, on the click of a mouse. It was so much easier and cheaper than the alternatives - snail mail or the phone.

Email is still enormously useful to a journalist (not least as an important source of news leads), but the increased prevalence of spam and viral messages is undermining this.

Drowning in malicious code

Email services firms such as MessageLabs and Brightmail will tell you that one in two emails is now junk email. At The Register this figure is more like four in five emails, and that was before the recent outbreak of Sobig-F. Currently the ratio of legitimate email to malicious junk is approximately two in 100. Clearing out my email inbox is becoming a near Herculean task.

Outsourced security

To get around the junk mail overload, home users can use tools such as Spam Assassin or Mailwasher while small businesses can use managed services like MessageLabs, Avecho.com, intY and the rest.

With Spam Assassin - the most accurate anti-spam package we've found so far - you still have to download email, so if you get sent in excess of 3,000 copies or bounced messages over the weekend (a real figure for us here) that's still a problem.

And if you use managed services (which alleviate the bandwidth headache) then privacy is undermined. By definition you have to trust a third-party - an undesirable consequence of using services that do reduce the signal to noise ratio of email traffic down to sensible proportions.

The emerging breed of anti-virus firewalls and all-in-one security appliances enables larger businesses to tackle the problem in-house, but these are prohibitively expensive for home users and many SMEs.

Internet moves to an ex-directory model

As well as the expense, the increased prevalence of malicious and nuisance emails creates an uncomfortable dilemma for news services and Net-facing email firms.

In response to Sobig-F, many firms will be forced to make their customers jump through more hoops (Web-based forms being one of the more elegant approaches) to get in touch with them. Some will be tempted to abandon existing email addresses as hopelessly compromised.

Although Sobig-F is, at least for net-facing firms, an order of magnitude worse than anything we've seen before, things have deteriorated over the last three years or so.

Every day, in every way, it's getting worse and worse

Starting off with the Love Bug and moving on through the Anna Kournikova worm, Nimda, Klez and the rest, each new worm has been more ferocious than the last. Virus writers have upped their game in terms of social engineering tricks and propagation techniques; the ability to scour hard drives for email addresses and to send viral-laden messages with spoofed sender addresses are examples of this.

In particular, the speed at which viruses take hold is outpacing the capacity of AV firms to develop fixes and of users to deploy them. The critical path has gone critical.

Managed services firm MessageLabs reckons that at the height of the Sobig outbreak one in 17 emails were viral.

Rival firm intY, which specialises in providing services to SMEs, reckons smaller businesses were particularly affected by the prolific worm. At the height of the outbreak last week, intY was blocking one in three emails. Even now, one in seven emails that intY analyses is viral.

According to Paul Richards, development manager at intY, the higher rate of virus interceptions among its user base is accounted for by smaller businesses being disproportionately targeted by the worm. Smaller businesses generally have a wider diversity of email contacts, and this too helps explain why they were hit harder, Richards added.

Sobig-F is, lest we forget, sixth in a series of increasingly aggressive worms, and it's unlikely to be the last.

The blame game

So who's to blame for this mess?

Microsoft is an easy target. Its success on the desktop has created a monoculture through which viruses can spread. Until Windows 2003, Microsoft products shipped with security turned off by default. The auto-execution features of Outlook and Outlook Express allowed viruses to execute in the preview pane, until Microsoft issued a patch.

Now Redmond has embraced security by default in the design of its products but this will take years to work through the system. Microsoft points out that it has supplied fixes to correct most of these issues.

But how often are they applied? Not frequently enough, clearly.

It takes just a small percentage of users to get infected for a virus to become a bandwidth-hogging, time-consuming nuisance for the rest of us.

With Sobig-F even those Linux, Unix, OS/2 and Apple users who are immune from the infection are still flooded with viral email, to say nothing of the bounced messages from AV scanners reporting that messages they never sent are infected with viral code. Windows users who properly secure their systems see much the same effect.

AV vendors have mined a rich seam of free publicity on the back of Sobig and Blaster. They say you must deploy and update AV tools to protect yourselves against the worm. Enterprises should consider blocking executables at the gateway, they add.

It's a familiar theme and it's wearing thin.

Blunt razor blades

Anti-virus technology is reactive by its very nature - signatures to detect malicious code are not produced until after a new strain of virus has appeared. It has evolved little over the last few years. Some improvements have been made in heuristics and in pushing updates around in corporate environments but it's hard to conclude that virus writers do not have the upper hand.

And while we're apportioning blame, let's not forget the central role malicious code creators are playing in this mess. Circumstantial evidence from the behaviour of previous variants of Sobig suggests the worm could have been used to create a virtually untraceable network of compromised machines to act as spam proxies.

This suspicion has grown with the release of the latest variant of the worm.

It's a truism in information security that defence is far harder than attack and this is ably demonstrated by the latest malicious code outbreaks.

In defending against the worm, the Internet community may have to move towards a new defensive posture. More of the same just won't do.

Virus filtering services from ISPs and managed services firms will become a more attractive alternative, despite the privacy concerns involved in their use. In the short term AV firms can look to a boost in sales from the publicity generated by the Sobig outbreak.

Changes

But Symantec, McAfee, Sophos and the rest would do well to look over their shoulder. Behaviour blocking technology - which is able to stop malicious code executing on the desktop - could supplant AV tools as the first line of defence against viral code. Cisco's acquisition of behaviour blocking firm Okena earlier this year signals that heavyweights are eyeing this market for growth. In this scenario, conventional AV tools would then become file disinfectors - not the first line of defence against malicious code.

This market change, along with a retreat into a less open Internet, might be seen as the true legacy of the Sobig pandemic a couple of years hence. ®

Related stories

Blaster rewrites Windows worm rules
Sobig second wave attack fails to strike
Sobig-F is fastest growing virus ever - official
Auto-responders magnify Sobig problem
Email worm joins Blaster attack on Windows
Why spammers lurve the 'Microsoft support' worm (Sobig-A)
On Spam cures that are worse than the disease
Anti-spam packages 'too unreliable' to certify
Melissa virus author jailed for 20 months
Virus writers outpace traditional AV
AV vendors sell 'blunt razor blades'
