AV bigwigs weigh in on Sobig debate
Is the Internet dead yet, asks Vmyths founder
Reg Letters We've had plenty of feedback to our op ed piece yesterday on the wider implications of the Sobig worm. It wasn't easy but we managed to extract your insightful gems from the torrent of junk descending into my mail box. But it was worth it.
Most of you agree with our central thesis that the outbreak of Sobig has exposed the weaknesses of current generations of antivirus tools, but there's disagreement about the way forward.
Dr Alan Solomon, the founder of Dr Solomon's Anti-virus reckons the way forward is to charge for email. We dislike this idea on general principle (email should be open) but he advances a strong argument as to why other approaches are doomed to fail.
Scanners cannot work any more. That was true about three to four years ago, it's only now becoming obvious.
No way am I going to install software on my computers that's had less than a couple of days of testing from the programmer's hands to my systems. Believe me, I know what happens when you release AV software that isn't sufficiently tested. And no way can anything less frequent than a weekly update make sense.
Heuristics only work for really poor virus authors. The more sophisticated ones merely use trial and error until they've evaded the heuristic.
Behaviour blockers won't work either. Been there, done that. They didn't work 20 years ago, they won't work now. What, you're going to block any program that sends out an email with an attachment? Or you're going to pop up a box asking the user to make a decision that he cannot possibly make, and he'll click on OK every time?
The answer is, a change in the email protocol that can wipe out spam and severely curb virus spread, and the change isn't actually very complex or difficult to understand. What we need is the pre-paid penny post. When it costs you a penny to send an email, you'll think, hey, that's a bargain compared to the cost of texting, it won't deter you from chatting with friends, but it will make the 10,000,000 email spammer think twice about spending £100,000. And it'll curb the spread of email viruses, because users who let their computers become virus-spreaders, will face the cost of the mess they're making. Or they'll run out of "stamps" and the virus on their computer won't be able to spread itself.
But it needs someone to get the idea accepted. I don't know anyone who is doing so.
In our article, we highlighted the new generation of behaviour-based blocking tools (also known as host-based intrusion prevention systems) as an alternative approach to stopping malicious code executing on users' desktops. This approach isn't without it pitfalls, notably the difficulty in establishing rules on allowed and disallowed behaviours, and there's mixed reaction from our postbox on this idea. Dr Solomon, like a substantial number of you, was of the 'been there, done that - it didn't work' school of thought. However Reg reader Peter Holzleitner was more receptive to the concept.
The very minimum in "behaviour based" filtering would suffice, which is to eliminate ALL executable content. There is NO business need for it. We use http://www.mailscanner.info with great success - it stopped Sobig even before the AV tables were updated.
It is free, will work with your preferred AV scanner (which is still useful to kill macro viruses without clobbering the documents) and uses SpamAssassin as a plug-in.
Many of you pick up on our annoyance about auto-responses from AV scanners or badly configured mailservers sending out spurious messages when they receive copies of Sobig with spoofed email addresses.
New England-based reader Benno Belhumeur advances a theory that these auto responder messages may be part of what the virus itself is doing.
One of my users has been hit particularly hard by these "auto responders" and the odd thing is the responses are coming back with worm attachment still attached (and being detected by NAV [Norton Anti-Virus] (and then a response is sent out)). Looking at the headers it seems they're all coming from a few IPs and with forged return addresses. As far as I know NAV doesn't include the virus file in its response nor does it forge senders e-mail addresses. I think the text virus e-mail itself may have been changed to the text of a NAV auto-response. This is the only thing I can think of that would explain what's happening here.
An interesting theory but how it's not just auto response messages from Norton we're dealing with here. Evidence from our in-boxes suggests Belhumeur is probably incorrect. Then again, without a complete, comprehensive analysis of the worm (and why is that taking so long to appear? We only learned about Sobig's second wave attack days after it first appeared) its difficult to say.
However this message storm is being generated, reader Clive Page, of the UK's University of Leicester, highlights widespread general annoyance about this aspect of the problem.
He also makes a good point about how difficult it is for home users with only narrowband connections to download all the patches Microsoft advises it is necessary to apply.
The storm of messages with spoofed "From" fields have been made worse by the messages being rejected by so many corporate mail hubs and simply sent back to the apparent sender, usually with the virus attachment intact. I think the original virus outflow has stopped, but I'm still getting rejection messages complete with payload. In my view, most of the anti-virus products have simply made matters worse by this stupid behaviour.
Secondly: I'm a fairly typical home user with Windows on my PC, but I haven't been able to apply all the critical Microsoft patches. I don't have a broadband connection, and the total volume of updates now comes to many megabytes: I don't want to take the risk of staying online for the several hours it would take to download all these. I have tried to download them here, where we have a fast connection, to take home on a CD, but Microsoft will not allow patches to be downloaded except to PCs running Windows, so I am stymied. I expect similar problems have led to the vast number of unpatched, hence insecure, home PCs still on the net. So Microsoft are, yet again, partly to blame for this situation.
Indeed there's no shortage of entities Reg readers would like to put in the stocks for the Sobig pandemic. Microsoft (chiefly for creating the malware magnet that is Outlook), ISPs (for not filtering viruses - even though this has to be a ready market many users would be happy to subscribe to), AV vendors (for producing tools that are incapable of responding to fast-spreading worms) and the virus authors themselves all come in for criticism in our postbag. Some of you said we're overplaying the privacy concerns involved in trusting ISPs or managed services providers to filter malicious messages from email traffic. Others, a minority, say this is a real issue.
Meanwhile, Sam Bailey reckons its users wots to blame for the sorry state of many in-boxes.
You take your average small / big biz user sitting in front of a powerful machine with massive amounts of bandwidth... most are sadly clueless about anything beyond using Word or Outlook let alone viruses, worms and whatever else.
My approach is to simply have the mail client act more responsibly via plug-in via random testing i.e. popup a "you receive a mail entitled Anna Kornikova naked pics! Do you a) send to all your friends b) delete it immediately c) save it for after the working day" etc. According to the users answer the mail client / server controls there behaviour and alerts IT staff of a user in serious need of some training. The account can even be locked down until they pass a test - the "I have to ask someone I perceive as beneath me to let me use my email" is usually enough to get them using there brain a little more actively and suddenly the virus problems are cut by three-quarters.
Alternatively MS license the "read the text in the picture" to be added to the users approved list would help no end.
Not sure we're that keen on challenge response systems but we hear what you're saying, Sam.
Manni Heumann is also inclined to blame end users.
Sobig is not a technical problem. Give us the best AV technology you can think of. Give us email clients that will never ever start a program unless the user makes it. The next worm will still spread based upon the fact that users like to click their attachments.
Don't blame people for not updating their AV software. Blame them for clicking every [expletive deleted] attachment they receive. As long as each moron can get on the internet, worms and spammers will have something to feed upon.
I am as sick and tired of the windows-security-holes litany as of the security holes themselves. In fact, the vision of really good AV software and a windows version without security holes scares the hell out of me. Just think of it: Imagine years without worms, without security alerts from MS, and without a post on BugTraq. But someday, somebody will be clever enough to figure out how to make that thing blow up. And what then? By then, people will rely even more on their AV software and their blessed OS as they do now. They will know longer know that you are not supposed to click anything that looks even remotely clickable. And thus, they will click.
Software doesn't kill email, morons do.
Don't hold back, Manni. And remember it's not about users clicking attachments - remember that many worms have exploited the auto-preview feature in Outlook (Express) to spread. Yes, Microsoft has fixed this and yes, many people have still not applied this fix.
Rod Furey believes open source software is the answer. As we've repeatedly noted Linux, Mac OS, OS/2 and Unix users are immune to the virus itself but are still getting carpet bombed by the message storm it generates.
I'm just sick of people complaining about this sort of thing. The usual car analogy will suffice:
Bill: My car has 60,000 faults which render it susceptible to someone else taking
control of it whilst I'm driving.
Fred: Really? Mine has less than 100 and I can go where I want to.
Bill: Give me the name of your dealer - I'm going to buy one of yours.
And for computers:
Bill: My operating environment has 60,000 faults which render it susceptible to someone else taking control of it. And I spend all of my time applying security patches (30 so far this year).
Fred: Really? My operating system has less than 100, far fewer security patches and I spend my time doing what I want.
Bill: Yes, but no one uses your system.
Hello? Excuse me? What?
So it's 'Johnny Manager' - not the helpless end user that's to blame. A good point, to which we'd add that any approach that premised on users doing the right thing seems bound to run into trouble sooner rather than later. Over time, the prevalence of these MS-centric viruses will become a stronger and more compelling reason for users to consider open source alternatives. Microsoft is well aware of this, hence the Trusted Computing initiative. Redmond is taking steps to produce more secure code, in its own self interest, but this is taking time to reach the market. In fairness to Microsoft, its security experts (at least in private) are happy to acknowledge this point.
But we digress.
We'll leave it to Denise Rosenberger, wife of Vmyths editor Rob Rosenberger, who's currently on active service in Iraq, to close this selection of correspondence.
Rob Rosenberger is my husband. He called from Iraq to ask if the Internet had finally died. He said that you would know the answer, and, that I am supposed to ask you.
Rob (and Denise), I'm pleased to say the Internet is very much alive and well. The Sobig epidemic is a major nuisance but we're getting through. ®
Why Sobig is bad for privacy and AV vendors
Blaster rewrites Windows worm rules
Sobig second wave attack fails to strike
Sobig-F is fastest growing virus ever - official
Auto-responders magnify Sobig problem
Email worm joins Blaster attack on Windows
Why spammers lurve the 'Microsoft support' worm (Sobig-A)
On Spam cures that are worse than the disease
Virus writers outpace traditional AV
AV vendors sell 'blunt razor blades'
Sponsored: RAID: End of an era?