This article is more than 1 year old

Why Sobig is bad for privacy and AV vendors

The drugs don't work

Eight years ago when I first used the Internet, while doing support work in a Manchester cyber café, email was a joy.

I could contact my friends, even when they were on the other side of the world, on the click of a mouse. It was so much easier and cheaper than the alternatives - snail mail or the phone.

Email is still enormously useful as a journalist (not least as an important source of news leads) and but the increased prevalence of spam and viral messages is undermining this.

Drowning in malicious code

Email services firms such as MessageLabs and Brightmail will tell you that one in two emails is now junk email. At The Register this figure is more like four in five emails, and that was before the recent outbreak of Sobig-F.Currently the ratio of legitimate email to malicious junk is approximately two in 100. Clearing out my email inbox is becoming a near Herculean task.

Outsourced security

To get around the junk mail overload, home users can use tools such as Spam Assassin or Mailwasher while small businesses can use managed services like MessageLabs,, intY and the rest.

With Spam Assassin - the most accurate anti-spam package we've found so far - you still have to download email, so if you get sent in excess of 3,000 copies or bounced messages over the weekend (a real figure for us here) that's still a problem.

And if you use managed services (which alleviate the bandwidth headache) then privacy is undermined. By definition you have to trust a third-party - an undesirable consequence of using services that do reduce the signal to noise ratio of email traffic down to sensible proportions.

The emerging breed of anti-virus firewalls and all-in one security appliances enable larger businesses to tackle the problem in-house but these are prohibitively expensive for home users and many SMEs.

Internet moves to an ex-directory model

As well as the expense, the increased prevalence of malicious and nuisance emails creates an uncomfortable dilemma for news services and Net-facing email firms.

In response to Sobig-F, many firms will be forced to make their customers jump through more hoops (Web-based forms being one of the more elegant approaches) to get in touch with them. Some will be tempted to abandon existing email addresses as hopelessly compromised.

Although Sobig-F is, at least for net-facing firms, an order of magnitude worse than anything we've seen before, things have deteriorated over the last three years or so.

Every day, in every way, it's getting worse and worse

Starting off with the Love Bug and moving on through the Anna Kournikova worm, Nimda, Klez and the rest each new worm is more ferocious. Virus writers have upped their game in terms of social engineering tricks and propagation techniques; the ability to scour hard drives for email addresses and spoof viral-laden messages are examples of this.

In particular the speed at which viruses take hold is outpacing the capacity of AV firms to develop fixes for users to deploy them. The critical path has gone critical.

Managed services firm MessageLabs reckons that at the height of the Sobig outbreak one in 17 emails were viral.

Rival firm intY, which specialises in providing services to SMEs, reckons smaller businesses were particularly affected by the prolific worm. At the height of the outbreak last week, intY was blocking one in three emails. Even now one in seven emails that intY analyses are viral.

According to Paul Richards, development manager at intY, the higher rate of virus interceptions among its user base is accounted for because smaller businesses were disproportionately targeted by the worm. Smaller businesses generally have a wider diversity of email contacts and this too helps explains why they were hit harder, Richards added.

Sobig-F is, lest we forget, sixth in a series of increasingly aggressive worms, and it's unlikely to be the last.

The blame game

So who's the blame for this mess?

Microsoft is an easy target. Its success on the desktop has created a monoculture through which viruses can spread. Until Windows 2003, Microsoft products shipped with security turned off by default. The auto-execution features of Outlook and Outlook Express allowed viruses to execute in the preview pane, until it issued a patch.

Now Redmond has embraced security by default in the design of its products but this will take years to work through the system. Microsoft points out that it has supplied fixes to correct most of these issues.

But how often are they applied? Not frequently enough, clearly.

It takes just a small percentage of users to get infected for a virus to become a bandwidth-hogging, time-consuming nuisance for the rest of us.

With Sobig-F even those Linux, Unix, OS/2 and Apple users who are immune from the infection are still flooded with viral email, to say nothing of the bounced messages from AV scanners reporting that messages they never sent are infected with viral code. Windows users who properly secure their systems see much the same effect.

AV vendors have mined a rich seam of free publicity on the back of Sobig and Blaster. They say you must deploy and update AV tools to protect yourselves against the worm. Enterprises should consider blocking executables at the gateway, they add.

It's a familiar theme and it's wearing thin.

Blunt razor blades

Anti-virus technology is reactive by its very nature - signatures to detect malicious code are not produced until after a new strain of virus has appeared. It has evolved little over the last few years. Some improvements have been made in heuristics and in pushing updates around in corporate environments but it's hard to conclude that virus writers do not have the upper hand.

And while we're apportioning blame let's not forget the central role malicious code creators are playing in this mess. Circumstantial evidence from the behaviour of previous variants of Sobig suggest the worm could have been used to create a virtually untraceable network of compromised machines to act as spam proxies.

This suspicion has grown with the release of the latest variant of the worm.

It's a truism in information security that defence is far harder than attack and this is ably demonstrated by the latest malicious code outbreaks.

In defending against the worm, the Internet community may have to move towards a new defensive posture. More of the same just won't do.

Virus filtering services from ISPs and managed services firms will become a more attractive alternative, despite the privacy concerns involved in their use. In the short term AV firms can look to a boost in sales from the publicity generated by the Sobig outbreak.


But Symantec, McAfee, Sophos and the rest would do well to look over their shoulder. Behaviour blocking technology - which is able to stop malicious code executing on the desktop - could supplant AV tools as the first line of defence against viral code. Cisco's acquisition of behaviour blocking firm Okena earlier this year signals that heavyweights are eyeing this market for growth. In this scenario, conventional AV tools would then become file disinfectors - not the first line of defence against malicious code.

This market change, along with a retreat into a less open Internet, might be seen as the true legacy of the Sobig pandemic a couple of years hence. ®

Related stories

Blaster rewrites Windows worm rules
Sobig second wave attack fails to strike
Sobig-F is fastest growing virus ever - official
Auto-responders magnify Sobig problem
Email worm joins Blaster attack on Windows
Why spammers lurve the 'Microsoft support' worm (Sobig-A)
On Spam cures that are worse than the disease
Anti-spam packages 'too unreliable' to certify
Melissa virus author jailed for 20 months
Virus writers outpace traditional AV
AV vendors sell 'blunt razor blades'


Similar topics


Send us news

Other stories you might like