Q: What's the AV industry's definition of happy?

A: Debunking cybergeddonists during MyDoom viral pandemic

Analysis If you'd like to see the personification of happy, then look no further than an AV product or service vendor in the middle of a viral pandemic.

You might think that during the MyDoom outbreak even industry insiders would lose at least little sleep over the lack of progress there has been in stemming the flood of malicious code attacks. Not so.

Look at me, I do AV!
In fact, a flood of viral-generated email guarantees that security vendors will be thrust into the spotlight. MyDoom might be a threat to users, but the virus sparked off the biggest marketing boom for vendors since 2003's SoBig-F. Better still, MyDoom spread even faster than Sobig-F, making it the worst mass mailer ever.

In the rush to be the first to tell the world about how their products and services are the most vigilant and capable on the market, security vendors have more or less abandoned any attempt to agree common names for viral code. MyDoom-A is also known as Mimail.R, Novarg.A, Shimg, W32.Novarg.A@mm, W32/Mydoom@MM by various vendors, despite calls from high profile end-user group AVIEN for the industry to standardise viral nomenclature.

This, in itself, is a recipe for confusion but users' despair is compounded when vendors give wildly different advice about both the scope of a viral attack and the best way forward in combating mass mailing worms and other viral nuisances.

Lies, damn-lies and AV statistics

In the case of MyDoom, as with other virus outbreaks, such marketing activity is often backed by questionable statistics.

Our old friends mi2g, for example, claimed at the start of February that MyDoom caused $38.5bn of economic damage worldwide. VMyth's Rob Rosenberger has pointed out that this guesstimate is 1.6 per cent of the US federal budget proposed for next year or 40 per cent of the damage to New York City on 9/11.

Predicting the damage caused by anti-attacks is a notoriously inexact science, but that hasn't stopped mi2g coming up with a figure running into the ten of billions and "correct" to three figures. Meanwhile, other vendors equally confidently dismiss the whole MyDoom epidemic as a storm in a tea cup.

Hyping anti-hype

Sophos used to specialise in posing as the voice of sanity in the industry, but now other vendors have caught the debunking bug. After all you get almost as much free publicity - and enhance corporate credibility - by exposing hype-laden cybergeddon predictions as false, as you do by making them in the first place.

Trend Micro, for example, reckons that MyDoom has been "over sensationalised" by the industry and that from a user perspective it is not that much of a worry. The statistics used to scare PC users are figures generated by those firms analysing the number of these emails in the wild, not actually hitting users, according to Trend Micro's Raimund Genes.

Jack Clark, technology consultant with McAfee Security, agrees with him: "The recent MyDoom-A is a successful flash in the pan: in a week or so it will drop off the charts, the denial of service attack will end and the author - if he has any sense - will hide under his bed until the hype is over."

According to Jay Heiser, chief analyst at TruSecure, the "biggest problem for the Internet as a whole is that the mail service is burdened with an extra load of junk mail, not only from the worm itself but also from perimeter scanners that automatically bounce-back infected messages to the apparent sender. Virtually all mass-mailer malware uses spoofed sender addresses, so it is way past time for administrators to turn off the bounce back feature."

TruSecure reckons MyDoom has caused less physical and financial damage than half-a-dozen other viruses.

Rival approaches create confusion

Minutes after MyDoom was first spotted on 26 January we received the first of scores of emails giving various vendors' opinion on the best way to combat mass mailers like MyDoom. This marketing tsunami hasn't stopped yet - almost a month later.

Say what you like about them: security vendors have never been slow on jumping on a bandwagon. And MyDoom is the Mother of Marketing Bandwagons, or should that be opportunities?

It used to be the case that AV fighters competed not in terms of technology but in terms of providing a more efficient service in a market with little product differentiation. That's changed over time, so that now there are a number of rival approaches competing for attention and end-user mind share.

First up are the email filtering firms such as MessageLabs and Avecho, which argue that the spread of MyDoom illustrates the shortcomings of the traditional AV scanner approaches. Virus should be filtered out from email traffic on the Net before they get anywhere near corporate boundaries.

Host-based intrusion prevention firms argue the opposite. Firms like Cisco, Prevx and others have been in touch to say that malicious code should be thwarted at the desktop using various types of behaviour-blocking technologies.

A third approach comes from all-in-one security appliance vendors, like ServGate, who reckon that MyDoom style attacks are best neutralised by appliances placed at the edge of the corporate network.

All these vendors - along with Websense's Client Application Manager, GFI's Trojan and Executable Scanner and Finjan Software's enterprise security software - blocked MyDoom proactively without the need for AV signature updates, we're assured.

That's a claim conventional AV firms can't make, not that it put them off seeking attention during the MyDoom epidemic, naturally. Traditional AV vendors, such as Panda Software, have been relegated to offering standard safe computing advice.

While it is fair enough to advise people to update AV signatures and to avoid opening unsolicited attachments, this message obviously isn't getting through to everyone. It takes only a small percentage of infected machines before the rest of us are drowning in spam.

Despite the transparent failure of the scanner approach, license sales from traditional AV vendors remain buoyant. History shows that sales - and share prices - of AV vendors rise on the back of high profile epidemics.

Now there are whole raft of alternative approaches, that market reaction might change. However, uncertainty over how these products fit in with company's existing security infrastructure could hold back progress. Services from filtering firms complement traditional AV protection, whereas intrusion prevention is often pitched as an alternative. The picture is far from clear and we expect the fog of marketing wars will hang over the industry for some time to come.

This might suit the industry - but it doesn't help users one little bit. ®

Related Stories

MyDoom dies today
MyDoom assault forces SCO.com off the net
Worms pour through MyDoom back door
Sobig-F is fastest growing virus ever - official
And now we are One. Many unhappy returns to SoBig
Virus writers outpace traditional AV
The trouble with anti-virus
Anti-virus industry: white knight or black hat?

Other stories you might like

Biting the hand that feeds IT © 1998–2021