Are anti-virus companies behind the viruses?
Avecho, Britain’s ‘complete worry-free mail service’, reckons “the world needs to wake up to the fact that the anti-virus industry is not an anti-virus industry, it is a definition-selling industry and they just love these viruses. The more afraid you are, the more money you spend with them.”
This problem is solvable, quickly, according to avecho. It points to avecho’s own ThreatCENSOR, which “applies a wonderful, simple piece of logic which has stopped MiMail, SoBig, MyDoom and all variations of Bagle and NetSky. It is not rocket science, it is simple and fool-proof. It is based upon the reality of how we work.” ThreatCENSOR works on the simple premise that:
- viruses are executable code — in other words, globs of computer programs that attach themselves to emails and try to get you, the recipient, to open them.
- 99% or more of all normal communications do not contain any executable code. “These are documents, graphics, sounds or text. If you want a piece of executable code, you invariably know that you want it, and from whom.”
- by applying a simple rule ‘I will only accept executable code from people I know – and that I am expecting’, ThreatCENSOR stops over 98% of all viruses, with no traditional anti-virus at all.
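The three premises above amount to a policy that is easy to write down as code. What follows is an added example, not avecho's or ThreatCENSOR's code: a gate that walks a message's attachments, decides whether each one is executable (by extension, by magic bytes, and by looking inside zip archives, since Bagle and Netsky carried their payload in a .zip), and rejects it unless the sender is on a known list and the recipient has said that file is expected. The allowlist, the "expected" table and the sample messages are all constructed here for illustration.

```python
"""Attachment gate in the spirit of the rule above: executable content is
accepted only from a known sender AND only when the recipient said they
expect that file. Added example, not avecho's code; allowlist, expected
table and sample messages are constructed here."""
import email
import email.utils
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows will execute on double-click (typical, not exhaustive).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta")

# Hypothetical configuration: who we know, and which executables we asked for.
KNOWN_SENDERS = {"alice@example.org", "bob@example.org"}
EXPECTED = {"alice@example.org": {"installer.exe"}}

ZIP_MEMBER_LIMIT = 50_000_000  # refuse to inflate anything bigger (zip bombs)


def looks_executable(name, data):
    """True if the attachment is executable by extension OR by magic bytes,
    so 'photo.jpg.scr' and a PE file renamed to .txt are both caught.
    Zip archives are opened and their members checked recursively, because
    Bagle and Netsky variants shipped their payload inside a .zip."""
    lowered = (name or "").lower()
    if lowered.endswith(EXECUTABLE_EXTS):
        return True
    if data.startswith(b"MZ") or data.startswith(b"\x7fELF"):
        return True
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > ZIP_MEMBER_LIMIT:
                        return True
                    if looks_executable(info.filename, zf.read(info)):
                        return True
        except zipfile.BadZipFile:
            return True  # malformed archive: fail closed
    return False


def policy(raw_message):
    """Return ('accept', '') or ('reject', reason) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not looks_executable(name, data):
            continue
        if sender not in KNOWN_SENDERS:
            return ("reject", f"executable {name!r} from unknown sender {sender!r}")
        if name.lower() not in EXPECTED.get(sender, set()):
            return ("reject", f"executable {name!r} from {sender!r} was not expected")
    return ("accept", "")


# --- constructed sample messages -------------------------------------------
def build(sender, filename, data):
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "me@example.com"
    m["Subject"] = "see attachment"
    m.set_content("Attached as discussed.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def zip_with(member, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


PE_STUB = b"MZ\x90\x00" + b"\x00" * 60  # just the DOS header magic, not a real program

SAMPLES = {
    "plain doc":        build("bob@example.org", "minutes.txt", b"Agenda: nothing."),
    "unknown sender":   build("mallory@example.net", "photo.jpg.scr", PE_STUB),
    "known unexpected": build("bob@example.org", "funny.exe", PE_STUB),
    "known expected":   build("alice@example.org", "installer.exe", PE_STUB),
    "renamed PE":       build("bob@example.org", "readme.txt", PE_STUB),
    "zipped exe":       build("bob@example.org", "document.zip",
                              zip_with("document.exe", PE_STUB)),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, reason = policy(raw)
        print(f"{label:17s} -> {verdict} {reason}")
```

Two things worth noticing when running it. The "known sender" half of the rule is the weak half: Sobig and MiMail forged their From addresses, so a worm arriving "from" someone in your address book sails past an allowlist on its own; it is the "and I am expecting it" half that does the real work, which is why the example keeps a per-sender table of expected filenames rather than trusting the sender alone. And the 99% figure in the premises is the trade-off made explicit: anyone who genuinely does exchange executables has to register them in advance, or they get bounced along with the worms.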
It’s not a bad idea, a bit like one mentioned in this blog a week or so back. Of course, avecho have an axe to grind, and they’ve been doing it entertainingly for months, if their press releases are anything to go by (all links are to PDF files):
- industry passes the blame for infection and propagation of email viruses onto the users;
- Are viruses here to stay? Only 18 months left for the £2bn traditional anti-virus industry;
- avecho.com stopped Sobig: a technology has existed for over a year which could have completely stopped Sobig. Why are the AV vendors still beating the same old drum?
- On Wednesday 6th August 03 avecho GlassWall stopped a variation of the MiMail virus that had already successfully passed through a leading industry virus scanner, with up to date virus definitions.
But they do have a point. Somehow we’ve got to find a better way to stop viruses than relying on constantly updated definition libraries. What I want to know is: Is there something like this that can work on end-users’ machines, or does everything have to be server based?
Nothing new in this, but a fascinating summary of this year’s viruses, and a sober reminder of how tricky it’s all getting: F-Secure’s review of 2003 makes for interesting reading. This for example, on how the Slammer worm caused so much network traffic:
In theory, there are some 4 billion public IP addresses on the Internet. The Slammer worm was released on January 25, 2003 around 04:31 UTC. By 04:45 it had scanned through all Internet addresses – in less than 15 minutes! This operation can be compared to an automatic system dialing all available phone numbers in the world in 15 minutes. As on the net, only a small number of phones would answer the call but the lines would certainly be congested.
Or the Bugbear.B worm, which tried to steal information from banks and other financial institutions:
To this end, the worm carried a list of network addresses of more than 1300 banks. Among them were network addresses of American, African, Australian, Asian and European banks. As soon as this functionality was discovered, F-Secure warned the listed financial institutions about the potential threat. The response time of the F-Secure Anti-Virus Research Unit was 3 hours 59 minutes from the detection of the worm to the release of an anti-virus update. F-Secure also published a free tool to clean systems affected by Bugbear.B.
Or Sobig.F, which waited for a couple of days after infecting a machine and then turned affected machines into e-mail proxy servers:
The reason soon became apparent: spammers, or organizations sending bulk e-mail ads, used these proxies, which Sobig had created, to redistribute spam on a massive scale. Computers of innocent home users were taken over with the help of the worm and soon they were used to send hundreds of thousands of questionable advertisements without the owner being aware of this.
It is likely that there’s a virus writer group behind Sobig. They planned the operation, then used the worm to infect a huge number of computers and then sold various spammer groups lists of proxy servers which would be open for spreading spam. It was clearly a business operation.
A great read, and fodder for a novel were it not just the start of a difficult time for the Internet.
Microsoft is a mite upset, and is offering a $500,000 reward for information on the virus writers responsible for the Blaster and Sobig worms. (In August, if you recall, the Blaster-A worm infected many unprotected home and business computers, attempted to launch a denial of service attack against a critical Microsoft security update website, and, most importantly, mocked Microsoft chairman Bill Gates. The worm exploited a critical security hole in versions of Microsoft Windows. Just days later the Sobig-F worm, which spread on the Windows platform, bombarded email users around the world, clogging up email servers.)
Sophos, the anti-virus people, had this to say: “It’s no surprise to hear that they are fed up with this situation and prepared to offer a reward for the capture of these virus writers,” said Graham Cluley, senior technology consultant for Sophos. “There must be people out there in the computer underground who know who is responsible for the creation of these malicious worms. Offering a total of $500,000 will be a great temptation for someone to break their silence – and do all legitimate users of the Internet a favour.”
Spammers may be using viruses to attack their enemies. Further to my column on how virus writers and spammers may be in cahoots to deliver spam, The Register reports that anti-spam activists have produced fresh evidence that recent assaults on their websites, Distributed Denial of Service (DDoS) attacks, have been enabled by the infamous Sobig worm.
Two anti-spam services, Monkeys.com and the Compu.Net “block list”, have already closed in the past week.
Spamhaus has been under constant “extremely heavy” DDoS attack since early July, and believes the attacks against its site and others originate from Windows machines infected with the Sobig worm, controlled by spammers over IRC networks.
What’s interesting is that, if properly investigated, this may help prove the link between (some) spammers and (some) virus writers. And, of course, get them off the streets and into jail.
Fridrik Skulason’s open letter draws attention to another point: that while Sobig.F was scheduled to die out on Sept. 10, we might just have been lucky this time. He compares the two recent attacks, Sobig and Blaster, and concludes that if the guy or guys who write the next version of Sobig look closely, they may combine the two and create a real monster:
“With Sobig.F scheduled to die out today, Sept. 10th, the problem might go away for a while – until the next similar worm appears. And this is the scary part. Sobig.F didn’t really infect that many machines world-wide, maybe only 200,000 or so. This is only a fraction of the number of machines infected by Msblaster (Lovsan). Now imagine a worm combining the distribution method of Msblaster with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.
“Eventually, some virus author will create a virus like this, maybe this month, maybe in a few years, but it will happen.”