Re:Viewing 2003: The return of the virus
by Will Sturgeon
Date: December 24, 2003
Just when you thought it was safe to go back into the inbox...
Since the late nineties there has been a trend which has seen each year characterised by at least one major virus outbreak - be it Melissa, Kournikova or Love Bug. The only exception was a quiet 2002, but this year the virus writers returned with a vengeance. Were they just luring us into a false sense of security? Was this a new breed of virus writer? Had their motives changed? Will Sturgeon answers these questions and rounds up the year's events...
2003 has undoubtedly been the year of the virus. Blaster, Code Red, Deloder, Fizzer, Ganda, Lovgate, Magold, Mimail, MyLife, Nachi, Nolor, Sober, Sobig, Slammer, Swen and a whole host of other infections all came along to ensure the year was far more noteworthy than a comparably quiet 2002.
Whether they were lying low or merely taking time to plan their next move during 2002, the virus writers appeared to have little intention of letting 2003 pass without incident. Not only were there a high number of infections, but there was also a newfound capability - a cleverness previously unheard of in the majority of past attacks.
Certainly Simon Perry, VP security strategy at Computer Associates, believes that 2003 has seen a return to prominence of the virus writer as public enemy, and claims this has actually been the most notable year since 2000.
He told silicon.com: "This has been the first interesting year in anti-virus since the ILOVEYOU outbreak back in 2000. It hasn't just been volume, it's been technique and also the level of attention the issue has garnered which have been the outstanding points."
However, while virus writers have undoubtedly raised their game, Perry also believes IT managers and administrators have to accept some of the blame. Patch management has been an issue which has gained a great deal of coverage over the year, often because it is seen as something IT staff are falling down on.
A number of high-profile attacks have targeted known vulnerabilities, most notably Slammer, which exploited a flaw in Microsoft's SQL Server for which a patch had been available for six months.
Perry said: "Vulnerability exploitation is now firmly entrenched as the vector to watch going forward. What Melissa did for email, SQL.Slammer did for vulnerabilities."
"The most dramatic revelation of 2003 has been the uncovering of the unhealed wound that is most companies' patch management strategy; or rather, a total lack of one," he said.
"I have no doubt that statement will upset a wide range of people who will cry foul and state that it's a problem of too many patches, not a broken process. Slammer exposed that claim as an absolute sham," he added. "The volume of patches is a problem, but more importantly the lack of process in identifying what needs to be done to remediate the problems and prioritise what work is a bigger problem."
But it's not just the viruses themselves which have been making news in the antivirus market. Perhaps the biggest piece of news was Microsoft's move into the AV space, via the acquisition of Romanian firm GeCAD.
While vendors didn't exactly fall off their chairs at the news, it is a brave - or stupid - company that doesn't take the threat of a Microsoft incursion into its territory seriously. Back in June Gene Hodges, president of Network Associates, told silicon.com: "Of course you'd be foolish not to worry about Microsoft as a competitor - but it's not in our top five worries."
The most obvious slice of the pie which Microsoft will steal is home users. Enterprise users may be too savvy to miss the irony of Microsoft going into security, but home users will only be concerned with the ease and convenience of something which comes in a bundle.
Alyn Hockey, director of research at email filtering specialist Clearswift, said: "A lot of home users, who perhaps don't read the press, will just think 'great it's free, I'll have it' as long as it comes bundled in with everything else."
Microsoft's other major contribution to the year in anti-virus - excepting the flaws which make many attacks possible - was the offering of bounties for information leading to the arrest of virus writers.
Essentially the $500,000 offer was aimed at the close-knit communities of virus writers and was intended to create discord among them.
The move fundamentally undermines their safety in numbers mentality and raises doubts about whether they can trust one another, effectively negating a lot of their effectiveness and a lot of their shared resource.
On the virus front the biggest news probably surrounded Sobig and its subsequent variants.
Graham Cluley, senior technologist at anti-virus vendor Sophos, said: "Sobig was a regular email worm that spread in such large numbers it stopped being a virus problem and started being an email infrastructure problem. Some companies were receiving hundreds of thousands of infected emails every day - even if they had protection in place to stop the virus it could still turn their email gateways to porridge."
Sobig is believed to have been the work of a new breed of virus writer. No longer is the motive to create havoc or gain some level of peer group notoriety to brag about in chat rooms. Now virus writers appear to be working in conjunction with spammers as part of highly organised cyber crime groups. The motivation is now financial: infect machines, self-propagate the infection mechanism and take control of thousands of 'zombie' machines to conduct spam operations via open relays.
The virus writer is now a gun for hire - and spammers would appear to be the most obvious employer.
Even the BBC got in on the act of spreading the Sobig virus: back in February the corporation emailed it to users who had subscribed to the Archers newsletter.
Another favourite ploy of the virus writer - social engineering - also went from strength to strength. In a nutshell, the challenge the virus writers are rising to is to come up with the most compelling subject line and attachment to encourage users to double-click.
A timeless favourite is the female celebrity. Virus writers pick an in-demand female celebrity and claim to have some candid shots attached to an email. Gullible recipients hoping for an eyeful of celeb flesh then click on the attachment and infect their machine.
This year Avril Lavigne, Julia Roberts and Catherine Zeta Jones have been subjects of just such a ploy.
Also popular are political events or topical issues. The Ganda virus arrived in an email promising secret 'behind enemy lines' photos of the war in Iraq, and the Coronex worm exploited people's fears about the SARS virus.
Anybody hoping viruses may go away some time soon will take no solace from November's news that the virus is now 20 years old. This would appear to suggest it has now become an established part of the IT landscape.
Certainly next year will bring little cheer on the virus front. According to Cluley the year ahead can be summed up in four words.
"More of the same," he warned.