Who's afraid of the security nightmare?
By Josh Mehlman, WebHead Magazine
October 08, 2001
URL: http://www.zdnet.com.au/news/security/soa/Who-s-afraid-of-the-security-nightmare-/0,130061744,120260632,00.htm
Horror stories, conspiracy theories and the end of the world as we know it. Josh Mehlman talks to Paul Ducklin, head of global support at anti-virus software vendor Sophos, about the online and offline threats of viruses.

What are some of the horror stories that you've encountered in your work?

One of the biggest horror stories is some of the verbiage that came out of people who should have known better about Code Red—there was going to be an Internet meltdown and the end of the world as we know it. And I think people need to realise that the Internet's a lot bigger and stronger than some 4K bit of code written by some sleazebag to exploit a new security hole. Some of the numerical damage figures that came out—I've seen numbers like $1.2 billion damage caused by Code Red—I find it very hard to reasonably substantiate those figures and I think it doesn't do the Internet security industry much good. It makes them look like scaremongers, even though some of them aren't. Also, one of the dangers was that all the hype about Code Red—which wasn't really a big issue, and the Internet reacted well—masked a lot more important things that were ticking over quite happily in the background, like SirCam.

Virus hysteria comes in waves. Who do you think is responsible?

Usually things happen when someone who is regarded as authoritative—probably believing what they say—says something without being guarded about it. In the case of Code Red, it was because the FBI came out with some fairly scary stories, which was ironic considering they themselves had been infected with SirCam and it sent out a confidential internal virus analysis document. It gave it that aura of fear, because the FBI doesn't often come out and make virus-related statements. So people thought, "OK, this is from the horse's mouth, it's one to get excited about." But quite often hoaxes are "from the FBI".

The big problem with hoaxes is that even if you were to receive something that looks like a hoax but was in fact a genuine virus warning, and it had on the bottom, "please be sure to forward this to all of your friends", people need to begin to recognise that it's obviously a bad idea, if only because it's bad citizenship of the Internet.

But companies face real threats from viruses.

While there's a lot of exaggeration of the damage numbers, that's not to say that the true figure is zero. It's unfortunate that we always have to compute this dollar value with lots of zeros at the end for people to take it seriously. Some things don't really have a price, like the reputation of your company. Particularly in most developed countries where there are privacy laws and data protection laws—if you get a virus that mails something out from your machine, it could easily violate the law on your behalf. It's not really an excuse to say, "I didn't do it—the virus did."

Different viruses will mean different things to different people. For a home user, a virus like CIH, which actually wipes out the BIOS so you have to go and buy a new motherboard, is a disaster because you haven't got the computer—you probably don't have a spare and you just have to dig into your wallet. A company might have a spare computer so they could overcome that, and they might have good backups so they can recover from the data loss. But they can't recall e-mail once it's gone out.

E-mail server meltdown seems to be a big problem, but aren't the other side effects still dangerous?

Absolutely. Even SirCam, which is best known for its e-mailing habits, on October 16 turns nasty Trojan and deletes a whole lot of files.

If you look at something like Code Red II, once it's infected your server, it inserts a back-door Trojan on your machine which allows a potential attacker to go to your machine and run arbitrary programs, and also your machine is pretty much advertising that it's vulnerable because it's sending out pretty identifiable packets. The risks there are directly to the server and the company.

Some antivirus programs now bounce back e-mail messages with any sort of attachment that might contain a virus. Is this being too vigilant at the expense of getting work done?

People rightfully expect that antivirus software will answer questions and not ask them. The idea of taking something that is innocent and categorising it as a specific threat is, to my mind, a bad idea. On the other hand, if someone were to come back to you and ask you, "Could you please send plain text e-mail, because we think it's a better way to go?" then I think that would be quite sound advice. We've seen people to whom we've sent e-mail notifications of viruses, and we only send them as plain text, but because we include certain phrases in the text, they'll be bounced and they'll say, "You tried to send us a virus." We've had an experienced IT manager quite seriously suggest that it would be very useful to him if we could somehow avoid the use of the word virus in our virus notifications—adopt some sort of circumlocution. False alarms caused by antivirus software trying to be all things to all people mean that it ends up saying, "I think this might be suspicious, so why don't you work it out and see if it's a virus or not"—people expect the antivirus software to answer that question, not to pose it.

Isn't it preferable to err on the side of caution?

That belongs in policy. It's a good policy to say if there's an attached EXE file or screensaver, we can't see any reason why you need that file at all, so we're going to block it.

Back in the early 80s, research done by a guy called Fred Cohen, the guy who coined the term virus for self-replicating code, was able to show mathematically—and it stands to reason—that you can never write an antivirus program that will detect all viruses. This means that all antivirus software is heuristic, trying to guess on the basis of rules and experience whether or not something is a virus. On the other hand, you can be proactive. Given the history of viruses and malicious code, you can often guess what form many new viruses will take. All antivirus software will suffer some false negatives, where it misses a virus, and it's also going to suffer from false positives, where it condemns an innocent file. The trick is that you need to minimise both. If you have too many false positives, it will send people looking for a problem that they'll never find. But it's important for people to recognise that technology alone—antivirus software, firewalls, policy—is never going to solve 100 percent of the problem.

How do you find out about new viruses? Presumably the virus writer is aware when they think it's finished, because they don't happen by accident.

It is interesting how viruses arrive or come to the attention of antivirus companies. Unfortunately there are lots of different routes—sometimes from the virus writers directly, sometimes from people who have accidentally created a virus. I think any antivirus researcher can recount stories of where they've gone to investigate a virus at a customer site and everything suggests that the virus was deliberately created and placed in that company.

Sabotage by virus?

It's hard to say because I've never got involved in a forensic investigation. But the enemy within is an important one. If we're worried about the enemy within with fraud and hacking and password abuse, then there's no reason why we shouldn't consider it from a virus point of view.

Although the average virus writer is not a disgruntled employee, probably just a sad kid somewhere. But then again, they're not all kids. The [alleged] author of Melissa was a 30-year-old IT consultant who should have known better.

So why do you think he did it? Desire for recognition? Boredom?

I don't know. Maybe he got the recognition that he craved from the counterculture as an older, wiser guy. But he didn't just write viruses and say, "Look, how clever, I wrote a virus." He had previously written articles about how you could not only write a virus, but actually really get the thing widespread. It looks like he thought about it long and hard, and clearly what he did with Melissa was designed to get it to work better and to avoid the initial wave of protection to make it pretty much unstoppable. I think you can say a similar thing for the love bug as well. The guy who allegedly wrote it had got in trouble at his university for writing hacking tools and virus-related stuff. I've seen a copy of a thesis he'd written where the lecturer had crossed out huge sections with words to the effect that "This university does not train or reward criminals," because he was proposing a tool that would rip off passwords so that students could have free access to the Internet.

How long does it take for a virus to propagate—and for you to respond?

The critical thing for an antivirus company is how quickly you can get a sample, and how quickly you can analyse it and respond. With a good antivirus company the answer is 10 or 20 minutes. The bigger question is how long it takes for the virus to get onto people's radar screens so that they actually want to do something about it.

How long until the community as a whole is more protected than unprotected?

Different viruses have different levels of success. The Love Bug was all over the world within eight, nine, 10 hours. The fixes were out there as well, but the virus was very aggressive. It caused a couple of days of sleepless nights and mayhem. Then compare that to a virus like CIH, which came out in the late 90s: there was huge damage done by that virus after almost two years of it being detectable and preventable by most antivirus products.

So is it people, not technologies, that are the weakest link?

I think, for example, with Love Letter there were a few people who couldn't resist downloading a file called LIST.DOC that allegedly gave them URLs and passwords for porno sites. So of course the first thing they did was go and tell their IT manager exactly what had happened. A little bit of psychology by the virus writer, who had previously written articles which worried about how you got to distribute a virus far and wide, so it was obviously close to his heart.

What were the motivations for Sophos to set up a global support office in Sydney?

We think that running our global support operation out of Australia is an excellent idea. We think that there's an opportunity for us to present the lead in Australia, and for Australia to present that lead to the rest of the region, in matters of education on virus issues and best practice on virus issues. If you get a virus at 2am, you probably don't want to be awake, but if you are, you want to be able to pick up the phone and actually talk to someone who will advise you on the correct course of action. We also feel it's important that someone gets support from their own region and from people that they've built a relationship with, that they're used to dealing with, and that understand their problem or their network.

The current value of the Australian Peso wouldn't hurt, either.

That's not the reason we did it. There is some advantage in Australia being quite a technically demanding market, where they know what they want and aren't shy to ask for it. IT seems to be in a very mature state here. [In terms of time zones] it's the first market in that condition which wakes up. It means that we can get early information.

Any other cultural factors?

Twenty-four degrees on a winter's morning... now that you mention it. And beer that's served at a reasonable temperature.
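Two of Ducklin's points above, that a clear policy rule (block EXE and screensaver attachments outright) answers a question rather than asking one, and that any heuristic guess will produce both false positives and false negatives that must be balanced, can be made concrete in a small script. The following is an added example for this page; it is not from the article and not Sophos code. The message corpus, its labels, and the inclusion of the .pif extension in the blocked list are constructed assumptions.

```python
"""Added example (not from the article, not Sophos code): a deterministic
attachment policy next to a keyword heuristic, scored on a constructed
message corpus so the false positive / false negative trade-off is visible."""
import os
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Extensions blocked by policy. EXE and screensavers (.scr) are the interview's
# example; .pif is an assumption of what such a policy would also cover.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif"}

# The kind of naive content rule the interview complains about: any message
# that merely mentions a virus gets flagged, including plain-text warnings.
SUSPICIOUS_PHRASES = ("virus", "worm", "trojan")


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)
    is_malicious: bool = False  # ground-truth label for the constructed corpus


def attachment_extension(filename: str) -> str:
    """Last extension, lower-cased, so 'notes.txt.scr' is seen as '.scr'."""
    return os.path.splitext(filename.lower())[1]


def policy_verdict(msg: Message) -> str:
    """Policy rule: block outright if any attachment type is on the list.
    It gives the user an answer instead of a question."""
    for name in msg.attachments:
        if attachment_extension(name) in BLOCKED_EXTENSIONS:
            return "blocked"
    return "allowed"


def keyword_verdict(msg: Message) -> str:
    """Content heuristic: guess from wording alone."""
    text = f"{msg.subject} {msg.body}".lower()
    return "suspicious" if any(p in text for p in SUSPICIOUS_PHRASES) else "clean"


def evaluate(corpus: List[Message], verdict: Callable[[Message], str],
             flag_value: str) -> Tuple[int, int]:
    """Return (false positives, false negatives) for one verdict function."""
    false_pos = false_neg = 0
    for msg in corpus:
        flagged = verdict(msg) == flag_value
        if flagged and not msg.is_malicious:
            false_pos += 1
        elif not flagged and msg.is_malicious:
            false_neg += 1
    return false_pos, false_neg


# Constructed corpus; none of these are real samples.
CORPUS = [
    Message("Virus notification",
            "A virus was found in mail from your domain. Plain text, no attachment.",
            [], False),
    Message("Quarterly report", "Spreadsheet attached.", ["report.xls"], False),
    Message("Check this out", "Funny screensaver!", ["funny.scr"], True),
    Message("Notes", "Read the attached notes.", ["notes.txt.scr"], True),
    # A macro-style document threat that an extension policy cannot see.
    Message("My CV", "Please find my CV attached.", ["cv.doc"], True),
]


def compare() -> dict:
    """(false positives, false negatives) of each approach over CORPUS."""
    return {
        "policy": evaluate(CORPUS, policy_verdict, "blocked"),
        "keyword": evaluate(CORPUS, keyword_verdict, "suspicious"),
    }


if __name__ == "__main__":
    for name, (fp, fn) in compare().items():
        print(f"{name:8s} false positives={fp} false negatives={fn}")
```

On this corpus the keyword rule bounces the plain-text virus notification (a false positive of exactly the kind Ducklin describes) while missing every real threat, and the attachment policy blocks the screensavers, including the double-extension one, without any false positives. The policy still misses the document-borne threat, which is the remaining point in the interview: a policy reduces the problem, it does not remove the need for detection or for people who know what to do.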
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.