One of the odd trends that Sharon Ruckman has observed in the past year while being on the "frontlines" of cyber security is that variants of worms and viruses are still delivering a major payload of headaches for IT administrators and end users.
With ample warning from the initial virus outbreak, companies and users should be better protected against the brethren that follow, but the widespread damage done by variants like Sobig.F and Klez.H shows otherwise.
Ruckman, the director of product management at Symantec Security Response, believes this is partly because virus writers are "getting better". Malware authors constantly modify an existing virus to bypass security measures or increase its reach, as was the case with Sobig.F, which was tweaked to spread via both e-mail and file-sharing networks.
As virus-writing techniques evolve, computer users, on the other hand, are still plagued by the perennial hazards of "ignorance" and "curiosity", she says. Just as software flaws are unavoidable as long as humans write the code, age-old "click-to-infect" strategies will keep working as long as humans are behind the computers.
CNETAsia recently spoke with Ruckman about recent trends in Internet security and how companies can mitigate their risks against the relentless virus onslaught.
Q: Despite so many lessons from the past, why are companies and users still hit by mass-mailer worms?
A: What's unusual in the past year is that we are seeing so many mass-mailers still having tremendous impact with the variants. Usually you will see the initial ones and a little bit of the variants later. Nimda was a very prevalent mass mailer. There's Klez.A but people really didn't hear of it. People got infected on Klez.E and Klez.H. The person writing it just got better and better.
Same thing with Sobig.F. Sobig.F was huge, much bigger than the previous Sobig virus. We've seen all the different variants and they've had so much impact and they haven't been that sophisticated. They aren't using vulnerabilities. Users have to open e-mails and open the attachment.
Some attachments were even password-protected zip files to get through organisations. You have to work to get infected and this is where educating people is so important. A lot of folks learnt with Blaster and Welchia the message of making sure your systems are patched and security software is up to date. We haven't really had a major mass-mailer in the past year so people haven't really internalised the educational messages.
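The password-protected zip attachments mentioned above get past gateway scanners precisely because the scanner cannot open the entries. The entry headers still say that they are encrypted, though, so a gateway can at least flag or hold such attachments without needing the password. The following is an added example, not part of the interview or of any Symantec product: a small Python check that parses an inbound message, finds zip attachments and reports entries whose header carries the encryption flag. The message, addresses and archive contents are constructed samples; the hypothetical helper mark_encrypted only sets the header flag so the detector can be exercised offline.

```python
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Bit 0 of the general-purpose flag field in a zip entry header marks the
# entry as encrypted (password-protected). A scanner that cannot open the
# entry can still read this flag from the central directory.
ENCRYPTED_FLAG = 0x0001


def encrypted_zip_entries(blob: bytes) -> list[str]:
    """Return the names of entries in `blob` whose header carries the
    encryption flag. Returns [] for an unencrypted archive and for data that
    is not a zip at all, so callers can run it on every attachment."""
    buf = io.BytesIO(blob)
    if not zipfile.is_zipfile(buf):
        return []
    buf.seek(0)  # is_zipfile seeks around while looking for the end record
    with zipfile.ZipFile(buf) as zf:
        # Only the central directory is read; no entry is opened, so no
        # password is needed to make this decision.
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def scan_message(raw: bytes) -> list[dict]:
    """Walk a raw RFC 5322 message and report every attachment, noting which
    zip entries are password-protected. A policy layer can then hold or
    quarantine any message whose report lists encrypted entries."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        findings.append({
            "filename": part.get_filename(),
            "is_zip": zipfile.is_zipfile(io.BytesIO(payload)),
            "encrypted_entries": encrypted_zip_entries(payload),
        })
    return findings


# --- constructed sample data so the check can be run offline (hypothetical) ---

def build_plain_zip(name: str, data: bytes) -> bytes:
    """Build a one-entry, unencrypted zip in memory."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return out.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption flag in the local and central headers of a
    single-entry archive from build_plain_zip. The stored bytes are left
    untouched; this only reproduces the header a real password-protected zip
    carries, which is all the detector looks at."""
    b = bytearray(zip_bytes)
    assert b[:4] == b"PK\x03\x04"              # local file header at offset 0
    local_flags = struct.unpack_from("<H", b, 6)[0]
    struct.pack_into("<H", b, 6, local_flags | ENCRYPTED_FLAG)
    cd = b.find(b"PK\x01\x02")                # central directory header
    cd_flags = struct.unpack_from("<H", b, cd + 8)[0]
    struct.pack_into("<H", b, cd + 8, cd_flags | ENCRYPTED_FLAG)
    return bytes(b)


def build_sample_message(attachment: bytes, filename: str) -> bytes:
    """Wrap an attachment in a minimal multipart message (constructed sample;
    the addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your document"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    protected = mark_encrypted(build_plain_zip("report.doc", b"sample body"))
    for finding in scan_message(build_sample_message(protected, "report.zip")):
        print(finding)
```

The check deliberately never opens an entry, so it works on archives the gateway cannot decrypt and stays cheap enough to run on every message; what to do with a flagged message (hold for review, strip the attachment, notify the recipient) is a policy decision layered on top of the report.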
Q: Some industry watchers fear a mass-mailer hybrid of the recent Sasser virus could soon emerge. Do you share that view?
A: We've actually seen similar blended threats. In 2001, Nimda was a perfect example of one where you had five modes of transportation. Can that happen today? Yes. There are well over 30,000 Web sites as well as an open-source community in the underground with a lot of this code.
What we are seeing is a combination of spamming techniques and malicious code-writing techniques. What spammers are able to do is they have tools to go to the Internet and download a wide variety of e-mail addresses.
What we do know about spam is a certain percentage of people will open it no matter what. If I can send that out to 100,000 people and get 10,000 to open it out of curiosity, you will see a much broader spread.
We are seeing well over seven vulnerabilities a day. Within 90 days there will be some exploit code written on 90 percent of those vulnerabilities. That could be one of the reasons why we are seeing much more activity occurring faster because they are getting the e-mails out to more people initially.
It's not enough just to put in security software, perimeter-based and host-based systems; you must educate people.
Q: Is the time window shortening between vulnerability disclosure and the release of exploit code that takes advantage of a known flaw?
A: What we are seeing is the shortening of the window from when you have a vulnerability to when you have a threat exploiting that vulnerability. Quite frankly, once a vulnerability which is critical enough gets announced, you will see people playing around with it.
We are seeing well over seven vulnerabilities a day. Within 90 days there will be some exploit code written on 90 percent of those vulnerabilities. However, very few of them actually end up in the worm category like Sasser and Blaster.
Q: Are organised crime syndicates or virus writing gangs responsible for coordinating virus attacks?
A: Not so much organised crime per se. Typically, if you are in organised crime you don't want to get publicity. You try to be under the radar.
There has been and there always will be virus writing gangs. To get into the gang, you have to write code and show for it. These are a bit more sophisticated and they hide their tracks a lot better. Usually, the people who are caught are "wannabes" who are not really with the gang. They haven't covered their tracks that well or bragged to people and ended up being caught.
Q: What more can organisations do to protect themselves against the constant barrage of viruses?
A: People need to understand what's important in their systems. Just like physical security, you can spend a fortune to make sure there's no way anyone can break into your house or organisation. However, if someone wants to get in they will get in. Then you have to decide what's your most important system and how much you are willing to spend to mitigate the risk of having your systems broken into.
Typically, financial systems, manufacturing systems, engineering and intellectual property systems--those that make you money--are the most important.
What we've started to see companies do is to set up systems within their own environment which are better-protected. You can actually put "spheres of trust" in different organisations within your company. For example, financial systems could have more firewalls which are different from your gateway firewall.