IT Losing Ground in Virus Battle

[William Knowles <wk () c4i org>]

http://www.eweek.com/article2/0,4149,1484760,00.asp

By Dennis Fisher 
February 2, 2004 

After years of success deploying more effective and smarter defenses,
anti-virus researchers contacted last week in the wake of the MyDoom
outbreak acknowledged for one of the first times that the battle may
be getting away from them.

The MyDoom virus, which hit Jan. 26 and infected
several-hundred-thousand machines, is the fastest-spreading virus in
the history of the Internet, experts said. At its peak late last week,
MyDoom had infected one in every 12 pieces of e-mail, according to
MessageLabs Inc., a New York-based e-mail security company. MyDoom
also is the latest in a line of recent viruses that, while not
particularly innovative, have been maddeningly effective.

Anti-virus software is an inherently reactive technology, leaving
users as the first line of defense against new viruses. But despite
endless admonishments to refrain from opening e-mail attachments,
whether from home or work, many users continue to be fooled. In fact,
whereas most viruses start from home PCs, MyDoom began from inside a
corporate network.

"There are a lot of Fortune 100 companies infected," said David Perry,
global director of education at Trend Micro Inc., in Cupertino, Calif.  
"There's nothing entertaining about this."

Social engineering tactics such as MyDoom's disguising itself as a
returned or rejected e-mail message make it harder for users to
distinguish legitimate messages from infected ones.

"[The virus writer] obfuscated the message to the point where it was
alluring. The innovation coming out of these guys is slim," said Ian
Hameroff, eTrust security strategist at Computer Associates
International Inc., in Islandia, N.Y.

Virus writers are now loading their creations with extras such as back
doors, mail proxies for relaying spam and keystroke loggers for
stealing passwords. As a result, they're guaranteed that the viruses
will continue to do damage after they've been removed from a computer.

By the end of last week, Symantec Corp. sensors were seeing as many as
2,000 unique machines scanning for PCs listening on port 3217, which
is used by the back door MyDoom installs.

All this has left many in the industry wondering when the tide will
turn. Much of the problem, experts say, is that security still does
not get the attention it deserves inside enterprises. "I think [that
executives] are aware that something needs to be done but not what,"  
said Karen Worstell, chief security officer at AT&T Wireless Services
Inc., in Redmond, Wash. "We have to tell them that it's not paranoia.  
It's good sense."

Dan Geer, principal scientist at Verdasys Inc., said in his keynote at
the Black Hat Briefings conference here that he believes it's time for
a kind of Centers for Disease Control and Prevention for the Internet.  
But to work properly, the center would need real-time data from across
the Internet, which would require victims to report what's happened to
them, something that is exceedingly rare right now.

For some companies, educating executives and other employees about
security issues and best practices has been just as important as any
piece of technology for improving security. Premera Blue Cross, a
health care company in Mountlake Terrace, Wash., requires that every
employee go through a 90-minute training session on security and sends
out regular e-mail flashes reminding workers of policies and
procedures and warning of new threats.

"We want everyone to know about security. The average top executive
doesn't understand security, but we have to change that," said Allen
Kerr, vice president of IT infrastructure and information security
officer at Premera. "Security is an imperative. It's no longer just a
good idea."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.