Remember the day Nimda hit the Internet? Remember the day Gokar hit the Internet?
During those anxious first few moments, how could you tell whether Nimda would be naughty or Gokar a goner?
As more companies turn everyday people into computer and Internet users, the opportunity for more of them to fall prey to virus hysteria grows, as does the opportunity for vendors to take advantage of the naive and overhype virus outbreaks.
MessageLabs announced this week that it trapped 1.6 million e-mail viruses this year, a figure that works out to one virus for every 370 messages sent. But only viruses like SirCam, Badtrans.b, Magistr.a, Goner and Hybris, along with virulent worms like Code Red and Nimda and their variants, lived up to the hype; most of the others went bust.
"Unfortunately, we're stuck in reactive mode," said Pete Lindstrom, director of security strategies at Hurwitz Group. "When you're reacting, it's tough to get a sense for the magnitude of the problem."
Inevitably, once a virus outbreak begins, inboxes flood not only with the malicious code itself but also with virus alerts from vendors and services warning of the malware and promoting fixes. Lindstrom suggests that these warnings should not be ignored, however many an administrator or end user may receive.
"There's no downside about warning the world to a virus. There's only upside," Lindstrom said. "The antivirus companies break even or they end up winning the race to notify the world first. If you've got a virus that is propagating via e-mail or is Web oriented, what else can you do except warn folks?"
How an alert is crafted
Antivirus firms usually learn of virus outbreaks in one of two ways: either customers report an outbreak and submit samples to their vendor, or information is shared between vendors through an informal network.
"Once we get a sample, we dissect it in our lab and we then run it on an isolated network in-house so that there is no chance of it spreading to the outside," explained David Hughes, president of Sophos, Inc., the American subsidiary of Sophos PLC of the U.K. "Our analysts examine the code and the virus' behavior. We then send an alert to our customer base warning them of the new threat."
Firms usually rank the viruses according to severity, though that isn't always possible at the outset of an outbreak.
"In order to make an alert useful, you have to put it out early," said F-Secure's director of anti-virus research, Mikko Hypponen. "Often, you don't have enough data to help you make a decision if it is important or not."
Usually, it's a matter of a few hours from the time a sample is submitted to an antivirus firm to when an alert is issued. An alert is also upgraded if propagation turns out to be widespread.
"We've sent out only six Level 1 (most severe) alerts this year," Hypponen said. "We've done 35 alerts this year and 29 of them were Level 2. We have three different rankings, which is less than most others. But we try to keep this as simple as possible for our customers."
Keeping the hype in check
Antivirus firms make a conscious decision every time they issue an alert as to its importance and severity.
"I can only speak for Sophos, but it's part of our personality to be the voice of reason," said Hughes. "We go out of our way not to hype a threat. At the end of the day, we want to be helpful to our customers. We want to protect them, not frighten them. Our inclination is to sit back, especially if there are few reports from customers. The industry is not well-served by over-hyping alerts."
Hypponen said F-Secure does not want to be the vendor who cried wolf.
"If you send out too many alerts, they are not going to be useful to customers," Hypponen said.
Getting out of reactive mode
Being proactive is a necessity throughout IT, and security is certainly no exception. Hurwitz Group's Lindstrom said that a key step for developers and users to take is to stop relying on signature files to identify viruses.
"The interesting question is: Why are we not shifting paradigms from being reactive to a stronger prevent mode," Lindstrom said. "The next paradigm shift is moving from signature files to a behavior approach to security."
Several firms, including Entercept, Harris and SecureWave, currently use heuristic engines in their products.
"They define appropriate behaviors and protect a client or a server that way," Lindstrom said. "The hard part is the initial definition. It's frustrating that we still rely on signature files."
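To make the contrast between the two approaches concrete, here is an added example (not code from the article or from any of the vendors it names) that puts a signature-file scanner beside a behaviour-policy check. The worm samples, process name, hosts, registry key and policy are all constructed for the illustration: the signature catches the sample the lab already analysed but not a rebuilt variant, while the behaviour policy, which only defines what a mail client is allowed to do, flags the variant on what it does rather than on what it looks like.

```python
"""Signature-file detection beside a behaviour-policy check.

Added example; not code from the article or from any vendor it names.
All samples, process names, hosts and the policy below are constructed
for illustration.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Optional, Set

# Constructed stand-ins for two builds of a mass-mailing worm (not real malware).
KNOWN_SAMPLE = b"MZ mass-mailer build 1: mail self to every address in the address book"
NEW_VARIANT = b"MZ mass-mailer build 2: mail self to every address in the address book"

# A 'signature file': the hash of the sample the lab analysed plus one byte
# pattern an analyst pulled from it. Both are specific to build 1.
SIGNATURE_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Example.MassMailer.A"}
SIGNATURE_PATTERNS = {b"mass-mailer build 1": "Example.MassMailer.A"}


def signature_scan(data: bytes) -> Optional[str]:
    """Reactive detection: name the threat only if the bytes match a known signature."""
    name = SIGNATURE_HASHES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, name in SIGNATURE_PATTERNS.items():
        if pattern in data:
            return name
    return None


@dataclass(frozen=True)
class Event:
    process: str
    action: str  # "read_file", "connect", "write_registry"
    target: str


# Behaviour policy (the 'initial definition' Lindstrom calls the hard part):
# what the mail client is permitted to do. Targets are glob patterns (fnmatch).
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "mailclient.exe": {
        "read_file": {"inbox.dbx", "addressbook.wab"},
        "connect": {"*:25"},
    }
}


def behavior_scan(events: Iterable[Event], policy=POLICY, max_smtp_peers: int = 10) -> List[str]:
    """Preventive detection: flag actions outside the allow-list, plus SMTP
    fan-out (one process talking to many distinct mail servers), which is the
    mass-mailer pattern even when each connection is individually permitted."""
    violations: List[str] = []
    smtp_peers: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        allowed = policy.get(ev.process, {}).get(ev.action, set())
        if not any(fnmatch(ev.target, pat) for pat in allowed):
            violations.append(f"{ev.process}: {ev.action} {ev.target} not permitted")
        if ev.action == "connect" and ev.target.endswith(":25"):
            smtp_peers[ev.process].add(ev.target)
    for proc, peers in smtp_peers.items():
        if len(peers) > max_smtp_peers:
            violations.append(f"{proc}: SMTP fan-out to {len(peers)} distinct peers")
    return violations


def benign_trace() -> List[Event]:
    """Constructed trace: a user reads mail and sends one message via the smarthost."""
    return [
        Event("mailclient.exe", "read_file", "inbox.dbx"),
        Event("mailclient.exe", "read_file", "addressbook.wab"),
        Event("mailclient.exe", "connect", "smtp.example.net:25"),
    ]


def worm_trace() -> List[Event]:
    """Constructed trace: the new build, running inside the mail client, harvests
    the address book, persists itself, and mails itself to 30 different servers."""
    events = [
        Event("mailclient.exe", "read_file", "addressbook.wab"),
        Event("mailclient.exe", "write_registry",
              r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\worm"),
    ]
    events += [Event("mailclient.exe", "connect", f"mx{i}.example.org:25") for i in range(30)]
    return events


if __name__ == "__main__":
    print("signature, known sample:", signature_scan(KNOWN_SAMPLE))  # Example.MassMailer.A
    print("signature, new variant: ", signature_scan(NEW_VARIANT))   # None: no signature yet
    print("behaviour, benign trace:", behavior_scan(benign_trace()))  # []
    for v in behavior_scan(worm_trace()):
        print("behaviour, new variant: ", v)  # registry write, then SMTP fan-out
```

The trade-off Lindstrom describes is visible in the policy dictionary: the signature side needs nothing from the administrator but only ever catches what the lab has already seen, while the behaviour side catches the unseen variant only because someone first wrote down what the mail client is supposed to do, and a policy that is too loose (say, allowing any connect) or a fan-out threshold set too high silently loses the detection.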