News

Opinion: Troubled Times for E-mail

• By Scott Bekker
• 12/09/2003

We've reached a tipping point with viruses, and it's very bad place to be.

It used to be that the bulk of virus e-mails had the intent of being just annoying. An appropriate way to think about the virus/worm author was the teenage tinkerer seeing what kind of trouble he could stir up. Damage estimates were measured in downtime and theoretical lost productivity from some hypothetical nirvana of 100 percent worker productivity. Sure there were more serious types out there, actively after your digitally-stored assets, but they tended to use lower profile, smarter, means to attack systems.

The Sobig.F worm changed that in a big way. As the fastest-spreading worm to date, Sobig.F became spam-like in the way it flooded users' inboxes with hundreds of messages. For the record, MessageLabs, a security vendor and e-mail hoster, reports that Sobig.F was the most common e-mail infection of 2003, with 32 million Sobig.F mails intercepted. The No. 2 infected e-mail, Swen.A, was way, way down at 4.1 million. (See table below).

But Sobig.F was more than similar to spam. It appears to have been designed to turn infected PCs into spam-relay engines, MessageLabs notes. Is it a coincidence that spam boomed in 2003? The overall ratio for spam to e-mail for the year leapt from one in 11 for 2002 to one in 2.5 this year. MessageLabs also reports that more than 66 percent of spam was sent through hijacked computers.

The flood of spam sent through hijacked computers, many of them consumer systems with broadband connections, is leading to serious questions about the future of e-mail. Perhaps nothing illustrates the general frustration with spam as well as a survey done for Symantec of 500 small businesses. About 42 percent of the respondents said they would consider abandoning e-mail for business correspondence if the spam situation worsened. While the idea probably never occurred to most of the respondents before being presented with it in the survey, the fact that they didn't dismiss it out of hand is sobering. (View Symantec's discussion of the survey here.

There is reason to suspect the Sobig author of aiming for more than the disruption of the e-mail system. By creating an open proxy network for spam relays, the virus author had an asset to sell to spammers, or possibly a network to hand over to the bosses at a spamming organization. Consider this: The Sobig e-mails each expired after a set time, and each expiration date was followed immediately by a new variant of the malware. When Sobig.F spread like a wildfire in high wind, the spam-relay network would have been in place and probably would have been much wider than the author could have hoped. If the author was out to wreak havoc rather than chase profits, why not take the lessons learned from Sobig.F and plow them into a Sobig.G?

This leaves us with a new model for the virus/worm author -- somebody with a profit motive. It's evident in another blockbuster worm of 2003. Mimail is the one with the variant asking PayPal customers to update billing information, including credit card numbers and expiration dates.

These are two pretty strong examples that profit motive, rather than notoriety, is becoming the driver for authors of viruses that erupt into mass outbreaks. Market forces being what they are, we should expect competition to drive virus writing to new heights in 2004.

Following is MessageLabs' tally of virus e-mails it had stopped by Dec. 1:

1. W32/Sobig.F-mm -- 32,432,730
2. W32/Swen.A-mm -- 4,184,129
3. W32/Klez.H-mm -- 4,006,766
4. W32/Yaha.E-mm -- 1,920,424
5. W32/Dumaru.A-mm -- 1,129,061
6. W32/Mimail.A-mm -- 1,052,481
7. W32/Yaha.M-mm -- 862,682
8. W32/Sobig.A-mm -- 842,729
9. W32/BugBear.B-mm -- 814,865
10. W32/SirCam.A-mm -- 511,578