News

Opinion: Troubled Times for E-mail

A quick glance at MessageLabs' end of year statistics on virus activity and an impression that's been growing since the summer gets sharper.

We've reached a tipping point with viruses, and it's very bad place to be.

It used to be that the bulk of virus e-mails had the intent of being just annoying. An appropriate way to think about the virus/worm author was the teenage tinkerer seeing what kind of trouble he could stir up. Damage estimates were measured in downtime and theoretical lost productivity from some hypothetical nirvana of 100 percent worker productivity. Sure there were more serious types out there, actively after your digitally-stored assets, but they tended to use lower profile, smarter, means to attack systems.

The Sobig.F worm changed that in a big way. As the fastest-spreading worm to date, Sobig.F became spam-like in the way it flooded users' inboxes with hundreds of messages. For the record, MessageLabs, a security vendor and e-mail hoster, reports that Sobig.F was the most common e-mail infection of 2003, with 32 million Sobig.F mails intercepted. The No. 2 infected e-mail, Swen.A, was way, way down at 4.1 million. (See table below).

But Sobig.F was more than similar to spam. It appears to have been designed to turn infected PCs into spam-relay engines, MessageLabs notes. Is it a coincidence that spam boomed in 2003? The overall ratio for spam to e-mail for the year leapt from one in 11 for 2002 to one in 2.5 this year. MessageLabs also reports that more than 66 percent of spam was sent through hijacked computers.

The flood of spam sent through hijacked computers, many of them consumer systems with broadband connections, is leading to serious questions about the future of e-mail. Perhaps nothing illustrates the general frustration with spam as well as a survey done for Symantec of 500 small businesses. About 42 percent of the respondents said they would consider abandoning e-mail for business correspondence if the spam situation worsened. While the idea probably never occurred to most of the respondents before being presented with it in the survey, the fact that they didn't dismiss it out of hand is sobering. (View Symantec's discussion of the survey here.

There is reason to suspect the Sobig author of aiming for more than the disruption of the e-mail system. By creating an open proxy network for spam relays, the virus author had an asset to sell to spammers, or possibly a network to hand over to the bosses at a spamming organization. Consider this: The Sobig e-mails each expired after a set time, and each expiration date was followed immediately by a new variant of the malware. When Sobig.F spread like a wildfire in high wind, the spam-relay network would have been in place and probably would have been much wider than the author could have hoped. If the author was out to wreak havoc rather than chase profits, why not take the lessons learned from Sobig.F and plow them into a Sobig.G?

This leaves us with a new model for the virus/worm author -- somebody with a profit motive. It's evident in another blockbuster worm of 2003. Mimail is the one with the variant asking PayPal customers to update billing information, including credit card numbers and expiration dates.

These are two pretty strong examples that profit motive, rather than notoriety, is becoming the driver for authors of viruses that erupt into mass outbreaks. Market forces being what they are, we should expect competition to drive virus writing to new heights in 2004.

Following is MessageLabs' tally of virus e-mails it had stopped by Dec. 1:

  1. W32/Sobig.F-mm -- 32,432,730
  2. W32/Swen.A-mm -- 4,184,129
  3. W32/Klez.H-mm -- 4,006,766
  4. W32/Yaha.E-mm -- 1,920,424
  5. W32/Dumaru.A-mm -- 1,129,061
  6. W32/Mimail.A-mm -- 1,052,481
  7. W32/Yaha.M-mm -- 862,682
  8. W32/Sobig.A-mm -- 842,729
  9. W32/BugBear.B-mm -- 814,865
  10. W32/SirCam.A-mm -- 511,578

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

  • Most Microsoft Retail Locations To Shut Down

    Microsoft is pivoting its retail operations to focus more on online sales, a plan that would mean the closing of most physical Microsoft Store locations.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.