Scanning for trouble

E-mail-borne viruses have reached something of a watershed in their potential to wreak economic damage on hapless organisations throughout the world. Witness the ILoveYou worm, which spiralled out of the Philippines in May, ultimately delivering an astronomical repair bill (in fixes and lost productivity) estimated in the tens of billions.

"We are effectively the radar looking for viruses on the horizon," said a Telstra spokesperson recently at the announcement of a joint partnership with Trend Micro that would see the telco and ISP use the antivirus and malicious code specialist's scanning products linked to a control module on the Telstra BigPond network.

The service, called eDoctor, is probably just the cusp of what the consumer and business market in Australia can expect from the service providers, particularly as the threat of viral infection is so prevalent.

Recently, Simon Perry, VP of security at Computer Associates, derided Australian businesses, which, he suggested, are courting danger with their lax attitudes. Compared to the "enormous" level of awareness in the US, Perry sees an overall lower "fear factor" at work down under.

"Australian companies get online quickly, get a firewall, run an antivirus program and then think they're protected. This is very dangerous thinking as there is no such thing as an Australian Internet," Perry observed.

CA's thrust of late has been that Internet security should be delivered along the lines of a rapid response service, not reliant on shrink-wrapped software installs.

The Computer Security Institute (http://www.gocsi.com/) found that from a selection of 273 companies and organisations, 85 per cent detected computer viruses on their networks during the 12 months to March this year. The same survey also found that 96 per cent of the system administrators polled were using some form of antivirus protection. Unfortunately, the rate at which new viruses appear "in the wild" greatly outpaces the development time antivirus scanner developers have at their disposal.

ICSA.net found in its fifth annual Computer Virus Prevalence Survey that the average virus infestation, affecting 25 computers or more on a network, cost the infected business $US1750 on average and chewed up 24 hours of labour to fix. In ICSA.net's survey, 83 per cent of system administrators concluded that they had 90 per cent or more of their networks covered against virus attack.

E-mail virus scanners should be seen as one of a set of tools needed by system administrators in the battle against security threats. Authentication and content checking should also be addressed.

Scanning e-mail for content filtering purposes raises privacy issues and legal concerns, but is necessary to ensure adherence to corporate policies on matters such as distribution of pornographic images. (See Computerworld September 4, page 1). Tools that provide this kind of vigilance include Content Technologies' MimeSweeper, Eye-T Technology's Eyeguard, and WebSecure Technologies' MailMarshal.

Australian experience suggests that governments would like a legislative wall around the country's computer networks. Following the Queensland government's lead, the NSW government recently proposed amendments to the criminal code that would outlaw virus writing, amongst other things. While the existence of the amendment means that governments are thinking about the issue, the best protection still lies in permanently stationed e-mail scanning solutions. These should be actively managed to take the responsibility of vigilance away from the individual end user.

Unix systems security specialist Sarah Gordon does not expect end users to be quite so hands-off. She says that more often than not, it is user ignorance that is most responsible for spreading viruses throughout networks, and believes that end users should play the role of informed gatekeepers, guarding against the threat. In her paper, Why computer viruses are not - and never were - a problem, Gordon identifies a need for "public discussion and dissemination of accurate information" as being crucial to the management of virus infection.

Virus scanning programs look for virus signatures, short byte strings that uniquely identify a virus's code. These are matched against the known signatures in an antivirus developer's database, a technique known as signature scanning.

Signature scanning, used by the best-selling software packages, comes bundled with disinfection software and is often complemented by auto-update features that refresh that software's record of virus signatures.

Obviously with so many viruses lurking out on the Net, signature scanning has its limits. This technique may give adequate protection against existing viruses, already flagged in the database, but to be truly effective must work with activity monitoring or change detection functionality which can alert the user to threats from 'unknown' files. Fortunately this extra level of protection is present in many commercial virus protection packages.

Software vendors, wise to the apparent flaws of the signature scanning system, have established emergency response centres that can process files stored in the 'quarantine' folders that many antivirus packages come with. Norton's AntiVirus 2001, McAfee's VirusScan 2000 and Trend Micro's PC-cillin 2000 all have this feature, which introduces the user to the concept of 'managing' the process of scanning, disinfecting and reporting viruses to the vendors, who can then further update and improve their database of viral signatures.

Virus signatures themselves are carefully chosen short strings of bytes identified as belonging to a particular virus. A signature should be chosen so that it always discovers the virus if it is present, but seldom gives a false alarm, or false positive.
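As an added illustration (not code from the article or from any vendor's product), a minimal signature scanner together with the hash-based change detection mentioned above, run over constructed sample files. The signature byte strings and file contents are invented for the example; it also shows why a signature that is too short raises false alarms on clean files.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed signature database (name -> byte string). The byte strings are
# invented for this example and belong to no real virus; a vendor would
# instead extract them from distinctive bytes of the actual virus code.
SIGNATURES: Dict[str, bytes] = {
    "Example.Worm.A": b"\xe8\x00\x00\x00\x00\x5b" + b"EXAMPLE-A-REPLICATE",
    "Example.Worm.B": b"EXAMPLE-B-MAILSELF",
    "Poor.Sig.C": b"MZ",  # deliberately bad: the 2 bytes that open every DOS/Windows executable
}

def scan(data: bytes, sigs: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Signature scanning: names of every signature found anywhere in data."""
    return sorted(name for name, sig in sigs.items() if sig in data)

def evaluate(sig: bytes, infected: List[bytes], clean: List[bytes]) -> Tuple[float, float]:
    """(detection rate on infected samples, false-positive rate on clean samples)."""
    hits = sum(sig in d for d in infected) / len(infected)
    false_alarms = sum(sig in d for d in clean) / len(clean)
    return hits, false_alarms

def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Change-detection baseline: SHA-256 of each file's content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def changed_files(baseline: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Files that are new or whose content no longer matches the baseline;
    this catches modification by a virus that has no signature yet."""
    current = fingerprint(files)
    return sorted(p for p, digest in current.items() if baseline.get(p) != digest)

# Constructed sample files: two clean, two carrying the made-up markers above.
CLEAN: Dict[str, bytes] = {
    "notepad.exe": b"MZ\x90\x00" + b"\x00" * 12 + b"benign program body",
    "readme.txt": b"plain text, nothing to see here",
}
INFECTED: Dict[str, bytes] = {
    "attach.exe": b"MZ\x90\x00" + SIGNATURES["Example.Worm.A"] + b"...",
    "love.vbs": b"' script header\r\n" + SIGNATURES["Example.Worm.B"],
}

if __name__ == "__main__":
    for name, data in {**CLEAN, **INFECTED}.items():
        print(f"{name:12} -> {scan(data) or 'clean'}")
    print("Poor.Sig.C (hit rate, false-alarm rate):",
          evaluate(SIGNATURES["Poor.Sig.C"], list(INFECTED.values()), list(CLEAN.values())))
    base = fingerprint(CLEAN)
    tampered = dict(CLEAN, **{"notepad.exe": CLEAN["notepad.exe"] + b"APPENDED"})
    print("changed since baseline:", changed_files(base, tampered))
```

Running it shows the clean executable flagged only by the too-short signature, while the hash baseline reports the tampered file even though no signature matches the appended bytes.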

Guilty until proven innocent

Security analyst/hacker 'black-hand', who has published an analysis of the ILoveYou worm at http://black.wiretapped.net/, believes that the approach currently adopted for virus signature scanning and detection will change as the environment into which viruses are being released changes.

"A new strategy needs to be taken by antivirus manufacturers. Instead of antivirus tools monitoring for things that are wrong, an approach is needed to define what's right."

The scope of the problem is a perpetual challenge to software makers and security experts, with even juggernauts like Microsoft having to admit vulnerabilities in its Outlook mail program, issuing updates this year to address holes exploited through VBScript viruses.

This "guilty until proven innocent" approach is the one taken by modern firewalls and, according to black-hand, is the philosophy that antivirus makers should adopt.

* See buyers guide on page 30
