OK. This is an unabashed scare story. It hasn't happened yet. It's always possible that it will never happen.

So that's the disclaimer over. Now take a look at the series of articles here. This is a collection of speculations about SOBIG.G, which hasn't appeared yet. If the history of the SOBIG series is anything to go by, then it's quite likely to appear on Sept 11th. Hmmm. Interesting date. It's also very likely that SOBIG.G will be further debugged and enhanced using the lessons learnt from the F infection. I'm really expecting SOBIG.G to spread extremely fast and to do some real damage. The really scary bit is that even if SOBIG.G gets stopped, the same will be true of SOBIG.H.

One of the interesting tidbits is an answer to a question I'd been asking: how did SOBIG.F spread so fast initially? This is the first suggestion I've seen that the initial injection used spam techniques to get a few tens of millions of copies of the initial email out into the world in a couple of hours.

Some person or group of persons appears to be working pretty hard on this, and they appear to be pretty damn clever and definitely not stupid. That doesn't exactly square with the usual virus-writer/hacker image of the confused loner teenager, and it raises some difficult questions. Just exactly what are they aiming to achieve?

This may be a technological war that nobody wins and ends up as a stalemate. In the short term, there are some things that can be done. I've been thinking a lot about what went wrong with SOBIG.F and how it could have been less bad than it was. Here are some suggestions:

- ISPs routinely block outbound port 25 from customer connections to anywhere but their own relay server. This stops viruses using their own SMTP engine to deliver straight to the victims' mail exchangers. This is already happening.

- ISP relay servers should require authentication (SMTP AUTH). This stops viruses from using the relay server directly, as an open relay, to send email out. It doesn't help against a virus that can read the user's stored mail password, but it at least ties every message to an account that can be rate-limited or cut off. This is something that ISPs should do anyway. I really don't understand why they don't.

- Outlook and Outlook Express are changed so that you have to save an attachment to disk before opening it outside the program. This actively discourages users from "just clicking" on attachments. Don't hold your breath for this one.

- People stop using auto-responders. Anti-virus programs stop trying to notify the From: address of a virus email that a virus was found: the virus forges that address, so the notification only ever reaches an innocent third party. This cuts down the number of completely useless notifications.

- Mail servers only send bounce messages back to the envelope sender (the SMTP MAIL FROM address) and never to the header From: address. And when they do, they send the headers and first few lines only, not the whole attachment. Not completely sure about this one. But in theory it sends bounces back to the legitimate sender only. And if there's no usable envelope sender (the empty reverse path that bounces and auto-replies themselves use), then it dumps the report in /dev/null instead of clogging up the system with bounces of bounces.

- ISPs start offering anti-virus and anti-spam filtering as a premium service. This takes some of the onus off the end user and rewards the ISP with some extra money to pay for the cost of running it. I really think that BT, AOL, Freeserve, Blueyonder and all the others ought to think seriously about this. Especially as we see more broadband services provided as "Wires only".

In all that, for "ISP", read "Corporate IT" as appropriate.
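The two bounce rules above (report only to the envelope sender, quote headers plus a few lines, drop the report when there is no usable sender) are easy to get wrong, so here is an added example of a gateway's bounce policy written out in Python. It is not code from the original post or from any real mail server; the gateway address MAILER-DAEMON@mx.example.net, the LF-terminated input, and the sample worm message are all assumptions made for the demo. The Auto-Submitted header it honours is the one later standardised in RFC 3834; Precedence: bulk/junk/list is the older convention for the same thing.

```python
"""Bounce and auto-reply policy for a mail gateway, following the suggestions
in the post. Assumptions (not from the original): the gateway's own address
is MAILER-DAEMON@mx.example.net, input messages are LF-terminated text, and
the sample worm message below is constructed for the demo."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

MAX_BODY_LINES = 5                          # how much of the original body a report may quote
GATEWAY = "MAILER-DAEMON@mx.example.net"    # assumed hostname


def reverse_path(envelope_from: str) -> Optional[str]:
    """Cleaned SMTP envelope sender (MAIL FROM), or None for the null reverse
    path "<>" or anything that isn't a plain address. A null reverse path
    means the message was itself a bounce or auto-reply; answering it loops."""
    addr = envelope_from.strip().strip("<>").strip()
    if not addr:
        return None
    _, parsed = parseaddr(addr)
    if "@" not in parsed or parsed != addr:
        return None
    return addr


def is_auto_generated(msg: Message) -> bool:
    """True for mail that declares itself automatic: Auto-Submitted (RFC 3834)
    other than 'no', or the older Precedence: bulk/junk/list convention."""
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return True
    precedence = (msg.get("Precedence") or "").strip().lower()
    return precedence in {"bulk", "junk", "list"}


def excerpt(raw_message: str, max_body_lines: int = MAX_BODY_LINES) -> str:
    """Original headers plus the first few body lines; the attachment that
    made the message worth bouncing is never reflected back to anyone."""
    head, _, body = raw_message.partition("\n\n")
    lines = body.splitlines()
    kept = "\n".join(lines[:max_body_lines])
    if len(lines) > max_body_lines:
        kept += "\n[... remainder of message not included ...]"
    return head + "\n\n" + kept


def build_bounce(envelope_from: str, raw_message: str, reason: str) -> Optional[str]:
    """Text of a non-delivery report addressed to the envelope sender, or None
    when the report should be discarded (the post's /dev/null case)."""
    recipient = reverse_path(envelope_from)
    if recipient is None:
        return None
    if is_auto_generated(message_from_string(raw_message)):
        return None
    # The header From: is deliberately never consulted: a worm forges it.
    return (
        f"To: {recipient}\n"
        f"From: {GATEWAY}\n"
        f"Subject: Undelivered Mail ({reason})\n"
        "Auto-Submitted: auto-replied\n"    # so other gateways won't reply to us
        "\n"
        f"Your message was not delivered: {reason}.\n"
        f"The original headers and first {MAX_BODY_LINES} body lines follow.\n"
        "\n" + excerpt(raw_message) + "\n"
    )


# Constructed sample, modelled on a mass-mailing worm: the header From: is a
# harvested third-party address, and the body is padded to stand in for a
# large attachment.
WORM_MESSAGE = (
    "From: innocent.bystander@example.org\n"
    "To: victim@example.com\n"
    "Subject: Re: Details\n"
    "Content-Type: text/plain\n"
    "\n"
    "See the attached file for details.\n"
    + "\n".join(f"attachment-chunk-{i:02d}" for i in range(40))
    + "\n"
)


def demo() -> tuple:
    """Run the two cases the post distinguishes: a real sender, and the null reverse path."""
    sent = build_bounce("<worm@infected-host.example.net>", WORM_MESSAGE, "virus detected")
    dropped = build_bounce("<>", WORM_MESSAGE, "virus detected")
    return sent, dropped


if __name__ == "__main__":
    sent, dropped = demo()
    print(sent)
    print("null-sender case dropped:", dropped is None)
```

Note that the report does go to whatever the worm put in MAIL FROM, which may itself be a forged or harvested address; the policy only guarantees that the forged header From: is never used, that nothing is sent for the null reverse path, and that the few hundred kilobytes of attachment are not reflected. The remaining useless reports are the reason the post also asks for the anti-virus auto-responder to be turned off altogether.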

And if you manage or run an Anti-virus system TURN OFF THE AUTO-RESPONDER. If you don't you're part of the problem. [from: JB Ecademy]


[ 07-Sep-03 11:10am ]