As law enforcement officials continue their search for the origin of the SoBig.F computer worm that clogged servers and networks last week, security experts are watching for the next variant and worrying that antivirus defenses might be flawed.
The FBI, which subpoenaed an Internet service provider in Arizona, is working on leads in the case while security experts and victims assess the damage done by the variant worm.
While the outbreak might have both home and corporate computer users on guard, it is also signaling to some the need for a change in antivirus protection, which is based on a sometimes slow process of updating virus definitions to identify and block threats.
“The whole model behind fundamental antivirus is basically flawed,” ISS X-Force engineering manager Dan Ingevaldson told TechNewsWorld. “There is this window of opportunity — 5 to 12 hours to propagate. It seems [virus writers] are concentrating on that window.”
Hunt Is On
In its search to find out who wrote and released the variant, the FBI subpoenaed Arizona Internet provider Easynews.com. The FBI informed Easynews that an individual had used the Easynews Usenet server to upload the SoBig.F virus on Monday, August 18th, the company said in a statement.
FBI deputy assistant director of cybercrime Jim Farnan would not confirm the Easynews lead, but he told TechNewsWorld that the bureau is making progress in finding the SoBig.F author, who might face a penalty of 5 to 20 years in prison and several thousand dollars in fines.
“Our job is to find out who authored and who launched the code,” Farnan said. “We do have leads, and we are pursuing them aggressively — we’re always hopeful we’ll find the perpetrators.”
Forrester industry analyst Jan Sundgren, who referred to law enforcement’s poor track record with virus writers, told TechNewsWorld that capture of the SoBig.F author depends mostly on how skilled the person is at remaining anonymous.
Sundgren said that, judging by the spamming elements of the worm, which included its own e-mail engine, the author might be more technically sophisticated than the average virus writer. He also noted that, unfortunately, the inclusion of spam or unwanted e-mail features in a worm makes malicious software, also known as malware, more attractive to deploy.
“You have this linkage to a huge moneymaking endeavor. Before it was just to show off,” he said. “It is troubling because now there’s another motivator for spreading viruses.”
While antivirus and security experts were able to avert a timed download included as part of SoBig.F late last week, MessageLabs chief information security analyst Paul Wood told TechNewsWorld that the worm’s variants have followed an evolutionary path that is expected to continue.
“It’s evolved quite considerably in each incarnation,” he said.
The watch for another variant after SoBig.F, which expires September 10th, is ongoing, but Wood said the virus writer probably does not want to draw any more attention, given law enforcement’s current investigation.
Race To Release
Wood said that because signature-based antivirus software can only block viruses it has already seen, the inclusion of heuristics-based scanning, which flags suspicious behavior or structure rather than a known sample, is becoming more of a necessity to ward off worms such as SoBig, particularly for enterprises.
He said the 12 hours it took to update virus signatures was significant because SoBig.F was so pervasive in its first 24 hours.
ISS’ Ingevaldson said that by optimizing e-mail capabilities, the SoBig.F worm showed that spam and worms are coming together and that virus writers are zeroing in on the time it takes antivirus vendors to catch a sample, then update and distribute new virus definitions.
“This whole strategy is what we’re going to see in the future,” Ingevaldson said, referring to exploitation of the time lag to update signatures.
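The gap Wood and Ingevaldson describe is easy to see in miniature. The following is an added example, not code from the article or from any antivirus vendor: it scans constructed, harmless byte strings (not real worm samples) against a hash-based signature database, shows that a variant differing by a single edit slips past the signature check during the update window, and shows a simple heuristic, an executable that carries its own SMTP engine strings, catching it anyway. The signature format, the heuristic rules, the detection name and the sample data are all assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample "attachments" (not real malware): a minimal MZ executable
# header followed by the command strings a self-contained SMTP engine embeds.
KNOWN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 28
                + b"HELO %s\r\nMAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nDATA\r\n")
# A "new variant": one small change, so the hash signature no longer matches.
VARIANT = KNOWN_SAMPLE.replace(b"HELO", b"EHLO")
# A benign attachment for comparison.
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database as a vendor would ship it after analysing a sample:
# the hash of the known sample, mapped to a (hypothetical) detection name.
SIGNATURES = {sha256(KNOWN_SAMPLE): "Constructed.Worm.A"}


def signature_scan(data: bytes):
    """Return the detection name if the exact sample is known, else None."""
    return SIGNATURES.get(sha256(data))


# Assumed heuristic indicators of a mass-mailing worm: an executable that
# contains enough SMTP protocol strings to be carrying its own mail engine.
MAIL_ENGINE_STRINGS = (b"HELO ", b"EHLO ", b"MAIL FROM:", b"RCPT TO:", b"DATA\r\n")
EXECUTABLE_EXT = re.compile(r"\.(exe|pif|scr|com|bat)$", re.IGNORECASE)


def heuristic_scan(data: bytes, filename: str):
    """Return (suspicious, reasons) without any knowledge of specific samples."""
    reasons = []
    is_executable = data[:2] == b"MZ"
    if is_executable:
        reasons.append("MZ executable header")
    if EXECUTABLE_EXT.search(filename):
        reasons.append("executable attachment extension")
    hits = [s for s in MAIL_ENGINE_STRINGS if s in data]
    has_mail_engine = len(hits) >= 3
    if has_mail_engine:
        reasons.append("embedded SMTP engine strings: " + b", ".join(hits).decode())
    # Rule: an executable carrying its own SMTP engine is quarantined.
    return is_executable and has_mail_engine, reasons


def scan(data: bytes, filename: str):
    """Signature check first (exact, cheap); heuristic check for what it misses."""
    name = signature_scan(data)
    if name:
        return "blocked", name
    suspicious, reasons = heuristic_scan(data, filename)
    if suspicious:
        return "quarantined", "; ".join(reasons)
    return "allowed", ""


if __name__ == "__main__":
    for label, data, fname in (("known sample", KNOWN_SAMPLE, "photo.pif"),
                               ("variant", VARIANT, "photo.pif"),
                               ("benign", BENIGN, "report.pdf")):
        verdict, detail = scan(data, fname)
        print(f"{label:12s} signature={signature_scan(data)!s:20s} verdict={verdict} {detail}")
```

The variant is the interesting case: until a vendor obtains the sample and ships a new hash, `signature_scan` returns nothing for it, which is the window Ingevaldson describes. The heuristic does not need the sample, at the usual cost that a legitimate mail client built as a single executable would trip the same rule, which is why such rules are tuned and scored rather than applied as bare blocks in practice.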