In the wake of what will likely go down as one of the worst weeks in the history of Internet viruses, security specialists say that the focus on user education is failing and that pressure must now be put on vendors to make their products safer. The tack toward the vendors comes after a week that saw 16 new viruses and worms—nearly half of which had a risk rating of at least medium—unleashed on the Internet. The threats, all but one of which are variants of previous malware, such as Bagle, Netsky or MyDoom, did not spread widely or do much damage. But IT managers say that with two or three new threats showing up daily, few enterprises can keep up.
"Virus writers have always been winning the war," said Paul Schmehl, adjunct information security officer at the University of Texas at Dallas as well as a founding member of the Anti-Virus Information Exchange Network. "Reactive technology is just that: something that reacts to a threat once its known. Its always been a bad approach, and it always will be. If the threat sails past your gateway unhindered, then the desktop is your last resort. And thats where Jane and John sit, just waiting for the next curiosity to come their way."
Educating users on the dangers of opening attachments from unknown sources clearly has not worked, he added. People still open the files and still are surprised when something bad happens, Schmehl said. "We have people in this country who cant name the president. What makes you think theyd be aware of viruses?" he said.
That problem is compounded by ever-evolving threats. Even companies that follow best practices and filter dangerous e-mail attachments at the gateway found themselves getting slammed by Bagle variants, thanks to a clever bit of coding.
The author of Bagle.H and its descendants sealed the virus-infected Zip archive with a password, which was included in the text of the e-mail message. Users must manually enter the password to open the archive and execute the virus. Not only does this make the attachment seem more legitimate to users, it also prevents gateway antivirus scanners from inspecting the contents of the attachment.
This state of affairs has led to increased frustration on the part of enterprise security personnel, who feel that theyre fighting the battle alone and with little hope of winning.
Schmehl and others who have been involved in user education efforts say vendors have to take a more aggressive role to protect users who just cant help being lured by viruses and worms.
While he sees the value of training users, "Id be the last one to let the AV vendors completely off the hook. I hate to see outfits spending vastly more on marketing than product development or malware research," said Rob Slade, a well-known virus researcher and author based in North Vancouver, British Columbia. "The inaccuracies and false positives generated create problems for other, more able AV researchers and vendors as they are required to respond to threats that dont exist."
"One of the things I think Microsoft [Corp.] needs to look at is maybe shipping Outlook so that its set to work offline by default," said Vinny Gullotto, vice president of research for the Antivirus and Vulnerability Emergency Response Team at Network Associates Inc., based in Santa Clara, Calif. "Then if you go online and see that you have 50 messages queued up in your out-box and you havent written any, maybe youll know theres a problem."
But there are a number of hurdles to overcome, not the least of which is workers dependence on e-mail for instant communications. Gullotto suggested that instant messaging software is far more suited to this task and is much less susceptible to viruses and other security threats.
Schmehl agreed, saying e-mail systems were not meant to be used the way that they are today.
"E-mail was never designed to be a file transfer mechanism, and it is time to stop using it that way," Schmehl said.
However, some administrators still see users as the key to stopping the cycle of virus infections.
"If we could get a significant number of home users to install anti-virus software and keep the definitions current, I feel that major virus outbreaks would be a thing of the past," said Pat Flannigan, systems administrator at CFS Mortgage Corp., based in Phoenix. "Users are the hardest part. They need to constantly watch for viruses in e-mails and Web sites at the forefront in their thinking."