SoBig: Worst is Yet to Come

bl8n8r writes "Experts say when vacationers get back to work Monday, Inboxes will unleash the worms worst attacks. Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems. "

Microsoft has serious problems

2 worms (DCOM and Welchia) and a virus variant in less than two weeks.

This should tell investors that they are wasting their money.

This should tell companies that they are wasting their money.

Someone, somewhere, will hopefully get a clue.

Re:Microsoft has serious problems

[Kenja]

How much do you want to bet that the people getting the clue are not the ones who keep putting unpatched computers on the internet without a firewall? Come on, regardless of the platform thats just asking for it.

Brain-dead auto-responders...

[ktakki]

So far this week, I've received only seven actual copies of W32/Sobig. However, the number of messages from mailer-daemons and mail server virus scanners has exceeded this by a factor of ten. Some of these rejection messages actually include a copy of the infected .PIF file.

You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field. I didn't send it, my Mac is not infected. You're just annoying me. Please go away.

At best, this is collateral damage. At worst, these rejection messages are actually advertising the IP addresses of infected systems. Should a virus drop a back door payload, this would multiply the damage.

k.

Re:Worst I've seen by FAR

[aridhol]

plus maybe 30 automated msgs saying _I'd_ sent out such nastiness/bloat.

I was getting that, too. I think it generates the return address the same way it sends the to: address. They both come from the user's address book. Because of this, other people get the warnings, not the person who's actually infected. This allows the virus to go undetected longer.

Vacation?

[*weasel]

did a statistically significant portion of the workforce on vacation this week?

that seems like a pretty weak overall premise for an expected resurgence.

now if he said that he expects a steady stream of continued activity into early next month, due to all the people who take vacations throughout august - he might have a point.

but to suggest that these 'vacationers' will unleash the same spam deluge monday that the rest of the unwashed have given us this past week, is a bit shaky.

Even worse...

[cperciva]

You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field.

The situation is even worse than that: Most (all?) of the virus scanners sending me autoreplies correctly identified the virus as being Sobig -- which always uses spoofed source addresses.

Sending autoreplies is sometimes useful, but these scanners should at very least have a table which tells them, for each virus, whether an autoreply should be sent (ie, a table which specifies if a virus uses spoofed source addresses).

Read between the lines

[Rosco+P.+Coltrane]

Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems rather than the destruction of files or the opening of files to outsiders on the Internet, which can be problems with many computer viruses. Pescatore said that the cost of both technical support personnel and lost productivity by the computers' users can range from $500 to $1,000 per infected machine.

And who is Marc Sunner? he's the CTO of MessageLabs. And what does MessageLabs do, you ask? see for yourself, from the main page at messagelabs.com:

Email security today is a global issue which pervades whole organizations. Viruses, spam, pornographic material and other harmful or unwanted content represent a serious risk to your company. To combat these all too real threats, you need a total, proven and effective solution. Only MessageLabs can assure you of complete peace of mind from complete email security

$500 to $1000 to clean up each infected machine? Right, whatever Marc. And it's obvious you don't have *any* interest in propagating that baloney too. (on second thought, if you hire me to clean your machines, I'll do 5% discount off that price).

Another fine impartial article reposted by Slashdot. (By the way, the word you're looking for is "advertising") ...

Re:Cost Benefit Analysis

[BWJones]

That's my plan. Just pull the plug on the Wintel stuff, toss em in the trash and replace them with Macs running OS X. :-)

I was being a little glib there, but it should be pointed out that the labor costs associated with managing all of this crap are pretty serious. Overtime charges, benefits and basic salary for an $74k employee for the last three days are running what? At least $1000k per employee. With eight IT dudes running around fixing all of the Wintel systems that's eight grand worth of new Macs that will have much better uptime and lower costs just from the last three days alone. Now, consider how many of these little virus and worm issues there have been in the past year.

how can people fall for it... again

[kubla2000]

What I find discouraging is that the lemmings are falling for it despite this being The Week of Teh Worm.

All the hopeful articles that have sited users claiming a new awareness of the risk of worms and virii seem to be pipe dreams.

Dumb users are dumb users and the more infectuous and persistant the virus, the more networks are going to get hammered. Why oh why aren't all pif, scr, exe, com, and vbs attachments just blocked by the MDA. There is no good reason for allowing an end user the huge complexity of choosing whether or not to click on the latest attachment that's come to them from "the internet".

If the lemmings are getting suckered this week... when every news medium is blathering on about viruses worming their way through nuclear reactors and motor vehicle registration offices, what hope is there for when the attention has settled?

Re:Cost Benefit Analysis

[Frymaster]

f they had done their job properly in the first place, they wouldn't have to fix anything at all.

does "doing their job properly" include preventing end-users from touching the keyboards? let's face it, the network that remains unused always stays in a stable, functioning state. put users on it and then things go wrong.

Re:Cost Benefit Analysis

[jonbrewer]

No "IT dudes" worth anything will be "running around fixing" things. If they had done their job properly in the first place, they wouldn't have to fix anything at all.

I don't know what world you're living in, but it isn't the one I'm posting from. You can be a brilliant IT guy who does his job incredibly well, but if a corporation's policies (i.e. waiting until a patch has been regression tested with bespoke applications) have you running around fixing things, it's the CIO that's not "worth anything" and not the "IT dudes".

And, of course, in the case where you're paid $74k/year (as the parent post mentioned), You Do What You're Told, or you quickly lose said salary.