In the summer of 2003 a new email virus hit the front pages of the newspapers worldwide.
SoBig was famous initially for being exactly what its name suggests - the massive and rapid spread of the virus across the globe made it the worst ever in terms of volume. At one stage in August, MessageLabs stopped over a million copies in a single day, at an astonishing ratio of one every seventeen emails.
Looking back however, it will not just be the sheer size of it that will make SoBig notorious. It was also a prime example of a new email threat, and one which will change forever the way companies should consider their email security protection. SoBig was a classic example of convergence - the uniting of virus and spam techniques to present a much more sophisticated problem.
This convergence is a crucial new development because it unites twin threats that previously could be considered and dealt with separately. Email viruses have of course continued to increase in activity - in 2002 MessageLabs stopped a virus every 212 emails, in 2003 the ratio was just one in 33. Global levels of spam have rocketed alongside this. In 2003 the figure was up over 50% in terms of spam per email, with MessageLabs stopping an incredible 25 spam emails every second.
At the heart of this growth is the much closer relationship developing between viruses and the proliferation of spam. Traditionally viruses were nasty but random, written by misguided youths with either malicious intent, a chip on their shoulder or most likely a desire for notoriety within the virus writing community.
What SoBig demonstrated clearly is that viruses are increasingly being used as the delivery mechanism for a more sinister, fraudulent intent. Spammers - seeking to gain as wide an audience as possible for their messages - have taken to using virus techniques to propagate their information.
The most obvious mechanism is via a new breed of 'Trojan' virus, which seeks not only to infect a machine and mass mail, but also to open up the unfortunate system to future attacks by leaving the infected system "open proxy".
Proxy servers were initially developed to perform a useful function as they linked a PC to the internet via a local network. But this usefulness has perhaps now been overtaken by the fact that, if left unguarded and open, they present a 'back door' route into computer networks for a grateful spammer.
Internet security companies and ISPs have become more aware of this problem and closed the open proxies on a lot of machines. As a result, those looking to exploit them have had to become more sophisticated - leading to the introduction of new viral attacks containing a Trojan programme that will work to reopen the proxy server once inside.
This technique has been particularly adopted by spammers who use the vulnerable and unknowing machines to distribute their junk mail on a massive scale. Recent estimates suggest that as much as 60% of all spam is distributed using open proxies in this way.
What this convergence presents is a new and worrying development for all those charged with protecting companies against email threats. Spammers have always defended the legitimacy of their actions by claiming they are doing nothing illegal and that spam is a recognised marketing tool. The use of malicious email viruses to hijack computers and the identity of their users undermines this claim. And in the future the prevalence of spam being sent from unknowing, innocent servers is likely only to increase.
The problem is also worsened by the mass introduction of broadband connectivity. Recent research commissioned by Star Internet shows that over the past 12 months there has been a significant increase in the number of broadband internet connections taken up by small and medium sized companies - with around half a million lines in place by the end of 2003.
This always on connection is a weakness as well as a strength. Always on means always vulnerable - making life very much easier for the spammer seeking to hijack a machine. The Star research, carried out by analysts the Yankee Group, estimated that firms using broadband are up to five times more vulnerable to attack than those using traditional dial up access - costing SMEs alone nearly £2 billion a year.
The combination of the convergence of viruses and spam with the greater vulnerability created by broadband connectivity means that more than ever firms need to be aware of what is going on and think more holistically about their security solution.
Traditional anti-virus or anti-spam solutions are not in themselves going to be effective. Reactive software simply cannot handle this increasing threat, and separate solutions are always going to be flawed.
The only viable solution is to seek a more sophisticated form of protection, and to stop the problem before it arrives by scanning for unwanted content at the internet level. As the level of threat increases so does the need for vigilance. A managed service, proactively seeking to identify the dangers contained within seemingly harmless emails, is the best way to reassure those responsible for internet security within a business that they are properly protected when spammers attack.
Mark Sunner is CTO of MessageLabs
MessageLabs are exhibiting at Infosecurity Europe 2004 which is Europe's number one IT Security Exhibition. The event brings together professionals interested in IT Security from around the globe with suppliers of security hardware, software and consultancy services. Now in its 9th year, the show features Europe's most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 27th to the 29th April 2004. www.infosec.co.uk
