Opinion: Troubled Times for E-mail
- By Scott Bekker
A quick glance at MessageLabs' end of year statistics on virus activity
and an impression that's been growing since the summer gets sharper.
We've reached a tipping point with viruses, and it's very bad place to
It used to be that the bulk of virus e-mails had the intent of being
just annoying. An appropriate way to think about the virus/worm author
was the teenage tinkerer seeing what kind of trouble he could stir up.
Damage estimates were measured in downtime and theoretical lost
productivity from some hypothetical nirvana of 100 percent worker
productivity. Sure there were more serious types out there, actively
after your digitally-stored assets, but they tended to use lower
profile, smarter, means to attack systems.
The Sobig.F worm changed that in a big way. As the fastest-spreading
worm to date, Sobig.F became spam-like in the way it flooded users'
inboxes with hundreds of messages. For the record, MessageLabs, a
security vendor and e-mail hoster, reports that Sobig.F was the most
common e-mail infection of 2003, with 32 million Sobig.F mails
intercepted. The No. 2 infected e-mail, Swen.A, was way, way down at
4.1 million. (See table below).
But Sobig.F was more than similar to spam. It appears to have been
designed to turn infected PCs into spam-relay engines, MessageLabs
notes. Is it a coincidence that spam boomed in 2003? The overall ratio
for spam to e-mail for the year leapt from one in 11 for 2002 to one in
2.5 this year. MessageLabs also reports that more than 66 percent of
spam was sent through hijacked computers.
The flood of spam sent through hijacked computers, many of them
consumer systems with broadband connections, is leading to serious
questions about the future of e-mail. Perhaps nothing illustrates the
general frustration with spam as well as a survey done for Symantec of
500 small businesses. About 42 percent of the respondents said they
would consider abandoning e-mail for business correspondence if the
spam situation worsened. While the idea probably never occurred to most
of the respondents before being presented with it in the survey, the
fact that they didn't dismiss it out of hand is sobering. (View
Symantec's discussion of the survey here.
There is reason to suspect the Sobig author of aiming for more than
the disruption of the e-mail system. By creating an open proxy network
for spam relays, the virus author had an asset to sell to spammers, or
possibly a network to hand over to the bosses at a spamming
organization. Consider this: The Sobig e-mails each expired after a set
time, and each expiration date was followed immediately by a new
variant of the malware. When Sobig.F spread like a wildfire in high
wind, the spam-relay network would have been in place and probably
would have been much wider than the author could have hoped. If the
author was out to wreak havoc rather than chase profits, why not take
the lessons learned from Sobig.F and plow them into a Sobig.G?
This leaves us with a new model for the virus/worm author -- somebody with a profit motive. It's evident in another blockbuster worm of 2003. Mimail is the one with the variant asking PayPal customers to update billing information, including credit card numbers and expiration dates.
These are two pretty strong examples that profit motive, rather than
notoriety, is becoming the driver for authors of viruses that erupt
into mass outbreaks. Market forces being what they are, we should
expect competition to drive virus writing to new heights in 2004.
Following is MessageLabs' tally of virus e-mails it had stopped by Dec. 1:
- W32/Sobig.F-mm -- 32,432,730
- W32/Swen.A-mm -- 4,184,129
- W32/Klez.H-mm -- 4,006,766
- W32/Yaha.E-mm -- 1,920,424
- W32/Dumaru.A-mm -- 1,129,061
- W32/Mimail.A-mm -- 1,052,481
- W32/Yaha.M-mm -- 862,682
- W32/Sobig.A-mm -- 842,729
- W32/BugBear.B-mm -- 814,865
- W32/SirCam.A-mm -- 511,578
Scott Bekker is editor in chief of Redmond Channel Partner magazine.