We are losing the malware war. Conventional antivirus and anti-spam countermeasures seem ineffective against an increasingly sophisticated enemy. The argument is that server- and client-side solutions draw the battle lines far too deeply inside their own territory, robbing computing, bandwidth and other resources. What's more, their inherently reactive approach dooms IT staff to an endless cycle of patching and pushing out client updates.
E-mail security provider Messagelabs is taking the fight against spam and viruses elsewhere by offering proactive managed services that stop spam and virus threats at the Internet level, before they reach corporate networks and end users.
ZDNet spoke with Messagelabs chief technical officer Mark Sunner about current Internet threats, organised crime, and the latest trends in combating today's overwhelming flood of unsolicited mails and dangerous malware.
Within the last year, have you monitored an increase in the number and/or severity of Internet attacks? What were the hallmark features of recent Internet threat activity?
We've definitely noted an increase in overall traffic. I think the biggest trend we're seeing now is the increasing sophistication of the techniques used specifically in viruses. The sophistication is very much geared around subverting the flaws within traditional antivirus protection. Rather than obfuscating the viral code as in the past, virus writers are now changing the encoding techniques.
We've also seen social engineering being a factor as well, where virus writers are introducing a human element by putting malicious code in password-protected Zip-files and finding some route to encourage the user to then unlock the virus once it reaches the desktop.
The final trend that we're seeing is a new convergence between viruses and spam. Just to put a mark on that, 66 percent of the spam that we're now intercepting is coming from open proxies -- these are machines that have been infected with Trojans similar to those dropped with viruses such as Sobig, Fizzer or MyDoom. The use of large zombie networks is definitely becoming the en vogue technique of choice within the hard-core spammer community.
Security experts claim that a new generation of malicious code seems to specifically target business and industry, and that a connection exists to organised crime. What evidence is there to support this?
The connection to organised crime can be seen specifically in two areas. The first is the already mentioned convergence between spam and viruses. What we're now seeing is that spammers are essentially bankrolling virus writers -- or people who are capable of writing viruses -- to harvest very large networks of zombie machines that can then be used to send huge quantities of spam or launch denial-of-service attacks. What really are linking the spammers to organised crime directly are the recent "phishing" attempts that we've seen and the way in which the money is subsequently being laundered. These are techniques that have existed in organised crime for a very long time. When someone actually tries to follow the money to see what happens financially, the way the money gets moved around definitely hints at people that are very familiar with laundering money in this kind of way.
The second, slightly more tenuous point is that the areas where the attacks, i.e. the Web pages, are hosted are areas that have been associated with organised crime in the past. Specifically we have seen a lot of "phishing" Web sites hosted in Russia.
What are governments currently doing to control the Internet and what might they do in the future?
Certainly I think since we've crossed the threshold of more than 50 percent of all mail being spam, it shows that things are getting out of hand in the absence of a good filtering solution. The trouble is that the laws both here in Europe and in America are slightly out of touch with practicality in terms of the way they work -- certainly in the US, where the laws have potentially created more confusion than they've actually helped. With the opt-out approach they have actually endorsed the concept of a user opening an unsolicited mail in order to then unsubscribe from it. The fatal flaw, of course, is that the law assumes that the spammers are scrupulous, which we definitely know not to be the case. I don't think legislation should ever be viewed as a magic bullet type solution.
Going forward, the way that this problem will really be solved is to move filtering to the Internet level, where the scale and the speed of updates mean that you can do a much better job, especially when you look at the home-user market, where the task of filtering is being placed on the end user. This is really the wrong place to put it; it's not the end user's core competence.
Currently, many ISPs are allowing all Internet traffic to simply flow through completely unfiltered, which is akin to a water authority pumping out raw sewage to its customers and leaving it to them to fend for themselves. Advanced scanning needs to be shifted upstream to the Internet level, where it is possible to be proactive as opposed to reactive. Governments really need to put additional pressure on the ISPs to take ownership of the problem, and to filter the connections that they are providing to businesses and to home users.
Spam and viruses are often mentioned in the same context, and there is much talk about the so-called "blended threats". Is spam then more than just a nuisance? How does it fit into the big picture?
One of the main reasons that you hear about spam so regularly now is that spam is a daily problem, whereas viruses tend to be not quite so much in people's faces so immediately. Spam and viruses are very much mentioned interchangeably now since we've seen the convergence where the purpose behind many viruses is ultimately the proliferation of more spam. Generally, consumers or businesses tend to trust their antivirus partners and are now turning to them to ask how they can help them with their spam problem.
Current spam and virus solutions have arguably had limited success, primarily because they all tend to be reactive in nature. What are the most promising ideas for tackling the spam problem?
There are two answers to that question. The first side of it is, coming back to the reactive nature, you definitely need something that is proactive, or more accurately, very dynamic. For instance, the profile of spam changes not just by the day, but almost by the hour. You need something where the filtering rules and techniques both to eliminate spam and eliminate false positives are literally changing in real time as the profile of spam is changing. An Internet-level approach, where you have complete control of the environment, is much more tailored to deliver on this because detection profiles can be changing in real time without having to push out updates to clients in the hope that they get applied… you've got total control.
But more importantly, Internet-level scanning becomes much more pertinent when you look at the sheer volume of mail that's involved. Even if you had actual desktop prevention that was effective, the simple fact is that you've still got to receive all that mail to then decide you don't want it -- it's too late. By this time, your bandwidth and mail processing resources have already been tapped. The trend for the future, and obviously we are in this business, but we are seeing a trend -- not just ourselves, but also companies like us -- for Internet level protection to become the next big thing… to stop spam at its source before it gets anywhere near corporate boundaries or home users and erodes resources. Ultimately, as these Internet-level solutions become more prolific, the costs that spammers themselves incur will increase dramatically. As it becomes harder and harder for spammers to achieve results, they will look on to something else.
Internet-level filtering is exactly Messagelabs' business. This means that all your clients' email communication is monitored by you. Is this a potential cause for concern for corporate clients, specifically, that there is a third party out there that has root-level access to all mail that it sends or receives?
I think confidentiality is an initial concern, but this is a concept that has existed for a long time. All the same issues exist for any company's upstream ISP. What we need to do is make people think about the scanning concept more, and make great steps to give our customers the highest possible level of comfort and confidence. We are certified ISO 17799 and BS 7799. What that means is that we are externally audited about exactly how we manage our data and even who we can employ. We're also looking at providing an encrypted link from ourselves to our customers. Once we become the trusted party, we can also guarantee that the traffic between us and them is safe. We're looking at supporting the TLS (Transport Layer Security), which is emerging as the de facto standard for encrypted email. Messagelabs right now has a lot of financial, legal and even government customers, who themselves have performed a high degree of due diligence on our service.
Can you name some of your customers?
Our customers include the entire British Government, The Bank of New York, EMI Music, HealthPartners, StorageTek, Air Products and Chemicals, SC Johnson, Conde Nast Publications and Fujitsu, to name a few. There are other important clients who wish to remain nameless.
Messagelabs is the leading provider of managed email security services with more than a 50-percent share of the managed email security services market. The company currently protects more than 8,000 businesses worldwide from email threats such as viruses, spam and other unwanted content before they reach their networks, without requiring additional hardware or software.