Protecting networks at the Internet level

commentary Is desktop protection sufficient against the relentless onslaught of computer viruses?
Written by Alex Shipp, Contributor
commentary The recently-released Fizzer worm which spreads exponentially by creating duplicates of itself was described by an anti-virus software company as "code spaghetti"--a virus with multiple components and an internal timer to trigger different processes at different times.

Fizzer was a complex piece of work, gathering information from a number of areas on each machine it infected for use in its mass mailing routine. It was dangerous, damaging and effective, but let us put it in perspective.

Fizzer was just one of dozens of viruses and trojans released this month. Most of the others didn't get as much media clout because security software firms got a handle on them before they could do widespread damage.

The point is that the market is hit with around 10 new viruses and trojans each day. If you have a PC and you are licensed to download signatures, you can manually request updates as often as you want, but few people do it more than once a day. This is horror territory for enterprises.

Any network administrator will tell you that downloading one signature a day is a nuisance. Downloading 10 signatures each day and pushing them out to every PC in a medium-sized company is a near-impossible task. This highlights the vulnerability of antivirus solutions for companies that update their virus signatures once a day or once a week.

This is an international problem with quantifiable productivity and revenue losses for companies. In the most recent Security Survey released in Australia, 126 of 200 respondent companies reported "losing time" due to viruses despite 98 percent of them having antivirus protection, firewalls and other security measures in place. The cost of virus cleanup was just as high, with, these companies racking up a tidy US$7.7 million in security losses and recovery costs in a single year.

Is there really no end in sight? Are we that helpless against this relentless virus onslaught?

Getting ahead and detecting viruses
Why do virus writers create viruses and why are these viruses difficult for AV vendors to detect?

Some virus writers ‘feed’ AV companies by writing malicious code and sending it to these companies just to demonstrate how clever they are. These are known as ‘zoo’ viruses - viruses that have not been released into the community or ‘wild’. Most of the 50,000 to 70,000 known viruses are in fact zoo viruses, but every so often a virus writer might decide to release their creation into the wild. This of course sparks the damage.

With about 10 new viruses, worms or Trojans appearing each day, AV companies on their part have no choice but to fight a rearguard action. Most often they are unable to detect the virus when there is a first sign of outbreak, as they often rely on their customers or competitors to provide them with evidence of a virus so that they can create a signature that covers it. As such, many of them are not able to develop the virus signature until hours and, sometimes, days later.

Unfortunately, the reality of the situation is that the virus is already in the wild and doing damage by the time the AV companies see it. In the case of the Bugbear outbreak, it took most AV software vendors more than 18 hours to detect the virus after the first email-infected virus was stopped through Internet scanning technology. The same happened with Fizzer, but with Fizzer the timescale was days, not hours.

How can end-users protect themselves and what do IT managers need to look into to help their company’s staff do so?

There needs to be a two-pronged approach especially for enterprise users--protection at the desktop level and protection at the Internet level. Protection at the desktop level ensures that viruses are not being spread at levels where Internet scanning is futile, such as floppy disks.

But why protect at the Internet level? Internet level virus protection can use a vast amount of resources simply not available on the desktop or gateway. For example, Internet level scanning normally uses a knowledge base several gigabytes in size.

However, the desktop market is very sensitive to the size of the virus pattern files provided by the software vendor. Go much over a megabyte and the complaints start rolling in from users who have to deploy them on hundreds and thousands of desktops.

Number-crunching heuristics technology is also well-suited to the massive processing power available at the Internet level. If you try doing this on your desktop or gateway, you will find very little processing power left over for routine operations. However, doing this in data centers at Internet exchanges in multi-million dollar configurations allows much more processing power to be directed at the problem. The service is also remarkably low cost to test. There is also no investment in hardware, software, staff or training needed. Instead, all that needs to happen is a redirection of email.

There are companies providing Internet email scanning services today, and doing it well. The benchmark is a zero enterprise virus infection level and at last count 96 per cent protection against spam.

Alex Shipp is the chief technologist of e-mail security solutions firm MessageLabs.

Editorial standards