Filtering the virusnews
23 August 2006

Spam attacks can lead to mail servers of legitimate organisations getting blacklisted. By Ambarish Deshpande, regional director India & SAARC, IronPort Systems.

Dangerous viruses continue to proliferate, with new and insidious tactics employed to penetrate networks. Increasingly, viruses are programmed to wreak havoc and destruction, assume identities, and defraud the public. New methods of delivery are successfully eluding network administrators, rendering viruses even more threatening than in the past.

A typical virus outbreak averages $300 per desktop in IT clean-up costs alone. In their early days, viruses and spam were largely a way to gain notoriety and fill free time; today they are a money-making business. Email and attachments remain the primary way of spreading harmful content. IronPort's Threat Operations Center reports that in the past 45 days it has blocked 20 virus outbreaks, all of them quarantined before the major anti-virus vendors released a signature.

Hackers and viral threats are also becoming far more targeted. We are seeing the rise of tailored Trojans aimed at customers of specific banks, in what are dubbed "spear phishing" attacks. Of the email-based viruses that appear daily, only a few qualify for "virus outbreak" status. To be classified as an outbreak, a virus must be new or a new variant of an existing virus, have moderate to significant damage potential, and have a widespread distribution system. The most recent virus outbreaks were Trojan Variant, Worm_Locksky, Nymex-D, Bagle-GT, FeebDL-Q and Kukudro-A.

Kukudro-A, a dangerous Trojan that was recently spammed out to hundreds of thousands of email addresses under subject lines such as "worth to see", "prices", "Hi" or "Hello", arrived as a seemingly benign zipped Microsoft Word document and therefore bypassed almost all attachment filters.

As soon as the document was opened, the Trojan exploited a Microsoft Word vulnerability to install itself. Once installed, it opened a backdoor that remote attackers can use to take over the computer, after which they can use it to send spam and host spyware. They can also install keyloggers and screen scrapers on the infected PC to steal personal, confidential and financial information without the user's knowledge.

A worrying trend is the growth in misdirected bounces, up 35 per cent since Q1 2006. Misdirected bounces make up 15.2 per cent of hostile email, or approximately 7 billion messages per day. They clog the email systems of the forged domain's owner but are never delivered to an end-user. The technique works as follows: the spammer forges the intended victim's address as the return address (the envelope sender) on spam sent to a legitimate organisation; that organisation's mail server accepts the message, then finds it undeliverable and bounces it to the forged address, so the legitimate organisation ends up delivering the spam to its final destination.

These attacks can cause the mail servers of the legitimate organisations involved to get blacklisted as spam sources. They may also result in more spam reaching end-users, because legacy anti-spam solutions are forced either to accept bounces from these sources or to risk blocking other legitimate email from the same organisations.
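One way a legitimate organisation can stop acting as a bounce relay is to reject bounces at SMTP time unless they concern mail it actually sent. The following Python example is added here and is not IronPort's code or anything from the original article; it implements that check with Bounce Address Tag Validation (BATV)-style "prvs" tagging: every outbound envelope sender is signed with an HMAC and an expiry day, and an inbound message with a null sender (a bounce) is accepted only if its recipient carries a valid tag. The secret key, the example.com domain, the addresses and the sample SMTP transactions are all constructed for the example.

```python
import datetime
import hashlib
import hmac
import re

# Constructed secret for this example; a real deployment keeps a per-domain key in a
# key store and rotates it by changing the key-id digit below.
SECRET_KEY = b"example-batv-secret-2006"
KEY_ID = "0"            # single-digit key identifier carried in the tag
VALIDITY_DAYS = 7       # tagged return paths expire after this many days
EPOCH = datetime.date(1970, 1, 1)

# prvs=K DDD HHHHHH=local@domain  (key id, expiry day mod 1000, 6 hex digits of MAC)
PRVS_RE = re.compile(r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<tag>[0-9a-f]{6})=(?P<addr>.+)$")


def _day_number(day: datetime.date) -> int:
    """Days since the epoch; the tag stores this modulo 1000."""
    return (day - EPOCH).days


def _compute_tag(key_id: str, ddd: str, address: str, key: bytes) -> str:
    """First 6 hex digits of HMAC-SHA256 over key id, expiry day and bare address."""
    msg = f"{key_id}{ddd}{address}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def sign_return_path(address: str, today: datetime.date, key: bytes = SECRET_KEY) -> str:
    """Tag the envelope sender (MAIL FROM) of an outbound message."""
    ddd = f"{(_day_number(today) + VALIDITY_DAYS) % 1000:03d}"
    return f"prvs={KEY_ID}{ddd}{_compute_tag(KEY_ID, ddd, address, key)}={address}"


def verify_return_path(rcpt: str, today: datetime.date, key: bytes = SECRET_KEY):
    """Check an inbound recipient address; returns (tag_is_valid, bare_address)."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, rcpt                       # untagged: we never sent mail from it
    bare = m["addr"]
    if m["k"] != KEY_ID:
        return False, bare                       # unknown or retired key
    expected = _compute_tag(m["k"], m["ddd"], bare, key)
    if not hmac.compare_digest(expected, m["tag"]):
        return False, bare                       # forged or tampered tag
    # Expiry check that tolerates the 1000-day wraparound of the DDD field.
    days_left = (int(m["ddd"]) - _day_number(today)) % 1000
    if days_left > VALIDITY_DAYS:
        return False, bare                       # expired
    return True, bare


def smtp_rcpt_decision(mail_from: str, rcpt_to: str, today: datetime.date) -> str:
    """Reply to give at RCPT TO. Only null-sender (bounce) messages are gated by the
    tag; rejecting here with a 5xx means this server never generates a bounce itself."""
    valid, bare = verify_return_path(rcpt_to, today)
    if mail_from in ("", "<>") and not valid:
        return "550 5.7.1 Bounce to untagged or invalid return path rejected"
    return f"250 OK deliver to {bare}"


def run_demo() -> dict:
    """Constructed SMTP transactions against a server for example.com."""
    today = datetime.date(2006, 8, 23)
    signed = sign_return_path("alice@example.com", today)
    stale = sign_return_path("alice@example.com", today - datetime.timedelta(days=30))
    forged = sign_return_path("alice@example.com", today, key=b"spammer-guess")
    return {
        "own_bounce":  smtp_rcpt_decision("<>", signed, today),             # bounce of our mail
        "backscatter": smtp_rcpt_decision("<>", "alice@example.com", today),  # forged sender
        "forged_tag":  smtp_rcpt_decision("<>", forged, today),
        "expired_tag": smtp_rcpt_decision("<>", stale, today),
        "normal_mail": smtp_rcpt_decision("bob@elsewhere.example", "alice@example.com", today),
    }


if __name__ == "__main__":
    for name, reply in run_demo().items():
        print(f"{name:12s} {reply}")
```

Two practical points follow from the design. The decision is made at RCPT TO with a 5xx reply rather than by accepting and bouncing later, so the protected server cannot itself become a source of backscatter; and the verifier returns the bare address so the local delivery path never sees the tag. Anything that expects the plain envelope sender (mailing-list subscriptions, challenge-response systems) must likewise be given the untagged form, which is the usual operational cost of BATV.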

A preventive outbreak filter provides a first layer of defense against new outbreaks within hours. It performs a threat assessment of inbound and outbound messages and temporarily quarantines suspicious messages; quarantined messages are automatically released once signatures from the traditional anti-virus engines have been deployed. By detecting new outbreaks in real time and dynamically blocking suspicious traffic from entering the network, the filters maintain uptime and business continuity for hundreds of companies worldwide.

Number of virus outbreaks in the last 45 days: 20
Number of outbreaks VOF (Virus Outbreak Filters) caught before the major AV vendors: 20

