Critical. Authoritative. Strategic.


CBR is proudly produced & published
by Technews
Issue Date: November 2003 (es)

Sobig - so costly?

1 November 2003
Christopher Bray, regional director of sub-Saharan Africa, Network Associates

The recent Sobig.f worm has been widely labelled by many anti-virus experts as the worst virus ever. According to vendors, between one in 17 and one in 29 messages contained the virus, filling the hearts of IT managers and home users alike with alarm. To compound reports on the scale of this threat, AOL estimated that it had stopped 23 million copies of the worm.
Sobig is one of the most widespread threats we have seen, but in terms of damage the threat was relatively toothless - the sheer volume of traffic generated by the code causing the biggest headache.
There are three concrete facts that the virus-conscious public should take on board following this outbreak. Firstly, the golden rule of security policy - make sure you keep your anti-virus software updated. Secondly, businesses were pretty much unaffected by this recent outbreak. The McAfee AVERT risk assessment never rose above Medium for the corporate world - and it had an impact lower than that of the Lovsan and Nachi worms that preceded it. And finally, as inconvenient as this latest outbreak is, the associated costs appear to be relatively small.
So why has Sobig drawn so much attention? It is true that the number of infected e-mails has been high. However, this does not necessarily translate into actual infected machines. In reality, the virus was more a nuisance with few reports of businesses suffering day-long disruptions as a result of the worm. Previous outbreaks, which infected fewer users than Sobig.f, have had costs estimated into the billions. So why is the financial impact of Sobig expected to be substantially less?
The reason is simple. The main associated costs for virus outbreaks normally come from four things: downtime; lost business; the cost of investing in new technology and wasted man-hours. Since businesses were, in general, unaffected by the Sobig.f outbreak, the costs are dramatically reduced, leaving the most significant financial impact on the consumer where it is less noticeable in terms of rands costs.
It is certainly encouraging that corporates seem to be effectively managing their security software. Of course, the recent Lovsan and Nachi outbreaks will have gone some way to encourage IT departments to ensure their virus definitions are up to date. After all, an IT manager may be able to justify his network falling under a virus attack in a period of inactivity. If his network crumbled under the third attack in a week, his excuses may run a little thin. It is rare for us to see such a deluge of activity in such a short space of time, and even rarer to see businesses relatively unaffected by such a high profile outbreak.
Sobig-f was a relatively insignificant threat for enterprise businesses, principally because most companies automatically screen for the PIF and SCR attachments that carry it. Like EXE files, PIFs and SCRs have no real reason to be allowed into a corporate IT environment, so why would any security conscious business not screen for and block, these attachments at the Internet gateway? Failure to screen for attachments like these can be the only reason some businesses may have fallen victim to Sobig-f.
If corporates are beginning to learn their lessons about patching systems and updating software, then anti-virus vendors need to take their programme of education to the home - and to the small businesses without dedicated IT staff who both fell victim to the Sobig.f attack, especially internationally.
Despite the media attention that these viruses now command, many consumers still seem to be ignoring the dangers. Effective and regularly updated anti-virus is as crucial for home users as for businesses - especially with the increasing sophistication of viruses and worms and their increased use of spamming techniques. If this is an unmanageable task then perhaps managed anti-virus is the solution.
A number of ISPs now offer virus scanning and management services that will take the responsibility out of the hands of the end-user. Similarly, vendors have also turned towards managed anti-virus to remotely protect a network from threats like Sobig.f - the ideal solution for small companies without the resource to dedicate to bolstering its IT environment from attack.
Home users and small businesses also need to recognise the importance of patching Windows flaws.
Either way, education still plays a huge role. Sobig.f was so successful at spreading because users double-clicked the infected attachment, causing the worm to infect and spread. If the worm had reached corporate desktops, the implications could have been far more severe.
Anti-virus vendors are becoming increasingly proactive with their methods of detection and protection in-depth strategies - layering networks with anti-virus, personal firewall, intrusion prevention and anti-spam software means that businesses can successfully secure themselves against Lovsan, Nachi, Sobig and the threats that follow.
The 'real' costs of Sobig will become apparent as time goes on. Whilst Sobig. is not expected to be as costly as its predecessors, other similar threats - or indeed variants of the same threat - could carry a more damaging payload. This is the sixth variant of the worm in the last six months as the virus writers experiment and perfect the code with each new attack. A virus that erases precious data, gathers confidential data or steals passwords or credit card details from a victim's machine - to say nothing of successfully co-ordinating an attack across the Internet - could give a future variant a bit more bite - and leave businesses and consumers counting the cost.
Christopher Bray, regional director of sub-Saharan Africa, Network Associates
Christopher Bray, regional director of sub-Saharan Africa, Network Associates
For more information contact Christopher Bray, Network Associates, 011 707 5500,

Others who read this also read these articles

Search Site

Search Directory

  • Search for:


Previous Issues