How tighter security can limit damage from worms like SirCam
The SirCam worm/virus has now crashed across the Internet and has pretty much taken its best shot at corporate e-mail servers. What is notable about this infection is not so much the complexity of the code but the response of corporate networks that shut this worm down as quickly as they did.
In this week’s From the Trenches, we’ll look at TechRepublic’s experience with SirCam and talk with a virus detection expert about what makes our response to the worm typical of the IT industry in general.
Does this sound familiar?
Perhaps as much as any industry on the Internet, TechRepublic depends a great deal on interaction with its membership (now approaching 2 million members). Like other organizations, our e-mail addresses are in the contact lists of members and customers around the globe.
With the spread of a virus/worm like SirCam—which essentially uses an infected user’s address book and its own little e-mail client to spread itself to the addresses in the infected user’s directory—any public company is likely to be a target of the next attack.
A couple of months after the LoveLetter virus struck, essentially knocking our operations offline for a day, we installed Trend Micro's VirusWall product on our e-mail servers.
A year later, that investment is looking better and better.
According to TechRepublic’s Exchange Server administrator Mike Laun, the application was able to filter out the worm on all of our incoming messages without one infection getting through. “The Trend VirusWall was extremely fast in getting the update,” Laun said. “I configured the servers to download the latest signature files at 8 A.M. every morning.”
VirusWall routinely eradicates a number of other viruses on a daily basis, which can sometimes create a lot of traffic.
“Part of the obligation of running virus software is to notify the sender that they sent us a virus, particularly in our business, where we communicate with our members,” Laun said. “What often happens, however, is that our system sends their system the notification, and that puts us back in their directory, perhaps with a different response address, and the virus picks up on the new address and sends the virus to us again. Our system then notifies them again, and sometimes the virus responds again and so on.
“These things create tons of useless traffic.”
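The loop Laun describes (notice goes out, the infected machine harvests the notice's address, the worm mails itself back, another notice goes out) is a gateway design problem rather than a signature problem. The following is an added example, not TechRepublic's or Trend Micro's code, of the simplest control that breaks it: notify each sender address at most once per virus within a quiet period, and suppress the rest. The log records are constructed, and the `plan_notifications` function and its 24-hour default are assumptions of this example.

```python
"""Rate-limited infection notices for a mail gateway (added example, hypothetical code).

Models the notify -> harvest -> reinfect -> notify loop described in the article and
throttles it: one notice per (sender, virus) per quiet period, everything else suppressed.
"""
from datetime import datetime, timedelta

# Constructed sample log: (ISO timestamp, envelope sender, virus name) as a
# gateway might record each blocked message. Not real traffic.
SAMPLE_EVENTS = [
    ("2001-07-23T08:05:00", "alice@example.test", "SirCam"),
    ("2001-07-23T08:07:00", "alice@example.test", "SirCam"),    # worm answering our notice
    ("2001-07-23T08:12:00", "alice@example.test", "SirCam"),    # and again
    ("2001-07-23T09:00:00", "bob@example.test", "SirCam"),
    ("2001-07-23T09:30:00", "alice@example.test", "Hybris.B"),  # different virus, same host
    ("2001-07-24T10:00:00", "alice@example.test", "SirCam"),    # quiet period has expired
]


def plan_notifications(events, quiet_period=timedelta(hours=24)):
    """Decide which blocked messages earn a notice to the sender.

    Returns (to_notify, suppressed): the events that should trigger a notice and
    the number of events swallowed because the same sender was already told about
    the same virus within `quiet_period`. Sender addresses are compared
    case-insensitively; the timestamp string sorts correctly because it is ISO 8601.
    """
    last_notice = {}  # (sender, virus) -> datetime of the most recent notice
    to_notify, suppressed = [], 0
    for ts, sender, virus in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (sender.lower(), virus)
        prev = last_notice.get(key)
        if prev is not None and when - prev < quiet_period:
            suppressed += 1          # the worm replying to our notice: say nothing
            continue
        last_notice[key] = when
        to_notify.append((ts, sender, virus))
    return to_notify, suppressed


if __name__ == "__main__":
    notices, dropped = plan_notifications(SAMPLE_EVENTS)
    for ts, sender, virus in notices:
        print(f"{ts}  notify {sender} about {virus}")
    print(f"{dropped} duplicate notices suppressed")
```

With the constructed log, the three rapid-fire SirCam messages from the same sender produce a single notice; the other sender, the other virus, and the message arriving a day later each still get one. The same per-key bookkeeping also caps how much outbound traffic a single infected host can provoke, which is the "useless traffic" Laun complains about.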
Luckily, SirCam hasn’t been as bad as other notable viruses, such as I-Worm.Badtrans or I-Worm.Hybris.B, Laun said.
There’s a reason SirCam flopped
TechRepublic’s experience is more common this year than last, according to Pat Martin, a development manager for the Symantec AntiVirus Research Center. Symantec is a major provider of antiviral and security software.
“From a corporate standpoint, SirCam is more under control because of the security in place,” Martin said. “Every IT manager right now is well aware of the filtering capabilities for e-mail servers and gateways.”
Two years ago, filtering software was seen as simply a cool technology that would be nice to have but was difficult to justify without more financial data.
“AV software, or any kind of security software, is seen as an insurance policy,” Martin said. “One of the hard things with that is how do you measure how much you save if nothing ever happens?”
That changed last year when the LoveLetter virus rocked the world.
“Companies were actually able to make a dollar figure as to how much it cost in downtime, how much in lost productivity, Internet bandwidth, etc.,” Martin said. “Once they saw those numbers, they realized it’s a very small investment, not only in the software but managing the software without much more effort than they are doing now.
“They’re reaping the additional benefits of not having to worry about these kinds of attacks. I think the finance people in most corporations are sleeping better at night knowing that even though they are spending a little money up front, it’s going to pay off many times through the coming years.”
LoveLetter forced the issue of viruses to a higher corporate level than network administrators and IT managers, Martin said. Now, CEOs, CFOs, and CIOs understand what a virus can do—and that adds the support that admins need to justify protecting their networks.
How did you fare?
How did your filtering software work with SirCam? Do you even have filtering software? If you have antiviral software on your network, was it a hard sell to management? Send us a note or post a comment in the discussion below.
Sircam not that bad
Our mail server is programmed to restrict access to attachments judged to contain viruses, but to send a message to the admin (me) about the message for me to check out.
This works great, although our addresses receive about 10 infected messages a week.
Being able to warn others about their computer being infected may not help you, as you know it is, but others, so they can clean up and stop spreading.
It depends on the purpose of the virus..
I also find it sickly humorous that the Symantec rep. is talking about how we all understand the need for email filtering these days, however at least in some cases (if not all), Symantec's email filtering software (the gateway version) couldn't block SirCam and let it right into our network.
Luckily, all these years of pounding "don't open attachments" actually does have an effect (only one user opened it) and also the desktop software was able to catch it.
All these things (such as viruses and security patches) require too much time & resources to keep up with for too many small-company IT departments. I don't justify the spread of these things, but I do understand how it can happen.
I wouldn't say that it flopped.
In the first week of the SirCam virus, my network received over 300 viruses a day. This past week has tapered down to about 30-50 a day. As we speak, my cell phone just received 2 more alerts from the mail server blocking the virus.
I still believe that we as IT professionals have done a very poor job in stopping the spread. Myself included. We have not educated our users in a way that is needed.
When people are hired they should have a document that they need to read and sign alerting them to viruses. All mail servers must have extension filtering on them. Admins need to keep up on the latest threats. (The latest is the PDF threat; this should be fun.) And we need to keep our users informed of the latest threats.
We need to act responsibly when confronted with these threats. Unlike one network admin who just cut off all e-mail access until the threat passes.
Maybe I'm just cynical and self-righteous. I know that we can do more to combat these threats.
But to think that this round was won by us, well that is plain ignorance. Sorry.
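The extension filtering the poster above calls for is worth showing concretely, because a naive check on the last three characters misses what SirCam actually sent: a stolen document whose real extension was kept and an executable one appended (report.doc.pif, budget.xls.lnk and the like). The block below is an added example and not any poster's or vendor's code. Its denylist, the `check_attachment` function and the sample filenames are this example's own assumptions; it also handles the padding trick of burying the real extension behind a run of spaces.

```python
"""Attachment filename policy for a mail gateway (added example, hypothetical code).

Blocks attachments whose effective extension is something Windows will execute on a
double-click, and reports the double-extension pattern used by SirCam separately so
the admin's alert says why the message was held.
"""

# Extensions that run when opened. A defender's denylist; extend to taste.
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "lnk",
    "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
}
# Harmless-looking extensions a worm puts in front of the executable one.
DOCUMENT_EXTS = {"doc", "xls", "txt", "pdf", "zip", "jpg", "gif", "mpg", "mp3"}


def check_attachment(filename):
    """Return (allowed, reason) for one attachment filename.

    Normalisation mirrors what Windows does before it decides how to open a file:
    case is ignored, trailing dots and spaces are dropped, and whitespace padding
    between a fake extension and the real one is stripped.
    """
    name = filename.strip().lower().rstrip(". ")
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or not parts[-1]:
        return True, "no extension"
    exts = parts[1:]
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return False, f"double extension .{exts[-2]}.{last}"
        return False, f"executable extension .{last}"
    return True, f"extension .{last} allowed"


def filter_attachments(filenames):
    """Split a list of attachment names into (allowed, blocked_with_reason)."""
    allowed, blocked = [], []
    for fn in filenames:
        ok, reason = check_attachment(fn)
        (allowed if ok else blocked).append((fn, reason) if not ok else fn)
    return allowed, blocked


# Constructed sample names, not real captured attachments.
SAMPLE_FILES = [
    "quarterly.xls",
    "quarterly.xls.pif",
    "setup.EXE",
    "readme",
    "photo.jpg                         .scr",
    "notes.TXT.",
]

if __name__ == "__main__":
    ok, held = filter_attachments(SAMPLE_FILES)
    for fn in ok:
        print(f"pass  {fn!r}")
    for fn, why in held:
        print(f"HOLD  {fn!r}: {why}")
```

The reason string is what you would put in the admin alert the first poster describes, so that "double extension .xls.pif" stands out from an ordinary blocked installer. Held messages should go to a quarantine the admin can review rather than being bounced, for the same reason the article gives about notification traffic.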