The SirCam worm/virus has now crashed across the Internet and has pretty much taken its best shot at corporate e-mail servers. What is notable about this infection is not so much the complexity of the code but the response of corporate networks that shut this worm down as quickly as they did.

In this week’s From the Trenches, we’ll look at TechRepublic’s experience with SirCam and talk with a virus detection expert about what makes our response to the worm typical of the IT industry in general.

Does this sound familiar?
Perhaps as much as any industry on the Internet, TechRepublic depends a great deal on interaction with its membership (now approaching 2 million members). Like other organizations, our e-mail addresses are in the contact lists of members and customers around the globe.

With the spread of a virus/worm like SirCam—which essentially uses an infected user’s address book and its own little e-mail client to spread itself to the addresses in the infected user’s directory—any public company is likely to be a target of the next attack.

A couple of months after the LoveLetter virus struck, essentially knocking our operations offline for a day, we installed Trend Micro's VirusWall product on our e-mail servers.

A year later, that investment is looking better and better.

According to TechRepublic’s Exchange Server administrator Mike Laun, the application was able to filter out the worm on all of our incoming messages without one infection getting through. “The Trend VirusWall was extremely fast in getting the update,” Laun said. “I configured the servers to download the latest signature files at 8 A.M. every morning.”

VirusWall routinely eradicates a number of other viruses on a daily basis, which can sometimes create a lot of traffic.

“Part of the obligation of running virus software is to notify the sender that they sent us a virus, particularly in our business, where we communicate with our members,” Laun said. “What often happens, however, is that our system sends their system the notification, and that puts us back in their directory, perhaps with a different response address, and the virus picks up on the new address and sends the virus to us again. Our system then notifies them again, and sometimes the virus responds again and so on.

“These things create tons of useless traffic.”
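One way to damp the notification loop Laun describes is to limit how often the gateway notifies the same sender about the same virus, regardless of which of our addresses the infected message was sent to. The sketch below is an added example, not TechRepublic's or Trend Micro's code; the class name, the 24-hour cooldown, and the sample addresses and timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

COOLDOWN = timedelta(hours=24)  # assumed policy value, not from the article


class NotificationThrottle:
    """Send at most one notice per (sender, virus) pair per cooldown window."""

    def __init__(self, cooldown=COOLDOWN):
        self.cooldown = cooldown
        self._last_sent = {}  # (sender, virus) -> time of last notice sent

    def should_notify(self, sender, virus, when):
        # Key on the infected sender, not on our recipient address: the worm
        # may re-send to whichever reply address our notice exposed.
        key = (sender.strip().lower(), virus.lower())
        last = self._last_sent.get(key)
        if last is not None and when - last < self.cooldown:
            return False  # already told this sender recently; stay silent
        self._last_sent[key] = when
        return True


# Constructed detections: (timestamp, infected sender, our recipient, virus)
SAMPLE_EVENTS = [
    ("2001-07-25T08:05", "alice@example.org", "info@corp.example", "SirCam"),
    # Worm re-sends to the address our notification came from:
    ("2001-07-25T08:20", "alice@example.org", "noreply@corp.example", "SirCam"),
    ("2001-07-25T08:40", "alice@example.org", "noreply@corp.example", "SirCam"),
    ("2001-07-25T09:00", "bob@example.net", "info@corp.example", "SirCam"),
    # Same sender, different virus: worth a separate notice.
    ("2001-07-25T09:10", "Alice@Example.org", "info@corp.example", "I-Worm.Badtrans"),
    # More than 24 hours after the first notice: notify again.
    ("2001-07-26T08:30", "alice@example.org", "info@corp.example", "SirCam"),
]


def run(events, throttle=None):
    """Return the (timestamp, sender, virus) tuples that trigger a notice."""
    throttle = throttle or NotificationThrottle()
    sent = []
    for ts, sender, _recipient, virus in events:
        when = datetime.fromisoformat(ts)
        if throttle.should_notify(sender, virus, when):
            sent.append((ts, sender, virus))
    return sent


if __name__ == "__main__":
    for notice in run(SAMPLE_EVENTS):
        print("notify", *notice)
```

Six detections produce four notices here; the two suppressed ones are the re-sends that would otherwise keep the loop going.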

Luckily, SirCam hasn’t been as bad as other notable viruses, such as I-Worm.Badtrans or I-Worm.Hybris.B, Laun said.

There’s a reason SirCam flopped
TechRepublic’s experience is more common this year than last, according to Pat Martin, a development manager for the Symantec AntiVirus Research Center. Symantec is a major provider of antiviral and security software.

“From a corporate standpoint, SirCam is more under control because of the security in place,” Martin said. “Every IT manager right now is well aware of the filtering capabilities for e-mail servers and gateways.”

Two years ago, filtering software was seen as simply a cool technology that would be nice to have but was difficult to justify without more financial data.

“AV software, or any kind of security software, is seen as an insurance policy,” Martin said. “One of the hard things with that is how do you measure how much you save if nothing ever happens?”

That changed last year when the LoveLetter virus rocked the world.

“Companies were actually able to make a dollar figure as to how much it cost in downtime, how much in lost productivity, Internet bandwidth, etc.,” Martin said. “Once they saw those numbers, they realized it’s a very small investment, not only in the software but managing the software without much more effort than they are doing now.

“They’re reaping the additional benefits of not having to worry about these kinds of attacks. I think the finance people in most corporations are sleeping better at night knowing that even though they are spending a little money up front, it’s going to pay off many times through the coming years.”

LoveLetter forced the issue of viruses to a higher corporate level than network administrators and IT managers, Martin said. Now, CEOs, CFOs, and CIOs understand what a virus can do—and that adds the support that admins need to justify protecting their networks.

How did you fare?

How did your filtering software work with SirCam? Do you even have filtering software? If you have antiviral software on your network, was it a hard sell to management? Send us a note or post a comment in the discussion below.