No immunity

Gavin, 22 August 03

The Washington Post reviews the past fortnight, in which we have seen two of the most vicious viruses yet causing widespread damage. Both Blaster (MSBlast) and Sobig target computers running Microsoft software, but even running Linux and using alternatives to Microsoft Outlook, nobody can be said to be unaffected by them.

Perhaps I have been complacent: almost all recent viruses have relied on transmission through Outlook, on scripting, and on the generally low priority given to security in Microsoft applications. As a Mozilla Mail [Thunderbird] user I can be fairly confident such attacks will not affect me. There are, however, other ways for viruses to propagate, as Blaster reminded us.

Blaster exploits a flaw in Microsoft's RPC implementation (the DCOM RPC vulnerability patched as MS03-026, reachable over TCP port 135), so it needs no email and no user action at all, and it has caused serious problems for those affected. The nature of the exploit means it could have been much, much worse, and no doubt there will be further attacks in a similar vein in the coming months. I do have good firewalling on both Windows and Linux, checking with the Gibson Research online testing tools to ensure the firewall is effective against current threats.

The other virus to hit has used the traditional mix of social engineering and executable attachments to entice users into opening them. These often have .pif file extensions, which could be confused with .pdf; a .pif (Program Information File) is executed by Windows as a program, so the malicious code runs on any Windows system whether or not Microsoft Office is installed or scripting is enabled. Sobig has been seen in over 5% of the emails monitored by MessageLabs (and since the Sobig emails carry attachments, this may well have been nearer 10% of mail bandwidth). The previous high was Klez, which even at its peak accounted for well under 1% of email traffic. The effect has been increased traffic across the board, disrupting mailing lists and other email even for users running Mozilla under Linux.
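The point above is that the attachment's final extension, not its apparent name or its declared content type, decides whether Windows will run it. The following is an added example (not code from the original post) of the check a mail gateway or client-side filter would apply: it parses a constructed, Sobig-style message and flags any attachment whose last extension Windows executes, regardless of what the Content-Type header claims. The sample message and the extension blocklist are assumptions for this example; a real deployment would use a fuller, maintained list.

```python
import email
from email import policy

# Extensions Windows executes directly, independent of Office or scripting settings.
# Assumed blocklist for this example, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js"}

# Constructed sample mimicking a Sobig-style message (not a real capture):
# one text body, one disguised executable, one genuine PDF.
SAMPLE_MAIL = """\
From: someone@example.com
To: user@example.org
Subject: Re: Your application
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached file for details.
--XYZ
Content-Type: application/pdf; name="your_document.pdf.pif"
Content-Disposition: attachment; filename="your_document.pdf.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""


def executable_attachments(raw_message: str) -> list:
    """Return one finding per attachment whose final extension Windows would execute.

    Only the last extension counts: 'your_document.pdf.pif' is flagged even though
    a casual reader sees '.pdf'. The declared Content-Type is recorded but never
    trusted, because the sender controls it.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        filename = part.get_filename()
        if not filename:
            continue  # inline body text with no filename
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append({
                "filename": filename,
                "extension": ext,
                "declared_type": part.get_content_type(),
                # More than one extension is the classic disguise (.pdf.pif, .doc.scr).
                "disguised": filename.count(".") > 1,
            })
    return findings


def should_quarantine(raw_message: str) -> bool:
    """Gateway decision: hold the message if any attachment is executable."""
    return bool(executable_attachments(raw_message))


if __name__ == "__main__":
    for finding in executable_attachments(SAMPLE_MAIL):
        print(finding)
    print("quarantine:", should_quarantine(SAMPLE_MAIL))
```

Note that the genuine notes.pdf passes while the .pdf.pif is caught, and that the catch would be the same if the attacker had labelled the part text/plain or application/pdf, which is why the decision keys on the filename Windows will act on rather than on the MIME type.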

Analysts have suggested that the different variants of Sobig have been released to work out a strategy for causing maximal disruption. With the current variant due to expire on September 10th, it is just possible that something worse is planned for next month, perhaps even timed to mark September 11th.

Even knowing that I will not be infected by Outlook viruses myself, I can be certain that the disruption they cause will be substantial. The best line of attack is defence: a safe mail client like Mozilla Mail [Thunderbird] and a good firewall (I use Kerio Personal Firewall) are a good start. These offer free and effective layers of protection, even if there is no immunity.