SoBig virus update

wsrp message

I only had 12 new Sobig.F messages overnight, so that is an improvement over the last two days, but, following the news about this is leading to some unpleasant conclusions.

One of the reasons why I am writing about this has to do with the fact that this is the first unabashed and unconcealed or unconcerned glimmering of what I considered to be the inevitable course of malicious and/or greed-based hacking back in 1999-2000 when I thought about these issues after having spent two years getting accustomed to working cross-platform. I was deciding then how to configure my own office.

In terms of malicious hacking, I worried about the blackout, but it has not proven to be a result of this kind of activity as terrorist tactic, yet. Unfortunately, if it was successful, it would not be discovered easily, so the jury is still out on that.

However, with the coincidence of MSBlaster and the .F variant of Sobig, we are seeing the first fairly clear evidence of widespread, indiscriminate, criminal hacking for profit. When I say this, I mean that we are seeing the first such efforts that seem fairly unconcerned about being successfully tracked down or which have arranged for prepared fall-guys to take the blame and do the time after having already banked their advance payments in secured accounts. This is not just paranoid speculation, it is the way the smartest people I talked to about it, would do it, if they were going to do it.

Regardless, paranoid delusions or not, the point is that the perpetrators appear to have the kind of grasp of how to successfully turn a profit on this stuff--by making it unavoidable, painful, not too-costly, and widely publicized. This means a lot of growth for the anti-virus, security community. If it were catastrophic, I would be worried about the skill and intelligence of the terrorists, not that I am not, but that's another issue. Based on the evidence, this is more parasitic than fatal. That is to say, it's a cash cow.

The last piece of the puzzle, for me at least, was the essentially re-useable nature of the Sobig core program, and the ability to succesfully forge source addresses without having to actually send from the individual's machine while not also completely bogging down the infected servers long enough to spread effectively. It will take quite a bit of work, and more profit of course, to require verification for source addresses, so this particular scam has a limited lifecycle, but the point is just that, it has a lifecycle, and the re-useability makes it clear that is simply going to milk us in the fine old tradition of planned obsolescence which plagues our entire economy, not just the software industry where it is so egregious.

That is also why I recommend to those irretrievably married to Windows servers that they skip the intervening, and endless, troubleshooting, hit and miss, measures. Get and keep a clean install. Wash all your data. and scrub you servers down to the metal and reinstall that clean install. And start negotiating with you outsourced security. It will have to hurt them, beyond simply losing your business, as much as it hurts you. If you are doing your own security, be paranoid.