2007-10-01
Abstract
'Why is the number of malicious attachments decreasing - and why shouldn't I be happy about it?' Paul Dickens, Institute of Physics Publishing.
Copyright © 2007 Virus Bulletin
Most users of email will know that the spam problem just keeps on getting bigger, yet the number of computer viruses received as attachments in email is decreasing. What's not so obvious is that the threat of computer viruses is as prolific as ever - it's just not as common to see viruses arriving as email attachments, and for some end-users this promotes a false sense of security.
Within my own corporate environment, we are finding fewer malicious programs being received as attachments than previously, whilst the volume of spam is increasing and new viruses are continuing to test the local desktop protection. So where are the viruses coming from?
During December 2005 we saw vast numbers of malicious attachments in email. In an organization of 400 mailboxes there were 90,000 unwanted malicious attachments per week. I admit that this was an unusually high number, probably caused by a variant of an email worm such as Sober, but in the preceding months 40,000 malicious attachments per week was common. Today, the number of malicious attachments has dwindled to a fifth of what it was then, and the number is still decreasing. So, why is that number decreasing - and why shouldn't I be happy about it?
I know that the anti-virus program used at the mail gateway of my organization is effective, because secondary levels of detection are in place to catch anything it misses (any technology that uses a signature-based strategy demands layered security). The educated assumption, therefore, is that the malware is increasingly hidden from the email scanner through the use of URL links in spam messages. But why is this still a problem if we can catch spam and quarantine it?
I have worked closely with an anti-spam vendor and I know that recipients of email want access to their spam. Providing your users with the ability to search for legitimate email held in spam quarantine is sensible: it reduces the demand on IT support staff, since they do not have to search masses of spam for a lost message (the user can do so themselves), and it builds the users' confidence in the anti-spam solution as they can see that spam is being blocked.
However, providing the user with the ability to search their own quarantine also poses a risk. A user may release a malicious email from their quarantine area, believing it is legitimate. Spoofed email addresses are everyday stuff and ambiguous links within messages present a real threat.
Of course, one way of protecting against malicious downloads would be to filter out and remove all spam found to contain URL links. This sounds reasonable enough, but false positive management would present a burden on IT support staff. We have found that the best answer - for our organization - is to prevent the threat at the door using active Internet behaviour scanning.
Previously we used a subscription service to detect suspicious URLs alone, but this presented windows of vulnerability and wasn't sufficient to block all malicious websites. Rather than allow the unknown content through, we block behaviour which can compromise the desktop before it reaches the end-user. By adopting this policy we are able to supplement signature-based technology and remove the window of vulnerability.
This allows our users to browse relatively freely whilst providing a robust security strategy. Even when some functionality of a site is considered risky and removed, the user is able to read the text without downloading risks to the desktop and in that sense it's less restrictive and safer for the business.
Today's use of the Internet requires the adoption of a security policy to detect incoming behaviour; however I am also keen to see improvements to anti-virus products for email gateways. Although we can use web security to check content on demand, it would be preferable to segregate the malicious email from the spam quarantine area and prevent it from reaching the user's spam management service. No doubt this is easier said than done - it's difficult to imagine a solution without having to launch the link within the email, identify the threat and remove it - but a solution by Christmas would be nice.
