Threat Report, 2002

Anti-virus and anti-spam service provider MessageLabs released its threat report for 2002. The company predicts the evolution path of malware for 2003 and details the biggest problems faced in 2002.

by Alex Goldman ISP-Planet Associate Editor [December 16, 2002]

Anti-virus and anti-spam service provider MessageLabs released its threat report for 2002, summarizing the malware that permeated the Internet during the past year, and extrapolating forward in time to predict the threats for the coming year.

MessageLabs is able to compile real-time statistics because its clients' mail is actually processed on MessageLabs' servers (to which client companies redirect their mail). While it does gather and publish these statistics, MessageLabs is careful to preserve its clients' anonymity. Currently, the company posts a daily virus summary on its VirusEye Web page; it plans to produce a similar statistical summary of spam in the future.

Anticipating future threats is not a mere academic exercise for the company, but a strategic necessity. MessageLabs' software not only catalogs details of known viruses, it uses artificial intelligence to ferret out new, unknown threats. For example, Mark Sunner, MessageLabs' CTO, told us earlier this year that his software has determined that spammers are more likely to put colored backgrounds on their e-mails than legitimate e-mail users. For the moment, a message with a colored background is considered likely to be spam.

MessageLabs claims it stopped 10 million viruses in 2002—one virus every three seconds. The company also says that the prevalence of virus infections rose to one in every 212 e-mails in 2002, up from one in every 380 in 2001.

Spectacular spam
MessageLabs highlighted two particularly malicious spam attacks from the past year. The first is the increasing prevalence of the "419" or "Nigerian" scam, in which someone claiming to have access to illegally obtained millions promises to share the loot. The recipient need only send a few thousand dollars to help move the money. The money, of course, never arrives. The threat report claims, "a recent report by the UK's National Criminal Intelligence Service stated that up to five Americans per day have been witnessed waiting in London hotel lobbies to meet people connected with the scam." MessageLabs says that if people are not warned about the scam, it could gross over $2 billion in 2003, becoming Nigeria's second largest industry (after oil).

The second spam epidemic noted in the threat report is called "FriendGreeting"; it is unusual because it is an application, not just a message. The "greeting" specifically warns its recipient what it is about to do (download mass mailing software that will take over the user's computer and send out spam) and then asks the user to click "OK" to accept it. Because it asks for permission, this viral spam is actually legal in most jurisdictions—it is within the letter of the law although it clearly violates the spirit of whatever e-mail marketing laws exist.

Noted Sunner, "The 'FriendGreeting' program preys on human ignorance. Technically, it's not spam, because you do opt in. However, we as a company take the view that you do not want it even if you think you want it, so we classed it as malicious and are stopping it for our customers. Some anti-virus companies said that it's not a virus so they do not have to stop it. We feel that it's simply human nature—people will click on it because they're curious."

The threat report further warns that in the future, spam will adopt the characteristics of a virus, carrying its own SMTP mailer, accessing address books in mail clients and sending mail to all the addresses there, and even checking a browser cache for e-mail addresses to which it might send spam.

Virulent viruses
Although the Klez virus was the most widespread virus in 2002, the authors of the threat report are more concerned with the number four virus, SirCam. That's because SirCam was released in 2001. "There's no excuse for getting SirCam," said Sunner. "If you keep your AV products up to date, you should not get SirCam infections."

Nevertheless, Sunner reported that SirCam remains a threat to all networks, even corporate networks. He said, "It's as if known viruses are being kept alive by a population of home users who take little or no precautions when accessing the Internet. Then, when a weak spot opens up in the corporate network, the virus gets in. It could be that someone acquires a new PC and there's a window of time before they install AV software. Maybe it's just that the IT guy is absent that day. From our perspective it validates our model, that networks require software that does not need to be updated constantly."

The folks at MessageLabs believe that as threats become more sophisticated, the traditional anti-virus software model, which requires specific "virus definitions," will be inadequate. The report touts the MessageLabs model. MessageLabs' product is described in greater detail in other articles here on ISP-Planet, as are many of the products that compete with it.

— End