One interesting thing about being a columnist with a publicly known email address is that my Inbox is a pretty good barometer of how well people are implementing antivirus solutions. In the case of this month's Sober.P worm attack, the answer is "not very well."
Since the beginning of May, I've received about 4000 messages spawned by this attack. The messages are easy to spot--the subject line is in German. (That German subject line also helped my antispam software catch the messages.) At one point this month, antivirus vendor Sophos estimated that the Sober.P worm was generating 5 percent of all email traffic on the Internet. The implication is that tens of thousands of users must have been caught by this attack. Given my own experience, I'd say that a large portion of those users are in the corporate world because I was receiving the spam primarily on my business email accounts with almost no hits on my less well-known personal email account.
IT personnel need to step up their antivirus and antispam methods, but unfortunately, that job is becoming more difficult. During the past few weeks, two attacks that use IM systems gained prominence--one a straightforward phishing attack over Yahoo Messenger and the other a more subtle Trojan horse attack that uses AOL Instant Messenger (AIM).
The Yahoo attack pops up a message that attempts to entice users to go to a Web site that hosts Star Wars-related games. The site then prompts the user to enter his or her Yahoo credentials. This attack is strictly a social engineering one--the user must be a willing participant, giving up the requested information.
The AIM attack arrives as a message from someone on the recipient's AIM buddy list, mentioning a funny video on the Web and giving a link to that purported video. When the recipient clicks the link, the worm installs itself on that person's machine and sends itself to every user on that computer's AIM buddy list. The worm also connects the infected machine to a public Internet Relay Chat (IRC) server. Antivirus vendors report that the worm could potentially open an infected machine to remote access.
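As an added example, not part of the original column and not tied to any particular IM product or antivirus tool: the two behaviours just described (one account pushing the same link-bearing message to many buddies within a few minutes, and a workstation then opening an outbound connection to a public IRC port) are both visible in gateway logs and can be flagged with a few lines of Python. The pipe-delimited log format, the field names, the thresholds, the hostnames and the sample lines below are all assumptions constructed for the example.

```python
"""Flag IM accounts that fan out a link to many buddies, and hosts that reach IRC.

Detection example only; the log format and sample lines are constructed, not
taken from any real IM gateway or firewall.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IM gateway log: time|sender|recipient|message text
IM_LOG = """\
2005-05-10T09:00:01|alice|bob|hey are we still on for lunch?
2005-05-10T09:14:00|carol|dave|lol check this out http://example.invalid/funny.mov
2005-05-10T09:14:02|carol|erin|lol check this out http://example.invalid/funny.mov
2005-05-10T09:14:03|carol|frank|lol check this out http://example.invalid/funny.mov
2005-05-10T09:14:05|carol|grace|lol check this out http://example.invalid/funny.mov
2005-05-10T09:14:06|carol|heidi|lol check this out http://example.invalid/funny.mov
2005-05-10T10:30:00|bob|alice|sure, here is the doc link http://intranet.example/doc
2005-05-10T11:00:00|bob|carol|and the slides http://intranet.example/slides
"""

# Constructed outbound connection log: time|source host|destination ip|destination port
CONN_LOG = """\
2005-05-10T09:13:50|ws-carol|198.51.100.7|6667
2005-05-10T10:30:05|ws-bob|198.51.100.20|443
2005-05-10T10:45:00|ws-alice|198.51.100.21|80
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IRC_PORTS = {6667, 6697}  # plain IRC and the common IRC-over-TLS port


def parse_im_log(text):
    """Parse constructed IM log lines into (timestamp, sender, recipient, message)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, msg = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), sender, recipient, msg.strip()))
    return events


def find_fanout(events, min_recipients=4, window=timedelta(minutes=5)):
    """Return {sender: recipients} for senders that pushed the *same* link-bearing
    message to at least min_recipients distinct buddies within one time window.

    Grouping on the exact message text keeps ordinary link sharing (different
    messages to different people) out of the alert set.
    """
    by_key = defaultdict(list)
    for ts, sender, recipient, msg in events:
        if URL_RE.search(msg):
            by_key[(sender, msg)].append((ts, recipient))

    alerts = {}
    for (sender, _msg), hits in by_key.items():
        hits.sort()
        for i, (start, _r) in enumerate(hits):
            # every hit from position i onward that falls inside the window
            recipients = {r for t, r in hits[i:] if t - start <= window}
            if len(recipients) >= min_recipients:
                alerts[sender] = recipients
                break
    return alerts


def irc_connections(text):
    """Return the set of source hosts that opened a connection to an IRC port."""
    hosts = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, _dst, port = line.split("|", 3)
        if int(port) in IRC_PORTS:
            hosts.add(src)
    return hosts


if __name__ == "__main__":
    for sender, recipients in find_fanout(parse_im_log(IM_LOG)).items():
        print(f"fan-out: {sender} sent one link to {len(recipients)} buddies")
    for host in sorted(irc_connections(CONN_LOG)):
        print(f"irc: {host} opened an outbound IRC connection")
```

In the constructed data only `carol` trips the fan-out rule (five buddies in six seconds), while `bob`, who sends two different intranet links to two people, does not; the matching `ws-carol` IRC connection is the second signal an administrator would want to correlate before deciding whether the account's machine is infected rather than merely chatty.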
Businesses that use public IM services need to install as many software and hardware safeguards as possible and to thoroughly educate their users about the social-engineering aspects of these attacks. Users can become complacent about security when they presume their IT department is protecting them. Administrators need to remind users that the hand on the mouse is the final step in the chain of protection and that when faced with suspicious communications, clicking "delete" is the best choice.