Do you remember the last time you read something like this: "The countdown to the next Sober worm attack reaches zero Thursday afternoon in the U.S., but some analysts say they've seen clues that show hackers have been scared off their intended infection campaign."
Do you remember the security alert put out two months ago by the Bayerisches Landeskriminalamt in Munich?
I had to read the sentence about "hackers being scared off" a few times to make sure I'd got it right. That means their malicious plans were foiled. The latest Sober worm did not cause devastating problems. The combined efforts of the world's most-powerful software company, tens of thousands of vigilant IT customers, hundreds of security organizations, and an unknown but substantial number of law-enforcement agencies seem to have given the loathsome bastards a good swift kick in the ass, forcing them back into their rat holes to plot their next caper.
Can we score one for the good guys?
Do you believe in miracles?
Is this a sign that the, uh, worm has turned?
In his excellent coverage of the countdown to the scheduled release of the Sober.z worm, my TechWeb colleague Gregg Keizer delivered regular updates on the situation throughout the week, but the one that really grabbed my attention was one in which he wrote the sentence near the top of this column about hackers being "scared off." That dispatch from Keizer also included the following:
OTHER VOICES Is 37signals the new Google? What am I, a psychic? How the heck should I know? I don't know whether 37signals will grow from the plucky little startup it is today to become a multibillion-dollar world-shaking powerhouse. But 37signals does have the zesty, refreshing flavor of a little company called Google, ca. 1998. 37signals demonstrates its spunkiness in its application suite available on the company home page, and further described in this podcast interview with co-founder Jason Fried."
-- Mitch Wagner, InformationWeek blog, Jan. 4
" 'The attack, if it comes, could come anytime after the afternoon and the evening of [Jan.] 5th,' said Ken Dunham, director of the rapid response team for Reston, Va.-based security intelligence gatherer iDefense. But Dunham, and others, aren't expecting much to happen today, or if users are lucky, in the days ahead.
" 'In November, there were five different Trojans seeding Sober,' said Dunham. 'But we've not seen any Trojans in the run-up to today. That might mean the attacker or attackers are lying low.' "
Wait a minute--this isn't how these things are supposed to work, is it? Isn't our experience nothing more than a long and frustrating history of disturbing but seemingly inevitable incidents in which the criminals who create these types of destructive software do their dirty work while the rest of us brace for the worst, clean up the mess, and hope that somehow our systems might be spared next time? So what "scared off" the loathsome bastards? What caused them to spend the last few days "lying low"?
One factor could be the escalating involvement of law-enforcement agencies as they come to understand more clearly not only the massive damage these attacks can cause to businesses and individuals, but also the increasingly vigorous role local and national law enforcement must play in combating what is becoming a global network of very organized cybercrime. Let's go back two months to the work noted above by the German police in Munich, as detailed by the ubiquitous Mr. Keizer:
"One other aspect sets these editions apart from past Sober variations. Late Monday, apparently before the appearance of the three new Sobers, police in Bavaria, a southern German state, warned of an attack expected Tuesday. The alert was the result of a yearlong investigation, said the press release issued by the Bayerisches Landeskriminalamt in Munich. No additional details, said the police, would be issued at this time.
" 'The German police may know something,' theorized [Shane Coursen, a senior technical consultant with Moscow-based Kaspersky Labs], 'or it could have been based on, let's say, another branch of the German government being hit earlier than other victims by this one Sober.' "
Another factor, less dramatic but no less significant, could be that many millions of end-users around the world are finally getting wise to the "social engineering" tricks that the cybercriminals use to launch the worms. As Microsoft wrote in a posting about Sober.z on its site last week, "The worm tries to entice users through social engineering efforts into opening an attached file or executable in E-mail. If the recipient opens the file or executable, the worm sends itself to all the contacts that are contained in the system's address book."
Maybe that's the miracle we all need to believe in: that it actually is possible to get through the heads of employees that playing the sucker to such tricks can be disastrous. And maybe more companies should make it a fireable offense to open such attachments or executables--what's the policy at your company?
And not to be left out as the hearty handclasps are passed around is Microsoft itself, which responded aggressively to another security threat last week by releasing the patch for the zero-day Meta File vulnerability five days ahead of schedule. TechWeb's Keizer filed a story about the patch that included this comment from Microsoft: "Microsoft's monitoring of attack data continues to indicate that the attacks are limited and are being mitigated both by Microsoft's efforts to shut down malicious Web sites and with up-to-date signatures from antivirus companies."
Hmm. Malicious Web sites being shut down (go, HoneyMonkeys!!). Greater cooperation from antivirus companies. Patches released ahead of time. Police involvement. More communication and collaboration. More awareness among users. More action. More results.
More loathsome bastards being scared off and lying low in their rat holes.
Do you believe in miracles?
To discuss this column with other readers, please visit John Soat's forum.
To find out more about Bob Evans, please visit his page.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.