Do you remember the last time you read something like this: "The countdown to the next Sober worm attack reaches zero Thursday afternoon in the U.S., but some analysts say they've seen clues that show hackers have been scared off their intended infection campaign."
Do you remember the security alert put out two months ago by the Bayerisches Landeskriminalamt in Munich?
I had to read the sentence about "hackers being scared off" a few times to make sure I'd got it right. That means their malicious plans were foiled. The latest Sober worm did not cause devastating problems. The combined efforts of the world's most-powerful software company, tens of thousands of vigilant IT customers, hundreds of security organizations, and an unknown but substantial number of law-enforcement agencies seem to have given the loathsome bastards a good swift kick in the ass, forcing them back into their rat holes to plot their next caper.
Can we score one for the good guys?
Do you believe in miracles?
Is this a sign that the, uh, worm has turned?
In his excellent coverage of the countdown to the scheduled release of the Sober.z worm, my TechWeb colleague Gregg Keizer delivered regular updates on the situation throughout the week, but the one that really grabbed my attention was one in which he wrote the sentence near the top of this column about hackers being "scared off." That dispatch from Keizer also included the following:
OTHER VOICES Is 37signals the new Google? What am I, a psychic? How the heck should I know? I don't know whether 37signals will grow from the plucky little startup it is today to become a multibillion-dollar world-shaking powerhouse. But 37signals does have the zesty, refreshing flavor of a little company called Google, ca. 1998. 37signals demonstrates its spunkiness in its application suite available on the company home page, and further described in this podcast interview with co-founder Jason Fried."
-- Mitch Wagner, InformationWeek blog, Jan. 4
" 'The attack, if it comes, could come anytime after the afternoon and the evening of [Jan.] 5th,' said Ken Dunham, director of the rapid response team for Reston, Va.-based security intelligence gatherer iDefense. But Dunham, and others, aren't expecting much to happen today, or if users are lucky, in the days ahead.
" 'In November, there were five different Trojans seeding Sober,' said Dunham. 'But we've not seen any Trojans in the run-up to today. That might mean the attacker or attackers are lying low.' "
Wait a minute--this isn't how these things are supposed to work, is it? Isn't our experience nothing more than a long and frustrating history of disturbing but seemingly inevitable incidents in which the criminals who create these types of destructive software do their dirty work while the rest of us brace for the worst, clean up the mess, and hope that somehow our systems might be spared next time? So what "scared off" the loathsome bastards? What caused them to spend the last few days "lying low"?
One factor could be the escalating involvement of law-enforcement agencies as they come to understand more clearly not only the massive damage these attacks can cause to businesses and individuals, but also the increasingly vigorous role local and national law enforcement must play in combating what is becoming a global network of very organized cybercrime. Let's go back two months to the work noted above by the German police in Munich, as detailed by the ubiquitous Mr. Keizer:
"One other aspect sets these editions apart from past Sober variations. Late Monday, apparently before the appearance of the three new Sobers, police in Bavaria, a southern German state, warned of an attack expected Tuesday. The alert was the result of a yearlong investigation, said the press release issued by the Bayerisches Landeskriminalamt in Munich. No additional details, said the police, would be issued at this time.
" 'The German police may know something,' theorized [Shane Coursen, a senior technical consultant with Moscow-based Kaspersky Labs], 'or it could have been based on, let's say, another branch of the German government being hit earlier than other victims by this one Sober.' "
Another factor, less dramatic but no less significant, could be that many millions of end-users around the world are finally getting wise to the "social engineering" tricks that the cybercriminals use to launch the worms. As Microsoft wrote in a posting about Sober.z on its site last week, "The worm tries to entice users through social engineering efforts into opening an attached file or executable in E-mail. If the recipient opens the file or executable, the worm sends itself to all the contacts that are contained in the system's address book."
Maybe that's the miracle we all need to believe in: that it actually is possible to get through the heads of employees that playing the sucker to such tricks can be disastrous. And maybe more companies should make it a fireable offense to open such attachments or executables--what's the policy at your company?
And not to be left out as the hearty handclasps are passed around is Microsoft itself, which responded aggressively to another security threat last week by releasing the patch for the zero-day Meta File vulnerability five days ahead of schedule. TechWeb's Keizer filed a story about the patch that included this comment from Microsoft: "Microsoft's monitoring of attack data continues to indicate that the attacks are limited and are being mitigated both by Microsoft's efforts to shut down malicious Web sites and with up-to-date signatures from antivirus companies."
Hmm. Malicious Web sites being shut down (go, HoneyMonkeys!!). Greater cooperation from antivirus companies. Patches released ahead of time. Police involvement. More communication and collaboration. More awareness among users. More action. More results.
More loathsome bastards being scared off and lying low in their rat holes.
Do you believe in miracles?
To discuss this column with other readers, please visit John Soat's forum.
To find out more about Bob Evans, please visit his page.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.