by Tim Wilson

Service providers weigh role in virus control

Sep 03, 2003 | 4 mins
Enterprise Applications | Security

* How involved should service providers be in controlling viruses?

Just a week after being pounded by the destructive MSBlast worm last month, enterprises were hammered again when a new version of the Sobig virus hit the Internet. While IT organizations worked overtime to repair the damage and users wrestled with downtime due to the virus’ effects, both users and IT staffers were asking the same question: Isn’t there some way to outsource the virus control function?

The new version of Sobig, the fifth strain of a virus first released in January, is considered one of the most virulent mass-mailing viruses ever. “Sobig.F” infected hundreds of thousands of computers and sent millions of virus-carrying e-mail messages across the Internet, clogging home e-mail boxes and slowing corporate networks. As experts attempt to collect lessons from the virus, however, they are more interested in its genesis than in its effects.

According to industry reports, Sobig.F started on a home computer connected to a local ISP, Easynews, via a cable modem. The computer was hacked by an unknown user and an Easynews account was created with a stolen credit card, apparently for the purpose of uploading the virus. The virus was posted to the ISP’s Usenet newsgroup server, disguised as an adult photo, and then proliferated geometrically, using e-mail address books on PCs running Microsoft Windows.

In the wake of the virus, many IT staffers now are wondering whether something could have been done by the service provider – in this case, Easynews – to reduce Sobig.F’s impact before it spread to the Internet. In other words, is it possible to out-task the virus control effort to your ISP?

There are some steps a service provider can take to help identify and control a virus such as Sobig, which spreads via e-mail. First, the ISP can implement antispam filters that help to recognize unwanted e-mail and route those messages away from users. Such filters are normally used to detect junk e-mail, but they can be quickly adapted to identify malevolent e-mail once the parameters of the e-mail become clear.

Secondly, an ISP can serve as an “early warning system” to warn users of potential viruses. In the case of Sobig.F, the ISP could easily have warned its users of the presence of the virus, perhaps reducing the number of users who opened it. In other cases, such as the MSBlast worm, the ISP might have pointed users to the Microsoft Windows software patches that immunized many PCs before they were infected.

These are steps that a corporation might reasonably expect its service provider to take. However, due to financial and technical difficulties, the ability to implement virus detection and control software – long a responsibility borne by the end user – is unlikely to move to the ISP anytime soon.

The fact is that delivering virus control tools to each end user on an Internet service is just too expensive for most ISPs. Not only is there the cost of the software itself, but there is also the cost of maintaining the software with upgrades and patches designed to eliminate the latest threats. These costs would have to be passed on to the end user in the form of higher service charges, and most users – particularly consumers – are unwilling to pay them.

Even if an ISP did successfully implement virus-control software across its own network, it would have limited value because the Internet, by its very nature, is a multi-provider network. Unless all service providers deployed the same virus-control software across all of their networks, there would be too many vulnerabilities to make such an “outsourced” system worthwhile.

When it comes to virus control, then, the best that IT organizations can hope for is a close partnership with their ISPs. The ISP should do all it can to reduce the spread and impact of malevolent code across its network, but the responsibility for protecting the end station necessarily lies with the enterprise. Working together, the two groups cannot eliminate viruses, but they can alleviate the damage they cause.