Business Technology: Prep For Sober.z Sends Vermin Back Into Rat HoleBusiness Technology: Prep For Sober.z Sends Vermin Back Into Rat Hole

Do you remember when Al Michaels yelled "Do you BELIEVE in miracles?" when the U.S. hockey team beat the U.S.S.R. in the 1980 Olympics?

Do you remember the last time you read something like this: "The countdown to the next Sober worm attack reaches zero Thursday afternoon in the U.S., but some analysts say they've seen clues that show hackers have been scared off their intended infection campaign."

Do you remember the security alert put out two months ago by the Bayerisches Landeskriminalamt in Munich?

I had to read the sentence about "hackers being scared off" a few times to make sure I'd got it right. That means their malicious plans were foiled. The latest Sober worm did not cause devastating problems. The combined efforts of the world's most-powerful software company, tens of thousands of vigilant IT customers, hundreds of security organizations, and an unknown but substantial number of law-enforcement agencies seem to have given the loathsome bastards a good swift kick in the ass, forcing them back into their rat holes to plot their next caper.

Can we score one for the good guys?

Do you believe in miracles?

Is this a sign that the, uh, worm has turned?

In his excellent coverage of the countdown to the scheduled release of the Sober.z worm, my TechWeb colleague Gregg Keizer delivered regular updates on the situation throughout the week, but the one that really grabbed my attention was one in which he wrote the sentence near the top of this column about hackers being "scared off." That dispatch from Keizer also included the following:

" 'The attack, if it comes, could come anytime after the afternoon and the evening of [Jan.] 5th,' said Ken Dunham, director of the rapid response team for Reston, Va.-based security intelligence gatherer iDefense. But Dunham, and others, aren't expecting much to happen today, or if users are lucky, in the days ahead.

" 'In November, there were five different Trojans seeding Sober,' said Dunham. 'But we've not seen any Trojans in the run-up to today. That might mean the attacker or attackers are lying low.' " Wait a minute--this isn't how these things are supposed to work, is it? Isn't our experience nothing more than a long and frustrating history of disturbing but seemingly inevitable incidents in which the criminals who create these types of destructive software do their dirty work while the rest of us brace for the worst, clean up the mess, and hope that somehow our systems might be spared next time? So what "scared off" the loathsome bastards? What caused them to spend the last few days "lying low"?

One factor could be the escalating involvement of law-enforcement agencies as they come to understand more clearly not only the massive damage these attacks can cause to businesses and individuals, but also the increasingly vigorous role local and national law enforcement must play in combating what is becoming a global network of very organized cybercrime. Let's go back two months to the work noted above by the German police in Munich, as detailed by the ubiquitous Mr. Keizer:

"One other aspect sets these editions apart from past Sober variations. Late Monday, apparently before the appearance of the three new Sobers, police in Bavaria, a southern German state, warned of an attack expected Tuesday. The alert was the result of a yearlong investigation, said the press release issued by the Bayerisches Landeskriminalamt in Munich. No additional details, said the police, would be issued at this time.

" 'The German police may know something,' theorized [Shane Coursen, a senior technical consultant with Moscow-based Kaspersky Labs], 'or it could have been based on, let's say, another branch of the German government being hit earlier than other victims by this one Sober.' "

Another factor, less dramatic but no less significant, could be that many millions of end-users around the world are finally getting wise to the "social engineering" tricks that the cybercriminals use to launch the worms. As Microsoft wrote in a posting about Sober.z on its site last week, "The worm tries to entice users through social engineering efforts into opening an attached file or executable in E-mail. If the recipient opens the file or executable, the worm sends itself to all the contacts that are contained in the system's address book."

Maybe that's the miracle we all need to believe in: that it actually is possible to get through the heads of employees that playing the sucker to such tricks can be disastrous. And maybe more companies should make it a fireable offense to open such attachments or executables--what's the policy at your company?

And not to be left out as the hearty handclasps are passed around is Microsoft itself, which responded aggressively to another security threat last week by releasing the patch for the zero-day Meta File vulnerability five days ahead of schedule. TechWeb's Keizer filed a story about the patch that included this comment from Microsoft: "Microsoft's monitoring of attack data continues to indicate that the attacks are limited and are being mitigated both by Microsoft's efforts to shut down malicious Web sites and with up-to-date signatures from antivirus companies."

Hmm. Malicious Web sites being shut down (go, HoneyMonkeys!!). Greater cooperation from antivirus companies. Patches released ahead of time. Police involvement. More communication and collaboration. More awareness among users. More action. More results.

More loathsome bastards being scared off and lying low in their rat holes.

Do you believe in miracles?

To discuss this column with other readers, please visit John Soat's forum.

To find out more about Bob Evans, please visit his page.