Truth About Computer Security Hysteria
MessageLabs CTO: 'our company is doomed!'
Rob Rosenberger, Vmyths co-founder
Sunday, 30 September 2001
MESSAGELABS SOMETIMES ISSUES an unbelievable press release. The British-based firm did it again last week to predict the Internet will die of a wasting disease by 2008. Viruses in email attachments are the cancer of the computing world, they announced.
THE PRESS RELEASE blatantly touts "[this] warning comes as MessageLabs stops its one millionth virus." Aha, now we see the real reason for this hysterical press release!
"The recent Nimda outbreak has prompted some industry commentators to say that the virus threat is overhyped. Don't believe a word of it... While the Internet will not collapse, it will certainly cease to be usable as a safe and credible means of communication for business and home users... Computer networks could grind to a halt because of the overwhelming volume of infected material circulating."
We at Vmyths do indeed think the virus threat is overhyped; so does The Register. Sunner's chutzpah merely proves our point. His hysterical prediction overshadows his firm's ability to protect clients. Take the Nimda virus, for example. MessageLabs flunky Alex Shipp emailed me on 19 September — the day after Network Associates urged a precautionary shutdown of the entire Internet — to brag how effortlessly his firm detected the virus:
"Nimda attempts to spread itself in so many different ways, that I would have been very, very unhappy if Skeptic [their flagship heuristic scanner] had not detected this... Skeptic detected three components of Nimda which caused it to immediately stop the virus. Two of these components were detected by the exploit detector. These were both exploits that had been published for a long time, and that had been used in previous malware. The third component was detected by the code analyser — Skeptic detected that the executable showed virus-like activity."
Why couldn't Sunner use this simple PR tactic? Why did he go so far as to predict the death of his own company?
Now, normally, I'd quote Shipp's email in an effort to highlight profile-based virus detection methodologies. Indeed, this column began its life as a thumbs-up to Skeptic's heuristic capabilities. My writing took a left turn only when Sunner wailed about the coming e-Rapture. (Shipp made roughly the same claim in August, but at least he didn't go on the offensive against his detractors.)
And I'd normally gloss over the fact Skeptic only detected Nimda three ways better than today's popular antivirus software. The savvy insider knows MessageLabs focuses on mass-mailing techniques used in viruses like Melissa and ILoveYou. I infer their heuristics didn't detect other obvious aspects of Nimda, and it leads me to believe Skeptic needs an upgrade. But like I said, I'd normally gloss over this minor shortcoming — because Skeptic didn't require an update to detect Nimda. If your antivirus product needed a patch, then you need a better antivirus product.
SUNNER WOULDN'T FEAR Vmyths or The Register if he behaved more like Shipp. He wouldn't fear us if he behaved more like Command Software or Sophos or Central Command or other low-key antivirus vendors out there. Instead, Sunner decided to follow in Steve Gibson's footsteps. But let's give Sunner credit where due. He turned my pro-MessageLabs column into an anti-MessageLabs slam. It takes an e-diot to snatch defeat from the jaws of victory...