All day today I’ve been receiving W32/Sobig.f@mm-related emails. This is another nasty attachment-based email virus that spreads through the thoughtless clicks of unwitting email readers. I’m not trying to be condescending; I can’t really, since I’ve been the victim before. Once upon a time I received an email containing some pictures of an attractive tennis player from an equally famous Media Lab professor. I couldn’t help but wonder what it was all about. I learned my lesson on that one (I ended up infecting my mom, among others).
These email viruses are social viruses, depending on real human networks to propagate. Since they typically come from trusted sources, they have the necessary believability to make users take action. They have decreased in popularity substantially over the past couple of years thanks to the collective browbeating of IT professionals worldwide who have educated us on the topic. Most email users now know not to trust anything that comes from their friends. So how is it that the W32/Sobig.f@mm virus is having such success? What differentiates it from its ancestors?
As Lockergnome reported, many of these are coming from technical email addresses. As the McAfee profile of W32/Sobig.f@mm describes, this is because addresses are being selected at random from the host machine’s cache. These could be other friends’ email addresses, or more specifically those collected from web pages the host machine has visited. One popular website that has an email address happens to be Blogdex, of which I am the sole proprietor. And, as one might expect, the Blogdex email address has been selected as the forged sender for a number of these viruses. Since the beginning of the day I’ve received bounced/quarantined emails from about 40 different servers claiming to have been sent from me. Of course I don’t use Outlook, nor have I ever sent an email as Blogdex; it’s simply an address that is sitting in the cache of hundreds of thousands of machines around the world.
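A defender’s way to triage the bounces described above, as an added example that is not part of the original post: it parses constructed bounce notices, reads the first Received hop of the quoted original message, and flags notices where our address appears as sender on mail that never passed through our own mail host. The domain example.org and the outbound host mail.example.org are assumed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.org"                 # constructed placeholder for our domain
OUR_OUTBOUND_HOSTS = {"mail.example.org"}  # constructed: the only hosts we send from

# Constructed bounce notices; the quoted original's first Received: hop shows
# which machine really injected the message.
SAMPLE_BOUNCES = [
    """From: MAILER-DAEMON@mx1.example.net
Subject: Undeliverable mail

Received: from dialup-42.isp.example.com ([198.51.100.42])
From: blogdex@example.org
""",
    """From: postmaster@mx2.example.net
Subject: Delivery failure

Received: from mail.example.org ([192.0.2.25])
From: blogdex@example.org
""",
    """From: MAILER-DAEMON@mx3.example.co.uk
Subject: Quarantined: virus found

Received: from cable-17.home.example.net ([203.0.113.17])
From: blogdex@example.org
""",
]

def classify_bounce(raw):
    """Return (quoted sender, injecting host, backscatter?) for one notice."""
    body = message_from_string(raw).get_payload()
    sender = re.search(r"^From:\s*(.+)$", body, re.M)
    hop = re.search(r"^Received: from (\S+)", body, re.M)
    addr = parseaddr(sender.group(1))[1] if sender else ""
    host = hop.group(1) if hop else ""
    # Our address on a message that never touched our MTA: a spoofed sender.
    spoofed = addr.endswith("@" + OUR_DOMAIN) and host not in OUR_OUTBOUND_HOSTS
    return addr, host, spoofed

def summarize(bounces):
    """Map each spoofed address to the number of distinct servers reporting it."""
    reporters = {}
    for raw in bounces:
        reporter = parseaddr(message_from_string(raw)["From"])[1].split("@")[-1]
        addr, _host, spoofed = classify_bounce(raw)
        if spoofed:
            reporters.setdefault(addr, set()).add(reporter)
    return {addr: len(hosts) for addr, hosts in reporters.items()}
```

The second notice is a genuine bounce of our own mail and is left alone; the other two are counted as backscatter from two different reporting servers.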
I’ve been conditioned not to trust my friends, as well as to be suspicious of any attachments. But of course there are some circumstances in which I will open an attachment (as I do every day). I use the powers of context to decide for each and every attachment that the content of the attachment is not a virus. For most files I receive, I can assume a high level of contextual description, e.g. some reference to the project it’s associated with or names of other people working on it. Not enough context, BLAMO! Virus-be-gone.
The key to W32/Sobig.f@mm’s success is a different kind of trust: trust in authority. Instead of coming from my friends, W32/Sobig.f@mm originates (in some cases) from the email address of a popular website. That website’s address was sitting in my friend’s cache, and since most of my friends tend to read the same subset of the web that I do, the address is probably familiar. These are big, powerful email addresses like firstname.lastname@example.org, email@example.com or (oof) blogdex[at]media.mit.edu. Even though people know not to open attachments, the authority of that email address throws an exception in their brains and thus the virus is propagated. It’s a new breed of virus, and it’s spreading like crazy.
Of course after another few months of IT castigation, the email world will return to normal. But this is an arms race between email virus authors and the pattern recognition in all of our brains. For every patch that a network administrator makes by slapping our wrists, someone is engineering more and more sophisticated techniques for bypassing our preconceptions. Before long they will be taking advantage of more personal information, referring to meetings we’ve attended, projects we’re working on, or even our personal interests. Maybe then we’ll revert back to the tried and tested snail-mail system. Try and hack that!