
Bugwatch: The real cost of SoBig

by David Emm

29 Aug 2003

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week David Emm, marketing manager at McAfee AVERT Labs, counts the cost of the recent spate of worm attacks and considers how to minimise the risk from future threats.

Last week's SoBig F worm has been labelled by many antivirus experts as the 'worst worm ever'.

Alarming statistics, estimating that between one in every 17 and one in every 29 messages contained the virus, were widely circulated by vendors.

SoBig is one of the most widespread threats we've seen, but in terms of damage it was relatively toothless. The sheer volume of traffic generated by the code caused the biggest headache.

Businesses were pretty much unaffected by this latest outbreak. Our risk assessment never rose above 'Medium' for the corporate world, and it had a lower impact than the Lovsan and Nachi worms that preceded it.

And, as inconvenient as this latest outbreak is, the associated costs appear to be relatively small.

So why has SoBig drawn so much attention? It is true that the number of infected emails has been high. However, this doesn't necessarily translate into actual infected machines.

Previous outbreaks, which infected fewer users than SoBig F, have incurred costs estimated in the billions of dollars. So why is the financial impact of SoBig expected to be substantially less?

There are usually four main associated costs for virus outbreaks: downtime, lost business, the cost of investing in new technology and wasted man-hours.

Since businesses were, in general, unaffected by the SoBig F outbreak, the costs were dramatically reduced, leaving the most significant financial impact on the consumer, where it was less noticeable.

SoBig F was a relatively insignificant threat for enterprise businesses, principally because most companies automatically screen for the .pif and .scr attachments that carry it. Like .exe files, .pifs and .scrs have no real reason to be allowed into a corporate IT environment.
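The gateway screening described above can be sketched as follows. This is an added example, not code from the article or from McAfee; the function names and the sample filenames are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article names as having no place in corporate mail.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe"}


def blocked_attachments(raw_message):
    """Return the filenames of MIME parts whose final extension is blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition and falls back to the
        # Content-Type "name" parameter; body parts return None.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, and only the last
        # extension decides how a double-clicked file is opened, so
        # "photo.jpg.scr" is judged as ".scr".
        cleaned = name.strip().rstrip(". ").lower()
        dot = cleaned.rfind(".")
        if dot != -1 and cleaned[dot:] in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filenames):
    """Build a constructed test message carrying one dummy attachment per name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for filename in filenames:
        msg.add_attachment(
            b"placeholder bytes, not a program",
            maintype="application",
            subtype="octet-stream",
            filename=filename,
        )
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample(["notes.txt", "Invoice.PIF", "photo.jpg.scr"])
    print(blocked_attachments(sample))
```

A filter like this decides on the declared filename only; it complements, rather than replaces, content scanning by an antivirus engine.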

But despite the media attention that these viruses now command, many consumers still seem to be ignoring the dangers. Effective and regularly updated antivirus is as crucial for home users as for businesses, especially with the increasing sophistication of viruses and worms and the use of spamming techniques.

But if this is an unmanageable task then perhaps managed antivirus is the solution. A number of internet service providers now offer virus scanning and managed services to take the responsibility out of the hands of the end-user.

Similarly, vendors have also turned towards managed antivirus to remotely protect a network from threats like SoBig F. This has proved useful for small companies lacking the resources for bolstering their IT environment from attack.

Home users and small businesses also need to recognise the importance of patching Windows flaws.

Education still plays a huge role. SoBig F was so successful at spreading because users double-clicked the infected attachment, which caused the worm to infect and spread. If the worm had reached corporate desktops, the implications could have been far more severe.

Antivirus vendors are becoming increasingly proactive with their methods of detection, and protection strategies - layering networks with antivirus, personal firewall, intrusion prevention and anti-spam software - mean that businesses can successfully secure themselves against Lovsan, Nachi, SoBig and the threats that will follow.

The costs of SoBig will become apparent as time goes on. Other, similar threats, or variants of the same SoBig threat, could carry a more damaging payload.

This is the sixth variant of the worm in the last six months, and the virus writers continue to experiment and perfect the code with each new attack.

A SoBig virus that erases precious data, gathers confidential data or steals passwords or credit card details from a victim's machine - to say nothing of successfully coordinating an attack across the internet - could give a future variant a bit more bite and leave businesses and consumers really counting the cost.

Do you agree?

 
