STLtoday.com

Washington U. professor offers a Sobig answer

08/24/2003


Like many people, I watched with a mixture of fascination and dread as the Sobig.F computer virus multiplied across the Internet.

Infected computers sent me more than 80 copies of Sobig on Tuesday before the Post-Dispatch's computer technicians could update our filtering software. In the next three days, the filters blocked 170 more copies that were headed my way.

In addition, I've had dozens of automated messages from network administrators who thought I was sending infected e-mails. The intended destinations were addresses I'd never heard of, including one in the United Arab Emirates. The problem is that Sobig disguises the return address of the messages it sends, picking up legitimate addresses like mine off the Internet.

I really shouldn't complain. Christopher Faulkner, president of a Web-hosting company in Dallas, tells me that he got 1,400 copies of Sobig. The deluge caused some corporate networks, including the one at Barnes-Jewish Hospital, to shut off access to outside e-mail.

MessageLabs, a British firm, said it found Sobig in one of every 17 e-mails that it scanned on Tuesday. The time that workers spent deleting unwanted messages, and waiting for legitimate e-mail to make its way through bogged-down servers, adds up to a huge loss in productivity.

Variants of the Blaster worm, which was unleashed a few days before Sobig, were even more destructive. They took down Air Canada's check-in system and caused delays on CSX Corp.'s railroad.

The existing technology for fighting such infections - mostly antivirus software - protects the Internet only if the software is installed and constantly updated by every single Internet user.

John Lockwood, assistant professor of computer science at Washington University, thinks he has invented a better virus-trap. It's a box, called a data enabling device, that filters out unwanted packets of information and can be reprogrammed in minutes to respond to a new threat.

Hardware is much better than software at protecting against viruses, Lockwood says. It can be deployed on the Internet backbone and at the gateway to each company's or university's network, rather than having to be installed on every end user's PC.

It also is much faster, scanning up to two gigabytes of information each second. Faulkner, president of CI Host in Dallas, said his virus-scanning software takes 3 seconds to scan a single piece of e-mail, and twice that long if it finds a virus. Because Sobig was causing such long delays, "we've had to turn off the virus scan and let the end user deal with it," Faulkner said.

Global Velocity, a small St. Louis company, is trying to commercialize Lockwood's invention. A handful of companies are marketing similar solutions, but Lockwood said his box has some key advantages: its speed and the ability to program it from a central site.

If Global Velocity's devices were deployed around the Internet when a new threat like Sobig was discovered, the company could update all of them within minutes. "It seems like a real waste of time to make the end user deal with the problems," Lockwood said. "We can cut the life of a virus from months to minutes."

Of course, you can't run out and buy one of these boxes to protect yourself from the next Blaster. Global Velocity is getting ready to release a beta, or experimental, version, and it expects to land its first contract next week from a government agency.

If anyone can find good news in the Sobig outbreak, it's an entrepreneur who's trying to convince the world that existing Internet defenses are woefully inadequate. "This reinforces everything we're trying to do," said Matt Kulig, president of Global Velocity. "It allows us to point out that current technology just can't deal with the threat."

E-mail: dnicklaus@post-dispatch.com
Phone: 314-340-8213
Radio report: 6:21 p.m. weekdays on KMOX (1120 AM)