Do any of you recall the last virus “outbreak”, way back in 2005? No? …What if I tell you it was an IRC bot which started out fairly slowly, infecting a major TV network in the process? Still probably not. If it weren't for a large number of calls from exceptionally panicked journalists that I fielded that day, I might have forgotten it myself.
It never generated the tsunami of inquiries from customers that usually came with new outbreaks. Perhaps traditional email virus outbreaks had become a relative non-issue in most people's minds. “Okay, strange email, don't click it.” Or…for those who clicked it: “Oops that was a virus, time to call IT.” A plan of action, however rudimentary, had been established in the minds of users and security people, based on a few relatively rough years full of outbreaks.
So when the VBMania virus outbreak hit, it seems that the lessons of the past held well. A large number of emails were generated, leading users to a malicious PDF file which in turn caused their computer to generate more malicious emails. Within a very short span, the website the PDF resided on was cleared of the file, so even though infected computers continued to spew email, they caused no further infections.
In some ways, this is an encouraging sign. People behind the scenes were able to neuter the threat quite quickly. Lines of trust and communication have been well established between researchers and many ISPs, so that it no longer takes days or weeks of battling to get things cleaned up. In other ways, this is quite frustrating. It shows us the weak link in the chain which technology cannot reach.
This same weak link has been noticed in other types of malware threats. There are certain ways in which malware has gotten incredibly advanced. Complexity of polymorphism, tenacity once on the system, stealthiness of the malware: these things have all increased to an astounding degree. But the techniques used to get on a system in the first place have changed very little. There is very little return on investment to create the newest, most complicated vulnerabilities when the promise of sexy pictures or a years-old vulnerability will do the trick quite nicely.
You can't force Grandpa to quit using System 9 if his machine can still limp along, or corporations to quit using that ancient niche-market software which only works on Windows 98. And you can't create a filter to screen out human gullibility, any more than you can stop people from trying to profit off the backs of others. We can't expect it to stop as long as there is money to be made, so we will always need to react to their new threats to some degree.
In short, this outbreak illustrates that the job of security software is to minimise the damage of our own efforts to shoot ourselves in the foot when malware authors offer us a loaded gun.