Security Watch

Opinion: Overblown Malware Threats: The New Reality?

Hype might make for good news but bad security policies.

Three times in the last month we've had the world put on alert over a perceived threat from some malware. First there was the scramble between Christmas and New Year's over the .WMF exploit. Next was the doom and gloom surrounding Jan. 6, when Sober was expected to download new code. Finally, last week's debacle about CME-24, aka W32.VirusWithTooManyAliasesToRemember@mm-deletesmillionsoffiles (Nyxem, Grew, MyWife, whateverelseyoucanthinktocallitinapressrelease).

What is the world coming to? Could it be that anti-virus companies are very concerned over the marketing campaigns of the likes of AOL and Earthlink, who both tell consumers they never need to worry about security concerns again? (I'll leave the joke about Earthlink believing in fairy tales alone for now.)

There's nothing new about fear-mongering by anti-virus companies. Almost 14 years ago to the day, the world was in a tizzy over another world-destroying virus -- namely the Michelangelo virus. John McAfee estimated that 5 million computers worldwide were infected with the virus, which was supposed to destroy files on Michelangelo's birthday, March 6. Interestingly, the Washington Post reported that past scares about viruses had often proven to be overblown. When March 6 finally arrived, John McAfee was quoted by Reuters as "estimating 10,000" systems had been infected; clearly not the 5 million he had been claiming earlier in February. It seems nothing changes over time.

Worldwide disruptive malware events aren't a myth; Blaster and SQL Slammer really did occur and really did have a significant impact on the world's computing environment. Neither, however, came with much if any warning or predictions of the dire consequences that actually occurred.

There is, however, little rocket science involved in determining whether something is, or has the capacity to become, such an earth-shattering malware event. Consider the following facts about CME-24:

  1. It did nothing new. That alone makes it an easy catch for basic heuristic anti-virus scanning and standard e-mail filtering best practices.
  2. It used a heavily abused file type for the attachment. Similar to No. 1, but add the fact that the only people likely to double-click on it are people who've probably double-clicked on such things before. If you're smart enough to know not to double-click on a .PIF, then you won't double-click on this one either.
  3. Its social engineering was non-stellar. I won't try to suggest "good social engineering techniques" -- dumb malware authors don't need such training from me. Suffice it to say that CME-24 had nothing to offer that would've taken the average cautious person into the realm of being less cautious.
  4. Its "seeding" was nothing special. The "seeding" of malware is the method by which it gets its initial spread, often via newsgroups or pre-existing bot-controlled systems. Some malware is deposited in hundreds or thousands of newsgroups at the same time in the hopes of catching many people unaware...CME-24 wasn't.
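Points 1 and 2 rest on the "standard e-mail filtering best practices" the column alludes to: a mail gateway that simply refuses the handful of directly executable attachment types mass-mailers have abused for years stops a worm like this before any user gets the chance to double-click. The following script is an added illustration written for this page, not code from the column or from Cybertrust. It uses only Python's standard `email` library; the blocklist of extensions, the sample messages, and the filenames in them are constructed for the example and are not taken from CME-24 itself.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment types Windows runs directly on double-click. This list is an
# assumption for the example; a real gateway policy would be tuned locally.
BLOCKED_EXTENSIONS = {
    ".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".jse",
    ".wsf", ".wsh", ".hta", ".cpl", ".lnk",
}


def risky_extension(filename):
    """Return the blocked extension a filename ends in, or None.

    Whitespace is collapsed first so that padded names such as
    "invoice.doc            .pif" (padding pushes the real type off-screen
    in a mail client) are judged by their true, final extension.
    """
    name = "".join(filename.strip().lower().split())
    _, ext = os.path.splitext(name)
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_message(raw):
    """Parse one raw RFC 5322 message and return (filename, reason) findings
    for every attachment a gateway filter should reject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = risky_extension(fname)
        if ext:
            findings.append((fname, f"blocked attachment type {ext}"))
            continue
        # Second check: the name looks harmless, but the payload starts with the
        # 'MZ' header every DOS/Windows executable carries.
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            findings.append((fname, "executable payload (MZ header) behind a harmless-looking name"))
    return findings


def build_sample(filename, data, maintype, subtype):
    """Build a constructed test message with a single attachment."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = "Photos ;)"
    m.set_content("See attachment.")
    m.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("photos .scr", b"MZ\x90\x00", "application", "octet-stream"),
        build_sample("report.doc", b"MZ\x90\x00junk", "application", "msword"),
        build_sample("report.pdf", b"%PDF-1.4", "application", "pdf"),
    ]
    for raw in samples:
        print(scan_message(raw) or "clean")
```

Running the script prints one finding for the padded `.scr` name, one for the executable hiding behind a `.doc` name, and "clean" for the PDF. The extension check is what catches point 2 of the column; the MZ-header check is the cheap content-based backstop for the case where the sender renames the file, which is why gateways should apply both rather than trusting the filename alone.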

Need I go on? Taking these four facts alone, worldwide disruption isn't going to happen. So why the media frenzy?

Well, that's pretty easy. I won't get bogged down in motives and such, but just consider the following three tidbits thrown at the media:

  • Every infected system "touches" a Web counter, and that Web counter is in the millions already!
  • This malware is unlike other recent malware -- it attempts to destroy, not make money!
  • It's got a trigger date, and on that date it will go and delete all of the files it can find of a certain type...and those types are business documents!

Well, gee, that's gotta be worth a story or two. Millions of systems infected, and a way to keep counting as that number goes up...gee, I can see a series of articles out of this one...and wow, business documents destroyed...perfect! Businesses are my prime audience!

The combination was just too tempting, both for many security companies and the media alike. I absolutely loved the fact that one company went and analyzed the Web counter traffic (what a way to spend your resources): "Hmm, naw, that couldn't be from a legitimate victim, it must be someone trying to inflate the counter...but this other stuff...yeah, that's gotta be real victims there!" Seems they really didn't get any of the four obvious facts if they were willing to devote resources to such a filtering exercise.

Now, I've been saying that CME-24 wasn't going to do anything since the day it was announced. Am I brilliant? Or could it just be that we, Cybertrust, aren't that desperate for the business some others figure they'll get with their analysis (or lack thereof)?


Either way, CME-24 cost businesses the world over considerable unnecessary expense. They raced around following stories, asking questions, backing up data, running anti-virus scans unnecessarily and generally panicking over the hype that was constantly being pushed in their faces. Some security vendors sought to assuage those concerns by telling them that their diligence was paying off -- someone even said that infected machines were being reduced in number by more than 10,000 a day..."because they were being cleaned!" Yeah, right! How the heck did they know the machine had been cleaned -- all they knew was that it wasn't sending out CME-24 any more (assuming it was actually sending it out in the first place). For what it's worth, many pieces of malware these days disrupt the functioning of other malware, so that if I stop sending CME-24, it doesn't mean I'm not now sending something else.

It's interesting to remember that back in 1992 these same explanations were offered for the Michelangelo non-event.

We, Cybertrust, believe we sell extremely valuable security analysis services, but anyone with a little common sense could've realized that CME-24 wasn't going to bite them. If your security product vendor was one of those claiming dire consequences, or suggesting quick and critical action due to CME-24, take a minute and e-mail them to find out why.

Let me know what they tell you.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
