Opinion: Overblown Malware Threats: The New Reality?
Hype might make for good news but bad security policies.
Three times in the last month we've had the world put on alert over a
perceived threat from some malware. First there was the scramble between Christmas
and New Year's over the .WMF exploit. Next was the doom and gloom surrounding
Jan. 6 when Sober was expected to download new code. Finally, last week's
debacle about CME-24, aka W32.VirusWithTooManyAliasesToRemember @mm-deletesmillionsoffiles
(Nymex, Grew, myWife, whateverelseyoucanthink
What is the world coming to? Could it be that anti-virus companies are very
concerned over the marketing campaigns of the likes of AOL and Earthlink, who
both tell consumers they never need to worry about security concerns again?
(I'll leave the joke about Earthlink believing in fairy tales alone for
There's nothing new to fear-mongering by anti-virus companies...almost
14 years ago to the day the world was in a tizzy over another world-destroying
virus -- namely the Michelangelo virus. John McAfee estimated that 5 million
computers worldwide were infected with the virus, which purported to destroy
files on Michelangelo's birthday, March 6. Interestingly, the Washington
Post reported that past scares about viruses often had proven to be overblown.
When March 6 finally arrived, John McAfee was quoted by Reuters as "estimating
10,000" systems had been infected; clearly not the 5 million he was saying
were infected earlier in February. It seems nothing changes over time.
Worldwide disruptive malware events aren't a myth; Blaster and SQL Slammer
really did occur and really did have a significant impact on the world's
computing environment. Neither, however, came with much if any warning or predictions
of the dire consequences that actually occurred.
There is, however, little rocket science involved in determining whether or
not something is, or has the capacity to, become such an earth-shattering malware
event. Consider the following facts about CME-24:
- It did nothing new. That alone makes it a very attractive loser to basic
heuristic anti-virus scanning and standard e-mail filtering best practices.
- It used a heavily abused file type for the attachment. Similar to No. 1,
but also add the fact that the only people likely to double-click on it are
people who've probably double-clicked on such before. If you're smart enough
to know not to double-click on a .PIF, then you won't double-click on this
- Its social engineering was non-stellar. I won't try to suggest "good
social engineering techniques" -- dumb malware authors don't need such
training from me. Suffice to say that CME-24 had nothing to offer that would've
taken the average cautious person into the realm of being less cautious.
- Its "seeding" was nothing special. The "seeding" of
malware is the method by which it gets its initial spread, often via newsgroups
or pre-existing bot-controlled systems. Some malware is deposited in hundreds
or thousands of newsgroups at the same time in the hopes of catching many
people unaware...CME-24 wasn't.
Need I go on? Taking these four facts alone, worldwide disruption isn't
going to happen. So why the media frenzy?
Well, that's pretty easy. I won't get bogged down in motives and
such, but just consider the following three tidbits thrown at the media:
- Every infected system "touches" a Web counter, and that Web counter
is in the millions already!
- This malware is unlike other recent malware -- it attempts to destroy,
not make money!
- It's got a trigger date, and on that date it will go and delete all of the
files it can find of a certain type...and those types are business documents!
Well, gee, that's gotta be worth a story or two. Millions of systems
infected, and a way to keep counting as that number goes up...gee, I can
see a series of articles out of this one...and wow, business documents destroyed...perfect!
Businesses are my prime audience!
The combination was just too tempting, both for many security companies and
the media alike. I absolutely loved the fact that one company went and analyzed
the Web counter traffic (what a way to spend your resources): "Hmm, naw,
that couldn't be from a legitimate victim, it must be someone trying to
inflate the counter...but this other stuff...yeah, that's gotta
be real victims there!" Seems they really didn't get any of the
four obvious facts if they were willing to devote resources to such a filtering
Now, I've been saying that CME-24 wasn't going to do anything since the day
it was announced. Am I brilliant? Or could it just be that we, Cybertrust, aren't
that desperate for the business some others figure they'll get with their analysis
(or lack thereof)?
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
Either way, CME-24 cost businesses the world over considerable unnecessary
expense. They raced around following stories, asking questions, backing up data,
running anti-virus scans unnecessarily and generally panicking over the hype
that was constantly being pushed in their faces. Some security vendors sought
to assuage those concerns by telling them that their diligence was paying off
-- someone even said that infected machines were being reduced in number by
more than 10,000 a day..."because they were being cleaned!"
Yeah, right! How the heck did they know the machine had been cleaned -- all
they knew was that it wasn't sending out CME-24 any more (assuming it
was actually sending it out in the first place). For what it's worth,
many pieces of malware these days disrupt the functioning of other malware,
so that if I stop sending CME-24, it doesn't mean I'm not now sending
It's interesting to remember that back in 1992 these same explanations
were offered for the Michelangelo non-event.
We, Cybertrust, believe we sell extremely valuable security analysis services,
but anyone with a little common sense could've realized that CME-24 wasn't
going to bite them. If your security product vendor was one of those claiming
dire consequences, or suggesting quick and critical action due to CME-24, take
a minute and e-mail them to find out why.
Let me know what they tell you.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.