Security Watch

Opinion: Overblown Malware Threats: The New Reality?

Hype might make for good news but bad security policies.

Three times in the last month we've had the world put on alert over a perceived threat from some malware. First there was the scramble between Christmas and New Year's over the .WMF exploit. Next was the doom and gloom surrounding Jan. 6 when Sober was expected to download new code. Finally, last week's debacle about CME-24, aka W32.VirusWithTooManyAliasesToRemember @mm-deletesmillionsoffiles (Nymex, Grew, myWife, whateverelseyoucanthink
tocallitinapressrelease).

What is the world coming to? Could it be that anti-virus companies are very concerned over the marketing campaigns of the likes of AOL and Earthlink, who both tell consumers they never need to worry about security concerns again? (I'll leave the joke about Earthlink believing in fairy tales alone for now.)

There's nothing new to fear-mongering by anti-virus companies...almost 14 years ago to the day the world was in a tizzy over another world-destroying virus -- namely the Michelangelo virus. John McAfee estimated that 5 million computers worldwide were infected with the virus, which purported to destroy files on Michelangelo's birthday, March 6. Interestingly, the Washington Post reported that past scares about viruses often had proven to be overblown. When March 6 finally arrived, John McAfee was quoted by Reuters as "estimating 10,000" systems had been infected; clearly not the 5 million he was saying were infected earlier in February. It seems nothing changes over time.

Worldwide disruptive malware events aren't a myth; Blaster and SQL Slammer really did occur and really did have a significant impact on the world's computing environment. Neither, however, came with much if any warning or predictions of the dire consequences that actually occurred.

There is, however, little rocket science involved in determining whether or not something is, or has the capacity to, become such an earth-shattering malware event. Consider the following facts about CME-24:

  1. It did nothing new. That alone makes it a very attractive loser to basic heuristic anti-virus scanning and standard e-mail filtering best practices.
  2. It used a heavily abused file type for the attachment. Similar to No. 1, but also add the fact that the only people likely to double-click on it are people who've probably double-clicked on such before. If you're smart enough to know not to double-click on a .PIF, then you won't double-click on this one either.
  3. Its social engineering was non-stellar. I won't try to suggest "good social engineering techniques" -- dumb malware authors don't need such training from me. Suffice to say that CME-24 had nothing to offer that would've taken the average cautious person into the realm of being less cautious.
  4. Its "seeding" was nothing special. The "seeding" of malware is the method by which it gets its initial spread, often via newsgroups or pre-existing bot-controlled systems. Some malware is deposited in hundreds or thousands of newsgroups at the same time in the hopes of catching many people unaware...CME-24 wasn't.

Need I go on? Taking these four facts alone, worldwide disruption isn't going to happen. So why the media frenzy?

Well, that's pretty easy. I won't get bogged down in motives and such, but just consider the following three tidbits thrown at the media:

  • Every infected system "touches" a Web counter, and that Web counter is in the millions already!
  • This malware is unlike other recent malware -- it attempts to destroy, not make money!
  • It's got a trigger date, and on that date it will go and delete all of the files it can find of a certain type...and those types are business documents!

Well, gee, that's gotta be worth a story or two. Millions of systems infected, and a way to keep counting as that number goes up...gee, I can see a series of articles out of this one...and wow, business documents destroyed...perfect! Businesses are my prime audience!

The combination was just too tempting, both for many security companies and the media alike. I absolutely loved the fact that one company went and analyzed the Web counter traffic (what a way to spend your resources): "Hmm, naw, that couldn't be from a legitimate victim, it must be someone trying to inflate the counter...but this other stuff...yeah, that's gotta be real victims there!" Seems they really didn't get any of the four obvious facts if they were willing to devote resources to such a filtering exercise.

Now, I've been saying that CME-24 wasn't going to do anything since the day it was announced. Am I brilliant? Or could it just be that we, Cybertrust, aren't that desperate for the business some others figure they'll get with their analysis (or lack thereof)?

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

Either way, CME-24 cost businesses the world over considerable unnecessary expense. They raced around following stories, asking questions, backing up data, running anti-virus scans unnecessarily and generally panicking over the hype that was constantly being pushed in their faces. Some security vendors sought to assuage those concerns by telling them that their diligence was paying off -- someone even said that infected machines were being reduced in number by more than 10,000 a day..."because they were being cleaned!" Yeah, right! How the heck did they know the machine had been cleaned -- all they knew was that it wasn't sending out CME-24 any more (assuming it was actually sending it out in the first place). For what it's worth, many pieces of malware these days disrupt the functioning of other malware, so that if I stop sending CME-24, it doesn't mean I'm not now sending something else.

It's interesting to remember that back in 1992 these same explanations were offered for the Michelangelo non-event.

We, Cybertrust, believe we sell extremely valuable security analysis services, but anyone with a little common sense could've realized that CME-24 wasn't going to bite them. If your security product vendor was one of those claiming dire consequences, or suggesting quick and critical action due to CME-24, take a minute and e-mail them to find out why.

Let me know what they tell you.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular

SharePoint Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.