mailing list archives
Re: CAIDA analysis on CME-24/BlackWorm
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 07 Feb 2006 14:15:18 +1300
Gadi Evron wrote:
As usual, CAIDA's people have done amazing work.
I'd particularly like to highlight this para from the Conclusions
section of their paper:
However headlines such as 'File-destroying worm causes little
damage' belie a major portion of the cost of viruses like Nyxem. How
many hours of time were spent trying to identify and notify owners
of infected computers? How many hours of system administrator time,
professional or otherwise, were spent disinfecting compromised
machines? While lost data may affect only a subset of infected
computers, every infected machine must be repaired at significant
temporal and monetary cost. Further, it seems unwise to downplay the
effects of the virus while it continues to spread. Most antivirus
products now protect against Nyxem, but without the media coverage
and active mitigation attempts, computers infected in the future
seem more likely to lose data as the worm deletes files on the third
day of every month.
...and remind you all that, "way back when", CIH (the first, and IMNSHO
almost only, virus whose payload was really worth being concerned
about) had its biggest hit on the _second_ instance of its (date-based)
In CIH's case that was actually just slightly more than a year after it
was discovered. There were variants with monthly (day-of-month) based
payload triggers, but by far the single most common variant (the one
that got a massive distribution kick from infecting the organized
underground warez scene) had an annual, single-date trigger.
The international warez distribution channel, plus quite a few magazine
cover CD distributions (all "tested virus free" of course, but don't
get me started on that...) plus a few infected commercial software
releases, all ensured that CIH had pretty much reached every corner of
the globe by its first annual trigger date. The ensuing failure to
properly clean-up after the small-ish hit of the initial BIOS-overwrite
payload trigger date (and in many cases failure to improve quality
assurance and system integrity management processes -- can we say "re-
installing new machines from the same infected, pirated CDs/sources as
caused the first machines to be trashed"?; yep, some folk _are_ that
stupid) saw CIH's second "anniversary" produce a much larger hit,
because it had a whole year to build up its infection base, rather than
the likely few weeks it had between it's initial release and first
trigger date (we don't know the initial release date with any
certainty, but given the pattern of infection on magazine cover CDs, a
little can be inferred about its likely release).
Of course, despite being a very fast on-host replicator (being a fast-
infecting, parasitic PE infector), normally CIH should have been a much
slower _spreader_ than a mass-mailing Email worm like CME-24, as CIH
had no deliberate distribution mechanisms and, perhaps luckily, it also
could not infect the .EXE of the only binary self-mailer that existed
at that time, Win95/Ska (aka "Happy99").
So, don't take "little apparent effect" from the "expected" payload hit
of CME-24 as a "damp squib" -- hope like hell that means the efforts to
mitigate its effects were successful, else next month we quite likely
will have a great deal more victims (though they may not be any more
visible for all the reasons this month's lot are not publicly
I guess this might be an apposite point at which to wheel out that
corny old aphorism about those who have forgotten [or failed to learn]
the lessons of history, but as computer science in general, and comp-
sec in particular, in its geek-oid rush to be at the bleeding edge of
change seems to put so little value in teaching (or learning) its
history, I expect the effect would be lost...
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/