Full Disclosure mailing list archives

Re: CAIDA analysis on CME-24/BlackWorm
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 07 Feb 2006 14:15:18 +1300

Gadi Evron wrote:

As usual, CAIDA's people have done amazing work.

I'd particularly like to highlight this para from the Conclusions 
section of their paper:

   However headlines such as 'File-destroying worm causes little
   damage' belie a major portion of the cost of viruses like Nyxem. How
   many hours of time were spent trying to identify and notify owners
   of infected computers? How many hours of system administrator time,
   professional or otherwise, were spent disinfecting compromised
   machines? While lost data may affect only a subset of infected
   computers, every infected machine must be repaired at significant
   temporal and monetary cost. Further, it seems unwise to downplay the
   effects of the virus while it continues to spread. Most antivirus
   products now protect against Nyxem, but without the media coverage
   and active mitigation attempts, computers infected in the future
   seem more likely to lose data as the worm deletes files on the third
   day of every month.

...and remind you all that, "way back when", CIH (the first, and IMNSHO 
almost only, virus whose payload was really worth being concerned 
about) had its biggest hit on the _second_ instance of its (date-based) 
payload triggering.

In CIH's case that was actually just slightly more than a year after it 
was discovered.  There were variants with monthly (day-of-month) based 
payload triggers, but by far the single most common variant (the one 
that got a massive distribution kick from infecting the organized 
underground warez scene) had an annual, single-date trigger.

The international warez distribution channel, plus quite a few magazine 
cover CD distributions (all "tested virus free" of course, but don't 
get me started on that...) plus a few infected commercial software 
releases, all ensured that CIH had pretty much reached every corner of 
the globe by its first annual trigger date.  The ensuing failure to 
properly clean up after the small-ish hit of the initial BIOS-overwrite 
payload trigger date (and in many cases failure to improve quality 
assurance and system integrity management processes -- can we say "re-
installing new machines from the same infected, pirated CDs/sources as 
caused the first machines to be trashed"?; yep, some folk _are_ that 
stupid) saw CIH's second "anniversary" produce a much larger hit, 
because it had a whole year to build up its infection base, rather than 
the likely few weeks it had between its initial release and first 
trigger date (we don't know the initial release date with any 
certainty, but given the pattern of infection on magazine cover CDs, a 
little can be inferred about its likely release).

Of course, despite being a very fast on-host replicator (being a fast-
infecting, parasitic PE infector), normally CIH should have been a much 
slower _spreader_ than a mass-mailing Email worm like CME-24, as CIH 
had no deliberate distribution mechanisms and, perhaps luckily, it also 
could not infect the .EXE of the only binary self-mailer that existed 
at that time, Win95/Ska (aka "Happy99").

So, don't take "little apparent effect" from the "expected" payload hit 
of CME-24 as a "damp squib" -- hope like hell that means the efforts to 
mitigate its effects were successful, else next month we quite likely 
will have a great deal more victims (though they may not be any more 
visible for all the reasons this month's lot are not publicly 

I guess this might be an apposite point at which to wheel out that 
corny old aphorism about those who have forgotten [or failed to learn] 
the lessons of history, but as computer science in general, and comp-
sec in particular, in its geek-oid rush to be at the bleeding edge of 
change seems to put so little value in teaching (or learning) its 
history, I expect the effect would be lost...

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
