Gadi Evron wrote:

> As usual, CAIDA's people have done amazing work. I'd particularly like to highlight this para from the Conclusions section of their paper:
>
> However headlines such as 'File-destroying worm causes little damage' belie a major portion of the cost of viruses like Nyxem. How many hours of time were spent trying to identify and notify owners of infected computers? How many hours of system administrator time, professional or otherwise, were spent disinfecting compromised machines? While lost data may affect only a subset of infected computers, every infected machine must be repaired at significant temporal and monetary cost. Further, it seems unwise to downplay the effects of the virus while it continues to spread. Most antivirus products now protect against Nyxem, but without the media coverage and active mitigation attempts, computers infected in the future seem more likely to lose data as the worm deletes files on the third day of every month.

...and remind you all that, "way back when", CIH (the first, and IMNSHO almost only, virus whose payload was really worth being concerned about) had its biggest hit on the _second_ instance of its (date-based) payload triggering.

In CIH's case that was actually just slightly more than a year after it was discovered. There were variants with monthly (day-of-month) based payload triggers, but by far the single most common variant (the one that got a massive distribution kick from infecting the organized underground warez scene) had an annual, single-date trigger.

The international warez distribution channel, plus quite a few magazine cover CD distributions (all "tested virus free" of course, but don't get me started on that...) plus a few infected commercial software releases, all ensured that CIH had pretty much reached every corner of the globe by its first annual trigger date.
The ensuing failure to properly clean up after the small-ish hit of the initial BIOS-overwrite payload trigger date (and in many cases failure to improve quality assurance and system integrity management processes -- can we say "re-installing new machines from the same infected, pirated CDs/sources as caused the first machines to be trashed"?; yep, some folk _are_ that stupid) saw CIH's second "anniversary" produce a much larger hit, because it had a whole year to build up its infection base, rather than the likely few weeks it had between its initial release and first trigger date (we don't know the initial release date with any certainty, but given the pattern of infection on magazine cover CDs, a little can be inferred about its likely release).

Of course, despite being a very fast on-host replicator (being a fast-infecting, parasitic PE infector), normally CIH should have been a much slower _spreader_ than a mass-mailing Email worm like CME-24, as CIH had no deliberate distribution mechanisms and, perhaps luckily, it also could not infect the .EXE of the only binary self-mailer that existed at that time, Win95/Ska (aka "Happy99").

So, don't take "little apparent effect" from the "expected" payload hit of CME-24 as a "damp squib" -- hope like hell that means the efforts to mitigate its effects were successful, else next month we quite likely will have a great many more victims (though they may not be any more visible for all the reasons this month's lot are not publicly identified/identifiable).

I guess this might be an apposite point at which to wheel out that corny old aphorism about those who have forgotten [or failed to learn] the lessons of history, but as computer science in general, and comp-sec in particular, in its geek-oid rush to be at the bleeding edge of change seems to put so little value in teaching (or learning) its history, I expect the effect would be lost...

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092