Oxford (UK) – The warning that came yesterday from Sophos Labs – which has vaulted to a position among the world’s most respected security software providers – did not echo the story of the likelihood of 500,000 Windows computers infected by the Nyxem worm, repeated yesterday by local TV news and some technology press sources.
Instead, the company’s senior technology consultant, Graham Cluley, warned of something else entirely: the possibility that panic could end up causing more damage than the virus itself would have. So he advised, take it easy. “Sit down, have a cup of tea, and work out if you have done everything you should have done to ensure your computer isn’t at risk from the Nyxem worm, and indeed any of the other 120,000 pieces of malware in existence,” Cluley wrote.
It turned out to be sound advice, as we learned this morning from Cluley himself, whom TG Daily contacted in the wake of the first news that computers in Asia and Europe were reporting minimal damage from the virus trumpeted to strike on 3 February. We spoke at length with Cluley about whether the press over-hyped the possible danger of the Nyxem worm, and what its low impact may mean for the evolution of malware. Here now is the transcript of TG Daily’s interview with Sophos’ Graham Cluley:
Kama Sutra an overblown hype?
TG Daily: Was all the hype about “Kama Sutra” overblown? Or by letting the media spread the word, in that special way they do, did that get more people prepared for it to disinfect their computers in time?
Graham Cluley: Worldwide, Sophos has received the grand total of zero reported computers losing any data. The big naught.
We do know, though, that there are computers out there which are infected. We have monitoring stations based around the globe, which are looking at e-mail traffic, and we’re suddenly aware of thousands of computers which are blasting out copies of the Nyxem worm. The Nyxem worm continues to spread – it hasn’t stopped just because its payload is now triggered.
Also, we know that there are some companies and organizations – there’s some offices in Milan, with the Italian government, which have closed down for the day because they found so many computers were infected, that they thought, “We’re just not going to turn our network on today. We’re going to have a long weekend, and we’ll come back on Monday, and then we’ll do the cleanup.” Apparently, [Milan] has 10,000 infected computers.
So there are people with infected computers out there, but none of them have reported any damage to Sophos. Now, as you’ve speculated, there’s a couple of reasons for that: One is that the anti-virus vendors actually had protection available against [Nyxem] over two weeks ago. We at Sophos rolled out the protection updates to all of our customers, so that was helping them defend themselves and find out if any virus had sneaked past their defense as well, and stop it that way.
The other thing is, the hype which really began to escalate this week began to make some of the home users think a little bit more about this as well, and maybe check their systems and clean themselves up. Certainly, we think there has been a reduction in the number of infected computers during the course of the week.
The figures which some vendors were coming out with at the beginning of the week were a bit crazy, in our view. There were early estimates that millions of computers might be infected, and that was based upon a Web counter which was incremented by the virus, but of course, would also be incremented by anybody visiting that URL. So every anti-virus nerd who went there, or anyone else who wanted to write little programs that increment that number, was able to do so.
TG Daily: So there was a system out there that was using its own Web traffic to estimate the possible infections?
Cluley: What it was, the worm itself maintained its own counter. It used a particular Web site just to increment it every time it found a new computer to infect. So it was a way for the author, I guess, to see how well he was doing.
TG Daily: His own little odometer, there.
Cluley: Yeah, exactly. It was just like that. But other people going to the Web site could increment it as well, and some people even attempted to deliberately inflate the number, by visiting the Web site multiple times, or using zombie computers to do it. They were trying to increase the hype. Then, we found out, a single copy of the virus can count itself dozens of times. So [even] it could artificially boost [its own] numbers as well. Whether that was a programming fault by the author or not, we don’t know.
All of the numbers which people have been coming out with are really just nonsense. It’s really been impossible to tell just how many people are truly infected by this worm. What we do know is, there are some people infected, and we do still see its e-mail traffic as well.
So when it comes to the question of, “Well, did we all hype it up from the beginning anyway, or did the hype actually do us all good?” Really hard to answer. I think this was a genuine threat; it was a widespread virus, one of the most widespread in recent weeks – it was normally about the second or third most commonly encountered virus. And it did have a disruptive payload, which most viruses these days don’t. But the point we were making a couple of days ago…was, even if this virus does trigger on your computer, even if you were infected and you ignored all the warnings, and you got wiped of your documents, it’s not that serious. Because you’ve all got backups, right? Or at least you should be backing up your data. Certainly companies are doing backups, and hopefully at home these days, they’re beginning to as well.
The worst that might happen is, you might have to retype in your documents. Now, compare that to what most malware does these days. Most malware these days is financially motivated, and it doesn’t have such an obvious warhead built into it. What they tend to do these days is normally steal information. Okay, so you had a few documents wiped. What big a deal is that, as opposed to having information stolen from you? You can never un-steal documents. You can never un-capture any keyboard presses which were logged by a Trojan, as you logged into your bank online. You can never undo any screen captures it might have made, as it was trying to steal your identity. So a lot of things that other malware, which hasn’t been making the headlines, does, is actually much nastier than Nyxem was.
TG Daily: I’ve noticed a lot of worms nowadays which, both for boasting and self-defense purposes, call themselves “Proof-of-concept” as a way of explaining, “We’re not really damaging a whole lot, but we could have done a whole lot worse.” Pulling the punch a little bit. Could Nyxem fall under that proof-of-concept category?
Cluley: It’s not really proof-of-concept; rather, it’s the concept which was first had ten years ago. It’s a very old concept, which I’m afraid is, put a girl in a bikini in front of a guy, and he’s probably going to click with his mouse. There’s a Pavlov’s Dog reaction: Men start salivating at the thought of sexy file attachments, and their finger begins to twitch, and they can’t resist.
I think in many ways, these old-school viruses, these sexy viruses – which are great for getting headlines, as compared to the ones which may be more of a threat – aren’t really so much of a technology problem, they’re more of a social problem. We can patch people’s computers, but we can’t put a Band-Aid over the bug in people’s brain. And if we could upgrade people’s brain with a new patch from Microsoft, then we’d stop guys clicking on these files. What did people expect when they got files with names like, “Schoolgirl Fantasies Gone Bad,” or, “Arab Sex Object,” these sorts of things? How many times do you have to be punched in the nose by a virus before you learn to duck and avoid it? It’s really a human failing which has caused this problem to happen. I think that’s why it affects the home users more than businesses; businesses know that their staff are dumb when it comes to attachments, so more and more of them are putting the protection in place before the file ever gets close to the users. Or they have a policy at their e-mail gateway that stops executable code coming in from the outside world.
TG Daily: They’re using more WebWashers, things like that.
Cluley: There are things like that, but also anti-virus software can put an additional policy above scanning for known viruses. We can, for instance, say, “If you don’t want to receive executable files from outside, just click this box.” Why would you ever want your users running code sent to them from the outside world, rather than code which has come through the IT department, and has been approved, and is known to not clash or cause bugs or be pornographic, or anything like that?
Let’s not forget that there are many viruses which don’t travel via e-mail. They may travel via Internet, so they infect you without any attachments. There are viruses which may come on your USB stick or your CD-ROM drive. You still need technology and anti-virus on your desktops and on your service, but you can further reduce the risk by putting policies in place as well.
Do more Trojan horses come from basements or caves?
Cluley: Last month, we saw the biggest amount of brand-new malware we had seen since we started in this business 20 years ago. We saw 2,312 brand new Trojans, viruses, worms, and pieces of spyware, which is astonishing. When I started in this business, there weren’t 400 in total. So it was a huge jump that we saw. And because of that, people need additional ways to protect themselves, because the new stuff is coming out so quickly now, and in such quantity.
TG Daily: Of that 2,312 from last year, at least some of it had a little bit of ingenuity to it. I mean, it wasn’t just the ILOVEYOU virus rewritten, was it?
Cluley: No, although an awful lot are very similar Trojan horses these days. That’s one of the real big growth areas we’ve seen. As you probably know, the virus writers are becoming more financially motivated. That’s why they don’t write worms like “Kama Sutra,” because [when] they infect too many people, they make the headlines and they’re too obvious. So they write Trojan horses which don’t travel under their own steam, that can be sent to a small number of people. Then the virus writers know who they’re targeting. They don’t want 200,000 credit card details; they couldn’t handle it. What they want is 200 credit card details, and once they’ve dealt with those, “Right, let’s have another 200.”
TG Daily: You make an interesting point there, because by its nature, you’d think a virus must spread itself; but part of the reason for doing that is the notoriety of it, which the financially motivated guy doesn’t want.
Cluley: Definitely do not want. What they are doing is using other people’s computers to span out the Trojans – maybe to a small number of people, so they go under the radar, don’t draw attention to themselves, they can be in place maybe for weeks or months. They don’t want to draw attention to themselves from the anti-virus community either. Whereas a worm like this recent one is so obvious that, of course, all the anti-virus vendors had patches for it two weeks ago.
So it is fascinating how the whole scene’s changing. Trojan horses used to be a complete non-area in viruses; they didn’t appeal to the virus writers because they didn’t spread themselves, didn’t give them the notoriety they wanted. Now, over 63% of all the malware we’ve seen written, are Trojan horses.
TG Daily: Six years ago, when the Y2K scare turned out not to be a terribly bad thing after all, a lot of individuals blamed the messenger for over-hyping it, as if the danger wasn’t real to begin with. I wonder whether a similar backlash will happen as more of these less financially motivated, more conventional, viruses start to play themselves out in the media. There were reports of up to 500,000 computers possibly infected; and as it was discovered today, no, it’s not that bad because, as you say, everybody’s prepared. But once that cycle starts to close, I’m wondering whether there’s going to be a backlash of skepticism among individuals, saying, “Ah, these viruses are overblown…it’s not such a big deal!” And then that actually creates a lack of preparedness as a backlash, which may start the whole wave over again.
Cluley: There has always been, and probably always will be, a cynicism about the anti-virus industry. I’ve heard for years, “I bet it’s you guys who really write the viruses.” I say, “Yeah, yeah, and it was us on the grassy knoll in November 1963.” And “it’s the dentists who put all the sugar in fizzy drinks.” The thing is, with this latest worm, I’m sure some people will be thinking today, “Augh! They spun us a line again; they let us down again!” And that is a shame, because people might let down their guard.
But I think most businesses recognize that actually, although this may not have been as big an event as some of the newspapers and vendors may have suggested it might have been, they still know that they have to keep on protecting themselves every single day of the year, not just focusing on today, but there are threats coming out all the time which they have to defend themselves against.
I don’t actually expect that this new virus is the first of many old-school viruses to return. I think most of the amateurs – if you can call them that, the teenage kids – have sort of left this market. There’s probably a few hanging around; but I think [the rest] have been scared off, because these days, the virus writers, the hackers, the spammers are getting serious jail sentences. Most people in the underground community who are doing it for kicks realize that they’ve got an awful lot to lose these days from getting themselves involved. It’s not like the old days. So it’s the more professional organized criminals who are doing this.
I don’t think we’re going to see an avalanche of headline inducing viruses in the future. I think the financial ones are going to carry on, and probably get much worse.
TG Daily: You’re saying, we’re moving away from the era of what I call the “Elroy Jetsons” of the world, the boys in their dads’ basements who are trying to make a show for themselves, and we’re starting to see an era where we need to turn our attention more to professional thieves and, conceivably, terrorists.
Cluley: Yeah, the terrorist thing…Certainly, I agree about the thieves. I think the terrorist thing has been overplayed in the past. Of course, there is disruption you can do with computers and things like this, but I always think, well, if terrorists could cause such a big problem with viruses, why haven’t they done it already? It’s not hard to write a virus. I could teach you how to write a virus in 45 minutes. In fact, it’s an awful lot easier for them to write a virus from some cave in Afghanistan, than it is to get a lorry full of explosives at the center of New York – it puts themselves at less risk.
So the terrorist thing might be overplayed, but I think certainly, there are many criminals out there who are recognizing they can make a lot of money. Of course, terrorist groups need money, too. So they may well be using this as a way to help finance some of their operations.
TG Daily: But you ask, why haven’t the terrorists done this already? There are some people in Homeland Security and other departments who say, “Well, the reason you don’t know that it’s happened is partly proof that we’ve been doing our job, but we just can’t tell you how well we’ve been doing it.”
Cluley: Yeah, well, come off it. That’s handy, isn’t it? We’ve got bases all around the world, we’re looking at the world’s e-mail, we protect government departments. We do occasionally see hacking attempts and Trojans which have been written for specific government departments; there’s been no evidence, though, that these have been terrorist-inspired. And the other thing is, of course, it’s just as easy for us to write an antidote to a virus written by a terrorist as it is to write one [for a virus] written by a pimply teenager. It makes no difference to us. There are over 120,000 viruses in existence now. So a handful more really don’t make much difference.