The Nyxem worm's file-destroying payload didn't bring the world to its knees Feb. 3. But Jim Moore, information security officer for the Rochester Institute of Technology in New York, grew concerned after reading media reports that dismissed the threat as hyperbole.
As far as he was concerned, people weren't seeing the opportunity that was in front of them.
"There was this consensus that the storm will miss us, that our AV is up to date and so let's move on," said Moore, whose department manages a network of about 20,000 users and 30,000 networked computing devices -- only 10,000 of which are owned by the institute. "Instead of just moving on, we should be using this as a good fire drill."
Moore said the Nyxem threat raised a lot of questions enterprises should be looking at. For example, do organizations have backup capabilities and a business continuity plan in the event AV signatures don't catch the next worm with a destructive payload?
A fresh look at backup procedures
Moore said many enterprises probably haven't put as much thought into data backup procedures as they should. This potential threat presents an opportunity to investigate weaknesses and solutions, he said.
Right now, he said, organizations often backup files to protect against a scenario in which a user might accidentally delete a file. Backup procedures are also part of larger business continuity plans. But he said it's unlikely that many IT shops have investigated how to back up a lot of files in a hurry in the event of a fast-spreading worm.
If hundreds of people in an organization started scrambling at once to back up their hard drives, the network probably wouldn't be able to support such a surge of activity, he noted.
"This is a case where speed is more of an issue than it would be for retrieving accidentally deleted files," he said. "The message for me is to take this as a point of review. It has appeared as a threat. Let's look at our overall backup architecture and see how to make it more resilient against this type of threat."
Moore recalled a recent conversation he had with a colleague on the subject. The colleague suggested having users back up data on CDs and DVDs. That sounds like the reasonable approach, but he realized there would be some danger involved.
"You're taking potentially sensitive data out from under the protection of the IT department's access control infrastructure," he said. "The person I was talking to said 'Yeah, I never thought of that.' Using a CD or DVD may be a good temporary solution, but maybe we should say that after the threat passes, we're taking the CDs back."
Many contingency plans come with temporary risk, he said. But there are ways to plan for that, to cushion vital assets from the temporary dangers.
The Nyxem post-mortem
As Moore explores ways to harden his own environment against future Nyxems, AV experts are scouring data from recent weeks to get a better handle on how big the infection rate was and why more trouble wasn't reported Feb. 3.
One such analysis came from the Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center (SDSC) on the campus of the University of California, San Diego.
According to the analysis, "The Nyxem e-mail virus is somewhat unique in that each infected computer generated a single request for a Web page. The global spread of e-mail viruses is typically impossible to track given the directed, topological manner in which they spread. Thus, Nyxem represented a rare opportunity to investigate the spread of an e-mail virus."
Throughout its germination period, the worm was reporting its infections to a Web based counter that at one point had shown close to a million infections. But it took some work to figure out how accurate the worm's Web-based infection counter really was. Deliberate attempts from outsiders to skew the counter results via denial-of-service attacks and other means polluted the Web logs, according to the report. Despite that, the analysts said, "We believe that we have arrived at a reasonable, if somewhat less than optimally constrained estimate of the total number of infected computers at between 469,507 and 946,835."
Why files survived Feb. 3
In his firm's blog, Mikko Hypponen, AV research director for Helsinki-based F-Secure Corp., tried to explain why files on some infected machines survived Feb. 3.
"Nyxem-E had infected hundreds of thousands of computers over the last two weeks. It activated on Friday, overwriting data. But almost nobody reported any problems. So what happened?" he asked.
He theorized that:
- The amount of machines still infected Feb. 3 was much smaller than the total amount of machines that got infected and cleaned during the entire outbreak. "This number is probably in the tens of thousands, which is not a lot of computers out of, say, one billion computers in the world," he said.
- Many of the infected machines were not rebooted Feb. 3. They were simply running all the time. The worm only does damage when a machine is rebooted on that precise date, Hypponen said.
- Many infected home machines were shut down all of Feb. 3, and nothing happened. People went to the movies, bars and parties on Friday night instead of surfing the Web.
- Media coverage prompted many people to check their systems and clean them of infections ahead of time.