Nyxem's lessons can't be ignored

By Bill Brenner, Senior News Writer
09 Feb 2006 | SearchSecurity.com

Security Wire Daily News

The Nyxem worm's file-destroying payload didn't bring the world to its knees Feb. 3. But Jim Moore, information security officer for the Rochester Institute of Technology in New York, grew concerned after reading media reports that dismissed the threat as hyperbole.

As far as he was concerned, people weren't seeing the opportunity that was in front of them.

"There was this consensus that the storm will miss us, that our AV is up to date and so let's move on," said Moore, whose department manages a network of about 20,000 users and 30,000 networked computing devices -- only 10,000 of which are owned by the institute. "Instead of just moving on, we should be using this as a good fire drill."

Moore said the Nyxem threat raised a lot of questions enterprises should be looking at. For example, do organizations have backup capabilities and a business continuity plan in the event AV signatures don't catch the next worm with a destructive payload?

As Moore tries to answer those questions in his own environment, AV experts are warning people not to dismiss Nyxem as a dud. Sure, it didn't create chaos this time. But there are several reasons why files on some infected machines were not overwritten Feb. 3. And since the worm's payload is programmed to detonate on the third day of each month, machines left unscathed this time might not be so lucky next time.

A fresh look at backup procedures
Moore said many enterprises probably haven't put as much thought into data backup procedures as they should. This potential threat presents an opportunity to investigate weaknesses and solutions, he said.

Right now, he said, organizations often back up files to protect against a scenario in which a user accidentally deletes a file. Backup procedures are also part of larger business continuity plans. But he said it's unlikely that many IT shops have investigated how to back up a lot of files in a hurry in the event of a fast-spreading worm.

If hundreds of people in an organization started scrambling at once to back up their hard drives, the network probably wouldn't be able to support such a surge of activity, he noted.

"This is a case where speed is more of an issue than it would be for retrieving accidentally deleted files," he said. "The message for me is to take this as a point of review. It has appeared as a threat. Let's look at our overall backup architecture and see how to make it more resilient against this type of threat."

Moore recalled a recent conversation he had with a colleague on the subject. The colleague suggested having users back up data on CDs and DVDs. That sounds like a reasonable approach, but he realized there would be some danger involved.

"You're taking potentially sensitive data out from under the protection of the IT department's access control infrastructure," he said. "The person I was talking to said 'Yeah, I never thought of that.' Using a CD or DVD may be a good temporary solution, but maybe we should say that after the threat passes, we're taking the CDs back."

Many contingency plans come with temporary risk, he said. But there are ways to plan for that, to cushion vital assets from the temporary dangers.

The Nyxem post-mortem
As Moore explores ways to harden his own environment against future Nyxems, AV experts are scouring data from recent weeks to get a better handle on how big the infection rate was and why more trouble wasn't reported Feb. 3.

One such analysis came from the Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center (SDSC) on the campus of the University of California, San Diego.

According to the analysis, "The Nyxem e-mail virus is somewhat unique in that each infected computer generated a single request for a Web page. The global spread of e-mail viruses is typically impossible to track given the directed, topological manner in which they spread. Thus, Nyxem represented a rare opportunity to investigate the spread of an e-mail virus."

Throughout its germination period, the worm reported its infections to a Web-based counter that at one point showed close to a million infections. But it took some work to figure out how accurate that counter really was. Deliberate attempts by outsiders to skew the counter via denial-of-service attacks and other means polluted the Web logs, according to the report. Despite that, the analysts said, "We believe that we have arrived at a reasonable, if somewhat less than optimally constrained estimate of the total number of infected computers at between 469,507 and 946,835."

At least 45,401 of the infected computers were also compromised by other forms of spyware or bot software that advertised themselves in the browser identification string, the report said.
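The counting problem CAIDA describes, as an added illustration that is not CAIDA's code or method: each infected host fetches the counter URL once, so distinct client addresses in the counter's access log bound the infection count, but sources that hammer the counter to inflate it have to be set aside, and a browser identification string that advertises other software marks a co-infected host. The log lines, the flood threshold and the `EXAMPLE-ADWARE-MARKER` token are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens that mark a host as carrying other software which announces itself in
# the User-Agent. Constructed placeholder, not a real spyware or bot string.
CO_INFECTION_MARKERS = ("EXAMPLE-ADWARE-MARKER",)


def parse_counter_log(lines):
    """Group counter hits by client IP: hit count and the set of UA strings seen."""
    hits, agents = Counter(), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m.group("req").startswith("GET /counter.cgi"):
            continue  # malformed line or a request unrelated to the counter
        hits[m.group("ip")] += 1
        agents[m.group("ip")].add(m.group("ua"))
    return hits, agents


def estimate_infections(lines, flood_threshold=20):
    """Return (lower, upper, flood_sources, co_infected).

    upper: every distinct IP that hit the counter at all.
    lower: distinct IPs minus sources whose volume looks like deliberate skewing
           rather than the single request one infection produces.
    """
    hits, agents = parse_counter_log(lines)
    floods = {ip for ip, n in hits.items() if n >= flood_threshold}
    co_infected = {ip for ip, uas in agents.items()
                   if any(tok in ua for ua in uas for tok in CO_INFECTION_MARKERS)}
    return len(hits) - len(floods), len(hits), floods, co_infected


def constructed_log():
    """Constructed sample: two clean single-hit hosts, one co-infected host,
    one source flooding the counter, and one unparseable line."""
    tmpl = ('{ip} - - [03/Feb/2006:08:00:{s:02d} +0000] "GET /counter.cgi HTTP/1.1" '
            '200 43 "-" "{ua}"')
    ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    lines = [tmpl.format(ip=f"198.51.100.{i}", s=i, ua=ua) for i in (1, 2)]
    lines.append(tmpl.format(ip="198.51.100.3", s=3, ua=ua + " EXAMPLE-ADWARE-MARKER"))
    lines += [tmpl.format(ip="203.0.113.9", s=i % 60, ua=ua) for i in range(50)]
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    lo, hi, floods, co = estimate_infections(constructed_log())
    print(f"infected hosts: {lo}-{hi}; flood sources: {sorted(floods)}; co-infected: {sorted(co)}")
```

Real logs add uncertainty the sample does not model, such as many hosts behind one NAT address or one host changing DHCP address, which is why a range rather than a single number is the honest output.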

Why files survived Feb. 3
In his firm's blog, Mikko Hypponen, AV research director for Helsinki-based F-Secure Corp., tried to explain why files on some infected machines survived Feb. 3.

"Nyxem-E had infected hundreds of thousands of computers over the last two weeks. It activated on Friday, overwriting data. But almost nobody reported any problems. So what happened?" he asked.

He theorized that:

  • The number of machines still infected Feb. 3 was much smaller than the total number of machines that were infected and cleaned during the entire outbreak. "This number is probably in the tens of thousands, which is not a lot of computers out of, say, one billion computers in the world," he said.
  • Many of the infected machines were not rebooted Feb. 3. They were simply running all the time. The worm only does damage when a machine is rebooted on that precise date, Hypponen said.
  • Many infected home machines were shut down all of Feb. 3, and nothing happened. People went to the movies, bars and parties on Friday night instead of surfing the Web.
  • Media coverage prompted many people to check their systems and clean them of infections ahead of time.
