Security Blog Log: Is Nyxem really that dangerous?

By Bill Brenner
27 Jan 2006 | SearchSecurity.com


There's concern among AV experts in the blogosphere that Feb. 3 could be an awful day for IT professionals.

That's when a fast-spreading and hard-to-detect worm is set to detonate a file-corrupting payload.

The first alarm bell was sounded by Helsinki-based AV firm F-Secure Corp., which warned in its blog that Nyxem -- also known as Grew and Blackmal -- is infecting machines on a massive scale. The worm is using a Web site counter to tally its infections, and according to the blog kept by Russian AV firm Kaspersky Lab, that counter blew past the million mark Wednesday.

For that reason, the firm said, "there is no doubt that some people will have unpleasant surprises on [the] 3rd of February."

So is the threat overblown? Remember that in December, security experts warned that Sober was programmed to launch a big attack Jan. 5, yet that date came and went without incident.

AV firms acknowledge Nyxem's propagation is nothing compared to what worms like Sober and Netsky have accomplished in the past. It's also possible the worm's Web counter is inaccurate.

Alarm over Nyxem isn't universal among AV firms, either. Cupertino, Calif.-based Symantec Corp. was maintaining a Level 1 ThreatCon as of Friday morning. That day, Glendale, Calif.-based Panda Software was maintaining a Global ThreatWatch level of green, indicating normal conditions.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Still, the causes for concern can't be ignored. Let's review:

F-Secure designated Nyxem a Radar Level 2 threat, its second-highest alert level, and F-Secure AV Research Director Mikko Hypponen said the worm is programmed to corrupt a variety of files on infected machines the third day of every month, starting next Friday. That means not only could it wreak havoc next month, but also potentially for months to come.

Of Nyxem's programming, F-Secure said, "The worm's destructive payload activates on every third day of the month by replacing the content of users' files with a text string 'DATA Error [47 0F 94 93 F4 K5].' Among these files are .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd and .dmp."

The blog also links to an F-Secure advisory describing a very long list of subject lines and message text that the worm is using.
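As an added example (not code from the article, F-Secure or Fortinet), here is a small Python triage scanner a defender could run after a trigger date to list documents whose contents have been replaced by the marker string quoted above. It assumes the overwritten file body is the marker string alone, which the page does not state, and it builds its own constructed sample tree.

```python
import tempfile
from datetime import date
from pathlib import Path

# Marker string as quoted from the F-Secure description on this page.
NYXEM_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# File extensions listed on this page as targets of the payload.
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}

# Assumption (not stated on the page): an overwritten file holds only the
# marker, so anything much larger is not a payload victim and is skipped.
MAX_VICTIM_SIZE = len(NYXEM_MARKER) + 16


def is_trigger_day(iso_date: str) -> bool:
    """Payload trigger per F-Secure: the third day of every month."""
    return date.fromisoformat(iso_date).day == 3


def is_overwritten(data: bytes) -> bool:
    """True if a file body looks like the payload's replacement text."""
    return data.strip() == NYXEM_MARKER


def scan_tree(root: str) -> list:
    """Return root-relative paths of targeted files whose body is the marker."""
    base = Path(root)
    hits = []
    for path in base.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        if path.stat().st_size > MAX_VICTIM_SIZE:
            continue  # a real document; no need to read it
        try:
            if is_overwritten(path.read_bytes()):
                hits.append(str(path.relative_to(base)))
        except OSError:
            continue  # unreadable file; report nothing rather than guess
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample: one overwritten .doc, one healthy .xls, and an
    overwritten .txt (an extension the worm is not reported to target)."""
    root = tempfile.mkdtemp(prefix="nyxem_demo_")
    (Path(root) / "report.doc").write_bytes(NYXEM_MARKER)
    (Path(root) / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 600)
    (Path(root) / "notes.txt").write_bytes(NYXEM_MARKER)
    return root
```

Files the scanner reports are already lost on disk and must be restored from backup; the list is useful for scoping restores and for confirming that backups taken before the 3rd are clean.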

A worm that may be capable of nuking such a diverse array of files certainly can't be ignored, especially when it claims to have infected more than a million machines. And here's another reason to worry:

Sunnyvale, Calif.-based Fortinet Inc. said in an advisory this week that the worm "will attempt to connect to networked computers using the logon name 'Administrator.' It will then try to delete files associated with antivirus software installations both locally and across networked systems. Additionally, the virus will attempt to damage P2P application installations by deleting .dll component files from various local folders."

Fortinet said the worm is also coded to register the dropped ActiveX control through changes to the system registry. By creating a variety of registry entries, the control is considered "safe" and digitally signed. A list of the registry entries appears in the advisory. So on top of everything else, infections may not be easily detected.

Security researchers don't have a crystal ball or a time machine to ensure their warnings are 100% on target. All they can do is look at the code and infection rates, then call it as they see it.

In the end, IT professionals may be wise to prepare for the worst-case scenario -- making sure their AV vendor is on top of things and that there's an in-house system to blunt the worm's potential impact. If an IT shop practices defense-in-depth, it probably has nothing to worry about. Home users and smaller companies without a security infrastructure might not be so lucky.

We'll find out one way or the other next Friday.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy