Sophos' Graham Cluley: The end of the widespread virus era is at hand

Kama Sutra an overblown hype?

TG Daily: Was all the hype about "Kama Sutra" overblown? Or by letting the media spread the word, in that special way they do, did that get more people prepared for it to disinfect their computers in time?

Graham Cluley: Worldwide, Sophos has received the grand total of zero reported computers losing any data. The big naught.

We do know, though, that there are computers out there which are infected. We have monitoring stations based around the globe, which are looking at e-mail traffic, and we're suddenly aware of thousands of computers which are blasting out copies of the Nyxem worm. The Nyxem worm continues to spread - it hasn't stopped just because its payload is now triggered.

Also, we know that there are some companies and organizations - there are some offices in Milan, with the Italian government, which have closed down for the day because they found so many computers were infected that they thought, "We're just not going to turn our network on today. We're going to have a long weekend, and we'll come back on Monday, and then we'll do the cleanup." Apparently, [Milan] has 10,000 infected computers.

So there are people with infected computers out there, but none of them have reported any damage to Sophos. Now, as you've speculated, there are a couple of reasons for that: One is that the anti-virus vendors actually had protection available against [Nyxem] over two weeks ago. We at Sophos rolled out the protection updates to all of our customers, so that was helping them defend themselves and find out if any virus had sneaked past their defense as well, and stop it that way.

The other thing is, the hype which really began to escalate this week began to make some of the home users think a little bit more about this as well, and maybe check their systems and clean themselves up. Certainly, we think there has been a reduction in the number of infected computers during the course of the week.

The figures which some vendors were coming out with at the beginning of the week were a bit crazy, in our view. There were early estimates that millions of computers might be infected, and that was based upon a Web counter which was incremented by the virus, but of course, would also be incremented by anybody visiting that URL. So every anti-virus nerd who went there, or anyone else who wanted to write little programs that increment that number, was able to do so.

TG Daily: So there was a system out there that was using its own Web traffic to estimate the possible infections?

Cluley: What it was, the worm itself maintained its own counter. It used a particular Web site just to increment it every time it found a new computer to infect. So it was a way for the author, I guess, to see how well he was doing.

TG Daily: His own little odometer, there.

Cluley: Yeah, exactly. It was just like that. But other people going to the Web site could increment it as well, and some people even attempted to deliberately inflate the number, by visiting the Web site multiple times, or using zombie computers to do it. They were trying to increase the hype. Then, we found out, a single copy of the virus can count itself dozens of times. So [even] it could artificially boost [its own] numbers as well. Whether that was a programming fault by the author or not, we don't know.

All of the numbers which people have been coming out with are really just nonsense. It's really been impossible to tell just how many people are truly infected by this worm. What we do know is, there are some people infected, and we do still see its e-mail traffic as well.

So when it comes to the question of, "Well, did we all hype it up from the beginning anyway, or did the hype actually do us all good?" Really hard to answer. I think this was a genuine threat; it was a widespread virus, one of the most widespread in recent weeks - it was normally about the second or third most commonly encountered virus. And it did have a disruptive payload, which most viruses these days don't. But the point we were making a couple of days ago...was, even if this virus does trigger on your computer, even if you were infected and you ignored all the warnings, and you got wiped of your documents, it's not that serious. Because you've all got backups, right? Or at least you should be backing up your data. Certainly companies are doing backups, and hopefully at home these days, they're beginning to as well.

The worst that might happen is, you might have to retype in your documents. Now, compare that to what most malware does these days. Most malware these days is financially motivated, and it doesn't have such an obvious warhead built into it. What they tend to do these days is normally steal information. Okay, so you had a few documents wiped. How big a deal is that, as opposed to having information stolen from you? You can never un-steal documents. You can never un-capture any keyboard presses which were logged by a Trojan, as you logged into your bank online. You can never undo any screen captures it might have made, as it was trying to steal your identity. So a lot of things that other malware, which hasn't been making the headlines, does, is actually much nastier than Nyxem was.

TG Daily: I've noticed a lot of worms nowadays which, both for boasting and self-defense purposes, call themselves "Proof-of-concept" as a way of explaining, "We're not really damaging a whole lot, but we could have done a whole lot worse." Pulling the punch a little bit. Could Nyxem fall under that proof-of-concept category?

Cluley: It's not really proof-of-concept; rather, it's the concept which was first had ten years ago. It's a very old concept, which I'm afraid is, put a girl in a bikini in front of a guy, and he's probably going to click with his mouse. There's a Pavlov's Dog reaction: Men start salivating at the thought of sexy file attachments, and their finger begins to twitch, and they can't resist.

I think in many ways, these old-school viruses, these sexy viruses - which are great for getting headlines, as compared to the ones which may be more of a threat - aren't really so much of a technology problem, they're more of a social problem. We can patch people's computers, but we can't put a Band-Aid over the bug in people's brain. And if we could upgrade people's brain with a new patch from Microsoft, then we'd stop guys clicking on these files. What did people expect when they got files with names like, "Schoolgirl Fantasies Gone Bad," or, "Arab Sex Object," these sorts of things? How many times do you have to be punched in the nose by a virus before you learn to duck and avoid it? It's really a human failing which has caused this problem to happen. I think that's why it affects the home users more than businesses; businesses know that their staff are dumb when it comes to attachments, so more and more of them are putting the protection in place before the file ever gets close to the users. Or they have a policy at their e-mail gateway that stops executable code coming in from the outside world.

TG Daily: They're using more WebWashers, things like that.

Cluley: There are things like that, but also anti-virus software can put an additional policy above scanning for known viruses. We can, for instance, say, "If you don't want to receive executable files from outside, just click this box." Why would you ever want your users running code sent to them from the outside world, rather than code which has come through the IT department, and has been approved, and is known to not clash or cause bugs or be pornographic, or anything like that?

Let's not forget that there are many viruses which don't travel via e-mail. They may travel via the Internet, so they infect you without any attachments. There are viruses which may come on your USB stick or your CD-ROM drive. You still need technology and anti-virus on your desktops and on your servers, but you can further reduce the risk by putting policies in place as well.