1. Create a worm that contacts a website. Give it a strange, meaningless name. (No wait, let the av companies do that ).
2. Create a counter on the website. Start it at 350,000.
3. Increment the counter by 10,000 every time it is contacted (don’t forget to configure the worm to phone home every 10 minutes).
4. Submit the worm to an av company as "something you’ve been hit with" (aka "the sound that’s sweeping the Nation! "Hey, baby, I’m the telephone man, won’t you tell me where you want it…" I am not making this up, it was an old commercial).
5. Skip the part (that I didn’t include) about releasing the worm.
6. Every once in a while, increment the counter by 10 million. (Oops, if you hit 800 million, that’s too high).
7. Watch with wonder.
You know, Nyxem could be a serious problem. The payload itself is definitely worthy of notice and review. It may even have infected 700,000 machines. So Why don’t people treat it seriously? To somehow suggest that it is a problem simply because of a counter on the attacker-owned Internet site is absolutely ridiculous. No security professional worth his salt would believe "evidence" like this, and yet we have organizations screaming "the sky is falling."
Is 2006 going to be the year of amateur security folks sending people on wild goose trips?
Oh, that reminds me of the best worm joke ever.
I agree that basing the stat on one webcounter would be silly. I also think BLckworm is getting more attention because the threat level is more obvious. However I think you are being too flippant in your analysis.
First, the actual worm code has been decompiled so they should be able to tell whether the worm is incrementing the counter by 1 or 10k per infected machine. Also it seems http://webstats.rcn.com/ are a normal webstat monitoring service, not under the control of the worm creator, making it difficult to jimmy the stats before hand, but not impossible.
It would be nice to see some evidence beyond the web counter though. It seems two AV sensor networks, F-Secure and Symantec disagree. F-Secure has the threat at 2nd on their malicious activity list, and Symantec’s DeepSight analyser seems to not be picking up anything ‘anomalous’.
I guess we will just have to wait till Feb 3rd to guage the impact.
@Dominic -
This isn’t an “analysis” – it is flippant because it makes fun of our evidence, not the potential impact of the worm itself, which I agree has a much more destructive payload than most worms do and deserves some attention. I guess my worry is that the threat level really isn’t obvious and yet we are treating it as such.
Decompiling the worm helps with payload, but I don’t see how it helps with the counter. Keep in mind that any access increments the counter, so two ways right off the bat where I can doctor it are 1)write a script that requests that page and just loop it; or 2) mimic the worm and keep it running on a test machine. I still suspect the counter can be incremented manually, but I haven’t done any detailed analysis.
Part of the problem with this type of evidence is simply that we jump to conclusions that support our way of thinking. If this counter were of, say, the number of machines on the Internet that aren’t 0wn3d, then everyone would make fun of it. But because it fits in with our view of the world, we trumpet it from the highest mountain. I think that is dangerous and it creates a blindside.
Constant Vigilence…This time Nyxem
Pete Lindstrom of Spire Security has a great post on some of the mania inherent to the possibility and reality of virus outbreaks. His little exp