Nimda: a flash in the pan
Shane Coursen, 2001-10-01

Why viruses are getting faster and louder, but not more successful.

Nearly every month, the computing world falls victim to another, more complex computer virus or worm. Based on the recent ones, it appears that virus writers have decided that their creations are not successful unless they have the ability to propagate across the globe in 24 to 48 hours.

The new Nimda virus is the clearest example of this trend. It spreads through every means possible, combining the characteristics of a classic file-oriented computer virus, a worm, and a mass-mailer, while searching for network shares. It is perhaps the ultimate virus built for rapid worldwide propagation.

But was it a success?

From a virus writer's point of view, spreading as far and as fast as possible has its merits, but there is a limit to how fast a virus can spread before its advantage becomes its Achilles heel.

I would argue that Nimda -- like its predecessors Code Red, LoveLetter and Melissa -- simply spread too fast for its own good.

It was so invasive and so successful in propagating that it broke rule number one of what most antivirus researchers would call a successful virus: it made itself too apparent. Much too apparent. Once Nimda flew above the radar, it gave people a reason to sit up and pay attention, it gave the media something to talk about, and it gave virus-fighters a signature to identify and filter it by.

If we were to judge the success of a virus by its longevity, the so-called Happy99 worm, properly called W32/Ska.A@m, was much more successful.

Happy99 first appeared in January 1999. Less than two months later, it appeared on the WildList of viruses spotted at large, and one short month after that it was one of the WildList's most frequently reported viruses. Since then, it has stayed at the top of the heap. Only recently has its decline in prevalence begun, and I'd argue that it may still be the single most prevalent virus in the wild. It only appears to be less prevalent now -- over two years later -- because it is such a well-known virus that many people aren't alarmed by its presence, and it goes unreported.

Happy99 spreads at a modest pace, compared with today's Swiss Army knife super-viruses. It propagates only through email messages and Usenet postings. But given its 'success', as measured by longevity, one wonders why there aren't more viruses coded like Happy99.
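The trade-off argued above (a fast spreader trips the alarm and is wiped out; a slow one like Happy99 stays below the radar and lingers) can be made concrete with a toy epidemic model. The following is an added illustration, not part of the original column and not a model the author used. Every number in it (population, contact rates, the two cleanup rates, the alarm threshold) is an assumed parameter chosen to show the dynamic, not a measurement of Nimda, Happy99 or any real outbreak.

```python
"""Toy epidemic model: a loud, fast-spreading worm versus a quiet, slow one.

Added illustration; all numbers are assumed, not measured from any real worm.
Hosts move susceptible -> infected -> cleaned (SIR-style, discrete ticks).
Nobody notices the worm until the rate of *new* infections per tick crosses an
alarm threshold; after that a signature exists and cleanup jumps from the slow
background rate to a fast, coordinated rate.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Outcome:
    lifetime: int              # ticks until fewer than one host is still infected
    peak_infected: float       # largest number of simultaneously infected hosts
    alarm_tick: Optional[int]  # first tick with new infections >= alarm_rate, or None


def simulate(beta: float,
             alarm_rate: float,
             population: int = 100_000,      # assumed host count
             seed_hosts: int = 10,           # assumed initial victims
             quiet_cleanup: float = 0.002,   # fraction of infected hosts cleaned per tick while unnoticed (assumed)
             loud_cleanup: float = 0.25,     # same, once a signature is out (assumed)
             max_ticks: int = 50_000) -> Outcome:
    """Run the model; report how long the worm lived and whether it tripped the alarm."""
    susceptible = float(population - seed_hosts)
    infected = float(seed_hosts)
    alarmed = False
    alarm_tick = None
    peak = infected

    for tick in range(1, max_ticks + 1):
        # Mass-action contact: each infected host reaches beta hosts per tick,
        # of which a fraction susceptible/population can still be infected.
        new_infections = min(beta * infected * susceptible / population, susceptible)
        cleaned = (loud_cleanup if alarmed else quiet_cleanup) * infected

        susceptible -= new_infections
        infected += new_infections - cleaned
        peak = max(peak, infected)

        # Being noisy is what earns a signature: the alarm fires on the *rate*
        # of new victims, not on the total number of hosts ever infected.
        if not alarmed and new_infections >= alarm_rate:
            alarmed = True
            alarm_tick = tick

        if infected < 1.0:
            return Outcome(tick, peak, alarm_tick)

    return Outcome(max_ticks, peak, alarm_tick)


def compare(fast_beta: float = 1.0, slow_beta: float = 0.01,
            alarm_rate: float = 1000.0) -> Tuple[Outcome, Outcome]:
    """Same population, same defenders; only the worm's contact rate differs."""
    return simulate(fast_beta, alarm_rate), simulate(slow_beta, alarm_rate)


if __name__ == "__main__":
    fast, slow = compare()
    for name, o in (("fast/loud", fast), ("slow/quiet", slow)):
        print(f"{name:11s} alarm at tick {o.alarm_tick}, peak {o.peak_infected:,.0f} hosts, "
              f"gone after {o.lifetime} ticks")
```

With the assumed parameters the fast worm crosses the alarm threshold within its first ten ticks and is cleaned out within a few dozen, while the slow one never produces enough new victims per tick to be noticed and outlives it by orders of magnitude. The ordering is the point the column makes about Nimda and Happy99; the magnitudes are artifacts of the chosen numbers, and the model ignores everything that makes real outbreaks messy (patching, heterogeneous hosts, multiple vectors).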

The trend towards speed seems to have begun with the 1999 Melissa virus, the first successful fast mass-mailing virus, and doubtless the inspiration for many of the others that have appeared since. Melissa marked a definite change in the mindset of virus writers. No longer were they interested in writing viruses intended to be successful through longevity; rather, the interest shifted to viruses that were successful in extremely rapid propagation, apparently without a care in the world about how quickly the antivirus and security world found the creation.

If one were to give in to paranoia, one might come to the conclusion that viruses such as Code Red and Nimda are mere experiments, performed with far more devious intentions in mind. The virus writers are simply testing the boundaries of our security perimeters, logging and using successful methods of propagation and characteristics, noting collateral effects for possible future exploits (for example, bringing down routers), and most importantly, learning from failures.

More likely, Code Red and Nimda are simply two more viruses we have to deal with. Interesting and new they certainly are, but probably not part of a grand conspiracy. Nimda may be the first to employ a combination of several known-successful virus characteristics and methods of propagation, but it will not be the last. It is simply the next level of competition between virus writers and antivirus and computer security specialists.

Nimda came and went. As is usually the case with viruses that make a big media splash, it will die more quickly than it would have if it had been a silent virus, slow to infect and difficult to detect through casual observation. Nimda will soon become just another memory.

Shane Coursen has worked in the field of antivirus research since 1992. He is currently CEO of WildList Organization International.


Copyright 2010, SecurityFocus