BlackWorm Peters Out

Advance warning takes the sting out of feared worm attack

It isn’t every day IT departments take their marching orders from malware authors, but Friday, Feb. 3, was one of them.

Last Friday, the BlackWorm virus (also known as Nyxem, MyWife, Kama Sutra, and sundry other names) went off.  BlackWorm was designed to disable anti-virus software, install back doors on infected systems, and overwrite 11 types of data files -- including all the major Office formats -- on the third of each month.

But the attack largely fizzled, with scattered reports of minor damage around the world. First detected by anti-virus firms in mid-January, BlackWorm gave enterprises plenty of time to update their virus signatures, run full scans, and lock down their networks.

IT managers we contacted had the matter well in hand. Ian Marlow, CIO/COO of commercial realty firm The Gale Group said six of his firm’s 700 machines were infected, but they were detected and treated early. Others we contacted had seen no outbreaks at all.

At its height, BlackWorm infected an estimated 600,000 machines, according to managed security services firm LUHRQ. But fewer than 100,000 of those were in the United States, and more than three-quarters of those infections were limited to a single enterprise, said Joe Stewart, senior security researcher at LUHRQ.

Unlike most modern malware, which relies on stealth, BlackWorm made no secret of its presence or intent. It even accessed a Web counter to keep tabs on the number of machines infected. 

“The last time we had such advance warning was with the Michelangelo virus [in 1992], but back then people were running around wondering what to do,” said John Pironti, principal security consultant at Unisys. “This time I’ve been impressed by the number of our clients taking a proactive approach to the problem. It was almost a proof of concept virus, a ‘Let’s see what happens if you give people all the time in world to prepare’ attack.”

BlackWorm’s modus operandi wasn’t especially original. The malware had to slip past an enterprise’s spam and virus filters, then induce users to open an attachment typically claiming to be pornographic. Greg Toto, vice president of product management at enterprise security vendor BigFix, said the threat served as a wake-up call for enterprises, reminding them to not only keep their anti-virus software up to date but also to scan backups, shut down file sharing for users who don’t need it, keep rogue mobile devices from infecting the network, and educate users that they shouldn’t blindly open attachments, no matter how enticing.

However, home users and small businesses, who are less likely to have strict anti-virus procedures or security policies, may still be at risk, warns Mikko Hypponen, chief research officer of security software vendor F-Secure in Helsinki, Finland.  Reports of individual users nailed by the virus were beginning to trickle in at press time.

In any case, those who escaped BlackWorm’s wrath this time may get a chance to do it all over again on March 3, when the malware is scheduled to reawaken.


Copyright © 2006 IDG Communications, Inc.