The End of the Worm Era

[DakX]

The End of the Worm Era

Atleast according to this article [1]

The article is about the fact that we seem to be getting less serious outbrakes of worms. Example of things that help these are given, Microsoft's Malicious Software Removal Tool and even an NAT router.


The whole article:
[1]:http://www.eweek.com/article2/0,1759...129TX1K0000614]
-----------------

I posted this because I wanted to know your oppinions. Do you think conventional and IM worms are dying out?
And above all do you think this is a good think or do you worry (like me) that "They " will find/make new, even more distructable programs?

Looking forward to reply's, DakX

[skiddieleet]

He's just trying to jinx it so he can make more money cleaning pc's of malware. :P

[cdkj]

No the worms aren't dying out and never will their just keeping the third party companys happy :P

[morganlefay]

Makes you wonder whos creating them...and the FUD that goes with it

MLF

[nihil]

"Lies, damn lies, and statistics"

There is general agreement in the industry that malware authors have turned into a "for profit" enterprise. Gone are the days of wiping out half the internet for the hell of it and the bragging rights.

Now, if you can infect half the globe with a worm, you cannot rip them all off because there are too many, and the scale of your activity makes it immediately apparent.

Similarly, decent sized corporations do not make good victims because you cannot get the money out............... they have other financial controls to prevent this.

Basically, I believe that victims have to be individuals, so attacks are being conducted at the individual level.

The problem with individual level, small scale attacks is they never get reported, so they don't figure in the statistics.

I do not think that there is enough solid evidence to say that the worm is dying out. After all, it is only a propagation mechanism?.............. I think that the way that these mechanisms are being used has changed, such that many incidents never get reported?

Most of these statistics come from mail providers and large corporations, and they report the ones that they have caught. Also data comes from AV companies on the number of incidents cleaned. Not a lot of data is collected at the private/SOHO level which is where the action seems to be these days?

I am yet to be convinced that this is a true trend, rather than an "artifact" of the statistics and their collection process.

It is true that anti-malware products improve over time, but you should also remember that user awareness is improving as well (albeit painfully slowly at times). Perhaps this has helped to reduce the effectiveness of a "shotgun" approach............... that does not mean that the actual attack vector has declined in significance.

Just my £0.02

[ByTeWrangler]

Greeting's


Not really : http://isc.sans.org/diary.php?storyid=1660

[HTRegz]

Hey Hey,

I'd have to say that I think everyone is right... and everyone is wrong..(Obviously I'm the only one that can be completely correct ).

Everyone's comments have been, "There's no worm for MS06-040.". ByTeWrangler has posted a link to ISC (btw in the future could you add a litle detail to your actual posts ... if I hadn't already read the post I'd have had no idea why you were referencing it ) where they talk about how we are NOW seeing worms for it... I still consider the original MocBot to be a worm... I'm the only one that thinks that... but it's my belief..

Both the Free On-line Computing Dictionary and the Jargon File give this definition of worm:

A program that propagates itself over a network, reproducing itself as it goes

Most people would agree with that... I also agree... MocBot was given a range of IP Addresses, it then scanned those addresses for infected machines, propagated inself over a network and reproduced itself on the victim machine... That seems like a worm to me... The only difference was that its targets were picked instead of it being a random process. But this is all beside the point... "Real" worms are now circulating..

However I think that Larry Seltzer has some valid points... We'll see bad worms again... however, I don't feel they'll compare to some previous worms.. Even this new MS06-040 worm... it won't be as bad as previous worms..

People are more aware these days... after Nimda, Sasser, Code Red and Slammer... IT people keep an eye on what's going on... they patch more frequently, etc...

For home users.. well things like Code Red and Slammer affected very few home users... and Larry talks about NAT helping out... but I don't think Larry realizes just how many people use their DMZ because their game goes to slow... or bit torrent doesn't download fast enough.. Still Sasser wouldn't affect 75% of home users in North America today... I'm guessing it's partially true around the world... MS06-040 won't affect that same number of people..... At some point do a port scan across your external subnet for 139 and 445 (Although I don't condone this as your ISP will most likely turn you off because they'll think you're infected) but ISPs are getting smarter... They turn off infected machines.. My sister took her PC online without updating first... she was shut down that night... The other thing is that more and more ISPs are filtering ports 139 and 445... which means the next BIG worm will have to be for IIS, SQL, VMWare Server, Exchange... some sort of server... and most homes won't have that running..

So.... the title of Larry's article is "The End of the Worm Era"... I'd say that's accurate... Worms.. while still a concern and a threat... are not the biggest issue out there... Perhaps a title that would have summbed it up better (but that he didn't use because he only addresses the end fo the worm era) wold have been "The End of the Worm Era and the Start of the (Phishing|Malware|Cyber Scam|Identity Theft) Era"... So it's "The end of the Worm Era"... not "The end of the worm"... That makes a big difference... One is very true... the other is an outright lie.

Peace,
HT

[codelogman]

in agreement to nihil, the AV "industry" need food, need pay takes and employees.

where they i supose the "instant" worms appear?

the same AV enterprises free those codes on the net for make a "logical hoax" for the real damage in the virus factoring.

i say, when a independient virus writter it sends a worm, that enterprises it found in a serios troubles because "they don't have the antivirus code" then offer 500,000 for reward to who expose an a virus (virus/worms) authors.. it is very funny, how the "industry works", is very dissapointing how the falsehood of the big corporations consume also this piece of systems evolution...

The people today must know how his systems are really protected (windows backdoor intalled sucesfull...."windows finalize for updates!!")

is my personal opinion about that.


AzRaEL
[NuKE]

[nihil]

Everyone's comments have been, "There's no worm for MS06-040.".

Where in my post was that stated, or even implied?...................... crap I can tolerate, inaccurate crap I chose not to, so please read all posts carefully before responding?

"The End of the Worm Era and the Start of the (Phishing|Malware|Cyber Scam|Identity Theft) Era"... So it's "The end of the Worm Era"... not "The end of the worm"... That makes a big difference... One is very true... the other is an outright lie.

Now that I do agree with, 100%

[HTRegz]

Originally posted here by nihil
Where in my post was that stated, or even implied?...................... crap I can tolerate, inaccurate crap I chose not to, so please read all posts carefully before responding?

Sorry, I suppose I should have explained better... It goes with my next statement about mocbot.... the everyone refers to a more global sense of IT blogs and IT News sites... not necessarily the posts here..
http://searchsecurity.techtarget.com...211364,00.html <-- this for example
http://episteme.ca/cblog/index.php?/...rreaction.html <-- Response to the above statement.

Peace,
HT