The biggest storm in F-Secure's "Storm Worm" is a FUD storm


I arrived at work this morning to find a slew of news reports describing a new, supposedly large-scale threat dubbed the Storm Worm. According to one of these reports, this worm has infected hundreds of thousands of people, adding its unknowing victims to a malicious bot net. But how significant is this threat? Many articles [ 1 / 2 ] make it sound pretty widespread and especially scary. Is it really?

These news articles are all based on reports from F-Secure, which provided a press release, some blog entries [ 1 / 2 ], and some statements from F-Secure's Head of Research, Mikko Hypponen. F-Secure warns of a "significant" spam attack that started early Friday morning, January 19. According to their reports, this significant spam attack arrives with a subject line of "230 dead as storm batters Europe" and contains a trojan horse attachment named Read More.exe. If you launch the malicious attachment, the trojan zombifies your computer, adding it to some attacker's malicious bot net. Apparently, this spam author hopes that his timely "European storm" hook will lure many unsuspecting victims into launching his trojan.

After I did a little digging with some other antivirus (AV) companies, it looks like the media -- and perhaps F-Secure -- have over-hyped this "Storm Worm." According to Symantec and McAfee, this spammed trojan poses a very low risk. In fact, McAfee specifically rates it "low-profiled," which means it hasn't really affected many people. Furthermore, the media and F-Secure have represented the threat inaccurately. First, they keep calling it a worm when it is a trojan. It doesn't spread on its own. Second, they mostly concentrate on its storm-related subject. However, the spam actually uses a variety of subject lines.

So what's the big deal? The big deal is this type of FUD doesn't help the poor security administrators struggling to keep their networks safe. It screws up prioritization, causing those administrators to focus on relatively minor issues when they have much bigger risks to combat.

Furthermore, this sort of quick-spreading hype always seems to promote misinformation. By focusing on the European storm subject line, these articles might cause administrators to miss the five other subject lines this threat uses (which, incidentally, have nothing to do with a storm). If the media and security vendors such as F-Secure really want to help keep us all secure, they should stick to warning about the truly dangerous issues and not just those with the most striking headlines.

But the Storm Worm is still receiving a lot of media attention. Must be a slow news day or something.

Corey Nachreiner, CISSP



Copyright © 2007 WatchGuard® Technologies, Inc.

Linked by shanmuga Friday, 19th January 2007 11:26PM