BlackWorm stats

BlackWorm aka BlueWorm aka Nyxem aka Grew aka Kapser aka Blackmal aka Tearec aka MyWife is making some noise this week. It’s just another in a long line of relatively uninteresting VB worms – why are so many people clicking on it? How do we know how many people are actually clicking? BlackWorm logs each infection to a webstats counter. Last time I checked it was over 453,000 users infected. A variant from 2004 made it to 920,000 infections, so clearly plenty of people are still willing to click on whatever attachment they are sent.

The one thing that can stop these worms is user education. That’s certainly a point of contention with many people, who claim that users at a certain level simply can’t be educated. That’s probably because we’ve taken the wrong approach to user education. Providing information is not education. Education is sticking your bare hand on a hot stove. The problem with viruses is that plenty of users are sticking their hands on a hot stove but don’t realize it’s hot – so the education doesn’t occur.

We’ve all heard the anecdotal story about the BOFH network admin who periodically sends his users executable attachments, warns them not to click on them, and then some form of public humiliation/punishment ensues when a user clicks anyway. We need to be doing way more of that. For example, instead of blocking executable attachments at the gateway, strip and replace the attachment with one of your own making. Something suitably humiliating. Is anyone already doing anything like this that they’d like to share?
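
The strip-and-replace gateway step described above, as an added example that is not from the original post: it swaps executable-named attachments for a plain-text notice using Python's standard `email` package. The blocked-extension list, the notice wording and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list; tune it for your own gateway policy.
BLOCKED_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
# Assumed notice wording.
NOTICE = ("The attachment '{name}' was removed by the mail gateway\n"
          "because it is an executable file type.\n")


def is_blocked(filename):
    """Judge by the final extension, so 'photo.jpg.scr' is caught."""
    name = (filename or "").lower().rstrip(". ")
    return name.endswith(BLOCKED_EXTS)


def strip_and_replace(raw_bytes):
    """Return (rewritten message bytes, filenames that were replaced)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    replaced = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if is_blocked(name):
            replaced.append(name)
            # set_content() clears the old payload and Content-* headers,
            # so none of the original bytes survive in this part.
            part.set_content(NOTICE.format(name=name), filename=name + ".txt")
    return msg.as_bytes(), replaced


def build_sample():
    """Constructed message: one executable-named and one harmless attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "photos"
    m.set_content("see attached\n")
    m.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                     subtype="octet-stream", filename="photo.jpg.scr")
    m.add_attachment("meeting notes\n", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    out, names = strip_and_replace(build_sample())
    print("replaced:", names)
    print(out.decode())
```

The returned list of replaced filenames is what a gateway would log, so the follow-up conversation with the recipient can be private.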

  • http://www.wueest.ch/dublin/ Candid

    I definitely like the idea of replacing the attachments with some joke. Might not be feasible on all occasions, but sure would give you some good laughs. Although you then might face the problem that some users click on the attachments just to see what you prepared for them.

    So in the end I think user education is important, but it will never be enough to solve the problem. Better lock down the system so that the damage is limited.

  • http://radcenter.blogspot.com Jim Voorhees

    The idea of replacing the executable with a benign attachment has some appeal as an educational tool. It might even help. But public humiliation should be avoided. For one, it could get you fired (try humiliating senior management or the friends of senior management). For another, it is simply the wrong way to deal with mature people who, despite their propensity for errant clicking, may well be otherwise intelligent and responsible. A third reason is that simple mistakes are sometimes made – how many of us have never, ever done something security-stupid by mistake? A private chiding would be smarter and, with most people, more productive.

    One must ask how scalable that or any other approach to user education can be. If only 0.5 percent of an organization of 10,000 needs to be educated privately, that still translates to 50 conversations, which can eat up a huge chunk of time.

    Of course, as has already been said, user education alone will never suffice. Patching and locking systems provide another layer of protection. In the longer term, only when the code is written to be secure will we be able to keep these problems to a minimum.

  • Drew

    What is the website with the counter? I’ve been looking all over.

  • http://www.security-protocols.com Tom Ferris

    Nice joke, way too much time on your hands. ;)

  • http://www.joestewart.org/ joe

    Heh, glad someone realized I wasn’t totally serious. But, if you want some more useful information, see my later post:
    http://blogs.securiteam.com/index.php/archives/243

  • http://www.soultalkstories.com Roger King

    Any suggestions on what antivirus programs should be used?
    Thanks

  • sunshine

    The same one I suggested when you asked this elsewhere:
    http://blogs.securiteam.com/index.php/archives/241

  • sunshine

    There is a users’ FAQ posted here:
    http://blogs.securiteam.com/?p=260