
Who cared about Peacomm?

Earlier this month the Internet saw a newsworthy Trojan called Peacomm. It spurred gasping headlines such as “Storm Worm hits 1.6 million PCs” and “Storm worm still on botnet-building patch” and “Storm virus gathers pace”. I got a request to do a press interview on this Trojan. My response was, no kidding, a large laugh out loud. Why would I take such a quixotic view? The virus just wasn’t a contending threat to enterprise networks. The threat delivered itself in a spam email as an .exe attachment. I can’t think of a single enterprise where this wouldn’t be automatically caught.

After the press frenzy dwindled I had a chance to do some more research. I wanted to find the answer to why this Trojan got so much attention. It turns out that since all of our antivirus vendors have yet to adopt a standard risk metric, it takes but one vendor to make a virus newsworthy. I might also note that just one of the major AV vendors distinguishes threats differently for enterprises and consumers. Here is a recap of how AV vendors classified the Peacomm Trojan:

Symantec
Name: Trojan.Peacomm
Severity: 3
Severity ratings are given as 0 to 5 bars

TrendMicro
Name: TROJ_SMALL.DSI
Overall Risk Rating: Low
Risk ratings can be: Very Low, Low, Medium, High

F-Secure
Name: Small.DAM
Radar Alert: Level 2
Radar Alerts include: None, Level 3, Level 2, Level 1 where Level 1 is a “Worldwide epidemic of a serious new virus”

McAfee
Name: Downloaders-BAI!M711
Corporate User: Low-Profiled
Home User: Low-Profiled
Risk levels can be: Low, Medium, High, Critical

Sophos
Name: Troj/Dorf-Fam
Prevalence: High
Note: Sophos uses a prevalence rating, not really a risk rating.


For the most part the AV teams did rate this as a rather low threat. I really haven’t determined why this Trojan garnered so much news. Though, I did learn 2 things:

1) The rating systems among vendors for AV threats are a learning experience in themselves.
2) Only one of the vendors, McAfee, specifically provides separate ratings for corporate and home users.

So what’s the point? The point is, don’t trust a media frenzy to make a risk assessment. You’ll have to do that on your own. When it comes to determining the risk of a virus, you’ll have to decide to rely on a single vendor, or try to make heads or tails of the varying metrics provided. Hrmm, sounds like AV risk assessments are just like all other risk assessments.
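
One way to line the ratings quoted above up on a single scale, as an added example that is not from the original post or from any vendor. It assumes the levels within each vendor's scale are evenly spaced and that McAfee's "-Profiled" suffix does not change the risk level; the function and variable names are made up for illustration.

```python
# Added example: normalize the vendor ratings quoted in the post to a 0..1 scale.
# Assumption: levels within one vendor's scale are evenly spaced (ordinal position only).
from statistics import median

# Scales as listed in the post, ordered from least to most severe.
SCALES = {
    "Symantec": [0, 1, 2, 3, 4, 5],                         # 0 to 5 bars
    "TrendMicro": ["Very Low", "Low", "Medium", "High"],
    "F-Secure": ["None", "Level 3", "Level 2", "Level 1"],  # Level 1 is the worst
    "McAfee": ["Low", "Medium", "High", "Critical"],
}

# Ratings the post reports for Peacomm. Sophos is left out because its
# "Prevalence: High" is a prevalence rating, not a risk rating.
PEACOMM = [
    ("Symantec", "all", 3),
    ("TrendMicro", "all", "Low"),
    ("F-Secure", "all", "Level 2"),
    ("McAfee", "corporate", "Low-Profiled"),
    ("McAfee", "home", "Low-Profiled"),
]

def normalize(vendor, rating):
    """Return the rating's position on the vendor's scale as a float in [0, 1]."""
    scale = SCALES[vendor]
    if isinstance(rating, str) and rating.endswith("-Profiled"):
        # Assumption: the "-Profiled" suffix does not change the risk level itself.
        rating = rating[: -len("-Profiled")]
    if rating not in scale:
        raise ValueError(f"{rating!r} is not on the {vendor} scale")
    return scale.index(rating) / (len(scale) - 1)

def summarize(ratings, audience):
    """Normalized score per vendor for one audience, plus median and spread."""
    scores = {v: normalize(v, r) for v, a, r in ratings if a in ("all", audience)}
    values = list(scores.values())
    return scores, median(values), max(values) - min(values)

if __name__ == "__main__":
    for audience in ("corporate", "home"):
        scores, mid, spread = summarize(PEACOMM, audience)
        print(audience, {v: round(s, 2) for v, s in scores.items()},
              f"median={mid:.2f} spread={spread:.2f}")
```

Even after normalization the four risk ratings for the same Trojan land between 0.0 and 0.67, so a common scale makes the disagreement visible rather than removing it.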


Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for setting and enforcing the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department. He is a Certified Information Systems Security Professional (CISSP).

About

This page contains a single entry from the blog posted on January 31, 2007 10:49 AM.
