Kama Sutra Worm Flummoxes Experts


The year's worst worm is either growing stronger or getting weaker, said security vendors Monday as they couldn't reach agreement on how Kama Sutra -- just one of the names tagged to the malicious code -- is affecting users.

Finnish security firm F-Secure, which first spotted a trigger in the worm that will corrupt a wide range of document file formats on infected PCs starting Feb. 3, said Monday that the worm was still gaining ground.

"It's still climbing," said Mikko Hypponen, the chief research officer of the Helsinki-based company. "It's not the worst we've seen, but the infection is sizable."

Wrong, argued Alfred Huger of Symantec. "We think it's peaked," he said Monday. "It looks now like [its rate of propagation] is coming back down." Saturday, for instance, Symantec recorded a large drop in the number of Kama Sutra submissions to its global network; submissions spiked early Monday, but then fell off again later in the day.

Hypponen and Huger agreed on several things, however, including that the worm was dangerous, 2006's biggest attack so far, and could wreak havoc come Feb. 3, when it's scheduled to overwrite data in several Microsoft and Adobe document formats with a useless text string.

"Unlike most other [worms], this one is really destructive," said Hypponen. For some reason, he went on, the author of Kama Sutra turned back the clock to the days when viruses and worms deleted files or erased hard drives. For some time, that destructive strategy has been passé; hackers have realized they can make money off compromised machines, so harming the computer makes no sense, and only attracts attention.

"This has to be a hobbyist," said Hypponen, using the term to describe an old-school hacker who writes malicious code for kicks and notoriety, not for profit. "If it's a professional, why would they do this?"

"There's obviously an ego here that needs to be satisfied," said Huger.

One of the oddities of the worm is that the numbers of infected PCs can be easily gauged; each compromised computer trips a counter on a Web site. Both F-Secure and Symantec have monitored the site and its counter.

"On Friday the counter was at 270,000," said Hypponen, "but early Monday, it was at 680,000. That's 400,000 PCs that have been infected in one weekend."

Updated anti-virus software should detect and delete the worm, but users not running an AV program can download several free tools that sniff through a system, and delete the worm if it's spotted. Symantec, for instance, offers a detector here.