Klez continues, the long tail

Klez appeared in October 2001. Six months later, the worm continues to circulate at substantial volume. The long tail of malware persistence is becoming a structural feature of the threat landscape worth writing about.

What I am observing

From my mail relay and from operators I correspond with:

  • Klez-pattern email continues to arrive at roughly 5-10% of pre-cleanup volumes.
  • The variants have multiplied — at least 8 distinct Klez variants are in circulation.
  • The compromised-host pool that produces Klez traffic has shrunk but not by much. Estimated at hundreds of thousands of hosts globally still infected.
  • Antivirus signatures for the original Klez variants are universal; new variants continue to evade until the next signature update.

This is not unique to Klez. Code Red residuals continue. Nimda residuals continue. The internet's malware-noise floor has stepped up and is staying up.

What this means

Two things.

Cleanup is incomplete by default. Most operators do not fully clean compromised hosts, so the residual infections continue. The economic incentive to clean fully is weaker than the economic cost of doing so. The result is permanent residual infection.

Defensive infrastructure has to assume permanent malware presence. The model where worms came and went is being replaced by a model where worms come, leave a residual population, and continue to exist as background noise. Defensive disciplines need to assume this.

What operators should do

For mail relays: continue aggressive filtering. The ongoing Klez traffic is part of the baseline; filter accordingly.

For any compromised host: complete cleanup is essential. Reinstalling from clean media is the only fully reliable approach. Partial cleanup leaves residual capability that contributes to the persistent population.

For any operator: account for the elevated baseline in capacity planning. The mail volumes, the scan rates, the alert volumes are all permanently higher than 2000 levels.

More as the year develops.