MyDoom Lessons: Failures of Education, Antivirus Vendors

By Larry Seltzer  |  Posted 2004-01-28

How could a worm as pathetic as MyDoom have spread so far and so fast? Perhaps it's the moment to examine the key failures behind MyDoom's success: the failure of user education on prevention and the poor response from antivirus vendors.

When the Bagle worm hit a couple of weeks ago I couldn't believe my eyes. How could so many people fall for an attack that was so obviously yet another computer worm? My incredulity was premature, as the arrival of the MyDoom worm blew Bagle away this week. By Tuesday morning, less than 24 hours after I received my first copy of MyDoom, MessageLabs Inc. said that it had intercepted over 450,000 copies, more than Sobig.F in a similar period. Other security companies threw similar numbers at me.

It's worth noting that these numbers don't tell us anything definitive about the number of systems infected with the worm; a relatively small number of systems could be sending out all the messages. But, without getting too quantitative, the number of infected systems is likely to be roughly proportional to the number of people receiving infected messages, since the worm spreads by harvesting addresses off people's computers: the more infections, the more addresses it has to spread to.

How, in this day and age, could this happen? The answer, I'm sad to say, is that the main pillars on which our security efforts stand have failed: user education and antivirus companies.

Our still-painful experience with Bagle and MyDoom has satisfied me that user education will never be effective enough to stop users from spreading even the most blatant of attacks. The sorry truth is that people fall very easily for social engineering attacks. The problem has nothing at all to do with Windows; if end users were running Linux or anything else, it's clear that an e-mail message could persuade them to follow whatever steps were necessary to compromise their systems.

User education has proved a failure. Sure, it's better to have educated users than uneducated ones, and it's worth continuing to drill the details, if only to give individuals a chance to protect themselves. However, IT managers must assume that their clients are dumber than dirt about this antivirus stuff and will run whatever executable code strangers send them. Worse, one vendor told me today that whenever one of these attacks happens, a number of people intentionally run the virus, knowing it's a virus, just to see what happens. This must be the digital equivalent of a kid wondering what happens when he or she sticks a finger in an electrical socket.

While I considered MyDoom somewhat pathetic at the start, others, such as David Perry, Trend Micro's global director of education, found it almost clever. In our discussion on the subject, Perry pointed out that the worm's social engineering was clever in an ironic way. MyDoom's message was made to look something like a bounce message, the sort of thing that real novices might open but that would also pique the curiosity of more sophisticated users. Perry also said that the initial seeding of the worm targeted corporate users, rather than the typical porno-newsgroup crowd. ("Seeding" refers to the initial distribution of the worm, probably done by the author himself.) This seeding could explain why I received a copy so early, and perhaps why the antivirus companies were caught so off guard.
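The two points above, that users will run whatever executable arrives and that the lure was dressed up as a delivery-failure notice, suggest the check a mail gateway should make regardless of what the user does. The following is an added example, not code from this column or from any vendor named in it: it parses a message, flags the bounce-style lure, and blocks any executable attachment, including one wrapped in a zip archive. The sample messages are constructed for illustration, and the bounce phrases and executable extension list are assumptions, not details taken from the worm.

```python
"""Gateway check for executable attachments hiding behind a bounce-style lure.

Added example; not code from the eWeek column. Sample messages are constructed
for illustration, and the bounce-phrase and extension lists are assumptions.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File types Windows will run when a user double-clicks them (assumed list).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}

# Phrases a fake delivery-failure notice tends to use (assumed, constructed for the example).
BOUNCE_SUBJECT_RE = re.compile(
    r"(mail (delivery|transaction) (failed|system)|returned mail|undeliverable|"
    r"delivery (failure|status))", re.I)
BOUNCE_SENDER_RE = re.compile(r"^(mailer-daemon|postmaster|mail delivery)", re.I)


def _ext(name: str) -> str:
    """Lower-cased extension of a file name, including the dot ('' if none)."""
    name = name.lower().strip()
    return name[name.rfind("."):] if "." in name else ""


def executable_names(part) -> list:
    """Names of executable files in one attachment part, looking one level into zip archives."""
    name = part.get_filename() or ""
    if _ext(name) in EXECUTABLE_EXTS:
        return [name]
    payload = part.get_payload(decode=True) or b""
    if _ext(name) == ".zip" or payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [f"{name}:{n}" for n in zf.namelist() if _ext(n) in EXECUTABLE_EXTS]
        except zipfile.BadZipFile:
            return []
    return []


def classify_message(raw: bytes) -> dict:
    """Return the gateway verdict for one RFC 822 message.

    Policy (the column's advice): executable content is blocked no matter who the
    sender appears to be. The bounce-lure flag is recorded so analysts can see the
    social-engineering pattern, but a genuine bounce without executables is delivered.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = msg.get("Subject", "")
    sender = msg.get("From", "")
    lure = bool(BOUNCE_SUBJECT_RE.search(subject) or BOUNCE_SENDER_RE.search(sender))
    execs = []
    for part in msg.iter_attachments():
        execs.extend(executable_names(part))
    verdict = "block" if execs else "deliver"
    return {"bounce_lure": lure, "executables": execs, "verdict": verdict}


def _build(subject, sender, attachments):
    """Constructed sample message (not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("The message could not be delivered. See attachment.")
    for fname, data, maintype, subtype in attachments:
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=fname)
    return m.as_bytes()


def _zip_with(inner_name: str, data: bytes) -> bytes:
    """Constructed zip archive holding a single file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


# Constructed samples: a bounce-style lure with a zip hiding a .pif, a genuine-looking
# bounce with text only, and an ordinary message with a document attached.
LURE = _build("Mail Delivery System", "postmaster@example.com",
              [("message.zip", _zip_with("message.pif", b"MZ fake"), "application", "zip")])
REAL_BOUNCE = _build("Undeliverable: hello", "MAILER-DAEMON@example.com", [])
NORMAL = _build("Q1 report", "alice@example.com",
                [("report.pdf", b"%PDF-1.4 fake", "application", "pdf")])

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("bounce", REAL_BOUNCE), ("normal", NORMAL)):
        print(label, classify_message(raw))
```

The lure is blocked because of the executable inside the archive, not because of the subject line; the real bounce carries the same lure flag but is delivered, which is the distinction a gateway has to make if it is not to drop legitimate delivery-status notices.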

I also applaud Thor Larholm, senior security researcher at PivX Solutions, who emphasized the backdoor code included in the worm. News coverage later in the day on Tuesday tended to emphasize the denial-of-service attack against SCO, because it's a sexy story full of outrage. However, as Thor observed, the bigger problem for the Internet could easily turn out to be the open TCP proxy MyDoom installed on potentially millions of systems. Over time, if we don't find a way to stop it, this aspect could turn out to be disastrous.

Next page: The Failure of Antivirus Companies and the Solution to the Problem

Larry Seltzer has been writing software for, and English about, computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
