The Failure of Antivirus

By Larry Seltzer  |  Posted 2004-01-28 Print this article Print

and the Solution to the Problem"> Another main disappointment from the MyDoom episode is the failure of the anti-virus community to respond in time. Perhaps, the initial distribution of the worm might have confused them. I kept an eye out for Symantecs update from the time when I got my first copy. Something showed up on Norton Antivirus LiveUpdate around 3.5 hours later, but it didnt properly install. It wasnt until about 8:30 PM EST, more than five hours after my receipt, before a functional Norton update was available.
Thereafter, I checked the Web sites of other major antivirus companies through the day; some of them did better, but not that much better. By the time protection was available, this worm was widespread.
In addition, I tested three scanners and none of them detected the worm heuristically, although I got a press release from GFI Software Ltd. indicating that their gateway-level Trojan scanner did block MyDoom from the outset. At the same time, some administrators go to the extent of blocking ZIP files at the gateway as a regular practice.

There is an answer to the worm problem, and its a bit of a surprise: SMTP authentication. Designed largely to combat spam, it involves a modification to the SMTP protocol to allow servers to confirm that a message purporting to come from a particular server in fact does come from that server. Ive identified 9 proposals so far for SMTP authentication; a couple weeks ago I wrote about Yahoos Domain Keys proposal, and AOL recently began supporting Sender Permitted From (a k a SPF), which is the method furthest along in development and deployment.

Turns out that SMTP authentication would also stop worms like MyDoom and Sobig in their tracks. All the modern, successful mail worms incorporate their own SMTP servers, mostly for performance reasons but also because its the only reliable way for them to send mail. At the same time, most mail clients, including any version of Microsoft Outlook or Outlook Express for the last several years, blocks programmatic access to the mail client without explicit user permission. So when the worm sends the message with spoofed addresses the receiving mail server will quickly block them. A worm author will avoid a legitimate address because it could be traced back to the source quickly. Or if the address turns out to be someone elses, it would be shut down easily.

This approach would do more than stop the mass-outbreaks from worms like MyDoom. In the world, there are a large number of worms that have become endemic, such as Welchia and Sobig. Although these worms are past their heyday, there are still lots of copies out there, and SMTP authentication would stop them from spreading further. However, it would not disinfect systems or stop the worms from then-fruitless attempts to spread themselves.

Analysts Ive spoken to about SMTP authentication reminded me that e-mail is just one avenue of infection, and they seem convinced that if mail is shut down another route will open up quickly. But Im not so sure. E-mail is a unique method of infection, as it is the one Internet application everyone uses. The virus problem was a hassle before e-mail worms, but their arrival made it a crisis. I wonder if anything as useful will ever come along again.

I urge the quick adoption of SMTP authentication, in one form or another. If we dont do it, e-mail will be ruined in the next couple of years as our inboxes are completely taken over by the spammers. But worm prevention is almost as good a reason to move quickly.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Be sure to check out eWEEK.coms Security Center at for the latest security news, views and analysis.

More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel