MyDoom Lessons: Failures of Education, Antivirus Vendors

Another main disappointment from the MyDoom episode is the failure of the anti-virus community to respond in time.

Perhaps, the initial distribution of the worm might have confused them. I kept an eye out for Symantecs update from the time when I got my first copy. Something showed up on Norton Antivirus LiveUpdate around 3.5 hours later, but it didnt properly install. It wasnt until about 8:30 PM EST, more than five hours after my receipt, before a functional Norton update was available.

Thereafter, I checked the Web sites of other major antivirus companies through the day; some of them did better, but not that much better. By the time protection was available, this worm was widespread.

In addition, I tested three scanners and none of them detected the worm heuristically, although I got a press release from GFI Software Ltd. indicating that their gateway-level Trojan scanner did block MyDoom from the outset. At the same time, some administrators go to the extent of blocking ZIP files at the gateway as a regular practice.

There is an answer to the worm problem, and its a bit of a surprise: SMTP authentication. Designed largely to combat spam, it involves a modification to the SMTP protocol to allow servers to confirm that a message purporting to come from a particular server in fact does come from that server. Ive identified 9 proposals so far for SMTP authentication; a couple weeks ago I wrote about Yahoos Domain Keys proposal, and AOL recently began supporting Sender Permitted From (a k a SPF), which is the method furthest along in development and deployment.

Turns out that SMTP authentication would also stop worms like MyDoom and Sobig in their tracks. All the modern, successful mail worms incorporate their own SMTP servers, mostly for performance reasons but also because its the only reliable way for them to send mail. At the same time, most mail clients, including any version of Microsoft Outlook or Outlook Express for the last several years, blocks programmatic access to the mail client without explicit user permission. So when the worm sends the message with spoofed addresses the receiving mail server will quickly block them. A worm author will avoid a legitimate address because it could be traced back to the source quickly. Or if the address turns out to be someone elses, it would be shut down easily.

This approach would do more than stop the mass-outbreaks from worms like MyDoom. In the world, there are a large number of worms that have become endemic, such as Welchia and Sobig. Although these worms are past their heyday, there are still lots of copies out there, and SMTP authentication would stop them from spreading further. However, it would not disinfect systems or stop the worms from then-fruitless attempts to spread themselves.

Analysts Ive spoken to about SMTP authentication reminded me that e-mail is just one avenue of infection, and they seem convinced that if mail is shut down another route will open up quickly. But Im not so sure.

E-mail is a unique method of infection, as it is the one Internet application everyone uses. The virus problem was a hassle before e-mail worms, but their arrival made it a crisis. I wonder if anything as useful will ever come along again.

I urge the quick adoption of SMTP authentication, in one form or another. If we dont do it, e-mail will be ruined in the next couple of years as our inboxes are completely taken over by the spammers. But worm prevention is almost as good a reason to move quickly.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Be sure to check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, views and analysis.

More from Larry Seltzer