The End of the Mass-Mailer Worm Era

By Larry Seltzer  |  Posted 2004-06-07 Print this article Print

It could be that conventional mass-mailer worms have seen their best days. They certainly seem to be in decline and the future is unpromising.

I remember resisting the urge to admire the author of Melissa, the first of the mass-mailer worms. It wasnt even all that mass a mailer, since it only mailed itself to the first 50 entries in the users address book. But there was something clever about the way the worm self-propagated through what we had thought was a safe medium, e-mail. Seems so long ago. Since then, mass-mailer worms have undergone a variety of technical innovations and encountered a variety of countermeasures. But really, after the first one it should have been possible to tell any of them just by looking at them.

But even if there are people who will never learn their lesson about these things, the era of the mass-mailer worm is coming to a close. Enough people do know not to spread them, and the countermeasures are becoming formidable, especially as more and more users get relatively up to date in their software and security patches.

Consider the things that have to be wrong in order for you to spread a worm (depending on the techniques used by the worm):
  • You need to have very old e-mail software that allows executable attachments; this means no Microsoft clients or patches of clients from the last 3 years.
  • Neither you nor your ISP can have remotely up-to-date anti-virus software.
  • You cant have a firewall (any decent firewall would stop the worm from sending mail).
  • Worst of all, youre a user of one of the public P2P networks like KaZaA.

Just the other day Kaspersky Labs wrote up a dire warning about the new Plexus.a worm that combines the usual mail and network share infection routes with exploits of the LSASS and DCOM vulnerabilities. Given that multiple individual worms exist that use these techniques individually, I fail to see why one worm that uses multiples of them is anything new to be scared of.

Mind you, Im much more concerned about the actual network worms like Sasser and Blaster. Its been easy to defend yourself against these attacks, but you do have to stay on top of things enough to apply critical patches or use a firewall intelligently. Actual mail worms have a much harder time getting through.

And its only going to get harder for these worms. As Ive written before, some form of SMTP authentication is coming, and one thing it is likely to do is to kill off the existing generation of mail worms, which should no longer even reach the destination mail server. Its conceivable that worm authors could employ new techniques to get their messages authenticated, but it still wont be the same for them. With no spoofing, it will be easier to track them down and alert infected users.

For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog. In the last few months there have been two families of mail worms that have had any real impact, Netsky and Bagle. We know why there have been no new Netsky variants for many weeks —the author got busted. Turns out he was the same guy who wrote Sasser, also dead in its tracks. Theres a rumor that the person who turned him in was the Bagle author, which might explain why there havent been any new Bagle variants for about as long.

Next page: Wheres the innovation?

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel