MyDoom Lessons: Failures of Education, Antivirus Vendors

How could a worm as pathetic as MyDoom have spread so far and so fast? Perhaps it's the moment to examine the key failures behind MyDoom's success: the failure of user education on prevention and the poor response from antivirus vendors.

When the Bagle worm hit a couple weeks ago I couldnt believe my eyes. How could so many people fall for an attack that was so obviously yet another computer worm? My incredulity was premature, as the arrival of the MyDoom worm blew Bagle away this week.

By Tuesday morning, less than 24 hours after I received my first copy of MyDoom, MessageLabs Inc. said that it had intercepted over 450,000 copies, more than Sobig.F in a similar period. Other security companies threw similar numbers at me.

Now, its worth noting these numbers dont really say anything definitive to us about the number of systems infected with the worm. There could be a relatively small number of systems sending out all the messages. But, without getting too quantitative, its likely that the number of infected systems is roughly proportional to the number of people receiving infected messages, since the worm spreads by harvesting addresses off peoples computers, and the more infections the more addresses to which it will spread.

How, in this day and age, could this happen? The answer, Im sad to say, is that the main pillars on which our security efforts stand have failed: user education and antivirus companies.

Our still-painful experience with Bagle and MyDoom have satisfied me that user education will never be effective enough to stop users from spreading even the most blatant of attacks.

The sorry truth is that people fall very easily for social engineering attacks. The problem has nothing at all to do with Windows; if end-users were running Linux or anything else, its clear that any e-mail message could persuade them into following whatever steps were necessary to compromise their systems.

User education has proved a failure. Sure, its better to have educated users than uneducated ones, and its worth continuing to try to drill the details, if only to give individuals a chance to protect themselves.

However, IT managers must assume that their clients are dumber than dirt about this antivirus stuff and will run whatever executable code strangers send them.

Worse, one vendor told me today that whenever one of these attacks happens a number of people intentionally run the virus—knowing its a virus—just to see what happens. This must be the digital equivalent of a kid wondering what happens when her or she puts their fingers in an electrical socket.


While I considered MyDoom somewhat pathetic at the start, others such as David Perry, Trend Micros global director of education, found it almost clever. In our discussion on the subject, Perry out that the worms social engineering was clever in an ironic way.

MyDooms message was made to look something like a bounce message, the sort of thing that real novices might open but that would pique the curiosity of more sophisticated users. Perry also said that the initial seeding of the worm targeted corporate users, rather than the typical porno-newsgroup crowd. ("Seeding" refers to the initial distribution of the worm, probably done by the author himself.) This seeding could explain why I received a copy so early, and perhaps why the antivirus companies were caught so off-guard.

I also applaud Thor Larholm, senior security researcher at PivX Solutions, who emphasized the backdoor code included in the worm. News coverage later in the day on Tuesday tended to emphasize the denial-of-service attack against SCO, because its a sexy story full of outrage. However, as Thor observed, the bigger problem for the Internet could easily turn out to be the open TCP proxy MyDoom installed on potentially millions of systems.

Over time, if we dont find a way to stop it, this aspect could turn out to be disastrous.

Next page: The Failure of Antivirus Companies and the Solution to the Problem