When the Bagle worm hit a couple weeks ago I couldnt believe my eyes. How could so many people fall for an attack that was so obviously yet another computer worm? My incredulity was premature, as the arrival of the MyDoom worm blew Bagle away this week.
By Tuesday morning, less than 24 hours after I received my first copy of MyDoom, MessageLabs Inc. said that it had intercepted over 450,000 copies, more than Sobig.F in a similar period. Other security companies threw similar numbers at me.
Now, its worth noting these numbers dont really say anything definitive to us about the number of systems infected with the worm. There could be a relatively small number of systems sending out all the messages. But, without getting too quantitative, its likely that the number of infected systems is roughly proportional to the number of people receiving infected messages, since the worm spreads by harvesting addresses off peoples computers, and the more infections the more addresses to which it will spread.
How, in this day and age, could this happen? The answer, Im sad to say, is that the main pillars on which our security efforts stand have failed: user education and antivirus companies.
Our still-painful experience with Bagle and MyDoom have satisfied me that user education will never be effective enough to stop users from spreading even the most blatant of attacks.
The sorry truth is that people fall very easily for social engineering attacks. The problem has nothing at all to do with Windows; if end-users were running Linux or anything else, its clear that any e-mail message could persuade them into following whatever steps were necessary to compromise their systems.
User education has proved a failure. Sure, its better to have educated users than uneducated ones, and its worth continuing to try to drill the details, if only to give individuals a chance to protect themselves.
However, IT managers must assume that their clients are dumber than dirt about this antivirus stuff and will run whatever executable code strangers send them.
Worse, one vendor told me today that whenever one of these attacks happens a number of people intentionally run the virus—knowing its a virus—just to see what happens. This must be the digital equivalent of a kid wondering what happens when her or she puts their fingers in an electrical socket.
While I considered MyDoom somewhat pathetic at the start, others such as David Perry, Trend Micros global director of education, found it almost clever. In our discussion on the subject, Perry out that the worms social engineering was clever in an ironic way.
MyDooms message was made to look something like a bounce message, the sort of thing that real novices might open but that would pique the curiosity of more sophisticated users. Perry also said that the initial seeding of the worm targeted corporate users, rather than the typical porno-newsgroup crowd. (“Seeding” refers to the initial distribution of the worm, probably done by the author himself.) This seeding could explain why I received a copy so early, and perhaps why the antivirus companies were caught so off-guard.
I also applaud Thor Larholm, senior security researcher at PivX Solutions, who emphasized the backdoor code included in the worm. News coverage later in the day on Tuesday tended to emphasize the denial-of-service attack against SCO, because its a sexy story full of outrage. However, as Thor observed, the bigger problem for the Internet could easily turn out to be the open TCP proxy MyDoom installed on potentially millions of systems.
Over time, if we dont find a way to stop it, this aspect could turn out to be disastrous.
The Failure of Antivirus
and the Solution to the Problem”>
Another main disappointment from the MyDoom episode is the failure of the anti-virus community to respond in time.
Perhaps, the initial distribution of the worm might have confused them. I kept an eye out for Symantecs update from the time when I got my first copy. Something showed up on Norton Antivirus LiveUpdate around 3.5 hours later, but it didnt properly install. It wasnt until about 8:30 PM EST, more than five hours after my receipt, before a functional Norton update was available.
Thereafter, I checked the Web sites of other major antivirus companies through the day; some of them did better, but not that much better. By the time protection was available, this worm was widespread.
In addition, I tested three scanners and none of them detected the worm heuristically, although I got a press release from GFI Software Ltd. indicating that their gateway-level Trojan scanner did block MyDoom from the outset. At the same time, some administrators go to the extent of blocking ZIP files at the gateway as a regular practice.
There is an answer to the worm problem, and its a bit of a surprise: SMTP authentication. Designed largely to combat spam, it involves a modification to the SMTP protocol to allow servers to confirm that a message purporting to come from a particular server in fact does come from that server. Ive identified 9 proposals so far for SMTP authentication; a couple weeks ago I wrote about Yahoos Domain Keys proposal, and AOL recently began supporting Sender Permitted From (a k a SPF), which is the method furthest along in development and deployment.
Turns out that SMTP authentication would also stop worms like MyDoom and Sobig in their tracks. All the modern, successful mail worms incorporate their own SMTP servers, mostly for performance reasons but also because its the only reliable way for them to send mail. At the same time, most mail clients, including any version of Microsoft Outlook or Outlook Express for the last several years, blocks programmatic access to the mail client without explicit user permission. So when the worm sends the message with spoofed addresses the receiving mail server will quickly block them. A worm author will avoid a legitimate address because it could be traced back to the source quickly. Or if the address turns out to be someone elses, it would be shut down easily.
This approach would do more than stop the mass-outbreaks from worms like MyDoom. In the world, there are a large number of worms that have become endemic, such as Welchia and Sobig. Although these worms are past their heyday, there are still lots of copies out there, and SMTP authentication would stop them from spreading further. However, it would not disinfect systems or stop the worms from then-fruitless attempts to spread themselves.
Analysts Ive spoken to about SMTP authentication reminded me that e-mail is just one avenue of infection, and they seem convinced that if mail is shut down another route will open up quickly. But Im not so sure.
E-mail is a unique method of infection, as it is the one Internet application everyone uses. The virus problem was a hassle before e-mail worms, but their arrival made it a crisis. I wonder if anything as useful will ever come along again.
I urge the quick adoption of SMTP authentication, in one form or another. If we dont do it, e-mail will be ruined in the next couple of years as our inboxes are completely taken over by the spammers. But worm prevention is almost as good a reason to move quickly.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Be sure to check out
More from Larry Seltzer