I remember resisting the urge to admire the author of Melissa, the first of the mass-mailer worms. It wasnt even all that mass a mailer, since it only mailed itself to the first 50 entries in the users address book. But there was something clever about the way the worm self-propagated through what we had thought was a safe medium, e-mail. Seems so long ago.
Since then, mass-mailer worms have undergone a variety of technical innovations and encountered a variety of countermeasures. But really, after the first one it should have been possible to tell any of them just by looking at them.
But even if there are people who will never learn their lesson about these things, the era of the mass-mailer worm is coming to a close. Enough people do know not to spread them, and the countermeasures are becoming formidable, especially as more and more users get relatively up to date in their software and security patches.
Consider the things that have to be wrong in order for you to spread a worm (depending on the techniques used by the worm):
- You need to have very old e-mail software that allows executable attachments; this means no Microsoft clients or patches of clients from the last 3 years.
- Neither you nor your ISP can have remotely up-to-date anti-virus software.
- You cant have a firewall (any decent firewall would stop the worm from sending mail).
- Worst of all, youre a user of one of the public P2P networks like KaZaA.
Just the other day Kaspersky Labs wrote up a dire warning about the new Plexus.a worm that combines the usual mail and network share infection routes with exploits of the LSASS and DCOM vulnerabilities. Given that multiple individual worms exist that use these techniques individually, I fail to see why one worm that uses multiples of them is anything new to be scared of.
Mind you, Im much more concerned about the actual network worms like Sasser and Blaster. Its been easy to defend yourself against these attacks, but you do have to stay on top of things enough to apply critical patches or use a firewall intelligently. Actual mail worms have a much harder time getting through.
And its only going to get harder for these worms. As Ive written before, some form of SMTP authentication is coming, and one thing it is likely to do is to kill off the existing generation of mail worms, which should no longer even reach the destination mail server. Its conceivable that worm authors could employ new techniques to get their messages authenticated, but it still wont be the same for them. With no spoofing, it will be easier to track them down and alert infected users.
In the last few months there have been two families of mail worms that have had any real impact, Netsky and Bagle. We know why there have been no new Netsky variants for many weeks —the author got busted. Turns out he was the same guy who wrote Sasser, also dead in its tracks. Theres a rumor that the person who turned him in was the Bagle author, which might explain why there havent been any new Bagle variants for about as long.