I remember resisting the urge to admire the author of Melissa, the first of the mass-mailer worms. It wasnt even all that mass a mailer, since it only mailed itself to the first 50 entries in the users address book. But there was something clever about the way the worm self-propagated through what we had thought was a safe medium, e-mail. Seems so long ago.
Since then, mass-mailer worms have undergone a variety of technical innovations and encountered a variety of countermeasures. But really, after the first one it should have been possible to tell any of them just by looking at them.
But even if there are people who will never learn their lesson about these things, the era of the mass-mailer worm is coming to a close. Enough people do know not to spread them, and the countermeasures are becoming formidable, especially as more and more users get relatively up to date in their software and security patches.
Consider the things that have to be wrong in order for you to spread a worm (depending on the techniques used by the worm):
- You need to have very old e-mail software that allows executable attachments; this means no Microsoft clients or patches of clients from the last 3 years.
- Neither you nor your ISP can have remotely up-to-date anti-virus software.
- You cant have a firewall (any decent firewall would stop the worm from sending mail).
- Worst of all, youre a user of one of the public P2P networks like KaZaA.
Just the other day Kaspersky Labs wrote up a dire warning about the new Plexus.a worm that combines the usual mail and network share infection routes with exploits of the LSASS and DCOM vulnerabilities. Given that multiple individual worms exist that use these techniques individually, I fail to see why one worm that uses multiples of them is anything new to be scared of.
Mind you, Im much more concerned about the actual network worms like Sasser and Blaster. Its been easy to defend yourself against these attacks, but you do have to stay on top of things enough to apply critical patches or use a firewall intelligently. Actual mail worms have a much harder time getting through.
And its only going to get harder for these worms. As Ive written before, some form of SMTP authentication is coming, and one thing it is likely to do is to kill off the existing generation of mail worms, which should no longer even reach the destination mail server. Its conceivable that worm authors could employ new techniques to get their messages authenticated, but it still wont be the same for them. With no spoofing, it will be easier to track them down and alert infected users.
In the last few months there have been two families of mail worms that have had any real impact, Netsky and Bagle. We know why there have been no new Netsky variants for many weeks —the author got busted. Turns out he was the same guy who wrote Sasser, also dead in its tracks. Theres a rumor that the person who turned him in was the Bagle author, which might explain why there havent been any new Bagle variants for about as long.
Neither of these worms should have fooled anyone, and there was very little that was innovative about either. Some variants of Bagle made the leap, which had been expected for some time in the security community, of spreading through password-protected ZIP files with the password included in the body of the message. It even generated the password as a graphic to make it harder for anti-virus software to scan. But even so, the message screamed, “I am malware!”
Another important point about these worms that I believe has been true for quite some time, months at the least: Theyre at most a minor problem for enterprises. Almost any enterprise is going to have adequate safeguards at the perimeter and elsewhere on the network to block all of this stuff. Im sure the vast majority of victims for a long time have been consumer users.
And how many users really are infected? I dont think we really know the numbers with respect to mail worms. We often see the numbers of copes of a worm being sent around, but thats no direct indicator of the number of systems infected. Maybe its not all that large a number. And heres another piece of data Ive hungered for: How many people are infected with more than one of these things? Id bet the percentage of infected users with more than one (designated SUCKER%) is huge.
Everyone, from the press to the security companies and IT, needs to change their strategies for security problems. We need to focus on the threats that we arent as good at stopping, and on making proactive, preventative measures like intelligent patch management and penetration testing high priorities.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer