Experts who predicted the death of the mass-mailing worm should eat some crow, compliments of Mydoom-A. The fact that mass mailers are here to stay is just the first lesson one can learn from the Mydoom outbreak.
When a massive worm like Mydoom-A hits, it's easy to forget that users still break the cardinal rule of e-mail security and open attachments. "We can have authenticated SMTP. We can shut down open relays. We can use PGP," said Ken Dunham, director of malicious code at Reston, Va.-based iDefense Inc. "But technology is only one piece of this layered puzzle."
Most large corporations weren't hit too hard by Mydoom-A because they strip executable files at the gateway.
Still, some copies of the worm travel as .zip files, which most companies allow through the gateway. Experts remind administrators, however, that gateways can be configured to disallow .zip files containing executable code. Taking this step would have stopped Mydoom-A in many places.
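An added illustration of the gateway control described above (example code, not from the article or from any vendor it mentions): a Python check that rejects a .zip attachment when any member carries an executable extension or begins with the PE "MZ" header, and that treats nested archives too deep to inspect and unreadable (encrypted) members as unsafe. The extension list and the sample archives are constructed for this example.

```python
import io
import zipfile

# Extensions the gateway treats as executable (constructed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
MZ_MAGIC = b"MZ"  # DOS/PE executables start with these two bytes

def zip_contains_executable(data: bytes, max_depth: int = 2) -> bool:
    """True if the archive holds executable content the gateway should block.

    A member counts if its name has an executable extension or its first two
    bytes are the MZ header (catches renamed binaries). Nested zips are
    inspected up to max_depth levels; anything the gateway cannot inspect
    (malformed, encrypted, unsupported compression, too deep) is rejected.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return True  # malformed archive: reject rather than guess
    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename.lower()
        if any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            return True
        try:
            with archive.open(info) as member:
                head = member.read(2)
                if head == MZ_MAGIC:
                    return True
                if name.endswith(".zip"):
                    if max_depth == 0 or zip_contains_executable(head + member.read(), max_depth - 1):
                        return True  # too deep to inspect, or nested executable found
        except (RuntimeError, NotImplementedError):
            return True  # encrypted or unsupported compression: cannot inspect
    return False

def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: benign text, a plain .exe, a renamed PE binary, a nested zip.
BENIGN = build_zip({"notes.txt": b"meeting at 10"})
PLAIN_EXE = build_zip({"document.exe": b"MZ\x90\x00"})
RENAMED = build_zip({"readme.txt": b"MZ\x90\x00"})
NESTED = build_zip({"inner.zip": PLAIN_EXE})
```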
The worm appeared early last week and spread aggressively. Its movement did not wane until the weekend. During that time, U.K.-based e-mail content filter MessageLabs Inc. intercepted more than 7 million copies. At the worm's peak, the company found a copy of Mydoom in one of every 12 e-mail messages.
Experts think Mydoom spread widely because it traveled attached to legitimate-looking e-mails. Also, it was difficult to filter for Mydoom's varied subject lines and message bodies.
Mydoom-A used conventional social engineering, and that tricked many users into executing the worm. "It doesn't use the typical sex-based social engineering. In other words, it's not promising pictures of a tennis player with nice legs," said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC.
Many recent worms have relied heavily on bogus, urgent message text to entice recipients into opening the message. For example, the Mimail family of worms arrived with messages purporting to be from Microsoft and PayPal. They played on greed and fear to get people to run the attached executable.
By contrast, the messages containing Mydoom-A were basic -- and believable. Subject lines varied, but they included "Error," "Status," "Mail Transaction Failed" and "hello." Some messages appeared to be returned e-mails.
"If you are not sufficiently familiar with the technical details of a returned message, you may have opened the message," said Jimmy Kuo, a McAfee fellow with Network Associates Inc. "I may even have double-clicked on it if I wasn't aware it was a worm."
No one can say exactly how many machines actually were infected with Mydoom-A. Estimates range from thousands to a million. However, the most vexing problem was the traffic -- traffic generated by the e-mails carrying the worm, as well as other e-mail traffic caused by the worm.
Even companies that have the latest and greatest antivirus protection and which strip executables at the gateway had to contend with the traffic issues caused by Mydoom-A. The worm mailed copies of itself so aggressively that some companies' e-mail systems ground to a halt because of all the extra traffic.
Mydoom-A generated e-mail in a variety of ways. First, there was the traffic it generated when it sent copies of itself using its own SMTP engine. The worm harvested e-mail addresses from a host of files on infected machines. It also contained a mechanism to reverse common antispam techniques. For example, it would convert addresses spelled with "At" -- a common technique used by companies trying to avoid spam -- to mailable form with the "@" symbol.
Because the worm mailed itself so aggressively, many return messages were created -- the problem was that Mydoom-A forged the "From" address on the e-mails it sent. The returned messages ended up in the inboxes of systems that had their addresses spoofed, not of the sending computer. Then the recipient of a bounced-back e-mail may have opened the message, which contained the worm.
Finally, antivirus scanners generated traffic related to the worm. The scanners sent notification messages to the senders of e-mails found to have contained Mydoom. The intention of these antivirus techniques is laudable, but in the case of Mydoom-A, such messages aren't helpful because the worm spoofs the sender addresses. People whose e-mail addresses were spoofed by Mydoom-A found these notification messages in their inboxes -- even though the worm had not been mailed from their systems.
Companies should, as a matter of policy, shut off the notification feature on their scanners when there is a major worm outbreak, said iDefense's Dunham.
NA's Kuo said the antivirus companies have some work to do as well.
"We need to make our products work better," he said. "For example, when we know that a worm forges the 'From' line, then we do not send messages notifying the sender."