Tech Tip: How did MyDoom become the worst virus outbreak ever?

Find out how MyDoom became the worst virus outbreak ever.

By Mike Mullins

In mid January, 2004, the MyDoom e-mail worm (also known as Novarg, Shimg, or Mimail.R) swept across the Internet in epic proportions. This worm arrives with the executable extensions of .pif, .scr, .exe, .cmd, .bat, or .zip.

With the exception of the .zip file extension, you should have all of these extensions blocked at your mail server. So why did the virus spread so quickly?
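As an added example (not part of the original article), a small Python filter that applies the extension block described above and also looks inside .zip attachments, the one extension the policy lets through; the file, address and subject names are constructed:

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

# Extensions the article says a mail server should already be rejecting.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".cmd", ".bat"}

def is_blocked_name(filename: str) -> bool:
    """True if the name ends in a blocked executable extension (case-insensitive)."""
    return any(filename.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)

def find_blocked_attachments(raw_message: bytes) -> List[str]:
    """Names of blocked files in the message, including those packed inside .zip attachments.

    Only the archive's directory (member names) is read; nothing is extracted.
    An archive that cannot be parsed is reported too, because it cannot be vetted.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if is_blocked_name(filename):
            findings.append(filename)
        elif filename.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as archive:
                    findings.extend(f"{filename}:{m}" for m in archive.namelist() if is_blocked_name(m))
            except zipfile.BadZipFile:
                findings.append(f"{filename}:<unreadable archive>")
    return findings

def build_sample_message() -> bytes:
    """Constructed sample: a mail whose only attachment is a .zip holding a .scr file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("document.scr", b"constructed placeholder, not executable code")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # constructed addresses
    msg["To"] = "user@example.org"
    msg["Subject"] = "Test message"
    msg.set_content("Constructed body text for the filter test.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(find_blocked_attachments(build_sample_message()))  # ['report.zip:document.scr']
```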

There are three main causes for this failure in e-mail security. Let's explore these reasons and discuss the future of e-mail security.

User education

It's just not working! Social engineering defeats user education, and it doesn't play favorites with operating systems.

It doesn't matter whether your users are running Windows, Linux, or any of a hundred other operating systems. E-mail is addictive, and users will open messages that they find interesting.

We can train and threaten users not to open unexpected attachments until the end of time. But authenticated users are the greatest threat to network security—because they'll always be susceptible to a good, socially engineered attack.

The solution to this dilemma is to prevent users from directly receiving attachments. But this approach is severe, and it adds a huge burden on the people who would review, scan, and release attachments to users.

Slow updates

You can also attribute this worm's success to the failure of your antivirus vendor to provide the necessary definitions to detect and remove this worm. However, vendors must first see the worm, decode it, and design a mechanism to defeat it. This takes time, and the speed of the Internet will always defeat your antivirus vendor.

Virus protection only works for old viruses—not new ones. As long as you allow e-mail attachments to enter your networks, you'll have to live with the threat and patch security holes as they appear.

SMTP authentication

The industry is reviewing SMTP authentication as a means to combat the global spam problem. Modifying the SMTP protocol to allow e-mail servers to confirm that a message arriving from somecompany.com actually came from the somecompany.com mail server would practically eliminate worms and viruses transmitted via e-mail.

The reasoning is simple. The most successful e-mail worms use their own SMTP servers as a reliable and fast method for distribution.

Worm authors spoof addresses of legitimate servers to avoid detection and prosecution. If SMTP servers authenticated the traffic, they would easily reject spoofed traffic and log a visible trail right back to the author.

Final thoughts

Four issues remain an obstacle to true e-mail security:

  • Worms and viruses will continue to be the plague of the electronic 21st century.
  • User education is a vital but imperfect step toward e-mail security.
  • Antivirus vendors will always lag behind the criminals that create and deploy worms and viruses.
  • By design, the 22-year-old SMTP protocol is ineffective in the lawless environment that pervades the Internet.

Some of these factors may improve, but others will likely never change. In the meantime, companies must remain diligent in the fight against e-mail worms and viruses, continuing to educate users and update systems.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.