TechRepublic : A ZDNet Tech Community

How did MyDoom become the worst virus outbreak ever?

Tags: Cyberthreats, Viruses and worms, SECURITY, MyDoom virus, Michael Mullins CCNA, MCP, virus, e-mail, worm, e-mail security, SMTP, server, User education


Takeaway: Find out why the MyDoom worm tricked so many users and IT departments.

This article is from TechRepublic's Security Solutions e-newsletter.


During the last two weeks of January 2004, the MyDoom e-mail worm (also known as Novarg, Shimg, or Mimail.R) swept across the Internet in epic proportions, causing some analysts to declare it the worst-ever virus outbreak.

This worm arrived as an attachment with one of the extensions .pif, .scr, .exe, .cmd, .bat, or .zip. With the exception of .zip, most IT departments should already have all of these extensions blocked at the mail server. So why did the virus spread so quickly?

There are three main causes for this failure in e-mail security. Let's explore these reasons and discuss the future of e-mail security.

User education
It's just not working! Social engineering defeats user education, and it doesn't play favorites with operating systems.

It doesn't matter whether your users are running Windows, Linux, UNIX, or any other operating system. E-mail is addictive, and users will open messages that they find interesting.

We can train and threaten users not to open unexpected attachments until the end of time. But authenticated users are the greatest threat to network security, because they'll always be susceptible to a good, socially engineered attack.

The solution to this dilemma is to prevent users from directly receiving attachments. But this approach is severe, and it adds a huge burden on the people who would review, scan, and release attachments to users.
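The gateway-side check the article assumes (blocking the listed extensions at the mail server) has a gap the article points out: .zip is usually allowed through, and MyDoom used it. The following is an added example, not code from the article or from any vendor, of a filter that also looks inside zip attachments; the message it inspects is constructed inline and is not a real MyDoom sample.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the article lists for the worm's attachments. .zip is handled
# separately: the dangerous name is inside the archive, not on the attachment.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".cmd", ".bat"}


def _has_blocked_ext(name: str) -> bool:
    name = name.lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def find_blocked_attachments(raw_message: bytes) -> list:
    """Return (attachment name, reason) pairs a gateway should hold for review.

    Zip attachments are opened in memory and their member names checked, so an
    executable wrapped in an archive is caught as well as a bare one.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _has_blocked_ext(name):
            findings.append((name, "executable extension"))
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        if _has_blocked_ext(member):
                            findings.append((name, f"archive contains {member}"))
            except zipfile.BadZipFile:
                # An archive the gateway cannot read should not be passed through either.
                findings.append((name, "unreadable zip archive"))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a .zip wrapping a .scr, plus a bare .pif."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "test"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename="readme.pif")
    return bytes(msg)
```

Run `find_blocked_attachments(build_sample_message())` to see both attachments flagged; in a real gateway the flagged message would be quarantined for the review-and-release step described above rather than delivered.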

Slow updates
You can also attribute this worm's success to the failure of your antivirus vendor to provide the necessary definitions to detect and remove this worm. However, vendors must first see the worm, decode it, and design a mechanism to defeat it. This takes time, and the speed of the Internet will always defeat your antivirus vendor.

Virus protection only works for old viruses—not new ones. As long as you allow e-mail attachments to enter your networks, you'll have to live with the threat and simply patch security holes as quickly as possible.

SMTP authentication
The IT industry is reviewing SMTP authentication as a means to combat the global spam problem. Modifying the SMTP protocol to allow e-mail servers to confirm that a message arriving from somecompany.com actually came from the somecompany.com mail server would practically eliminate worms and viruses transmitted via e-mail.

The reasoning is simple. The most successful e-mail worms use their own built-in SMTP servers as a reliable and fast method for distribution.

Worm authors spoof addresses of legitimate servers to avoid detection and prosecution. If SMTP servers authenticated the traffic, they would easily reject spoofed traffic and, in many cases, log a visible trail right back to the author.

Final thoughts
Four issues remain obstacles to true e-mail security:
  • Worms and viruses will continue to be the plague of the electronic 21st century.
  • User education is a vital but imperfect step toward e-mail security.
  • Antivirus vendors will always lag behind the criminals that create and deploy worms and viruses.
  • By design, the 22-year-old SMTP protocol is ineffective in the lawless e-mail environment that pervades the Internet.

Some of these factors may improve, but others will likely never change. In the meantime, companies must remain diligent in the fight against e-mail worms and viruses by continuing to educate users and update systems.
