The Commoner's Virus
George Smith, 2002-06-10

Despite its virulence, the Klez worm is ignored by the newspapers and dismissed by the digerati. Could the demographics of its victims be a factor?

The Commoner's Virus 2002-06-10
Jon Horner, CISSP
Klez and defenses 2002-06-10
Nicholas Weaver (2 replies)
That mailworms continue to be a plague is rather frustrating, not because it is a "commoner's disease" but because they could be effectively stopped with some simple, effective policies.

1) NO mailreader should ever execute content. The only option should be "save to disk". Just warning and executing is not sufficient; users have become so conditioned to clicking "OK" that such worms are still effective. This is the "bug", a user/user interface reaction which allows these pests to spread.

2) Mail servers should implement virus filtering (and many do), and should hold all executable content for a period of several hours before passing it on. Otherwise, a new mail worm can slip through. It also will condition the users not to send executable content.

Combine both and it is an effective barrier; even just #2, or even just #2 without the delay, works very well.

Thus there are reasons why researchers like myself focus on fast, active worms. We can't get hit by the slow, stupid mail worms because we already have defenses (like the ones above) in place.

I've only received one or two ACTIVE copies of all the mail worms which slipped through the mail filter at the department (a copy of Nimda, IIRC, which moved much faster than a pure mail worm) and even they don't get run because of my mail reader choices.

And since I know how to defend against mail worms, if I was an attacker, I'd only use a mail vector as a secondary spread, instead focusing on attacks which are considerably harder to defend against. My concern is defending against sophisticated attackers (e.g., a hypothetical evil twin), not 4 kiddiots from Israel (the Goner mail worm).

There is nothing I can do beyond advocating common sense (a dismal task) to reduce the effectiveness of mail worms. So why should I spend more time on the subject? It's a dead end line from a research viewpoint. Active worms have huge ??s remaining (how fast will they spread in P2P networks, how to construct robust defenses, etc), so of course they get the research effort.

Perhaps there is still some public policy decisions which could be made (probably having to do with product liability for the ISPs and mail-agent writers, as a lever to get more filtering in place), but that isn't my field.

And mail worms have been used as attack tools: the Goner mail worm contained a DDoS payload (which did get a bit of press), and there was another (I forget the name) which was designed to fetch update code. This is a worrying trend, but these have been unsophisticated attackers, who made tools which were easily countered.

It is a nifty idea trying to create a suckerlist for the initial spread of a mail worm. And I doubt a mailworm would be ignored if it contained a working malicious payload, "Commoner's disease" or no.


Link to this comment: http://www.securityfocus.com/comments/columns/87/12982#12982
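The filter-and-hold gateway policy Weaver sketches in point 2 can be illustrated with a small mail classifier. This is an added example written for this page, not code from Weaver or from SecurityFocus; the four-hour hold period, the extension list, the "MZ" magic-byte check and the sample messages it builds are constructed assumptions. It parses an RFC 822 message, flags attachments that are executable by name or by content (so a renamed binary is still caught), and returns a "deliver" or "hold" decision with the time the held message becomes due for re-scanning.

```python
import email
from email import policy
from email.message import EmailMessage
from datetime import datetime, timedelta, timezone

# Policy knobs: the post only says "several hours". The 4-hour figure, the
# extension list and the magic-byte check are constructed for this example.
HOLD_PERIOD = timedelta(hours=4)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                         ".vbs", ".js", ".cpl"}
PE_MAGIC = b"MZ"  # DOS/PE executables begin with these two bytes

# Fixed clock so the example's decisions are reproducible.
SAMPLE_NOW = datetime(2002, 6, 10, 12, 0, tzinfo=timezone.utc)


def is_executable_part(part):
    """Flag an attachment as executable by file name OR by content, so a
    binary renamed to photo.jpg that still starts with MZ is caught."""
    filename = (part.get_filename() or "").lower()
    if "." in filename and "." + filename.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(PE_MAGIC)


def classify(raw, now):
    """Gateway decision for one raw message: deliver now, or hold until
    release_at because it carries executable content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = [p.get_filename() or "<unnamed>"
               for p in msg.iter_attachments() if is_executable_part(p)]
    if flagged:
        return {"action": "hold", "release_at": now + HOLD_PERIOD, "flagged": flagged}
    return {"action": "deliver", "release_at": now, "flagged": []}


def release_due(decision, now):
    """True once a held message has waited out the delay; a real gateway
    would re-scan it with updated signatures before forwarding."""
    return now >= decision["release_at"]


def build_message(body, attachment_name=None, data=b""):
    """Construct a sample message for the demo (constructed, not a real mail)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "sample"
    msg.set_content(body)
    if attachment_name is not None:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    fake_binary = PE_MAGIC + b"\x90\x00" * 8  # constructed stand-in for a PE file
    samples = {
        "plain text": build_message("hello"),
        "named .exe": build_message("see attached", "invoice.exe", fake_binary),
        "renamed binary": build_message("pics", "photo.jpg", fake_binary),
        "real image": build_message("pics", "photo.jpg", b"\xff\xd8\xff\xe0JFIF"),
    }
    for label, raw in samples.items():
        d = classify(raw, SAMPLE_NOW)
        print(f"{label:15s} -> {d['action']:7s} flagged={d['flagged']} "
              f"release_at={d['release_at'].isoformat()}")
```

Running the block prints one decision per sample: the text-only message and the genuine JPEG are delivered immediately, while the named .exe and the renamed binary are both held until SAMPLE_NOW plus the hold period. The point of the delay is the re-scan at release time, when the filter's signatures may have caught up with a worm that was new when the message arrived.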
re: Klez and defenses 2002-06-13
David Byrne
Klez and defenses 2002-06-14
Anonymous
Copyright 2008, SecurityFocus