February 4, 2004
In This Issue
Tech Talk

Observations on Rapid Malware Spread

With the MyDoom virus still rampaging across the Internet, there has been much speculation about why viruses not only continue to spread, but get worse with each passing wave. Despite a large increase in the technological means available to stop the spread of email viruses, MyDoom still ranks as the fastest-spreading virus or worm in the history of the Internet.

Since the Morris worm attacked machines on the Internet in 1988, worms and viruses have preyed on networked computers. The explosion in the Internet's popularity has not only greatly enhanced our ability to communicate with one another quickly and easily, but has also handed virus and worm authors a massive channel of attack.

Although worms and viruses are different creatures, for simplicity we will treat both kinds of malicious mobile code, or malware, alike throughout this article. Technically, a worm is a self-replicating program that spreads by purely technical means, while a virus has an "infection" aspect: it embeds itself in another program or file, piggybacking on that resource's functionality and spreading through its normal use. A related distinction is that viruses usually require some human interaction (opening the attachment, running the program), while worms can spread without it.

Smarter, Faster, and More Dangerous
The Morris worm brought the infant Internet to its knees with a bootstrap program of only 99 lines of C (the main body it then pulled across the network ran to roughly 3,000 lines). Since then we have seen wave after wave of malware attacks, and a close look at the trend shows a marked increase in the sophistication of every aspect of malware spread and infection. Attempts to obfuscate, confuse, and bewilder defenders are now commonplace, as are multiple vectors of attack.

In terms of how it spread, MyDoom was a fairly nondescript virus, distinguished primarily by the speed and completeness of its propagation. It was a common email-attachment infector. It used several methods to locate email addresses to send itself to, harvesting them from address books, saved HTML, and other files on the infected machine. MyDoom also left a backdoor on infected systems, giving the attacker the ability to execute code or commands on the machine at a later date. The backdoor persisted across reboots, and the virus also carried a denial-of-service client, aimed at SCO in the original variant and at Microsoft in the later MyDoom.B variant.

How Did MyDoom Spread So Widely So Quickly?
How "successfully" a piece of malware spreads depends on several factors: how it enters a system, how it propagates once a machine is infected, and what payload it carries, since the payload can help or hinder the speed and effectiveness of the spread.

MyDoom reached users' systems as an email attachment. This has long been a common way for email viruses to spread, and many email clients now block certain attachment types from ever appearing to the end user. User training materials and corporate policy commonly state that executable attachments (.exe, .bat, .pif, .com, .scr, and so on) should never be opened. So what let MyDoom spread as it did? One explanation is that MyDoom also arrived as a .zip attachment. Zip is an archive format: an executable inside a Zip file travels under the archive's .zip extension, so a gateway that filters only on the attachment's own extension never sees the .exe inside. Corporate policy frequently does not block Zip attachments, which allowed the MyDoom executable to reach end users. MyDoom also used vague wording in the message body to persuade the user to run the attachment, or to open the Zip and explore the files inside. Finally, forged sender addresses exploited existing trust relationships between people.
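As an added illustration (this code is not from the newsletter or from eEye), here is the kind of attachment check a mail gateway needs once it has to look inside archives rather than only at the attachment's name. The blocked extension list follows the examples above; the archives and file names are constructed test data, and the size and nesting limits are assumptions to tune for your own environment.

```python
"""Attachment policy check that inspects Zip archives for executable members.

Added example, not code from the newsletter or from eEye.  The extension
list follows the newsletter's own examples of "never open" types; the Zip
archives and file names used below are constructed test data.
"""
import io
import os
import zipfile

# Executable types the newsletter lists as "never open".  .zip is deliberately
# absent: the point is to look inside it, not to block every archive.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".pif", ".com", ".scr", ".cmd", ".vbs"}

MAX_ARCHIVE_DEPTH = 3                 # assumed: stop descending into zip-in-zip after this
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumed: refuse to inflate huge members (zip bombs)


def is_blocked_name(filename: str) -> bool:
    """True if the *final* extension is an executable type.

    Double extensions such as "document.txt.exe" resolve to ".exe"; trailing
    spaces and dots (a trick to hide the real extension) are stripped first,
    and Windows path separators are tolerated.
    """
    base = os.path.basename(filename.replace("\\", "/")).rstrip(" .")
    _, ext = os.path.splitext(base)
    return ext.lower() in BLOCKED_EXTENSIONS


def blocked_members(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return archive-relative paths of blocked members inside a Zip blob,
    descending into nested archives up to MAX_ARCHIVE_DEPTH."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if is_blocked_name(info.filename):
                found.append(path)
            elif info.filename.lower().endswith(".zip") and depth < MAX_ARCHIVE_DEPTH:
                if info.file_size > MAX_MEMBER_BYTES:
                    found.append(path + " (oversized nested archive, not inspected)")
                    continue
                found.extend(blocked_members(zf.read(info), depth + 1, path + "/"))
    return found


def attachment_verdict(filename: str, data: bytes) -> str:
    """'block' if the attachment itself or any archive member is executable,
    otherwise 'allow'.  Zip is recognised by content rather than by name,
    because a renamed .zip still opens in the user's archiver."""
    if is_blocked_name(filename):
        return "block"
    if zipfile.is_zipfile(io.BytesIO(data)) and blocked_members(data):
        return "block"
    return "allow"


def make_zip(members: dict) -> bytes:
    """Build an in-memory Zip archive from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    inner = make_zip({"readme.txt.scr": b"MZ..."})
    samples = {
        "message.zip": make_zip({"message.exe": b"MZ..."}),        # executable inside archive
        "report.zip": make_zip({"report.doc": b"plain document"}),  # harmless archive
        "nested.zip": make_zip({"inner.zip": inner}),               # zip inside zip
        "data.dat": make_zip({"doc.pif": b"MZ..."}),                # zip renamed to hide itself
    }
    for name, blob in samples.items():
        print("%-12s -> %s" % (name, attachment_verdict(name, blob)))
```

The verdict is driven by what the archive contains, not by whether the attachment is called .zip, which is the gap MyDoom walked through.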

MyDoom's propagation mechanism has become almost standard in malware circles. It spoofed the sender address, relying on the psychological trick that you are more likely to open an email that appears to come from someone you know. Recipient addresses were harvested from the host machine and supplemented from a built-in list. It carried its own SMTP engine and delivered mail directly to the recipients' mail servers rather than relaying through the ISP's or corporation's mail server, which is where outbound mail is normally scanned and viruses quarantined. Although the engine was rudimentary, it proved quite effective at locating the remote mail servers for the addresses it targeted. Its simplicity also made it very fast, so a newly compromised system began trying to compromise new users almost immediately.
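An added example, not from the newsletter or eEye, showing how an administrator can spot an internal mail engine from the network side: a workstation that opens SMTP connections to many remote mail servers itself instead of handing mail to the sanctioned relay. The firewall log lines are constructed in an iptables-like format, and the relay address and the fan-out threshold are assumptions to adapt to your own network.

```python
"""Flag internal hosts that deliver mail straight to remote mail servers.

Added example, not code from the newsletter or from eEye.  The log lines are
constructed in an iptables-like format; the relay address and the threshold
below are assumptions.
"""
import re
from collections import defaultdict

SANCTIONED_RELAYS = {"10.0.0.25"}   # assumed: the only host that may speak SMTP outbound
MIN_DISTINCT_DESTINATIONS = 5       # assumed: a worm fans out to many MXs, a misconfigured client to one

# Matches the fields we need from a constructed iptables-style log line.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: 10.0.0.25 is the relay, 10.0.1.77 behaves like a worm,
# 10.0.1.12 is a client talking to one external server (worth a look, not an alarm).
SAMPLE_LOG = """\
Feb  4 09:12:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.10 PROTO=TCP SPT=3345 DPT=25
Feb  4 09:12:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.11 PROTO=TCP SPT=3346 DPT=25
Feb  4 09:12:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=203.0.113.1 PROTO=TCP SPT=1027 DPT=25
Feb  4 09:12:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=203.0.113.2 PROTO=TCP SPT=1028 DPT=25
Feb  4 09:12:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=203.0.113.3 PROTO=TCP SPT=1029 DPT=25
Feb  4 09:12:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=203.0.113.4 PROTO=TCP SPT=1030 DPT=25
Feb  4 09:12:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=203.0.113.5 PROTO=TCP SPT=1031 DPT=25
Feb  4 09:12:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=203.0.113.6 PROTO=TCP SPT=1032 DPT=25
Feb  4 09:12:06 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=203.0.113.1 PROTO=TCP SPT=1033 DPT=25
Feb  4 09:12:07 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=192.0.2.9 PROTO=TCP SPT=1034 DPT=80
Feb  4 09:12:08 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.12 DST=198.51.100.10 PROTO=TCP SPT=2201 DPT=25
Feb  4 09:12:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.12 DST=192.0.2.9 PROTO=TCP SPT=2202 DPT=80
Feb  4 09:12:10 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.12 DST=192.0.2.53 PROTO=UDP SPT=2203 DPT=53
Feb  4 09:12:11 fw sshd[4211]: Accepted password for admin from 10.0.1.5 port 51022 ssh2
""".splitlines()


def parse_line(line):
    """Return (src, dst, dport) for a TCP connection log line, or None if the
    line is not one (non-TCP traffic, other daemons' messages)."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def direct_to_mx_offenders(lines):
    """Map src -> sorted distinct SMTP destinations, for hosts that are not a
    sanctioned relay and contacted at least MIN_DISTINCT_DESTINATIONS
    different servers on TCP port 25."""
    dests = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport != 25 or src in SANCTIONED_RELAYS:
            continue
        dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items()
            if len(d) >= MIN_DISTINCT_DESTINATIONS}


if __name__ == "__main__":
    for src, targets in direct_to_mx_offenders(SAMPLE_LOG).items():
        print("%s sent mail directly to %d servers: %s" % (src, len(targets), ", ".join(targets)))
```

The complementary control is an egress rule that permits outbound TCP port 25 only from the relay; the parser above then becomes an alarm for whatever that rule has to drop, and the infected host is named in the first few minutes rather than after the helpdesk calls start.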

What a virus does once it is on a system can also drastically affect its spread rate and success. Here MyDoom's payload actually worked against its propagation: it opened a backdoor on the machine, which is visible evidence of infection. Some viruses carry silent payloads; this one's listening backdoor allowed a scanning tool to be written that could quickly and reliably locate infected machines, giving administrators a way to disinfect them before they started spreading the virus further.
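An added example, not eEye's Retina MyDoom tool or any code from the newsletter, of the kind of sweep such a tool performs: a TCP connect scan of an address range for a listening backdoor port. Public antivirus write-ups place the MyDoom.A backdoor on TCP 3127, which is only the default here; the address ranges are assumptions, and the local listener exists so the code can be exercised offline. An open port is a lead to investigate, not proof of infection.

```python
"""Sweep an address range for a listening backdoor port.

Added example, not eEye's Retina MyDoom tool and not code from the
newsletter.  DEFAULT_PORT follows public antivirus write-ups of MyDoom.A
and is only a default; the subnet in main() is an assumption, and
LocalListener is a test fixture standing in for an infected host.
"""
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

DEFAULT_PORT = 3127   # assumed default; pass the port your own indicator of compromise names
TIMEOUT = 0.5         # seconds; generous for a LAN, raise for WAN links


def expand_cidr(cidr):
    """Host addresses of a subnet as strings, network and broadcast excluded."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def port_open(host, port, timeout=TIMEOUT):
    """TCP connect scan of one host:port; True if the handshake completes.
    Refused, timed-out and unreachable all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(hosts, port=DEFAULT_PORT, workers=64, timeout=TIMEOUT):
    """Return the sorted list of hosts with `port` open, scanning in parallel."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, port_open(h, port, timeout)), hosts))
    return sorted(h for h, is_open in results if is_open)


class LocalListener:
    """Throwaway TCP listener on 127.0.0.1 (test fixture, stands in for an
    infected host).  stop() closes it so the port reads as closed again."""

    def __init__(self):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free one
        self._srv.listen(16)
        self._srv.settimeout(0.1)             # so the accept loop notices stop()
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break
        self._srv.close()

    def stop(self):
        self._stop.set()
        self._thread.join()


if __name__ == "__main__":
    fixture = LocalListener()
    print("local fixture listening on port %d" % fixture.port)
    print("hits on loopback:", sweep(["127.0.0.1"], port=fixture.port))
    fixture.stop()
    # Assumed subnet; replace with your own ranges and the real port.
    hits = sweep(expand_cidr("192.0.2.0/28"), port=DEFAULT_PORT)
    print("hosts listening on %d: %s" % (DEFAULT_PORT, hits or "none"))
```

Because a connect scan completes the handshake, it leaves an entry in whatever the target logs; that is acceptable for an authorised clean-up sweep of your own network and is the trade-off for not needing raw sockets.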

Other factors contributed to MyDoom's rapid spread as well. The popularity of the Internet and the sheer number of people on it gave the virus fertile ground. The availability of always-on broadband connections let MyDoom keep spreading for longer periods, and at higher rates, than ever seen before.

So What Could Have Stopped This?
Quite simply, user error allowed this virus to reach epidemic proportions. Users who were improperly trained, or who lacked a basic understanding of the danger of opening email attachments, even from people they know, accounted for the continued spread of this virus. Although there are technical ways to limit and defuse situations like these, malware is often specifically designed to subvert and avoid those countermeasures. The result is an "arms race" between malware authors and the people building the tools and systems meant to stop them. Even though the antivirus companies detected MyDoom and published details and signature updates quite soon after it appeared in the wild, there is always a gap between the moment a virus is released and the moment the antivirus community can recognize it, and a fast spreader does most of its damage inside that gap. It really drives home the point that most security begins and ends at one place: between the ears of the person behind the keyboard.

Ryan Permeh
Senior Software Engineer
eEye Research Team

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

The Register: Viruses and Hackers Make Windows More Secure
"Virus writers and hackers are helping Microsoft to develop more secure products, Bill Gates claimed yesterday." Full Article

ITToolbox.com: Vital e-Crime Evidence Often Destroyed
"Companies that fall victim to computer crime may be inadvertently destroying evidence in their efforts to find the perpetrators." Full Article

'Mydoom' Computer Virus Brings Down SCO Group's Web Site
"A computer virus that targeted a small Utah software company performed as its perpetrators promised on Sunday, bringing down The SCO Group's Web site two days before a similar virus was programmed to attack Microsoft Corp." Full Article

Reader Q&A

Q: What can you do to prevent being deceived (spoofed) by fake URLs?

A: A vulnerability in Internet Explorer allows a malicious person to display a fake URL in the address bar that differs from the address of the page actually loaded. You may be tricked into downloading and executing malicious code that infects your system or discloses information.

The best defense is to filter the malicious characters and character sequences at a proxy server or firewall with URL-filtering capability, so that a spoofed link never reaches the browser. Additionally, do not follow links from untrusted sources, and bear in mind that this vulnerability makes the address bar itself untrustworthy: the page's real address has to be established by other means, which is what the steps below are for.

Microsoft also suggests the following:

  1. Identify the URL of the current web page
  2. Use the Internet Explorer history pane to try to identify the actual URL for the current web site
  3. Paste the URL in the address bar of a new instance of Internet Explorer
  4. Try to identify the URL that a hyperlink will use
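An added example, not from the newsletter, eEye, or Microsoft, of the checks a filtering proxy or a careful user can apply. It assumes the address-bar spoof in question is the variant that hides the real host behind a user@host URL with an encoded control byte such as %01 in the user part, which is the character sequence the filtering advice above refers to; the sample URLs are constructed.

```python
"""Unmask the real host behind a spoofed URL and flag deceptive hyperlinks.

Added example, not code from the newsletter, eEye, or Microsoft.  It assumes
the address-bar spoof is the user@host variant with an encoded control byte
in the user part; every URL below is constructed.
"""
import re
from urllib.parse import urlsplit, unquote

ENCODED_CONTROL = re.compile(r"%[01][0-9A-Fa-f]")   # %00 .. %1F, percent-encoded
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:[/:?#]|$)")


def true_host(url):
    """Host the browser will actually contact: the authority after the last
    '@', which is exactly the part the spoof hides from the user."""
    return (urlsplit(url.strip()).hostname or "").lower()


def spoof_indicators(url):
    """Reasons to distrust a URL; an empty list means nothing suspicious."""
    reasons = []
    parts = urlsplit(url.strip())
    if "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]
        reasons.append("userinfo present: browser connects to %r, not %r"
                       % (parts.hostname, userinfo))
        if ENCODED_CONTROL.search(userinfo) or any(ord(c) < 0x20 for c in unquote(userinfo)):
            reasons.append("control character in userinfo: address bar display is truncated")
    return reasons


def looks_like_url(text):
    """True for link text such as 'www.example.test/path' or a full http(s) URL."""
    return bool(URL_LIKE.match(text.strip()))


def link_is_deceptive(anchor_text, href):
    """True when the visible link text names a host other than the one the
    href really leads to (step 4 above, done mechanically).  Plain words
    such as 'Click here' name no host and are not flagged."""
    text = anchor_text.strip()
    if not looks_like_url(text):
        return False
    if "://" not in text:
        text = "http://" + text
    return true_host(text) != true_host(href)


if __name__ == "__main__":
    # Constructed: the displayed text and the user part both claim a trusted
    # host, but the browser will connect to evil.example.
    shown = "www.trusted.example/login"
    href = "http://www.trusted.example%01@evil.example/login"
    print("real host:", true_host(href))
    for reason in spoof_indicators(href):
        print("  -", reason)
    print("deceptive link:", link_is_deceptive(shown, href))
```

A proxy would reject any request whose URL yields a non-empty spoof_indicators list; a user without a proxy gets the same answer by pasting the link's true target into a fresh browser window, as the Microsoft steps suggest, rather than trusting what the address bar shows.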


Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

FREE Scanner to Combat MyDoom
eEye Digital Security released a free scanning tool to detect machines infected with the MyDoom email virus on January 27th, 2004. This virus, which propagated quickly, could significantly impact network services worldwide. The free Retina MyDoom scanning utility enables security professionals to identify infected assets, and is available for immediate download. Full Article

Vote For Your Favorite eEye Product or Solution
The People's Choice Awards for Security Vendors awards the products and companies that the user community recognizes as the best. Unlike most trophies, which are awarded to the largest advertiser, the People's Choice award is 100% chosen by the user community. Award winners will be announced at RSA San Francisco at the end of February. Click here to vote: Full Article

Was 2003 As Secure As They Say?
Microsoft promised a more secure 2003, but did they really succeed? As a service to the network security community, eEye has posted a list of upcoming advisories. This list is comprised of vulnerabilities discovered in 2003 that have yet to be addressed. Full details of each vulnerability will be disclosed to the public at the time a patch is released by the vendor. To view the list, click here: Full Article

Webinar: Vulnerability Expert Forums
eEye Digital Security is hosting special web seminars focusing on recently announced critical vulnerabilities. Prospects, customers and partners are invited to participate in these discussions with eEye's vulnerability experts, such as co-founder Marc Maiffret, and explore the impact high-risk vulnerabilities and exploits have on network environments and infrastructures.
Date/Time: Wednesday, February 10 @ 1pm PST / 4pm EST
Location: Online Event Full Article

Etcetera

U.S. to Issue Cyber-Threat Warnings
The federal government today announced a new, centralized system for alerting the country to threats to computer systems, from business and government networks to consumers' home machines. More

Officials Investigate Hack at University of Georgia
Federal and state authorities are investigating whether hackers gained access to Social Security and credit card numbers for at least 20,000 University of Georgia students and applicants, officials said Thursday. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.