The Henna Page Tech Pages
Mass-Mailing Worms: What's up with all the weird stuff in my inbox?

by Roy Jones © 2004
Worms in your Inbox
Internet worms first came to public attention in the late 1980s, when the Morris Worm was set loose to crawl through Internet servers. The computer-using public became more intimately acquainted with worms when the Love Letter worm swept through the Net in 2000. One of the differences between worms and viruses is that worms are designed with the ability to move about a network on their own. There are several ways to do this, but the most common these days is “mass-mailing.”

How Do They Do It?

A mass-mailing worm carries, as part of its code, an SMTP engine: software that can generate and send e-mail on its own. Once a mass-mailer has infected a victim computer, it searches the file system for e-mail address books. An address book is typically a flat-file database with an easily recognizable name or extension, for example PST for MS Outlook, WAB for Outlook Express, NSF for Lotus Notes, or MAB for Mozilla. The worm code includes the ability to locate and read these address book files.

Using the e-mail addresses harvested from the address books on the victim computer, the worm begins sending copies of itself as attachments to e-mail messages, with one of the harvested addresses used as a phony return address. In geekspeak, falsifying information in a data stream is called “spoofing.” The spoofed return address makes it harder to trace the origin of the messages.

The spoofed return address and sender name are confusing for many users, because they are accustomed to trusting that a message is what it claims to be. When I’m at work, I can always tell when another mass-mailing worm has started up on the Net by the number of calls I get from mystified users wanting to know why they keep getting messages saying that messages they know they never sent have been “bounced” by a destination mail server because of an infected attachment.

The subject line of one of these bogus messages is either a single line preset in the worm’s code (the “Love Letter” worm got its name from the “I love you” subject line of the messages it generated) or one picked from a list of subject lines built into the worm.
Here is a list of the subject lines used by the variant of the MyDoom worm that burst onto the net the week of July 26, 2004:
· hello
· hi
· error
· status
· test
· report
· delivery failed
· Message could not be delivered
· Mail System Error - Returned Mail
· Delivery reports about your e-mail
· Returned mail: see transcript for details
· Returned mail: Data format error

This list is copied from the information page on MyDoom at http://vil.nai.com/vil/content/v_127173.htm, the McAfee Virus Information Library, one of a number of virus information databases operated by antivirus manufacturers and virus researchers. When your computer’s antivirus has alerted you to the presence of a bug, you can go to an online virus library to get details on how to get rid of it and clean up the residual damage.
 
Notice that the subject lines are intended to make the message appear innocuous, or important. Either way, the intent is to trick the recipient into opening the message and the attachment it carries.
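Added example, not code from the article, from McAfee, or from any worm: a small quarantine rule in Python of the kind an ISP or mail-client filter could apply to the messages just described. It flags a message whose subject is one of the MyDoom lines above and which also carries an executable or archive attachment, since a genuine bounce never needs one; the list of risky extensions and both sample messages are constructed for the demonstration.

```python
import email
from email import policy

# Subject lines the article lists for the July 2004 MyDoom variant, lower-cased.
MYDOOM_SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}
# Attachment types able to carry a worm copy: an assumed list, not from the page.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".zip")

def classify(raw):
    """Return 'quarantine', 'suspect' or 'deliver' for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]
    # A real bounce from a mail server never needs an executable attachment,
    # so a worm-style subject combined with one is the strongest signal.
    if subject in MYDOOM_SUBJECTS and risky:
        return "quarantine"
    if risky:
        return "suspect"  # executable payload under a subject not on the list
    return "deliver"

# Constructed sample: worm-style fake bounce with a spoofed sender and a zip.
WORM_SAMPLE = """\
From: spoofed.friend@example.net
To: victim@example.org
Subject: Returned mail: see transcript for details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="transcript.zip"
Content-Disposition: attachment; filename="transcript.zip"

UEsDBAoAAAAAAA==
--b1--
"""
# Constructed sample: a genuine bounce with the same subject but no attachment.
REAL_BOUNCE = """\
From: MAILER-DAEMON@mail.example.org
To: victim@example.org
Subject: Returned mail: see transcript for details

The recipient mailbox does not exist.
"""
```

The same subject line on the real bounce is delivered, which is the point: the subject alone is only a hint, the attachment is what makes the message dangerous.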

Why Do They Do It?

It’s not difficult to imagine thousands of computers infected shortly after the release of a mass-mailer, each sending dozens or even hundreds of e-mails with infected attachments. That alone could clog e-mail gateways and slow or even interrupt the delivery of e-mail at some domains, but the mass-mailer usually has a more disruptive mission.
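Added example, not from the article: a rate rule in Python that a network administrator could run over outbound-connection logs to spot a host behaving like the mass-mailer just described, that is, opening many SMTP connections in a short window. The log format, the 60-second window and the threshold of 20 connections are assumptions, and the log itself is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def mass_mailer_hosts(log_lines, window_seconds=60, threshold=20):
    """Source hosts that open more than `threshold` outbound SMTP (port 25)
    connections within any `window_seconds` span of the log."""
    recent = defaultdict(deque)  # per-host timestamps inside the window
    flagged = set()
    for line in log_lines:  # assumed format: "<date> <time> <src> -> <dst>:<port>"
        date, time, src, _, dst = line.split()
        if not dst.endswith(":25"):
            continue  # only SMTP connections matter for this rule
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()  # drop connections that fell out of the window
        if len(q) > threshold:
            flagged.add(src)
    return flagged


def build_sample_log():
    """Constructed log: one host bursts 30 SMTP connections in a minute, a
    second host sends three messages in an hour, a third only browses."""
    start = datetime(2004, 7, 26, 9, 15, 0)
    lines = []
    for i in range(30):
        t = start + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 192.168.1.23 -> 203.0.113.{i % 10}:25")
    for i in range(3):
        t = start + timedelta(minutes=20 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 192.168.1.40 -> 198.51.100.7:25")
    lines.append(f"{start:%Y-%m-%d %H:%M:%S} 192.168.1.41 -> 198.51.100.8:80")
    return sorted(lines)  # fixed-width timestamps sort chronologically
```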

Mass-mailing worms frequently install a “backdoor” on the victim computer. A backdoor is a modification to the system that opens part of the operating system at a known location, and it may also include some sort of “beacon” so that the cracker who released the worm can find compromised computers and take control of them. A computer that has been taken over by a hacker is called a “zombie” or a “bot.” With enough bots, it’s possible to launch an attack against a specific Internet site, for example by ordering all the compromised computers to send rapid-fire streams of requests to a Web server, making it impossible for any legitimate user to access the service.

A more common use of bots these days is spam delivery. Some hackers control great numbers of compromised computers that can be used to deliver huge amounts of spam e-mail. Computer crime investigators estimate that as many as 10% of the computers on the Internet may have “botnet” code present in their systems. A botnet is a group of bots that can be controlled by a single “herder,” who can use them to deliver spam or launch an online attack. The spam messages can be a serious threat in themselves because they might contain keystroke loggers, password stealers or other threats to the security of your online information. The files needed to do this bit of dirty work can be made to look like legitimate files running essential system processes, so the operating system will protect them and keep them from being stopped or deleted.


Why Have Mass-mailing Worms Been Successful?
Mass-mailing worms have been successful for several reasons:

E-mail is inherently insecure – The people who invented the Internet were concentrating on simplicity and ease of use, not security, when they developed the e-mail protocols.

Users don’t think before opening messages and attachments – E-mail seems safe, especially if the message appears to be from someone the recipient knows, but because e-mail is insecure, nothing can be taken for granted.

Many personal computers are poorly protected or not protected at all – Operating systems and software are far from perfect and can contain security holes. Manufacturers announce patches and hotfixes and make them available through the Web, but it’s the owner’s responsibility to install them and take measures to keep the system safe.

How Do You Defend Yourself?
Two words: “Be proactive.” You know the threat exists, so take it into account when using your e-mail. You need a multi-layered defense against this and all other e-mail threats.

Start with your Internet service provider (ISP). Does it offer e-mail filtering? If so, use it; if not, get another ISP that does. As an example, Earthlink offers spam and virus filtering on its subscribers’ e-mail accounts. Spam, questionable e-mails, and infected messages are held in special inboxes that users access through the Web. Other messages are allowed through to the user’s e-mail client software. The quarantined messages can be viewed, passed on to the client inbox or deleted through the Web interface.

ISP filtering is a good start, but no system is perfect, so you need additional lines of defense. On the computer itself, you should install an antivirus and keep it updated so it will be able to recognize new viruses as well as old ones.

Your e-mail client software might have some built-in protection features. Learn what they are and consider using them. These controls can be particularly useful in protecting against e-mail sent in HTML (webpage) form. The temporary communication link that opens between your computer and a Web server can be used to send and execute virus code as easily as sending a Web-based solicitation to buy some product. I recommend you turn off the HTML mail feature, or severely restrict its options, as is possible in MS Outlook and some other e-mail software.

Keep your operating system updated and patched. Closing security holes has been the most common reason for manufacturers to release operating system patches.

Use a firewall. A firewall can keep infected computers from opening covert sessions with your computer and will log attempts at unsolicited connections with your computer.

Use your head – The most effective security tool I know of is the user’s good sense. Question all unsolicited messages that show up in your e-mail inbox regardless of the name of the sender. Remember, return addresses and sender names can be easily spoofed so they should never be taken for granted. When in doubt, you can always send a message back to the sender and ask if the message is the real article.
 
You can e-mail specific computer questions to Roy Jones at streetleveltech@hotmail.com.
