REDWOOD CITY, Calif.--(BUSINESS WIRE)--Nov. 17, 2004--Clearswift, the MIMEsweeper company and world's No. 1 in content security, is urging businesses to consider deploying a multi-layered defense against viruses following ThreatLab analysis of the Bofra variant of MyDoom.
Antivirus experts have noted that this week's Bofra worm exploits an unpatched buffer overflow vulnerability in Microsoft's Internet Explorer to infect systems. The worm reuses proof-of-concept code that was posted to the Full Disclosure security list just seven days earlier, on Tuesday, Nov. 2. This in itself is noteworthy: it shows how quickly virus writers can turn published proof-of-concept code into a working worm.
There are, however, quite remarkable aspects of these recent incidents that have largely escaped attention: this MyDoom variant employs a novel spreading strategy. The worm e-mails itself to addresses found on the infected machine, but the e-mail carries no attachment and no malicious script code in its HTML. It simply contains a link back to the previously infected host in the chain, on which the worm has installed a small Web server. Not every infected machine has a publicly reachable IP address, and some sit behind firewalls that block inbound connections. Nonetheless the numbers seen in the wild are significant, and the strategy is clearly working.
In the past, virus writers have placed links in their e-mails to Web servers under their control, but those servers had a finite number of static IP addresses and could be taken down promptly once identified. The virus writers have neatly sidestepped this problem: the links used by these worms point at a constantly changing set of infected machines and so represent a moving target. It is simply impractical to chase around closing down each infected host.
Not only has the strategy rendered Web site take-down responses useless, the technique has largely cut antivirus analysis out of the loop. The e-mail contains no viral code (neither attachment nor script), so there is little to analyze: an arbitrary URL on its own gives an antivirus engine nothing meaningful to work with.
"Where antivirus defenses meet their limitations, content filtering security comes into its own," commented Pete Simpson, manager of ThreatLab at Clearswift. "Our MIMEsweeper family of content filtering solutions provides a double-pronged protection against this threat, illustrating the benefit of deploying a multi-layered defense against viruses and other malicious code."
Firstly, the worms employ their own built-in SMTP (Simple Mail Transfer Protocol) engines. These can produce very distinctive SMTP mail header characteristics, as is the case with the Bagle worm. Others, such as MyDoom, attempt to mimic the headers written by Outlook Express, but small flaws give the game away, and it is possible to identify MyDoom as the source of an e-mail from those flaws alone. MIMEsweeper for SMTP already detects all new Bagle variants in this way, and work in progress will extend the same definitive identification to the new MyDoom worms.
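The following is an added illustration of the header-fingerprinting idea, not Clearswift's own detection code or its signatures. It checks whether headers a message claims were written by Outlook Express actually have the shape that client produces; the Message-ID and MIME-boundary patterns it uses are assumptions made for this example, and the two messages are constructed, not captured worm samples.

```python
import email
import re

# Illustrative header shapes (assumptions for this example, not Clearswift's
# signatures): a Message-ID written by Outlook Express looks like
# <12 hex digits$8 hex$8 hex@hostname>, and its MIME part boundary begins
# with ----=_NextPart_ followed by fixed-width hex fields.
OE_MESSAGE_ID = re.compile(r"^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}@[^@>\s]+>$")
OE_BOUNDARY = re.compile(r"^----=_NextPart_[0-9]{3}_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}$")


def header_findings(raw_message: str) -> list[str]:
    """Return the names of header inconsistencies found in one RFC 822 message.

    An empty list means the headers are self-consistent with the mail client
    they claim; a mismatch suggests a home-grown SMTP engine imitating it.
    """
    msg = email.message_from_string(raw_message)
    findings = []

    message_id = (msg.get("Message-ID") or "").strip()
    if not message_id:
        findings.append("missing-message-id")

    mailer = msg.get("X-Mailer") or ""
    if "Outlook Express" in mailer:
        # The client is claimed; now check the artefacts it would have written.
        if not OE_MESSAGE_ID.match(message_id):
            findings.append("message-id-not-oe-format")
        if msg.is_multipart():
            boundary = msg.get_boundary() or ""
            if not OE_BOUNDARY.match(boundary):
                findings.append("boundary-not-oe-format")

    if msg.get("Date") is None:
        findings.append("missing-date")
    return findings


# Constructed sample: claims Outlook Express, but the Message-ID and boundary
# were generated by something else. The body is a bare link, as described above.
FORGED_OE_MESSAGE = """\
From: colleague@example.com
To: victim@example.org
Subject: hi
Date: Wed, 10 Nov 2004 13:05:12 +0000
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
Message-ID: <1100092712.4417@example.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="abc123"

--abc123
Content-Type: text/html; charset="iso-8859-1"

<html><body><a href="http://192.0.2.10:1639/">see this</a></body></html>

--abc123--
"""

# Constructed sample whose headers match the assumed Outlook Express shapes.
GENUINE_OE_MESSAGE = """\
From: colleague@example.com
To: victim@example.org
Subject: minutes
Date: Wed, 10 Nov 2004 13:07:40 +0000
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
Message-ID: <000601c4c72a$1a2b3c4d$0201a8c0@workstation>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0003_01C4C732.A1B2C3D4"

------=_NextPart_000_0003_01C4C732.A1B2C3D4
Content-Type: text/plain; charset="iso-8859-1"

Minutes attached tomorrow.

------=_NextPart_000_0003_01C4C732.A1B2C3D4--
"""

if __name__ == "__main__":
    for label, sample in (("forged", FORGED_OE_MESSAGE), ("genuine", GENUINE_OE_MESSAGE)):
        print(label, header_findings(sample))
```

A gateway filter would run a check like this on every inbound message and quarantine or tag those whose claimed client and actual header artefacts disagree; the value of the approach is that it needs no copy of the worm body at all.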
Secondly, when the user clicks on the e-mail link, the small Web server on the previously infected host in the chain serves up an HTML page containing JavaScript. When that page is loaded, the JavaScript triggers the buffer overflow condition in Internet Explorer and injects and executes the worm's infection code on the desktop. MIMEsweeper for Web can identify the distinctive properties of that JavaScript and recognize it as an attempt to inject code designed to cause a buffer overflow.
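As an added illustration of what a Web content filter can look for in such a page (this is not MIMEsweeper's logic, and the thresholds and patterns are assumptions chosen for the example), the function below scans fetched HTML for the traits that distinguish overflow-triggering JavaScript from ordinary scripts: long runs of one repeated byte or escape unit (a NOP-sled-like pad), long `unescape("%u....")` sequences carrying machine code, a string-doubling loop that fills memory, and HTML attribute values far longer than any legitimate page needs. Both sample pages are constructed for the example.

```python
import re

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Attribute values in the markup that remains once scripts are removed.
ATTR_RE = re.compile(r'\b([A-Za-z-]+)\s*=\s*"([^"]*)"')
# unescape("%u9090%u9090...") with a run of 16-bit escapes (shellcode-like).
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]((?:%u[0-9a-fA-F]{4})+)")
# The same unit (\xNN escape, %uNNNN escape, or a single non-space character)
# repeated 64 or more times in a row: a padding / sled pattern.
SLED_RE = re.compile(r"((?:\\x[0-9a-fA-F]{2}|%u[0-9a-fA-F]{4}|\S))\1{63,}")
# "s += s": a string that doubles itself on every iteration.
DOUBLING_RE = re.compile(r"\b(\w+)\s*\+=\s*\1\b")

MAX_ATTR_LEN = 512          # assumption: legitimate attributes are far shorter
MIN_SHELLCODE_ESCAPES = 16  # assumption: 16 x %uNNNN = 32 bytes of code


def score_page(html: str) -> list[str]:
    """Return the names of overflow-attempt heuristics that fire on one page."""
    findings = []

    markup_only = SCRIPT_RE.sub("", html)
    for name, value in ATTR_RE.findall(markup_only):
        if len(value) > MAX_ATTR_LEN:
            findings.append("long-attribute")

    for script in SCRIPT_RE.findall(html):
        m = UNESCAPE_RE.search(script)
        if m and len(m.group(1)) // 6 >= MIN_SHELLCODE_ESCAPES:
            findings.append("unicode-shellcode")
        if SLED_RE.search(script):
            findings.append("repeated-unit-run")
        if DOUBLING_RE.search(script):
            findings.append("string-doubling-loop")
    return findings


# Constructed page in the style of an overflow-triggering exploit: a padded
# shellcode string, a memory-filling loop, and an oversized attribute value.
MALICIOUS_PAGE = (
    "<html><body>\n"
    "<script>\n"
    'var sc = unescape("' + "%u9090" * 64 + '%u4141%u4242");\n'
    'var pad = unescape("%u0c0c");\n'
    "while (pad.length < 0x100000) pad += pad;\n"
    "</script>\n"
    '<iframe src="http://192.0.2.10:1639/x.html" name="' + "A" * 2000 + '"></iframe>\n'
    "</body></html>\n"
)

# Constructed ordinary page that should trigger nothing.
BENIGN_PAGE = """\
<html><body>
<script>
function greet(name) { var msg = "Hello, " + name; return msg; }
</script>
<a href="http://www.example.com/news">News</a>
</body></html>
"""

if __name__ == "__main__":
    print("malicious:", score_page(MALICIOUS_PAGE))
    print("benign:", score_page(BENIGN_PAGE))
```

Each heuristic on its own will occasionally fire on legitimate content (some pages do build long strings in loops), so a filter would normally block on a combination of them rather than on any single hit, and tune the thresholds against the traffic it actually sees.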
Firewalls also play a crucial role in this kind of scenario. Should an infection occur inside corporate perimeter defenses, the infection chain will come to an abrupt end: when, at the next stage, an external user clicks on the link in their e-mail, the connection to the infected host's Web server will be stopped at the firewall. Furthermore, any corporation that allows SMTP connections directly from user desktops, rather than only from its mail servers, would need to seriously review its security policy. Home users simply must install a personal firewall, both to nip this kind of worm in the bud and for many other basic security reasons.
Clearswift's October Virus Index revealed that MyDoom-O was the 8th most prominent virus of the month. Netsky variants dominated the charts with five entries in the top 10. According to the analysis, Netsky variants made up 65.8% of all viruses while MyDoom variants made up 7.2%.
See accompanying image for details.
The virus statistics are generated using raw data from Clearswift's e-Sweeper(TM), a managed e-mail content security solution for service providers.
About Clearswift
Clearswift secures content and protects against digital attacks by enforcing security policies that increase productivity, reduce IT costs and create a safer business environment. Its world-leading business is founded on providing Total Content Security for e-mail and Web.
The Internet is the greatest business tool ever invented, but with it comes a harrowing collection of threats. Protecting against the circulation of inappropriate images and text, spam, breaches of confidentiality, and viruses is now mission critical.
Clearswift enables organizations to protect themselves against digital attacks, meet legal and regulatory requirements, implement productivity-saving policies and manage intellectual property passing through their network.
About MIMEsweeper(TM) for SMTP 5.0
MIMEsweeper for SMTP 5.0 is the most comprehensive enterprise class e-mail content security solution available in the market, delivering the best scalability and robustness anywhere. It is a best-of-breed solution that counters all content security threats -- spam, viruses, worms, Trojan horses and denial-of-service (DoS) attacks -- while allowing companies to remain compliant and meet best-practice standards.
MIMEsweeper allows consistent policy definition and enforcement, through automated policy replication. This new version incorporates a "roles-based" approach to administration too, moving mail management from back office to the front office. This allows, for example, the HR department -- rather than IT -- to implement company mail policy on, say, profanity, sexism or racism. Its unique approach to system management allows for hierarchical devolvement of duties to multiple administrators. IT managers can delegate specific responsibilities, such as server monitoring, access to particular quarantine areas and reporting, to the most appropriate administrators or department, therefore spreading the load of administration and significantly reducing the time it takes to process blocked e-mails.
About e-Sweeper(TM)
e-Sweeper is a managed e-mail content security solution for service providers. Experienced professionals handle protection from content threats at the e-mail gateway, freeing the organization from the cost of implementing the hardware, software and administration expertise necessary to effectively stop the myriad of content security threats.
Clearswift, MAILsweeper, MIMEsweeper, spamActive and ENTERPRISEsuite are trademarks or registered trademarks, in the United States, United Kingdom and certain other countries, of Clearswift Limited. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.
