
Worm chatter

Sep 16, 2003

* Anti-virus programs’ responses only add to worm chatter

As everyone probably knows firsthand by now, we’ve all been suffering through a particularly bad period of worm infestation on the ‘Net lately. Variants of the Sobig and Blaster (a.k.a. LovSan) worms (often called “viruses” in press reports) caused major hang-ups worldwide.

I want to focus today on the Sobig worm and other electronic thugs that use a victim’s e-mail address book to send out lots of e-mail messages. Many of the worms use their own SMTP interface, bypassing the victim’s e-mail client program and thus leaving no obvious trace (e.g., “sent” messages) that the user can spot early on in the infection.

Worse still, modern worms often use the victim’s address book not only for targets (destination addresses) but also to forge SMTP headers using spoofed origination addresses. That is, the worms are written to make it appear that their infected traffic comes from someone whose address has been picked up from another victim’s address book.

Some anti-virus programs respond to infected e-mail messages by sending a notice to the apparent originator of the infected message. For example, you may have received messages like this one:

Sent: Thursday, September 04, 2003 22:30

Subject: Virus Detected by Network Associates, Inc. Webshield SMTP V4.5 MR1a

Network Associates WebShield SMTP V4.5 MR1a on mimesweeper detected virus W32/Sobig.f@MM in attachment document_all.pif from> and it was Cleaned and Quarantined.

At one time, such messages were helpful to the victims of worm and virus infections because:

(a) many victims lacked anti-virus products

(b) the infected e-mail actually came from the indicated sender

Unfortunately, although (a) may be true, (b) is almost certainly false. The chances that an infected message is coming from the indicated FROM address are small – they are 1/N where N is the total number of addresses in the e-mail address book of the actual victim (assuming that the victim’s own e-mail address is included in their list). So the chance that the automatic notification will go to a wrong address in a single infection is (N-1)/N.

If a victim has 1,000 addresses in his or her address book then the probability that replying to an infected message will reach the wrong person is 99.9% for a single incident.
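To make the arithmetic concrete, here is an added model (not code from the column) of one infected host mailing every entry in its address book with a From: address forged from that same book, and of gateways that auto-notify the From: address. The addresses and the book size are constructed; the model assumes the worm picks the forged sender uniformly from the book and sends one message per entry.

```python
"""Model of anti-virus 'notify the sender' backscatter for a mail worm that
forges its From: address from the victim's address book (constructed example)."""
from collections import Counter
from fractions import Fraction
import random


def expected_misdirection(n_addresses: int) -> Fraction:
    """Probability that a notice sent to the forged From: address misses the
    real victim: (N-1)/N when From: is drawn uniformly from a book of N
    entries that includes the victim's own address."""
    return Fraction(n_addresses - 1, n_addresses)


def simulate_outbreak(victim: str, address_book: list[str],
                      notify_sender: bool, seed: int = 1) -> dict:
    """One infected host sends one message per address-book entry, each with
    a forged From: chosen from the book. If receiving gateways auto-notify
    the From: address, count where those notices land and the total traffic."""
    rng = random.Random(seed)          # fixed seed: repeatable run
    worm_messages = 0
    notices = Counter()                # recipient of each auto-notice
    for _target in address_book:
        forged_from = rng.choice(address_book)   # spoofed origin, as the column describes
        worm_messages += 1
        if notify_sender:
            notices[forged_from] += 1  # notice goes to the forged sender, not the victim
    notice_count = sum(notices.values())
    reached_victim = notices[victim]
    return {
        "worm_messages": worm_messages,
        "notices": notice_count,
        "reached_victim": reached_victim,
        "misdirected": notice_count - reached_victim,
        "total_traffic": worm_messages + notice_count,
    }


def build_book(n_addresses: int, victim: str) -> list[str]:
    """Constructed address book of n_addresses entries including the victim."""
    return [victim] + [f"user{i}@example.invalid" for i in range(1, n_addresses)]


if __name__ == "__main__":
    victim = "victim@example.invalid"
    book = build_book(1000, victim)
    print("expected misdirection:", expected_misdirection(len(book)))
    print("with notification:", simulate_outbreak(victim, book, notify_sender=True))
    print("without notification:", simulate_outbreak(victim, book, notify_sender=False))
```

With notification enabled the run doubles the message count while almost every notice lands on an uninfected bystander, which is the (N-1)/N result above in practice.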

What was once a courteous and helpful practice has now become an annoying contribution to the wasteful traffic generated by the worm, potentially doubling the number of spurious messages (for every one from the worm there’s one from the anti-virus software). I recommend that system administrators now disable the automatic notification to the supposed origin of infected messages. It’s just not working anymore.

It’s time to cut the worm chatter.