It's not often that an incident occurring in the security world captures the essence of larger changes taking place in other areas of the computing landscape. We were "fortunate" enough recently to witness one of those events early last month, with the release of the virus/worm known as Worm.ExploreZip.
We are referring to the similarities between ExploreZip and what many consider one of the seminal events in network security, the Morris worm incident in November 1988. By examining these similarities, and their differences, we get two snapshots in time that show how far we've progressed on many fronts during the past 10 years.
The Morris worm was an elegantly coded, self-propagating entity that checked standard Unix host tables for remote connections, probed hosts at the other end of those connections for common vulnerabilities in services such as Finger and Sendmail, and copied itself to the remote system through these holes. (Many classic papers on the Morris worm can be read at www.cs.purdue.edu/coast/archive; the Seely piece, "Tour of the Worm", is a good start.) This mechanism of propagation was quite effective in the relatively open Internet environment of the late '80s. The worm also disguised itself, and thus was difficult to eradicate. The main effect of the beast was to replicate itself ad infinitum (due to an overlooked bug in its own code) until system resources were totally consumed.
Twenty years later, after many more firewalls have sprung into existence, ExploreZip would have enjoyed a limited debut had it relied on simple host-to-host replication. Being a '90s kind of culprit, however, it sought the one guaranteed chink in the digital armour of modern network defences: e-mail. Once resident in the memory of clients running the Microsoft Messaging Access Protocol Interface (MAPI), ExploreZip sent itself out in responses to incoming e-mail messages. These replies were padded with a convincing bit of social engineering designed to entrap the next recipient into launching it. A secondary mechanism spread this Trojan horse via mounted Windows network drives containing writable Windows system folders. The payload delivered by ExploreZip zeroes the length of certain files (including .doc, .xls, and .ppt), effectively deleting them, in contrast to the much less malevolent intent of the Morris worm. (For more information, see www.symantec.com/avcenter.) ExploreZip copies itself to standard locales, makes minimal efforts to hide, and is easily eradicated.
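The payload behaviour described above (office documents truncated to zero length rather than removed) lends itself to a simple post-incident sweep. The following Python script is an added example written for this page, not code from the column or from any vendor: it walks a directory tree and lists every .doc, .xls or .ppt file that is now zero bytes long, the damage signature the column attributes to ExploreZip. The sample tree it builds is constructed here and includes an intact document and an empty .txt file to show that only zero-length files of the named types are reported.

```python
import os
import tempfile
from pathlib import Path

# Document types the column says the payload zeroes (matched case-insensitively)
TARGET_EXTENSIONS = {".doc", ".xls", ".ppt"}


def find_zeroed_documents(root):
    """Walk `root` and return the sorted, POSIX-style relative paths of
    target-type files whose size is exactly 0 bytes."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TARGET_EXTENSIONS:
                continue
            try:
                size = path.stat().st_size
            except OSError:
                # unreadable or vanished between listing and stat: skip it
                continue
            if size == 0:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data: a temporary directory with two zeroed
    documents, one intact document and one empty non-document file."""
    base = Path(tempfile.mkdtemp(prefix="explorezip_triage_"))
    (base / "finance").mkdir()
    (base / "finance" / "budget.xls").write_bytes(b"")        # zeroed target
    (base / "finance" / "notes.txt").write_bytes(b"")         # empty, but not a target type
    (base / "report.doc").write_bytes(b"intact contents")     # untouched target
    (base / "deck.PPT").write_bytes(b"")                      # zeroed, upper-case extension
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel in find_zeroed_documents(sample):
        print(rel)
```

A zero-length document is an indicator of damage, not proof of it: a user may legitimately have saved an empty file, so the list is a starting point for restoring from backup and for scoping which shares the Trojan reached through writable network drives, not a verdict on its own.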
We have done away with some of the most obvious trust relationships that assisted the spread of the Morris worm. But what to do about e-mail and end users with itchy mouse fingers? Like the common cold, this bug apparently will be with us for a long time.
Remedies for these maladies have improved slightly. The scramble at the University of California, Berkeley and MIT to understand the Morris worm and to hand-code patches in a matter of days for vulnerable software has been replaced by the smooth distribution of virus-signature update files from anti-virus software vendors.
But is it really the responsibility of antivirus software to solve this problem? This is the second major incident this year that relied on MAPI to propagate itself. Microsoft seems to think that admonishing users to be wary of file attachments within the Outlook GUI is sufficient. (For Microsoft's exact words, see www.microsoft.com.) How about reducing the capability of mail attachments to generate spam?
In the end, the problem falls into the laps of the network administrators. Some creative solutions we've heard included sending companywide e-mails in an effort to smoke out infected end users when ExploreZip diligently responds to the query. Of course, no matter how creative you get, combating these nuisances ends up taking a huge chunk out of a dwindling budget. Companies spent $7.6 billion on virus attacks in the first two quarters of 1999, according to Computer Economics, in Carlsbad, Calif. (www.computereconomics.com). Such is the cost of doing electronic business, something that Robert Tappan Morris, author of the original worm, probably never considered.
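The "smoke out" trick mentioned above works because an infected client answers any incoming message automatically, while a human answering an administrator's query sends text, not an executable. The Python below is an added example, not code from the column or from any administrator quoted in it: it parses a batch of raw replies with the standard email module, keeps only those threaded to the canary message (matched on the In-Reply-To and References headers against a constructed Message-ID), and reports the senders whose reply carries an executable-type attachment. The sample replies, sender addresses and attachment names are constructed here; the assumption that a genuine human reply never carries an executable is the heuristic the example rests on.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed Message-ID of the company-wide canary query the administrator sent
CANARY_ID = "<canary-19990701@example.com>"

# Attachment types a person answering a plain-text question would not send back
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".pif", ".vbs")


def triage_replies(raw_messages, canary_id=CANARY_ID):
    """Return a list of (sender, [attachment names]) for every reply to the canary
    that carries an executable attachment. Replies to other threads and replies
    with only documents or no attachment at all are ignored."""
    suspects = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        threading = " ".join(str(msg.get(h, "")) for h in ("In-Reply-To", "References"))
        if canary_id not in threading:
            continue
        names = [part.get_filename() or "" for part in msg.iter_attachments()]
        flagged = [n for n in names if n.lower().endswith(EXECUTABLE_SUFFIXES)]
        if flagged:
            suspects.append((str(msg["From"]), flagged))
    return suspects


def make_reply(sender, in_reply_to, body, attachment=None):
    """Build a constructed raw reply; `attachment` is (filename, data, maintype, subtype)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "admin@example.com"
    msg["Subject"] = "Re: Is anyone seeing unusual e-mail?"
    msg["In-Reply-To"] = in_reply_to
    msg.set_content(body)
    if attachment:
        filename, data, maintype, subtype = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_string()


# Constructed replies: two humans (one attaching a real document), one automated
# response carrying an executable, and one executable in an unrelated thread.
SAMPLE_REPLIES = [
    make_reply("alice@example.com", CANARY_ID, "Nothing unusual here."),
    make_reply("bob@example.com", CANARY_ID, "My notes are attached.",
               ("notes.doc", b"meeting notes", "application", "msword")),
    make_reply("carol-pc@example.com", CANARY_ID, "Thanks for your note, please see the attached file.",
               ("zipped_reply.exe", b"MZ\x90\x00", "application", "octet-stream")),
    make_reply("dave@example.com", "<other-thread@example.com>", "Unrelated message.",
               ("tool.exe", b"MZ", "application", "octet-stream")),
]


if __name__ == "__main__":
    for sender, files in triage_replies(SAMPLE_REPLIES):
        print(f"{sender}: {', '.join(files)}")
```

Feeding the script a mailbox exported from the administrator's account gives a list of workstations to isolate and clean; threading on the canary's Message-ID rather than on subject text keeps ordinary replies to other conversations out of the result.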
It is a dubious honour indeed to be the target platform for malicious hackers. Is Microsoft ready to inherit the mantle worn in 1988 by non-Windows operating systems? ExploreZip suggests that it will, like it or not: rhosts and Sendmail have been replaced by NetBIOS and MAPI, for better or worse. Send your thoughts on the evolution of network parasitism to email@example.com.
Who's the fellow in the black hat?
One indicator that Microsoft's heart may be in the right place is its co-sponsorship of last week's Black Hat Briefings in Las Vegas, where the Security Watch team was again in attendance (www.blackhat.com). Keep your eyes on this space for coverage of the conference and the ensuing DefCon hackers gathering, where Back Orifice 2000's debut was rumoured to be showy.
Stuart McClure is a senior manager and Joel Scambray is a manager at Ernst & Young's eSecurity Solutions group. They have managed information security in academic, corporate, and government environments for the past nine years.