Strangers with candy

Written by Rik Farrow, Contributor

When you were growing up, did your mother and father tell you not to take candy from strangers? The same strategy used successfully by child molesters and kidnappers works just as well for miscreants on the Internet. Nowadays, however, the bait isn't candy, and the victim is your computer.

A "new" worm, dubbed OnTheFly or AnnaKournikova, hit hundreds of sites starting last Monday morning. According to TrendMicro and F-Secure, the worm was written by a Dutch script kiddie who goes by the name "OnTheFly" using the VBS Worm Generator toolkit. This tool lets someone with little programming skill generate a mass-mailing worm, and its optional payloads include routines for crashing victims' systems.

A CERT advisory explains what you can do to avoid the worm.

More accurately, the CERT advisory tells you what you should already have done to prevent OnTheFly. Microsoft released a patch designed to deal with the ILOVEYOU worm way back on June 7, 2000. The OnTheFly worm uses exactly the same tactic as ILOVEYOU: provide an attachment with an intriguing name that is actually a Visual Basic script (.vbs). When an Outlook user receives the worm as e-mail, the user must double-click the attachment to open it. The user is expecting a picture; instead, a program executes, and Windows decides what to run by the last extension in the name, not by the ".jpg" that appears in the middle. Microsoft's patch to Outlook would have prevented this from happening.

Why didn't people install the patch? The first answer to that question appears painfully obvious. Just read the instructions for installing the patch. I was confused, though maybe people more familiar with Microsoft products would understand it better than I did.

But there are other good reasons for avoiding this patch. Greg Shipley of Neohapsis, a security consulting firm, says the patch is too draconian for most people. The part of the patch that stops worms like ILOVEYOU and OnTheFly also prevents Outlook from ever displaying an executable attachment (those with file extensions of .com, .exe, .vbs, .bas, and .js), as well as shortcuts and URLs. Instead, the Outlook user gets warned (in the case of OnTheFly) that:

Outlook removed the following unsafe attachments: AnnaKournikova.jpg.vbs

The Microsoft patch works. In fact, it works too well. Shipley says that once you have installed the patch, you cannot uninstall it. And the patch prevents you from receiving any executable content, which includes, for example, Exchange custom forms. So not only are you invulnerable to the OnTheFly worm, you may also have disabled part of your organization's e-mail system. The Microsoft patch turns out to be an all or nothing proposition.

There are other things you can do. Use anti-viral products, and keep them updated. People with up-to-date anti-viral software were generally successful in not falling victim to OnTheFly.

Another technique is to block dangerous attachments as they come in from the Internet at the firewall or mail server. A filter that looks only for ".jpg" in the name will miss the worm; it has to look at the final extension, the one Windows actually acts on. Again, organizations that were doing this were mostly unaffected by OnTheFly--I say mostly, because many organizations exchange e-mail with other business units that did not have the filtering in place. And once the worm gets inside, it propagates freely unless other measures are used.

Disabling the Windows Scripting Host would also have prevented the attack from succeeding, because when you clicked on the attachment, nothing would happen. However, every VBScript file run from the desktop relies on the Windows Scripting Host, so don't plan on using VBS for anything else.
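The gateway filter described above, as an added example that is not code from the column or from any product it mentions. It parses a mail message, walks the MIME parts, and flags any attachment whose last extension (after stripping the trailing dots and spaces Windows ignores) is on a block list. The block list is the column's Outlook list plus a few other extensions Windows executes on double-click; that extension is an assumption, as is the constructed sample message, whose attachment body is a harmless placeholder.

```python
"""Mail-gateway attachment filter: flag MIME parts whose filename would run as
code when opened, including double-extension names like AnnaKournikova.jpg.vbs.
Added example; the sample message below is constructed, not a real worm."""
import email
import os
from email import policy
from email.message import EmailMessage

# The extensions the Outlook patch blocks, per the column, plus .pif/.scr/.lnk,
# which Windows also executes on double-click (assumption: extend as needed).
BLOCKED_EXTENSIONS = {".com", ".exe", ".vbs", ".bas", ".js", ".pif", ".scr", ".lnk"}


def dangerous_name(filename):
    """Return True if an attachment with this name would execute when opened.

    Windows decides what to run by the LAST extension, so 'photo.jpg.vbs' is a
    script no matter how much it looks like a picture. Trailing dots and spaces
    are stripped first because Windows drops them, so 'x.vbs.' still runs.
    """
    if not filename:
        return False
    name = filename.rstrip(" .").lower()
    _, ext = os.path.splitext(name)
    return ext in BLOCKED_EXTENSIONS


def scan_message(raw):
    """Parse a raw RFC 822 message and return the names of attachments that
    should be stripped or quarantined before delivery."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Filename from Content-Disposition, or Content-Type 'name' as fallback
        name = part.get_filename()
        if dangerous_name(name):
            flagged.append(name)
    return flagged


def sample_worm_message():
    """Constructed message shaped like the one the column describes. The From
    header is whatever the sender chose to put there; nothing authenticates it."""
    msg = EmailMessage()
    msg["From"] = "coworker@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Here you have, ;o)"
    msg.set_content("Hi: Check This!")
    msg.add_attachment(b"' placeholder bytes, not the worm\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="AnnaKournikova.jpg.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    print("flagged:", scan_message(sample_worm_message()))
```

Run at the gateway, the flagged names go to a quarantine and the parts are removed before delivery; the check costs nothing more than a string comparison per part, which is why the organizations that had it in place were largely unaffected.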

Which comes back to the strangers with candy analogy. The concept of executing code that arrives attached to e-mail seems foolhardy to me. If a security researcher who I knew well sent me a PGP-encrypted e-mail with an attached executable, with the message "Check this out!", do you think I would execute it? No way! And that's even when I know who sent me the executable, because PGP has verified the sender's identity.

When you receive e-mail, unless you are using PGP or Secure MIME, you do not know who sent you the e-mail. It could be your coworker. It could be a worm. Or it could be a complete stranger who has spoofed your co-worker's e-mail address (it's easy to do, because nothing in ordinary SMTP checks that the From header is true).

The attachment with the attractive description is the candy. Please, don’t take candy from anyone. OnTheFly will not be the last worm to use this strategy.

Rik Farrow is an independent Unix and Internet security consultant who has specialized in Unix system administration and security since 1984. He is an instructor for the Computer Security Institute and has led training sessions at many US and European user groups. Farrow is the author of UNIX System Security, and writes columns for Network Magazine, ;login:, and several Web-based magazines.