Why MyDoom-like attacks will persist

Is email doomed by the IT industry's greed?

Already, experts are beginning to talk about how MyDoom revealed the inadequacies of countermeasures designed to thwart such attacks. Respectively, MyDoom and Sobig rank first and second in terms of the severity and global scope of the damage. Just in case security experts get too focused on the distributed denial of service (DDoS) component of MyDoom, let's not forget that both attacks had some commonalities that the vendor community has so far refused to collectively deal with, despite being asked to intervene.

Were it not for the greed of many email technology companies and Internet Service Providers (ISPs) who are looking for ways to capitalise on the root cause of these two transgressions (spam), a majority of the undesirable results from Sobig and MyDoom (ranging from inbox nuisance to monetary damage) could have been avoided.

Who's on my "most greedy" list? First, the ISPs through whose systems most of the Internet's email traverses. This group includes Yahoo, MSN, Earthlink and AOL, among others. Second on my list are the companies that make the email client and server technologies that send and receive email. This group includes IBM, Microsoft, Novell, and Qualcomm (makers of Eudora), to name a few.

Unfortunately, the revenue potential associated with stopping spam appears to be more seductive than the social responsibility that goes with being influential Netizens. While direct blame for the problem lies with the perpetrators, the aforementioned technology companies are now equally culpable for failing to do the right thing.

Ultimately, however, as Internet users we must share some of the blame because we haven't held those companies accountable by hitting them where it hurts most -- in their pocketbooks.

Anatomy of the modern-day attack
Now, let's look at how the MyDoom virus attack implicates email as the weak link. Perhaps the most headline-grabbing aspect of MyDoom was the way in which experts were able to predict what was going to happen next, but could do almost nothing about it. It was as if the virus were Hurricane Andrew bearing down on South Florida. We saw it coming, we knew how bad it was and where it was going to land. But, there was little that could be done to keep Andrew from wreaking havoc.

One reason MyDoom was worse than Sobig is that it took the basic email-borne virus principle of Sobig and added a DDoS component to it. In my analysis of Sobig (where I similarly held our technology companies accountable for failing to prevent it), I fell short of describing the next evolutionary step for such attacks, but dropped a pretty good hint when I said, "It's bad enough that Sobig, in DDoS fashion, is deputising thousands of systems across the Internet to send Net-artery clogging traffic."

After watching MyDoom knock SCO's domain off the Internet, I'm not sure anything can be done about DDoS attacks. After all, what is a DDoS attack? It's when systems that are distributed all over the world all send requests to the same entity (could be a Web server, an FTP server, an email server, an entire domain, etc.) at precisely the same time. If enough systems are enlisted in the attack, the target (or the paths to it) becomes so overwhelmed that a majority of the requests, including the legitimate ones, either can't get through or can't be serviced because the network is too congested or the system is too busy.

Jeff Carlon, SCO director of worldwide IT infrastructure, knows this principle all too well. In my interview with him, Carlon said that as the attacks become more sophisticated, it's becoming more difficult to detect and defend against them.

Indeed, the DDoS attack launched by the MyDoom virus had certain signature characteristics that helped SCO to survive the initial wave of traffic and Microsoft to successfully thwart it. Microsoft, incidentally, had very little to say about how it managed to thwart the DDoS that targeted its Web site other than that, by the time the attack was scheduled to launch itself, the number of infected machines that participated in the attack was greatly reduced.

In the same way that MyDoom represents an evolutionary step over Sobig, I can guarantee you that the evolution of these DDoS attacks hasn't reached an end point. For example, one signature element of the MyDoom DDoS was the number, size, and frequency of packets that infected systems were sending to SCO's Web site. Anyone who thinks that the perpetrators of these attacks won't come up with mutations that are harder to detect is fooling themselves.

Putting myself in the shoes of such a person for a moment, what would stop me from making sure each attacking system spits out a different number of packets, each of varying size, and with random frequency? Whereas Carlon was able to say with some confidence that a single system that spewed 64,000 packets at SCO's Web site over a period of a few seconds was probably involved in the DDoS attack, the next attack could involve many more systems each sending far fewer packets, thus making it more difficult to separate the bogus traffic from the legitimate traffic.
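The detection problem described above, as an added example that is not from the original column: a per-source packet-rate threshold (the "64,000 packets in a few seconds" rule of thumb) against a per-destination aggregate, run over constructed flow summaries for both a concentrated flood and a flood spread thinly across many hosts.

```python
from collections import defaultdict

# Constructed flow summaries, not real data: (second, source, destination, packets).
# Scenario A mirrors the pattern the text describes: one host sends tens of
# thousands of packets to one site within a few seconds, beside one normal visitor.
CONCENTRATED = [(t, "10.0.0.1", "www.example", 16000) for t in range(4)]
CONCENTRATED += [(t, "10.0.0.9", "www.example", 20) for t in range(4)]

# Scenario B is the mutation the text warns about: the same total volume spread
# over 800 hosts, each sending no more than a normal visitor would.
DISTRIBUTED = [(t, f"10.1.{i // 256}.{i % 256}", "www.example", 20)
               for t in range(4) for i in range(800)]


def _rate_by(records, key_index, window, threshold):
    """Sum packets per key over any `window`-second span; return keys reaching threshold."""
    per_key = defaultdict(lambda: defaultdict(int))
    for second, src, dst, count in records:
        per_key[(src, dst)[key_index]][second] += count
    flagged = set()
    for key, per_second in per_key.items():
        for start in sorted(per_second):
            total = sum(c for s, c in per_second.items() if start <= s < start + window)
            if total >= threshold:
                flagged.add(key)
                break
    return flagged


def suspicious_sources(records, window=5, threshold=64000):
    """Per-source rule: hosts that alone exceed the threshold within the window."""
    return _rate_by(records, 0, window, threshold)


def overloaded_destinations(records, window=5, threshold=64000):
    """Per-destination rule: targets receiving threshold packets within the window."""
    return _rate_by(records, 1, window, threshold)


if __name__ == "__main__":
    print("per-source, concentrated:", suspicious_sources(CONCENTRATED))
    print("per-source, distributed: ", suspicious_sources(DISTRIBUTED))
    print("per-destination, both:   ", overloaded_destinations(CONCENTRATED),
          overloaded_destinations(DISTRIBUTED))
```

The aggregate rule still notices that the site is being flooded, but it cannot say which of the 800 sources are bogus, which is exactly the separation problem the text raises.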

While evolving the Net's defences against DDoS attacks is a worthy cause, my fear is that if we take our eyes off the real issue -- that of a broken email system -- we'll never see an end to this problem. Whereas the first wave of the DDoS genre of attacks involved coordinated attacks by a handful of systems under the direct control of the perpetrators, the second wave involved the transmission of the attacking code to unwitting participants using worms. The first wave was easy to stop with common anti-DDoS tools. But the second wave required more vigilance on the transmission front -- shutting down the worms. Have you noticed that we don't hear nearly as much about worms now? Likewise, stopping this third wave of DDoS attacks must focus on the method of transmission -- email.

Like Sobig, MyDoom distributed its payload in a very sneaky way. Not only did MyDoom get each infected system to send itself via email to other systems, it spoofed the sender's address in the process of doing so. If your system became infected, and it subsequently sent the virus via email to someone in your Outlook address book, it first changed the FROM address to an address other than yours to make it look to the recipient as though it didn't come from you.

If the Internet's email standards had been fixed by now (which they could easily have been) to make sure that when you receive an email, it actually came from who it says it came from (a form of authentication), then your system, or one of the ones through which that email passed on its way to you, would have ultimately prevented you from receiving and opening that email and infecting your system. Had such a credential and authentication system been in place, Sobig and MyDoom would have been stopped dead in their tracks.

Unfortunately, despite AOL giving an interesting authentication approach called SPF a try (a move which is to be commended and an example that I wish others would follow), such a universally supported system doesn't exist. The reason is that, in the same way it would have stopped the emails carrying Sobig and MyDoom, it would also have stopped other unwanted emails, otherwise known as spam. For such a system to work, all of the various email systems and providers would have to agree to support a single authentication and credential standard that allows their systems to seamlessly interoperate with each other. So far, despite numerous calls for the email community to develop and support such interoperable authentication and credential standards, most members of the email community are still trying to beat each other to the ultimate-spam-solution punch with stand-alone, proprietary solutions that will win them more customers and revenue.
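To make the sender-authentication argument concrete, here is an added example (not the column's own, and not AOL's implementation) of a minimal SPF-style check: the sending domain publishes which IP addresses may send for it, and a receiver compares the connecting address against that policy. The record table is a constructed stand-in for DNS TXT lookups, and the domains and addresses in it are invented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are not real domains or records.
SPF_RECORDS = {
    "victim.example": "v=spf1 ip4:192.0.2.0/28 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 -all",
    "lax.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate sender_domain's SPF policy against the connecting IP.

    Supports the ip4, include and all mechanisms with the +, -, ~ and ?
    qualifiers, which is enough to model the check the text calls for.
    """
    if depth > 10:                      # RFC 7208 caps lookup-causing terms at 10
        return "permerror"
    record = records.get(sender_domain)
    if record is None:
        return "none"                   # domain publishes no policy; nothing to enforce
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            # strict=False lets a bare address stand for a /32
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced policy yields pass
            if check_spf(arg, client_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no explicit all


if __name__ == "__main__":
    # An infected home PC forging a victim.example sender is rejected outright.
    print(check_spf("victim.example", "10.20.30.40"))       # fail
    print(check_spf("victim.example", "198.51.100.25"))     # pass, via include
```

Real SPF evaluates the envelope sender (MAIL FROM) or HELO identity rather than the header From that the worm forged, and it consults DNS rather than a local table; the verdicts, however, are the ones a receiving server would act on.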

As an example, whereas AOL is looking at SPF, Yahoo is trying out a home-grown solution it calls DomainKeys, which could end up in court since the Philadelphia-based ePrivacy Group claims to have a patent on the technique. (Patents are just another problem with proprietary technologies and a reason they have no place in the war on spam.)

Regardless, the "successes" of Sobig and MyDoom are living proof that these non-interoperable solutions are the wrong approach. Sobig and MyDoom achieved success because they didn't satisfy the different criteria that these proprietary solutions use to define and identify spam. As I have said many times before, we are doomed to fail in the war against unwanted email if the technology and legislative communities get too hung up on defining spam.

The first and most important step in determining if an email is unwanted has nothing to do with whether it's commercially oriented, has some percentage of HTML or contains certain words, fonts or patterns. It has to do with establishing with some degree of confidence that an email is coming from the person who it says it came from.

The various purveyors of email technology and services know this and have all sorts of reasons for not working together. The one that I like best is the length of time it would take for such standards to be produced. To that argument, I point to the Web services movement (led by IBM and Microsoft, both of which happen to be email technology and service providers), which is hammering out standard specifications at a record-breaking pace.

The faster these companies can hammer out and support standard Web services specifications, the sooner they can start generating significant revenue off the next generation of the Internet. If the same companies were to expeditiously hammer out and support the sort of standards needed to stop unwanted email, they'd lose a revenue opportunity. There would be nothing to sell, other than that which they already sell, or give away.

While it's relatively easy to follow the money, and prove that greed is what really stands in the way of true progress on the unwanted email front, we ultimately have ourselves to blame as well. So far, those of us who were impacted by Sobig, MyDoom, or both (which directly or indirectly amounts to all Internet users) have refused to hold these companies accountable for their failure to act. Until we do, email will continue on its course to becoming so useless or such a threat that we'll all do what SCO's Carlon said Brigham Young University did as the threat of MyDoom loomed -- turn it off.