Standard virus protection best way to fight Mydoom
- 29 January, 2004 14:25
Companies that are following recommended practices relating to secure e-mail use should be largely protected against the Mydoom virus and its variants, experts said.
Despite the speed with which the e-mail-borne menace has proliferated since the first variant was discovered on Monday, there's nothing about Mydoom, so far, that can't be dealt with by using antivirus, e-mail filtering and intrusion-detection technologies.
Mydoom, also known as Shimgapi and Novarg, started spreading earlier this week and has quickly become the most virulent e-mail virus ever.
The virus arrives as an e-mail with an attachment that can have various names and extensions, including .exe, .scr, .zip and .pif. When the attachment is executed, the worm starts sending copies of itself to other e-mail addresses stored in the infected computer. The first version of the virus, now called Mydoom.a is designed to attack The SCO Group's Web site. A newer variant, dubbed Mydoom.b, which began surfacing earlier Wednesday, is apparently designed to enable similar denial-of-service attacks against Microsoft's Web site. The variant also includes a feature that blocks infected computers from accessing sites belonging to vendors of antivirus products.
Companies that filter out e-mail attachments or analyze the contents of attachments are unlikely to have been affected much, said Darwin Ammala, computer security engineer for Harris Corp.'s STAT network security unit.
Bruce Hughes, director of malicious code research at TruSecure's ICSA Labs, said about 80 percent of the company's clients already filter out at least five attachments that are commonly used in e-mail attacks. The remaining companies filter out even more attachments as a precaution against e-mail attacks, he said.
"From all indications, corporations of a size large enough to afford antivirus (technologies) at the e-mail gateway were unaffected," said Russ Cooper, moderator of NT Bugtraq and analyst at TruSecure.
Even in cases where the virus might have managed to infiltrate desktops, "most corporations will either notice, or block, outbound SMTP during such a virus outbreak" to stop the virus from spreading, Cooper said.
According to Network Associates, 20 large enterprise organisations in Australia have reported infection. The company also claims that 35 per cent of Australian machines scanned by its McAfee consumer email scanning technology have been infected by Mydoom. All up, Network Associates says Mydoom currently accounts for 10 per cent of email traffic in Australia.
Several companies said that, so far at least, they have escaped the virus unscathed.
Online Resources, an online bill processing firm, hasn't been touched by Mydoom as yet. "We were not infected," said Hugh McArthur, information security officer at the firm. "I attribute that to a combination of keeping our antivirus products, especially at the gateways, up to date, along with a strong user awareness program."
The company also uses more than one antivirus product to add an extra layer of protection and redundancy to its virus detection efforts, McArthur said.
Edward York, chief technology officer at 724, an application service provider, also said he has had few problems dealing with Mydoom so far.
"It mildly affected us beginning on Sunday evening by way of network congestion only," York said. "No servers were infected. I quickly added some filters to our mail server to filter out most of it. We still get some attachments which somehow sneak through, but we are blocking about 90 percent of the incidents."
Baker Hill, an application service provider, saw about 50 of its systems infected by Mydoom before its antivirus vendor had a fix for the worm, said Eric Beasley, senior network manager at the company.
Even so, only one user actually clicked on the attachment to activate the worm, he said. An antivirus product installed on the user's desktop quickly detected the worm and alerted administrators, Beasley said.
Since then, Baker Hill has updated its antivirus signatures. Baker Hill also uses a service provider to scan all of its e-mail for spam and has seen no evidence of Mydoom since that provider began stripping out all e-mail attachments containing the worm, he said.
"We are pleasantly surprised by how little it has affected us so far," said Trey Miller, manager of telecom services at Vertis, an advertising and media services company.
Vertis uses virus protection services from Postini and has so far seen little evidence of Mydoom on its internal network, Miller said.