Sobig's success prompts calls for secure e-mail
Even seasoned antivirus experts hadn't seen anything like the Sobig-F e-mail worm: Within hours of its release on Aug. 19, it created a million copies of itself and was spreading worldwide, shattering speed records set by earlier viruses.
In the wake of the attack, security experts uniformly credited the worm's sophisticated design for much of its success. However, the sheer magnitude of Sobig's attack led to questions about whether the Internet's current e-mail infrastructure is making things too easy for virus writers and spammers.
For systems administrators like Scott Nelson at Modular Mining Systems Inc., Sobig-F feels more like a persistent headache than a ravaging infection.
The e-mail worm directs a steady stream of infected messages to the systems of the mine management and control systems maker at a rate of about 200 each day, or more than 2,500 since mid-August, Nelson said.
"Just in the last five minutes, we got six more," he said on the phone on in early September at the company's offices in Tucson, Arizona.
Like many other organizations, Modular Mining uses antivirus and antispam technology to thwart Sobig-F infections, but the worm is highlighting shortcomings in the system used to deliver mail from one e-mail user to another, experts say.
"I think that the infrastructure usually evolves out of necessity, and viruses and spam have the potential to push the minimum requirements for the mail infrastructure to a new level," said Blake Ramsdell of Brute Squad Labs Inc. in Redmond, Washington.
In question is technology used to route e-mail messages from one Internet user to another, according to Ramsdell and others. The SMTP (Simple Mail Transfer Protocol), for example, was developed in the early 1980s and is still the primary protocol used to send e-mail messages between servers on the Internet.
Designed to provide a reliable and efficient way to relay messages, SMTP's greatest advantage is its ability to transport e-mail between host systems that use different computer hardware and operating systems. Security was not a major concern at the time SMTP was designed, experts said.
Like worms before it, Sobig-F takes advantage of SMTP's flexibility, sporting its own super-efficient SMTP engine to send out virus-laden e-mail messages.
"That 'S' in SMTP stands for 'Simple'," said Paul Hoffman, director of the Internet Mail Consortium, an international organization of e-mail vendors based in Santa Cruz, California. "And it is simple, you're only talking about 10K of code."
Worms like Sobig also exploit SMTP's lack of authentication, which allows anyone who can connect to an SMTP port on an e-mail server to use that server to send out e-mail, supplying valid or fictitious e-mail addresses in the message's "From:" line, according to the CERT Coordination Center in Pittsburgh, Pennsylvania.
Like viruses before it, Sobig-F steals e-mail addresses from the machines it infects and uses them to fake or "spoof" the origin of the e-mail it sends out. That means that e-mail account holders whose computers are not infected by Sobig-F, but whose e-mail addresses are spoofed by the virus, still receive complaint messages from e-mail servers targeted by Sobig-F, resulting in more Sobig headaches.
In recent weeks, Sobig-F spoofing created a massive increase in e-mail traffic to leading ISPs (Internet service providers) like America Online Inc. (AOL), which scanned almost 40 million e-mail messages a day following the worm's release, four times the normal volume for August, according to spokesman Nicholas Graham.
Almost 60 percent of those messages were infected with Sobig-F, he said.
SMTP's shortcomings have been common knowledge for years, prompting the creation of extensions to the protocol, dubbed ESMTP (Extended SMTP), and a number of authentication technologies to plug the security holes in e-mail systems, e-mail experts point out.
Perhaps the most popular of those is S/MIME (Secure Multipurpose Internet Mail Extensions), which uses public-key technology to enable users with different e-mail programs to send secure, encrypted e-mail to one another.
"If every message that you received was S/MIME digitally signed with a valid certificate that authenticated the e-mail address, that would go a long way towards helping," Ramsdell wrote in an e-mail response to questions for this article.
If everyone used S/MIME, spam and virus messages could be traced back to their source. Stolen or compromised digital certificates could be revoked, effectively cutting off the certificate holder from further e-mail communication, he wrote.
SMTP could also be used over TLS (Transport Layer Security), a protocol that secures communications between applications on the Internet. That would enable organizations to secure communications between the thousands of e-mail servers on the Internet, rather than between the millions of e-mail users, which S/MIME requires, said Eric Rescorla, principal engineer at RTFM Inc., in Palo Alto, California.
"These technologies would go a long way to building accountability into the mail infrastructure. I think that it would indeed be a very useful thing for us to start deploying these concepts, and requiring their use," Ramsdell wrote.
The challenge, according to Ramsdell and others, is in getting e-mail users and administrators to warm up to security features.
Microsoft's Outlook e-mail client software has long allowed users to use S/MIME to secure e-mail with digital certificates, but few Outlook users employ the security features.
One reason is that most e-mail users don't really understand encryption and are reluctant to use it.
"A lot of people don't see a need for it themselves until they become a victim," said Ken Silva, vice president in the Naming and Directory Services Group at VeriSign Inc. "And even when they do, they're not sure how to solve the problem."
There also isn't an easy way to deploy a system for authenticating e-mail messages without cutting off vast swaths of the e-mail user population who don't use authentication, said Hoffman of the Internet Mail Consortium.
"All the protocols for full authentication from end-to-end or server-to-server are in place, but we don't have a trust model that works," he said.
Such a system would require a centralized authority that could authenticate e-mail messages sent worldwide and revoke e-mail credentials from those found guilty of spamming or releasing viruses, Hoffman said.
"It's not a technical problem, it's a social problem: Would I bother to send e-mail to you? Why do you and I trust this central place?" he said.
Even with the twin demons of spam and e-mail viruses plaguing e-mail users, changing the way e-mail messages are sent and received will rob Internet communications of what people like best: the system's openness and ease of use.
Besides, the effort to move the world e-mail population to any SMTP alternative would take years, and there would be no guarantees that the replacement wouldn't contain shortcomings, as well, according to Harry Katz, program manager for Microsoft Corp.'s Exchange Server Group.
"My thought on this is the system may be imperfect, and if we were starting from scratch we might do it differently, but we can evolve it without tearing it down and starting from scratch," he said.
Rather than one monumental shift in technology, the system will likely be righted by a series of small "point" fixes, experts agreed.
E-mail software could be rewritten using more secure "managed" development environments like Java and managed C#, making them less vulnerable to buffer overflow attacks and other common assaults, Ramsdell said.
Messaging server and client software can also be made to dig deeper into e-mail messages and attachments, sniffing out viruses and spam messages, he said.
Other options might be better systems for distributing virus filters and software patches to users' machines, RTFM's Rescorla said.
Microsoft, the leading maker of e-mail technology, is evaluating all those options and more, according to Katz.
Finally, the U.S. federal government could enforce change by taking a tough stand on viruses and spam and educating the public, just as it did in addressing Year 2000 software vulnerabilities at the end of the last decade, according to Silva.
"What people want because of the problems with viruses and spam is a higher bar with e-mail," said Hoffman.
The challenge is setting that bar in a way that doesn't turn e-mail into something different than it is today, he said.