January 31, 2004

MyDoom: Lessons Learned

MyDoom is the latest worm unleashed on the Internet. It spreads by sending itself as an email attachment. There's nothing unusual here.

But how does it spread, really? I created a "Hello, World" Windows executable file and mailed it to myself as an attachment. When I received the attachment, I tried to open it. Here's what I found out: Outlook would not let me get to the attachment at all. I couldn't open it. I couldn't save it. Nothing. Outlook Express was the same as Outlook. Mozilla Mail would only let me save the attachment; it would not run the executable. IncrediMail, which my wife uses, displays a warning when you open the attachment, and if you choose to disregard the warning, IncrediMail will open the attachment and run the executable.

Considering that Outlook and Outlook Express are really protective, that Mozilla Mail is probably protective enough, and that IncrediMail is probably not widely deployed enough to spread a worm, how is MyDoom spreading? Two thoughts: First, there may still be a lot of people using older versions of Outlook or Outlook Express, from before Microsoft added attachment blocking. That's bad. Second, MyDoom often arrives as a zip file. It turns out that an executable inside a zip attachment takes only about two extra mouse clicks to run, if you have WinZip installed or if you are using Windows XP.

I tried another experiment. I created a zip file that contained the "Hello, World" executable file. Then I sent that zip file as an attachment to myself. Here's what I found out: If you have WinZip installed, when you open the attachment, Outlook starts WinZip and WinZip opens the zip file. Now, if you double click on the icon in the WinZip window, WinZip runs the executable. The whole process takes less than five seconds. If you don't have WinZip installed, but you have Windows XP, then the procedure is similar, except that Windows Explorer takes the place of WinZip. (I checked this with the Windows XP Home Edition.)

So, who's to blame for this MyDoom worm? If you ask Microsoft, it's the person(s) who created the worm. Microsoft is right, of course. But what can we do, if anything, to avoid a repeat of MyDoom? Larry Seltzer, in "MyDoom Lessons: Failures of Education, Antivirus Vendors," claims that user education and anti-virus services have failed. He believes that we cannot possibly rely on user education to stop the spread of worms through email, and that the anti-virus services failed to respond in time.

While I think he makes some good points, I have my own ideas. First, it should not be so easy to run an executable file that comes in an email attachment. With Windows XP, or with WinZip installed, it takes only two more mouse clicks -- probably another three seconds -- to run the executable file. There is no excuse for making it that easy. I understand that these utilities, Windows Explorer and WinZip, make it easy for users to view the files that are in a zip file. But there is no reason why they should launch an executable straight out of the archive, before the user has extracted anything. I believe Microsoft and WinZip should be condemned by the security community until they fix this security hole.

Second, Windows needs to break from its DOS history and change the way executable files become executable. In Windows, a file is executable if its name ends in one of the executable extensions (.exe, .bat, .scr, .pif, and a few more); the shell consults nothing but the name. Since the file name travels with the attachment unchanged, an executable file is still executable when it arrives in someone's mailbox.

If DOS and Windows were all we knew, we would probably think that this is all quite normal. But in Linux -- and I assume Mac OS X -- a file is executable only if the executable bit is set in its file attributes, regardless of its name. When one sends an executable file as an email attachment, the file attributes are not sent; MIME carries the file's bytes and its name, nothing more. The attributes are set to a default value when the attachment is saved, and the executable bit is off in that default. The net result is that the sender of a file cannot make that file executable; only the recipient can. (The one exception is an archive format that records Unix permissions, such as a tar file or a zip created on Unix: unpacking one can restore the execute bit the sender set, which is another reason a scanner has to look inside archives.)

This difference between Linux and Windows is profound. Data and code are different, and it's a fundamental security principle that data and code be treated differently. Open a file explorer application. Double click on one of the icons. What happens? What should happen? If the file is data, the explorer starts an application that knows what to do with that data. If the file is an executable file -- that is, code -- it launches the executable. This may not sound like a big deal. But consider email attachments: in the case of Windows, it's the sender who decides if the file is code; in the case of Linux, it's the recipient who decides. This matters because ordinary users don't normally make a distinction between data and code. All they know is that they double click on an icon. Utilities like Windows Explorer and WinZip allow them to think this way, because it's the same action to open a data file and to launch an executable file. Before computers were well-connected, this may not have been an issue. But when a sender can decide for the recipient whether a file should be treated as data or code, the consequence is the spread of nasty worms.

There's a fairly simple, short-term solution to this problem. Create an anti-virus email scanner that finds every email attachment and changes the file extension so that the file is no longer executable. For example, the scanner should change the file name readme.exe to readme.exe.dat; Windows picks the handler from the last extension, so the renamed file no longer runs on a double click. Then, if the recipient really wanted to make the file executable, he would have to save the file and change the file name. This is similar to a Linux user having to set the executable bit to make a file executable. Because WinZip and Windows Explorer will launch an executable straight out of a zip file, the scanner would also have to look inside every zip file (including zip files nested inside other zip files) and change the file names of the executable files there.
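Here is what such a scanner looks like, as an added example rather than code from the original post. It applies the Windows name-only rule from the discussion of .exe, .bat, .scr and .pif above, renames any bare executable attachment to name.dat, and rewrites zip attachments (recursively, with a depth limit) so that executable members are renamed inside the archive as well. The extension list, the .dat suffix and the sample message it builds are my assumptions; the message is constructed for the example and is not a MyDoom sample.

```python
"""Added example (not from the original post): an email attachment scanner that renames
executables so Windows will no longer run them, and does the same inside zip attachments.
The extension list, the .dat suffix and the sample message below are assumptions."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows treats as executable by name alone. Assumption: this covers the
# common cases; a real gateway would keep a longer, maintained list.
EXEC_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "lnk"}
NEUTRAL_SUFFIX = ".dat"  # assumption: nothing on the recipient's machine auto-runs .dat
MAX_NESTING = 3          # zip-in-zip depth beyond which we refuse rather than recurse forever

def is_executable_name(name):
    """The Windows rule: only the last extension matters, case-insensitively."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return ext in EXEC_EXTENSIONS

def neutralize_name(name):
    """readme.exe -> readme.exe.dat; non-executable names come back unchanged."""
    return name + NEUTRAL_SUFFIX if is_executable_name(name) else name

def neutralize_zip(data, depth=0):
    """Rewrite a zip so executable members are renamed. Returns (new_bytes, rename log)."""
    if depth > MAX_NESTING:
        raise ValueError("archive nested too deeply; quarantine it instead of scanning")
    renamed = []
    try:
        src = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return data, renamed  # not actually a zip; nothing to rewrite
    out = io.BytesIO()
    with src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            payload, new_name = src.read(info), info.filename
            if new_name.lower().endswith(".zip"):
                payload, inner = neutralize_zip(payload, depth + 1)
                renamed.extend(f"{info.filename}/{entry}" for entry in inner)
            elif is_executable_name(new_name):
                new_name = neutralize_name(new_name)
                renamed.append(f"{info.filename} -> {new_name}")
            # writestr() with a bare name also discards any Unix mode bits the original
            # entry carried, so a sender cannot smuggle the execute bit through either.
            dst.writestr(new_name, payload)
    return out.getvalue(), renamed

def neutralize_message(raw):
    """Scan a raw RFC 822 message. Returns (rewritten message bytes, rename log)."""
    msg = message_from_bytes(raw, policy=policy.default)
    renamed = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        payload, new_name = part.get_payload(decode=True), filename
        if filename.lower().endswith(".zip"):
            payload, inner = neutralize_zip(payload)
            renamed.extend(f"{filename}: {entry}" for entry in inner)
            changed = bool(inner)
        else:
            new_name = neutralize_name(filename)
            changed = new_name != filename
            if changed:
                renamed.append(f"{filename} -> {new_name}")
        if changed:
            maintype, subtype = part.get_content_maintype(), part.get_content_subtype()
            part.clear_content()  # drop the old Content-* headers before re-attaching
            part.set_content(payload, maintype=maintype, subtype=subtype,
                             filename=new_name, disposition="attachment")
    return msg.as_bytes(), renamed

def attachment_inventory(raw):
    """[(filename, zip member names or None)] for every attachment, for inspection."""
    msg = message_from_bytes(raw, policy=policy.default)
    inventory = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        members = zipfile.ZipFile(io.BytesIO(data)).namelist() if zipfile.is_zipfile(io.BytesIO(data)) else None
        inventory.append((part.get_filename(), members))
    return inventory

def build_sample_message():
    """Constructed test input, not a MyDoom sample: a bare .exe plus a zip holding an .exe."""
    fake_exe = b"MZ" + b"\x00" * 62  # MZ header stub standing in for a real PE file
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("readme.exe", fake_exe)
        zf.writestr("notes.txt", b"plain data")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "recipient@example.com", "document"
    msg.set_content("see attached")
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream", filename="readme.exe")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    cleaned, log = neutralize_message(build_sample_message())
    print("\n".join(log))
    print(attachment_inventory(cleaned))
```

Run it directly to see the rename log for the constructed message. Two points worth noting for anyone turning this into a gateway filter: storing each member again with writestr() also strips the Unix mode bits a zip built on Unix can carry, so the execute bit cannot ride through an archive either, and the depth limit is there because a scanner that unpacks archives unconditionally is an easy target for a nested-zip bomb.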

In summary, I think the MyDoom worm demands two action items. First, security experts should complain to WinZip and Microsoft about launching executable files straight out of an archive, before the user has extracted them. Second, anti-virus tools should change the file names of executable files in attachments so that the files are no longer executable.

Posted by Doug Sauder at January 31, 2004 08:10 AM