Sobig's Success Prompts Calls for Secure E-Mail
Simple Mail Transfer Protocol may be too simple, some experts warn.
Paul Roberts, IDG News Service
Friday, September 12, 2003
Even seasoned antivirus experts hadn't seen anything like the Sobig-F e-mail worm: Within hours of its release on August 19, it created a million copies of itself and was spreading worldwide, shattering speed records set by earlier viruses.
In the wake of the attack, security experts uniformly credited the worm's sophisticated design for much of its success. However, the sheer magnitude of Sobig's attack led to questions about whether the Internet's current e-mail infrastructure is making things too easy for virus writers and spammers.
Still Spreading
For systems administrators like Scott Martin at Modular Mining Systems, Sobig-F feels more like a persistent headache than a ravaging infection.
The e-mail worm directs a steady stream of infected messages to the systems of the mine management and control systems maker at a rate of about 200 each day--more than 2500 since mid-August--Martin said.
"Just in the last five minutes, we got six more," he said by phone in early September from the company's offices in Tucson, Arizona.
Like many other organizations, Modular Mining uses antivirus and antispam technology to thwart Sobig-F infections, but the worm is highlighting shortcomings in the system used to deliver mail from one e-mail user to another, experts say.
"I think that the infrastructure usually evolves out of necessity, and viruses and spam have the potential to push the minimum requirements for the mail infrastructure to a new level," said Blake Ramsdell of Brute Squad Labs in Redmond, Washington.
Too Simple?
In question is technology used to route e-mail messages from one Internet user to another, according to Ramsdell and others. The SMTP (Simple Mail Transfer Protocol), for example, was developed in the early 1980s and is still the primary protocol used to send e-mail messages between servers on the Internet.
Designed to provide a reliable and efficient way to relay messages, SMTP's greatest advantage is its ability to transport e-mail between host systems that use different computer hardware and operating systems. Security was not a major concern at the time SMTP was designed, experts said.
Like worms before it, Sobig-F takes advantage of SMTP's flexibility, sporting its own super-efficient SMTP engine to send out virus-laden e-mail messages.
"That 'S' in SMTP stands for 'Simple'," said Paul Hoffman, director of the Internet Mail Consortium, an international organization of e-mail vendors based in Santa Cruz, California. "And it is simple--you're only talking about 10K of code."
Worms like Sobig also exploit SMTP's lack of an authentication procedure. Anyone who can connect to an SMTP port on an e-mail server can use that server to send out e-mail, providing a valid or fictitious e-mail address in the message's From: line, according to the CERT Coordination Center in Pittsburgh, Pennsylvania.
Spoofing Problems
Like viruses before it, Sobig-F steals e-mail addresses from the machines it infects and uses them to fake or spoof the origin of the e-mail it sends out. That means that e-mail account holders whose computers are not infected by Sobig-F, but whose e-mail addresses are spoofed by the virus, still receive complaint messages from e-mail servers targeted by Sobig-F, resulting in more Sobig headaches.
In recent weeks, Sobig-F spoofing created a massive increase in e-mail traffic to leading ISPs like America Online, which scanned almost 40 million e-mail messages a day following the worm's release, four times the normal volume for August, according to spokesperson Nicholas Graham.
Almost 60 percent of those messages were infected with Sobig-F, he said.
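The "complaint messages" described above are what administrators now call backscatter: bounces delivered to the owner of a spoofed address for mail that owner never sent. The following is an added example, not code from the article or from any vendor quoted in it, showing how a mail administrator can separate genuine bounces from backscatter by checking whether the returned Message-ID was ever issued by the local server. The sample bounces, the domain names and the `SENT_LOG` record are constructed for this demonstration, and the bounces are simplified to single-part text rather than full multipart DSNs.

```python
"""Added example, not from the article: telling genuine bounces apart from
backscatter, the complaint messages that reach address owners whose
addresses a worm has spoofed. The bounce messages, the domain names and the
sent-mail log below are constructed for this demonstration."""

import email
import re
from collections import Counter

# Constructed record of Message-IDs our own mail server actually issued.
SENT_LOG = {"<20030901.1234@mail.example.com>"}

# Many bounce formats quote the original headers as plain text in the body;
# this pulls the original Message-ID out of that quoted block.
MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.I | re.M)


def classify_bounce(raw: str) -> str:
    """Return 'genuine', 'backscatter' or 'unknown' for one bounce message."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    if not isinstance(body, str):
        return "unknown"          # multipart DSN bodies are out of scope here
    match = MSGID_RE.search(body)
    if not match:
        return "unknown"
    original_id = match.group(1)
    if original_id in SENT_LOG:
        return "genuine"          # we really sent it; delivery simply failed
    # The bounced message claims to be ours, but our server never issued
    # this Message-ID, so someone else forged the sender address.
    return "backscatter"


def summarize(raws):
    """Count each class; a sudden jump in 'backscatter' is the signal an
    administrator would alert on."""
    return Counter(classify_bounce(r) for r in raws)


# Constructed sample bounces, simplified to single-part text.
SAMPLES = [
    # Genuine: we sent this message and the recipient did not exist.
    "From: MAILER-DAEMON@partner.example.net\n"
    "To: alice@example.com\n"
    "Subject: Undelivered Mail Returned to Sender\n\n"
    "User unknown.\n\n----- Original message headers -----\n"
    "From: alice@example.com\n"
    "To: nobody@partner.example.net\n"
    "Message-ID: <20030901.1234@mail.example.com>\n",
    # Backscatter: a worm forged alice's address from an infected PC.
    "From: postmaster@victim.example.org\n"
    "To: alice@example.com\n"
    "Subject: Virus found in message you sent\n\n"
    "Your message contained a virus and was not delivered.\n\n"
    "----- Original message headers -----\n"
    "From: alice@example.com\n"
    "To: bob@victim.example.org\n"
    "Message-ID: <000001c37f2b$a1b2c3d4$0100007f@infected-pc>\n",
    # Unknown: the remote server returned no original headers.
    "From: postmaster@another.example.net\n"
    "To: alice@example.com\n"
    "Subject: Delivery failure\n\n"
    "No original headers were returned.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_bounce(raw))
    print(summarize(SAMPLES))
```

The check relies on the local server recording every Message-ID it hands out; bounces whose quoted headers carry an ID the server never issued are classed as backscatter, and bounces that quote no headers at all are left as unknown rather than guessed.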
More Secure
SMTP's shortcomings have been common knowledge for years, prompting the creation of extensions to the protocol, dubbed ESMTP (Extended SMTP), and a number of authentication technologies to plug the security holes in e-mail systems, e-mail experts point out.
Perhaps the most popular of those efforts is S/MIME (Secure Multipurpose Internet Mail Extensions), which uses public-key technology to enable users with different e-mail programs to send secure, encrypted e-mail to one another.
"If every message that you received was S/MIME digitally signed with a valid certificate that authenticated the e-mail address, that would go a long way towards helping," Ramsdell wrote in an e-mail response to questions for this article.
"If everyone used S/MIME, spam and virus messages could be traced back to their source. Stolen or compromised digital certificates could be revoked, effectively cutting off the certificate holder from further e-mail communication," he wrote.
SMTP could also be used over TLS (Transport Layer Security), a protocol that secures communications between applications on the Internet. That would enable organizations to secure communications between the thousands of e-mail servers on the Internet, rather than between the millions of e-mail users, which S/MIME requires, said Eric Rescorla, principal engineer at RTFM, in Palo Alto, California.
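The two server-side points the article makes, that plain SMTP accepts a MAIL FROM from anyone who reaches the port with any real or fictitious address, and that ESMTP extensions and TLS let a server demand more before relaying, are easiest to see side by side. The following is an added example, not code from the article or from any vendor quoted in it: a toy state machine that models one SMTP session either as an unauthenticated relay or as an ESMTP server that advertises STARTTLS, only offers AUTH inside TLS, and ties the envelope sender to the authenticated user. The `SmtpModel` class, the `USERS` table and the host names are assumptions for illustration; no socket is opened and no real TLS handshake is performed.

```python
"""Added example, not from the article: a toy state machine contrasting the
unauthenticated SMTP behaviour the article describes with an ESMTP server
that advertises STARTTLS, requires authentication over TLS and ties the
envelope sender to the authenticated user. The class, the user table and
the host names are assumptions for illustration; no socket is opened and
no real TLS handshake is performed."""

import base64
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed user table: login -> (password, envelope sender it may use).
USERS = {"alice": ("s3cret", "alice@example.com")}


def plain_blob(user: str, password: str) -> str:
    """Encode credentials as the SASL PLAIN argument: base64 of NUL user NUL pass."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


@dataclass
class SmtpModel:
    """One SMTP session. require_auth=False accepts any MAIL FROM, as an
    open relay would; require_auth=True enforces STARTTLS, then AUTH,
    then a sender that belongs to the authenticated user."""
    require_auth: bool
    tls: bool = False
    user: Optional[str] = None
    transcript: List[Tuple[str, str]] = field(default_factory=list)

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            lines = ["250-relay.example.com"]
            if self.require_auth:
                lines.append("250-STARTTLS")
                if self.tls:
                    lines.append("250-AUTH PLAIN")  # only offered inside TLS
            reply = "\r\n".join(lines + ["250 OK"])
        elif verb == "STARTTLS":
            self.tls = True  # the handshake itself is out of scope
            reply = "220 Ready to start TLS"
        elif verb == "AUTH":
            reply = self._auth(arg)
        elif verb == "MAIL":
            reply = self._mail(arg)
        else:
            reply = "500 Unknown command"
        self.transcript.append((line, reply))
        return reply

    def _auth(self, arg: str) -> str:
        if not self.tls:
            return "538 Encryption required for requested authentication mechanism"
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 Unrecognized authentication type"
        try:
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:
            return "501 Syntax error in parameters"
        if user not in USERS or USERS[user][0] != password:
            return "535 Authentication credentials invalid"
        self.user = user
        return "235 Authentication succeeded"

    def _mail(self, arg: str) -> str:
        sender = arg.partition(":")[2].strip().strip("<>")
        if not self.require_auth:
            return "250 OK"  # open relay: any sender, real or fictitious
        if self.user is None:
            return "530 Authentication required"
        if sender != USERS[self.user][1]:
            return "553 Sender address not permitted for this user"
        return "250 OK"


def run_session(require_auth: bool, commands: List[str]) -> List[str]:
    """Feed a command list to a fresh session and return the reply codes."""
    server = SmtpModel(require_auth=require_auth)
    return [server.handle(c)[:3] for c in commands]


if __name__ == "__main__":
    forged = ["EHLO infected-pc", "MAIL FROM:<stolen@example.org>"]
    print("open relay:", run_session(False, forged))
    print("hardened:  ", run_session(True, forged))
    good = ["EHLO laptop", "STARTTLS", "EHLO laptop",
            "AUTH PLAIN " + plain_blob("alice", "s3cret"),
            "MAIL FROM:<alice@example.com>"]
    print("hardened:  ", run_session(True, good))
```

The hardened branch models three separate controls: AUTH is refused (538) until the session is inside TLS, MAIL FROM is refused (530) until a user has authenticated, and a sender that the authenticated user does not own is refused (553). The open-relay branch answers 250 to the same forged MAIL FROM, which is the behaviour Sobig-F's built-in SMTP engine depended on.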
Ramsdell agreed.
"These technologies would go a long way to building accountability into the mail infrastructure. I think that it would indeed be a very useful thing for us to start deploying these concepts, and requiring their use," Ramsdell wrote.
Challenges Ahead
The challenge, according to Ramsdell and others, is to get e-mail users and administrators to warm to security features.
Microsoft's Outlook e-mail client software has long allowed its users to employ S/MIME to secure e-mail with digital certificates, but few Outlook users take advantage of the security features.
One reason is that most e-mail users don't really understand encryption and are reluctant to use it.
"A lot of people don't see a need for it themselves until they become a victim," said Ken Silva, vice president in the Naming and Directory Services Group at VeriSign. "And even when they do, they're not sure how to solve the problem."
In addition, there is no easy way to deploy a system for authenticating e-mail messages without cutting off vast numbers of e-mail users who don't use authentication, said Hoffman of the Internet Mail Consortium.
"All the protocols for full authentication from end-to-end or server-to-server are in place, but we don't have a trust model that works," he said.
Centralized Control
Such a system would require a centralized authority that could authenticate e-mail messages sent worldwide and revoke the e-mail credentials of those found guilty of spamming or releasing viruses, Hoffman said.
"It's not a technical problem, it's a social problem: Would I bother to send e-mail to you? Why do you and I trust this central place?" he said.
Even with the twin demons of spam and e-mail viruses plaguing e-mail users, changing the way people send and receive e-mail messages will rob Internet communications of their openness and ease of use.
Besides, the effort to move the world e-mail population to any SMTP alternative would take years, and there would be no way to guarantee that the replacement wouldn't contain shortcomings as well, according to Harry Katz, program manager for Microsoft's Exchange Server Group.
"My thought on this is, the system may be imperfect, and if we were starting from scratch we might do it differently, but we can evolve it without tearing it down and starting from scratch," he said.
One Step at a Time
Rather than depending for its future health on a single monumental shift in technology, the system will likely be righted by a series of small point fixes, experts agreed.
E-mail software could be rewritten using more secure managed development environments such as Java and managed C#, making them less vulnerable to buffer overflow attacks and other common assaults, Ramsdell said.
Messaging server and client software can also be made to dig deeper into e-mail messages and attachments, sniffing out viruses and spam messages, he said.
Other options might include better systems for distributing virus filters and software patches to users' machines, RTFM's Rescorla said.
Microsoft, the leading maker of e-mail technology, is evaluating all of those options and more, according to Katz.
Finally, the U.S. federal government could enforce change by taking a tough stand on viruses and spam and by educating the public, just as it did in addressing Year 2000 software vulnerabilities at the end of the last decade, according to Silva.
"What people want because of the problems with viruses and spam is a higher bar with e-mail," said Hoffman.
"The challenge is setting that bar in a way that doesn't turn e-mail into something fundamentally different from what it is today," he said.
Posted on Sunday, 14 September 2003 @ 05:15:00 EDT by phoenix22