Whose Doom? Mydoom
By late Tuesday, Jan. 27, experts estimated that 20 percent of the world's e-mail traffic was attributable to the virulent worm known as Mydoom, or Novarg -- the latest Internet scourge to send panicked corporate tech managers to the Symantec and McAfee Web sites for virus-protection updates. This monster virus is spam on steroids. Attached to a seemingly innocent e-mail, Mydoom copies itself to the computer of whoever happens to be curious enough to open its attached file, e-mails itself all over again, then awaits instructions -- perhaps, like SoBig and other previous worms, to use the invaded PC as a conduit for future spam. Computer-security experts say this is a battlefield-changing tactic in the spam war. "I'm really starting to believe that as much as 75 percent of spam is coming from our own machines," says Lawrence Baldwin, a computer-security expert who runs MyNetWatchman.com. That's right, most spam is actually being circulated by us through our innocent-looking home PCs.
"A lot of Microsoft software is so unsecure that spammers are now writing viruses that infect home computers and turn them into spam sources," says Laura Atkins, president of the Spamcon Foundation. "That's probably the biggest source of spam on the Net right now." The new marriage of computer viruses and spam is the most dangerous threat to the Internet in the coming year, contends MessageLabs, a leading anti-spam outfit based in Minneapolis.
The means by which spammers commandeer home PCs is complicated and continues to evolve, but essentially a piece of "malware," like Mydoom, is delivered to your machine, either by e-mail or more directly, which then enables the spammer to relay masses of spam through your living room and suck up your bandwidth, hiding behind your computer's unique Internet Protocol (IP) address. "You'll see [the same] e-mail coming from a hundred computers all at once all over the Internet," says Julian Haight, founder of Spamcop.net, which monitors Net traffic. Meanwhile, the unwitting computer owner might not notice anything besides a sluggish Internet connection. Joe Stewart, of computer security firm LURHQ, puts the number of PCs "hijacked for spam" at "probably well into the millions by now."
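Haight's observation, the same e-mail arriving from many computers at once, doubles as a detection signal at a mail gateway. The Python below is an added example, not code from the article or from any service named in it; the record layout, thresholds and sample data are constructed assumptions.

```python
import hashlib
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def fingerprint(body):
    """SHA-256 of the body with case and whitespace normalised."""
    canon = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def distributed_senders(records, min_sources=3, window=timedelta(minutes=10)):
    """Map fingerprint -> peak count of distinct source IPs seen inside any
    `window`, for bodies that reached at least `min_sources` sources."""
    by_body = defaultdict(list)
    for ts, ip, body in records:
        by_body[fingerprint(body)].append((ts, ip))
    flagged = {}
    for fp, events in by_body.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, ip in events:
            in_window[ip] += 1
            # Slide the window: drop events older than `window` before `ts`.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_sources:
            flagged[fp] = peak
    return flagged

def at(minute):
    return datetime(2004, 1, 27, 12, 0) + timedelta(minutes=minute)

# Constructed gateway records (time, source IP, body); IPs are RFC 5737 ranges.
SAMPLE = [
    (at(0), "192.0.2.10", "Cheap meds  now!\r\nClick here"),
    (at(1), "198.51.100.7", "cheap meds now! click here"),
    (at(2), "203.0.113.45", "Cheap Meds Now!\nClick   here"),
    (at(3), "192.0.2.10", "Cheap meds now! Click here"),      # repeat sender
    (at(4), "192.0.2.99", "Minutes from Tuesday's meeting"),  # one source only
    (at(0), "192.0.2.50", "Weekly newsletter"),   # three sources, but spread
    (at(60), "198.51.100.51", "Weekly newsletter"),  # over two hours, so no
    (at(120), "203.0.113.52", "Weekly newsletter"),  # burst inside the window
]
```

Only the first body is flagged with the default ten-minute window; a sender repeating the same message from one address, or a body trickling in from different addresses over hours, does not trip it.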
And what accounts for the ease with which wily spammers prey on PCs?
Of course, it's the many cracks in Windows software. "Unfortunately, Microsoft has had literally hundreds of security vulnerabilities in the last few years," says Baldwin. "If you haven't applied all your security patches and you put a Microsoft system directly onto the Internet," without a firewall, "you can be pretty much guaranteed it will be infected, probably in under five minutes."
Late last year, users of Microsoft's Hotmail service awoke to something they'd never experienced: no spam. Microsoft's free, Web-based e-mail service has long been an infamous hotbed of spam. Thanks to such spammer strategies as "dictionary attacks" -- in which the spammer sends out thousands of messages using random combinations of letters in front of the @hotmail.com address -- new Hotmail users could see spam landing in their inboxes even before they'd sent out their first message. People who used Hotmail only sparingly might still receive a couple dozen pieces of spam each day. But all that changed when Microsoft introduced SmartScreen Spam Filtering Technology. Some users have found that incoming spam, for the moment at least, has shrunk to near zero. "Anecdotally, Microsoft has been consistently hearing from customers and testers that SmartScreen tools are blocking upwards of 80 to 95 percent of their spam," according to the company.
Microsoft's filter employs methods similar to those of other anti-spam systems currently in use: The software scans incoming messages for keywords and other characteristics that the system "learns" are typical of spam and segregates them. Microsoft says its proprietary system is better than those of competitors because it "learns" from such a huge inventory of Hotmail spam and because it combines a bunch of spam-targeting technologies. (Personally, I've never had a single spam at my two-year-old Yahoo! account.)
The introduction of SmartScreen is recognition by the company of how serious an inconvenience spam has become, because with spam, as with so many other things, Microsoft has lagged behind competitors, allowing them to make the first moves before the company finally decided to weigh in with massive resources and a high-profile campaign (often prescribing, of course, a software upgrade). Where EarthLink and America Online started suing spammers in the late 1990s, says Atkins of the Spamcon Foundation, Microsoft only recently began going after them aggressively, filing several suits last summer and then, last fall, teaming up with New York's dogged attorney general, Eliot Spitzer, to sue a bunch of big guns.
Without doubt, the gloves are off and the microphones are on. Bill Gates used his closely watched annual address at the industry confab known as Comdex to declare war on spam and has recently written guest columns, such as "Why I Hate Spam" in The Wall Street Journal and "A Spam Free Future" in The Washington Post.
Microsoft is trying to integrate anti-spam technology into its core products, adding the SmartScreen filter, for instance, to the 2003 version of Outlook, the widely used e-mail and calendar program that's part of Microsoft's Office suite. Of course, "innovations" aren't always welcomed when they come from a monopoly: After Microsoft announced it was integrating the spam filter into its own software, some in the industry fretted that the Redmond giant was going to put all the other companies that make spam filters out of business. Microsoft says its system is designed to work in tandem with third-party systems, not replace them.
But while Microsoft has been taking some strong, visible steps to prosecute spammers and shoot down spam before it soils the inboxes of its customers, it has been quieter and, some contend, less responsive on the issue that many spam watchers believe is now central to the problem: the role of virus-infected, Microsoft-run desktop computers as the primary conduit for spam.
Perhaps it's no surprise that the role of Microsoft software in the spam infrastructure has gone unmentioned in the spam speeches and guest columns by Gates. Typically, he promotes the federal CAN-SPAM legislation (now passed by Congress and signed by President Bush), lauds Microsoft's new filter technology, and advises e-mail users not to reply to spam or click on those unknown file attachments. But he has avoided mentioning the security flaws in his company's products and the spam epidemic in the same breath. Microsoft's voluminous Web site, while addressing both spam and computer infections at length, never links the two problems.
In a speech last spring, Microsoft exec Ryan Hamlin, who oversees the company's anti-spam group, acknowledged, "We feel like solving the inbound problem," diverting spam from customer inboxes, "is a much greater issue right now than solving the outbound problem" of preventing spam from being sent in the first place. The one could lead to the other, according to Gates, who, writing recently in The Washington Post, said, "Our goal is to develop filters that are so effective that spamming becomes increasingly futile and ultimately unprofitable." But spam experts aren't so sanguine. "Filtering is a losing proposition," argues Spamcon's Atkins. "We can never make filters faster than the spammers can come up with ways to best them."
Spam fighters acknowledge that as the dominant operating system, Microsoft Windows is a big, fat target for unrelenting adversaries. Says Atkins: "We can argue about whether Microsoft is responsible for the fact that its users have not kept their security up to date or installed a hardware firewall that costs $59 at CompUSA." (Indeed, Microsoft recently launched a "Protect Your PC" campaign directed at home users.) But, Atkins notes, "Shipping secure software would help."
"On the bright side," says Joe Stewart of LURHQ, "it looks like Microsoft is making an effort to solve some of the core problems that make Windows so easy to infect. It may, however, be already too late."
Stewart, it should be noted, was speaking before last week's Mydoom outbreak. Meaning "too late" is right now.