Mimail Worm Variations Launch Multi-Pronged Attack

"Get ready for the storm," warned Ken Dunham, the director of malicious code at iDefense, a Reston, Va.-based security intelligence firm.

Since Friday, when Mimail.C first surfaced, four variants -- dubbed Mimail.D, Mimail.E, Mimail.F, and Mimail.H -- have been uncovered by security firms. All share enough characteristics, ranging from packaging their payloads in compressed .zip files to targeting specific Web sites for denial-of-service attacks, to convince analysts that one individual, or a group of attackers working together, is conducting the assault.

"This wave of Mimail attacks reveals the sophistication of the attacker...this is not some 'script kiddie' getting lucky with spreading viruses in the wild. The author of the Mimail worms has carefully planned and calculated his attacks," said Dunham.

Chris Belthoff, a senior security analyst with anti-virus maker Sophos, agrees, although it's also possible, he said, that someone is simply cracking the code of Mimail.C, making changes, and releasing the worm back into the wild. "We may have some copycatting going on," he said.


Both analysts said that the biggest problem is the sheer number of variants, and the speed with which they've been released. "It's making it very difficult to block this at the gateway," said Dunham.

Like the worm that broke Friday, the new Mimail variants pose as e-mails from users that the recipient might know, since the worm harvests addresses from compromised machines before re-mailing itself to others.

Another characteristic shared by the variants is a .zip file attachment which, when opened, infects the target machine. Zip files, a popular format for compressing documents sent by e-mail, are not blocked at the e-mail gateway by every organization, since, unlike executables, they are considered relatively safe, even though an archive can carry an executable inside it.

To compound the problem, the variants' .zip files have been purposefully corrupted, said Dunham, so that they're not correctly scanned by some anti-virus software. "The Zip files are designed to choke up some anti-virus software, making the programs give up on the scanning and move on, letting the worm through," he noted.

Belthoff, however, said that when properly configured, the Sophos anti-virus software scans the compressed files and detects the worm variations.

Among the Web sites added to the denial-of-service (DoS) attack list by the new mutations are several anti-spam Web sites, such as Spamhaus.org and SPEWS.org, both of which were down as of mid-morning Monday.

Organizations should aggressively update their anti-virus definitions, filter the worms' known attachment names at the gateway, scan inside compressed files, and, most importantly, alert employees yet again to the danger of opening unknown or unanticipated file attachments, said the experts.
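As an added example, not code from the article or from any anti-virus vendor's product, the Python below contrasts the failure mode Dunham describes (a scanner that gives up on an archive it cannot parse and lets the message through) with the fail-closed gateway check the experts' advice implies: quarantine any archive the scanner cannot fully verify, and block archives that carry executable members. The zip samples, the executable-extension list, and the two ways the archives are damaged (one flipped data byte, and a truncated end-of-central-directory record) are constructed for this example and are not the specific malformation the Mimail variants used.

```python
import io
import posixpath
import zipfile
import zlib

# Extensions a mail gateway should treat as executable content. This list is an
# assumption for the example, not one taken from the article.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Errors Python's zipfile module (and zlib underneath it) raise on a damaged archive.
PARSE_ERRORS = (zipfile.BadZipFile, zipfile.LargeZipFile, zlib.error,
                EOFError, OSError, ValueError)


def _has_executable_member(zf: zipfile.ZipFile) -> bool:
    """True if any member name carries an executable extension."""
    return any(posixpath.splitext(info.filename.lower())[1] in EXECUTABLE_EXTENSIONS
               for info in zf.infolist())


def naive_scan(data: bytes) -> str:
    """The weak behaviour described in the article: an archive the scanner
    cannot parse is skipped, so the message is delivered anyway."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "block" if _has_executable_member(zf) else "allow"
    except PARSE_ERRORS:
        return "allow"  # "give up and move on" -- the worm gets through


def scan_zip_attachment(data: bytes) -> str:
    """Fail-closed check: 'allow', 'block' (executable member inside) or
    'quarantine' (an archive the scanner cannot fully verify)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() reads every member and verifies its CRC; it returns the
            # first bad member name, or None if all members are intact.
            if zf.testzip() is not None:
                return "quarantine"
            return "block" if _has_executable_member(zf) else "allow"
    except PARSE_ERRORS:
        # If the scanner cannot vouch for the contents, nobody should open them.
        return "quarantine"


# --- constructed samples (not real Mimail artifacts) -------------------------

def build_zip(member_name: str, payload: bytes) -> bytes:
    """Build an uncompressed (stored) zip so the payload bytes appear verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def corrupt_member_data(archive: bytes, payload: bytes) -> bytes:
    """Flip one byte inside a stored member so its CRC no longer matches."""
    idx = archive.find(payload)
    if idx < 0:
        raise ValueError("payload not found in archive")
    return archive[:idx] + bytes([archive[idx] ^ 0xFF]) + archive[idx + 1:]


FAKE_EXE = b"MZ fake executable body"  # constructed stand-in, not a real binary
BENIGN_ZIP = build_zip("notes.txt", b"quarterly notes\n")
EXE_ZIP = build_zip("invoice.exe", FAKE_EXE)
CRC_BROKEN_ZIP = corrupt_member_data(EXE_ZIP, FAKE_EXE)
TRUNCATED_ZIP = EXE_ZIP[:-10]  # end-of-central-directory record cut short


if __name__ == "__main__":
    samples = [("benign", BENIGN_ZIP), ("exe", EXE_ZIP),
               ("crc-broken", CRC_BROKEN_ZIP), ("truncated", TRUNCATED_ZIP)]
    for label, sample in samples:
        print(f"{label:11s} naive={naive_scan(sample):6s} "
              f"fail-closed={scan_zip_attachment(sample)}")
```

The difference that matters is the truncated archive: the naive scanner cannot read it, treats the failure as "nothing to scan" and delivers it, while the fail-closed check quarantines it. The archive with a bad CRC is caught by both, because its central directory still names the executable member, but only the fail-closed check notices that the member's contents do not match what the directory claims.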

"It all comes down to the human element," said Belthoff. "People still don't understand that they shouldn't blindly open file attachments."

Although the damage to infected machines is minimal, the e-mail traffic Mimail generates as it spreads may have an impact on businesses, Belthoff said.

Security firms have pegged the Mimail worm family as a medium or moderate threat, and none have revised their threat assessments since Mimail.C surfaced on Friday. So far, Mimail has not shown the staying power, or the potential to wreak as much havoc as, for instance, major worm attacks such as Sobig.

New tools to clean infected systems have appeared, however, including an automated utility available from the Symantec Web site that wipes out the C, D, and E variations.

TechWeb.