Yesterday a worm called AnnaKournikova spread aggressively through Outlook. The mechanism is essentially identical to ILOVEYOU ten months ago.
This is the third major incident of this category in 18 months. Worth writing about briefly to register the pattern.
What it does
The attachment is AnnaKournikova.jpg.vbs. Because Windows hides known extensions by default, the name can display as AnnaKournikova.jpg, which looks like a picture. The final extension is the one the shell acts on, so double-clicking hands the file to the Windows Script Host, which runs the VBScript with the user's privileges.
The script sends a copy of itself to every entry in the user's Outlook address book, modifies the registry to launch on reboot, and attempts to fetch a payload from a Dutch web server (which is up and serving a banner — the author appears to be signing the work).
What is interesting
AnnaKournikova was not written from scratch. The author generated it with VBSWG, a worm-construction kit with a graphical front end that lets someone with no programming knowledge assemble a worm by selecting options.
This is a meaningful escalation. ILOVEYOU required someone who could write VBScript. AnnaKournikova required someone who could click through a wizard.
The author was caught quickly. Within a week, Dutch police arrested a 20-year-old who confessed.
The damage was less than ILOVEYOU's. The mass-mail filtering that operators deployed after ILOVEYOU caught much of the AnnaKournikova traffic at the relay; the cumulative defensive infrastructure has improved.
Microsoft has shipped no structural fix. The structural changes I described earlier are not in Outlook as of 2001: a default install still hands a VBScript attachment to the script host, which runs it with the user's full privileges. The same attack continues to work.
What this teaches
Three mass-mailing worms in 18 months, all using the same fundamental mechanism. The defensive measures deployed are operator-side rather than platform-side. This is the wrong allocation; the platform should be addressing the structural issue.
For operators: the advice is unchanged. Strip executable attachments. Run antivirus. Educate users. Patch promptly.
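As an added example (not code from the original post), here is what "strip executable attachments" amounts to at the relay: a Python filter that parses a message, finds attachments whose final extension Windows will execute, including double-extension names like the AnnaKournikova.jpg.vbs described above, and replaces each with a text stub. The sample message is constructed here; the extension list and the function names are this example's own choices, not a standard.

```python
"""Relay-side attachment filter (added example, not code from the original
post): flag and strip attachments whose final extension Windows will execute,
including double-extension names such as AnnaKournikova.jpg.vbs."""
import email
import email.policy
from email.message import EmailMessage

# Extensions the Windows shell hands to a script host or loader on
# double-click. Assumed list for this example; tune it to local policy.
EXECUTABLE_EXTENSIONS = frozenset({
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "shs", "shb", "lnk", "reg", "chm",
})


def executable_extension(filename):
    """Return the extension Windows would act on, or None if it is benign.

    Only the final extension counts: 'AnnaKournikova.jpg.vbs' is a .vbs file
    however it is displayed. Trailing dots and spaces are stripped because
    the shell ignores them, and runs of internal whitespace are collapsed
    because they are used to push the real extension out of view.
    """
    if not filename:
        return None
    name = " ".join(filename.split()).rstrip(". ")
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return ext if ext in EXECUTABLE_EXTENSIONS else None


def is_double_extension(filename):
    """True when a benign-looking extension precedes the executable one,
    the 'looks like a picture' trick."""
    if not executable_extension(filename):
        return False
    return len(filename.strip().split(".")) >= 3


def strip_executable_attachments(raw):
    """Parse a raw RFC 822 message, replace every attachment carrying an
    executable extension with a text/plain stub, and return
    (cleaned_message, removed_filenames)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        ext = executable_extension(fname)
        if ext is None:
            continue
        removed.append(fname)
        part.clear_content()  # drops the payload and all Content-* headers
        part.set_content(
            f"[attachment {fname!r} removed by relay: .{ext} is executable]")
    return msg, removed


def build_sample():
    """Constructed mail resembling a mass-mailer's output: a one-line body,
    a double-extension attachment and a genuine image. The 'script' is an
    inert placeholder comment, not a worm."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = "Photo for you"
    m.set_content("Check this out!")
    m.add_attachment(b"' inert placeholder, not a script\r\n",
                     maintype="application", subtype="octet-stream",
                     filename="AnnaKournikova.jpg.vbs")
    m.add_attachment(b"\xff\xd8\xff\xe0 stand-in for JPEG bytes",
                     maintype="image", subtype="jpeg",
                     filename="holiday.jpg")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, gone = strip_executable_attachments(build_sample())
    print("removed:", gone)
    print(cleaned.as_string())
```

The check keys on the final extension because that is the only one the shell consults, whatever the mail client displays; a filter that looked for ".jpg" anywhere in the name would wave this attachment through. The stub is left in place of the part rather than silently dropped so the recipient can tell that the relay intervened.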
There is, frankly, nothing new to do. The advice is unchanged because the platform is unchanged.