Happy99 — the first modern email worm

There is a thing going around called Happy99 — also known by some scanners as Ska. It arrives as an email attachment. The attachment is a small Windows executable that, when run, displays a brief firework animation and a "Happy New Year 1999" greeting.

This is the cover story. Underneath the cover story it is doing something I have not seen done before: it is propagating itself by intercepting your own outbound email.

How it works, mechanically

The payload patches the WSOCK32.DLL — the Windows networking library that almost every Internet-aware Windows program uses. The patch installs a small piece of code between the program and the networking layer.

When your mail program later sends a message, the patched WSOCK32 quietly inserts a copy of the worm as an attachment to the outgoing mail before passing it on. The original mail goes through normally. The recipient gets your real message. They also get a small Happy99.exe they did not ask for, alongside it.

If the recipient opens the attachment, the same hook gets installed on their machine. Their mail program then carries the worm to its contacts. And so on.

Why this is a category change

This is not the first email-borne piece of malicious code. It is not even the first one this decade. What it is, as far as I can tell, is the first to combine three properties simultaneously:

  1. Self-propagation as the primary mechanism, with no further user action needed beyond opening the attachment once.
  2. Use of the user's own legitimate communications as the vector. Every email Mum sends to her sister now carries the payload.
  3. A persistence mechanism — the WSOCK32 hook — that survives reboots and most casual cleanup.

Put together, those properties produce something that grows without bound until two things happen: enough users patch their machines, or enough mail filters learn to strip the attachment.

Neither of those is fast. The first depends on noticing you have it, which Happy99 actively works against. The second depends on the mail provider implementing attachment-filtering, which most have not.

What it teaches us

A few things that are worth writing down before the obvious lessons calcify into truisms.

Trust is transitive in a way that the email model does not represent. When you receive a message from someone you know, the medium does not give you any way to distinguish "your friend wrote this" from "your friend's machine generated this autonomously". Both look identical to your mail client. The email-client UI is the wrong place to fix this; the protocol design is.

The blast radius of any compromised machine is now "the address book". This is much larger than "the local filesystem", which used to be the worst case. Every modern desktop has, sitting in plain text, the keys to a hundred more desktops in the form of regularly-corresponded-with addresses.

Executable attachments should never have been considered a normal mode of communication. The mistake here is twenty years old, dating back to early MIME. Most users now associate "received an attachment" with "open it". Reversing that is going to take a long time.

What can be done about it

For home users on Windows, very little, until the antivirus people produce a signature. By the end of next week, every major scanner will detect Happy99. Until then, if you have it, you have it.

For people running mail servers — and this is where I think the practical lesson lies — there is more that can be done. A mail relay can:

  • Strip executable attachments by default. Yes, this annoys some users. Yes, the alternative is worse.
  • Log the names and hashes of every attachment passing through, so that when you discover an attack pattern you can find every recipient.
  • Implement attachment-stripping at minimum for the obvious extensions — .exe, .scr, .pif, .com, .bat, .vbs. The list of dangerous extensions is finite and shorter than people think.

For anyone running a Linux mail server in front of Windows users, the appropriate place to do this stripping is at the SMTP gateway. procmail recipes can do it. So can Sanitizer. The principle is the same: the perimeter mail relay is the right place to apply policy that the endpoint cannot be trusted to apply.
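As an added example (not the post's own procmail recipes, nor Sanitizer), here is the relay policy described above written in Python's standard email library: it records the name and SHA-1 of every attachment for the audit log, replaces any part whose extension is on the list with a plain-text notice, and passes the genuine message through untouched. The sample message and its fake executable bytes are constructed for the example.

```python
"""Gateway-side attachment policy: log every attachment, strip executables."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# The post's list of obviously dangerous extensions; extend as needed.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}

def fingerprint(data):
    """SHA-1 of the decoded attachment bytes, for the relay's audit log."""
    return hashlib.sha1(data).hexdigest()

def extension_of(filename):
    """Last extension, lower-cased, so 'Report.TXT.exe' is caught as .exe."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""

def sanitize(raw):
    """Parse one message as received on the wire; return (cleaned, audit).

    audit is a list of (filename, sha1, action), action 'stripped' or 'passed'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    audit = []
    # Collect the leaf parts first so editing one cannot disturb the walk.
    leaves = [p for p in msg.walk() if p.get_content_maintype() != "multipart"]
    for part in leaves:
        name = part.get_filename()
        if not name:
            continue  # message body, not an attachment
        data = part.get_payload(decode=True) or b""
        digest = fingerprint(data)
        if extension_of(name) in BLOCKED_EXTENSIONS:
            # Keep the real message intact; only the payload part is replaced
            # (set_content drops the old Content-* headers, disposition included).
            part.set_content("[attachment %s removed by mail gateway]" % name)
            audit.append((name, digest, "stripped"))
        else:
            audit.append((name, digest, "passed"))
    return msg, audit

def attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def build_sample():
    """Constructed sample: a genuine note with an unwanted executable riding along."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "mum@example.com", "sister@example.com", "Hello"
    m.set_content("See you on Sunday.")
    m.add_attachment(b"MZ\x90\x00constructed-fake-exe", maintype="application",
                     subtype="octet-stream", filename="Happy99.exe")
    m.add_attachment("shopping list", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    cleaned, audit = sanitize(build_sample())
    print(audit)
    print(cleaned.as_string())
```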

What I think happens next

Happy99 is the proof of concept. The category is now demonstrated. I would expect, over the next twelve to eighteen months, to see at least one more email worm of similar architecture but more aggressive payload — something that does not just propagate, but also does damage on the way through.

It is hard to be sure of much in this discipline. I am fairly sure of this one. The economics are too favourable to the worm author, and the barrier to writing one is now obviously low.

More on this as the year develops. For now, I have spent the morning auditing the mail server I run for friends, and I am much less comfortable with what I find than I was a week ago.
