Halloween post — by tradition the mood is light, and this year the news is busy enough that I am writing about a new worm rather than the scariest log entries of last year.
A new mail-borne worm called Klez appeared earlier this month. It is, by my count, at least the fifth mass-mailing worm of 2001, after AnnaKournikova, SirCam, Nimda's email vector and several smaller ones. The cumulative volume of mail-borne malware this year exceeds every previous year combined.
What Klez does
Klez exploits a MIME-handling vulnerability in Internet Explorer (MS01-020), which Outlook and Outlook Express inherit because they use the IE engine to render mail: an attachment whose declared content type does not match its contents is executed when the message is displayed in the preview pane, with no click on the attachment. This is structurally important: it removes the user-action barrier that the other mass-mailing worms of this year relied on, and it is the same hole Nimda's mail vector used last month.
The propagation:
- Klez arrives as an email with a malformed MIME attachment.
- Unpatched Outlook and Outlook Express run the attachment as soon as the message is displayed or previewed.
- The worm installs itself on the host.
- It propagates to every entry in the user's address book and to addresses harvested from documents on disk.
- It attempts to disable antivirus software.
The address-harvesting from disk is particularly aggressive. Klez reads through documents looking for email addresses; this gives it a much larger contact graph than just the address book. The propagation rate is correspondingly faster.
What is structurally novel
Three things.
Auto-execution on preview. Klez infects a host as soon as the message is displayed, even if the user does nothing. It is not the first worm to run without a click (Nimda's mail vector used the same hole last month), but it is the first of this year's big mass-mailers to depend on that bypass rather than on the user opening something.
Address harvesting beyond the address book. Reading documents to find addresses is a substantial expansion of the propagation graph.
Anti-AV countermeasures. Klez specifically targets antivirus software, attempting to disable it. The arms race between malware authors and AV vendors continues.
What is happening operationally
From the operator chatter:
- Klez's propagation has been the fastest of any mail-borne worm to date. Many organisations were hit before they could patch.
- Antivirus vendors are pushing signatures aggressively; the cycle from new variant to deployed signature is shrinking.
- Microsoft's patch for the MIME vulnerability (MS01-020) has been out since March. Hosts that applied it do not auto-execute the attachment, though a user can still run it by hand; hosts that did not remain exposed.
What this teaches about the year
Looking at the cumulative malware events of 2001:
- January: Ramen (Linux)
- February: AnnaKournikova
- March: Lion (Linux)
- July: Code Red
- July-onwards: SirCam (continuing)
- August: Code Red II
- September: Nimda
- October: Klez
Eight named incidents in ten months, ten or so counting the smaller ones. The cadence is now about one per month, and each is operationally consequential.
This is the new normal. Where 1999 had three major mass-mailing worms in a year, 2001 has had around ten major incidents across multiple categories (the list above mixes Linux worms, server worms and mass-mailers). The operational tempo for defenders is significantly higher.
What operators should do
The usual: strip executable attachments at the relay; keep antivirus signatures current; patch promptly.
For Klez specifically: make sure the IE MIME patch (MS01-020) is on every machine that reads mail with Outlook or Outlook Express. The flaw is in the browser's rendering engine, not in Outlook itself, so patching Outlook alone does nothing. The auto-execution vulnerability is the structurally dangerous bit; patching it removes the bypass, and what is left is an ordinary attachment the user has to run.
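A relay-side filter for the "strip executable attachments at the relay" advice above, written as an added example for this post rather than taken from it or from any vendor's product. It assumes the MS01-020 pattern as the advisory describes it: an executable carried under an audio/* or image/* content type, typically inside multipart/alternative, so the mail client renders it inline instead of offering it as an attachment. The sample messages, the extension list and the function names are constructed for the example.

```python
"""Relay-side MIME attachment filter (constructed example, not from the post).

Flags the two things an unpatched Outlook would run on preview: executable
attachments, and the MS01-020 pattern of an executable labelled audio/* or
image/* so the client renders it inline. Flagged parts are replaced with a
notice so the rest of the message is delivered.
"""
import email
from email import policy

# Extensions the relay treats as executable. Constructed list; extend as needed.
EXEC_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".hta", ".lnk", ".reg",
}

# Content types an unpatched client renders inline without prompting.
INLINE_TYPES = ("audio/", "image/", "video/")


def extension(filename):
    """Lower-cased final extension of a filename, or "" if there is none."""
    if not filename:
        return ""
    name = filename.strip().lower()   # strip catches CRLF padding tricks
    dot = name.rfind(".")             # rfind catches "report.txt.exe"
    return name[dot:] if dot >= 0 else ""


def classify_part(part):
    """Return a reason to strip this leaf part, or None if it is acceptable."""
    ctype = part.get_content_type()
    # Content-Disposition filename first, then the Content-Type name parameter,
    # which is where the disguised part carries its .exe name.
    filename = part.get_filename()
    ext = extension(filename)
    if ext in EXEC_EXTENSIONS:
        if ctype.startswith(INLINE_TYPES):
            return "%s labelled %s (MS01-020 pattern)" % (filename, ctype)
        return "executable attachment %s" % filename
    if ctype in ("application/x-msdownload", "application/x-msdos-program"):
        return "executable content type %s" % ctype
    return None


def filter_message(raw):
    """Parse raw message bytes, neutralise flagged parts, return (msg, reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reason = classify_part(part)
        if reason is not None:
            reasons.append(reason)
            # set_content() drops the old Content-* headers, so the disguised
            # type, the filename and the base64 body all go together.
            part.set_content("[attachment removed by relay: %s]" % reason)
    return msg, reasons


# Constructed sample: an HTML body plus an "audio" part that is really an .exe.
# The base64 is just an MZ header and padding, not a program.
SAMPLE = b"""\
From: someone@example.invalid
To: victim@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body>Hello.</body></html>
--BOUND
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUND--
"""

# Constructed control: plain text, nothing to strip.
CLEAN = b"""\
From: someone@example.invalid
To: victim@example.invalid
Subject: notes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Nothing to see here.
"""

if __name__ == "__main__":
    for raw in (SAMPLE, CLEAN):
        cleaned, why = filter_message(raw)
        print("stripped:", why or "nothing")
        print(cleaned.as_string())
```

The type/extension mismatch test is what separates the disguised part from a legitimate .wav; the plain extension test is the ordinary relay rule that would have stopped AnnaKournikova and SirCam. This complements the patch rather than replacing it: an attachment that slips past the relay can still be run by hand, and only the patch removes the no-click execution.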
What I am thinking about
The accelerating cadence of incidents is starting to test the operational discipline of defenders. Many of the disciplines I have been writing about — structured logs, forensic readiness, response procedures — assumed an incident every few months. The current rate of one per month is straining the model.
For my own infrastructure and the friends I support, the operational cost of staying current is increasing. The advice has not changed; the cumulative work implied by the advice has.
For the field as a whole, I expect 2002 to see new approaches to handling the volume — better automation, better tooling, possibly some structural changes in how organisations are staffed for security work. The current model is sustainable but is being stretched.
More as the year wraps up. The year-end posts are coming.