Mimail is a worm that takes advantage of a vulnerability in Microsoft Corp.'s Windows Explorer to harvest email addresses and propagate itself. The worm arrives disguised as a message from the network administrator with an attached zip file. The message suggests that the recipient's email account will soon expire and urges him to read the attached information. The attachment, called 'message.zip', contains an HTML file which is a copy of the worm that then scours the user's hard disk looking for email addresses for its next round of victims.
Mimail doesn't carry a destructive payload, though, so only serves to clog up email systems and confuse users about a note from their administrator.
"It propagated really aggressively at first and got past a lot of anti-virus software," says Dan Ingevaldson, an engineering manager with Altanta-based Internet Security Systems, Inc. "It's spiking this morning but should calm down by the end of the week... There's lots of machines out there -- like a leper colony. They never get patched. They're not secure. And they get hit."
Mimail was first detected this past Friday when it raised concerns around the security industry, which is already on high alert for an expected worm that could exploit a vulnerability in Windows desktop and server operating systems to cause significant slow-downs and damage across the Internet. Security analysts say an upswing in hacker activity could be signaling the coming of a broad-scale attack that could potentially affect millions of networks.
The increased hacker activity is pinpointing a vulnerability in Microsoft Corp.'s Windows operating system. A problem with the Windows RPC Interface Buffer Overrun was first disclosed on July 16. Security experts say hackers started experimenting with the vulnerability almost immediately, and the rate of system probes and online chatter about the vulnerability has been skyrocketing.
When Mimail was released into the wild, many security analysts initially thought this was the attack they had been expecting. Those fears even shut down Internet connections Friday afternoon at several government agencies, including the Department of Homeland Security and the U.S. Secret Service.
David Wray, a spokesman for the Department of Homeland Security, says he did not have any information at deadline today about how many machines were affected or how long the shut downs lasted.
"Initially, people thought this was the worm exploiting the RPC vulnerability," says Chris Belthoff, a senior security analyst with Sophos, Inc., a security and anti-virus company based in Lynnfield, Mass. "Everyone is just on high alert."
Security analysts say hacker activity around the RPC vulnerability increased over the weekend. And Steven Sundermeier, vice president of products and services at Central Command Inc., an anti-virus company based in Medina, Ohio., says over the weekend they spotted a few pieces of malware, which they marked as proof of concepts, or experimental viruses.
"First, they scan to see how many servers out there are vulnerable," explains Sundermeier. "Then they release an initial code to get a gauge on how effective it will or will not be. Then they'll release a wilder version... At any given point, we can expect to see a worm based on RPC."
But industry observers say they're hopeful that the amount of publicity surrounding the RPC vulnerability and the increase in hacker activity could help defuse the attack once it arrives. The more computers that are patched and updated, the fewer machines that can fall victim to the coming worm. Analysts, also warn however, that they fear there are still millions of machines out there that have not yet been patched, leaving the Internet open to a potential large-scale problem.
"In cases like this when there are millions of vulnerable devices out there, there's a danger," says Ingevaldson. "Patching thousands of desktops is a lot of work. Everyone knows that patching is the solution in the long run, but the problem is that sometimes it takes months to install a patch across an enterprise."