Cyber Security Watch
October 6, 2003


US.BLAST.D Worm Wreaks Havoc on US Post Office, Mail Delivery Halted

The first computer worm to be able to infect regular paper mail and transmit itself through the U.S. Postal Service was discovered early morning Monday, October 6, in a suburban Memphis distribution center.  At approximately 9:45am, postal carrier Lawanna Philips discovered three envelopes infected with the new kind of virus in her carrying bag as she began her morning delivery rounds.  She immediately called her supervisor and notified him of the strange envelopes, and was instructed to return to the distribution center and not deliver any more mail until her supervisor had an opportunity to review the situation. 

The speed at which the virus spread was shocking, even to seasoned virus researchers.  By the time Lawanna returned to the Steinbeck, Tennessee distribution center at 10:00am, the virus was already interrupting a few deliveries between Memphis and Chicago.  Eight minutes later, the entire United States Postal Service suffered massive, cascading failures and ground deliveries came to an unexpected halt as the virus choked the network with its own traffic.  Virtually every piece of paper mail in the entire country, from birthday cards to magazines, from summons to subscription renewals, was infected with the worm in a matter of minutes -- and there was nothing anyone in the government or the computer industry could do to stop it.

A crisis of this nature has never hit the United States--or any developed nation--before.  Up until now, most security experts have accepted as common knowledge that computer viruses can only be spread through Microsoft Office documents, the Microsoft Worm Server, Microsoft Outlook email messages, or the Microsoft Internet Explorer web browser.  

The vulnerable Microsoft canvas mailbag, carried by more than ninety percent of US postal workers.

Analysis of the virus is still in its preliminary stages, but reports have begun to emerge from researchers which warn that the virus transmits itself by exploiting a previously unknown security hole sewn into the canvas mail bags carried by postal workers all over the country. Since early July when the terms of the government's previous contract with Canvas USA Co. expired, canvas bags have been provided to the government exclusively through a textile subsidiary of Microsoft Corporation.  According to statistics gathered in late August, more than ninety percent of postal carriers in the United States are already carrying the new Microsoft bags.

This dependency on a single vendor of canvas bags is what made the ground mail delivery network especially vulnerable to just this sort of attack, experts say.

The U.S. government has not yet released specific details regarding how the virus is transmitted.   Some clue may be provided by a recent story in Wired, which reports that a message was posted to a Japanese-language discussion board on September 26 of this year, and it described how to exploit a "theoretical security hole" a seamstress in Laos had discovered while she was assembling one of the Microsoft bags.  The "buffer exploit", as it was described, could hypothetically cause one of Microsoft's mail bags to bulge and then overflow slightly.  The "worm" would then use the overflow to trick the bag into running a malicious script of the attacker's choosing.

A worm, also known as a "trojan" or a "macro", is a computer program written to do harm. 

According to the message which described the theoretical attack, the virus would then look for names and addresses on the backs of envelopes to which it would mail copies of itself.  Once received and opened by recipient X, the infected letter will mail itself to any names and addresses it finds written in a journal, an address book or a daily planner.  It could even possibly cull addresses from post-it notes on a refrigerator.  The worm will also mail copies of itself back to everyone who has sent recipient X a piece of mail in the last five days.  

If this theoretical security hole could be exploited, wrote the anonymous poster, "a sudden overload of the US Mail system could occur in just minutes, almost too fast for anyone to realize what has happened."

No one is certain if this is exactly the type of attack that occurred.  One solid detail that has emerged from virus researchers working on restoring the US mail system is that in addition to spreading through ground delivery routes and home address books, the virus also uses a wedding invitation that has an RSVP card enclosed to establish a connection to the IRC network, but the method and purpose of this connection are still unknown.

There are already numerous reports that the letter which has crippled ground mail delivery across the entire nation will be addressed to the victim who receives it, but it will have a return address purporting to be from "Credit Card Company" followed by a post office box number in Taiwan, and it will be stamped "Three Due Notice Late Payment" in red ink on the front.  Everyone is therefore warned not to open any such letter if it is received.  Dispose of it immediately either by burning or shredding.  Until a patch can be created by Microsoft and deployed by the MCSEs who maintain the nation's critical infrastructure, President Bush has urged all Americans to lock in a safe or a drawer all of their pens, pencils, stamps, white paper and envelopes so that they cannot be exploited by the virus and used to write out more copies of itself.

Microsoft CEO Steve Ballmer condemned the attacks as the work of "thieves, con artists, terrorists and hackers".

Microsoft CEO Steve Ballmer issued a statement in response to the catastrophe, where he condemned the attacks as being the work of "thieves, con artists, terrorists and hackers" who are intent on destroying American freedoms and embarrassing Microsoft.  He also reiterated that Microsoft is focused first and foremost on the security of its products, as it always has been since early last year.  He said the scripting vulnerability discovered today in the Microsoft canvas mail bag was due to a rich content feature the company's customers had asked for. 

He also said the situation will improve in coming years, as big changes are in store for the WormBasic programming language and its web derivative, WormScript.  Once ported over to the Microsoft .NET trusted framework, rich worms written using the new Worm# (worm-sharp) language will be much more secure, he promised.

Microsoft is about to release a preliminary security patch which should protect some of its mail bags from the exploit utilized by the US.BLAST.D worm.  The company said it will release a patch for this patch in a month or two, which should secure more bags and correct problems caused by the initial patch.

Users of alternative mail and package delivery systems such as FedEx and UPS are not affected by the virus, researchers said.  "It's not that the non-Microsoft canvas bags used by FedEx and UPS are inherently more secure," explained Jorge Lopez, a Microsoft Certified Systems Engineer, "it's that the U.S. Postal Service represents a much, much larger target for hackers."



Notice: this site (Division Two magazine) was restored from its original location by Shlomi Fish, as he found it amusing. He hosts it on his domain and maintains information about it on his home site. Shlomi Fish is not responsible for the contents of divisiontwo.shlomifish.org.