MyTob Hits

School was hit by the MyTob worm this week. We plugged the hole with tighter restrictions on SMTP traffic within our network, but the successful infection underscores a larger problem with networks on the whole. Schools and other institutions typically protect their networks with a firewall, antivirus software, and spam filters. This kind of worm defies all three in the typical network, because it only takes one infected laptop carried onto campus to bypass these server-based, externally-focused defenses. In a mobile world, we need to focus more attention on protective measures for internal traffic. Unfortunately, this means more work to implement these measures and to deal with the restrictions on legitimate uses that will undoubtedly arise.

4 comments

  1. Zach Lipton says:

    The really dangerous thing with this is not just how easy it is for one mobile user to spread the worm to the whole internal network, but in how well it is able to convince people to open the attachment and infect themselves. Most students (and probably many faculty and staff as well) are likely to open a message from the "Sfuhs Account Team" ordering them to take action, especially when it comes through a school account where they rarely receive spam and viruses. One of them that I got was really lucky and spoofed its From header with your email address. I think that most people are likely to obey instructions from you about their account, especially if they don’t have the training or knowledge to look for danger signs.

    If nothing else, perhaps it is time for outgoing mail servers to quarantine messages that appear to consist of the mass communication of viruses. At least right now, these messages follow an incredibly predictable pattern (sent to a large number of users, containing some kind of executable attachment, etc.).

  2. rkassissieh says:

    I absolutely agree with this point. Specifically, we now reject all messages from internal addresses other than our own mail server and web site. MyTob runs a tiny SMTP server on the infected computer to generate mail.

  3. rkassissieh says:

    We examined nearly 100 teacher/staff machines and found eight infections. So the message is getting around, but it doesn’t take many to create a big headache. No school student computers were infected, since student accounts are not allowed to run non-permitted applications. I don’t know how many student home computers were infected, nor can I guess who brought the first infected computers on campus.

  4. Zach Lipton says:

    8/100 isn’t bad actually, although I suppose that some number of those teacher/staff machines are Macs. I am glad the security policy worked on the school machines, as trying to clean up the damage otherwise would be a real pain (not that examining 100 machines isn’t a pain in and of itself). I hate to think how many people opened the attachment at home.
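The two controls discussed in the thread (the post and comment 2: only the mail server and web site may originate SMTP from inside the network; comment 1: the outgoing mail server should hold messages that look like mass-mailed executables) can both be expressed as a few lines of detection logic. The script below is an added example written for this page, not code from the original post or from the school. The 10.0.0.0/8 campus range, the 10.0.0.25 mail server and 10.0.0.80 web server, the flow-log format, the attachment extension list, the recipient threshold and every log line and message are constructed for illustration.

```python
"""Egress-SMTP policy check plus an outbound-mail quarantine heuristic.

Added example for the MyTob thread; not code from the original post.
All addresses, host roles, thresholds, log lines and messages are constructed.
"""
import ipaddress
import re

# Assumed campus layout: one internal /8, and exactly two hosts that are
# allowed to originate SMTP (TCP/25): the mail server and the web server.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SMTP_SOURCES_ALLOWED = {
    ipaddress.ip_address("10.0.0.25"),  # hypothetical mail server
    ipaddress.ip_address("10.0.0.80"),  # hypothetical web server (form mail)
}

# Constructed flow-log format: "<timestamp> <src> -> <dst>:<dport>/<proto>"
FLOW_RE = re.compile(
    r"^\S+\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>\w+)$"
)


def parse_flow(line):
    """Return (src, dst, dport) for a well-formed TCP flow line, else None."""
    m = FLOW_RE.match(line.strip())
    if not m or m.group("proto").lower() != "tcp":
        return None
    return (ipaddress.ip_address(m.group("src")),
            ipaddress.ip_address(m.group("dst")),
            int(m.group("dport")))


def smtp_policy_violations(lines):
    """Internal hosts other than the allowed senders that open TCP/25.

    Returns {src: number of distinct SMTP destinations}. A worm-carried SMTP
    engine shows up as one workstation fanning out to many mail hosts; a
    single misconfigured mail client shows up with one destination.
    """
    fanout = {}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport = flow
        if dport != 25 or src not in INTERNAL_NET or src in SMTP_SOURCES_ALLOWED:
            continue
        fanout.setdefault(str(src), set()).add(str(dst))
    return {src: len(dsts) for src, dsts in fanout.items()}


# Quarantine heuristic for the outgoing mail server: an executable (or
# archive) attachment going to many recipients. Both lists are assumptions.
RISKY_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip"}
MASS_MAIL_THRESHOLD = 20


def quarantine_reasons(msg):
    """Return the reasons to hold `msg`; an empty list means deliver it.

    `msg` is a dict with 'from', 'to' (list of addresses) and 'attachments'
    (list of filenames), a constructed stand-in for a real MTA policy hook.
    """
    reasons = []
    recipients = msg.get("to", [])
    risky = [a for a in msg.get("attachments", [])
             if any(a.lower().endswith(ext) for ext in RISKY_EXTS)]
    if risky and len(recipients) >= MASS_MAIL_THRESHOLD:
        reasons.append(f"attachment {risky[0]!r} sent to {len(recipients)} recipients")
    return reasons


# Constructed sample data: 10.0.3.17 behaves like an infected workstation,
# 10.0.4.40 like a single misconfigured client, 10.0.0.25 is the mail server.
FLOW_LOG = """\
2005-03-01T09:12:01 10.0.3.17 -> 10.0.0.25:25/tcp
2005-03-01T09:12:02 10.0.3.17 -> 192.0.2.10:25/tcp
2005-03-01T09:12:02 10.0.3.17 -> 198.51.100.7:25/tcp
2005-03-01T09:12:05 10.0.0.25 -> 192.0.2.10:25/tcp
2005-03-01T09:12:09 10.0.4.40 -> 10.0.0.25:25/tcp
2005-03-01T09:12:11 10.0.4.40 -> 203.0.113.9:80/tcp
2005-03-01T09:12:12 10.0.3.17 -> 192.0.2.10:25/udp
not a flow line
""".splitlines()

WORM_MSG = {  # constructed: spoofed internal sender, mass mailed archive
    "from": "account-team@school.example",
    "to": [f"user{i}@school.example" for i in range(40)],
    "attachments": ["account-details.zip"],
}
LEGIT_MSG = {  # constructed: one teacher mailing one parent a PDF
    "from": "teacher@school.example",
    "to": ["parent@example.org"],
    "attachments": ["syllabus.pdf"],
}

if __name__ == "__main__":
    print("SMTP policy violations:", smtp_policy_violations(FLOW_LOG))
    print("worm message:", quarantine_reasons(WORM_MSG))
    print("legit message:", quarantine_reasons(LEGIT_MSG))
```

Run against the constructed flow log, the policy check reports 10.0.3.17 with three distinct SMTP destinations and 10.0.4.40 with one; the fan-out count is what separates a worm engine from a stray mail client, which is why the function returns it rather than a plain yes/no. The quarantine heuristic holds the mass-mailed archive and passes the one-recipient PDF. In practice the first check belongs on the firewall or flow collector and the second on the outbound relay, so the relay still sees the "Account Team" message even when it arrives through the legitimate mail server.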