Why I Hate Microsoft
Part 1: Worms and Viruses

Phil Karn, KA9Q

We don't care. We don't have to. We're Microsoft.
(Apologies to Lily Tomlin)
People sometimes ask me why I loathe and detest Microsoft with such a visceral passion. A major reason is the never-ending stream of viruses and worms infesting their abysmally insecure software.

My wife is a nurse. If one of her patients developed a staph infection because she neglected to follow proper sanitary procedures, would she be able to blame it all on the staph bacteria? Of course not! But when Microsoft fails to practice proper software engineering hygiene, they just shrug off the resulting flood of worms and viruses as the fault of the lower life-forms who write them. And they get away with it!

Just as Ronald Reagan became the Teflon President by smiling, shrugging and acting (?) senile, Microsoft has become the Teflon Software Monopoly. And Bill Gates is still the world's richest man. Not because he's earned it, but because he has strong-armed his competition so successfully with dishonest business practices that most people simply don't know that computer software doesn't have to be so wretched.

There are, of course, better alternatives: GNU/Linux, BSD and Mac OS X. They are completely immune to every Windows virus or worm, unless they're running a Windows emulator. But Windows worms can still clog up our mail systems and network links. I have been especially inconvenienced by two virulent email worms, Klez and SoBig.F. (Also see this writeup on SoBig.F.) All because I contributed to a piece of open-source software that people found useful. As the saying goes, no good deed goes unpunished.

First, some background. In 1995, I became interested in error correction coding. I found a nice Reed-Solomon encoder/decoder written by Robert Morelos-Zaragoza and Hari Thirumoorthy at the University of Hawaii. I enhanced their software, added my own name to theirs, and put it on my website. A year later, Luigi Rizzo, an Italian programmer, picked up my package and made it the basis of a "reliable multicast" protocol implementation. He credited us for the Reed-Solomon routines and, like us, made his software freely available.

The Klez Worm

In early 2002, I was flooded by a new email worm, Klez, with many copies appearing to come from Robert, Hari or Luigi. I quickly verified that they weren't at fault; they, like me, run Linux or BSD so we're all immune to the many worms and viruses endemic to Microsoft systems.

Deepening the mystery was the fact that nearly all of the Klez was coming to an old email address, karn@ka9q.ampr.org, that I stopped actively using when I got the domain name ka9q.net. Relatively few came to my current email address, karn@ka9q.net. Why was this?

A Google search quickly provided a clue. Microsoft distributes the file RELNOTES.HTM with Windows XP. (It may actually be downloaded automatically during the registration process. I don't have Windows XP, so I can't check.) It contains copyright and authorship credits for all the third-party software that Microsoft includes in its releases. (Like Disney, Microsoft is happy to borrow from the public domain without giving anything back.) And because Microsoft had picked up Luigi's reliable multicast implementation and included it in Windows XP, this file contained all our email addresses.

I learned that the Klez worm compiles a list of email addresses by scanning files on the machines it infects. It uses this list both as targets to attack and in the "From" field of the copies of itself that it sends out. Since RELNOTES.HTM was on so many Windows machines where it could be found by Klez, many copies of Klez were sent to the addresses it contained, or with one of those addresses in the "From" field. Not only was Klez relentlessly attacking me, but it was making it appear to the whole world that I was infected and spreading the worm myself!

I quickly reconfigured my mail system to shunt incoming Klez copies to a separate file. I had vague notions of eventually performing a statistical analysis on this data. A year later, after collecting many gigabytes (compressed) of Klez worms, I still hadn't gotten around to doing anything with them. Noticing that Klez still accounted for about 98.5% of all my incoming email traffic by byte count (with all spam included in the remaining 1.5%), I decided to pull the plug.

Rather than just revoke the ka9q.ampr.org domain, I kept its MX records in place and removed ka9q.ampr.org from the list of local aliases in Exim, my email transfer agent. Exim's anti-relay rule then rejected any attempt to send mail to ka9q.ampr.org after logging the attempt but before the body of the message had been sent. This cut the traffic down enormously but still allowed me to log the worm's activity.

SoBig.F

Klez is still out there, but its activity had steadily decayed over the past year, so I wasn't paying much attention to my log files. All that changed on the morning of August 19, 2003. Several copies of a new worm landed in my regular mailbox, so after adding a procmail rule to detect it I looked at my mail log. My eyes almost popped out. Every few seconds, my mailer rejected another attempt to send mail to karn@ka9q.ampr.org. I then read about yet another new email worm, SoBig.F, that spreads in the same manner as Klez, by harvesting email addresses from local files on the infected machine. And unlike Klez, SoBig.F is multithreaded. This makes it incredibly virulent. Argh!

I tossed together some Perl and shell scripts to crunch my mail log files and generate plots of SoBig.F's activity on my machine. The numbers are simply astonishing. I'm generating these plots manually, so they may not be up to date. But they give a good idea of the sheer scale of this thing. And it was all made possible by Microsoft's carelessness, incompetence, arrogance and the sheer contempt they display toward their captive users.

The two big dips in the arrival rate on Aug 22 are local artifacts. The first apparently started when the rapidly growing mail log file on one of my two mail servers ran its disk partition out of space; note that the arrival rate dropped roughly in half. It ended when cron performed its automatic daily log rotation and compression. The second dip started when the disk again filled up, and it ended when I noticed the problem and moved the /var/log directory to a bigger disk partition.

The big rate spike on August 25 is unexplained.

On August 27, I submitted a request to delete homer.ka9q.net as an MX for the ka9q.ampr.org zone. By accident, both MX records were deleted for a period of hours on the 28th, resulting in a decay of worm activity as the older records' times-to-live expired. I have since reinstated the record for tunnel.qualcomm.com, so I expect that the activity will soon settle at one half of its previous level.

It is most depressing to see the activity settle into a consistent daily pattern with no sign of a decline after an entire week of activity. SoBig.F may turn out to be as persistent as Klez, only more virulent. Sigh.

The large ISPs must share some of the blame with Microsoft for the unabated spread of this worm. For days I have been trying without success to reach competent humans at SBC (formerly Pacific Bell) and Time Warner Road Runner to report that several IP addresses belonging to their DSL and cable networks have been hammering nonstop on my mail servers. One SBC DSL IP address, 63.206.89.239, singlehandedly accounts for over half of the hits! Another SBC DSL IP address is 63.202.177.68, accounting for another 20% or so. In third place is 24.106.16.169, a Road Runner Business IP address, with 6% of the total.
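The log crunching described earlier (Perl and shell scripts producing an arrival-rate series) and the per-source-address shares quoted just above can both be reproduced from the MTA's reject log. This is an added example, not Phil's own scripts: it assumes Exim-style "rejected RCPT ... relay not permitted" log lines (the sample log is constructed, with the three IP addresses from this page plus invented timestamps and sender addresses), counts rejections per source IP with each one's share of the total, and buckets them per hour for plotting.

```python
import re
from collections import Counter

# Constructed sample of Exim main-log lines (not the real ka9q.net log).
# Only relay rejections for the dead address count; the "<=" line is a
# normal delivery to the current address and the last line is a rejection
# for some other recipient, so both must be ignored.
SAMPLE_LOG = """\
2003-08-19 07:58:03 H=(adsl-63) [63.206.89.239] F=<luigi@example.org> rejected RCPT <karn@ka9q.ampr.org>: relay not permitted
2003-08-19 07:58:09 H=(adsl-63) [63.206.89.239] F=<hari@example.edu> rejected RCPT <karn@ka9q.ampr.org>: relay not permitted
2003-08-19 07:58:41 H=(adsl-2) [63.202.177.68] F=<robert@example.edu> rejected RCPT <karn@ka9q.ampr.org>: relay not permitted
2003-08-19 07:59:12 1ZxY3c-0001aB-Qe <= friend@example.net H=(mail.example.net) [192.0.2.10] P=esmtp S=1523
2003-08-19 08:00:02 H=(adsl-63) [63.206.89.239] F=<luigi@example.org> rejected RCPT <karn@ka9q.ampr.org>: relay not permitted
2003-08-19 08:01:17 H=(rr-biz) [24.106.16.169] F=<karn@ka9q.net> rejected RCPT <karn@ka9q.ampr.org>: relay not permitted
2003-08-19 08:01:55 H=(adsl-63) [63.206.89.239] F=<hari@example.edu> rejected RCPT <karn@ka9q.ampr.org>: relay not permitted
2003-08-19 08:02:30 H=(adsl-2) [63.202.177.68] F=<luigi@example.org> rejected RCPT <karn@ka9q.ampr.org>: relay not permitted
2003-08-19 08:04:01 H=(adsl-63) [63.206.89.239] F=<luigi@example.org> rejected RCPT <karn@ka9q.ampr.org>: relay not permitted
2003-08-19 08:05:20 H=(mail.example.net) [192.0.2.10] F=<spammer@example.com> rejected RCPT <nobody@elsewhere.example>: relay not permitted
"""

# One reject line: timestamp, sending host's IP in brackets, rejected recipient.
REJECT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] .*?rejected RCPT <(?P<rcpt>[^>]+)>"
)

def parse_rejects(log_text, target="karn@ka9q.ampr.org"):
    """Return (date, hour, source_ip) for every relay rejection aimed at target."""
    hits = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m and m.group("rcpt").lower() == target:
            hits.append((m.group("date"), m.group("hour"), m.group("ip")))
    return hits

def per_ip_share(hits):
    """Rank source IPs by hit count, with each one's percentage of the total."""
    counts = Counter(ip for _, _, ip in hits)
    total = sum(counts.values())
    return [(ip, n, round(100.0 * n / total, 1)) for ip, n in counts.most_common()]

def hourly_rate(hits):
    """Hits per (date, hour) bucket: the arrival-rate series one would plot."""
    return Counter((date, hour) for date, hour, _ in hits)

if __name__ == "__main__":
    hits = parse_rejects(SAMPLE_LOG)
    print(f"{len(hits)} rejected attempts to karn@ka9q.ampr.org")
    for ip, n, pct in per_ip_share(hits):
        print(f"{ip:>16} {n:4d} {pct:5.1f}%")
    for (date, hour), n in sorted(hourly_rate(hits).items()):
        print(f"{date} {hour}:00 {n}")
```

On a real log, pipe the file in place of SAMPLE_LOG; because rejections happen at RCPT time the log records one line per attempt with no message body, so the file stays small enough to crunch daily.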

Complaints to abuse@sbcglobal.com and similar addresses have gone unanswered. I repeatedly tried to navigate the voice-mail hell at SBC's main published number, 1-800-463-8724. There is no menu item specifically for security or abuse, and when I try the others I am either placed on hold for long periods or reach operators who don't know how to handle the problem. One finally referred me to SBC's dedicated policy and abuse number, 1-866-241-7363, but no one answers.

As for Road Runner, several days after forwarding them mail server log excerpts with an explanation that I was blocking the body of the worm because of the enormous amount of traffic, they replied with a form letter asking for message headers! The apathy and incompetence in these organizations is eclipsed only by Microsoft.

Perhaps some good will come out of this sorry episode. Although worms and viruses have been endemic to Microsoft software for a long time, the current swarm is so bad that many people are finally taking notice. See, for example, this open letter to Tom Ridge from the Computer and Communications Industry Association. It warmed my heart.

Last updated: 6 Sep 2003 Phil Karn