Mail Viruses


The Summer Palace.

Thoughts on e-mail viruses: Since I spend quite a lot of time dealing with email, an increasing amount of which is generation by various virus programs, and since I don't use any windows machines that could be affected, I feel I'm in a great position to make dispassionate comments on where things are going.

Here's a selection of my musings, thoughts, and fears.

March 8 2004

Well, the worst seems to be over, or at least the users are well on their way to next week, when all the warnings about dangerous behavior will have faded into the background.

All we're left to think about now is "What next?". In some senses, we'd be hard pressed to think of anything more effective than some of the existing viruses, but there's plenty of scope. Along the lines of the latest Bagle, a better approach would probably be to scour mail for various Ccs which could then be replayed to all recipients faked from the original sender. Adding keywords like "Update" and "Resend" would probably help. Naturally any attachments would now by virus vectors. It would certain save a lot of effort on the part of intelligent virus body generators, and who can really imagine educating your average email user to avoid such a threat?

While we're on the subject of viruses, it's not going to be too long before we see javascript in emails that can, with the addition of a password, decrypt some payload, or key-requiring Word documents that unencrypt some payload. The idiots running the borders cannot sustain an everything that cannot be scanned must be thrown away policy when the force of user indifference over the virus threat comes to bear.

Has anyone considered the damage a well-designed virus payload which has an armour-piercing profile could do? Something that stealths its way through a network border in some way and then once it hits the typical corporate soft underbelly immediately attacking and destroying all the local machines via the windows remote exploit of the day. A more stealthy blaster that struck slowly and *internally* causing complete destruction rather than sending out beacons would have ensured far more actual effect.

March 4 2004

It seems clear that we're on the cusp of a whole new type of email virus threat. Whereas every attempt until today has been genuinely crude, I think we're seeing the first of a new approach by virus writers. Instead of relying on innate user stupidity, or trying to invent fictitious relationships, this new virus actively seeks to infiltrate existing communication relationships. Possibly the most deserving victims have been the massive non-voluntary-membership mailing lists run by most universities. When you send messages to thousands of students via these lists, and when list posting is moderated only on a From: header, the phrase "like a dose of salts" doesn't come close to describing the alacrity with which the obvious vulnerability would be exploited.

Bagle's selection of existing Cc lists to find source and destination addresses has led to even hardened sensible users having doubt as to whether a particular email is genuine. Other variants seem to be pretending to come from the local support address, but this has been done before. Noone really believes that Microsoft would send them a security patch now, either.

The use of encrypted zip files with a password included in the body of the email was sheer genius. This was the first body-blow against the establishment's border virus scanners. Particularly amusing was watching the panic as responsible parties scrambled to find a scapegoat for the sudden unchecked stream of virus vectors when the only culprit was their own lack of imagination. These same people then believed that merely blocking every zip attachment would make the problem go away.

I'm glad that the people behind the virus appear to have made at least one small mistake we can use to get a fingerhold on the damn thing.

February 2004

Remember the days of the Internet virus hoax? Don't open this email titled "Good Times" or it will hurt you? There's a virus-image on the porn newsgroups, looking at it can wipe your computer...

I can't think of a *single* virus hoax of the last decade that isn't, or hasn't been, true thanks to the massive shortsightedness of the crack-monkeys who have given the world the windows/office/outlook/IE platform. This isn't a happy thought.

August 2003

People put a lot of faith in border virus protection. I watched a laptop leave this site and meander its way across Europe. Every now and then, it would be dialed into the internet for a few minutes to check email. A little over a month after it left here, it was set up in a certain Italian University whereupon the various blaster variants it had picked up brought whole sections of that institution to its knees.

There's almost certainly something deeply meaningful in there, if only the policymakers had the wits to see it.

© Bruce Murphy 2004
pack-rnet@rattus.net