Tuesday June 03, 2003
05:08 PM

Viruses, no front lines anymore

Once upon a time, viruses were something that happened to someone else.

First there was the Morris worm. Sure, it brought the Internet to its knees, but in 1988 who was connected to the Internet? Not me. Ironically, one of the holes it got in through was in sendmail, which plagues us still today.

Then there were trojan horses. But those were only a problem if you downloaded files from untrusted people, and I knew the sysops of the BBSs I downloaded from. So who cares?

Then there were the Word document macro viruses. But they only affected users of that silly, bloated Word 6.

On come the viruses that use VBScript holes. But if you're smart you shut the VB scripting engine off, or just don't run Windows.

Along comes the Cult of the Dead Cow with Back Orifice (the name a pun on MS BackOffice) for remote-controlling Windows boxes. HAHAHA! Silly Windows users.

Then came the email viruses. HAHAHA! Look at the funny Outlook users opening executables and getting their machines trashed.

The venerable hoax virus rears its head, transforming itself into a real email virus that uses humans as its vector: ignorant office mates forwarding on the hoax warnings. I once got so frustrated by these that I threatened to send a real virus to anyone in the office who sent a hoax warning without first checking the Symantec Hoax Page.

So there I sit, smug on my Linux machine or Mac, virus free. Then along comes the new breed of email viruses: Melissa and ILOVEYOU, and IIS worms like Code Red. These spread so rapidly that they affect the health of the Internet. Something has changed in the virus war. No longer is it only the ignorant Windows users being affected, or the fools who thought that was the last root exploit in sendmail. No, now everybody is feeling it.

And suddenly it's not so funny anymore.

And it got worse.

Klez. This is when everything in the virus war changed, when it went from schadenfreude to sadism. No longer was it enough to just not run Windows and make sure you were reasonably up to date. No longer were viruses damaging only those who chose to be vulnerable. No, Klez harvested email addresses from infected machines and mailed itself to them. Worse, it forged one of those harvested addresses into the From line, so the apparent sender is some innocent third party rather than the infected machine. Now we're shooting non-combatants. This is the viral equivalent of carpet bombing.

Worse, these viruses aren't even interesting hacks. You used to have to cause a segfault and insert some Really Clever machine code to do an exploit. Now it's gotten so easy to exploit holes in Windows, or to social engineer people into opening untrusted files, that even illiterates can write an Internet-crushing virus in a few hundred lines of poorly formatted VB. Insecure by design, and they just keep coming. There's no challenge anymore. It's gone from an intellectual game to simple thug vandalism.

And now that I've got my mail filters running well enough to block both spam and viruses, along comes a new problem. See, my email address is all over the place. So far I've been able to hold back the crushing weight of spam and Klez-like viruses using SpamAssassin; I estimate it chucks about 50-500 pieces of email a day. Now there's a new kind of plague in my inbox. It's not a virus itself but a meta-virus, a side effect of the virus. Every day I get dozens of emails from MTAs and virus scanners helpfully(?) informing me that I sent them an email virus. This is the result of my address being so widespread and the Klez viruses using it in From lines: the warning goes to the forged address, which by construction is never the infected machine.

I have no defense against this new flood. They're so close to legitimate bounce messages that I can't tweak SA to throw them out without tossing real bounces. It's unfortunate that sysadmins with good intentions are now causing me more trouble than the viruses they're trying to inform me of.

And that's where it stands. It's unfortunate that, like so many things these days, the battle lines have been erased, everyone is getting dragged in, and no amount of security measures on my part can do anything about it. It's only a matter of time before someone semi-literate writes an email virus that mutates its headers and body in such a way as to be unstoppable by current analysis techniques.

  • Dude! You're forgetting the 2400 baud subcarrier virus!


  • Someone in Russia has started using my whole domain to send spam from. I'm getting close to the point of just trashing all bounces and using a separate account for personal mail. It's a pain, but might just save me a lot of time.
  • I've been receiving a lot of "Undeliverable mail" type messages recently. So I added procmail filters to reject any that don't have my real address in the To: line. It's not 100% perfect, and I suppose I could dump real bounces. But when am I ever going to use "uweigand at drewtaylor dot com" as an email address? Adding that filter makes me feel a lot safer, that and just putting it directly into my trash folder. :-)
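The post says there is no way to tell these virus-scanner notices from real bounces, and the comment above approximates one by checking the To: line of the bounce against the addresses actually in use. The approach known as BATV (Bounce Address Tag Validation) turns that comment's idea into a check that cannot be guessed: every message you send goes out with a Return-Path that carries a short keyed MAC and a day counter, so a bounce is only accepted if it comes back to an address you signed recently. A forged From line on a Klez message never carries your tag, so the scanner's notice lands on an untagged address and can be dropped. The code below is an added example, not from the post or its comments; the secret key, the frozen "today" day counter and both sample messages are constructed for the demonstration.

```python
"""Added example: BATV-style tagged Return-Path to separate real bounces from
backscatter.  Not from the original post; SECRET, TODAY and the sample
messages are constructed for the example."""
import email
import hashlib
import hmac
import re
from email.utils import parseaddr

SECRET = b"example-only-secret-rotate-me"   # assumption: known only to our MTA
TODAY = 12345                               # days since the epoch, frozen for reproducibility
MAX_AGE_DAYS = 7                            # how long a tagged address stays valid

# Tagged local part looks like: prvs=<DDD><6 hex chars>=<original local part>
_TAG_RE = re.compile(r"^prvs=(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def _mac(day, addr, secret):
    """Short HMAC binding the address to the day counter (mod 1000)."""
    data = f"{day % 1000:03d}{addr.lower()}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:6]


def tag_sender(addr, secret=SECRET, day=TODAY):
    """Envelope sender (Return-Path) to use when we send mail from addr."""
    local, domain = addr.rsplit("@", 1)
    return f"prvs={day % 1000:03d}{_mac(day, addr, secret)}={local}@{domain}"


def verify_tag(addr, secret=SECRET, day=TODAY, max_age=MAX_AGE_DAYS):
    """True only if addr carries a tag we issued within the last max_age days."""
    local, _, domain = addr.partition("@")
    m = _TAG_RE.match(local)
    if not m:
        return False            # untagged: we never used this as a Return-Path
    ddd, mac, orig_local = int(m.group(1)), m.group(2).lower(), m.group(3)
    original = f"{orig_local}@{domain}"
    for age in range(max_age + 1):
        d = day - age
        if d % 1000 == ddd and hmac.compare_digest(mac, _mac(d, original, secret)):
            return True
    return False                # bad MAC, or a replayed tag that has expired


def is_bounce(msg):
    """Recognise a delivery-status report or a MAILER-DAEMON / null-sender notice."""
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status"):
        return True
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return (sender.startswith(("mailer-daemon@", "postmaster@"))
            or msg.get("Return-Path", "").strip() == "<>")


def classify(raw, secret=SECRET, day=TODAY):
    """Return 'legit-bounce', 'backscatter' or 'not-a-bounce' for one raw message."""
    msg = email.message_from_bytes(raw)
    if not is_bounce(msg):
        return "not-a-bounce"
    # A bounce is addressed to the envelope sender of the original mail.  If we
    # sent that mail the address carries our tag; a forged From line cannot.
    bounce_to = parseaddr(msg.get("To", ""))[1]
    return "legit-bounce" if verify_tag(bounce_to, secret, day) else "backscatter"


def sample_backscatter():
    """Constructed: a scanner 'helpfully' bouncing a Klez message whose From
    line was forged to our plain, untagged address."""
    return (b"From: MAILER-DAEMON@mail.example.org\r\n"
            b"To: <me@example.com>\r\n"
            b"Subject: Virus found in message you sent\r\n"
            b"Content-Type: text/plain\r\n\r\n"
            b"Your message contained W32/Klez and was not delivered.\r\n")


def sample_real_bounce():
    """Constructed: a user-unknown DSN for mail we really sent, so it comes
    back to the tagged Return-Path we put on it."""
    tagged = tag_sender("me@example.com")
    return ("From: MAILER-DAEMON@mx.example.net\r\n"
            f"To: <{tagged}>\r\n"
            "Subject: Returned mail: User unknown\r\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\nThe user is unknown.\r\n"
            "--b1\r\nContent-Type: message/delivery-status\r\n\r\n"
            "Reporting-MTA: dns; mx.example.net\r\n\r\n"
            "Final-Recipient: rfc822; nobody@example.net\r\nAction: failed\r\nStatus: 5.1.1\r\n"
            "--b1--\r\n").encode()


if __name__ == "__main__":
    for name, raw in (("backscatter", sample_backscatter()), ("real", sample_real_bounce())):
        print(name, "->", classify(raw))
```

The check belongs in the MTA rather than procmail: reject mail with a null or MAILER-DAEMON sender to an untagged address at SMTP time so it never reaches the inbox, and keep the plain address deliverable for everything else. The day counter limits how long a harvested tagged address can be replayed, so rotate the secret if a tag ever leaks.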
