(no subject)
simont


Mon 2004-03-01 10:51

Oh no. I have a horrible sinking feeling this morning.

There appears to be a new email virus getting started; I've received two copies of it this morning and have never had any like it before today.

We have previously seen many, many viruses which attach Windows executables to mails; these are easy to spot and reject at SMTP time, and the machine on which I receive my mail has been cheerfully doing so for about a year and a half, leaving me only the cruft of misaimed virus warning mails responding to things forged on my behalf. ixion's virus webpage recommended that if you really needed to send a Windows binary you could zip it to get it through the filters.

Some time last year, some virus author escalated the issue and started zipping their viruses. Arrgh. Seeing no alternative, I upgraded my virus scanner to look inside zip files too, and the wording of the advice on ixion's web page had to be changed. An uneasy peace prevailed for a while.

Today, I have received two viruses each quoting a five-digit password in the mail body. The attached zip file is encrypted with that password.

This horrifies me for two reasons.

Firstly, I had previously assumed that the vast success of email viruses was primarily due to Windows mailers either automatically opening and running executable attachments, or at the very least making it easy to do so with a single misaimed click. And I had assumed that the reason zipped viruses still worked was that Windows was trying its hardest to treat archive files as subdirectories, so that it didn't make much difference to the recipient. But this kind of virus is AI-complete; there's no reasonable way in which a mailer could automatically pick out the password, decrypt the zip file and offer the user its contents to click on. This virus genuinely works on (as one running joke had it) the honour system: you have to deliberately type in the password before you can get infected. And the idea that there are enough people out there who will go to those lengths to fall for a scam just depresses me.

Secondly, this is going to be a serious problem to my virus scanning strategy. Hitherto I've been employing measures that don't in general need to be updated when new viruses come along; as long as the new viruses work on basically the same model as the old ones (mailing a possibly-zipped executable as a MIME attachment), they have been automatically rejected without me ever needing to know or care that the details had changed. But in order to correctly identify this kind of virus, my scanner will need to pick the password out of the message body and then apply it to the zip file; and since it isn't an AI and can't understand English, the only way I can think of for it to do that is by having a specific knowledge of the precise format of the messages sent by this particular virus, which sets the dangerous precedent that perhaps I might have to turn into one of those people who devotes a perceptible fraction of their time to virus-fighting, responding individually to every new strain. Which I suppose I wouldn't mind too much, if email were my job or anything approaching my primary function; but really it isn't, and it annoys me that it's threatening to have to be.

Also it somehow feels deeply unfair, since I'm not even the target of these viruses; I read my mail on a Linux box, for goodness' sake, which wouldn't be able to run the wretched binaries even if my mailer did automatically extract them from their multiple layers of wrapping. Their only inconvenience to me is as a particularly high-volume form of spam, and one which has historically made up for this extreme volume by being extremely identifiable and easy to block. It somehow makes me feel particularly irked that all of this inconvenience is by way of fallout from a war between virus writers and Windows users, and I'm pretty much an innocent bystander caught in the crossfire…

Oh well. I've just gone for an hour-long meeting in the middle of writing this and I haven't seen any more of them in the meantime, so perhaps this one won't spread. I hope.

[identity profile] feanelwa.livejournal.com, Mon 2004-03-01 02:56
Yes; to my shame, one of the aforementioned people who will go to such lengths to infect their own computer is on my friends list and had a go at me for complaining that people who open this kind of thing should know better:
http://www.livejournal.com/~feanelwa/398145.html
Nooo. I am so ashamed.
[identity profile] valkyriekaren.livejournal.com, Mon 2004-03-01 03:33
There's a difference between being stupid and being ignorant, I suppose.
[identity profile] damerell.livejournal.com, Thu 2004-03-04 19:58
Wilful ignorance is equivalent to stupidity for practical purposes.
[identity profile] deliberateblank.livejournal.com, Mon 2004-03-01 03:11
AZPR can do several million password attempts against a zip file per second on oldish hardware. Assuming there's some way of scripting this, throwing every collection of non-whitespace characters in the message at the zipfile ought not to be too draining. You can even manage various alterations such as stripping characters off the beginning and end (to catch quoted passwords and passwords followed by punctuation). If the passwords are short (4-5 characters) then they can be brute forced in seconds.

Alternatively, why bother. There's probably enough information in the message body/headers to decide it's viral. Possibly just the fact that it's a password protected zip - would you ever expect to receive one of these normally?
[personal profile] simont, Mon 2004-03-01 03:20
Possibly just the fact that it's a password protected zip - would you ever expect to receive one of these normally?

Well, possibly I would, if someone had a genuine need to send me a Windows executable and couldn't get it through my mail filters any other way! I usually recommend that they put any large attachments on a website and send me the URL rather than the file, but there's always someone for whom that's terribly inconvenient...

I have a particularly nasty memory of the guy who mailed me a copy of PuTTY and said "I think this might be infected with a virus, can you shed any light?", and my automatic virus rejector bounced it straight back to him with "554 We won't let this mail in because we aren't confident it isn't a virus". The worst of it was, when I saw that one in the logs I went and extracted the binary and checked it carefully, and it turned out to be a perfectly pristine copy of 0.51; but the bounce he got probably didn't boost his confidence in it :-/

(Yeah, I know he didn't read our Feedback page and therefore it's His Own Fault, but even so I don't have to like that sort of result.)
[identity profile] crazyscot.livejournal.com, Mon 2004-03-01 03:26
We have had trouble in the past with a customer's firewall not allowing ordinary zipfiles through, but having no qualms over password-protected zips. They zipped the logfile, then super-zipped it with a password, which our support guys helpfully stripped out before passing it on to us. Makes one boggle...

This comment is infected with an honour-system virus. Please delete some files at random, reboot three times and pass it on to another post.
[personal profile] simont, Mon 2004-03-01 03:28
Yes, that's precisely the running joke I was thinking of :-)
[identity profile] mooism.livejournal.com, Mon 2004-03-01 04:22
New old sayings
Curiosity killed the Windows install.
[identity profile] senji.livejournal.com, Mon 2004-03-01 05:02
Have an 'opt in' system for sending zip files (like a magic string in the subject)?
[personal profile] lnr, Mon 2004-03-01 06:51
Fine until it's one of the viruses which reuses bits of old mails for sending itself. This one already occurred in engineering.
[identity profile] senji.livejournal.com, Mon 2004-03-01 06:53
You're still OK so long as the infected people haven't mailed you a zip file before, and the virus doesn't happen to pick that Subject: line; which is at least better odds.
[personal profile] lnr, Mon 2004-03-01 07:38
The thing is the better you do a job of protecting your users from virus-ridden mail the more likely they are to fall for it and get infected if it does somehow get through.
[identity profile] dennyd.livejournal.com, Mon 2004-03-01 10:08
Are you not using any bayesian filtering? I'm finding SpamAssassin remarkably effective for a very low maintenance solution, and it seems to take out spam, worms, and 419 emails with similar efficiency.
[personal profile] fanf, Mon 2004-03-01 13:38
Note that you can list a password-protected zip file without knowing the password, which will allow you to ban zip files containing executables.

I'm worried about the attachments+stupidity arms race. Might have to ban executables altogether, or just put in a forced delay of a day so that there's time for the AV software to catch up :-)
[personal profile] simont, Wed 2004-03-03 03:13
Note that you can list a password-protected zip file without knowing the password, which will allow you to ban zip files containing executables.

James and I think this is the best solution anyone has suggested, so we're now doing that and it seems to be working so far. Thanks :-)
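The two filtering ideas from this thread, worked through as an added example; this is not code from the original post, from simont's mail setup, or from any commenter. It shows fanf's point that a password-protected zip's directory can be listed without the password (the approach simont adopted above), and deliberateblank's idea of throwing every run of non-whitespace from the message body at the archive, with surrounding quotes and punctuation stripped. Python's zipfile module can read ZipCrypto (traditional PKWARE) archives but cannot write them, so the block carries its own minimal encryptor and a hand-assembled zip layout purely to build an offline fixture; the message body, the password 48213, the name details.exe and the list of executable suffixes are all constructed for the example.

```python
import io
import struct
import zipfile
import zlib

EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")  # constructed list


def _crc_step(crc, byte):
    # ZipCrypto's per-byte CRC update is zlib's table step without the usual
    # pre/post inversion, so undo zlib's inversion on the way in and out.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def zipcrypto_encrypt(plaintext, password, check_byte):
    """Traditional PKWARE ('ZipCrypto') encryption of one stored entry; written
    only to build the fixture, since zipfile reads this scheme but cannot write it."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(c):
        nonlocal k0, k1, k2
        k0 = _crc_step(k0, c)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc_step(k2, k1 >> 24)

    for c in password:
        update(c)
    out = bytearray()
    # 12-byte prefix: 11 salt bytes (random in a real archiver) and a check
    # byte, which lets a reader reject most wrong passwords immediately.
    for c in bytes(11) + bytes([check_byte]) + plaintext:
        k = k2 | 2
        out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(c)
    return bytes(out)


def build_encrypted_zip(name, data, password):
    """Hand-assembled single-entry zip: local header, entry, central directory, EOCD."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = zipcrypto_encrypt(data, password, (crc >> 24) & 0xFF)
    fname = name.encode("ascii")
    flags, method = 0x1, 0                 # bit 0 = encrypted; method 0 = stored
    dos_time, dos_date = 22112, 12385      # 10:51 on 2004-03-01, the post's date
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time,
                        dos_date, crc, len(body), len(data), len(fname), 0)
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    local_rec = local + fname + body
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local_rec), 0)
    return local_rec + central + eocd


def zip_verdict(blob):
    """fanf's approach: entry names and the 'encrypted' flag sit in the central
    directory in the clear, so an archive of executables can be refused without
    the password and without knowing anything specific to one virus."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        return "reject: not a readable zip archive"
    for info in entries:
        if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
            how = "encrypted" if info.flag_bits & 0x1 else "plain"
            return f"reject: contains {how} executable {info.filename}"
    return "accept"


def candidate_passwords(body):
    """deliberateblank's approach: every run of non-whitespace in the body, each
    also with surrounding quotes/punctuation stripped, so a quoted password or
    one followed by a full stop is still tried."""
    seen = set()
    for token in body.split():
        for cand in (token, token.strip("\"'`()[]{}<>.,;:!?")):
            if cand and cand not in seen:
                seen.add(cand)
                yield cand


def recover_password(blob, body):
    """Try each candidate on every entry. A wrong password fails the check byte
    or, one time in 256, the CRC of the decrypted data; both are caught."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for cand in candidate_passwords(body):
            try:
                for info in zf.infolist():
                    zf.read(info, pwd=cand.encode("utf-8"))
                return cand
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


# Constructed fixture: a body in the style the post describes, and an archive
# holding a fake executable locked with the quoted five-digit password.
SAMPLE_BODY = "Your account details are attached.\nThe archive password is \"48213\".\n"
SAMPLE_ZIP = build_encrypted_zip("details.exe", b"MZ" + bytes(62), b"48213")
```

`zip_verdict(SAMPLE_ZIP)` rejects the archive without any password, which is the property simont wanted to keep: nothing in it has to change when the next strain alters its wording. `recover_password(SAMPLE_ZIP, SAMPLE_BODY)` returns "48213", but it costs a decrypt attempt per token and only works while the password appears verbatim in the body, which is why the directory check is the one worth deploying.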