Virus alert!


Published Wed, Oct 28 2009 11:22 AM
Technorati Tags: Computers and Internet, Annoyances

“Weird Al” Yankovic has a fun song named “Virus Alert”. In the song he describes a particularly noxious computer virus that can do all sorts of terrible things both inside cyberspace and outside. This improbably powerful virus is described in one of those popular chain emails and has absolutely ridiculous capabilities. The email within the song warns you to “tell all your friends” and finishes with the words “hit send – right now!”.

Virus alert!
Delete immediately before someone gets hurt!
Forward this message on to everybody
Warn all your friends, send this to everybody
Tell everyone you know, tell everybody now
What are you waiting for?
Just hurry up and forward this to every single person that you know!
Hit send right now!

Weird Al is making fun of the people that send these emails out, always believing the worst things they read and feeling the need to warn us all, whether what they read is plausible or not. Those emails spread like a virus themselves. The only way to stop the pandemic spread is to toss them to the junk mail folder or delete them without forwarding them on. … but, how do you know when the threat of a virus is real or not?

I’ve been working with computers and the internet for nearly thirty years now. In that time I’ve had to deal with three viruses and trojan horses. It’s not fun when it happens, believe me. Both viruses and trojan horses can be blocked from accessing your computer, but you need to help to keep your machine safe. Anti-virus software isn’t enough.

This morning I received two suspicious emails. One purported to be from “Manager Stanley Davila [delivery@dhl-usa.com]” and the other from “The Facebook Team [service@facebook.com]”. Both of these emails carried an attachment. The attachment was a .ZIP file.

I’ve had dealings with DHL and with Facebook in the past, and neither of them has ever sent me attachments like this. UPS typically will send mailing labels as attachments to email, but they come in .PDF documents. DHL has never sent me a mailing label. Facebook was telling me that my account’s password had been changed and that the new password was contained in the attached document. That in itself was suspicious.

Normally, when an infected attachment comes with an email, McAfee’s anti-virus software flags it for me and leaves an attachment that contains a description of the virus. That didn’t happen this time. I saved both attachments to files on my computer. Then I ran a virus scan on each. McAfee still didn’t find anything. I opened the .ZIP files and found that they both contained executables. I stopped there and didn’t run the executables. Instead, I copied the executables and scanned them. McAfee still didn’t report a virus.
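A way to look inside a suspicious archive without running anything from it, as an added Python example (not code from the post): it reads only the ZIP directory, flags members with executable or double extensions, and treats a file that is not really a ZIP as suspicious in its own right. The sample archive and its member name are constructed.

```python
import io
import zipfile

# Extensions that Windows runs directly; an archive that delivers one of
# these in place of the promised "document" is the classic lure.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def inspect_zip_attachment(data: bytes) -> list:
    """Describe each archive member without extracting or running anything.

    Only the central directory is read; member contents stay in the archive.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "executable": ext in EXECUTABLE_EXTS,
                # "label.pdf.exe": a document-looking name hiding an executable
                "double_extension": lower.count(".") >= 2 and ext in EXECUTABLE_EXTS,
            })
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the bytes are not really a ZIP or any member is executable."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return True
    return any(f["executable"] for f in inspect_zip_attachment(data))


def build_sample_attachment() -> bytes:
    """Constructed sample modelled on the post's attachment: the promised
    password 'document' is actually an executable (harmless placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("new_password.pdf.exe", b"MZ placeholder, not a real program")
    return buf.getvalue()
```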

To tell you the truth, opening the .ZIP files like that was probably a dumb thing to do. I got lucky – I think. The files are really .ZIP files and nothing seems to have taken advantage of any flaws in the software I used to open them. But it could have, and if it did I’d probably be writing a very different article right now. I guess I’m not quite paranoid (Is it really paranoia if they really are out to get you?) enough yet. There’s a better way I could have handled this, using software that runs a “virtual computer” on my system.

Microsoft’s Virtual PC is free software. It allows you to create a simulation of a computer on your computer. There IS a version available for machines running Windows XP (that’s where the link goes) but Microsoft’s latest version is only available for Windows 7. Strangely enough, on the same page that contains a link to details about Virtual PC 2007, Microsoft says “No. Windows Virtual PC is an optional component of Windows 7 and is not available for Windows Vista or Windows XP-based PCs.” Trust me. I’m running it on my Windows XP-based PC right now. Windows 7 wasn’t even released in beta when I installed it.

Anyway, one of the features of Virtual PC 2007 is called “undo disks”. This is a special type of virtual hard drive that you can use with your virtual computers. When your virtual computer is running with undo disks, a shadow copy of the original configurations is stored. If you close your virtual session, everything you did to the virtual computer’s hard drive is discarded and your original configuration is restored, unless you choose to commit the changes to the hard drive. Naturally this requires more actual space than the virtual hard drive’s capacity, but then there isn’t any such thing as a “free lunch.”

So the right way to open an attachment that you aren’t sure about is to do it inside a virtual machine session on a virtual machine equipped with “undo disks.” That way, if the attachment is infected, you can discard the changes made to the virtual machine, discarding the virus. It’s sort of like using the Write-Protect tab on old floppy disks.

The only down side to this is that you have to have a license for the operating system you run on the virtual machine, as well as for the one you run on the host machine. Getting an FPP copy of Windows XP is probably a bit difficult right now. I fortunately have several extras lying about the house that I use for my virtual machines.

But, back to the email. Like I said, McAfee didn’t report any viruses, either in the .ZIP files, or in the executable files that they contain. That doesn’t mean too much. Malware authors are always looking for ways to get around anti-virus software, and if they don’t use a recognizable virus signature that doesn’t mean that the programs they create aren’t malware.

Alan Turing proved a long time ago that it’s not possible for a computer program to tell what another computer program will do, except by running that other computer program. This applies even to anti-virus software. It can’t tell what a particular program will do, it can only recognize viruses by their signature. The signature of a virus is a particular pattern of bits contained within the body of the virus. Anti-virus software scans to see if there are any recognized patterns of bits and if so flags the file being scanned. A virus that hasn’t been seen before will probably contain an unrecognizable signature, and so anti-virus software won’t flag it.

In other words, anti-virus software can recognize known viruses and warn you about them, but it can’t recognize viruses it hasn’t seen before. Just because a scan turns up negative doesn’t mean you’re safe! So, still not feeling too secure about running these attachments, I decided to do a little more investigation (after wiping the attachments from my hard drive).

Email is a wonderful thing. It’s cheaper (once you get past the cost of the hardware and connection to the Internet) than physical mail. But, there are people out there that like to pretend that they’re other people. I receive between 40 and 100 pieces of email a day. Some are due to having subscribed to one or another email lists, others are due to commercial relationships I have with various online enterprises, and others are from friends. The rest is spam. Anti-spam software works in a similar fashion to anti-virus software. It looks for recognizable patterns and flags some mail as spam. Even so, a lot of spam gets past it.

I have three layers of anti-spam software helping to keep the junk mail out of my inbox. My ISP filters out the most obvious spam, so I never even have to download it. McAfee has an anti-spam feature as well that flags a lot of spam and moves it to a spam folder in my email client (I use Microsoft’s Outlook out of habit and because I can get Microsoft’s software at an (ex) employee discounted rate). Finally, there’s anti-spam protection built into my email client as well. I check at my ISP occasionally and find that they flag about 20% of my incoming email as being SPAM. I have yet to see a legitimate non-spam message filtered out by them, but it could happen, so I check from time to time. McAfee’s anti-spam feature almost never flags anything as spam – I don’t know why, but it’s essentially useless. Outlook moves about 40% of the rest of the email I receive into my junk email folder. Every couple of days I go through that and retrieve one or two messages that aren’t spam and delete the rest.

Even so, about 10% of the rest of the email I receive is never flagged as spam. I have exception lists set up so that I trust email from specific people – unless they include an attachment, and I trust email from myself (my web site sends me email from time to time when certain events take place). Most of the uncaught spam I get comes from people impersonating me. If I send you email from my primary email address, it will always be digitally signed. If it’s not, it’s not from me. I don’t usually send email from my secondary or tertiary email addresses, so if you’re not sure, send me email at my primary address and ask me to re-send the original mail. If the return email contains my digital signature, then I probably sent the first one as well. If it doesn’t, it’s NOT from me.

Occasionally spam manages to get around all of these safeguards, such as the two messages today. Using Outlook, it’s relatively easy to do a little extra checking on your email. Simply select the message in the message list, right click on it, and select “Options…” from the context menu. A dialog will appear something like this…

[Screenshot: Outlook’s “Message Options” dialog, with the “Internet headers” box]

The important part of this dialog is the scrollable box labeled “Internet headers”. One of the first things I looked at was the “Return-Path” header. This tells the email client where to send replies. You’ll notice that it’s different than the address of the sender. “educationq5@verymove.com” is not the same as “service@facebook.com.” That’s a very good clue that this email is probably NOT from Facebook’s customer service. That’s reason enough right there for me not to trust it any further. We can check further though, to see where it might have come from in the first place. Often spammers will put a fake return address as well as a fake sending address, so you can’t just stop there.

The “Received” headers give you nearly the complete path that the email took to get to your machine. You can see here that my ISP’s mail server was mail5a.brinkster.com, and that it got the message from mta2.brinkster.com. What you can’t see are the other “Received” headers. To do that you have to scroll down in the box. Brinkster received this email from a machine known as “datacenter-30-159-92-77.sadecehosting.net”, and that machine received it from “mxs1.saleandpartners.com”. Facebook was never in the chain of senders. This mail is obviously fraudulent.

One final clue. There are “X-” headers included in the message. These headers are usually added by the email software that sends the mail in the first place. Spammers know how to fake headers, and this email includes some faked “X-” headers as well, purporting to have done an anti-spam check and similar things. But the original email client also included its own “X-” headers. The original email client was “Microsoft Outlook Express 6.00.2900.2180”. So the sender was probably running Windows XP, and using an older version of Outlook Express, associated with Internet Explorer version 6.
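The three header checks described above (Return-Path against From, the Received relay chain, and the X-Mailer line), as an added Python example that is not part of the original post. The raw message is constructed from the hostnames and addresses the post quotes; the timestamps and the extra “X-Spam-Check” header are made up to stand in for the faked anti-spam headers the post mentions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the post's headers; Received lines are stacked
# newest-first, so the sending side is the last one.
RAW_MESSAGE = b"""\
Return-Path: <educationq5@verymove.com>
Received: from mta2.brinkster.com by mail5a.brinkster.com; Wed, 28 Oct 2009 08:01:02 -0700
Received: from datacenter-30-159-92-77.sadecehosting.net by mta2.brinkster.com; Wed, 28 Oct 2009 08:01:01 -0700
Received: from mxs1.saleandpartners.com by datacenter-30-159-92-77.sadecehosting.net; Wed, 28 Oct 2009 08:01:00 -0700
From: The Facebook Team <service@facebook.com>
Subject: Your password has been changed
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-Spam-Check: passed (constructed fake header of the kind spammers add)

The new password is in the attached document.
"""

RECEIVED_FROM = re.compile(r"\bfrom\s+([\w.-]+)", re.IGNORECASE)

def received_chain(msg) -> list:
    """Relay hostnames from the Received headers, oldest hop (the sender) first."""
    hops = [m.group(1).lower() for h in msg.get_all("Received", [])
            if (m := RECEIVED_FROM.search(h))]
    return hops[::-1]

def analyse(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    chain = received_chain(msg)
    return {
        "from": from_addr,
        "return_path": return_path,
        # Return-Path is the envelope sender; a different domain is the first clue
        "return_path_mismatch": return_path.rsplit("@", 1)[-1] != from_domain,
        "chain": chain,
        # did any relay actually belong to the domain the From header claims?
        "sender_domain_in_chain": any(h == from_domain or h.endswith("." + from_domain)
                                      for h in chain),
        "mailer": msg.get("X-Mailer"),
    }

def looks_forged(raw: bytes) -> bool:
    """Forged when the envelope sender disagrees with From and the claimed
    sender's domain never appears in the relay chain (those can be faked too)."""
    r = analyse(raw)
    return r["return_path_mismatch"] and not r["sender_domain_in_chain"]
```

Received headers are only trustworthy from the point where your own provider's servers added them; everything below that was written by whoever handed the message over.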

Most people have no idea that they can examine the Internet headers associated with email to determine whether it can be trusted or not. Since some spammers are pretty good at even faking those, using custom software to do the email sending, you can’t even be certain that the Internet headers tell the whole story. You can’t be certain that email you receive is actually from the people it purports to be from. Anti-virus software doesn’t do much good at detecting viruses it hasn’t seen before. There are people out there spreading malware, whether because they’re the type of people that just want to see the world burn, or because they want to steal from you. No matter how hard you try to protect yourself, there’s someone out there trying just as hard to slip past your defenses.

This is NOT paranoia. Read the news. Examine your own email. But most importantly…


NEVER TRUST EMAIL ATTACHMENTS

They are trying to get you!

"Just hurry up and forward this to every single person that you know! Hit send right now!"

