Virus alert!
Published Wed, Oct 28 2009 11:22 AM
Technorati Tags: Computers and Internet, Annoyances
“Weird Al” Yankovic has a fun song named “Virus Alert”. In the song he describes a particularly noxious computer virus that can do all sorts of terrible things both inside cyberspace and outside. This improbably powerful virus is described in one of those popular chain emails and has absolutely ridiculous capabilities. The email within the song warns you to “tell all your friends” and finishes with the words “hit send – right now!”.
Virus alert!
Delete immediately before someone gets hurt!
Forward this message on to everybody
Warn all your friends, send this to everybody
Tell everyone you know, tell everybody now
What are you waiting for?
Just hurry up and forward this to every single person that you know!
Hit send right now!
Weird Al is making fun of the people who send these emails out, always believing the worst things they read and feeling the need to warn us all, whether what they read is plausible or not. Those emails spread like a virus themselves. The only way to stop the pandemic spread is to toss them into the junk mail folder or delete them without forwarding them on. But how do you know whether the threat of a virus is real or not?
I’ve been working with computers and the internet for nearly thirty years now. In that time I’ve had to deal with three viruses and trojan horses. It’s not fun when it happens, believe me. Both viruses and trojan horses can be blocked from accessing your computer, but you need to help to keep your machine safe. Anti-virus software isn’t enough.
This morning I received two suspicious emails. One purported to be from “Manager Stanley Davila [delivery@dhl-usa.com]” and the other from “The Facebook Team [service@facebook.com]”. Both of these emails carried an attachment. The attachment was a .ZIP file.
I’ve had dealings with DHL and with Facebook in the past, and neither of them has ever sent me attachments like this. UPS typically will send mailing labels as attachments to email, but they come in .PDF documents. DHL has never sent me a mailing label. Facebook was telling me that my account’s password had been changed and that the new password was contained in the attached document. That in itself was suspicious.
Normally, when an infected attachment comes with an email, McAfee’s anti-virus software flags it for me and leaves an attachment that contains a description of the virus. That didn’t happen this time. I saved both attachments to files on my computer. Then I ran a virus scan on each. McAfee still didn’t find anything. I opened the .ZIP files and found that they both contained executables. I stopped there and didn’t run the executables. Instead, I copied the executables and scanned them. McAfee still didn’t report a virus.
To tell you the truth, opening the .ZIP files like that was probably a dumb thing to do. I got lucky – I think. The files are really .ZIP files and nothing seems to have taken advantage of any flaws in the software I used to open them. But it could have, and if it did I’d probably be writing a very different article right now. I guess I’m not quite paranoid (Is it really paranoia if they really are out to get you?) enough yet. There’s a better way I could have handled this, using software that runs a “virtual computer” on my system.
Microsoft’s Virtual PC is free software. It allows you to create a simulation of a computer on your computer. There IS a version available for machines running Windows XP (that’s where the link goes) but Microsoft’s latest version is only available for Windows 7. Strangely enough, on the same page that contains a link to details about Virtual PC 2007, Microsoft says “No. Windows Virtual PC is an optional component of Windows 7 and is not available for Windows Vista or Windows XP-based PCs.” Trust me. I’m running it on my Windows XP-based PC right now. Windows 7 wasn’t even released in beta when I installed it.
Anyway, one of the features of Virtual PC 2007 is called “undo disks”. This is a special type of virtual hard drive that you can use with your virtual computers. When your virtual computer is running with undo disks, a shadow copy of the original configurations is stored. If you close your virtual session, everything you did to the virtual computer’s hard drive is discarded and your original configuration is restored, unless you choose to commit the changes to the hard drive. Naturally this requires more actual space than the virtual hard drive’s capacity, but then there isn’t any such thing as a “free lunch.”
So the right way to open an attachment that you aren’t sure about is to do it inside a virtual machine session on a virtual machine equipped with “undo disks.” That way, if the attachment is infected, you can discard the changes made to the virtual machine, discarding the virus. It’s sort of like using the Write-Protect tab on old floppy disks.
The only downside to this is that you have to have a license for the operating system you run on the virtual machine, as well as for the one you run on the host machine. Getting an FPP copy of Windows XP is probably a bit difficult right now. I fortunately have several extras lying about the house that I use for my virtual machines.
But, back to the email. Like I said, McAfee didn’t report any viruses, either in the .ZIP files or in the executable files that they contain. That doesn’t mean too much. Malware authors are always looking for ways to get around anti-virus software, and the fact that a program doesn’t carry a recognizable virus signature doesn’t mean it isn’t malware.
Alan Turing proved a long time ago that, in general, it’s not possible for a computer program to tell what another computer program will do, except by running that other program. This applies even to anti-virus software. It can’t tell what a particular program will do; it can only recognize viruses by their signatures. The signature of a virus is a particular pattern of bits contained within the body of the virus. Anti-virus software scans to see if there are any recognized patterns of bits and, if so, flags the file being scanned. A virus that hasn’t been seen before will probably not match any known signature, and so anti-virus software won’t flag it.
In other words, anti-virus software can recognize known viruses and warn you about them, but it can’t recognize viruses it hasn’t seen before. Just because a scan comes back clean doesn’t mean you’re safe! So, still not feeling too secure about running these attachments, I decided to do a little more investigation (after wiping the attachments from my hard drive).
Email is a wonderful thing. It’s cheaper (once you get past the cost of the hardware and connection to the Internet) than physical mail. But, there are people out there that like to pretend that they’re other people. I receive between 40 and 100 pieces of email a day. Some are due to having subscribed to one or another email lists, others are due to commercial relationships I have with various online enterprises, and others are from friends. The rest is spam. Anti-spam software works in a similar fashion to anti-virus software. It looks for recognizable patterns and flags some mail as spam. Even so, a lot of spam gets past it.
I have three layers of anti-spam software helping to keep the junk mail out of my inbox. My ISP filters out the most obvious spam, so I never even have to download it. McAfee has an anti-spam feature as well that flags a lot of spam and moves it to a spam folder in my email client (I use Microsoft’s Outlook out of habit and because I can get Microsoft’s software at an (ex) employee discounted rate). Finally, there’s anti-spam protection built into my email client as well. I check at my ISP occasionally and find that they flag about 20% of my incoming email as being SPAM. I have yet to see a legitimate non-spam message filtered out by them, but it could happen, so I check from time to time. McAfee’s anti-spam feature almost never flags anything as spam – I don’t know why, but it’s essentially useless. Outlook moves about 40% of the rest of the email I receive into my junk email folder. Every couple of days I go through that and retrieve one or two messages that aren’t spam and delete the rest.
Even so, about 10% of the rest of the email I receive is never flagged as spam. I have exception lists set up so that I trust email from specific people – unless they include an attachment, and I trust email from myself (my web site sends me email from time to time when certain events take place). Most of the uncaught spam I get comes from people impersonating me. If I send you email from my primary email address, it will always be digitally signed. If it’s not, it’s not from me. I don’t usually send email from my secondary or tertiary email addresses, so if you’re not sure, send me email at my primary address and ask me to re-send the original mail. If the return email contains my digital signature, then I probably sent the first one as well. If it doesn’t, it’s NOT from me.
Occasionally spam manages to get around all of these safeguards, such as the two messages today. Using Outlook, it’s relatively easy to do a little extra checking on your email. Simply select the message in the message list, right click on it, and select “Options…” from the context menu. A dialog will appear something like this…
The important part of this dialog is the scrollable box labeled “Internet headers”. One of the first things I looked at was the “Return-Path” header. This tells the email client where to send replies. You’ll notice that it’s different from the address of the sender. “educationq5@verymove.com” is not the same as “service@facebook.com.” That’s a really good clue that this email is probably NOT from Facebook's customer service. That’s reason enough right there for me not to trust it any further. We can check further though, to see where it might have come from in the first place. Often spammers will put a fake return address as well as a fake sending address, so you can’t just stop there.
The “Received” headers give you nearly the complete path that the email took to get to your machine. You can see here that my ISP’s mail server was mail5a.brinkster.com, and that it got the message from mta2.brinkster.com. What you can’t see are the other “Received” headers. To see those you have to scroll down in the box. Brinkster received this email from a machine known as “datacenter-30-159-92-77.sadecehosting.net”, and that machine received it from “mxs1.saleandpartners.com”. Facebook was never in the chain of senders. This mail is obviously fraudulent.
One final clue. There are “X-” headers included in the message. These headers are usually added by the email software that sends the mail in the first place. Spammers know how to fake headers, and this email includes some faked “X-” headers as well, purporting to have done an anti-spam check and similar things. But the original email client also included its own “X-” headers. The original email client was “Microsoft Outlook Express 6.00.2900.2180”. So the sender was probably running Windows XP, and using an older version of Outlook Express, associated with Internet Explorer version 6.
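The header checks walked through above, as an added example that is not code from the original post: a small Python script (standard library only) that parses a message and reports the Return-Path/From mismatch, the Received chain in transmission order, whether the claimed sender's domain ever appears in that chain, and the X-Mailer value. The raw message below is constructed for the example, modelled on the header values the post quotes; the real message's headers are not reproduced on the page.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample message (not the original headers), using the hostnames
# and addresses quoted in the post. Received headers are listed newest first,
# because each relay prepends its own line as the message passes through.
SAMPLE = """\
Return-Path: <educationq5@verymove.com>
Received: from mta2.brinkster.com by mail5a.brinkster.com; Wed, 28 Oct 2009 08:01:00 -0700
Received: from datacenter-30-159-92-77.sadecehosting.net by mta2.brinkster.com; Wed, 28 Oct 2009 08:00:58 -0700
Received: from mxs1.saleandpartners.com by datacenter-30-159-92-77.sadecehosting.net; Wed, 28 Oct 2009 07:59:00 -0700
From: The Facebook Team <service@facebook.com>
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
Subject: Your password has been changed

Your new password is in the attachment.
"""

# "from <sending host> ... by <receiving host>" is the common shape of a Received line.
_FROM_BY = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def received_chain(msg):
    """Return (sending_host, receiving_host) hops, oldest hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = _FROM_BY.search(hdr)
        if m:
            hops.append((m.group(1).rstrip(";"), m.group(2).rstrip(";")))
    hops.reverse()  # header order is newest first; reverse to transmission order
    return hops


def analyze(raw):
    """Summarise the checks the post describes for one raw RFC 822 message."""
    msg = message_from_string(raw)
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.split("@")[-1]
    hops = received_chain(msg)
    return {
        "return_path_mismatch": return_path != sender,
        "sender_domain_in_chain": any(h.endswith(domain) for hop in hops for h in hop),
        "first_hop": hops[0] if hops else None,
        "mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Only the Received lines added by your own provider's servers (here the brinkster.com ones) can be taken at face value; anything below them was written by machines the spammer may control and can be forged just like the From line.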
Most people have no idea that they can examine the Internet headers associated with email to determine whether it can be trusted or not. Since some spammers are pretty good at even faking those, using custom software to do the email sending, you can’t even be certain that the Internet headers tell the whole story. You can’t be certain that email you receive is actually from the people it purports to be from. Anti-virus software doesn’t do much good at detecting viruses it hasn’t seen before. There are people out there spreading malware, whether because they’re the type of people that just want to see the world burn, or because they want to steal from you. No matter how hard you try to protect yourself, there’s someone out there trying just as hard to slip past your defenses.
This is NOT paranoia. Read the news. Examine your own email. But most importantly…
NEVER
TRUST
EMAIL
ATTACHMENTS
They are trying to get you!
"Just hurry up and forward this to every single person that you know! Hit send right now!"
Permalink URI for this post: http://perrinelson.com/2009/10/28/1384.aspx
Perri Nelson responded with: Images and addresses
Yes, I know that the image included in this article also happens to include my primary email address. Yes, I know that that puts my email address at risk from spammers. Somehow they've already managed to get it, so there's not much point in hiding it anymore. They probably first obtained it due to the way people forward email to one another. The way the Internet works, nothing is really secure, unless it's encrypted in transmission. Packet sniffers can intercept data en route and scan it. People with infected computers can have their email scanned for addresses. There are dozens of ways for personal information to be gleaned from traffic on the Internet. So, if you're forwarding one of those humorous pieces of email around, like my friends do, and like I do sometimes myself, why not do us all a favor and edit it before sending it? Use the "BCC" option to specify your recipients. That way you don't spam everybody with your contacts list, giving away the email addresses of your "soon to no longer be" friends. While you're at it, those lists of recipients that are often included in the email when you get it? Edit them out before sending it on. Sure, it's a little extra work, but your friends, and those poor unfortunate friends of your friends, will appreciate it in the long run. Or will they?
Angel responded with:
Those virus alerts aren't taken too seriously I suppose, but wow, thanks for the info in this post Perri!! :)
David responded with:
You already know I'm a fan of testing things out in VMs. Some users just won't go there, though. An intermediate option is "sandboxing" apps that use the internet, so any changes made to the computer disappear when the app is closed. Files downloaded--pft. Drivebys--ditto. It's not as good as testing things in a VM, and it's easier to get infested using a sandbox than a VM, but it is a layer of protection ordinary users might be able to make fit their comfort zones.
Sandboxie is probably the easiest for an average user to swallow. http://www.sandboxie.com/
Still, like you, I prefer VMs for testing things out.
BTW, one of Jerry Pournelle's longstanding rules is
NEVER open email attachments
NEVER open email attachments
NEVER open email attachments
("What I say three times is true")
:-)
I'm a wee tad more lenient about attachments. If someone tells me in advance OR I request an attachment, AND I can verify that the attachment IS what I expected AND from the person I expected AND it then scans as clean in two or more anti-malware products as well, I'm more comfortable. Then, testing it in a VM is at least worth my time. *heh*