
Archive for the ‘Viruses’ Category

Interesting Combination

Tuesday, June 22nd, 2004 Posted in Politics, Spam, Viruses | No Comments »

This morning I received both a bogus “Out of Office” reply from someone at Halliburton (presumably from a virus that spoofed my address as the sender) and a new 419 scam variant, this one claiming to be someone in Iraq. (I still think of them as Nigerian scams, but they’ve gone seriously international over the past year or so.) Subject line: “EVERY IMPORTANT” (really!)

Something to consider on those vacation messages: I was just sent some random Halliburton employee’s cell phone number. Not that I have any use for it, but would you hand out your cell number to any random person on the Internet? I know I wouldn’t!

Doorway to Mac Viruses?

Friday, April 9th, 2004 Posted in Apple, Viruses | 3 Comments »

Apparently a security firm has discovered a way to trick Mac OS X into running a trojan horse. The technique involves creating a data file, but embedding a Carbon program in it. (Carbon is a programming interface aimed at making it easy to convert older Mac applications to run on Mac OS X without switching into Classic mode.)

According to Intego, the Finder sees only the file type data and displays a spoofed icon identifying the file as (in their example) an MP3, but double-clicking on the file causes the OS to notice the program code and run it. Their proof-of-concept code runs itself, then opens the file in iTunes in order to avoid looking suspicious.

This is very similar to a (fixed, but still present in a zillion unpatched systems) bug in Internet Explorer for Windows that was exploited by many mass-mailing viruses. In that case, IE would decide whether a file was safe by checking the MIME type sent by the server, then use the file extension to decide how to load the file. Viruses would generate messages embedding supposed MIDI files that Outlook would try to play, but instead of handing it to a MIDI player, it would ask the OS to open the file. Without the MIME info, Windows would see it was a program file and run the virus.

If this is confirmed, it will probably not be a vector for e-mail viruses, because the standard mail and web apps for Mac OS X don’t automatically run things the way Outlook, Outlook Express and Internet Explorer do.

No, the real danger will be viruses that spread through peer-to-peer file sharing networks. Download a supposed MP3 off of Gnutella, open up your music folder, double-click on it, and you’re infected.
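The common thread in the Mac case and the IE case is a file whose declared type (icon, extension or MIME type) is trusted while its actual contents are never looked at. What follows is an added example, not code from the original post or from Intego, Apple or Microsoft, of the defender's counterpart: compare the declared type with the file's leading bytes before handing it to an application. The magic-number tables, file names and sample byte strings are constructed for the example. For the Mac case as described, the Finder saw only a data file, and the post does not say where Intego's sample hid the program code, so this check illustrates the general declared-versus-actual mismatch rather than that exact sample.

```python
"""Declared type vs. actual content, as a defender's check.

Added example, not code from the original post, Intego, Apple or Microsoft.
It compares what a file *claims* to be (the MIME type a server or mail
message supplied, or failing that the extension) with what its leading
bytes say it is. All sample files below are constructed byte strings.
"""
import os
from typing import Optional, Tuple

# Leading bytes that identify executables on the platforms the post mentions.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O executable",    # big-endian byte order
    b"\xce\xfa\xed\xfe": "Mach-O executable",    # little-endian byte order
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
}

# Leading bytes of the media types the post's examples impersonate.
DATA_MAGIC = {
    b"ID3": "audio/mpeg",        # MP3 with an ID3v2 tag
    b"\xff\xfb": "audio/mpeg",   # bare MPEG audio frame sync
    b"MThd": "audio/midi",
    b"RIFF": "audio/wav",
}

# The type each extension implies when no MIME type is available.
EXTENSION_TYPES = {".mp3": "audio/mpeg", ".mid": "audio/midi",
                   ".midi": "audio/midi", ".wav": "audio/wav"}


def sniff(data: bytes) -> Optional[str]:
    """Type implied by the leading bytes, or None if unrecognised."""
    for table in (EXECUTABLE_MAGIC, DATA_MAGIC):
        for magic, kind in table.items():
            if data.startswith(magic):
                return kind
    return None


def declared_type(filename: str, mime_type: Optional[str]) -> Optional[str]:
    """What the sender claims: the MIME type if given, else the extension.

    This is the value the post describes IE acting on; the bug was acting
    on it alone."""
    if mime_type:
        return mime_type.split(";")[0].strip().lower()
    return EXTENSION_TYPES.get(os.path.splitext(filename.lower())[1])


def check_attachment(filename: str, mime_type: Optional[str],
                     data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'review' or 'reject'."""
    claimed = declared_type(filename, mime_type)
    actual = sniff(data)
    if actual in EXECUTABLE_MAGIC.values():
        # A "media file" whose bytes are a program: the IE/Outlook case.
        return "reject", f"{filename}: declared {claimed or 'unknown'}, content is {actual}"
    if claimed is None or actual is None:
        return "review", f"{filename}: cannot confirm type (declared {claimed}, sniffed {actual})"
    if claimed != actual:
        return "review", f"{filename}: declared {claimed} but content looks like {actual}"
    return "allow", f"{filename}: content matches declared type {claimed}"


if __name__ == "__main__":
    # Constructed samples: a real MP3, a real MIDI file, and two disguised programs.
    samples = [
        ("song.mp3", "audio/mpeg", b"ID3\x04\x00\x00\x00\x00\x10\x00"),
        ("tune.mid", "audio/midi", b"MThd\x00\x00\x00\x06\x00\x01"),
        ("tune.mid", "audio/midi", b"MZ\x90\x00\x03\x00\x00\x00"),    # PE behind a MIDI label
        ("song.mp3", None, b"\xfe\xed\xfa\xce\x00\x00\x00\x12"),      # Mach-O behind an MP3 name
    ]
    for name, mime, blob in samples:
        print(check_attachment(name, mime, blob))
```

The decisive rule is the first one in check_attachment: if the bytes are a program, no declared type can rescue the file. The softer "review" verdicts cover the cases where the sniffer does not recognise the content, which is exactly where a type-by-metadata loader is weakest.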

Apple has said they “are aware of the potential issue… and are working proactively to investigate it.”

(Why is this news? Because it’s Apple, and because it’s so similar to a popular virus vector in Windows. Exploitable vulnerabilities are found so often in Windows I hardly blink.)

Updated slightly based on some real analysis (see comments).

One Degree

Thursday, November 13th, 2003 Posted in Viruses | No Comments »

Anyone whose email address is posted on a web site probably doesn’t bother to identify who sent them viruses anymore. With faked return addresses and the high probability that your only connection to the sender is the fact that they visited your web page sometime in the last month, there really isn’t much point.

Every once in a while, you’ll see something weird.

Today I received what looked like a classic credit-card theft scam: a notice supposedly from PayPal claiming that my account would be canceled unless I re-entered all my credit card information into the linked web page. Right. Normally I just report it to PayPal and delete it, but this one had an attachment instead of a link, and that attachment had been defanged. With a name like www.paypal.com.scr, it was pretty obviously a virus.

Viral degrees of separation

Tuesday, September 9th, 2003 Posted in Viruses | 1 Comment »

With the new crop of email viruses - the ones that fake the return address based on the same sources (address books, web caches, etc.) as the target list - you get a few interesting effects.

The first is that there is a good chance you’ll receive many copies of the virus from the same source, with different return addresses. I saw this a lot in the recent Sobig outbreak: when our mail server deletes a virus, it logs the sending and receiving addresses and the IP of the connecting server. Some IP addresses would send hundreds of copies of the virus, all to the same recipient, all with different return addresses. So it would look like hundreds of people are sending you the same virus, but in reality, it’s just one infected machine.
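As an added example, not the post's own log format or code, here is the tally the paragraph above describes, run over constructed log lines of the shape it mentions (sending address, receiving address, IP of the connecting server). Grouping by the connecting IP rather than the return address separates the many forged senders from the one machine behind them.

```python
"""Real vs. apparent sources of a virus in mail-server rejection logs.

Added example, not the post's own logging or code. It assumes one log
line per rejected copy carrying the connecting server's IP (relay=), the
forged sender (from=) and the recipient (to=). The log lines below are
constructed; the addresses are documentation/TEST-NET values.
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
2003-08-20 09:14:02 rejected virus=Sobig.F relay=203.0.113.7 from=<alice@example.org> to=<me@example.net>
2003-08-20 09:14:09 rejected virus=Sobig.F relay=203.0.113.7 from=<bob@example.com> to=<me@example.net>
2003-08-20 09:14:31 rejected virus=Sobig.F relay=203.0.113.7 from=<carol@example.edu> to=<me@example.net>
2003-08-20 09:15:04 rejected virus=Sobig.F relay=203.0.113.7 from=<dave@example.org> to=<me@example.net>
2003-08-20 09:20:44 rejected virus=Sobig.F relay=198.51.100.23 from=<erin@example.com> to=<me@example.net>
2003-08-20 09:41:12 rejected virus=Sobig.F relay=198.51.100.23 from=<erin@example.com> to=<me@example.net>
"""

LINE_RE = re.compile(
    r"relay=(?P<relay>\S+)\s+from=<(?P<sender>[^>]*)>\s+to=<(?P<rcpt>[^>]*)>")


def parse_log(text: str) -> List[dict]:
    """One dict per rejected copy; lines not in the expected format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def by_relay(entries: List[dict]) -> Dict[str, dict]:
    """Group copies by the IP that actually connected to us."""
    groups = defaultdict(lambda: {"copies": 0, "senders": set(), "recipients": set()})
    for e in entries:
        g = groups[e["relay"]]
        g["copies"] += 1
        g["senders"].add(e["sender"].lower())
        g["recipients"].add(e["rcpt"].lower())
    return dict(groups)


def apparent_sources(entries: List[dict]) -> int:
    """How many different people it *looks* like sent the virus (forged From)."""
    return len({e["sender"].lower() for e in entries})


def real_sources(entries: List[dict]) -> int:
    """How many machines actually delivered it."""
    return len({e["relay"] for e in entries})


def single_machine_bursts(groups: Dict[str, dict], min_copies: int = 3) -> List[str]:
    """Relays that sent several copies under several different forged senders:
    one infected machine posing as many people."""
    return sorted(ip for ip, g in groups.items()
                  if g["copies"] >= min_copies and len(g["senders"]) >= min_copies)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    groups = by_relay(entries)
    print(f"apparent senders: {apparent_sources(entries)}, real machines: {real_sources(entries)}")
    for ip in single_machine_bursts(groups):
        g = groups[ip]
        print(f"{ip}: {g['copies']} copies under {len(g['senders'])} forged senders "
              f"to {len(g['recipients'])} recipient(s)")
```

With the constructed log, the return addresses suggest five different senders while only two machines ever connected, and the first of them is the "hundreds of copies, all with different return addresses" pattern the post describes, scaled down. Blocking or reporting by connecting IP acts on the real source; anything keyed on the From address acts on a victim.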

The other is the “friend of a friend” effect. You may get the virus from someone who knows you (or has just visited your web page), but it looks like it came from someone who knows them (or someone else whose web page they visited). Two degrees of separation.

Harry Potter computer viruses

Monday, August 25th, 2003 Posted in Harry Potter, Humor, Viruses | 11 Comments »

Inspired by finding a list of Babylon 5 viruses earlier this week.

Harry Potter virus: Looks like the last file of a virus you just wiped out, until you try to erase it–then it wipes your drive.

Voldemort virus: You can’t get rid of it, only make it dormant. It can be reactivated by the Wormtail virus up to thirteen years later.

Dumbledore virus: Scares off all the other viruses but never seems to actually *do* anything.

Hermione virus: Fills up all available drive space with files of useless information.

Ron virus: Contains code, some of it buggy, from the author’s five previous viruses.


Sobig PITA

Wednesday, August 20th, 2003 Posted in Annoyances, Viruses | 2 Comments »

The world of email viruses has changed. In the old days, they would piggyback on the messages you sent, or make your regular mail program send them out while you weren’t looking. These days they send the messages themselves, so they pick a fake return address from the same source as its list of victims: address books, web caches, and so on.

The return address on a virus like Sobig doesn’t mean crap.

So why the heck are all these idiotic virus scanners sending me messages saying “You sent us a virus!” when a cursory glance at the headers clearly shows that it originated on the other side of the planet?

I’ve already got the server filtering out the virus itself - I’m seriously thinking about filtering out the useless warnings.
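The "cursory glance at the headers" the post mentions can be automated. The added example below is not the post's own code: it parses a constructed message, takes the connecting IP from the Received: line that our own mail server wrote at the boundary with the outside world, and compares it with the addresses the From: domain is known to send from. The host names, the relay table and the message itself are constructed. A virus scanner that did this before replying would see that the return address has nothing to do with where the message came from.

```python
"""Where did a virus message really come from? Reading the Received: chain.

Added example, not the post's own code. The only Received: lines that can
be believed are the ones written by hosts we operate; the line our edge
server wrote when the outside machine connected gives the real origin, and
everything beneath it was supplied by the sender and may be forged.
The message, the trusted host names and the relay table are constructed.
"""
import email
import re
from email.utils import parseaddr
from typing import Dict, Optional, Set

# Hosts we operate (constructed); only Received: lines they wrote are trusted.
TRUSTED_HOSTS = {"mx.example.net", "mail.example.net"}

# Constructed: addresses example.org is known to send mail from.
KNOWN_RELAYS: Dict[str, Set[str]] = {"example.org": {"198.51.100.5", "198.51.100.6"}}

# Constructed message: From: claims example.org, but our edge server (mx.example.net)
# recorded the connection as coming from an unrelated home machine.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id h7KN2xYz; Wed, 20 Aug 2003 16:02:59 -0700
Received: from home-pc (unknown [203.0.113.7])
\tby mx.example.net with SMTP id h7KN2wAb; Wed, 20 Aug 2003 16:02:44 -0700
From: alice@example.org
To: me@example.net
Subject: Thank you!
Content-Type: text/plain

Please see the attached file for details.
"""

# Same message, but genuinely handed over by example.org's relay.
LEGIT_MESSAGE = SAMPLE_MESSAGE.replace(
    "home-pc (unknown [203.0.113.7])", "smtp.example.org (smtp.example.org [198.51.100.5])")

# Same as SAMPLE_MESSAGE plus a forged Received: line the sender added below ours,
# claiming our own server took the mail from example.org's relay.
FORGED_MESSAGE = SAMPLE_MESSAGE.replace(
    "From: alice",
    "Received: from smtp.example.org (smtp.example.org [198.51.100.5])\n"
    "\tby mx.example.net with ESMTP; Wed, 20 Aug 2003 16:02:30 -0700\nFrom: alice", 1)

# Assumes the common "from <host> (<name> [<ip>]) by <host>" layout.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>[\w.-]+)",
    re.S)


def origin_ip(raw: str) -> Optional[str]:
    """IP of the outside machine that connected to one of our hosts.

    Received: lines are prepended, so walking top to bottom moves backwards in
    time. Stay inside our own hops ("by" and "from" both ours) and stop at the
    first hop our host accepted from a machine that is not ours."""
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m or m.group("by").lower() not in TRUSTED_HOSTS:
            return None                      # chain does not start with our own hop
        if m.group("from").lower() not in TRUSTED_HOSTS:
            return m.group("ip")             # our host took this from the outside
    return None


def from_domain(raw: str) -> str:
    """Domain of the (possibly forged) From: address."""
    addr = parseaddr(email.message_from_string(raw).get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def return_address_is_credible(raw: str,
                               relays: Dict[str, Set[str]] = KNOWN_RELAYS) -> bool:
    """True only if the connecting IP is one the From: domain actually uses."""
    return origin_ip(raw) in relays.get(from_domain(raw), set())


if __name__ == "__main__":
    for label, msg in (("spoofed", SAMPLE_MESSAGE), ("legitimate", LEGIT_MESSAGE),
                       ("spoofed+forged header", FORGED_MESSAGE)):
        print(f"{label}: From={from_domain(msg)} origin={origin_ip(msg)} "
              f"credible={return_address_is_credible(msg)}")
```

The forged-header case is why origin_ip stops at the boundary instead of scanning every line that names one of our hosts: a sender can write "by mx.example.net" into a Received: line of its own, but it cannot insert that line above the ones our servers add afterwards. The same credibility test is a reasonable gate for the "You sent us a virus!" notices the post complains about: if the return address is not credible, there is nobody worth notifying at it.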

Who’s really responsible for spreading viruses?

Tuesday, June 3rd, 2003 Posted in Annoyances, Viruses | No Comments »

My dad forwarded me an opinion piece from the eWeek newsletter called Idiocy Imperils the Web. Jim Rapoza argues that - especially by now - people should really have figured out not to click on unknown attachments. My favorite quote: “Most people figure out that if they keep grabbing the electric fence, they’ll get a shock every time.”

I’ve thought along these lines for several years now. Once the first two waves of high-profile email viruses hit, it was time for people to wise up. Instead we have a variation on the classic joke:

Three guys walk into a bar. You’d think the third one would have ducked.

Except it’s more like “Ten guys walk into a bar. You’d think the third, fourth, fifth…”

Although I’m also reminded of a quote from Jakob Nielsen’s “Alertbox” usability column from April 1996:

The fact that the Internet doubles every year implies that at any time half of the users will have been on the net for less than a year. In other words, we are doomed to have 50 percent novice users for the foreseeable future.

This has, of course, slowed down since 1996 - recent statistics show Internet growth in the US has dropped to 5% - but it seems very unlikely that newbies can account for all - or even most - of the virus spreaders.

Yes, the responsibility rests ultimately on the jerks who write these things - but they wouldn’t be able to get anywhere without the idiots who click on them.

Random Rent

Friday, October 25th, 2002 Posted in Music, Strange World, Viruses | No Comments »

Got someone’s virus-generated email today (though that’s far from unusual). The mail server strips out known viruses and obvious subterfuge, but this one still had a huge HTML file attached… containing, oddly enough, the complete lyrics to Rent. (Incidentally, some idiot decided to make the entire official website appear in a popup. If you have popups disabled, all you see is a message telling you to install Flash, even if you already have it.)