Category Archives: Viruses

Check the wording!

Oh, this is good!

You may have heard a few days ago that the latest MyDoom variant includes a request for work in the antivirus industry.

Well, the comic strip User Friendly has come up with the perfect solution!

Posted in Humor, Viruses

Giving virus writers honest work

By way of Justin Mason and the SpamAssassin mailing list comes this post about writing add-ons for Outlook.

Seth Goodman writes of Outlook’s contact list:

This feature was apparently added for the convenience of virus writers, who it appears were one of the key groups that set the design requirements for this product.

Ronald F. Guilmette replies:

So if I want source code for a software tool that can extract addresses from a personal Outlook address book, I guess that I should just go out and hire a virus writer! Hummm. I would have no problem with that. At least this would give them some honest work for a change… keeping them off the streets and out of trouble for a short while.

So now, where does one post a ‘HELP WANTED’ ad for a virus writer?

Posted in Humor, Spam, Viruses

Outbreak

A new virus has been running around today, hiding in files like price08.zip, new_price.zip, etc. We got a call from a customer asking what this [Defanged] notice was all about, at which point I looked at the logs and found a lot more instances. By the time our virus definitions were updated to recognize it (currently ClamAV identifies it as Trojan.JS.RunMe. Edit: McAfee and F-Secure identify it as a new Bagle variant – either W32/Bagle.aq@MM or Bagle.al), about 45 copies had made it through virus scanning but were caught by MIMEDefang, which found the attachment suspicious anyway.

The moral of this part of the story: relying on virus signatures isn’t enough. By the time Norton, McAfee, F-Secure, ClamAV, etc. have identified a signature and your scanner has grabbed the updated files, it’s too late. Some copies have already gotten through.
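The signature-independent check described above, as an added example (this is not the author’s MIMEDefang configuration, and the extension list is an assumption for illustration): a gateway filter that holds back an attachment when it is a program, or a zip archive containing one, regardless of whether any signature matched. The sample message is constructed inline with the Python standard library; the attachment names echo the ones in the post, but the contents are placeholders.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment extensions a gateway can refuse without waiting for a signature.
# The set is an assumption for this example, not a list from the page or from MIMEDefang.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def _extension(name):
    """Lower-cased final extension of a file name, or '' if it has none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _zip_members(data):
    """Member names of a zip archive, or None if the bytes are not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return archive.namelist()
    except zipfile.BadZipFile:
        return None


def find_suspicious_attachments(raw_message):
    """Return (attachment name, reason) pairs for attachments that should be
    held back even when the virus scanner has no matching signature."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = _extension(name)
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable extension " + ext))
            continue
        # Look inside archives: a zip whose members are programs is the usual
        # way an executable gets past a plain extension filter.
        if ext == ".zip" or payload.startswith(b"PK"):
            members = _zip_members(payload)
            if members is None:
                findings.append((name, "unreadable zip archive"))
                continue
            for member in members:
                if _extension(member) in EXECUTABLE_EXTENSIONS:
                    findings.append((name, "archive contains executable " + member))
                    break
    return findings


def build_sample_message(attachment_name, member_name="price.txt"):
    """Construct a test message (constructed sample, not a captured virus). A
    .zip attachment gets one harmless member named member_name; any other
    attachment is a small dummy blob under the given name."""
    if attachment_name.lower().endswith(".zip"):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as archive:
            archive.writestr(member_name, b"placeholder, not a program")
        data, subtype = buf.getvalue(), "zip"
    else:
        data, subtype = b"placeholder, not a program", "octet-stream"
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "sales@example.invalid"
    msg["Subject"] = "new price"
    msg.set_content("Please see the attached price list.")
    msg.add_attachment(data, maintype="application", subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    cases = [("new_price.zip", "price08.exe"), ("new_price.zip", "price08.txt"),
             ("readme.scr", "")]
    for attachment, member in cases:
        print(attachment, find_suspicious_attachments(build_sample_message(attachment, member)))
```

The check is deliberately dumb: it never asks what the program does, only whether a program is there at all, which is exactly the question a signature database cannot answer for a family it has not seen yet.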

The next part is kind of interesting: This virus is clearly harvesting addresses from the web or from browser caches, because we’re seeing hits to our spamtraps. The really weird part: half of those hits claim to be from our other spamtraps!

But it is kind of odd for a new outbreak to hit the day I read this article: Security expert Q&A: The virus writers are winning.

Posted in Viruses

Wolf Cry

More “You sent a virus!” garbage going around. It’s gotten to the point where I don’t even look at most delivery failure notices, which means I could easily miss errors about mail I really did send.

I got ticked off enough this time that I wrote back to the return address on the warning, matching the tone and structure of their message as closely as possible:

An invalid virus notice was found in an Email message you sent. Your Email scanner recognized a virus as W32/MyDoom-O but did not take into account the fact that this virus always uses a fake sender address.

Please update your virus scanner or contact your IT support personnel as soon as possible, as you are sending bogus virus warnings to third parties whose systems are not infected with the virus. This runs the risk of causing unnecessary concern among the less tech-savvy (and extra calls to tech support about the nonexistent virus they fear they have). I would recommend reading up on the phrase “crying wolf” as well.

Posted in Annoyances, Viruses

Total Waste of Bandwidth

I regularly get bogus bounces from clueless virus scanners that don’t realize the sending address is fake 99% of the time, but this takes the cake:

Sometime last night I received three copies of the same notice from some system in Brazil. They had written their virus warning in Microsoft Word, saved it as HTML without cleaning up all the extra junk, and made it the only part of the message… in Base64 encoding!

If you’re going to send any kind of diagnostic notice by email, you want it to be as simple and widely readable as possible. That means plain text (not HTML or Base64, and certainly not both!). It also means that if you do want to use HTML, at least clean it up and include a plain-text alternative. For all you know it’s going to be read by some admin logging into a GUIless server through SSH over a modem connection on a hotel phone line!

Posted in Annoyances, Viruses

Interesting Combination

This morning I received both a bogus “Out of Office” reply from someone at Halliburton (presumably from a virus that spoofed my address as the sender) and a new 419 scam variant, this one claiming to be someone in Iraq. (I still think of them as Nigerian scams, but they’ve gone seriously international over the past year or so.) Subject line: “EVERY IMPORTANT” (really!)

Something to consider on those vacation messages: I was just sent some random Halliburton employee’s cell phone number. Not that I have any use for it, but would you hand out your cell number to any random person on the Internet? I know I wouldn’t!

Posted in Politics, Spam, Viruses

Doorway to Mac Viruses?

Apparently a security firm has discovered a way to trick Mac OS X into running a trojan horse. The technique involves creating a data file, but embedding a Carbon program in it. (Carbon is a programming interface aimed at making it easy to convert older Mac applications to run on Mac OS X without switching into Classic mode.)

According to Intego, Finder sees only the file type data and displays a spoofed icon identifying the file as (in their example) an MP3, but actually double-clicking on the file will cause the OS to notice the program code and run it. Their proof-of-concept code runs itself, then opens the file in iTunes in order to avoid looking suspicious.

This is very similar to a (fixed, but still present in a zillion unpatched systems) bug in Internet Explorer for Windows that was exploited by many mass-mailing viruses. In that case, IE would decide whether a file was safe by checking the MIME type sent by the server, then use the file extension to decide how to load the file. Viruses would generate messages embedding supposed MIDI files that Outlook would try to play; but instead of handing the file to a MIDI player, it would ask the OS to open it. Without the MIME info, Windows would see that it was a program file and run the virus.
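Both bugs above share one root cause: the “is this safe?” decision and the “how do I open this?” decision look at different evidence (a MIME label or an icon on one side, the extension or the embedded program code on the other). The following added example (not code from Intego, Apple, Microsoft or the author) shows the defensive alternative, classifying a file by its leading bytes and refusing to open it when that classification is an executable or disagrees with the declared label. The magic numbers recognised are an assumption for the example: real sniffers cover far more formats, and a Carbon program of the era need not be in either executable container listed here. All sample files are constructed header bytes plus filler.

```python
import struct

# Magic words of Mach-O images (32/64-bit, both byte orders) and fat binaries.
# 0xCAFEBABE is also the Java class-file magic; both are treated as executable here.
MACH_O_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE}

# What an extension claims a file is (assumed table for this example).
EXTENSION_TYPES = {".mp3": "audio/mpeg", ".mid": "audio/midi", ".midi": "audio/midi"}


def sniff_content_type(data):
    """Classify a file by its leading bytes alone, ignoring name, extension and
    whatever MIME type a server or mail message claimed for it."""
    if data.startswith(b"MZ"):
        return "application/x-pe-executable"
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] in MACH_O_MAGICS:
        return "application/x-mach-o-executable"
    # MPEG audio: an ID3 tag, or an MPEG frame sync (11 set bits) at offset 0.
    if data.startswith(b"ID3") or (len(data) >= 2 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0):
        return "audio/mpeg"
    if data.startswith(b"MThd"):
        return "audio/midi"
    return "unknown"


def declared_type(filename, mime_type=None):
    """The type the file *claims* to be: the MIME label if one was supplied,
    otherwise whatever the extension suggests."""
    if mime_type:
        return mime_type.lower()
    lowered = filename.lower()
    dot = lowered.rfind(".")
    return EXTENSION_TYPES.get(lowered[dot:], "unknown") if dot >= 0 else "unknown"


def check_before_opening(filename, data, mime_type=None):
    """Return (ok, reason). The file may be opened only when its content is not
    a program and agrees with the declared label, so the safety decision and
    the open-with decision rest on the same evidence."""
    actual = sniff_content_type(data)
    claimed = declared_type(filename, mime_type)
    if actual.endswith("-executable"):
        return False, "program code inside a file labelled " + claimed
    if actual == "unknown" or actual != claimed:
        return False, "content looks like %s but label says %s" % (actual, claimed)
    return True, "content matches label " + claimed


if __name__ == "__main__":
    # Constructed samples: a few header bytes followed by filler, not real files.
    samples = [
        ("song.mp3", b"ID3\x03\x00" + b"\x00" * 16, "audio/mpeg"),
        ("song.mp3", b"MZ\x90\x00" + b"\x00" * 16, "audio/mpeg"),
        ("tune.mid", b"\xcf\xfa\xed\xfe" + b"\x00" * 16, None),
        ("song.mp3", b"MThd\x00\x00\x00\x06", None),
    ]
    for name, data, mime in samples:
        print(name, mime, check_before_opening(name, data, mime))
```

The point of the unknown-means-refuse rule is that a file the sniffer cannot classify is exactly the file whose label should not be trusted; a production filter would add formats rather than relax that rule.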

If this is confirmed, it will probably not be a vector for e-mail viruses, because the standard mail and web apps for Mac OS X don’t automatically run things the way Outlook, Outlook Express and Internet Explorer do.

No, the real danger will be viruses that spread through peer-to-peer file sharing networks. Download a supposed MP3 off of Gnutella, open up your music folder, double-click on it, and you’re infected.

Apple has said they “are aware of the potential issue… and are working proactively to investigate it.”

(Why is this news? Because it’s Apple, and because it’s so similar to a popular virus vector in Windows. Exploitable vulnerabilities are found so often in Windows I hardly blink.)

Updated slightly based on some real analysis (see comments).

Posted in Apple, Viruses

One Degree

Anyone whose email address is posted on a web site probably doesn’t bother to identify who sent them viruses anymore. With faked return addresses and the high probability that your only connection to the sender is the fact that they visited your web page sometime in the last month, there really isn’t much point.

Every once in a while, you’ll see something weird.

Today I received what looked like a classic credit-card theft scam: a notice supposedly from PayPal claiming that my account would be canceled unless I re-entered all my credit card information into the linked web page. Right. Normally I just report it to PayPal and delete it, but this one had an attachment instead of a link, and that attachment had been defanged. With a name like www.paypal.com.scr, it was pretty obviously a virus.

Posted in Viruses

Viral degrees of separation

With the new crop of email viruses – the ones that fake the return address based on the same sources (address books, web caches, etc.) as the target list – you get a few interesting effects.

The first is that there is a good chance you’ll receive many copies of the virus from the same source, with different return addresses. I saw this a lot in the recent Sobig outbreak: when our mail server deletes a virus, it logs the sending and receiving addresses and the IP of the connecting server. Some IP addresses would send hundreds of copies of the virus, all to the same recipient, all with different return addresses. So it would look like hundreds of people were sending you the same virus, but in reality, it’s just one infected machine.
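The log analysis described above, as an added example (not the author’s script, and the log line layout is an assumption since the page does not show the real format): group deleted-virus records by the connecting IP and flag hosts that sent several copies under more than one return address, which is the fingerprint of one infected machine posing as many senders. The sample lines are constructed; the addresses use documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed layout. 192.0.2.10 is one infected
# host sending copies under four forged return addresses; 203.0.113.5 sends
# three copies under one address; the last line is not a deletion record.
SAMPLE_LOG = """\
Aug 21 09:12:01 mx mimedefang[4211]: deleted virus from=<alice@example.org> to=<me@example.net> ip=192.0.2.10
Aug 21 09:12:05 mx mimedefang[4211]: deleted virus from=<bob@example.com> to=<me@example.net> ip=192.0.2.10
Aug 21 09:12:09 mx mimedefang[4211]: deleted virus from=<carol@example.edu> to=<me@example.net> ip=192.0.2.10
Aug 21 09:12:14 mx mimedefang[4211]: deleted virus from=<dave@example.org> to=<me@example.net> ip=192.0.2.10
Aug 21 09:30:41 mx mimedefang[4213]: deleted virus from=<erin@example.com> to=<me@example.net> ip=198.51.100.7
Aug 21 10:02:17 mx mimedefang[4220]: deleted virus from=<frank@example.net> to=<sales@example.net> ip=203.0.113.5
Aug 21 10:02:20 mx mimedefang[4220]: deleted virus from=<frank@example.net> to=<info@example.net> ip=203.0.113.5
Aug 21 10:02:25 mx mimedefang[4220]: deleted virus from=<frank@example.net> to=<me@example.net> ip=203.0.113.5
Aug 21 10:05:00 mx mimedefang[4221]: accepted message from=<grace@example.org> to=<me@example.net> ip=192.0.2.99
"""

LINE_RE = re.compile(r"deleted virus from=<([^>]*)> to=<([^>]*)> ip=(\S+)")


def summarize_by_ip(log_text):
    """Per connecting IP: how many copies were deleted, and the sets of return
    addresses and recipients seen on them."""
    stats = defaultdict(lambda: {"copies": 0, "senders": set(), "recipients": set()})
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # not a deletion record
        sender, recipient, ip = match.groups()
        entry = stats[ip]
        entry["copies"] += 1
        entry["senders"].add(sender)
        entry["recipients"].add(recipient)
    return dict(stats)


def likely_single_infected_hosts(log_text, min_copies=3):
    """IPs that sent at least min_copies copies under more than one return
    address: one machine that looks, from the headers, like many people."""
    return sorted(ip for ip, entry in summarize_by_ip(log_text).items()
                  if entry["copies"] >= min_copies and len(entry["senders"]) > 1)


def apparent_senders_per_host(log_text):
    """How many distinct 'people' each host appears to be to a recipient who
    trusts the From address."""
    return {ip: len(entry["senders"]) for ip, entry in summarize_by_ip(log_text).items()}


if __name__ == "__main__":
    for ip, entry in summarize_by_ip(SAMPLE_LOG).items():
        print(ip, entry["copies"], "copies,", len(entry["senders"]), "return addresses")
    print("likely single infected hosts:", likely_single_infected_hosts(SAMPLE_LOG))
```

Grouping by IP rather than by return address is the whole trick: the forged address carries no information about the source, while the connecting IP cannot be forged in a completed SMTP session.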

The other is the “friend of a friend” effect. You may get the virus from someone who knows you (or has just visited your web page), but it looks like it came from someone who knows them (or someone else whose web page they visited). Two degrees of separation.

Posted in Viruses

Harry Potter computer viruses

Inspired by finding a list of Babylon 5 viruses earlier this week.

Harry Potter virus: Looks like the last file of a virus you just wiped out, until you try to erase it–then it wipes your drive.

Voldemort virus: You can’t get rid of it, only make it dormant. It can be reactivated by the Wormtail virus up to thirteen years later.

Dumbledore virus: Scares off all the other viruses but never seems to actually *do* anything.

Hermione virus: Fills up all available drive space with files of useless information.

Ron virus: Contains code, some of it buggy, from the author’s five previous viruses.


Posted in Harry Potter, Humor, Viruses