Outlook Viruses Trash Non-Outlook Mailboxes

Mozilla developer Ben Goodger writes about losing his inbox to the latest virus… despite not using any vulnerable software. Apparently he’s been getting over 10,000 virus-laced messages every day, and with the four-day weekend they built up to the point that Thunderbird wasn’t able to handle the influx. (Imagine having to filter out 770 megabytes of junk every day, and having that build up over several days.)

Sure, the the pre-release Thunderbird still has problems dealing with very large folders, but 770 MB/day? Even Gmail only gives you 1 GB of total storage. I can’t think of any reasonable expectation that any mail client should have to deal with that at today’s level of data richness. Maybe in the future when we’re sending full-motion video on a regular basis, but not when most email is text with maybe some formatting and a couple of small images.

It’s just staggering that, even though the main email worms depend on Microsoft Outlook, Outlook Express, and Internet Explorer to spread themselves and infect new hosts, they can still damage systems that don’t use those programs!

Another bogus warning

Here’s another one. First the notice they sent me:

Subject: VIRUS (Worm.SomeFool.P) IN MAIL FROM YOU

VIRUS ALERT

Our content checker found
    virus: Worm.SomeFool.P
in your email to the following recipient:
-> ADDRESS REMOVED

Please check your system for viruses,
or ask your system administrator to do so.

Delivery of the email was stopped!

And now my response:

Subject: BOGUS ALERT (sent to wrong address) IN MAIL FROM YOU

BOGUS WARNING ALERT

My BS checker found
    bogus warning: notice sent to known-forged sender
in your email to the following recipient:
-> MY ADDRESS

Please check your virus scanner for better notification options,
or ask your system administrator to do so.

All modern email-based viruses forge the sender address. Additionally, since your virus scanner was able to identify the specific virus, it can determine on its own that this virus always uses a forged address.

By notifying the supposed sender of a message when you know that sender is forged, you are knowingly sending virus warnings to people who are, in all likelihood, not using an infected computer. Messages like these are just noise, and the more of them that are sent, the less attention people will pay to *real* warnings. Additionally, it also runs the risk of causing unnecessary concern among the less tech-savvy (and extra calls to tech support about the nonexistant virus they fear they have).

(Feel free to re-use my response. I partially quoted myself anyway.)

I’m contemplating building a “hall of shame” and actually posting the sources of some of these. Any thoughts?

Out in the open

Just what we need. Netcraft reports a worm that installs a network sniffer.

What’s that? It’s a program that listens in on traffic going across your network, looking for things like, oh, login names and passwords, credit card numbers, etc. They’re the reason online commerce requires SSL encryption.

Sniffers work because of the way ethernet is designed. Basically your local network is like holding a conversation in a crowded room. You focus on the people you’re talking with, and you tune out other people as best as you can. (In this case there’s also someone at the door who can relay your words to someone in another room, and relay back their responses.) To hold a private conversation you have to go somewhere else or talk in code. A traffic sniffer just doesn’t tune anyone out, so it picks up on everything in your local network.

So now, no matter how well you guard your own computer, if some moron on your network manages to get infected by Worm.SDBot (which thankfully hasn’t been spotted “in the wild” yet), you could still be handing out your email login/password when you log onto Yahoo/Hotmail/Outlook/etc.

You just might want to use that “secure login” option. Assuming, of course, that you have one.