You Sent Me A Virus! Have A Nice Day!

By Larry Seltzer  |  Posted 2003-07-09 Print this article Print

Don't take it personally if someone tells you that you sent them a virus. Don't assume they know what they're talking about either.

Have you ever received an e-mail from someone, or maybe from an automated agent or mail administrator of a site informing you that you had sent them an infected message? Theres a good chance you didnt actually send the infected message.

Gateway anti-virus software often has the capability, when it detects an infected message coming in, to send a notification message to the purported sender of the infected message, telling them that an infected e-mail was sent from them and that they should take appropriate actions.

People complain about these notification messages almost as much as they complain about the viruses themselves. Theres a legitimate point to it, although exaggeration abounds all over the arguments. The main problem is that we all tend to take viruses personally; we howl when we receive an infected message as well as when were accused of spreading them. I think many users still dont appreciate that virus/worm spreading these days is an entirely unintentional affair.

Some e-mail virus/worms, send their message not from the user of the infected computer, but from an address made up by the worm itself, called a "spoofed" address. Sometimes these addresses come from a simple list hard-coded into the worm, and sometimes from your address book, but the current preferred method is to search key files, such as the users browser cache, for addresses.
For example, Klez, undoubtedly the Virus Of The Year for the 2002-2003 season, uses such address spoofing. In these cases, if the gateway anti-virus software sends a message to the sender of the infected message, they are sending it to an uninvolved third party.

This is partly why I think that the overall scale of the problem is exaggerated. I have a large number of e-mail addresses and because of web pages linking to them, like this one, those addresses are posted all over the web. This is why I get a lot of infected e-mail, because my address is in a lot of browser caches. But I dont get a lot of notifications that I have sent people viruses.

The more intelligent anti-virus gateways, like Trends InterScan Messaging Security Suite, decide based on the capabilities of the worm whether its worth sending a notification to the sender of the message. This is actually a simple decision, since the scanner needs to have a database of worms and their characteristics anyway. Why not make "spoofs sender address" one of those characteristics?

Notification messages can even be worse than useless. If you were able to receive enough notification messages you could determine their senders and create a profile of who runs what anti-virus software, valuable information for an attacker to have. The downside to this is that you might call too much attention to yourself by receiving all those notifications.

This all raises the issue of what to do with a message when anti-virus software detects an infection, and here all too often anti-virus software acts illogically. In the early days of e-mail viruses (1999, 2000) there was a chance that an infected message had actual content in it that one might want to save. But all of the recent attacks send their own completely synthetic messages. Perhaps the message body contains text pulled pseudo-randomly from files on the disk, but its not a real message and nothing worth saving. My own anti-virus software tries to send me a cleaned version of infected files. I wish it would stop trying.

And I would argue that most notifications are useless to most people and counter-productive. Unless you know from the virus characteristics that the sender address is the actual sender theres no point in looking at the message. Why would the recipient ever need to know that the anti-virus software blocked an infected message? Theres almost no chance that it contains actual data.

So if someone tells you that they blocked a virus, congratulate them. If its an automated message, write a rule to trash the messages. And if youre writing anti-virus software, think critically about how you notify people.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel