Last month I finally got around to installing antivirus software on the one Windows computer we have at home. While I’ve found Norton Anti-Virus has worked well on my system at work, I ended up choosing McAfee Internet Security Suite for two reasons: (1) unlike Symantec, they don’t use a product activation scheme, and (2) since McAfee bought Deersoft, purchasing a McAfee-related anti-spam product should help fund SpamAssassin development.

Big mistake.

Since installing McAfee, this computer has crashed at least once each time I’ve turned it on (usually with a McAfee dialog box visible). The privacy service adds another login prompt, whether you want it or not. It tends to pop up dialogs when you’re in the middle of, say, running ScanDisk to make sure the system survived the crash McAfee caused five minutes earlier. And, ridiculously, the software and virus definition update runs through Internet Explorer.

By this I don’t mean that it expects you to go to the website and download an installer. That would be inconvenient, but acceptable (since you could choose what web browser to use). No, it pops up a “Check for updates” dialog box which then opens Internet Explorer, goes through a set of redirects until it opens a pop-up that looks like a download manager (but is clearly done using HTML), and then downloads and installs the update.

Now forget any issues you might have with buggy rendering, feature parity, monopoly abuse, antitrust, etc. Just look at IE’s track record on security.

Why would you want a security system to rely on something so notoriously insecure?

Symantec has its own update program that calls out, checks for updates, downloads them and installs. You can run it manually, or you can set it to grab and install virus updates automatically. Nowhere in this whole process does Internet Explorer come into the picture – or if it does, it’s hidden away where the power user won’t see it and say “What the hell do they think they’re doing?”

Anyone whose email address is posted on a web site probably doesn’t bother to identify who sent them viruses anymore. With faked return addresses and the high probability that your only connection to the sender is the fact that they visited your web page sometime in the last month, there really isn’t much point.

Every once in a while, you’ll see something weird.

Today I received what looked like a classic credit-card theft scam: a notice supposedly from PayPal claiming that my account would be canceled unless I re-entered all my credit card information into the linked web page. Right. Normally I just report it to PayPal and delete it, but this one had an attachment instead of a link, and that attachment had been defanged. With a name like www.paypal.com.scr, it was pretty obviously a virus.

With the new crop of email viruses – the ones that fake the return address based on the same sources (address books, web caches, etc.) as the target list – you get a few interesting effects.

The first is that there is a good chance you’ll receive many copies of the virus from the same source, with different return addresses. I saw this a lot in the recent Sobig outbreak: when our mail server deletes a virus, it logs the sending and receiving addresses and the IP of the connecting server. Some IP addresses would send hundreds of copies of the virus, all to the same recipient, all with different return addresses. So it would look like hundreds of people are sending you the same virus, but in reality, it’s just one infected machine.

The other is the “friend of a friend” effect. You may get the virus from someone who knows you (or has just visited your web page), but it looks like it came from someone who knows them (or someone else whose web page they visited). Two degrees of separation.
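The log-grouping observation above, as an added example that is not code from the original post: it reads a few constructed virus-deletion log lines (the line format is an assumption, not any real product's), groups them by connecting IP, and shows that many different return addresses hitting one recipient from one IP is a single infected machine, not many senders.

```python
import re
from collections import defaultdict

# Constructed sample log (format is an assumption): one line per deleted virus,
# recording the connecting server IP, envelope sender and recipient.
SAMPLE_LOG = """\
2003-08-20 09:12:01 virus=Sobig.F ip=198.51.100.23 from=alice@example.org to=me@example.com
2003-08-20 09:12:04 virus=Sobig.F ip=198.51.100.23 from=bob@example.net to=me@example.com
2003-08-20 09:12:09 virus=Sobig.F ip=198.51.100.23 from=carol@example.org to=me@example.com
2003-08-20 09:12:15 virus=Sobig.F ip=198.51.100.23 from=dave@example.com to=me@example.com
2003-08-20 09:40:52 virus=Sobig.F ip=203.0.113.7 from=erin@example.org to=me@example.com
2003-08-20 09:41:30 virus=Sobig.F ip=203.0.113.7 from=erin@example.org to=me@example.com
"""

LINE_RE = re.compile(
    r"virus=(?P<virus>\S+) ip=(?P<ip>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)")

def parse_log(text):
    """Yield one dict per log line that matches the expected format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def infected_hosts(text):
    """Group deleted-virus events by connecting IP.

    Returns {ip: {"copies": n, "senders": set(), "recipients": set()}}.
    Many distinct return addresses from one IP to one recipient is the
    signature of a single infected machine forging From: per message.
    """
    stats = defaultdict(lambda: {"copies": 0, "senders": set(), "recipients": set()})
    for ev in parse_log(text):
        s = stats[ev["ip"]]
        s["copies"] += 1
        s["senders"].add(ev["sender"])
        s["recipients"].add(ev["rcpt"])
    return dict(stats)

def report(text):
    """One summary line per IP, busiest first."""
    ranked = sorted(infected_hosts(text).items(), key=lambda kv: -kv[1]["copies"])
    return [f"{ip}: {s['copies']} copies, {len(s['senders'])} distinct return addresses"
            for ip, s in ranked]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```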

Inspired by finding a list of Babylon 5 viruses earlier this week.

Harry Potter virus: Looks like the last file of a virus you just wiped out, until you try to erase it–then it wipes your drive.

Voldemort virus: You can’t get rid of it, only make it dormant. It can be reactivated by the Wormtail virus up to thirteen years later.

Dumbledore virus: Scares off all the other viruses but never seems to actually *do* anything.

Hermione virus: Fills up all available drive space with files of useless information.

Ron virus: Contains code, some of it buggy, from the author’s five previous viruses.


The world of email viruses has changed. In the old days, they would piggyback on the messages you sent, or make your regular mail program send them out while you weren’t looking. These days they send the messages themselves, so they pick a fake return address from the same source as their list of victims: address books, web caches, and so on.

The return address on a virus like Sobig doesn’t mean crap.

So why the heck are all these idiotic virus scanners (*cough* Declude *cough*) sending me messages saying “You sent us a virus!” when a cursory glance at the headers clearly shows that it originated on the other side of the planet?

I’ve already got the server filtering out the virus itself – I’m seriously thinking about filtering out the useless warnings.
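The "cursory glance at the headers" above, as an added example that is not code from the original post: it parses a constructed Sobig-style message (sample data, not a real capture), pulls the originating IP from the bottom-most Received: header rather than trusting From:, and applies the rule a scanner should use before sending "You sent us a virus" notices: only notify when the message really came from a host inside your own network (the internal ranges are an assumption). Otherwise the From: is forged and the warning is just backscatter to an innocent third party.

```python
import email
import email.utils
import ipaddress
import re
from email import policy

# Constructed virus message as a scanner would receive it: From: is forged to
# an outside user, but the earliest Received: line shows the injecting host.
SAMPLE_VIRUS = """\
Received: from relay.example.org (relay.example.org [203.0.113.7])
\tby scanner.example.net with ESMTP id def456; Wed, 20 Aug 2003 09:11:58 -0700
Received: from localhost (dsl-198-51-100-23.example.net [198.51.100.23])
\tby relay.example.org with SMTP id ghi789; Wed, 20 Aug 2003 09:11:55 -0700
From: me@example.com
To: someone@example.net
Subject: Re: Details

Please see the attached file for details.
"""

# Assumed address space of the scanner's own network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(raw):
    """IP from the earliest (last-listed) Received: header, or None if absent."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    m = IP_IN_BRACKETS.search(str(hops[-1]))
    return m.group(1) if m else None

def from_domain(raw):
    """Domain claimed by From:, which a mass-mailing virus forges freely."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def should_notify_sender(raw, internal_nets):
    """True only if the message entered from a host we control; for anything
    injected from outside, From: cannot be trusted and no warning is sent."""
    ip = originating_ip(raw)
    if ip is None:
        return False
    return any(ipaddress.ip_address(ip) in net for net in internal_nets)
```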