With the new crop of email viruses – the ones that fake the return address based on the same sources (address books, web caches, etc.) as the target list – you get a few interesting effects.

The first is that there is a good chance you’ll recieve many copies of the virus from the same source, with different return addresses. I saw this a lot in the recent Sobig outbreak: when our mail server deletes a virus, it logs the sending and receiving addresses and the IP of the connecting server. Some IP addresses would send hundreds of copies of the virus, all to the same recipient, all with different return addresses. So it would look like hundreds of people are sending you the same virus, but in reality, it’s just one infected machine.

The other is the “friend of a friend” effect. You may get the virus from someone who knows you (or has just visited your web page), but it looks like it came from someone who knows them (or someone else whose web page they visited). Two degrees of separation.

Inspired by finding a list of Babylon 5 viruses earlier this week.

Harry Potter virus: Looks like the last file of a virus you just wiped out, until you try to erase it–then it wipes your drive.

Voldemort virus: You can’t get rid of it, only make it dormant. It can be reactivated by the Wormtail virus up to thirteen years later.

Dumbledore virus: Scares off all the other viruses but never seems to actually *do* anything.

Hermione virus: Fills up all available drive space with files of useless information.

Ron virus: Contains code, some of it buggy, from the author’s five previous viruses.

Continue reading

The world of email viruses has changed. In the old days, they would piggyback on the messages you sent, or make your regular mail program send them out while you weren’t looking. These days they send the messages themselves, so they pick a fake return address from the same source as its list of victims: address books, web caches, and so on.

The return address on a virus like Sobig doesn’t mean crap.

So why the heck are all these idiotic virus scanners (*cough* Declude *cough*) sending me messages saying “You sent us a virus!” when a cursory glance at the headers clearly shows that it originated on the other side of the planet?

I’ve already got the server filtering out the virus itself – I’m seriously thinking about filtering out the useless warnings.

My dad forwarded me an opinion piece from the eWeek newsletter called Idiocy Imperils the Web. Jim Rapoza argues that – especially by now – people should really have figured out not to click on unknown attachments. My favorite quote: “Most people figure out that if they keep grabbing the electric fence, they’ll get a shock every time.”

I’ve thought along these lines for several years now. [Update: Not anymore (see below)] Once the first two waves of high-profile email viruses hit, it was time for people to wise up. Instead we have a variation on the classic joke:

Three guys walk into a bar. You’d think the third one would have ducked.

Except it’s more like “Ten guys walk into a bar. You’d think the third, fourth, fifth…”

Although I’m also reminded of a quote from Jakob Neilsen’s “Alertbox” usability column from April 1996:

The fact that the Internet doubles every year implies that at any time half of the users will have been on the net for less than a year. In other words, we are doomed to have 50 percent novice users for the foreseeable future.

This has, of course, slowed down since 1996 – recent statistics show Internet growth in the US has dropped to 5% – but it seems very unlikely that newbies can account for all – or even most – of the virus spreaders.

Yes, the responsibility rests ultimately on the jerks who write these things – but they wouldn’t be able to get anywhere without the idiots who click on them.

Update March 2023: In the 20(!) years wince I wrote this, I’ve come around to agree with Bruce Schneier’s remarks on the subject from 2011:

People get USB sticks all the time. The problem isn’t that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn’t safe to plug a USB stick into a computer. (emphasis added)

Yes, people absolutely need to be careful with storage they plug in, with files they download, with apps they install. Of course they do. But that only gets you so far. In addition to unintended security vulnerabilities, the software and hardware makers need to do better at not building glaring holes like auto-running malware.

I mean, just yesterday the YouTube channel for Linus Tech Tips — a channel that’s all about the tech — was taken over through malware that installed itself from a malicious PDF file and collected the session tokens from the computer’s web browsers, enabling the hackers to clone their login session and replace the channel with one promoting cryptocurrency. If YouTube — owned by Google, one of the biggest tech companies in the world — had flagged the IP-hopping or region-hopping of the login session, it could have at the very least thrown up some roadblocks.

(The number of things I just typed that wouldn’t have made any sense back in 2003…)

Admittedly, it’s hard to blame Microsoft or Google for exploding USB sticks, but I certainly wouldn’t blame the victim for it either.

Got someone’s virus-generated email today (though that’s far from unusual). The mail server strips out known viruses and obvious subterfuge, but this one still had a huge HTML file attached… containing, oddly enough, the complete lyrics to Rent. (Incidentally, some idiot decided to make the show’s entire official website appear in a popup. If you have popups disabled, all you see is a message telling you to install Flash, even if you already have it.)