
20th January 2002

THE PROBLEM WITH VIRUSES

Brian Grainger

brian@grainger1.freeserve.co.uk


 

Year 2001 has already been dubbed the year of the virus by some and I am not going to argue. Virus writing certainly came on in leaps and bounds last year and if you, or someone you knew, were not affected at least once then you were lucky. This article looks at the phenomenon, why it is happening and the steps to take to minimise disruption. It goes beyond the stock answer of 'get an anti-virus package' and is based on my own experience.

Before I start I should mention that I am going to use the common term virus for all manifestations, where the pedantic may prefer the terms viruses, Trojans and worms depending on type. Let's face it, they are all a blasted nuisance.

At the end of 2000 you may remember I used a Readers Write article to describe how the Kak worm had been caught by one of our readers. This was the extent of things back then.

The early part of the year saw manifestations of the Love Bug virus and the Kournikova virus. Both of these relied on providing a tempter so that the receiver would open a file attachment. This would then instigate the mechanism for further transmission and activate the various payloads. The payloads in viruses can range from fairly harmless silly messages through those that erase the hard disks to probably the worst of all, those that erase the CMOS and flash the BIOS! The Magistr virus, from March-April time, was just such a virus. The incredible spread and havoc caused by the Love Bug and Kournikova viruses shows just how trusting people are and where their weak points can be found! The attachment to open in the former case was entitled 'I Love You' and the Kournikova virus promised some interesting views of someone who thinks she can play tennis.

As the year progressed we saw virus methodology getting more sophisticated. Obviously, relying on a user to open an attachment is not a perfect transmission mechanism. While it still works with novices, they will stop opening things automatically once they have been hit once. To avoid this problem virus writers decided to exploit the way that Internet Explorer and Outlook Express, by default, run script files without asking first! Once the e-mail was opened off it would go. Of course, if you do not open the e-mail nothing happens. However, asking a user to not open an e-mail is even more difficult than asking them not to open attachments. The use of the preview pane in Outlook Express exacerbated this because as soon as a message arrived and appeared in the preview pane it was effectively opened. The user did not have to do anything to get the virus started!

As time has gone by virus writers have exploited further holes in all sorts of software to run malicious code on the user's PC. The technical term is that the software has a buffer overflow problem. Basically, a buffer is a fixed-size area of memory held within the software to transfer information in and out of it. Poorly designed software does not check whether the incoming data will fit in the buffer before copying it in. Consequently, a virus writer can transfer in more than the buffer holds, including enough code to do something nasty to your PC.

A final level of sophistication was added later in the year, which increased the spread of viruses still further. It even began to affect me and there was nothing I could do about it. The first major virus that exploited the new technique was the 'Sir Cam' virus and it spread like wildfire. Previously, most viruses spread by looking at an infected user's address book and mailing itself to everyone it found there. The new technique was to look, in addition, at all the pages in the user's Internet cache. These are the pages stored when you surf the web so that you can read them later while not connected to the Internet. If any addresses were found on these pages then the virus would mail itself to them. As it is good practice to have contact e-mail addresses on web sites the virus usually found some addresses. This is why I started to be targeted. I may not be in many people's address book but everyone who surfed the ICPUG pages could potentially have my e-mail address in the Internet cache. In the first week of Sir Cam entering the wild I received three such e-mails. The Sir Cam e-mail was about 130K long so a significant amount of my time (and money) was being spent downloading these unwanted messages. All it required for me to be sent a message was for someone to surf the ICPUG pages and to be infected themselves. Well, it is nice to know I have some readers, but the receipt of the e-mails was not so good. I could do nothing about it short of removing my e-mail address from all the ICPUG pages, which would be silly. It is a cost I have to bear for being a Webmaster.

I believe the Badtrans virus, which appeared in November, exploited this still further as I received a few of these. I contact those who send me viruses to warn them. One of these contacts, from Australia, says he had not surfed the ICPUG pages but the only connection he could see was that he did communicate with another Freeserve user in Scotland. Was the server being used in some way to transmit the virus? I still do not know.

The next question I asked myself was why is this increase in virus activity occurring? Is it likely to recede or do I need to take permanent evasive action? I think, at present, there are two main types of virus writers. The majority are those that want to get noticed, not necessarily publicly, but by their activity. The second type are those with a grudge against someone, usually Microsoft, and thus target their products. It seems to me that neither of these types are likely to go away. I believe there is the slight risk of them being joined by a third type in the future, the cyber-terrorist.

OK, there are plenty of people with motive. Why are they capable of performing their actions? Can they be stopped from doing so?

Computing has come a long way in the 20 plus years that personal computers have been around. Before then we had mainframes which, in essence, were networked dumb terminals. There was no connection with the outside world so if havoc were to be created it would be limited to the reach of the dumb terminals. However, in those days the operating systems were highly esoteric and there were few people with the skill to write anything malicious. In addition the software security was much better than today. However, it WAS possible. I always remember one bright spark from the same year as me who brought down the University mainframe for a while. It was not malicious, but a mistake.

When personal computers came on the scene they were stand-alone machines so no havoc could spread. However, it did mean a lot more people were introduced to computing. This has led to many people who can cut code, even at the operating system level.

The real problems started with the rise of the network in the mid 1990s. Now computers were connected together again and, in theory, trouble could be caused. It was not until the rise of the Internet, and world-wide connectivity, that things started to move. People could get noticed on a world-wide scale now and it is this, more than anything else, that has led to the rise in virus writing. Another problem is that today's operating system software is much less secure than that of the mainframe days. The concept of testing, until of good enough quality to release, seems to have been replaced by a model where buggy software is released, which is updated by service patches as problems arise. This means there are more holes in the software for the virus writers to exploit.

I believe another problem is now starting to fuel the virus writers. Certain agencies are on the lookout for viruses and vulnerabilities. When they find some they tell everyone. The idea is that they expect software writers to remove the vulnerabilities if they are told about them. However, it also gives useful information for virus writers. They now know what to target. Microsoft have already started to get upset about information being released before they have time to get the patches written. I can sympathise with them - well, I could if they provided better quality software in the first place.

All the things which encourage virus writers (the world-wide network, knowledgeable individuals, poor-quality operating system software) are not going to go away in the near future. Consequently, viruses will continue to be written and we will have to protect against them. What can be done?

The first thing everyone says is get an anti-virus package. Well, that is fine but is only the first step. It will only protect you against the known viruses. It is the unknown ones and the havoc they spread before the next update of the anti-virus packages that you need protection against.

Ken Ross's solution to the virus problem is to avoid Microsoft products! There is a certain truth in this. The majority of viruses are targeted at Windows and Outlook. However, I am sure that if everyone started standardising on something else then the virus writers would follow them. Despite what you read, the Mac and Linux are not invulnerable. There have been viruses written for them and vulnerabilities have been found. Nevertheless, using non-Microsoft products will probably protect you.

Me - I have to use Windows because it gives me the widest choice of software to do what I want to do. I also like Outlook as my e-mail client but, as we will see, it may make sense to change that! What have I done to combat the virus problem?

Firstly, by the time I wanted to keep a list of contacts it was clear that viruses were using the contents of the Outlook address book to spread. My first action was therefore negative. I did not use the Outlook address book! I keep my contact list somewhere else, a Microsoft Word document. It is slightly more inconvenient but it does the job. This action does not stop me getting attacked of course. It just reduces the chance of spreading the virus. I am a nice guy - I think about you.

Just recently I have made one slight amendment to this policy. I have added just one, fictitious, contact to my address book. Now, if I inadvertently get hit by a virus and it uses the fictitious address to spread I hope I will get a message back saying the recipient could not be found. It is an early warning system for me.

The second thing I did was accidental. I took a long time to get hold of Internet Explorer v.5 and then took a long time to install it. Before I had installed it I was sent the Kak worm. I was surprised to find I was not attacked and investigation suggested it was because I was using an old version of IE. Consequently, I now use an old version of IE, on the basis that viruses tend to attack the latest versions and vulnerabilities. It gives me some immunity but I cannot rely on it.

As viruses started to be written that would activate as soon as the e-mail carrier was seen in the preview pane I had to do something about it. The preview pane is quite useful to me. I keep a message in my draft folder which consists of web addresses that I want to visit next time I go online. When I log on, one of the first things I do is to collect my mail and then by displaying the web list in my preview pane I can click on the entries to visit. If I removed the preview pane I could not open the message and click the link because it would be in edit mode and the link does not operate.

Because of my need for the preview pane I tried to devise a routine where I would turn off the preview pane before going onto the Internet. Then I would collect my mail. After making sure there were no suspect messages I would turn the preview pane on, view my web list and start clicking. Unfortunately, there was a problem with this routine. However much I tried, I would sometimes forget to turn off the preview pane in time!

I now devised a new way of clicking my web links. Basically, I send the draft e-mail to myself. Now I can click on the links in the opened received e-mail because it does NOT go into edit mode but read mode. It does mean I have some extra tasks to do when I create the next draft but my main use of the preview pane is removed. Consequently I now keep it turned off!

The next problem to tackle was how to open suspect e-mails without infecting myself! I needed to do this so I could confirm I really had a virus in the e-mail and, if so, what type of virus. I also open the e-mail to find the e-mail address of the sender and warn them they have a virus on their PC. The technique I use is not to open the e-mail within Outlook but to save it to the hard disk. I then use Explorer and shift-right-click the file. This gives a context menu with an 'Open with ...' option as well as the 'Open' option. I select the 'Open with ...' and use WordPad or Notepad to view the message. You can now see the text of the message, the names of the attachments, the sender's e-mail address and the route the e-mail took to get to you. This is enough to analyse the situation. The fact that you cannot see the attachment itself is beneficial if you really do have a virus!

The next problem I discovered was that even when I knew a message was a virus I once accidentally opened one while trying to save it! There is only one solution to this - be more careful and make sure you have virus remover software. This is where the anti-virus package can be useful, if it is an old virus. If not, it is worth looking at the Symantec web site where they often have online means of virus removal, although you may have to wait a few days from the first detection of the virus. It is worth giving a plug to the Symantec site. I find it gives the most comprehensive information on viruses, especially when new.

The one problem that still remains is how to define a suspect e-mail. Obviously, those with subjects that reflect what Symantec has told me are dodgy. I have now expanded the list of suspect messages to any message from someone I do not know. Finally, any message with an unsolicited attachment, even if from a friend, is subject to saving and checking before opening with Outlook.
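An added example, not part of the original article: a short Python script that does what the save-and-view-in-Notepad technique above does by hand. It reads a saved message as plain data (nothing is rendered or executed) to list the sender, subject, Received route and attachment names, then applies the three tests for a suspect message just described. The sample message, the contact list and the alert-subject list are all constructed for the example.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample of a message saved to disk (not a real capture): an attachment from an unknown sender under a fake "returned mail" subject.
RAW_MESSAGE = b"""Received: from relay.example.net ([192.0.2.10]) by mail.example.org; Mon, 14 Jan 2002 09:12:33 +0000
Received: from pc1 (dialup.example.net [198.51.100.7]) by relay.example.net; Mon, 14 Jan 2002 09:11:58 +0000
From: "Mail Delivery Subsystem" <stranger@example.net>
Subject: Returned mail: user unknown
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Your message could not be delivered; see the attached report.
--XYZ
Content-Type: application/octet-stream; name="report.doc.exe"
Content-Disposition: attachment; filename="report.doc.exe"

binary-content-would-be-here
--XYZ--
"""

KNOWN_SENDERS = {"friend@example.com"}  # constructed; the reader's own contact list
ALERT_SUBJECTS = {"returned mail: user unknown"}  # constructed; subjects from published virus alerts


def summarise(raw: bytes) -> dict:
    # Parse the saved file as plain data: headers and attachment names only; no part is opened or run.
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "sender": parseaddr(str(msg.get("From", "")))[1],
        "subject": str(msg.get("Subject", "")).strip(),
        # Each relay prepends its own Received: header, so reversing gives the route from origin to you.
        "route": list(reversed(msg.get_all("Received", []))),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


def triage(raw: bytes) -> list:
    # The article's three tests for a suspect message, applied in order.
    info = summarise(raw)
    reasons = []
    if info["subject"].lower() in ALERT_SUBJECTS:
        reasons.append("subject matches a published virus alert")
    if info["sender"] not in KNOWN_SENDERS:
        reasons.append("sender is not in the contact list")
    if info["attachments"]:
        reasons.append("unsolicited attachment: " + ", ".join(info["attachments"]))
    return reasons
```

Running `triage(RAW_MESSAGE)` on the sample returns all three reasons; the route listed by `summarise` starts at the dial-up machine and ends at your own mail server.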

There is one final story to tell. Earlier in this piece I mentioned that novices will open any e-mail. While promises of pictures of Anna Kournikova will not sway me to open an e-mail I found out during the course of writing this article that I can be tempted in other ways. I recently received an e-mail from user 'Mail Delivery Subsystem' and a subject of 'Returned mail: user unknown'. To all intents and purposes it looked as if I had got an error back that one of my e-mails was sent to an incorrect address. I wondered whether the address would be the fictitious one in my address book, which would indicate I had picked up a virus. I opened up the e-mail to find out which address was unknown. It turned out it was not my fictitious address. Neither was the e-mail a real Mail Delivery Subsystem e-mail. Fortunately it was not a virus either, but some tacky web site trying to tempt me to click through to it.

The moral of this story is that the writers are getting more clever every day. Almost every e-mail is becoming suspect! If that is the case then all would have to be saved and checked from outside of Outlook. Coupled with the fact I have already turned off two Outlook features, the Address Book and the Preview Pane, there would not be much point in having Outlook.

Perhaps the real solution is to avoid Microsoft products after all!
