[Elfsea] virus alert

Sluggy slugmusk at linuxlegend.com
Sun Sep 22 06:08:08 PDT 2002


CE Huse/Lady Maria Cabeca de Vaca wrote:

> So, does this mean that someone else is using his e-mail address? Could you
> enlighten those of us not so gifted with the technicalities of e-mail and in
> plain simple english?

I hope to do just that! :)

Somewhere in the bowels of your email client is a piece of the program
that assembles each message that you send. It puts together the header,
body and any attachments into a standard form. The header, sort of like
a cover page for a letter, contains information such as who the email
*claims* to be from, who it is to, the subject line, etc. When you click
send, your mail client takes this standardized stack of information and
sends it to your outgoing mail server, which takes the first step in
delivering it to the recipients.

Many (in fact, most) mail servers do not require any authorization *to
send mail* if the client is a member of its domain and is thus
considered trusted. Furthermore, almost none of them take the time to
check the header information to see if the mail is "from" a trusted
member. Its job is to send mail, not to read it or question it :)

KLEZ and similar bad boys are just programs (sometimes clever, sometimes
just lucky) that assemble their own messages and use the victim's
internet connection and mail server to send them out. It builds its
header from addresses and subject lines in the victim's address book and
mail folders, then attaches a copy of itself as if it were any other
attachment. The attachment is often named like an attachment the victim
received. Since the victim is "trusted" by his mail server, the message
goes out. Usually, they will send out at least one email to every
address in the address book, using a different from/reply to for each
message.

This is why if I had a KLEZ infection, my computer might send an email
to you that looks like it's from Crandall. Crandall would have no record
of it because he didn't send it. I would have no record of it because my
mail program didn't send it. If you were not aware and tried to open the
attachment (without the proper settings in your client to protect you),
you could quietly become infected and start sending messages, too.

<SOAPBOX> Every mail client and operating system is vulnerable in
varying degrees to such infections, but Windows and Outlook/Outlook
Express were *designed* to be infected. Well, that probably wasn't the
intent. I think the intent was to make it very easy for someone to email
a program to a buddy and have it work or click on a program on a website
and have it install automatically but the effect is the same. I think
that if a user doesn't know how to safely install a program, they should
learn. Just because a toddler might be able to work the controls of a
helicopter doesn't mean they should be flying it before they've had some
lessons.

Antivirus software (an industry that thrives only by having new viruses
every day... think about that one for a minute) is useful, though
someone is always the first victim of a new one that none of the virus
scanners know how to detect yet. The only sure way to protect the system
is to disable the feature, and in Windows and Outlook it's so heavily
embedded and intertwined that it's not easy to do, from a programmer's
viewpoint.

In short, we shouldn't have to jump through hoops to disable a feature
that really shouldn't have been there to begin with. </SOAPBOX>

Maybe I should go eat breakfast now... :)

Sluggy!
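As an added example, not part of Sluggy's post: the point that the From: header is only a claim, shown in Python. A client-side "assembler" writes whatever From: it is given, an outgoing server stamps a Received: line naming the host that actually handed over the message, and a receiving side can compare the claimed From: domain with that first hop. All hostnames, addresses and the date stamp are constructed for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

def assemble(from_addr, to_addr, subject, body):
    """The 'assembler' in a mail client: header fields plus body in standard form.
    The From: value is whatever the caller supplies; nothing here verifies it."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()

def relay(raw, sending_host, relay_host):
    """What an outgoing server does: it records the host that actually handed it
    the message in a Received: line, prepended above the client's own headers."""
    stamp = f"Received: from {sending_host} by {relay_host}; Sun, 22 Sep 2002 06:00:00 -0700\n"
    return stamp + raw

def from_matches_origin(raw):
    """Receiver-side check: does the domain claimed in From: agree with the host
    named in the earliest Received: hop? False means the From: is a claim the
    delivery path does not back up. None means there is no path to judge by."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg["From"] or "")
    from_domain = addr.rpartition("@")[2].lower()
    hops = msg.get_all("Received") or []
    if not hops or not from_domain:
        return None
    origin = re.search(r"from\s+(\S+)\s+by\s+", hops[-1])  # last line = first hop
    if not origin:
        return None
    host = origin.group(1).lower()
    return host == from_domain or host.endswith("." + from_domain)

# Constructed samples (hostnames and addresses are made up for this example).
# 1) A worm on the victim's PC claims to be Crandall and goes out via the victim's server.
SPOOFED = relay(assemble("crandall@example.org", "maria@example.net", "Re: feast", "see attached"),
                "victim-pc.example.com", "mx.example.net")
# 2) The same headers, but genuinely handed over by Crandall's own mail host.
GENUINE = relay(assemble("crandall@example.org", "maria@example.net", "Re: feast", "see attached"),
                "mail.example.org", "mx.example.net")

if __name__ == "__main__":
    print("spoofed: From backed by path?", from_matches_origin(SPOOFED))  # False
    print("genuine: From backed by path?", from_matches_origin(GENUINE))  # True
```

The hostname-to-domain comparison is a deliberately simple heuristic and will flag legitimate mail that passes through mailing lists or third-party relays; the standardised forms of this check are SPF, DKIM and DMARC.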
