Viruses are usually forged email.

Discussion in 'malware problems & news' started by Peaches4U, Mar 30, 2004.

Thread Status:
Not open for further replies.
  1. Peaches4U

    Peaches4U Registered Member
    Joined: Nov 22, 2002
    Posts: 5,070
    Location: At my computer
    This is how it was explained to me when someone receives a virus and it points to your computer. I had that happen to me just yesterday. My computer is 100% clean and I did not even have my computer turned on until supper time and a virus was supposedly sent from me that morning. So, I hope for all of you this explanation will be informative.

    The procedures followed in the transport of email over the Internet in theory allow for the origin and the progress of email to be traced.

    When an email leaves your PC it contains in its headers certain information derived from the settings on your email application. This includes the originator's identity, address, and date and time of creation.

    Emails are then handed off from one server to another as they move from source to destination. Each server adds in the header the IP Address of the server it received the email from, the server's name, and the date and time.

    Current virus writers are crafty SOBs who want to foul things up real good to foil tracking and seduce recipients into believing the forgery is genuine so they have dicked around with these procedures.

    The Bagle virus, for example, contains its own email application (called an SMTP engine) that allows it to write and send email without using its host's email application. It is possible for the virus to forge headers and to send it to servers of its choosing. The information it needs for its forgeries is gleaned from files it scans on its host. For example, it will create an email on A's machine that looks like it came from C and is addressed to B. B gets the email, observes that it is "from" C, and blames C, while A is oblivious to the whole thing and A's PC sends out a flurry of new forgeries every time A turns on his/her diseased PC.

    The deception goes very deep. The scumbags have located email servers that are not properly set up to scan for viruses, nor screen out unauthorized traffic, and accordingly written right into the virus instructions to send the email to one of these servers. I have seen examples of Bagle viruses that relay their virus email through a server in Argentina.

    So if you see a virus email that looks like it came from somebody called Peaches4U, it probably didn't. Furthermore, if you get an email with attachments from your mother, do not click on it. Call her up and ask her about it first.
     
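The header walk the post describes, as an added example that is not part of the original thread: it parses a constructed message (not a real Bagle sample) shaped like the A, open relay, B scenario above, reads the Received: chain oldest-first, compares the visible From: domain with the earliest hop, and then applies the check a receiving site can actually rely on: only the Received: lines written by your own servers are trustworthy, so the last provable address is the one your first server recorded, not whatever the bottom line claims. Host names and addresses are invented.

```python
"""Walk the Received: chain of a message and test the claim the From: header
makes. Added example, not from the original post; the message below is
constructed to match the A -> open relay -> B scenario described above."""
import email
import email.utils
import re

# Constructed sample (not a real worm message). A's infected PC
# (198.51.100.77) hands the mail to an open relay, which hands it to
# B's servers. The From: header names C, who never touched it.
RAW = b"""Received: from mail.example-b.net (mail.example-b.net [192.0.2.10])
\tby mx.example-b.net with ESMTP id x1; Tue, 30 Mar 2004 09:15:02 +0000
Received: from openrelay.example.ar (openrelay.example.ar [203.0.113.5])
\tby mail.example-b.net with ESMTP id x2; Tue, 30 Mar 2004 09:14:58 +0000
Received: from pc-a.dsl.example.net ([198.51.100.77])
\tby openrelay.example.ar with SMTP id x3; Tue, 30 Mar 2004 09:14:50 +0000
From: "C" <c@example-c.org>
To: b@example-b.net
Subject: hi
Date: Tue, 30 Mar 2004 09:14:50 +0000

see attachment
"""

# "from <host> (<comment with [ip]>) by <server>" is the common shape of a
# Received: clause; anything a server did not write itself can be forged.
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return hops oldest-first as (claimed_host, ip_seen_by_receiver, receiving_server).

    Each relay prepends its own Received: line, so the top header is the
    newest hop and the bottom one the oldest; we reverse to read forwards."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value)          # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(m.group(2) or "")
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return list(reversed(hops))


def from_domain(raw):
    """Domain of the visible From: header (what B sees and blames)."""
    msg = email.message_from_bytes(raw)
    _, addr = email.utils.parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()


def last_provable_ip(raw, my_servers):
    """IP recorded by the earliest hop that one of *my* servers wrote.

    Received: lines below that point were written by outside machines (or by
    the worm's own SMTP engine) and prove nothing."""
    for host, ip, receiver in received_chain(raw):
        if receiver.lower() in my_servers:
            return ip
    return None


def origin_report(raw, my_servers):
    """Summarise what the headers do and do not establish about the sender."""
    hops = received_chain(raw)
    claimed = from_domain(raw)
    first_host = hops[0][0]
    return {
        "from_domain": claimed,
        "earliest_claimed_host": first_host,
        "from_matches_earliest_hop": first_host.lower().endswith(claimed),
        "relay_path": [receiver for _, _, receiver in hops],
        "last_provable_ip": last_provable_ip(raw, my_servers),
    }


if __name__ == "__main__":
    print(origin_report(RAW, {"mail.example-b.net", "mx.example-b.net"}))
```

For the sample, the From: domain (example-c.org) matches nothing in the chain, and the only address B can prove is the open relay's (203.0.113.5): the line naming A's PC was added by the relay, and a worm that writes its own SMTP traffic can just as easily prepend fake Received: lines of its own, so the report never treats the bottom hop as evidence.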
  2. meneer

    meneer Registered Member
    Joined: Nov 27, 2002
    Posts: 1,132
    Location: The Netherlands
    And infected PCs not only send mails to others, they are also victims of the virus creators. The virus opens a backdoor, with a program listening to intercept commands from the virus creator. This way the victim's PC can be used as a host to send not only virus mails, but spam as well.

    One future solution to lots of spam and virus mail is to authenticate the server that you receive mail from. One such solution is Sender Policy Framework. You can add your own server to the SPF list. Then, when someone receives a message from you, the mail client first checks the authenticity of the presumed mail server. If the IP address of the sending server in the mail header is the same as the SPF-registered IP address, the mail server is valid, and the mail can be trusted.

    So there are developments that can offer a solution... Even Microsoft is moving this way.
     
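The SPF check described in the post above, as an added example that is not the poster's code nor any SPF library's: the receiving mail server takes the domain from the envelope sender (MAIL FROM, or HELO) and the IP address of the connecting host, fetches that domain's published SPF record, and walks its mechanisms left to right until one matches. The DNS data here is a constructed dictionary so the example runs offline; domains and addresses are invented. It implements the ip4, a, mx, include and all mechanisms with their qualifiers, and leaves out redirect, exists, ip6, macros and the DNS-lookup limits a production checker must enforce.

```python
"""Minimal SPF evaluation against constructed zone data. Added example, not
code from the post or from any SPF library; the records below are invented."""
import ipaddress

# Constructed stand-in for DNS. A real check queries TXT, A and MX records;
# here they live in a dict so the example runs offline.
ZONE = {
    "txt": {
        "example-c.org": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all",
        "_spf.mailhost.example": "v=spf1 ip4:198.51.100.200 ~all",
        "noreply.example": "v=spf1 ?all",
    },
    "mx": {"example-c.org": ["mx1.example-c.org"]},
    "a": {"mx1.example-c.org": ["203.0.113.25"]},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # keep include: recursion bounded (loops are a real-world failure)


def check_spf(ip, domain, zone=ZONE, depth=0):
    """Evaluate the SPF record of *domain* for a connection from *ip*.

    Returns (result, reason). *domain* is the envelope MAIL FROM (or HELO)
    domain the receiving server saw; SPF says nothing about the From: header."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror", "include nesting too deep"
    record = zone["txt"].get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none", "no SPF record"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4" and addr.version == 4:
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in zone["a"].get(arg or domain, [])
        elif name == "mx":
            mx_hosts = zone["mx"].get(arg or domain, [])
            matched = any(ip in zone["a"].get(h, []) for h in mx_hosts)
        elif name == "include":
            matched = check_spf(ip, arg, zone, depth + 1)[0] == "pass"
        # unknown mechanisms are skipped here; a strict checker returns permerror
        if matched:
            return QUALIFIER[qual], term if qual == "+" else qual + term
    return "neutral", "no mechanism matched"


def receiving_policy(ip, mail_from_domain, zone=ZONE):
    """What a receiving MTA might do with the result (the policy is the operator's call)."""
    result, reason = check_spf(ip, mail_from_domain, zone)
    action = {"fail": "reject", "softfail": "accept and score as spam",
              "pass": "accept"}.get(result, "accept")
    return action, result, reason


if __name__ == "__main__":
    # The worm scenario: A's PC (198.51.100.77) sends as example-c.org.
    print(receiving_policy("198.51.100.77", "example-c.org"))
```

With these records, the worm's mail from A's PC or from the open relay fails because neither address is listed for example-c.org, while C's real mail exchanger passes via "mx" and the outsourced host passes via "include". The check only proves that the connecting server is one the domain owner listed; it does not prove the message is clean, and it only helps once the forged domain has actually published a record, which is the "fax machine" point made below.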
  3. Peaches4U

    Peaches4U Registered Member
    Joined: Nov 22, 2002
    Posts: 5,070
    Location: At my computer
    Hi Meneer - thank you for responding. Have learned something new. More for me to study. Have you applied the Sender Policy Framework and if you did, does it work well?
     
  4. meneer

    meneer Registered Member
    Joined: Nov 27, 2002
    Posts: 1,132
    Location: The Netherlands
    I'm planning to use it shortly. I have to get my mail server registered. I'll just wait a while for my SpamAssassin (Linux) server to be compatible (my current version is not). So, I can't report about the success rate.
    Besides, SPF is just like a fax machine: when you are the only one that has one, what's the point. But, I'll be registering soon :)
     
  5. Peaches4U

    Peaches4U Registered Member
    Joined: Nov 22, 2002
    Posts: 5,070
    Location: At my computer
    Hi - when you are using/testing, please keep us informed. I have SpamAssassin provided by my server as part of the software they install. So, your experience will be most useful to me should I decide to take this route. Here is a tad more on the subject ....

    Internet security experts warned on Monday that the creators of some of the latest computer viruses are using computers infected by the bugs to run online scams to get credit card information from unsuspecting buyers.

    Fake online shops are running on infected home computers which are controlled by hackers or criminals, said Mikko Hyppoenen, head of anti-virus research at Finland's F-Secure.

    "There is an investigation going on and we are trying to find out which viruses they are using. It could be any of the latest viruses, such as Bagle and Mydoom."

    Many of the recent bugs open a so-called back door on infected computers, giving their creators access to the contaminated machines without the owners' knowledge.

    http://www.iol.co.za/index.php?click_id=115&art_id=vn20040330013238498C399793&set_id=1
     
  6. meneer

    meneer Registered Member
    Joined: Nov 27, 2002
    Posts: 1,132
    Location: The Netherlands
    I was just deciding to upgrade my mail server when I stumbled over this article... now I'm in doubt about using SPF.
    Does anyone have any comments?
     
  7. Rita

    Rita Infrequent Poster
    Joined: Jun 28, 2004
    Posts: 6,863
    Location: wilds of wv
    Hi Peaches,
    thanks for the informative post!
    Rita
     