Fog Creek Software
Discussion Board




The Swen Virus, and a new harsh reality of Securit

It is interesting how, many years ago, Bill Gates in Byte magazine foretold a future where programs like Excel, Word etc. would actually become programmable components. Without question, the Office suite of the last few years has realized this goal.

I have done a good deal of paid work writing software in Office. The VB (well, OK, VBA) is really a super glue that ties the whole Office suite together. Anyone who has whacked Alt-F11 in Word or Excel will be greeted with the VB IDE. Truly a remarkable development tool. I mean, what office applications can't use Word and Excel? Further, with VBA they are completely programmable objects. What a wonderful world we live in!

Of course, with such incredible power there does lie a dark side. Many business applications go like:

    I want to press a button while looking at the customer name and have an email “quotation” generated and sent to the customer.

Well, of course, with Office and Outlook this is a snap. Of course, after the Melissa virus, MS had to do a serious about-face. Now, when any application tries to send an email, the user is greeted with an annoying message about another application trying to send an email. While many could argue that stupid users should be more careful with their computers, the little VBA scripts like the ones the Melissa virus used to send emails could be written by anyone in a matter of minutes. As corporations threatened to stop using Outlook, the ONLY solution was to build in this annoying message. It does seem to have worked very well. However, we developers hate it! The result of Melissa is that it is now much harder to deliver applications to clients that need to “email” something.

Now along comes Swen 32. Without question, this is the worst virus I have seen. I can only say that the good part about the virus is that it is not a destructive virus. However, it does cause havoc, and the people it is causing havoc to are those who have a VALID EMAIL address in their return address.

To give you an idea, since Thursday I have been receiving over 1500 emails per day from that virus. The size of the attachments means I am receiving in excess of 200 megs of data per day. I have never experienced anything even remotely close to this. In talking to a number of people I know, they are suffering the same fate. Basically, this means that my favorite email address, the one I like to use for my business, is useless. It is rather sad, but like the Melissa virus, there will have to be a fundamental change in software. I know of several people who are suffering my exact fate, and the result is that we are going to have to give up our main email address, the one we use on our business cards etc.

This virus is quite smart, and actually has its own email client. It is not really a problem of Outlook scripts (like Melissa was). In fact, it is not even Outlook Express's fault. This time, someone simply wrote some software that can generate its own emails. It really doesn't need OE to run. Hence, the only way to prevent this problem is if the virus software was updated BEFORE the virus spread. In fact, that is too late.

In fact, what REALLY is needed is a secure authorizing system to use ports on the computer. Unfortunately, this is going to be a step much like what happened with Outlook/Melissa. Once again, the only solution is going to be a reduction in the flexibility of the computers we use. In other words, no more writing of software that can use socket connections without some authorizing system to allow this. (You can, for example, get a secure certificate from MS and then eliminate the Outlook prompt.)

It looks like our freedoms and ease of use of computers are going to become a thing of the past.

Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. kallal
Tuesday, September 23, 2003

One SMTP proxy with content vectoring support and an up-to-date CVP server has prevented me from ever receiving a virus-infected email.

Applications will always be buggy. Organizations and individuals have to learn the tools that already exist to properly secure their networks.

SG
Tuesday, September 23, 2003

Albert is right,

Modern viruses often do not need any software security holes to exploit. They can live quite comfortably just running off the biggest gaping unpatched ball of security problems in the system: the user.
I'm convinced no tech-only solution that is acceptable to the general public exists. E.g. those same users will quite happily install a trusted root certificate for ViriiAreUs when prompted, no matter what "doing this will kill your wife and children" dialog warns them a bazillion times.

Just me (Sir to you)
Tuesday, September 23, 2003

For a start, every computer should come with a stateful firewall, so that users are either prompted, or not allowed to run software that makes outgoing connections besides those specifically allowed to do this.

I just re-installed a friend's computer, with a firewall this time, and he can't believe the number of programs that connect to the Net, unbeknownst to the user (unrequested incoming connections are business as usual...)

Frederic Faure
Tuesday, September 23, 2003

A simpler solution to the problem of junk email is to change the mail protocol.

The idea of delivering mail to a destination address was necessary in the days when computers were only occasionally connected. Files were passed from computer to computer, until they reached the user's account.

Now that the vast majority of servers are always connected, and always on, the solution is to leave the mail on the ORIGINATING server, and only pass a reference to the message to the addressee.

HeWhoMustBeConfused
Tuesday, September 23, 2003

>>the solution is to leave the mail on the ORIGINATING server, and only pass a reference to the message to the addressee.


Gee, you know, that is a brilliant suggestion I have not heard of. Excellent! While it would not stop spam, it would certainly give one a lot more control over filtering. And further, I would NOT get the email unless I requested it.

Right now, if I was using a straight POP3 account, I would grab one of the many programs out there that let me JUST download the email headers. Unfortunately, I access my MSN account via high speed using SPA (two different providers involved). In my current setup, I don't know of any software that will JUST let me grab the email headers. If I could even just grab the headers, then I would at least eliminate “downloading” my 200 megs of spam a day. The bandwidth I am wasting right now is appalling.

I could actually live with just deleting headers, but with MSN I have to use SPA, and I don't know of 3rd-party tools that let me just browse my inbox headers.

Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. kallal
Tuesday, September 23, 2003

Albert, can you get the same result by using IMAP instead of POP3?  I use a web-based email provider (Oddpost.com), but on my regular machine I connect to it through Outlook Express via IMAP.

As far as I know, it only downloads the headers unless you open up a message to read it.

Robert Jacobson
Tuesday, September 23, 2003

IMAP would at least clog up only the server! It would be a very reasonable solution for me.

Unfortunately, as far as I can tell, I can't use IMAP. IMAP would very much help my situation.

While my email address is kallal@msn, that ID is NOT a Hotmail paid account. It is actually a real paid MSN account in Canada. However, Microsoft then changed their mind, and decided it was too much of a pain to become an actual internet provider. So they then dropped out of Canada (and MANY MANY other areas of the world). Not wanting to anger all the customers, in Canada they thus gave all the internet access to AT&T Canada. I actually pay AT&T Canada to keep my MSN account! In fact, I CAN NOT even change the password on my MSN account! The attcanada package is supposed to only give me 5 email addresses, but I actually get 6, since we got to keep the MSN ID in the transition to attcanada. Further, my server setting for MSN is STILL pop3.email.msn, so I should still dig around and see if IMAP can be used.

Note that a few years later Microsoft purchased HOTMAIL. I believe that new MSN accounts are actually web-based “PAID” email accounts that can also be accessed via POP3, and ALSO IMAP. (However, there is NO internet access provided with these NEW paid MSN accounts.)

As far as I can tell, my old MSN account can’t use IMAP, but I should check again.

Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. kallal
Wednesday, September 24, 2003
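Albert's wish to grab only the headers, and Robert's IMAP suggestion, both come down to the same protocol trick: decide on the headers and never transfer the body. POP3 already supports this with the TOP command (RFC 1939), which returns the headers plus a requested number of body lines; ask for 0 body lines and you get headers only, and a DELE on the server disposes of the message without it ever coming down the wire. The following is an added example, not code from this thread or from any mail client mentioned in it. It talks to a small in-memory stand-in for a POP3 server so that it runs offline; the mailbox contents, the server class and the `looks_like_worm` rule are constructed for the illustration and do not reproduce the real worm's headers.

```python
"""Header-only POP3 triage: TOP n 0 for every message, DELE the ones whose
headers match a junk rule, and never download a body.  Added example; the
server is an in-memory stand-in and the mailbox is constructed."""
import email
import re
from email import policy

# Constructed sample mailbox (assumption: nothing here is a real worm sample).
# Message 1 is legitimate; messages 2 and 3 carry a base64-style blob that
# stands in for a large attachment.
BLOB = "QUFB" * 1000
SAMPLE_MAILBOX = [
    "From: colleague@example.com\r\nTo: me@example.com\r\n"
    "Subject: Re: quotation for the Smith job\r\nContent-Type: text/plain\r\n"
    "\r\nLooks good, please send the invoice.\r\n",
    "From: support@example.net\r\nTo: me@example.com\r\n"
    "Subject: Latest Security Update\r\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    "\r\n--b1\r\nContent-Type: application/octet-stream\r\n\r\n" + BLOB + "\r\n--b1--\r\n",
    "From: newsletter@example.org\r\nTo: me@example.com\r\n"
    "Subject: Important Patch Available\r\n"
    "Content-Type: multipart/mixed; boundary=\"b2\"\r\n"
    "\r\n--b2\r\nContent-Type: application/octet-stream\r\n\r\n" + BLOB + "\r\n--b2--\r\n",
]


class FakePop3Server:
    """In-memory server speaking the subset of RFC 1939 the client needs.
    A real client would send exactly these lines over a TCP socket."""

    def __init__(self, messages):
        self.messages = list(messages)   # mailbox as stored on the server
        self.deleted = set()             # 1-based numbers marked by DELE
        self.authed = False

    def _live(self):
        return [(i, m) for i, m in enumerate(self.messages, 1) if i not in self.deleted]

    def request(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            return "+OK"
        if verb == "PASS":
            self.authed = True          # no real credential check in the stand-in
            return "+OK logged in"
        if not self.authed:
            return "-ERR not authenticated"
        if verb == "STAT":
            live = self._live()
            return f"+OK {len(live)} {sum(len(m) for _, m in live)}"
        if verb in ("TOP", "DELE"):
            num = int(arg.split()[0])
            if not 1 <= num <= len(self.messages) or num in self.deleted:
                return "-ERR no such message"
            if verb == "DELE":
                self.deleted.add(num)
                return f"+OK message {num} deleted"
            n_body = int(arg.split()[1])
            headers, _, body = self.messages[num - 1].partition("\r\n\r\n")
            payload = headers + "\r\n\r\n" + "\r\n".join(body.split("\r\n")[:n_body])
            # Byte-stuff lines beginning with "." and terminate with a lone "."
            stuffed = "\r\n".join(("." + l) if l.startswith(".") else l
                                  for l in payload.split("\r\n"))
            return "+OK\r\n" + stuffed + "\r\n."
        if verb == "QUIT":
            self.messages = [m for _, m in self._live()]   # expunge on QUIT
            self.deleted, self.authed = set(), False
            return "+OK bye"
        return "-ERR unknown command"


def parse_multiline(response):
    """Strip the +OK status line and terminating '.', undo byte-stuffing."""
    status, _, rest = response.partition("\r\n")
    if not status.startswith("+OK"):
        raise RuntimeError(status)
    lines = rest.split("\r\n")
    if lines[-1] != ".":
        raise RuntimeError("unterminated multi-line response")
    return "\r\n".join(l[1:] if l.startswith("..") else l for l in lines[:-1])


WORM_SUBJECT = re.compile(r"\b(security update|patch)\b", re.I)   # constructed rule


def looks_like_worm(headers):
    """Decide from headers alone: a multipart message whose Subject sells a
    'patch'.  Assumption: this rule is illustrative, not the worm's fingerprint."""
    msg = email.message_from_string(headers, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    return msg.get_content_maintype() == "multipart" and bool(WORM_SUBJECT.search(subject))


def triage(server, is_junk, user="me", password="secret"):
    """Log in, fetch headers only with TOP n 0, DELE whatever is_junk flags.
    Returns kept/deleted message numbers and the bytes that came down the wire."""
    downloaded = 0

    def cmd(line):
        nonlocal downloaded
        resp = server.request(line)
        downloaded += len(resp)
        return resp

    cmd(f"USER {user}")
    if not cmd(f"PASS {password}").startswith("+OK"):
        raise RuntimeError("login failed")
    count = int(cmd("STAT").split()[1])
    kept, deleted = [], []
    for n in range(1, count + 1):
        if is_junk(parse_multiline(cmd(f"TOP {n} 0"))):
            cmd(f"DELE {n}")
            deleted.append(n)
        else:
            kept.append(n)
    cmd("QUIT")
    return {"kept": kept, "deleted": deleted, "bytes_downloaded": downloaded}


if __name__ == "__main__":
    srv = FakePop3Server(SAMPLE_MAILBOX)
    res = triage(srv, looks_like_worm)
    print(f"kept {res['kept']}, deleted {res['deleted']}, downloaded "
          f"{res['bytes_downloaded']} of {sum(len(m) for m in SAMPLE_MAILBOX)} bytes")
```

The saving comes entirely from `TOP n 0`: the two bulky messages are judged and deleted for the cost of their header lines. The same shape works over IMAP with `FETCH n (BODY.PEEK[HEADER])` followed by a `STORE +FLAGS (\Deleted)`, which is what Robert's "only downloads the headers" behaviour amounts to; the caveat in both cases is that the rule sees nothing but headers, which the sender controls.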

"the solution is to leave the mail on the ORIGINATING server, and only pass a reference to the message to the addressee"

That wouldn't help with the current worm problem. Reasons:

1. Virus scanners can't recognize a virus without scanning the entire e-mail.  Since the e-mail is not sent, the receiving system has no way to identify a virus or worm, except by guessing based on the headers which could be anything.

2. The biggest issue with the current Swen infection is the fact that our e-mail inboxes are completely clogged up with headers.  My ISP already strips the worm attachments but that doesn't help me when I still have to sift through 2,000+ fake mails *per day*.  I have to rely on Eudora's junk mail filter, and using delayed sending wouldn't change that one bit.

No, what we need is reliable authentication to track each and every e-mail to its originator.  That way infected systems could be isolated and we'd have a better chance to catch virus authors.  Any uncertified e-mail would be rejected by every server and would never show up in anyone's inbox.

As I understand it, the existing SSL (secure sockets) system does just that, and I already use it for my own outgoing e-mail. The problem is, I can't require it for incoming mail because so few people are using it.  All major ISPs would have to require its use before it could take off.

Chris Nahr
Wednesday, September 24, 2003

>That wouldn't help with the current worm problem. Reasons:

>1. Virus scanners can't recognize a virus without scanning the entire e-mail. Since the e-mail is not sent, the receiving system has no way to identify a virus or worm, except by guessing based on the headers which could be anything.

Well, right now, the problem is that the virus scanners did not do their job anyway. Furthermore, now that the virus alert has been raised to level 3 by Symantec since last Thursday, I have NOT SEEN ANY NOTICEABLE reduction in the number of mails I am receiving (not ONE BIT). In other words, we are almost a week in, and the virus software HAS DONE very little.

I have to say again that this virus is going to cause a change in the computing industry like the Melissa virus did.

This virus is unprecedented, and now 1 week later it SHOWS NO SIGN of reduction. In fact, it is getting worse!

And I certainly agree that some type of SSL email system is the answer.

The problem here is not so much virus scanners (since, as mentioned, they have done nothing to help this situation anyway). However, the headers idea is not so bad either. If I only got the headers, and then upon READING the email the other server HAS TO SEND the email, then I have a complete legitimate trace to that server. Therefore I WOULD BE able to trace who the email did come from. I could then inform that provider and user.

Right now what is appalling is that huge numbers of people's computers are cranking out these emails with no end in sight.

Right now, how, or when, can we expect to see a reduction in the number of emails being sent out? There are people surfing the web, and their computer is just flooding out emails without their knowledge. How are those computers going to be stopped?

What is different here is that this virus does not give any warnings, nor does it tell the user about some problem with their computer (like most viruses do!). In fact, the virus does NOT damage the infected computers! (It would be GREAT if the virus damaged the computer!) In other words, this virus is smart enough NOT TO DISABLE the computer it lives in!

This virus just keeps trucking along. I don't see how this virus is going to be stopped unless the ISPs start disabling accounts that are sending it out. The users HAVE NO IDEA that they are sending out these emails.

How is this virus going to be stopped? Anyone?

Like I said... this virus is different, and is going to cause a change in our industry.

Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. kallal
Wednesday, September 24, 2003

I have to say that I have not received one copy of this virus. Not privately, not at work, not on any of the mailing lists I am on.


Wednesday, September 24, 2003

My free Yahoo accounts are absolutely sunk under it.  They have spam filtering, but 'trash' and 'bulk' folders still count against your limit.  My 6 MB fills up in just hours, and it is a real pain.  Yahoo ought to just kill all this virus mail when it reaches them.

Aside: I think the internet would be a lot healthier if all ISPs did egress filtering to zap spoofed packets.  No help with an email worm, but a good idea nonetheless.

i like i
Wednesday, September 24, 2003

Receiving that many virus emails on a standard account more than hurts. If your email address is important to you, you probably want control over the server side. MailScanner, Clam AntiVirus and SpamAssassin (all free) deleted 50,000+ Sobig viruses before they could reach my mailboxes. In MailScanner you can specify which viruses you want deleted on the server.

If you are running a business you might consider getting your own server. You can do that already for under $100 per month these days (e.g. www.ev1servers.com, formerly named rackshack.net and highly recommended). Or at least find a host that supports MailScanner with SpamAssassin and user-configurable server-side anti-virus software.

In addition:
www.kallal.net
www.albertkallal.com
www.HCSConsultingGroup.com

are all still available and might give your business a more professional look than
http://www.attcanada.net/~kallal.msn/

jan Derk
Wednesday, September 24, 2003

"Well, right now, the problem is that the virus scanners did not do their job anyway."

Mine do -- my ISP's filter deletes all virus attachments, and Eudora's junk filter trashes the remaining text stubs. But all such filters can only do their job once they see the mail (header or body, whatever). Leaving e-mail on the originating server wouldn't change that -- you'd still see at least the headers.

"In other words, we are almost a week old, the virus software HAS DONE very little."

Virus software works great, even for the new worm. The problem isn't the software, the problem is the knuckleheads who don't apply it to their leaking systems! Virus software on YOUR end can't protect you from incoming mail -- unless you want it to delete mail without ever telling you. Are you sure you'd want to take that risk?

"This virus is unprecedented, and now 1 week later, it SHOWS NO SIGN of reduction. In fact, it is getting worse!"

I think it has topped out now at about 2,000 worm mails per day for me... but that's absolutely not a tolerable level.

"If  I only got the headers, and then upon READING the email, the other server HAS TO SEND the email, then I have a complete legitimate trace to that server. There fore I WOULD BE able to trace who the email did come from. I could then inform that provider and user."

Good point, I didn't think of that. If the receiving ISP could/would trace the origin while fetching the body it could check for viruses and log the originator in one go. Yeah, that might be a good idea.

"Right now what is appalling is that huge numbers peoples computers are cranking out these emails with no end in sight."

I just don't understand who is managing these systems. Are there thousands of completely unattended computers out there, plugged into the Internet without any kind of firewall or virus scanners, 24 hours a day? Apparently that's exactly the case, judging from the sad state of our inboxes.

"This virus just keeps trucking along. I don’t see how this virus is going to be stopped unless the ISP’s start disabling accounts that are sending it out. The users  HAVE NO IDEA that they are sending out these emails."

I actually hope this will be the one good thing that comes from this disaster -- that ISPs finally take an active role in preventing junk email.  They've shrugged off that responsibility for far too long.

Chris Nahr
Wednesday, September 24, 2003

>>that ISPs finally take an active role in preventing junk email. They've shrugged off that responsibility for far too long.

You could not have said it better. I think just a little bit of effort on the ISPs' part would go a long way on this one.

Those ISPs are paying right now for the wasted bandwidth, and I would think that this increased traffic should mean something. (I am at 200 megs per day right now, since last Thursday.)

However, part of the problem is that the majority of people are NOT experiencing an increase in volume. Perhaps this increased volume is “under” the radar of most ISPs.

Most major cities have a crew of people that check unusual water usage. I recall a story about the crew going into one neighborhood to find a leak. Turns out there was no leak, but 10 people living in a small house who took showers every day! Nevertheless, the city did notice an unusual amount of water use, and checked it out.

The problem is that I am receiving 200 megs of emails per day, but since those emails come from a distributed bunch of users, THOSE ISPs probably don't really see much of a problem, or barely even an increase in traffic!

If the above is the case, then this is simply a problem we will have to live with.

Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. kallal
Wednesday, September 24, 2003

There's a problem with ISPs doing filtering of mail. Actually there are quite a few, but a biggy is whether you really want them to throw away mail that you want, which is always a possibility with automatic scanning. Is a mail with a subject of "Increase your penis size" spam? Probably, but it might alternatively be an absolute must see cartoon from your best friend. I could make the judgement, but I would not trust anyone else to do so in my place for my email.


Wednesday, September 24, 2003

>>There's a problem with ISPs doing filtering of mail. Actually there are quite a few, but a biggy is whether you really want them to throw away mail


Yes, but after a certain amount of the EXACT SAME virus being sent, you would think the providers would do something. I am now at 15,000 virus emails in about 10 days. They are all exactly the same. So I do think that after a few thousand (say 2 or 3,000) of the EXACT SAME email, and that email has a known virus attachment, the ISPs should take more action. It is not a question of throwing out the odd email, but after receiving the SAME ATTACHMENT 15,000 times, I do think that the providers should start to take some action.

Chris in this thread said this correctly:

>that ISPs finally take an active role in preventing junk email. They've shrugged off that responsibility for far too long.

They are doing nothing right now to solve this problem I have. Basically, all my business email has been shut down for over a week. We are now one week into this virus, and the amount of virus emails I am receiving HAS NOT been reduced one bit. Since I use email for a lot of clients, this has been a major inconvenience for me.

My only solution here is to dump my old email address, reprint all my letterheads (business cards etc.), and inform all people that my existing email address of 8 years is no longer going to be of any use. I mean, this is not a huge deal, but I do think the ISPs have done a poor job. It is a question of degree.

A few spams here and there is no big deal. I have been used to 50 to 75 spam emails a day for years... I really don't mind that at all, and I would be silly to expect my ISPs to try and manage spam.

I also have zero problems with receiving some emails with virus attachments. Again, this is no big deal. However, 15,000 emails of the exact same virus attachment is a different matter, and the ISPs are not being responsible here. Worse is that there has been NO REDUCTION after a week.

This is just mismanagement of their networks, plain and simple.

Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. kallal
Friday, September 26, 2003
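Jan Derk's point about controlling the server side, Albert's observation that the copies are all the exact same attachment, and the unsigned reply's worry about a provider throwing away wanted mail fit together in one piece of filter logic: hash each attachment, count how often the same hash arrives and from whom, and quarantine rather than delete once the count passes a threshold or the hash is on a known-bad list. Mail with no attachment, or with an attachment seen only a few times, is delivered untouched. This is an added example, not MailScanner's or the thread's own code; the messages, the "known-bad" blob and the threshold are constructed for the illustration, and the per-hash sender list it keeps is what you would hand to the originating provider.

```python
"""Server-side triage of repeated identical attachments.  Added example with
constructed messages; the hashes and threshold are assumptions, not real
worm signatures."""
import email
import hashlib
from collections import Counter, defaultdict
from email import policy
from email.message import EmailMessage


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def attachment_hashes(msg):
    """SHA-256 of the decoded bytes of every attachment part in the message."""
    digests = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            digests.append(sha256_hex(part.get_payload(decode=True)))
    return digests


class AttachmentFilter:
    """Quarantine (never delete) a message whose attachment is known-bad or has
    already been seen more than `threshold` times; deliver everything else."""

    def __init__(self, threshold, known_bad=()):
        self.threshold = threshold
        self.known_bad = set(known_bad)
        self.seen = Counter()              # digest -> copies seen so far
        self.sources = defaultdict(set)    # digest -> From addresses, for abuse reports

    def classify(self, raw):
        msg = email.message_from_bytes(raw, policy=policy.default)
        sender = str(msg.get("From", ""))
        verdict = "deliver"
        for digest in attachment_hashes(msg):
            self.seen[digest] += 1
            self.sources[digest].add(sender)
            if digest in self.known_bad:
                verdict = "quarantine:known-bad"
            elif self.seen[digest] > self.threshold and verdict == "deliver":
                verdict = "quarantine:repeated"
        return verdict


def build_message(sender, subject, attachment=None, filename="file.exe"):
    """Construct a sample RFC 5322 message (test data, not captured mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "me@example.com", subject
    msg.set_content("see attached")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed payloads: a fake "worm" blob that arrives from many senders,
# and a second blob whose hash sits on a known-bad list.
WORM_BLOB = b"MZ" + b"\x90" * 256
KNOWN_BAD_BLOB = b"MZ" + b"\xcc" * 256
KNOWN_BAD = {sha256_hex(KNOWN_BAD_BLOB)}

SAMPLE_STREAM = [
    build_message(f"user{i}@isp{i}.example", "Latest Security Update", WORM_BLOB)
    for i in range(5)
] + [
    build_message("colleague@example.com", "Smith quote", b"%PDF-1.4 quote", "quote.pdf"),
    build_message("friend@example.com", "lunch?"),
    build_message("someone@example.net", "Install this", KNOWN_BAD_BLOB),
]


def run_sample(threshold=3):
    """Feed the constructed stream through the filter; return verdicts and filter."""
    flt = AttachmentFilter(threshold, KNOWN_BAD)
    verdicts = [flt.classify(raw) for raw in SAMPLE_STREAM]
    return verdicts, flt


if __name__ == "__main__":
    verdicts, flt = run_sample()
    for raw, verdict in zip(SAMPLE_STREAM, verdicts):
        subject = email.message_from_bytes(raw, policy=policy.default)["Subject"]
        print(f"{verdict:22} {subject}")
    print("report these senders:", sorted(flt.sources[sha256_hex(WORM_BLOB)]))
```

Hashing the decoded attachment rather than the raw message is what makes the 15,000 copies collapse to one counter even when the worm varies the subject and sender; the threshold and the quarantine (not delete) verdict are the answer to the "absolute must see cartoon from your best friend" objection, since a one-off attachment is never touched and a quarantined one can still be released.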
