[Asrg] Viruses
gep2@terabites.com Tue, 24 June 2003 18:07 UTC
From: gep2@terabites.com
To: asrg@ietf.org
Subject: [Asrg] Viruses
Date: Tue, 24 Jun 2003 13:32:22 -0500
Message-ID: <B0000024222@nts1.terabites.com>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
> Ironically, it may well be that a single company can stem the tide of spam alone and, remarkably enough, it's Mr Gates' company.

OK, Barry, after sitting back on this one for a while, I'm going to pick up your bait. Certainly there is a LOT they could do, but in practice probably little of that is at the OS level.

> Apparently much of the spam is forwarded via computers which have been infected by viruses turning them into unwitting mail slaves for spammers.

There's LITTLE excuse for allowing that to happen.

> Reviewing the most common of these viruses, such as Jeem, sobig.a and Proxy-guzu, indicates that they all target Microsoft's Windows operating system. Versions up to and including their latest XP and ME.

Of course. If you were writing a virus, you'd also write it to propagate on the most likely systems you expected the code to land in. OF COURSE virus authors target Outlook, Windows, Word, etc. There have been plenty of worms on other systems, but those are a minority of attackable systems, so virus authors OF COURSE go for the more fertile ground.

> There's a reason for this: Microsoft's operating systems are vulnerable to viruses.

ALL operating systems are vulnerable to viruses, as long as the systems are user-programmable (or program-extensible). OK, your digital watch, your microwave oven (probably), and your laser printer probably aren't vulnerable to viruses. But that's because nobody else can much change their code, either.

> Other operating systems, or at least late releases (e.g., Mac OSX), are not susceptible to viruses.

And just what is the "magic bullet" that you think magically makes those systems "not susceptible"? I don't believe that there IS such a magic bullet. Any computer on which software can be installed could theoretically have BAD software installed. I don't believe it's possible by any kind of automated means to determine absolutely that an arbitrary subject program is bug-free, or even that it will terminate.

And in particular, a WORD macro virus (for instance) which works on a Windows-based OS will probably work on a Mac-based OS too... since the level of abstraction provided by the macro facility SPECIFICALLY shields the executing macro from vagaries based on the underlying OS.

> The technology for immunizing OS's against viruses has been known for about 40 years (before viruses even existed!). It's been commonly used in other OS's for about 20 years.

What "immunizing technology" are you referring to? The US military has spent many billions of dollars over the years in research trying to find "absolutely secure" operating systems, and although they have made some fairly impressive strides, I don't think that any of them has gotten anywhere near 100%.

> And it's been available on consumer/desktop PC-class machines for at least 10 years.

What "it" do you think "immunizes" OSes? And even if "it" did, what makes you think that other vulnerabilities can't be opened by buggy or ill-conceived applications?

> So why does Microsoft continue to provide opportunity for spammers unnecessarily?

While I would never claim that Microsoft has done everything possible to prevent abuse (far from it, at times), a LOT of the problem is at the application level, and not at the OS level proper. Buffer overflow exploits, in particular (along with similar array subscript range or string boundary violations), are readily possible with processors which permit unconstrained address calculations, and (also in particular) C is pretty much totally undisciplined about such things (and that's just as much true of C on Mac or Unix systems as it is for C on Windows-based systems).

The better solution is really to put restrictions in place on incoming material (and E-mail is our focus here) such that potentially dangerous executable stuff (and in practice, this means ActiveX-type stuff, scripting, and potentially malicious attachments) simply isn't allowed to be delivered unless it comes from pre-arranged (or post-permitted, maybe), _trusted_ people who we EXPECT such stuff to come from. Just as nobody should ever be stupid enough to run an executable that arrives in an E-mail from someone they don't know, they similarly shouldn't run executables that arrive from someone they DO know unless they know what it's about, and have verified (separately) with the sender why it was sent and that it's legitimate. There is no reason why such windows of vulnerability should be left open for no reason at all.

I got a spam just a day or two ago shilling for a porn site and crowing about how "no credit card required". The link said, in essence, "to connect to this site directly using your modem, CLICK HERE." Under the concealment of the HTML, the link pointed to a URL of .exe type. Most lusers wouldn't realize (of course) the implication of the (truthful) prompt... that the executable was planning to hang up the person's Internet connection through their local ISP, then redial on the user's modem to a 900-type international telephone number at staggering per-minute charges, which will of course bill to the luser's phone bill to arrive a month later. (And of course, if it's a business line at the person's employer, they'll probably never even notice...! What employee ever sees and studies the monthly phone bill for your desk's/computer's phone line?)

Such scams, by the way, also tend to (besides the porn site itself) embody proxy servers, so that even after the visitor tires of whatever porn is on offer, they tend to stay connected to the Net and continue their other net surfing through the new, international premium pay-by-the-minute dialup connection, totally unaware that they're no longer connected through their own local ISP.

Anyhow, here's just another example of a case where the original deception that sets this whole mess up comes from the fact that the original message is HTML-burdened, permitting the spammer to hide the downloading of an executable inside an "invisible" link that just looks like any other "click here" hyperlink. Of course, it would be nearly as easy to include an executable attachment (which is the way that most such stuff has been pulled in the past). Notably, my permission-list idea would most likely squash BOTH of these deceptions... no unauthorized attachments, and forcing the user to copy-and-paste a more-likely-visibly-dubious URL into their browser before going to get it. Of course, on my machine this particular scam wouldn't work, since I don't use a dialup internet connection to begin with.

Gordon Peterson
http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment! Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
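The "permission-list" rule and the two deceptions the post describes (an executable attachment, and an HTML "click here" link whose real target is an .exe), as an added Python example that is not the author's code: it parses an incoming message, flags both kinds of executable content, and quarantines the mail unless the sender is on a hypothetical allowlist of people we EXPECT such material from. The allowlist, the extension list, the anchor regex and the sample message are all constructed here.

```python
import re
from email import message_from_string

# Hypothetical allowlist: senders we EXPECT executable material from.
TRUSTED_SENDERS = {"buildbot@example.org"}
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")
# HTML anchor: group 1 is the real target, group 2 is the text the user sees.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample modelled on the "CLICK HERE" dialer spam described above.
SAMPLE = """From: "Free Pics" <promo@dialer.invalid>
Subject: no credit card required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>To connect directly using your modem, <a href="http://dialer.invalid/go.exe">CLICK HERE</a></p>
--b1
Content-Type: application/octet-stream; name="viewer.exe"
Content-Disposition: attachment; filename="viewer.exe"

--b1--
"""

def sender_address(msg):
    # Pull the bare address out of 'Name <addr>' or a bare 'addr' header.
    m = re.search(r"<([^>]+)>", msg.get("From", ""))
    return (m.group(1) if m else msg.get("From", "")).strip().lower()

def executable_attachments(msg):
    names = [p.get_filename() or "" for p in msg.walk()]
    return [n for n in names if n.lower().endswith(EXEC_EXTENSIONS)]

def hidden_executable_links(msg):
    # Anchors whose target is an executable, paired with the visible link text.
    found = []
    for p in msg.walk():
        if p.get_content_type() != "text/html":
            continue
        html = p.get_payload(decode=True).decode(p.get_content_charset() or "ascii", "replace")
        for href, text in ANCHOR_RE.findall(html):
            if href.lower().split("?", 1)[0].endswith(EXEC_EXTENSIONS):
                found.append((re.sub(r"<[^>]+>", "", text).strip(), href))
    return found

def classify(raw):
    # Permission-list rule: executable content is delivered only from trusted senders.
    msg = message_from_string(raw)
    sender, att, links = sender_address(msg), executable_attachments(msg), hidden_executable_links(msg)
    action = "deliver" if not (att or links) or sender in TRUSTED_SENDERS else "quarantine"
    return {"sender": sender, "exec_attachments": att, "exec_links": links, "action": action}
```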