Viruses by E-mail


THE SAFEST POLICIES TO FOLLOW:

  1. Use an anti-virus program with up-to-date virus data. Auto-updating software is very useful. Keep subscriptions up-to-date.
  2. Update system software to plug holes. Worms can enter your system and send e-mails from your machine. Be sure to download all critical updates and apply them promptly. Software companies do NOT EVER e-mail patches or updates. E-mailed "patches" are likely viruses.
  3. Run effective firewall protection. Worms can enter through certain sockets. By restricting access to your computer, you minimize opportunities for computers to be taken over. Do not allow your computer to act as a server.
  4. Periodically run disk scans of your hard drive(s) using your anti-virus software. Viruses may elude detection right after their release, and a later scan with new virus definitions may catch them. This check may also locate viruses that entered your machine through exploits that your anti-virus program did not catch initially.
  5. Don't trust ANY attachment. You don't know what it can do. Know the attachment type before viewing it (see below). Icons associated with an attachment may be fake.
  6. Don't trust sender information. Anyone can masquerade as anyone using unsecured e-mail. Viruses frequently masquerade as microsoft.com, as trusted software companies, or even as your own network administrator.
  7. Viruses often come from friends. Many viruses hijack address books and send virus-laden messages to your friends and contacts.
  8. Virus warning messages should be checked. Many postmasters bounce messages from infected machines. If you are accused of sending a virus, check the name of the virus. Some viruses randomize both senders and recipients of e-mails from names in an address book, and the most virulent load a mail server program to do so!
  9. Scrutinize e-mails warning you about viruses or accounts. Software companies will not send unsolicited software patches or link to someone else's site for updates.
  10. NEVER send account information by e-mail. E-mails are not secure, and account information, usernames and passwords can be 'sniffed' easily. Watch for redirection when you are on a secure server site to be sure that you are not switched to another site. Log off AND restart your browser after paying bills. Your encoded data will be erased only by restarting.
  11. Don't follow links on spam e-mails. THREE REASONS: (1) Links may be masqueraded. For instance https://www.paypal.com/cgi-bin/webscr?cmd=_login-run may be a masqueraded site that goes anywhere in the world, including a non-secure trojan site (look at the link below if you don't believe me). (2) Links may encode your e-mail address or unique user code so some sites can harvest your address and put you on lists for spam. (3) Links may have innocuous-looking "escape" characters that create an executable redirect.
  12. Don't follow links on spam e-mails. MORE REASONS: (1) Redirects may be masqueraded. For instance, links to Google can carry redirects that go to unanticipated pages buried deep in the URL. (2) No one, especially banks, gives out $20 to fill out surveys, and if they do, likely you get the short end of that stick. Compromised machines sometimes cannot be restored without wiping and rewriting the hard drive. (3) You may not find out what the URL does until you click on it, and then it may be too late.
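The three link tricks in items 11 and 12 (visible text naming one host while the link goes to another, a redirect parameter carrying a second URL deep in the query string, and percent-encoded characters hiding the real path) can all be checked mechanically before anyone clicks. The script below is an added example, not part of the original page: it pulls every anchor out of an e-mail body and reports which of the three patterns it matches. The HTML, hosts and addresses are constructed samples, and the list of redirect parameter names is an assumption chosen for illustration.

```python
"""Added example: flag masqueraded, redirecting and encoded links in an e-mail body.
All sample HTML below is constructed; the REDIRECT_KEYS set is an assumption."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Query keys that commonly carry a second URL as a redirect target (assumed list)
REDIRECT_KEYS = {"url", "u", "q", "redirect", "redir", "next", "goto", "target", "link"}

# Constructed sample: four links as they might appear in a spam message
SAMPLE_HTML = """
<p>Please log in at <a href="http://198.51.100.7/login">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a></p>
<p>Take our $20 survey: <a href="https://www.google.com/url?q=http://survey.example.net/win20">Google</a></p>
<p>Newsletter: <a href="https://news.example.org/%61%64%6D%69%6E/go">read more</a></p>
<p>Help: <a href="https://www.example.com/help">example.com help page</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def inspect_link(href, text):
    """Return the warnings for one anchor; an empty list means none of the three patterns matched."""
    warnings = []
    real_host = host_of(href)
    # (1) The visible text names a host, but the href resolves to a different one
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and real_host and m.group(1) != real_host and not real_host.endswith("." + m.group(1)):
        warnings.append(f"text says {m.group(1)} but link goes to {real_host}")
    # (2) A redirect parameter carries another URL; the first host is only a relay
    for key, values in parse_qs(urlsplit(href).query).items():
        for value in values:
            if key.lower() in REDIRECT_KEYS and re.match(r"https?://", unquote(value), re.I):
                warnings.append(f"redirects via {key}= to {host_of(unquote(value))}")
    # (3) Percent-encoded characters in the host/path part disguise the real target
    if re.search(r"%[0-9a-f]{2}", href.split("?", 1)[0], re.I):
        warnings.append("percent-encoded characters in link path")
    return warnings


def inspect_html(html):
    """Return a list of (href, warnings) for every link in the message body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, inspect_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, warnings in inspect_html(SAMPLE_HTML):
        print(href, "->", warnings or "no warnings")
```

Run against the constructed sample, the first link is reported as text naming www.paypal.com while pointing at a bare IP address, the second as a relay through a `q=` parameter, the third for the encoded path, and the plain help link produces no warning. A mail gateway could apply the same logic to rewrite or quarantine messages; a user can apply it by hovering over a link and comparing what is shown with where it goes.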


TRUST NO E-MAIL ATTACHMENTS

Attachments can now be launched that look like they are files of different types. In fact, Windows' default setting is NOT to show you the true three-character extension! (To correct this on WIN machines, (1) go to "Windows Explorer" (the file utility, not the browser), (2) click on "Tools", then click on "Folder Options", (3) click on the "View" tab at the top, (4) UNCHECK the option that says "Hide extensions for known file types", (5) click "OK" at the bottom of the pop-up window.) Current file type extensions that can be executed as programs are .exe, .com, .pif, as well as a widening group of names. For a complete list, see Executable File Extensions, which also has much more complete cross-platform information about exposing extensions (but don't trust it totally, it may be old). Videos can execute code as well, as can various Windows products, including programs that execute 'macros' (Word, Excel and PowerPoint, for example, can potentially trigger unwanted execution of viral code, though modern versions are not so susceptible as they used to be).
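Because the name an attachment displays is not what Windows acts on, a defender wants to know all of a file's extensions, what the last one means, and what the bytes actually are. The script below is an added example, not from the original page: it shows what a name such as "invoice.pdf.exe" looks like with extensions hidden, flags executable and double extensions, and compares the claimed type against the file's leading bytes (the "magic number"). The extension list extends the .exe/.com/.pif trio in the text with other well-known executable types and is an assumption rather than the page's list; all file names and byte strings are constructed samples.

```python
"""Added example: assess an e-mail attachment by name and by content, not by icon.
EXECUTABLE_EXTENSIONS and MACRO_CAPABLE are assumed illustrative sets; sample
file names and contents below are constructed."""

EXECUTABLE_EXTENSIONS = {
    "exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js", "jse",
    "wsf", "hta", "msi", "cpl", "lnk",
}
MACRO_CAPABLE = {"doc", "dot", "xls", "xlt", "ppt", "pot", "docm", "xlsm", "pptm"}

# Well-known leading bytes -> what the content really is
MAGIC = [
    (b"MZ", "windows executable (PE/DOS)"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole2 office document (may carry macros)"),
    (b"PK\x03\x04", "zip archive (includes docx/xlsx/pptx)"),
    (b"\x89PNG", "png image"),
    (b"\xff\xd8\xff", "jpeg image"),
]


def displayed_name(filename, hide_known=True):
    """What Explorer shows with 'Hide extensions for known file types' on: the last
    extension is dropped, so 'invoice.pdf.exe' appears as 'invoice.pdf'.
    (Simplification: real Explorer hides only registered types.)"""
    if hide_known and "." in filename:
        return filename.rsplit(".", 1)[0]
    return filename


def split_extensions(filename):
    """'report.pdf.exe' -> ['pdf', 'exe']; Windows acts on the last one."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def sniff(content):
    """Identify the content from its leading bytes, independent of the name."""
    for magic, label in MAGIC:
        if content.startswith(magic):
            return label
    return "unknown"


def assess_attachment(filename, content):
    """Return (verdict, reasons); verdict is 'block', 'warn' or 'ok'."""
    exts = split_extensions(filename)
    final = exts[-1] if exts else ""
    actual = sniff(content)
    reasons = []
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"final extension .{final} is executable")
        if len(exts) > 1:
            reasons.append(f"double extension hides .{final} behind .{exts[-2]}")
    if actual.startswith("windows executable") and final not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"content is a Windows executable but name claims .{final or '(none)'}")
    if final in MACRO_CAPABLE or actual.startswith("ole2"):
        reasons.append("Office format that can contain macros")
    if final in EXECUTABLE_EXTENSIONS or actual.startswith("windows executable"):
        return "block", reasons
    if reasons:
        return "warn", reasons
    return "ok", reasons


if __name__ == "__main__":
    # Constructed samples: a disguised executable, a renamed one, a macro-capable
    # spreadsheet and a harmless text file
    samples = [
        ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),
        ("photo.jpg", b"MZ\x90\x00"),
        ("budget.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
        ("notes.txt", b"just some text"),
    ]
    for name, data in samples:
        print(f"{name!r} shown as {displayed_name(name)!r}:", assess_attachment(name, data))
```

The content check is what catches the fake-icon case in the text: a file named "photo.jpg" whose bytes begin with "MZ" is a Windows program no matter what icon it carries. A mail filter should block on either signal, and the double-extension reason explains to the user why the name looked harmless.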


LATEST DIRTY TRICKS

You cannot always trust the resolved URL of a web site. Just because your browser says that you are at a given site (say, http://windowsupdate.microsoft.com/) does not necessarily mean you are there if your machine has been compromised! There is a file called "hosts" that overrides the Internet for resolving (i.e., decoding) domains. In this file, any listed domain can be mapped to any IP site. Your "hosts" file usually has an entry like "localhost   127.0.0.1", which means that the local computer is at that IP address (it is the so-called reserved loopback, so that your own machine knows what to call itself in IP language when you are on the Internet). If any other address appears there, you can get spoofed. In fact, a pretty simple pop-up blocker is just to map the usual pop-up domains to your local machine (127.0.0.1) instead of letting them go to the Internet. Voila, no pop-ups. To check your machine, use a file search for a file named "hosts". In fairly recent Windows computers, it will be in a system directory (often i386). If it is clean, you have not been compromised. If there are a bunch of references to 127.0.0.1, it is being used to block spam. If it points elsewhere, you may have been compromised. (For website developers, this is a great tool for checking your server before going live with content, as you can point it to the IP address of your server and, if the machine is correctly configured, you will see the page, but no one else.)
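The manual inspection described above (loopback entries are fine, a pile of 127.0.0.1 lines is ad blocking, a real domain mapped somewhere else is a warning sign) can be scripted. The following is an added example, not from the original page: it parses hosts-file text, separates the localhost entry, blackhole entries (loopback or 0.0.0.0), developer-style redirections and mappings of sensitive names to foreign addresses. The sample file text and the watch list of domains are constructed for illustration. Note that the real on-disk format is "address name [aliases...]", e.g. "127.0.0.1 localhost", with the address first.

```python
"""Added example: audit a hosts file for the redirection trick described in the text.
SAMPLE_HOSTS and WATCHED are constructed/assumed for illustration."""
import ipaddress

# Names an attacker would most want to redirect (assumption: a small illustrative set)
WATCHED = {
    "windowsupdate.microsoft.com", "update.microsoft.com",
    "www.paypal.com", "www.google.com",
}

# Constructed sample hosts file (format: address, then one or more names)
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-popups.net       # pop-up blocking trick from the text
0.0.0.0         banner.example-adserver.com
203.0.113.45    windowsupdate.microsoft.com  # looks like the update site, is not
203.0.113.45    www.paypal.com
192.0.2.10      www.mysite.example           # developer pointing at a staging server
"""


def parse_hosts(text):
    """Return (address, [names]) per entry; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], [name.lower() for name in fields[1:]]))
    return entries


def is_blackhole(addr):
    """True for loopback (127.0.0.1, ::1) or unspecified (0.0.0.0) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Classify every name in the file into local, blocked, redirected or suspicious."""
    result = {"local": [], "blocked": [], "redirected": [], "suspicious": [], "malformed": []}
    for addr, names in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            # e.g. a line written name-first; it does nothing but is worth a look
            result["malformed"].append((addr, names))
            continue
        for name in names:
            if name in ("localhost", "localhost.localdomain") and is_blackhole(addr):
                result["local"].append(name)
            elif is_blackhole(addr):
                result["blocked"].append(name)          # ad/pop-up blocking pattern
            elif name in WATCHED:
                result["suspicious"].append((name, addr))  # update/bank site sent elsewhere
            else:
                result["redirected"].append((name, addr))  # staging servers and the like
    return result


def looks_compromised(text):
    """The text's rule: a well-known site pointed somewhere other than loopback."""
    return bool(audit_hosts(text)["suspicious"])


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for category, items in report.items():
        print(f"{category}: {items}")
    print("compromised?", looks_compromised(SAMPLE_HOSTS))
```

On the constructed sample the two pop-up domains land in "blocked", the staging entry in "redirected", and the two mappings to 203.0.113.45 in "suspicious", so the file is reported as compromised. The "redirected" bucket is deliberately separate: a developer's own entry is legitimate, but anyone reviewing a machine should recognize every name that appears there.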

©2003-2006 Scott Russell, University of Oklahoma. This may be linked without prior permission. The text may be copied freely and used in other forms with attribution.