Sunday, October 31, 2004

Did You Send That Virus?

If you've recently gotten a notification that you sent a virus to someone in email - you probably haven't.

I regularly run into people who are convinced that they must have a virus - even though their own antivirus software indicates that their machine is clean - because they keep getting email that claims they've sent a virus to someone else. In fact, they're being needlessly annoyed (and panicked) by email administrators who have not adjusted the behavior of their antivirus software to match the behavior of today's viruses and worms.

At one time, it was reasonable and helpful to send a message back to the sender's address when a virus was found in email - so that the sending user had some idea that all was not right with their machine, and could take steps to clean it up.

But many of today's viruses and worms propagate (spread) by using spoofed email addresses, and chances are good that the apparent sender's [From:] address has nothing to do with the infected machine.

(A computer virus makes copies of itself when a user performs an action - such as launching a program, or opening a file. It may have a relatively harmless or extremely malicious payload, or no payload at all. A worm is able to make copies on its own, and spread from computer to computer with no user interaction. A trojan is harmful software which the user is tricked into installing, but does not make copies of itself.)


Both Simple Mail Transfer Protocol [SMTP] and the Internet Protocol [IP, or TCP/IP] it runs on are vulnerable to spoofing. Both are designed to route messages to a destination address, even under less than ideal conditions - but in the innocence of the Internet's early years, security was not a design concern, and so neither protocol normally does anything to verify the sender's address.

It's not unlike a postcard - you can make up anything you like as the return address, and the card will still be delivered. You might be able to convince your victim that they are inexplicably being deluged with postcards from Weird Al Yankovic, unless they notice the cards are postmarked Camden, New Jersey - not Hollywood, California.

But on a postcard, the postmark is easy to see, and easy to understand. With email, the equivalent of a postmark is the SMTP headers, which are generally hidden from the user, and not so easy to interpret. (Selecting Properties from the File menu in Outlook Express, and then selecting the Details tab, will display the headers. In Outlook, viewing the message Options will show the headers. In Gmail, select more options and then show original. If you'd like a Gmail account, I probably have an invite for you.)

SMTP headers look like this:

Received: by with SMTP id t67cs379rnb;
    Fri, 10 Sep 2004 09:12:27 -0700 (PDT)
Received: by with SMTP id 80mr991326rnk;
    Fri, 10 Sep 2004 09:12:26 -0700 (PDT)
Received: from ([])
    by with ESMTP id 61si136445rnb;
    Fri, 10 Sep 2004 09:12:26 -0700 (PDT)
Received-SPF: none
Received: from localhost.localdomain ( [])
    by (8.9.3p3/8.9.3/+ALEVE) with ESMTP id MAA31517
    for ; Fri, 10 Sep 2004 12:12:26 -0400 (EDT)
Date: Fri, 10 Sep 2004 12:12:26 -0400 (EDT)
Message-Id: <>
Subject: blogdex verification for

The important bits are the 'Received:' entries, including the IP addresses. Even these can be forged - but they can't all be forged, and an expert will be able to identify spoofed and/or forged email, and the point where it really entered the mail stream.

But the vast majority of email users are not experts, and will never look at their headers, or be able to interpret what they would see.
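Here is that header reading done in code, as an added example that is not part of the original post. It walks the 'Received:' entries from the newest down and stops at the first one where the recipient's own server recorded the IP address of an outside machine; everything below that entry was supplied by the sender and may be forged. The sample message, the host names in OUR_HOSTS and the common "from ... by ..." header layout are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: reserved documentation names and addresses, not from the page.
RAW = """\
Received: by mx2.recipient.example with SMTP id a1; Fri, 10 Sep 2004 09:12:27 -0700
Received: from dsl-77.isp.example (dsl-77.isp.example [203.0.113.77])
\tby mx1.recipient.example with ESMTP id b2; Fri, 10 Sep 2004 09:12:26 -0700
Received: from mail.bob.example (mail.bob.example [192.0.2.10])
\tby dsl-77.isp.example with SMTP id c3; Fri, 10 Sep 2004 09:12:20 -0700
From: Bob <bob@bob.example>
To: jane@recipient.example
Subject: constructed sample

body
"""
OUR_HOSTS = {"mx1.recipient.example", "mx2.recipient.example"}  # hypothetical names

# "from HELO (rdns [ip]) by HOST"; the "from" clause is absent on some internal hops.
HOP = re.compile(r"(?:from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*"
                 r"\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+)?\bby\s+(?P<by>\S+)")

def received_hops(raw):
    """Parse the Received: headers, newest first (the order they appear in)."""
    msg = message_from_string(raw)
    return [m.groupdict() for v in msg.get_all("Received", [])
            if (m := HOP.search(v))]

def entry_point(raw, our_hosts):
    """Newest hop where one of our servers recorded an outside peer's IP."""
    for hop in received_hops(raw):
        if hop["by"] not in our_hosts:
            return None          # written by a server we do not control
        if hop["ip"]:
            return hop           # IP observed by our server, not sender-supplied
    return None

def summarize(raw, our_hosts):
    """Compare the claimed From: address with where the mail really came in."""
    hops, hop = received_hops(raw), entry_point(raw, our_hosts)
    return {"claimed_from": parseaddr(message_from_string(raw)["From"])[1],
            "entry_ip": hop["ip"] if hop else None,
            "unverified_hops": len(hops) - hops.index(hop) - 1 if hop else None}

if __name__ == "__main__":
    print(summarize(RAW, OUR_HOSTS))
```

In the sample, the message claims to be from Bob, but the only address the recipient's server actually saw is 203.0.113.77; the entry naming Bob's mail server sits below that point and proves nothing.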

And it doesn't take sophisticated hacker tools to send a spoofed email. Outlook Express works just fine. Simply lie to the configuration wizard about your name and email address. You won't be able to receive email for the spoofed address; you can only send it - but that's all we're trying to do.

Spoofing works because the only address that must be correct is the recipient address. The sender's address can be forged and the email will still be delivered.


In 1999, the Melissa virus was the first to harvest email addresses from the victim's own computer. It sent copies of itself to up to 50 addresses it found in the Outlook address book. Because it appeared to be from someone they knew, many people were fooled into opening the email and infected attachment, and Melissa spread faster than any previously known virus.

After the 'success' of Melissa, more address-harvesting worms and viruses followed, including "Anna Kournikova," Sircam, Nimda, Klez, and Bugbear - all of which achieved widespread and rapid infection rates.

But all of them used the email address of the infected victim, making it possible to identify the sender, and (hopefully) get them to clean up their machine. Antivirus software automatically sent infection notices back to the sender's address.

This January, the MyDoom (or Novarg) worm took the next logical step in deception, and used the addresses it harvested from the infected machine as spoofed senders, as well as targets. Sally's infected computer now sent email to Jane from Bob, and identifying the actual source became essentially impossible for the vast majority of computer users. It worked - MyDoom spread faster than any previous worm, sending more than 100 million emails in the first 36 hours of infection, and infecting more than one million computers. The Sasser worm and Bagle variants followed, also using forged sender addresses.

Today, only an expert has much of a chance to identify the actual source of an infected email. Notifying the 'sender,' either with an automated response from an antivirus program, or by reply email, is at best useless, and often worse.

I recently had to intervene on behalf of a client who was being accused of repeatedly sending viruses to someone she didn't know. The virus turned out to be Bagle.Z, which, of course, spoofs the sender's address.

The tone of the emails began with:
I'm going to ask you one more time to quit sending me viruses and to take me off of your email list. If this does not happen and I get one more email from you, I am going to contact your internet provider and have them take care of you.

And got progressively angrier, with an obscenity or two:
This is a quarantine report from my internet service. Do you see your name under the forbidden attachment report? Now are you going to try to tell me that you have never sent me anything???????
Sorry, these reports don't lie. You obviously have something wrong with your computer such as a virus that you are unaware of. All I know is that I am getting sick and tired of you sending me this shit. Get something done with your computer or if you don't know what you are doing, quit using the damn thing.

It took both an email from me, explaining what was happening (and spoofed to appear to be from the hothead in question as a proof-of-concept) and an email from their own ISP to finally provide this person with a clue.

If you receive a notification (or an accusation!) that you sent someone a virus, you should simply delete it. And if your antivirus software automatically sends notifications as replies to infected email, consider turning that feature off. It is, unfortunately, no longer helpful.

Run antivirus software, keep it up to date, and keep your operating system and software updated. The folks in your address book will appreciate it.
