
[Asrg] Viruses

2003-06-24 11:07:44
Ironically, it may well be that a single company can stem the tide of
spam alone and, remarkably enough, it's Mr Gates' company.

OK, Barry, after sitting back on this one for a while, I'm going to pick up your bait.

Certainly there is a LOT they could do, but in practice probably little of that 
is at the OS level.

Apparently much of the spam is forwarded via computers which have been
infected by viruses turning them into unwitting mail slaves for
spammers.

There's LITTLE excuse for allowing that to happen.

Reviewing the most common of these viruses, such as Jeem, sobig.a and
Proxy-guzu, indicates that they all target Microsoft's Windows
operating system, versions up to and including their latest (XP and ME).

Of course.  If you were writing a virus, you'd also write it to propagate on the most likely systems you expected the code to land in.  OF COURSE virus authors target Outlook, Windows, Word, etc.

There have been plenty of worms on other systems, but those are a minority of 
attackable systems so virus authors OF COURSE go for the more fertile ground.

There's a reason for this: Microsoft's operating systems are
vulnerable to viruses.

ALL operating systems are vulnerable to viruses, as long as the systems are 
user-programmable (or program-extensible).  OK, your digital watch, your 
microwave oven (probably), and your laser printer probably aren't vulnerable to 
viruses.  But that's because nobody else can much change their code, either.

Other operating systems, or at least late releases (e.g., Mac OSX),
are not susceptible to viruses.

And just what is the "magic bullet" that you think magically makes those systems "not susceptible"?  I don't believe that there IS such a magic bullet.

Any computer on which software can be installed could theoretically have BAD 
software installed.  I don't believe it's possible by any kind of automated 
means to determine absolutely that an arbitrary subject program is bug-free, or 
even that it will terminate.

And in particular, a WORD macro virus (for instance) which works on a 
Windows-based OS will probably work on a Mac-based OS too... since the level of 
abstraction provided by the macro facility SPECIFICALLY shields the executing 
macro from vagaries based on the underlying OS.

The technology for immunizing OS's against viruses has been known for
about 40 years (before viruses even existed!).  It's been commonly used
in other OS's for about 20 years.

What "immunizing technology" are you referring to?

The US military has spent many billions of dollars over the years in research 
trying to find "absolutely secure" operating systems, and although they have 
made some fairly impressive strides, I don't think that any of them has gotten 
anywhere near 100%.

And it's been available on consumer/desktop PC-class machines for at least 10 
years.

What "it" do you think "immunizes" OSes?  And even if "it" did, what makes you 
think that other vulnerabilities can't be opened by buggy or ill-conceived 
applications?

So why does Microsoft continue to provide opportunity for spammers
unnecessarily?

While I would never claim that Microsoft has done everything possible to prevent abuse (far from it, at times) a LOT of the problem is at the application level, and not at the OS level proper.

Buffer overflow exploits, in particular, (along with similar array subscript 
range or string boundary violations) are readily possible with processors which 
permit unconstrained address calculations, and (also in particular) C is pretty 
much totally undisciplined about such things (and that's just as much true of C 
on Mac or Unix systems as it is for C on Windows-based systems).

The better solution is really to put restrictions in place on incoming material 
(and E-mail is our focus here) such that potentially dangerous executable stuff 
(and in practice, this means ActiveX-type stuff, scripting, and potentially 
malicious attachments) simply aren't allowed to be delivered unless they come 
from pre-arranged (or post-permitted, maybe), _trusted_ people who we EXPECT 
such type of stuff to come from.

Just as nobody should ever be stupid enough to run an executable that arrives in an E-mail from someone they don't know, they similarly shouldn't run executables that arrive from someone they DO know unless they know what it's about, and have verified (separately) with the sender why it was sent and that it's legitimate.  There is no reason why such windows of vulnerability should be left open for no reason at all.

I got a spam just a day or two ago shilling for a porn site and crowing about how "no credit card required".  The link said, in essence, "to connect to this site directly using your modem, CLICK HERE."  Under the concealment of the HTML, the link pointed to a URL of .exe type.  Most lusers wouldn't realize (of course) the implication of the (truthful) prompt... that the executable was planning to hang up the person's Internet connection through their local ISP, then redial on the user's modem to a 900-type international telephone number at staggering per-minute charges, which will of course bill to the luser's phone bill to arrive a month later.  (And of course, if it's a business line at the person's employer, they'll probably never even notice...!  What employee ever sees and studies the monthly phone bill for your desk's/computer's phone line?)

Such scams, by the way, also tend to (besides the porn site itself) embody proxy servers, so that the visitor, even after tiring of whatever porn is on offer, tends to stay connected to the Net and continue their other net surfing through the new, international premium pay-by-the-minute dialup connection, totally unaware that they're no longer connected through their own local ISP.

Anyhow, here's just another example of a case where the original deception that 
sets this whole mess up comes from the fact that the original message is 
HTML-burdened, permitting the spammer to hide the downloading of an executable 
inside an "invisible" link that just looks like any other "click here" 
hyperlink.  Of course, it would be nearly as easy to include an executable 
attachment (which is the way that most such stuff has been pulled in the past).

Notably, my permission-list idea would most likely squash BOTH of these deceptions... no unauthorized attachments, and forcing the user to copy-and-paste a more-likely-visibly-dubious URL into their browser before going to get it.

Of course, on my machine this particular scam wouldn't work, since I don't use a dialup internet connection to begin with.

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment!  Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
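The "permission list" the post argues for (executable material delivered only from senders you EXPECT it from) and the two deceptions it describes (an executable attachment, and an HTML "click here" link whose hidden target is an .exe) can be expressed as a small inbound-mail policy check. The following is an added example, not code from the ASRG thread or from any mail product: the trusted-sender list, the executable-extension list and the three sample messages are constructed here for illustration, and the policy is deliberately the simple one the post describes (quarantine executable content unless the sender is on the list).

```python
"""Permission-list filter for executable content arriving by e-mail.

Added example (not from the ASRG thread). The allowlist, the extension
list and the sample messages below are all constructed assumptions.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Constructed: file extensions treated as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed permission list: senders we EXPECT executable material from.
TRUSTED_SENDERS = {"build-bot@corp.example"}


def is_executable_name(name):
    """True if a file name (or URL path) ends in an executable extension."""
    if not name:
        return False
    _, ext = posixpath.splitext(name.lower())
    return ext in EXECUTABLE_EXTENSIONS


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def executable_links(html_text):
    """Return (href, visible text) for links whose URL path names an executable.
    The visible text is what the reader sees; the href is what actually runs."""
    parser = _LinkCollector()
    parser.feed(html_text)
    return [(href, text) for href, text in parser.links
            if is_executable_name(urlparse(href).path)]


def executable_attachments(msg):
    """Return file names of attachments that look executable."""
    return [part.get_filename() for part in msg.iter_attachments()
            if is_executable_name(part.get_filename())]


def classify(raw_message):
    """Apply the permission-list policy to one raw RFC 822 message.

    Returns (verdict, reasons); verdict is "deliver" or "quarantine".
    Executable content is delivered only from senders on TRUSTED_SENDERS.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    reasons = [f"executable attachment: {name}" for name in executable_attachments(msg)]
    html_body = msg.get_body(preferencelist=("html",))
    if html_body is not None:
        for href, text in executable_links(html_body.get_content()):
            reasons.append(f"link {text!r} points at executable {href}")
    if reasons and sender.lower() not in TRUSTED_SENDERS:
        return "quarantine", reasons
    return "deliver", reasons


# Constructed sample 1: the "CLICK HERE" dialer lure, target hidden in the href.
SPAM_DIALER = """\
From: offers@example.invalid
To: victim@example.net
Subject: No credit card required!
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>To connect to this site directly using your modem,
<a href="http://example.invalid/dialer/connect.exe">CLICK HERE</a>.</p></body></html>
"""


def attachment_message(sender):
    """Constructed sample 2/3: an executable attachment from the given sender.
    The base64 payload is a placeholder, never decoded by the filter."""
    return f"""\
From: {sender}
To: victim@example.net
Subject: Check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Run the attached file.
--b1
Content-Type: application/octet-stream; name="setup.exe"
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""


if __name__ == "__main__":
    print(classify(SPAM_DIALER))
    print(classify(attachment_message("someone@example.invalid")))
    print(classify(attachment_message("build-bot@corp.example")))
```

The check inspects the href rather than the anchor text, which is exactly the gap the dialer lure exploits: the reader sees "CLICK HERE" while the filter sees a URL path ending in .exe. Extension matching on names and URL paths is a coarse signal (it misses renamed payloads and archives), so in practice it would sit alongside content-type sniffing and an attachment policy; the point here is the permission-list shape of the decision, not the completeness of the executable test.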