[Dixielandjazz] Antivirus trick

Rob Perry ke6jqh at ke6jqh.net
Tue Feb 11 16:45:26 PST 2003


I don't usually, but it's time to say my piece on this. Unfortunately, 
this trick is still circulating and it's given a lot of people a false 
sense of security. Once upon a time, it was moderately effective. No 
longer. Kak and its relatives were fairly unsophisticated worms; there 
was a high degree of probability that this trick would alert the owner 
of a system that something was wrong.

I run a centrally managed anti-virus at work for nearly 2000 users. The 
number one worm that we see a day is Klez and its variants. Of 15 to 20 
alerts for Klez a day, our users only find out about it because I have 
the anti-virus server set to tell them.

Modern worms now use a technique that not only randomly pulls email 
addresses from the address book, but also from the inbox and in some 
cases other mail folders that may be on your system. In addition they 
will also masquerade the sender.

For instance, Alice, Bob, and Charlie are all friends. Alice gets hit 
with Klez, and it emails Charlie. The email that it sends to Charlie 
claims to be from Bob. Because of the way it alters the message, if the 
message to Charlie bounces, Bob will get the non-delivery report instead 
of Alice.

True, it doesn't hurt anything to have a bogus email address. 
Unfortunately, don't believe that it will actually alert you to 
anything. If you have questions about how a worm or virus operates, 
Symantec's Library is the best place to start.

http://securityresponse.symantec.com/

Rob Perry
ke6jqh at ke6jqh.net



Phil O'Rourke wrote:
> John and others
> 
> The method you stated has been talked about before. I am not sure which
> listmate gave the explanation why this does not work as it "logically" would
> seem to but I can remember the thread.
> 
> It does seem like a good idea though.
> 
> Phil O'Rourke
> Australia
> 
> 
> 



