How email works (4) Viruses

Email viruses are another plague on the electronic utopia. To meet its definition a virus has to be able to replicate itself and pass itself on to another victim, preferably without manual intervention (otherwise it is properly called a trojan, a subtle difference which can often be ignored). Because the email protocol is so simple, email is the easiest way for a virus to achieve this, either via the native email client found on the machine or via a crude one built into the virus itself. As a result, once a machine has become infected it becomes the source of further infection. In the early days this involved attaching itself to legitimate outgoing mail and sending further infected mails to known addresses found on the source machine, e.g. from the address book or a disk scan. Later this developed into the virus itself carrying a database of potential targets which was shared out between victims in a cascade process. Ultimately it became more of a spam mechanism, with the virus generating names semi-randomly using dictionary-type techniques.

There are a number of places where viruses can be trapped and dealt with. All users are recommended to have a good anti-virus product installed. These are capable of scanning incoming and outgoing mail, thereby dealing with the symptoms as well as any potential infection. The better ones do this directly on the port drivers, between the applications and the outside world, so they can catch hidden email clients as well as the standard ones used by the owner. If your anti-virus tool reports outgoing infected mails, update it and run a full disk scan, because you are probably infected.

Trapping infected emails on arrival is not really sufficient. Despite all the warnings, some people run without anti-virus software and can become infected, increasing the problem. There is also the cost involved in storing and distributing these emails. I said in part 3 that the mail servers only see the text stream and pass it through untouched. This is no longer true. Since the flood of malicious emails started there has grown, rather slowly in some places, a need to staunch it on the carriers rather than wait for the users. So now most ISPs and company mail servers scan each email, decoding the MIME formats and checking each attachment before delivery. I believe that even some inter-network routers also do this.

This is a reasonably acceptable form of mail intercept. There are rarely false positive alerts with good mail being declared infected, and the better scanners just remove the attachment and pass the rest of the mail through with a note so that you know what has happened. The cruder ones strip off all attachments of certain types, such as .exe, which is less helpful and makes it difficult to send legitimate files reliably. All sorts of subterfuge are used by good citizens to get their files through, the favourite being to change the file extension to something like .xex and give the recipient instructions on how to restore it. The paranoid strip off all attachments, reducing email to its basic text messaging form. This tends to be only short term, at times of high risk.
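As an added illustration (not code from the original post), here is a small Python filter in the style of the "better scanners" described above: it judges attachments by their leading bytes rather than their file name, so renaming an executable to .xex does not hide it from the filter, and it passes the rest of the mail through with a note saying what was removed. The subject, file names and attachment bytes are constructed samples, and the magic-byte table is a deliberately short one for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")
EXECUTABLE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF", b"#!": "script"}

def build_sample(filename, data):
    """Constructed test message: a short text body plus one binary attachment."""
    msg = EmailMessage()
    msg.set_content("Report attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()

def classify_part(part):
    """Return why the part looks executable (content first, then name), or None."""
    data = part.get_payload(decode=True) or b""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return f"{kind} content"
    if (part.get_filename() or "").lower().endswith(EXECUTABLE_EXTENSIONS):
        return "executable extension"
    return None

def scan_and_strip(raw):
    """Parse raw message bytes, drop executable attachments, rebuild the mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    removed, kept = [], []
    for part in msg.iter_attachments():
        reason = classify_part(part)
        if reason:
            removed.append(f"{part.get_filename()} ({reason})")
        else:
            kept.append(part)
    if removed:  # tell the recipient what happened, as the better scanners do
        text = text.rstrip("\n") + "\n\n[mail filter] removed attachment(s): " \
               + ", ".join(removed) + "\n"
    clean = EmailMessage()
    clean.set_content(text)
    for part in kept:  # re-attach the parts judged safe, unchanged
        clean.add_attachment(part.get_payload(decode=True),
                             maintype=part.get_content_maintype(),
                             subtype=part.get_content_subtype(),
                             filename=part.get_filename())
    return clean, removed
```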
