The Active Network
ActiveWin: Editorials Active NetworkFlink Ink | Reviews | FAQ | Mailing List | Forums


Bitten by the Love Bug? Expect Worse! ....Linux too!

May 4th, 2000 - Chuck Flink (Feedback Appreciated!)

Well wasn't that 'I LOVE YOU' virus/worm fun!  So a teen in the Philippines can bring down email systems world wide.  I can hear the rumble of thousands of other kids saying, "Heck, that was easy!  I bet I can do better!"  What a sad thought.  You may as well prepare because there will be lots of copy-cat email viruses in coming days!  Ok world, you've had your wake up call!  Now get busy doing what you SHOULD have done all along.... Protect yourself!  Here's how.  It does NOT take that much effort!

Note:  These recommendations are intended to protect against the entire class of email worms represented by today's virus.  Many other sites will tell you the facts about today's virus and how to clean up after it.  I am much more concerned about tomorrow's email virus!

My suggestions:  (Tested for Outlook 2000 and Outlook Express 5.5, but applicable in principle to most other mail readers.)

1)   Turn off instant mail delivery!

There is seldom a need to have email sent instantly upon clicking [Send].  Besides the very human reality of email regret ("I shouldn't have said that!"), the fact is that this virus propagated so quickly because 99.9% of mail programs are set to send instantly.  If  you had this featured turned off and you were tricked into loading an email worm like 'I LOVE YOU', your out-box would have filled up with an email message for every one of the addresses in your address book, but NONE would have been sent until you had a chance to notice the problem!  You would have seen your outbox folder fill up with new messages, you would have checked, discovered the Trojan's outgoing messages and deleted them!  As easy as that the worm would have died on your watch.  Wouldn't that have made you proud!  Good!  Go do this now:

Outlook:   Tools | Options.... | Mail Delivery:   Clear the "Send messages immediately when connected" check box.

Outlook Express:   Tools | Options.... | Send:   Clear the "send messages immediately" check box.

After doing this, messages will only be sent upon exiting (after asking your approval), by clicking the Send/Receive button, or the next time the mail reader checks for new messages.  There is a check box that allows you to disable this automatic checking for new mail.  If cleared, this will also disable the automating sending of mail in you out-box.  Leaving it set with a 10 or 20 minute interval defined will still periodically deliver your email but will give you some time to detect the worm before propagating it!  Certainly, the virus would have been MUCH slower in propagating if each PC had delayed it 10 minutes or more!  By then your corporate IT personnel would have been able to get the word out ahead of the virus.

If you're really paranoid about your mail reader doing things when you're not looking, clear the "Check for new messages every..." check box.  You'll have to periodically check for email yourself, but if you're like me, I suffer enough distractions already.  I only want my email when I'm ready.  This makes even more sense if you have some form of Internet Messenger sitting in your tray ready to alert you immediately when your buddies or bosses need your attention. 

(In Outlook, this option is directly below the one you just cleared, i.e. under the Mail Delivery tab.  In Outlook Express, this option is under the General tab.  Yes, Outlook Express should have had a true subset of the Outlook option tabs so all these features would be found in the same place.  It is not that way.  Dumb.  This is what comes of having an entirely different development team for what is supposedly just a "free subset" product.  You'll see even more of this type of incompatibility and confusion if the DoJ gets its way.)

Disabling instant mail delivery would be most valuable in the corporate setting where email server saturation could occur very quickly due to LAN speeds and address books full of addressees hosted on the same server.  I highly recommend this as the simplest and most general first step.  It will, however, take a bit of getting use to.  You may need to learn to actually think twice before blasting that message to your boss!

2)   Turn off the suppression of file extensions!

Windows 98 introduce this neat option to hide all those ".txt", ".jpg", ".exe", etc. extensions that clutter up our directory listings.  After all, they were redundant with the icon associated with the file, weren't they?  Well, while one set of Microsoft programmers were making the suppression of this "redundancy" the default, another set was happily extending the system to allow you to break the one-to-one association between icon and file extension.  (Ever wonder how some browser shortcuts have custom icons associated with them?)  But even if the icon was trustworthy, how many people would trust it over the familiar 3-letter extension?

Notice that the attachment had a file name that ended in ".TXT.vbs".  The author had deliberately disguised the file to appear to be a ".TXT" file, know by just about everyone as being a type that is "always safe to open".  By default, on many PCs, the ".vbs" part was not displayed, hiding the fact that the file was an executable file.  (This virus also copied itself in place of .jpg files (and others) on the infected PC to trick the user into launching the Trojan all over again when the user later tries to look at, for example, a favorite picture of the kids, etc.)

Many users (and all IT support personnel) would have recognized the files as NOT SAFE TO OPEN if it were not for the "convenience" of Windows 98 hiding the well-known file extensions!

Windows 98:   My Computer | View | Folder Options | View tab:  Clear the "Hide file extensions for know file types" check box, click [Apply], then click [Reset All Folders] to propagate this setting to all folder views.

3)   Turn off message preview!

An early rumor was that the virus spread merely through file preview.  Certainly this was a misunderstanding.  Someone simply clicked on the fake text attachment from the preview window and opened it that way.  They correctly reported they didn't "open" the message explicitly, but that didn't matter.  The message was open in the preview window automatically allowing the user to manually launch the Visual Basic script.  But even though the initial rumor was wrong, I highly recommend turning off the preview window.

The 3-pane layout was a key feature that attracted users to the mail-reader portion of Netscape Navigator back in the early days of the browser wars.  That format was later copied by Microsoft and others and has become near ubiquitous.  The left pane is the list of mail folders (inbox, outbox, sent, discarded, etc.), usually emphasizing the number of "new" messages in each folder.  The top right pane lists all the messages in the folder highlighted in the left pane, the inbox folder by default. The lower right pane is usually the "preview" pane, showing you a preview of the mail message highlighted in the top right pane.

It is perfectly possible to read all your email via the preview pane without ever explicitly "opening" one of the messages.  A single click in the header pane selects and highlights a new message in the list and immediately the message opens in the preview pane and you're reading what the message is about.  Many users do this as a matter of rote.  It certainly is neat to go through you email with so few clicks, but there is possible danger here!

If the message is one of the new rich text variety, with embedded GIFs and possible Java or VB scripts, you'll immediately see a mail message that looks like a web page, but unlike a web page, you don't know where it came from and there is no-one but yourself to blame if an embedded script does something bad to you!  Note:  "preview" panes are not suppose to launch embedded scripts, etc.  But until your mail-reader vendor certifies it is totally safe to use (about the time hell freezes over?) I suggest it is an undue risk to take to merely save yourself an extra mouse-click per email message!  Turn preview off:

Outlook:   View | Preview Pane:  Simply clicks on/off.

Outlook Express:   View | Layouts:  Clear the "Show preview pane" option.

Now you actually can select a mail message with a single click and delete it without opening it!  Before, merely selecting it for deletion would open it in the preview window!  I much prefer discarding junk mail without being forced to open it.

4)   Consider digital signatures!

The fundamental problem of all security is accountability.  If you can hold people responsible for their actions, they do not deliberately do bad things.  There is nothing weaker in Internet security today than the "From:" address on email.  The very first "spoof" attack in the history of computer security was committed when it was realized that the UNIX mail command took the user's name from the shell environment and stuck it in the "From:" string.  Thus it was trivial for a friend to send you mail and make it look like it came from the Big Boss!

Through out the years, this problem has not been fixed a) due to the ease with which hackers could get around any of the "easy" fixes, and b) because users objected to the added setup and mouse clicks required when a reasonably secure solution was used.  Maybe now is the time to get serious about finally instituting digital signatures so we can have some confidence in where a message came from!

Outlook Express and Outlook both support digital signatures and so do many other email readers.  The application of a digital signature requires you personal approval, preferably via some form of trusted path window (i.e. not faked or bypassed).  Choosing to "digitally sign" all of you outgoing email would mean that a window would pop up asking you to approve of adding your digital signature to the message.  In strong security environments, you would have to provide a password (at least) or insert your "signature card" into some form of reader.  For Outlook Express, this option merely requires you to click [OK] in a pop-up window for each outgoing message.

Isn't it worth an extra click to be sure that a Trojan isn't using your name in vain?

Now some organizations may well object to a feature that comes with digital signatures in most mail readers:  encrypted email.  If your users can sign their email with a personal certificate, their correspondents can reply with encrypted messages.  The corporate IT executive is then faced with a dilemma:  what is more valuable, being able to peek into a user's email to make sure it has to do with business (or is at least not broadcasting company secrets) or being able to trust that my user actually sent this message and knew who he/she received messages from?

The analysis of trust in the corporate and web environment goes well beyond this article, but it is worth considering as a mechanism for thwarting whole classes of email attacks and spoofs.  My opinion?  Suggestions 1 and 2 and a bit of user awareness (already provided by today's exercise) probably covers 99% of the copy-cat worms that will be launched.  Windows 98 cannot be a platform for serious security.  If you're not yet ready to switch to Windows 2000 or go back to "Terminal Services" hosted on a protected server, you might well choose to wait on promoting digital signatures and encrypted email.  I'm also waiting for the day when it takes a physical token to unlock my signature key.  Passwords are simply not secure enough by themselves to justify the degree of trust people put into digital signatures, encryption, etc.  But if mail viruses continue, I may change my mind!

Linux friends....

I noticed more than a few of you who tried to say this was yet another "Microsoft Bug".  It certainly was not.  I have complained (above) about poor decisions about default settings where Microsoft made things too easy for the attacker, but the sins were all those of ease of use and performance.  Sins of these types have existed from the earliest days of computing and will continue as long as consumers prefer "fast and easy" to secure.  As described above, Microsoft has provided multiple ways to configure their systems for greater security.  Users need merely to choose to use them.  And isn't "freedom to choose" what the Linux revolution is suppose to be all about?

I guess we certainly have to say that Windows no longer lacks a scripting language!  This little Visual Basic Script program, seemingly written by a teenager, demonstrated far more scripting power than any of the shells of the old UNIX world.  In fact, I'm seriously concerned that Microsoft has over-responded to the call for scripting support in Windows 2000, possibly providing too much power where once there was too little. 

Linux was not touched by the I LOVE YOU virus because Linux email does not support "preview" and "scripting" as a general rule.  Netscape Communicator may well be subject to a similar attack based on Javascript.  I suspect the fact that the author of the virus didn't write his attack using JS has more to do with his ignorance of Linux than any weakness in one OS over another.

Many years ago the Morris worm terrorized the UNIX world by propagating across the Arpanet.  It could not attack any of the AT&T 3B systems we sold, NOT because UNIX from AT&T was superior to UNIX from Sun, DEC or any of the other vendors brought to their knees.  We were immune simply because the "convention" in the WE32000 chip the 3B2 was based on was the opposite of that in the Sun and DEC systems.  A buffer overflow on a stack-resident buffer in Sun or DEC systems would step on the return address stored in the stack, allowing the worm to take over the machine by applying a long string argument to "finger" (I believe that was the command).  That string argument was then interpreted as executable code when the function returned and passed control based on the garbage in the call/return data structure.

On AT&T's WE32000 chip, instead of the stack growing down in address space, it grew up.  The result being that the overflow data could not step on the call/return structure; the stack simply grew to accommodate the excess data and the program completed normally, by pure accident.  (I am sure the architects of this chip will say this was not simply an accident!  They knew it was better to grow the call/return stack up rather than down!  But we all know about hindsight!)

There is always a trade-off between features and security. It's much easier to secure a brick.  Not to say that Linux is a dumb brick!  I grew up loving UNIX and like what I know of Linux, but it simply isn't cutting edge in delivering new functionality to end-users (yet).  Naturally, anything that does deliver on innovations will sometimes deliver "unintended consequences" as well.  Linux will surely have its turn.

Copyright 2000 Information Security Analysis LLC. All Rights Reserved.

Return To The Flink Ink Section


  *   *