Mommy, where do viruses come from?

a real 'who done it mystery' :-)

Mike Barnett 6/2002

If you connect to the Internet at all, you know that today's viruses are becoming quite menacing.

Not only are the viruses totally disruptive and quite costly (including the time to rebuild machines, loss of productivity, and downtime of applications), but it seems the developers are no longer satisfied with just spreading malicious code. In fact, it appears that these developers will do everything possible within their code to disguise the message itself (and the virused payload) and even to try to throw off the recipient as to who is the real culprit.

One of the most recent viruses, W32.Klez.H@mm, does just that. It 'spoofs' the message by changing the sender of the message to make it appear that it arrived from a different source.

My theory is that this is, in part, an attempt to delay the cleanup of the virus itself - as well as to create some enemies among the recipient's contacts and friends.

Have you noticed that more and more recipients of virused eMail are placing the blame on the wrong people? If that wasn't the goal of the attacker, it has definitely become a result in the aftermath.

Handling listservs for hundreds of real estate Associations and tens of thousands of subscribers has brought to the surface many interesting scenarios.

Here's an example of the most common situation we are seeing today: One of our customers (me) receives an eMail message that is virused. I become aware of the message in question because my virus protection identifies the virus upon downloading the message.

After examining the message, I notice that the "From:" on the message indicates an eMail address that I am quite familiar with… It is actually one of our own eMail addresses - CustomerSupport@InternetCrusade.com .

It is important at this point for you to know that this eMail address is located on a web-based server that is not running any eMail manager, nor does it contain any address book, or any Inbox, or any sent box, or any preview pane, or any other possible method of becoming virused. As a result, I know just by the From: field, that this message was 'spoofed' and probably contains a virus.

How did that eMail address (CustomerSupport@InternetCrusade.com) get inserted into the From: field?

The virus code itself did it: it searches any one of a multitude of areas within the infected computer's eMail client, picks one of the eMail addresses it finds, and inserts that address in the From: field. It also looks for another eMail address to send the virus to, and in this case it picked CustomerSupport@InternetCrusade.com, inserting that eMail address in the To: field.

In this case, it was easy for me to spot that the message couldn't have come from a virused computer. Imagine, instead, that the virus inserted the eMail address of a client, or an association, or an Association Executive, or a co-worker.

The first reaction for most of us when we receive an eMail is to think that the sender - the one indicated in the From: field - has a virus in their computer. This is a reasonable assumption. In fact, as in the scenario described above (and examined below), the virus did not come from the address indicated in the From: field of the message. If we did rely on the From: field, we would be pointing poisoned blow darts at the wrong party.

So, how do you research the message in an attempt to establish where it originated and possibly identify the culprit?

Here are a few steps to follow...

First, you MUST be protected against getting infected, especially if you are going to play and experiment with viruses. You need to own, and continuously update and run, anti-virus software.

Which is the best anti-virus software product? The one you will use ;-).

However, as many have discovered, just having anti-virus protection software on your computer is simply not enough. You must also update your virus protection all the time. Norton Anti-Virus refers to that as a "live update". I update every morning "before" I download my eMail. The live update only takes a couple of moments, but think about how much time it would cost you if a 'new' virus was to get into your computer (and possibly network).

Once you are protected, then you can begin to examine virused messages, so the next step is to locate and identify a virused message. This is easy enough if you have your anti-virus software set to alert you as a possible virus arrives in your Inbox.

Keep in mind that the default setting in anti-virus software (and some of the newer eMail client software) is to not allow any files with an ".exe", ".vbs" or similar extension to be delivered to your Inbox, but instead to intercept all messages carrying such attachments.

An interesting point is that this default setting can hamper software development in that programmers develop with "executables" and send them to one another for review and collaboration. And with the normal settings in the anti-virus software, you won't receive a message with these attachments. This is easy to work around. What programmers do is "zip" the ".exe" and ".vbs" and other files with questionable extensions before sending them to one another. This will allow the attachment to arrive, as ".zip" files are not blocked by the anti-virus software (by default) so the messages with attachments will arrive in your Inbox. Your anti-virus program will examine the file during the "unzipping" process for any potential viruses.
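The paragraph above describes a filter that acts on the attachment's file name and a workaround that puts the questionable file inside a ".zip". As an added example (not code from the article or from InternetCrusade), the following Python script shows the two filters side by side: the name-only rule that lets the zipped file through, and an archive-aware rule that applies the same extension list to the names inside the ".zip". The extension list beyond ".exe" and ".vbs", the addresses, and the sample messages are constructed for the example.

```python
import io
import os
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Example set of "questionable" extensions. The article names .exe and .vbs
# and "similar"; the rest of this list is an assumption for the example.
BLOCKED = {".exe", ".vbs", ".scr", ".pif", ".bat"}
MAX_ZIP_MEMBERS = 1000  # guard against archives crafted to exhaust the scanner


def ext_of(name):
    return os.path.splitext(name)[1].lower()


def blocked_names(msg):
    """Naive filter: block on the attachment's own file name only."""
    return [p.get_filename() for p in msg.iter_attachments()
            if p.get_filename() and ext_of(p.get_filename()) in BLOCKED]


def blocked_names_deep(msg):
    """Same rule, but also applied to the member names inside .zip attachments."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ext_of(name) in BLOCKED:
            hits.append(name)
        elif ext_of(name) == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist()[:MAX_ZIP_MEMBERS]:
                        if ext_of(member) in BLOCKED:
                            hits.append(f"{name}:{member}")
            except zipfile.BadZipFile:
                # An archive that will not open cannot be inspected; treat it as a hit.
                hits.append(f"{name}:(unreadable archive)")
    return hits


def build_message(attachment_name, payload):
    """Constructed test message, serialized and re-parsed so the filters see
    exactly what a mail server or client would receive on the wire."""
    msg = EmailMessage()
    msg["From"] = "dev@example.invalid"   # placeholder addresses
    msg["To"] = "reviewer@example.invalid"
    msg["Subject"] = "build for review"
    msg.set_content("Build attached for review.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)


def zipped(member_name, data):
    """Wrap one file in an in-memory .zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


# Constructed samples: the same (fake) executable sent bare and inside a .zip.
FAKE_EXE = b"MZ placeholder bytes, not a real program"
PLAIN_EXE_MSG = build_message("tool.exe", FAKE_EXE)
ZIPPED_EXE_MSG = build_message("tool.zip", zipped("tool.exe", FAKE_EXE))

if __name__ == "__main__":
    for label, m in (("bare .exe", PLAIN_EXE_MSG), (".exe inside .zip", ZIPPED_EXE_MSG)):
        print(f"{label:18} name-only filter: {blocked_names(m)}  "
              f"archive-aware filter: {blocked_names_deep(m)}")
```

The archive-aware rule is still only a name check; it reproduces the "examine the file during unzipping" step the paragraph mentions, not a scan of the file contents, which is the anti-virus product's job.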

So now you receive an alert about a message that was 'virused'. The anti-virus program can be set to 'quarantine' the attachment and allow the message to enter your Inbox.

The next step is to examine the body of the message itself. After examining a few of the messages, you will see that most viruses are easy to identify as they contain similar messages.

Next, go to the properties of the message in question. I navigate there in Outlook by right clicking on the message and then clicking on "Options".

If you do this, the next window that opens up is the "Message Header"...

When reviewing a Message Header, it is important to know that usually the destination is at the top of the Message Header and the origin is at the bottom. Every mail server that touches (handles) and forwards the message is listed in the Message Header. In addition, there is usually information about the mail client used to create the message, along with a message ID.

NOTE: please see below for a copy of the Message Header being described here. We will review the Message Header section by section…

Breakdown of Message Header:

RETURN-PATH

"Return-Path: <CustomerSupport@InternetCrusade.com>"

When reading from top (destination) to bottom (origin), you might not want to rely on the first "Return Path" field, as it is likely spoofed (the virus can place whatever it wants in this field and not affect delivery of the message).

RECEIVED: FROM

"Received: from rly-ip01.mx.aol.com ([205.188.156.49])"

The next piece of information in this header is "Received: from", and it should indicate the name and IP address of the server that handled the eMail. The IP address is the numeric address of the machine.

Since we (humans) like to communicate with words, and the Internet likes to communicate with numbers, an addressing system was created known as DNS (Domain Name System) whereby Names are matched with IP addresses.

For instance, if you were looking to locate the web site for InternetCrusade, you would type InternetCrusade.com into your browser to find our company, and the Domain Name System would convert that to an IP address (209.246.239.84) and then find our server. This information could also be 'spoofed'.

RECEIVING SERVER INFORMATION

 by web3.icsandiego.com (Post.Office MTA v3.5.3 release 223
          ID# 0-72224U7100L900S0V35) with ESMTP id com
          for ;
          Fri, 7 Jun 2002 15:54:51 -0700

Next you should see the name and IP address of the eMail server that received the message. In addition, information about the application that processed the eMail, along with the serial number of the mail server application, is included. Last, the address of whom the message is "for" and the date and time are indicated.

As you read down the Message Header (going closer to the origin), you will see any other mail server (ISP) that handled the message and their respective IP address.

ORIGIN INFORMATION

Received: from logs-mtc-tf.proxy.aol.com
          (logs-mtc-tf.proxy.aol.com [64.12.103.5]) by
          rly-ip01.mx.aol.com (v83.35) with ESMTP id
          RELAYIN7-0607185627; Fri, 07 Jun 2002 18:56:27 -0400
Received: from Sqq (ACA8E59D.ipt.aol.com [172.168.229.157])
          by logs-mtc-tf.proxy.aol.com (8.10.0/8.10.0) with SMTP id g57MsJw428851
          for ; Fri, 7 Jun 2002
          18:54:19 -0400 (EDT)
Date: Fri, 7 Jun 2002 18:54:19 -0400 (EDT)
Message-Id: <200206072254.g57MsJw428851@logs-mtc-tf.proxy.aol.com>
From: CustomerSupport 
To: CustomerSupport@InternetCrusade.com
Subject: New roman, times new roman, times
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=GmcDlww087Weds210AO
X-Apparently-From: xxxxxxxxxx@aol.com

At the bottom of the message, you will see information about the Origin.

You will see the From: (which can be spoofed by the virus)… the To: (which can also be spoofed by the virus) and the Subject (which can be spoofed as well).

You will also see the Message-Id: field. This ID can be used by the ISP to possibly identify the sender.

Also, at the very end of the header (which is the origin) we see X-Apparently-From: xxxxxxxxxx@aol.com ….
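As an added example (not code from the article or from InternetCrusade), the following Python script does the header walk described above programmatically: it reads the Received: lines from the destination's own line (the only one you can fully trust) down to the origin, checks that each server's "by" links to the "from" of the line above it, and compares the domain in the From: field with the host the message actually entered the mail system from. The sample header is the one reproduced in this article; the recipient addresses the web page stripped from the "for <...>" clauses and the From: line are filled in with the To: address as an assumed placeholder, and continuation lines are given a leading space so they fold per RFC 5322.

```python
import re
import email
from email.utils import parseaddr

# Constructed sample: the header reproduced in the article. Two assumed edits
# make it parseable: continuation lines carry a leading space (RFC 5322 folding),
# and the addresses the web page stripped from "for <...>" and "From:" are filled
# with the To: address as a placeholder.
SAMPLE_HEADER = """\
Return-Path: <CustomerSupport@InternetCrusade.com>
Received: from rly-ip01.mx.aol.com ([205.188.156.49])
          by web3.icsandiego.com (Post.Office MTA v3.5.3 release 223
          ID# 0-72224U7100L900S0V35) with ESMTP id com
          for <CustomerSupport@InternetCrusade.com>;
          Fri, 7 Jun 2002 15:54:51 -0700
Received: from logs-mtc-tf.proxy.aol.com
 (logs-mtc-tf.proxy.aol.com [64.12.103.5]) by
 rly-ip01.mx.aol.com (v83.35) with ESMTP id
 RELAYIN7-0607185627; Fri, 07 Jun 2002 18:56:27 -0400
Received: from Sqq (ACA8E59D.ipt.aol.com [172.168.229.157])
 by logs-mtc-tf.proxy.aol.com (8.10.0/8.10.0) with SMTP id g57MsJw428851
 for <CustomerSupport@InternetCrusade.com>; Fri, 7 Jun 2002
 18:54:19 -0400 (EDT)
Date: Fri, 7 Jun 2002 18:54:19 -0400 (EDT)
Message-Id: <200206072254.g57MsJw428851@logs-mtc-tf.proxy.aol.com>
From: CustomerSupport <CustomerSupport@InternetCrusade.com>
To: CustomerSupport@InternetCrusade.com
Subject: New roman, times new roman, times
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=GmcDlww087Weds210AO
X-Apparently-From: xxxxxxxxxx@aol.com

"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # host name the sending side announced
    r"(?:\s*\((?P<observed>[^)]*)\))?"  # what the receiving server itself saw
    r".*?\bby\s+(?P<by>\S+)",           # the server that wrote this line
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header (folded or not) into its from/by/IP parts."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    observed = m.group("observed") or ""
    ip = IP_RE.search(observed) or IP_RE.search(flat)
    return {"helo": m.group("helo"), "observed": observed,
            "ip": ip.group(1) if ip else None, "by": m.group("by")}


def received_chain(raw):
    """Received: lines in header order: index 0 was written by the destination
    (the only line you can fully trust), the last one is closest to the origin."""
    msg = email.message_from_string(raw)
    return [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]


def chain_is_linked(hops):
    """Each line's 'by' server should be the 'from' host of the line above it.
    A break is a hint (not proof) that the lower lines were written by the sender."""
    return all(hops[i]["by"] == hops[i - 1]["helo"] for i in range(1, len(hops)))


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Trace the message to its origin and test the From: field against it."""
    msg = email.message_from_string(raw)
    hops = received_chain(raw)
    origin = hops[-1] if hops else None
    _, from_addr = parseaddr(msg.get("From", ""))
    # Host name the first mail server resolved for the originating machine;
    # fall back to the announced (HELO) name when no reverse lookup was recorded.
    origin_host = ""
    if origin:
        origin_host = origin["observed"].split()[0] if origin["observed"] else origin["helo"]
    origin_domain = ".".join(origin_host.lower().split(".")[-2:])
    return {
        "hops": len(hops),
        "chain_linked": chain_is_linked(hops),
        "origin_helo": origin["helo"] if origin else None,
        "origin_host": origin_host,
        "origin_ip": origin["ip"] if origin else None,
        "from_addr": from_addr,
        "apparently_from": msg.get("X-Apparently-From", ""),
        # The From: field is sender-controlled; flag it when its domain differs
        # from the network the message actually entered the mail system from.
        "from_matches_origin": domain_of(from_addr) == origin_domain,
    }


if __name__ == "__main__":
    print("origin -> destination:")
    for hop in reversed(received_chain(SAMPLE_HEADER)):
        print(f"  {hop['helo']:<28} {hop['ip'] or '-':<16} -> {hop['by']}")
    for key, value in analyze(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

For the article's header the script reports three hops, an origin of "Sqq" at 172.168.229.157 (reverse-resolved by AOL's proxy to an ipt.aol.com name), and a From: domain of InternetCrusade.com that does not match that origin, which is exactly the spoofing the article describes. The "by"/"from" linking check is a heuristic: the name a server announces and the name it writes after "by" can legitimately differ, so a break is a reason to look closer, not proof of forgery.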

So in summary...

1. Own and regularly update virus protection software.
2. Don't rely on the From: field to determine the sender of the virus.

See you online!!!

Mike Barnett
VP Technology
InternetCrusade.com
======================

EXAMPLE MESSAGE HEADER
Used for this Article

Return-Path: 
Received: from rly-ip01.mx.aol.com ([205.188.156.49])
          by web3.icsandiego.com (Post.Office MTA v3.5.3 release 223
          ID# 0-72224U7100L900S0V35) with ESMTP id com
          for ;
          Fri, 7 Jun 2002 15:54:51 -0700
Received: from logs-mtc-tf.proxy.aol.com
          (logs-mtc-tf.proxy.aol.com [64.12.103.5]) by
          rly-ip01.mx.aol.com (v83.35) with ESMTP id
          RELAYIN7-0607185627; Fri, 07 Jun 2002 18:56:27 -0400
Received: from Sqq (ACA8E59D.ipt.aol.com [172.168.229.157])
          by logs-mtc-tf.proxy.aol.com (8.10.0/8.10.0) with SMTP id g57MsJw428851
          for ; Fri, 7 Jun 2002
          18:54:19 -0400 (EDT)
Date: Fri, 7 Jun 2002 18:54:19 -0400 (EDT)
Message-Id: <200206072254.g57MsJw428851@logs-mtc-tf.proxy.aol.com>
From: CustomerSupport 
To: CustomerSupport@InternetCrusade.com
Subject: New roman, times new roman, times
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=GmcDlww087Weds210AO
X-Apparently-From: Gerryg503@aol.com



Copyright © 2002 REEPco., Inc. All Rights Reserved

©2010 InternetCrusade - all rights reserved
