VINE SOFTWARE - TECHNICAL NOTES

MALWARE - SPAM, VIRUSES AND OTHER NASTIES


Contents

  1. Introduction
  2. Spam
    1. A Warning!!
    2. Blocking Spam
    3. The Dangers of Spam
  3. Phishing
    1. Avoiding phishing scams
  4. Viruses
    1. Blocking Viruses
    2. Who can catch a virus?
  5. Trojan Horses
    1. Blocking Trojan Horses
  6. Internet Worms
    1. Blocking Internet Worms
  7. Some Myths Exploded
    1. “All computers are susceptible to viruses”
    2. “Windows programs are attacked because they are more common”



Introduction

This document gives some background information about spam, viruses and the other things which can attack your computer via the Internet (colloquially known as malware). For a comprehensive description go to the CERT advice for home networks site.

Spam

Spam is any email you did not ask for. Most of it is, or pretends to be, advertising: messages trying to sell you products or to lure you onto a web site.

A Warning!!

Although spam is associated with pornography and other scams, any organisation that sends a batch of emails to people who have not asked for them is guilty of spamming (and possibly of breaking the Data Protection Act). In an attempt to reduce spam there are many organisations on the Internet which look out for and report spamming. Their reports are used by spam filters to block all email from spammers and from the computers they use. The fact that you are advertising a legitimate product will not stop you from being added to their lists!

Blocking Spam

Spam is difficult to catch because what looks like spam to one person looks like a legitimate message to another. There are two basic techniques, and most spam filters use both. A large number of tests is applied to each message; every test that fires adds (or subtracts) a score, and the scores are summed to give an overall value for the message. The message is then judged spam or non-spam (ham) according to whether that value reaches a threshold. Inevitably this produces some false positives (good messages marked as spam) and false negatives (spam marked as good), so the trick is to set a threshold which keeps both low. That can only be done by analysing the pattern of messages and adjusting the threshold as the pattern changes. That said, a reasonable default should catch perhaps 90% of spam whilst only very rarely giving a false positive.

One technique is to use the lists generated by the various bodies which monitor Internet email traffic; these are normally published as DNS-based blocklists (DNSBLs), which a mail server queries for each address that connects to it. In general they rely on people notifying them that an address or computer is sending spam. Other lists are kept of computers which are acting as open relays, that is, mail servers which will forward mail from anyone to anyone.

The other main technique is to analyse the contents of the message itself. This is not easy and it uses a vast array of tests. To illustrate the problem, imagine an email that referred to studs, stallions and teenage girls. For most people this would be a strong indication of a pornographic message, but if you are running a riding school there is a good chance that it is perfectly legitimate! Luckily the tests are much more sophisticated than that, but it shows the problems involved in identifying spam.
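As an added worked example (not part of the original Vine Software note), here is a miniature scoring filter in Python that combines the two techniques just described: a DNSBL-style check on the sending address and a handful of content tests, summed against a threshold. The sample messages, the blocklist zone dnsbl.example, the listed addresses and the test weights are all constructed for the illustration. The evaluate function shows how moving the threshold trades false positives against false negatives, including for the riding-school message from the text.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender_ip: str
    subject: str
    body: str
    is_spam: bool   # ground truth, used only to measure the filter


# Constructed sample mail (not real messages). The riding-school message is the
# "studs and stallions" case from the text: legitimate, but it would trip a naive filter.
SAMPLES = [
    Message("192.0.2.10", "YOU ARE A WINNER", "Claim your FREE prize now!!! V1agra cheap.", True),
    Message("203.0.113.5", "Stallions and studs for teenage riders",
            "Our riding school has two new stallions; studs for the teenage girls' class on Saturday.", False),
    Message("203.0.113.9", "re: your account", "You are the winner of a free prize! Reply now!! Act fast!", True),
    Message("203.0.113.7", "Minutes from Tuesday", "Attached are the minutes. Free for lunch on Thursday?", False),
]

# Stand-in for a DNS-based blocklist (DNSBL): a real filter resolves
# <reversed IPv4>.<zone> and treats any A record as "listed". The zone name is a
# placeholder, not a recommendation of any particular list.
DNSBL_ZONE = "dnsbl.example"
LISTED_IPS = {"192.0.2.10", "198.51.100.77"}   # assumed answers from that zone


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Name a DNSBL client would look up for an IPv4 sender address."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def on_blocklist(ip: str) -> bool:
    return ip in LISTED_IPS   # offline substitute for the DNS query


# Each test returns a score: positive is spam-like, negative is ham-like.
# Weights are illustrative assumptions, not tuned values.
TESTS = [
    ("sender on DNSBL",       lambda m: 3.5 if on_blocklist(m.sender_ip) else 0.0),
    ("subject all capitals",  lambda m: 1.5 if len(m.subject) > 5 and m.subject.isupper() else 0.0),
    ("money words",           lambda m: 1.0 * len(re.findall(r"\b(free|winner|prize)\b", m.body, re.I))),
    ("many exclamations",     lambda m: 1.0 if m.body.count("!") >= 3 else 0.0),
    ("obfuscated drug name",  lambda m: 2.0 if re.search(r"\bv[i1!]agr[a4]\b", m.body, re.I) else 0.0),
    ("riding-school context", lambda m: -2.0 if re.search(r"\briding school\b", m.body, re.I) else 0.0),
]


def score(msg):
    """Total score and the individual tests that fired."""
    hits = {}
    for name, test in TESTS:
        s = test(msg)
        if s != 0.0:
            hits[name] = s
    return sum(hits.values()), hits


def classify(msg, threshold):
    return score(msg)[0] >= threshold


def evaluate(messages, threshold):
    """(false positives, false negatives) for a threshold over labelled messages."""
    fp = sum(1 for m in messages if classify(m, threshold) and not m.is_spam)
    fn = sum(1 for m in messages if not classify(m, threshold) and m.is_spam)
    return fp, fn


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10"))
    for m in SAMPLES:
        print(f"{score(m)[0]:5.1f}  {m.subject}")
    for t in (0.5, 3.0, 5.0):
        print(f"threshold {t}: false positives/negatives = {evaluate(SAMPLES, t)}")
```

On these four messages a threshold of 3.0 classifies everything correctly, 5.0 lets the unlisted spam through (a false negative) and 0.5 condemns the innocent lunch invitation (a false positive); the riding-school message scores negative because a context test outweighs the suspicious words, which is exactly the kind of adjustment a real filter's rule set makes.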

Some spam messages will get through. For the viruses, Trojan Horses and other payloads they may carry, see the sections below. To avoid signalling back to the spammer that you have read the message, do not display the HTML version of the email or, more practically, configure your email reader so that it does not fetch remote images when an HTML message is displayed: such images are often a single pixel and carry a code unique to your address, so fetching them tells the sender that the message was opened.

The Dangers of Spam

At first sight the only problem with spam is the annoyance of getting messages which are not wanted and the distaste of the content of many of them. However it carries a more serious threat. Many of the nasties described below rely on human intervention to trigger them, and for many the act of opening a spam message or following a link from one is enough. At the very least the message may report back to the sender, so they know that your address is active and thus a profitable place to send even more spam!

Phishing

These are scams designed to trick you into revealing personal information such as credit card or online banking details, which are then used to buy products or to empty your bank account. The common way of doing this is to send an email directing you to a web site which looks like the genuine web site of, say, your bank, and persuading you to "confirm" your credit card or online banking login details.

Note that some of these sites behave exactly like the real thing, even sending you to the correct place in the genuine site; but by then they have your login details.

In the past these details were usually sold on, but in 2007 a new type of phishing site was detected which uses the details immediately to spend your money.

Avoiding phishing scams

If an email asks you to go to a web site, compare the address you actually end up at with the one shown in the email; the text of a link and the place it really points to need not be the same, and most email readers will show the real destination if you hover over the link before clicking. If the two differ there is probably a problem. If there is any doubt, ignore the link and go to the web site in the normal way, by typing the address you already know or using a bookmark.

Some web browsers have anti-phishing add-ons which can reduce the risk but it is not possible to totally eliminate it.
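The two checks described above, for the remote tracking images mentioned under Blocking Spam and for links whose text does not match their destination, can both be automated. The Python below is an added example, not code from the original note; the HTML body, the bank name example-bank.com and the other hosts in it are constructed. It parses an HTML message, flags remote images (and 1x1 tracking pixels), and flags links whose visible text names one host while the href goes to another, points at a bare IP address, or hides the real host behind a user@ prefix.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body (not a real message) showing the tricks discussed above:
# a link whose visible text names the bank but points elsewhere, a link that
# hides the real host behind a user@ prefix, an honest link, and a 1x1 remote
# image that reports back when the mail is rendered.
SAMPLE_HTML = """
<p>Your account needs verification.</p>
<a href="http://www.example-bank.com.login-check.example/verify">www.example-bank.com</a>
<a href="http://www.example-bank.com@198.51.100.9/login">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help</a>
<img src="https://mail.spammer.example/open?id=abc123" width="1" height="1">
"""


class _Collector(HTMLParser):
    """Gather (href, visible text) for anchors and (src, attrs) for images."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _split(url):
    return urlsplit(url if "://" in url else "http://" + url)


def host_of(url):
    """Lower-cased host a browser would actually connect to (ignores any user@ prefix)."""
    return (_split(url).hostname or "").lower()


def registrable(host):
    # Simplification for the example: the last two labels. Real code should use the Public Suffix List.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def looks_like_url(text):
    return bool(text) and "." in text and " " not in text


def analyse(html):
    """Return (kind, visible_text, url) findings for an HTML mail body."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings = []
    for href, text in p.links:
        target = host_of(href)
        if looks_like_url(text) and registrable(host_of(text)) != registrable(target):
            findings.append(("link text/destination mismatch", text, href))
        try:
            ipaddress.ip_address(target)
            findings.append(("link to bare IP address", text, href))
        except ValueError:
            pass
        if _split(href).username:
            findings.append(("user@ prefix hides real host", text, href))
    for src, attrs in p.images:
        if src.lower().startswith(("http://", "https://")):
            tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            findings.append(("remote tracking pixel" if tiny else "remote image", "", src))
    return findings


if __name__ == "__main__":
    for kind, text, url in analyse(SAMPLE_HTML):
        print(f"{kind:32} {text!r:45} -> {url}")
```

The second link in the sample shows why checking the visible text is not enough: its text is a perfectly good bank URL, but the browser connects to 198.51.100.9 and treats everything before the @ as a user name. The registrable() helper is deliberately crude; a production checker needs the Public Suffix List so that, for instance, bank.co.uk is not judged to be the same site as scam.co.uk.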

Viruses

A computer virus is a program which attaches itself to other programs or documents so that it is run, and makes further copies of itself, whenever they are used. Some are benign and merely reproduce, but most also do something unpleasant to their host or to another computer. They used to be passed on by infecting floppy disks, spreading to every floppy written on an infected computer. Nowadays they are spread mainly by email.

The payload is a program hidden in the email which is run when you open the attachment or, where the email reader's image-handling code has a flaw, merely when an image is displayed. It usually deposits a program which, either immediately or at some time in the future, will do something unpleasant on your computer. It also looks for new victims in your email folders or address book and sends them emails containing copies of the virus, so that the message appears to come from someone they know.

Blocking Viruses

Viruses are relatively easy to block once they are known. Anti-virus programs, given the signature of a virus, will detect it in an email and flag the message as infected. There is always a window between a new virus appearing and its signature being distributed, during which the scanner gives no protection, so keep it up to date and treat it as a second line of defence behind the precautions below.

All email-borne viruses rely on the attachment in which they are hidden being opened. On older Windows mail readers this could cause any embedded program or script to run automatically; it is usually possible to turn this off, and most current email readers refuse, or at least warn, before running an executable attachment. Beware of names such as invoice.pdf.exe, which Windows displays as invoice.pdf when it is set to hide extensions for known file types. The rule is: do not open a message about which you are suspicious, and never run an attachment from within the email reader; save it and check it first.
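The attachment rule above can be enforced mechanically before a message ever reaches the user. This Python is an added example rather than anything from the original note: it parses a raw message with the standard email library and reports attachments that are executable by extension, that hide an executable behind a double extension such as invoice.pdf.exe, or whose contents start with the MZ header of a Windows executable whatever the name says. The sample message and its attachments are constructed (the "executable" is a few stand-in bytes, not a program); the extension lists are illustrative, not complete.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs when the file is double-clicked. Illustrative, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk", ".msi", ".dll", ".cpl"}
# Harmless-looking extensions used as the first half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".jpeg", ".png", ".gif", ".txt", ".zip"}


def classify_attachment(filename: str, data: bytes) -> list:
    """Reasons an attachment should be treated as an executable, or [] if none."""
    name = (filename or "").lower()
    parts = name.rsplit(".", 2)             # "invoice.pdf.exe" -> ["invoice", "pdf", "exe"]
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if len(parts) == 3 and "." + parts[1] in DECOY_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append("double extension hides an executable behind a document name")
    if data[:2] == b"MZ":                   # DOS/PE header: a Windows executable whatever it is called
        reasons.append("MZ header: content is a Windows executable")
    return reasons


def scan(raw: bytes) -> list:
    """[(filename, reasons)] for every attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        results.append((filename, classify_attachment(filename, data)))
    return results


def build_sample() -> bytes:
    """Constructed message: a disguised executable, a genuine PDF, and an executable mislabelled as JPEG."""
    m = EmailMessage()
    m["From"] = "accounts@supplier.example"
    m["To"] = "you@example.org"
    m["Subject"] = "Invoice attached"
    m.set_content("Please find the invoice attached.")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60   # stand-in bytes with a PE-style header, not a real program
    m.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                     filename="Invoice_2007.pdf.exe")
    m.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                     filename="terms.pdf")
    m.add_attachment(fake_exe, maintype="image", subtype="jpeg", filename="photo.jpg")
    return bytes(m)


if __name__ == "__main__":
    for filename, reasons in scan(build_sample()):
        print(filename, "->", reasons or ["looks harmless"])
```

The third attachment is the important one: its name and declared MIME type both say "picture", and only looking at the first bytes reveals an executable. A gateway that trusts names or Content-Type headers alone will let it through.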

Who can catch a virus?

Note that viruses are not confined to Windows: any operating system on which a user can run a program can in principle run a virus, and viruses for Linux, Apple Macintosh and mobile phones do exist, though they are rare. Windows has nevertheless been the overwhelming target, partly because there are so many Windows computers and partly because of design decisions: the pre-NT versions (Windows 95, 98 and ME) had no separation between users and no file permissions, so any program could alter any part of the system, and Windows email readers were for years willing to run content straight out of a message. Using another system, at least for reading email, reduces your exposure but does not make you immune. In any case all operating systems are susceptible to the other nasties described here, so avoiding Windows is of limited benefit.

Trojan Horses

These are programs that pretend to be, or replace, a legitimate program in order to do some nefarious deed (see the CERT description and advice). To further confuse things they often also do the job of the original program they replace. For example one might mimic the login program: as well as letting you log on to the computer, it also notes your user name and password and sends them over the Internet to its base.

The Trojan Horse must get onto the computer somehow. One way is for a virus to fetch the program from the Internet and copy it onto the host, or for the program to be carried as part of the virus payload. A more common method is to masquerade as a browser plugin: a spam email directs the user to a web site which displays a popup suggesting you install the plugin, the user falls for the con, installs it, and the Trojan Horse is in place.

Blocking Trojan Horses

There is little to block that is specific to Trojan Horses. They arrive by virus or by human folly: the former is dealt with above, and the best cure for the latter is never to install software you did not go looking for, and to do day-to-day work from an account that cannot alter system programs, so that a Trojan Horse started by mistake cannot replace them. Some systems also take a periodic signature (a checksum or cryptographic hash) of every system file. If a file changes, the System Administrator is informed on the assumption that they know whether the change is legitimate and how to back it out if it is not; Tripwire and AIDE are examples of such tools.
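The periodic-signature idea described above is simple to implement. The Python below is an added example, not a Vine Software tool and not Tripwire or AIDE themselves: snapshot() records a SHA-256 hash, permissions and size for every file under a directory, compare() reports what has been added, removed or changed, and demo() builds a throwaway directory, simulates a Trojan Horse replacing a constructed login stub and dropping a helper file, and shows both being caught. All file names and contents are constructed for the illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Relative path -> (sha256, mode, size) for every regular file below root (symlinks skipped)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = (h.hexdigest(), st.st_mode & 0o7777, st.st_size)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Files added, removed, or whose contents/permissions changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Simulate a Trojan Horse replacing 'login' and dropping a helper, then detect it."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        login = os.path.join(bindir, "login")
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec /sbin/real_login \"$@\"\n")   # constructed stand-in for the real program
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"original ls\n")
        baseline = snapshot(root)        # taken while the system is known-good

        # Constructed replacement: behaves like the original but also records the password.
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nrecord_password \"$@\"\nexec /sbin/real_login \"$@\"\n")
        with open(os.path.join(bindir, "helper.so"), "wb") as f:
            f.write(b"dropped by the trojan\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Two caveats matter in practice. The baseline must be kept where the intruder cannot rewrite it (read-only media or another machine), otherwise the Trojan Horse simply re-signs itself; and the hash must be cryptographic, as here, so that a substitute cannot be padded to match the stored value.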

Internet Worms

These are programs that traverse the Internet, exploiting weaknesses in network services to propagate further. Unlike viruses they do not rely on human intervention: a worm scans for other computers running a vulnerable or misconfigured service and attacks them directly, and may also damage the service or the computer itself as it goes.

Blocking Internet Worms

Worms attack any computer that exposes a vulnerable network service, and that includes ordinary desktop PCs: the Blaster and Sasser worms of 2003 and 2004 spread between Windows XP machines with no user involvement at all. So a normal user should keep the operating system patched and run a firewall that blocks unsolicited incoming connections. System Administrators should also ensure that servers have the latest patches and are configured correctly, and that firewalls block unauthorised ports in both directions: blocking unauthorised outgoing connections may stop a worm that does get in from propagating further.

Some Myths Exploded

This section is of general interest, going over what people say about spam, viruses and so on. Everybody commenting has their own axe to grind, so here is a more careful look:

All computers are susceptible to viruses

Strictly this is true: any computer that will run a program for its user will run a virus, and viruses for other systems exist. What is not true is that all computers are equally at risk. Almost all viruses in circulation are Windows viruses, and the reason is a combination of weaknesses in the design and default settings of Windows together with its sheer numbers.

Modern operating systems, Linux and Apple's Mac OS X among them, use the hardware of the computer to ensure that if a program goes out of control (as they often do) it only affects that program; it cannot write into other programs or into the operating system (the part which directly controls the hardware such as disks and modems), and a file permission system stops an ordinary user's program from altering system files. This has been standard practice for over 30 years. The consumer versions of Windows up to Windows ME left the system's own memory writable by applications and had no file permissions, so a rogue program could do what it wanted, such as install a copy of itself inside the operating system. The NT-based versions (Windows NT, 2000, XP and later) do have hardware memory protection and file permissions, but the habit of running everything as an Administrator, which most home installations still do, means that a virus run by the user can still do more or less what it wants. On a system where the user is not an administrator its scope for damage is restricted to that user's own files.

Also the virus must be run. When Microsoft moved its email readers onto the Internet, Outlook and Outlook Express rendered HTML mail with the Internet Explorer engine, so a message could carry scripts that ran as soon as it was displayed, even in the preview pane. Although the dangers of this were pointed out to Microsoft, particularly given Windows' weak protection, it was only later security updates that turned this off by default. Other systems might allow the attachment to be saved and then run, or to be used as data by an existing program, but in general they will not run it simply because the message is read.

Windows programs are attacked because they are more common

There is more than a grain of truth in the statement: the more common a system is, the more attackers it attracts, and that alone accounts for much of the difference. But it is not the whole story. The open source Apache web server has for years been the most common web server on the Internet, probably running more web sites than every other type combined, yet the most destructive automated attacks on web servers of the period, the Code Red and Nimda worms of 2001, targeted Microsoft's IIS, because it shipped with exploitable flaws in components that were enabled by default.

Similarly, Internet Explorer has had so many serious flaws that a 2004 US-CERT vulnerability note (VU#713878), after offering a long list of ways of making it more secure, listed using a different browser among its recommended solutions.





Vine Software
Hughes Alley, Barton Street, Tewkesbury, Gloucestershire, UK GL20 5QB
Tel: +44 (0)1684 291326
Fax: +44 (0)1684 290284
Email: info@vine.co.uk

©1995-2007 Vine Software
Wednesday, 25-Jul-2007 14:21:32 BST