A cure that's worse than the disease

One in 12 e-mails were infected by MyDoom. But commercial antivirus software stopped the rot, didn't it? Quite the reverse, says Charles Arthur

Wednesday 11 February 2004 01:00 GMT
The tide seems to be turning: the other night my personal inbox was only half filled with e-mails that were the result of MyDoom. At some stages last week, more than eight in 10 of the e-mails I received were rubbish related to that infernal virus.

Some commentators were happy to blame the MyDoom phenomenon on "dumb users" who would click on any old attachment without thinking about the possible outcome. I think that's unfair. MyDoom's author was smart. The message appeared to come from someone you might know. It often had the subject line "Test"; and it said you'd have to click on the attachment to view it, because it used Unicode (a text-encoding method far superior to ASCII, because it can represent characters from all sorts of languages). A test message, from a friend, that can't be displayed? What's so obviously dangerous about that? Other versions came as "Server error", with a similar "can't be displayed" message. All are reasonable, feasible messages in an e-mail (unless you happen to know that your machine can already display Unicode, and since most people don't know what it is, they wouldn't). So I'm not willing to blame those who got infected. MyDoom contained a brilliant piece of social engineering. The gobbledygook was no more dense than a Windows Help file.

When they clicked on the attachment, the infectees' computers should have protected them. The e-mail program itself, and any antivirus software they had, should have come to their rescue. But it didn't. Windows doesn't separate the authorities required to install new software from those required just to view attachments; so you can get infected by an executable program when you thought you were looking at a file. That's because Windows started life as MS-DOS, which was always intended to be a single-user product, not shared among users with different levels of authority over the machine. The antivirus companies couldn't protect people because in general they can only ward off programs they already know about.

At one stage MyDoom-laden viruses made up one in 12 of all e-mails travelling over the internet. But it's a safe bet that an equal number - perhaps more - were copies of those e-mails bouncing off mail servers protected by antivirus companies, or triumphant messages from those companies to their clients proclaiming that they'd protected them from harm.

This is what really annoys me about the whole internet-virus problem. The bouncing isn't necessary. The triumphalism isn't necessary either. Yet badly written software and a group of people who frankly don't care about the harm that they cause are making the virus problem worse. I'm talking about postmasters and the antivirus companies themselves. It's time for them to clean up their act.

Many of the e-mails I received came from mail servers and antivirus "shields", blaming me for sending MyDoom to someone. Obviously wrong: the virus fakes the "From:" in its message. And this is hardly a modern trend. Since December 2001, when the Klez virus appeared, this "spoofing" of the origin of the address has been a feature of mass-mailing viruses. Yet more than two years on, we're still getting snotty messages from automated systems accusing us of spreading havoc.

Now, I am certain that I've never sent any viruses, because I'm using Mac OS X, and there are no viruses on that platform. So I was confident that I wasn't a culprit when I e-mailed one site that claimed I had sent it a virus, asking it to stop increasing the amount of pointless e-mail traffic. "Your virus software is making the virus problem worse, increasing the e-mail load by sending messages to people who have not sent viruses, because as you know, all mass-mailer worms now spoof the 'From:' address," I wrote.

I got the reply: "IMHO it is better to reply and warn people that they may be virus-infected than to ignore the problem and hope it goes away. If you do not want your e-mail address used as a spoof, educate the people to whom you send e-mails to not run viruses." It's a nice idea that we could stop all our internet neighbours getting virus-infected; the same approach to petty offences in real life would bring the crime rate down to zero overnight. Assuming that it were possible - which it isn't, in real life or online. Still, I did manage to persuade the site - Applserv of Brighton - to change its policy.

But millions of sites are still sending warnings to innocent people, causing more worry for those whose machines might be prone to infection. All the antivirus companies I spoke to last week were contrite. "It's not helping, it's hindering," admitted Graham Cluley of Sophos. At McAfee, the senior consultant Jack Clark said: "Once it was a feature that was incredibly useful to tell someone they had a virus infection. But now every mass-mailer spoofs."
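The bounce problem the article describes, modelled as an added example (not code from the article or from any of the vendors named): a minimal mail-gateway policy that shows where a "you sent us a virus" alert ends up when the worm has spoofed the From: address, beside the policy that generates no such traffic. The message, the addresses and the attachment-based "signature match" are all constructed assumptions.

```python
# Added example: why "notify the sender" virus alerts turn into backscatter
# once mass-mailer worms spoof From:, and the quarantine-only alternative.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Message:
    envelope_from: str      # MAIL FROM given by the sending machine
    header_from: str        # From: header, chosen freely by the sender
    to: str
    subject: str
    attachment: Optional[str] = None


# Constructed sample of a MyDoom-style lure. The worm took an address found on
# the infected PC (alice@example.org) and put it in From:; alice never sent it.
WORM_MAIL = Message(
    envelope_from="alice@example.org",
    header_from="alice@example.org",
    to="bob@example.net",
    subject="Test",
    attachment="message.zip",   # executable payload under an archive name
)

# Assumption standing in for a real signature match: any executable-style attachment.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".zip")


def looks_infected(msg: Message) -> bool:
    """Placeholder for the antivirus engine's verdict (assumed, see above)."""
    return msg.attachment is not None and msg.attachment.lower().endswith(EXECUTABLE_EXTENSIONS)


def gateway(msg: Message, notify_sender: bool) -> List[Tuple[str, str]]:
    """Return the (recipient, text) pairs the gateway would send out for msg.

    notify_sender=True is the behaviour the article criticises: the alert goes
    to the spoofed From: address, i.e. to an innocent third party.
    notify_sender=False quarantines and tells only the local recipient.
    """
    if not looks_infected(msg):
        return [(msg.to, "delivered")]
    out = [(msg.to, f"quarantined: {msg.subject} ({msg.attachment})")]
    if notify_sender:
        out.append((msg.header_from, "Warning: you sent us a virus"))  # backscatter
    return out


def external_notifications(msg: Message, notify_sender: bool, local_domain: str = "example.net") -> List[str]:
    """Addresses outside our own domain that the chosen policy would mail."""
    return [r for r, _ in gateway(msg, notify_sender) if not r.endswith("@" + local_domain)]
```

With the constructed worm message, the notify-sender policy mails alice@example.org, who never sent anything; the quarantine-only policy produces no outbound mail at all.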

Odd, then, that these products, or their implementation, have stood still. Antivirus companies began appearing in 1986. Windows 3.1 appeared in 1992. The first mass-mailer virus, Melissa, appeared in 1999. Since then viruses have improved hugely, carrying their own e-mail-sending program, able to choose from addresses on the machine. Antivirus products struggle to keep up; Windows struggles to protect you (and it) from yourself (and itself). It's a big win for the virus writers. In software, it seems the devil has the best coders.

network@independent.co.uk
