The Anti-Virus Software Myth Revisited

Do you really need it? – Dribble Snort

As you may remember from my first article, I absolutely REFUSE to load any sort of anti-virus protection software.

Why?

It’s bloated.

It uses too many system resources.

It is not 100% effective. Virus software is “reactionary” in nature so, by its very design, it CANNOT be 100% effective.

It costs money I could use for strippers and beer.

And now we can add, “Dumb as a stump”, to the list.

How was SoBig.F born? It was a multi-part, MIME-formatted message packed in with a porn pic released to the newsgroups. Some user, probably using OE as their newsreader, downloaded it, got happy fingers, and executed it.

How many of you got infected in the latest SoBig.F outbreak? I would bet not many because of some inside information I acquired (see below).

In our community, we’re usually on top of things like this so we’re pretty up-to-date as far as loading security patches is concerned, but I know some of you reading this were compromised.

How many of you “received” a bunch of emails infected with the SoBig.F virus? Personally, I “received” over 1200 emails at my main Yahoo account in one day, and a total of about 4000 over a 4-day period. I didn’t get infected, and I’m still not using anti-virus software. But I surmise that bunches of people are using virus protection software. How do I know? Because AV Tools made the problem worse, rather than helping, due, entirely, to their stupidity!

How do I know this? Because I received about 3000 freaking bounced email notifications sent to me by Anti-virus programs that “thought” I was infected. All because they were too “STOOPIT” to know worms forge email addresses in the “from” field!

We all know that worms harvest addresses from your address book to find targets to propagate to. We also know they send the infected mail either through your email program or, just as likely, through a simple SMTP engine the worm installs as part of its payload.

Because SoBig.F used this method, the IP address of the “truly infected” computer is in no way, shape, or form hidden!! It is in plain view in the header section. (Ed. note: You might want to look here to find out how to reveal all the headers in your email program.)

It literally takes about 6 seconds for SpamCop to find the “truly infected” machine from the email headers.

Yet millions of messages were generated and sent by AV Tools identifying the wrong machines.

This caused major confusion among non-technical users who thought they were infected, and the bounces drained bandwidth and resources from ISPs fighting against the worm’s effects.

In addition, users sucked even more bandwidth as they downloaded updated virus definition files. To wit, “Users were busy shutting the barn doors after all the horses escaped!”

So… we have an easily identified computer out there spewing infected emails with forged “from” fields to AV users. There are tons of poor slobs out there who have nothing to do with the situation getting hammered by bounce after bounce after freaking bounce(!) telling them they’re infected. This is actually tantamount to a poor man’s DDoS, except the “good guys” are the ones doing it!

So, in this game, SoBig vs AV, we have:

  • Infected emails bouncing all around the net using bandwidth
  • Incorrect virus notifications bouncing all around the net using bandwidth
  • Users downloading virus updates all over the net using bandwidth

If this were a soccer match, the score would be SoBig.F 3, AV Tools 0, with AV putting the ball in their own net twice.

What I Do Instead

I mentioned in my first article that behavior trumps all. I’ve stated that modifying your behavior will do more to prevent these problems than ANY software ever could. It’s because behavior is “proactive”, while AV Tools are “reactive”. In order for the virus definition files to be updated to reflect a new threat, that threat must actually “exist”, meaning a virus must have been released into the wild and propagating BEFORE they can find it and identify it to defend against “further” infections. Behavior prevents infection in the first place because you do not execute an email attachment that is a virus or worm.

My recommendation is to use an email program that isn’t made by Microsoft (Outlook or Outlook Express). There are PLENTY of full-featured email programs out there that are invulnerable to worm and virus infection, and are free!

If, however, you are “forced” to use either MS Outlook or MS Outlook Express, at a minimum you should disable the preview pane. This prevents the virus/worm payload from executing when you single-click on the message for most virii.

My other recommendation is to simply refuse all attachments that are of an executable nature because you can never guarantee that the person who sent you the email is virus-free.

Some common examples of executables are:

.exe, .com, .bat, .scr, .pif, .js, .vbs

If someone feels the need to send you something, ask him or her to send a link to the file instead. Hosting places such as tucows, download.com, and fileplanet get updated definitions before you can, and they scan their files regularly, so you can feel pretty secure that their files are clean.
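An added example (not from the article): a check over a constructed MIME message that refuses attachments by the extension list above, and also catches an executable hiding behind a harmless-looking name or Content-Type by inspecting the first bytes of the decoded payload. The sender, filenames and contents are constructed; the “MZ” bytes stand in for a Windows executable header.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article names as executable (.scr is the screensaver executable).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".scr", ".pif", ".js", ".vbs"}

def build_sample():
    """Construct a worm-style mailing (constructed sample, not a real worm):
    a text body plus three attachments. 'MZ' is the DOS/PE executable
    signature; here it is followed by padding, not real code."""
    msg = EmailMessage()
    msg["From"] = "innocent.bystander@example.org"   # forged, as the article describes
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    # Executable bytes labelled as a picture: name and type both lie.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    # Executable by extension, which the article's rule already refuses.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="details.pif")
    # A genuinely harmless attachment that should pass.
    msg.add_attachment("just notes", filename="notes.txt")
    return msg.as_bytes()

def risky_attachments(raw):
    """Return (filename, reason) for every attachment to refuse: first by the
    extension rule, then by executable signature regardless of what the
    filename or Content-Type claims."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTS:
            flagged.append((name, "executable extension"))
        elif payload[:2] == b"MZ":
            flagged.append((name, "executable signature despite " + part.get_content_type()))
    return flagged
```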

I use Spy Bot in conjunction with Ad Aware to spot spyware and malware, and Sygate serves as my firewall protection.

I do NOT open email from users I don’t know.
I do NOT use MS Outlook at home.
I do NOT accept attachments. EVER.
I DO use SpamCop to fight spam.

I do NOT get infected.

Do Unto Yourself Or It Will Be Done Unto You

Some do not care to modify their behavior though. It’s probably because they do not foresee how the consequences of their actions will affect the internet as a whole in the future.

“To each his/her own” is my motto, so you can do whatever you want. But, you’d better be cognizant of the fact MS is using this outbreak as an opportunity to push their agenda in the press to force you to allow them to automatically examine your computer remotely to ensure you’re up to date on patches.

That “gurgling” sound you just imagined was your personal privacy online taking a sucking chest wound.

Of course, we in the community are partially at fault because we are too arrogant to properly educate ourselves and educate our non-technical brethren.

How do I know we “in the community” are too arrogant to educate ourselves? Some of you guys/gals out there in overclockers.com forums got infected and sent me infected emails! When I traced the infected emails I received, some of the IPs matched the IPs from emails from “some” people who frequent the www.overclockers.com forums!

Some will want to know, “Who was it?” (I cannot tell because I gave both people my word I’d not reveal their identities), and some will say, “Screw it. It doesn’t matter what he thinks. I’ll continue on doing what I’ve done all along.”

Hold on there Sparky, because if you won’t modify your behavior, some company will write a program to do it for you, and you’ll be left with no alternative except to live with it or use a fax instead of a computer.

What To Do?

For You

I’ve said it before…

  • Do NOT use programs like Outlook and Outlook Express!
  • Do NOT open emails from people you do not know!
  • DO NOT OPEN ANY EXECUTABLE ATTACHMENTS (.pif, .scr, .exe, etc.) from ANYONE!!!
  • Re-read sentences 1-3

Just what part of those 4 sentences is so difficult for users to understand is beyond me, but if people do NOT start computing responsibly, your choice to do so will be “removed” by some company. If you value your privacy, protect it, or you’ll be forced to rely on someone else with their own agenda to do it for you.

For Others

How can we stop worms like this, or more precisely, those who won’t act responsibly? As I stated before, I use SpamCop.

You simply paste in the header information from your email program and press a button. It parses the REAL origination point for the email based on the IPs in the headers to determine where it came from. This takes anywhere from 2 – 15 seconds depending on how many users are using the system at the time.

It displays all the contact information for the domain the email originated from, and also includes the header information for the email so the domain’s abuse contact can take action against the user. Since we already have the infected machine’s IP address, simply trace it and contact their ISP!

Whether knowingly done or not, sending spam, or worse yet worms designed to infect machines and then send spam, is a direct violation of the TOS/AUP of damn near EVERY ISP in the world!

AV Tools could easily add a routine to parse the IP of the incoming email, similar to the way SpamCop parses the original IP of incoming SPAM, and then pull the contact information for the ISP in question, then email the ISP of the person who “really” sent the infected email so the ISP can enforce their TOS/AUP.
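An added example (not from the article or from SpamCop) of the lookup described above: the Received chain is walked from our own relay outward, and the first hop that is not one of our relays is the machine that actually connected to us, while the From address is where a naive AV “bounce” would be misdirected. Hostnames, addresses, timestamps and the trusted network are constructed; the bottom Received line is deliberately fake, as a worm’s own SMTP engine could insert it.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers. The two upper Received lines were added by real
# MTAs on the way to our mailbox; the bottom one was written by the sender
# itself and cannot be trusted. The From line is forged.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mailbox.example.net with ESMTP id abc123
\tfor <victim@example.net>; Fri, 22 Aug 2003 10:01:07 -0400
Received: from pool-198-51-100-77.isp.example ([198.51.100.77])
\tby mx2.example.net with SMTP id def456; Fri, 22 Aug 2003 10:01:05 -0400
Received: from mail.forged.example ([203.0.113.9])
\tby smtp.forged.example; Fri, 22 Aug 2003 09:58:00 -0400
From: innocent.bystander@example.org
To: victim@example.net
Subject: Re: Details

See the attached file for details.
"""

# Network our own mail relays live in (assumed for this example).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(raw):
    """Connecting IP named in each Received header, newest (top) first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        from_clause = re.split(r"\s+by\s+", hdr, maxsplit=1)[0]  # keep only "from ..."
        m = IP_RE.search(from_clause)
        ips.append(m.group(1) if m else None)
    return ips

def originating_ip(raw, trusted=TRUSTED_NETS):
    """Walk outward from our own relays; the first hop not belonging to them is
    the host that really connected to us. Everything below it in the chain was
    supplied by that host and may be forged, so it is never consulted."""
    for ip in hop_ips(raw):
        if ip and not any(ipaddress.ip_address(ip) in net for net in trusted):
            return ip
    return None

def forged_sender(raw):
    """The From address: the innocent party a naive AV bounce would hit."""
    return parseaddr(message_from_string(raw)["From"])[1]
```

Reports belong with the ISP responsible for `originating_ip`, not with whoever appears in `forged_sender`.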

Once that is done, worms like this would be stopped in their tracks long before they reached the critical level of the last SoBig.F outbreak.

ISPs would benefit because they would not be marked as spammers and blacklisted on Spam Black Lists (SBLs). I personally LART each and every infected email I receive because I did not ask to receive it, so it “is”, by the very definition of the word, spam.

I researched nearly every infected email and found that the vast majority came from LESS than 50 computers.

I also traced the emails without SpamCop to see if people who do not use the service could find the origination.

Once the headers containing the IPs were obtained, a quick click of my favorites took me to www.arin.net where I entered the IP address and clicked a button to find the host’s contact information.

Then I emailed them to report the worm’s victims to them so they could take action. It does not mean the person loses their Internet access…it just means that the ISP can block the email from re-sending itself to all of God’s green earth.

As soon as they saw the headers from the emails, they blocked the worm’s traffic (email) and notified the users to clean their system. The entire process of stopping the 4000+ infected emails and 3000+ bounces took less than 4 hours over a period of 4 days. Not much time wasted considering the alternative of letting Microsoft or some unknown company out there determine my level of privacy online.

The choice is yours to make. Do nothing, or get proactive to guard against the spread of worms and the like.

Choose wisely while “you” still have a choice.

Dribble Snort
