I'm sure that everyone who has an email account has
received emails similar to these:
"PLEASE READ THIS AND FORWARD:
CBS will be forced to discontinue "Touched by an Angel" for
using the word God in every program..."
"Dear Hotmail user:
Because of the sudden rush of people signing up to Hotmail, it has
come to our attention that we are vastly running out of resources…
…"
"Malls on 10/31:
I think you all know that I don't send out hoaxes and don't do
the reactionary thing and send out anything that crosses my path. This
one, however, is a friend of a friend and… …"
There is an enormous amount of disinformation around,
and unfortunately the Internet has made it that much easier for people
to spread it. One of the problems is that the perpetrators choose
subjects which tug at one's heart strings, or make one feel guilty for
not contributing, perpetuating, replying etc. There are some useful web
sites on this topic, and it turns out that the chain letter has been
around a lot longer than one might have expected: the concept was used
centuries ago, by the church, literally to put the fear of God into
unbelievers. (I had a good reference to this but I seem to have lost
it...)
Generally, you can quickly weed out the hoaxes: they
look like they come from a reputable source (e.g. "Someone at
Microsoft…", "A source at AOL", etc.), but they will
be short on specifics: exactly when, where, who, how, whom to contact,
etc. For example, an email has been circulating in South Africa
recently with a photo of a little girl who has apparently been lost.
There is no date, and no indication of what part of the country she
was lost from! The email address given does not exist, and the person
referred to at one of the consulting houses does not exist.
A good rule is to always go back to the (reputed) original source of the
story: generally you will find a note explaining it, or will discover
that the reputed source does not exist. For example, in the case of the
American Cancer Society ("For every new person that this is
passed on to The American Cancer Society will donate 3 cents to cancer
research. Please help us. Forward this to everyone you know. Thanks for
helping!!"), go directly to the American Cancer Society to
read their statement. The statement has recently been moved, and can be
found at http://www.cancer.org/eprise/main/docroot/MED/content/MED_6_1_Chain_E-mail
Just because someone has taken the trouble to create a
web page and type up some information does NOT make it true. The
accepted wisdom is similar to that in the legal or medical fields: Get a
second opinion!
Some useful web sites:
F Secure Hoax warnings: http://www.datafellows.com/virus-info/hoax/
AFU and Urban Legends: http://www.urbanlegends.com/
Barbara and David P. Mikkelson's Urban Legends
Reference Pages: http://www.snopes2.com/
US Dept of Energy - Computer Incident Advisory
Capability: http://ciac.llnl.gov/ciac/CIACChainLetters.html
Vmyths.com (formerly the Computer Virus Myths
homepage): http://www.vmyths.com/
A lovely anti-chain letter was compiled by John Perry
in 1994, and may be found at http://www.perry.com/bizarre/antichn.html
Use at your own risk!
The Curse of a Thousand Chain Letters web site may be
found at http://chainletters.org/
and contains some useful information.
The computer world has spawned a host of
dangerous creatures, with names such as virus, worm, hoax, spam,
…. I will attempt to explain the various types of nasties which
you may come across, and give you some rules for avoiding them. As
with the traditional human diseases, an ounce of prevention is
worth a ton of cure!
Virus is a general term used to
describe a program which can spread from one computer to another.
There are various different kinds of viruses, some more harmful
than others. For example, some of them simply replicate all over
the place doing relatively little damage, while others can cause
you to lose all the data and programs on your computer. But even
if a virus does no damage to your data, the very act of spreading
can cause overloading of computer networks, and hence no virus can
be considered completely harmless.
A worm is a special class of
virus, which exists only in order to spread and multiply. Some of
these are so successful that they completely overload email
systems, causing them to shut down.
To be successful, a virus must be able to spread
rapidly. It is no use if it simply destroys your computer before
it has attempted to spread further: The purpose of all life must
be to spread and multiply. Therefore, all viruses will first and
foremost attempt to replicate themselves, and spread from one
computer to another. Once this has been achieved, the virus may go
on to do other things, such as destroy your data, or simply put up
a message on your screen. The action that the virus takes is
generally referred to as the payload. Often, a virus
will simply sit and wait for a predetermined event, such as a
specific date to be reached, before carrying on to the next step.
In the earlier days, viruses would spread by
attaching themselves to programs, and waiting for the program to
be copied to another computer and then run. Programs would be
transported from computer to computer via floppy disks, so the
speed of transmission would be relatively slow. Today, however, we
are all connected to the internet, and there have already been
cases of extremely virulent programs spreading widely through the
internet within hours of original infection. It is interesting
that new infections generally follow the sun around the earth: If
the original infection occurs, for example in Australia, then it
will appear in Africa and Europe a few hours later, and spread to
the Americas within the next few hours.
In order for a virus to do anything at all, it
must get each computer to execute a program of one sort or
another. Again, in the earlier days, this would be a piece of
machine language code. There are two basic ways in which the code
fragment can get executed. First, it could simply be sent as a
program from one machine to another. It then needs a mechanism to
get it started: This could be by the user executing the program,
or by having the name of the program inserted in an automatic
script of some sort. Another way is for the code fragment to
insert itself into an existing program, so that it is
automatically executed every time that program is run.
So, this leads to the first rule for avoiding
infection: Never execute a program if you are not absolutely
certain that it is not infected.
There is one problem with this rule: How does
one recognise a 'program'? In the earlier days, this meant any
file with an extension of .exe or .com. However, nowadays there
are many kinds of files which can contain executable code of one
sort or another. For example, the following are all possible
carriers of viruses: .arj, .bat, .cab, .dll, .htm, .ocx, .scr,
.vbe, .vbs, to mention just a few.
So a better rule would be: Never open a
file if you are not absolutely sure that it does not carry a
virus.
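The extension check described above, as an added Python example that is not part of the original article: it parses a constructed sample message and flags attachments whose final extension is one the article names, going slightly beyond the text by also reporting when that extension is hidden behind a harmless-looking one. The function names, addresses and file names are assumptions made for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the article names as possible carriers of executable code.
RISKY_EXTENSIONS = {".exe", ".com", ".arj", ".bat", ".cab", ".dll",
                    ".htm", ".ocx", ".scr", ".vbe", ".vbs"}

def classify(filename: str):
    """Return a reason string if the name's final extension is risky, else None."""
    # Windows ignores trailing dots and spaces, so strip them before judging.
    suffixes = [s.lower() for s in PurePosixPath(filename.rstrip(". ")).suffixes]
    if not suffixes or suffixes[-1] not in RISKY_EXTENSIONS:
        return None
    if len(suffixes) > 1:
        # e.g. "holiday.jpg.vbs": the real type sits after a decoy extension.
        return f"{suffixes[-1]} hidden behind {suffixes[-2]}"
    return f"{suffixes[-1]} can carry executable code"

def risky_attachments(raw_message: bytes):
    """Return (filename, reason) for each flagged attachment in a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():              # walk() also reaches nested parts
        name = part.get_filename()
        reason = classify(name) if name else None
        if reason:
            findings.append((name, reason))
    return findings

def build_sample() -> bytes:
    """Constructed sample message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["To"] = "me@example.org"
    msg["Subject"] = "Photos (constructed sample)"
    msg.set_content("See attached.")
    for name in ("holiday.jpg.vbs", "notes.txt", "SETUP.EXE", "report.pdf"):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample()):
        print(f"{name}: {reason}")
```

A name-based check like this is only a first filter: it says nothing about what a file actually contains, so it complements the anti-virus scanning discussed below and does not replace it.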
Does this mean that I cannot read any of my
email messages? In most cases simply reading an email message
cannot execute a virus. There have been some exceptions to this
rule, but these have occurred as a result of holes in the email
programs, and software companies have been careful to repair these
as soon as they appear. So we can add another rule to our list: Make
sure that you keep your software up to date, either with the
latest versions, or by applying the patches or updates provided by
the software company.
There are a few types of email messages which
can contain viruses within the actual text of the email message,
but these are unusual. Generally your email program should have
these types disabled, particularly if you have followed the rule
immediately above.
This still leaves us with a problem: We
routinely send attachments of various kinds via the email system.
How is it possible to be sure that we are not opening a file which
could contain a virus? If you are a real computer fundi, (fundus?)
then you may be able to distinguish which files can contain
viruses from those that cannot… However, for most of us it is a
rather hit-or-miss affair.
For example, I could assume that email messages
I receive from people I know are safe, and simply delete or ignore
messages which are received from people I don't know (or don't
know well). The problem with this rule is that some viruses can
take control of your email program, and will send out copies to
everyone in your address book. So the recipients will think it is
a normal message from you, will open the attachment, and bingo!
Another virus pops out.
I could go a step further, and only open
messages which I receive from people whom I really trust, i.e.
people who run up-to-date anti-virus programs. But even this is no
guarantee.
These days, the only really reliable solution is
to install a good anti-virus program on your computer.
There are some good ones available at reasonable prices. (Keep
away from any which are free; these are generally worthless!) It
is important to remember that new viruses come out every day, and
can spread extremely rapidly. So, just installing an anti-virus
program is not enough: you must update it regularly. For
example, the program I use automatically checks for updates every
time I connect to the internet, and if there are any new viruses
then it updates itself automatically. For other anti-virus
programs you may have to initiate the update yourself, in which
case I would recommend doing so every week or two. Usually it is
not the program itself which is changed, but the table of virus
signatures used by the program to detect viruses.
It is worthwhile to also have an
early-warning system, to draw your attention to any really bad new
viruses which might arise. Many corporates now obtain this
information, and distribute it on their internal email system. You
can also subscribe to various free early-warning services, mostly
run by the anti-virus vendors, and receive emails of significant
new viruses as soon as they occur.
So, to summarise the rules:
- Never execute a program
if you are not absolutely certain that it is not infected.
- Never open a file if you are not
absolutely sure that it does not carry a virus.
- Keep your software up to date, either
with the latest versions, or by applying the patches or
updates provided by the software company.
- Install a good anti-virus program on
your computer.
- Update your anti-virus program and/or
signatures regularly.
- Subscribe to free early-warning
services.
Can you get infected with
a virus just by browsing a web site?
Until recently this was not considered likely,
but the Nimda virus changed all that. This virus was
found on 18th September 2001, and was the first virus to modify
existing web sites to start offering infected files for download.
Nimda made use of a known vulnerability to get a foothold on a web
site, and added a short script to random web pages which opened a
new window and attempted to download a copy of the virus onto the
user's computer. The vulnerability is easily fixed, but can occur
where the operator of the web server does not maintain all
recommended software updates.
The real danger on the web is that you can
download all sorts of software and other documents from any web
site, and that there is no guarantee that these are clean. So once
again the good advice is to follow the rules above, and you have a
good chance of avoiding problems. Be vigilant above all else!
Should Service Providers
scan all email for viruses?
In the past, Internet Service Providers did not
see this as their responsibility. As it is impossible to guarantee
that no viruses will slip through, ISPs may have wanted to avoid
the possibility of any litigation or criticism, and so did not
make any promises. Also, what if they blocked an infected document
which you urgently required? Again, they could run the risk of
litigation through the very action of blocking a virus, real or
assumed.
Nowadays, however, it makes good sense for your
ISP to scan all email coming through their servers. I notice that
some ISPs have introduced this recently, and I fully support it.
Generally you receive a warning message, so you know who sent the
original infected email and can contact the sender to find out
what it was about.
However, as with all things, there are some
potential problems with this approach:
- If it is not done properly then you may
assume that the ISP is dealing with it on your behalf, and not
be as vigilant as you should be … and still get hit by a
virus.
- New viruses can spread extremely rapidly. It
is always possible for a new virus to spread through the
system before the anti-virus tool writers have time to update
the signature files to detect it.
- If you have encrypted your email message or
attachments then the anti-virus scanning program will not be
able to see within it, and will be unable to detect any
viruses. If your messages or data are important enough to
encrypt, then you MUST follow this through by having good
quality anti-virus tools for use after decryption.
So, if your ISP provides this service, you still
need to follow the rules set out above, and continue to be
vigilant. If your ISP does not provide such a service, lobby
them until they do, or change service providers!