ETL Program - Tech Tip #8

E-Mail Worms and Viruses

There are apparently many misunderstandings about how the recent e-mail "worms" work. The following are examples:

"My computer is protected and updated. I bought a new anti-virus software program 3 months ago and installed it right away."

That's a great start, but it doesn't necessarily mean that you have the latest protection. Anti-virus software can only detect the viruses and variants described in its definition files, so those definitions must be updated regularly over the Internet (most products call this a "live update" or similar). Do this at least weekly, preferably daily, and turn on automatic updates if your product offers them. See your software's documentation for how to do this.

Another important consideration is that many of these newer e-mail worms spread so quickly that even mail server administrators may not be able to obtain and install new anti-virus definitions before some infected messages have gotten through. Even if your mail service has been good about filtering infected attachments in the past, you can't count on it being 100% effective in the future.

"My machine seems to be running ok and I don't think that I've ever gotten an infected mail message. That means that I can't have a virus or worm, right?"

Not necessarily. There are two separate issues involved here, but both of them are very important.

The first is that some viruses will noticeably affect your computer's performance, but mail worms very often do nothing to make you suspect that they are there. It's very easy to pick up an infected file without realizing it. Let's say that you get a mail message from a good friend who often sends you amusing file attachments. You see that the mail came from someone you know, double-click the attachment, and nothing visible happens. If you are busy, you might just assume that there was something wrong with the file and not give it any further thought. What you may actually have done is run an e-mail worm, which from that moment is quietly mailing itself from your machine.

Second, it's important to understand how mail worms work. Imagine that someone's machine is infected. The worm searches that machine for e-mail addresses (more about where it looks later) and picks two. It sends an infected message to one address, forged so that it appears to come from the other (this is called "spoofing" the sender address). It then picks two more addresses and does the same thing, and it keeps doing this for as long as the machine remains on and connected to the Internet. These messages can go out at rates exceeding one per second, and they usually go to the family, friends and colleagues of whoever's addresses were on the machine. Note the consequence of the forgery: the person named in the "From" line is not the one who is infected, so complaining to them (or to their mail provider) will not stop the flow. That's why everyone should take this matter seriously.

Another good reason to take this seriously involves the addresses that are being "spoofed". The pairs of addresses that the worm finds on your machine can suggest, or reveal, friendships or activity that you would prefer to keep private.

"I don't use Microsoft Outlook for mail. I'm safe, then, right?"

Not necessarily. While it is true that many of the earlier mail "worms" sent infected messages only to addresses found in Microsoft products such as the Outlook address book, newer variants are far more thorough. They look for e-mail addresses in many kinds of files, including some that you may not even know are on your machine (such as the cache folders of your browser and other applications). They find addresses in HTML files, text files, Word documents, and so on. It's safest to assume that any e-mail address stored anywhere on your computer could be used as a recipient, or as a forged sender, if your computer becomes infected.

"I don't use GW's mail that much, so I can't have the virus that you are talking about."

The infections don't have to come from GW's mail system. In fact, they probably have not come from GW's system. Overall, GW does an excellent job of stripping infected files from mail coming into its system. There are, however, times when a new variant spreads so quickly that a definition for it cannot be written and distributed in time to prevent some infected messages from getting through (as recently happened for a few hours). The same is true of any ISP's service: you can pick up an infected message on any mail system at all.

"I don't ever read mail on my computer, and I don't ever go to websites where I could pick up a virus."

When thinking about these issues, think about machine activity rather than personal activity. You may not read mail on your computer, or visit websites, but does anyone else ever use it? For example, homes where the family shares a computer often have more trouble with viruses and other sorts of "malware" that can damage a machine, slow it down ("adware" and "spyware" are a separate issue), or generate nuisance e-mail. It's also important to know that nobody has to be actively using an infected machine for it to be sending out infected e-mail. As long as it is turned on and connected to a network, it will keep sending infected messages to the addresses it finds on that machine. Some infected computers have generated literally millions of e-mail messages before they were discovered and cleaned. That kind of "flooding" of network resources is the greatest damage these machines cause.

By the same token, an infected machine can send infected mail to "your" addresses even if you no longer own that machine. If you sold, gave away, shared, or otherwise disposed of a computer without removing all of your information from it, a later infection would result in the addresses you left on it receiving infected mail, or being "spoofed" as the sender of one.
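An added example, not part of the original tech tip, that illustrates the two points above (addresses hide in files of every type, and they stay behind on a disposed machine): a Python script does on the owner's behalf what the tip says a worm does. It walks a folder tree, reads every file as raw bytes regardless of type, and lists the e-mail addresses it finds, so you can see what an infection would have to work with before you sell or give away a machine. The files it scans are constructed here in a temporary folder; all paths, names and addresses are made up.

```python
"""Inventory the e-mail addresses a worm could harvest from a disk.

Added example; not code from the ETL tech tip.  The files it scans are
constructed below in a temporary folder; names and addresses are made up.
"""
import os
import re
import tempfile

# A worm does not care about file type; it reads bytes.  Do the same.
EMAIL_RE = re.compile(
    rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

# Constructed stand-ins for the places the tip mentions: a text file, a
# browser-cache copy of a web page, a Word document (OLE header plus text),
# and a picture that holds no addresses at all.
SAMPLE_FILES = {
    "My Documents/notes.txt": b"Ask educ111-sec3@gwu.example about the paper.\n",
    "Temporary Internet Files/page_042.htm":
        b'<a href="mailto:Advisor@gwu.example">Advisor</a> webmaster@gwu.example',
    "My Documents/letter.doc":
        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
        + b"Dear Sis, write me at sister@home-isp.example\x00",
    "My Pictures/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
}


def build_sample_tree():
    """Write the constructed files into a fresh temporary folder; return its path."""
    root = tempfile.mkdtemp(prefix="addr_audit_")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def inventory_addresses(root):
    """Map each file (path relative to root) to the sorted, lower-cased
    addresses found in it.  Files with no addresses are left out."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            addrs = sorted({m.decode("ascii").lower() for m in EMAIL_RE.findall(data)})
            if addrs:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found[rel] = addrs
    return found


def exposed_addresses(found):
    """Every distinct address on the disk: each one is a possible recipient
    or forged sender if this machine becomes infected."""
    return sorted({a for addrs in found.values() for a in addrs})


if __name__ == "__main__":
    root = build_sample_tree()
    found = inventory_addresses(root)
    for rel, addrs in sorted(found.items()):
        print(f"{rel}: {', '.join(addrs)}")
    print("total distinct addresses:", len(exposed_addresses(found)))
```

To audit a real machine, point `inventory_addresses` at your profile folder (or the whole drive) instead of the constructed tree; expect the browser cache and old documents to contribute far more addresses than your address book does.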

"How can someone find out the source of an infected message, then?"

It's not easy, and is often impossible, but we have an advantage in ETL that lets us locate about half of the infected machines. For the most part, it's a process of elimination.

First of all, even though a worm will "spoof" the sender address, the routing information in the message still reveals the actual server of origin. Every mail server that handles a message adds a "Received:" line to its full headers (most mail programs have a "show all headers" or "view source" option), recording the name and IP address of the machine that handed it the message. Reading those lines from the bottom up, the one written by the first real mail server shows where the infected machine connected from. One caution: the worm can type fake "Received:" lines of its own before sending, so only the lines added by servers you can vouch for count. Sometimes the originating server can be identified as belonging to a specific company or school (making it easy). Other times it only tells us that the message came from ISP X and that the server is located in a certain city and state (usually the infected machine is in that general area).

In addition to that, our course e-mail addresses are not available to the general public. If, for example, the address for EDUC 111, Section 3, is spoofed in a mail message to Joe GW Student, we know that the infected machine has both of those addresses on it. If we are lucky enough for this to be Joe GW Student's first semester, and luckier still that he's only taking EDUC 222, Section 1, the chances are very good that the infected machine belongs to someone in the same section of EDUC 222, and is also in (or was previously in) EDUC 111, Section 3. Let's say that the server of origin is in Juneau, Alaska. That would make it fairly easy to find the source of the infection, because we don't often have more than one person who would meet all three of those criteria. Unfortunately, they aren't always that easy to narrow down. Sometimes all of the clues that we have can apply to quite a few current, and former, students.
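The tracing described in the two paragraphs above, as an added example that is not part of the original tech tip: a Python script reads the "Received:" headers of a constructed message, walks them from our own mail server outward, and trusts each line only if it was written by the server that the previous trusted line named (with matching reverse DNS) as its source. The result is the IP address of the infected machine and the ISP relay it came through, alongside the forged "From:" address. A second constructed message carries an extra "Received:" line typed by the worm itself, to show why such a line is ignored. Every host name, address and IP below is made up (`.example` domains, RFC 5737 documentation IP ranges); `mail.gwu.example` stands in for the receiving server whose headers we vouch for.

```python
"""Trace a worm's message back through its Received: headers.

Added example; not code from the ETL tech tip.  Every host name and address
below is constructed (.example domains, RFC 5737 documentation IP ranges).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Genuine Received: lines.  Each server prepends its own, so the line written
# by our server is on top and the ISP relay's line, which records the
# infected PC's connection, sits below it.
GENUINE_RECEIVED = (
    "Received: from relay2.example-isp.net (relay2.example-isp.net [198.51.100.7])\n"
    "\tby mail.gwu.example (Postfix) with ESMTP id 1A2B3C\n"
    "\tfor <educ111-sec3@gwu.example>; Tue, 12 Aug 2003 09:14:02 -0400\n"
    "Received: from Dell-Laptop ([203.0.113.45])\n"
    "\tby relay2.example-isp.net (8.12.9) with SMTP id h7CDE4f\n"
    "\tfor <educ111-sec3@gwu.example>; Tue, 12 Aug 2003 09:13:58 -0400\n"
)
# A Received: line the worm itself typed before sending, to shift blame.
FORGED_RECEIVED = (
    "Received: from mail.victim.example (mail.victim.example [192.0.2.9])\n"
    "\tby Dell-Laptop with SMTP id 1; Tue, 12 Aug 2003 09:13:50 -0400\n"
)
# Forged From: using an address harvested from the infected machine.
REST = (
    'From: "Joe GW Student" <joe@students.gwu.example>\n'
    "To: educ111-sec3@gwu.example\n"
    "Subject: Re: Your application\n"
    "\n"
    "See the attached file for details.\n"
)
SAMPLE = GENUINE_RECEIVED + REST
SAMPLE_FORGED = GENUINE_RECEIVED + FORGED_RECEIVED + REST

OUR_SERVERS = {"mail.gwu.example"}  # servers whose Received: lines we vouch for

# "from <helo> (<rdns> [<ip>]) by <server>"; rdns is absent for hosts with
# no reverse DNS, which is typical of a home PC on a dynamic address.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(msg):
    """Return hops in transit order (sending machine first, final server last)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops


def find_origin(hops, our_servers):
    """Walk the chain from our own server outward.

    A Received: line is trusted only if the server that wrote it ("by") was
    named, with matching reverse DNS, as the source of the previous trusted
    line.  A sending host without matching reverse DNS is treated as an end
    machine; anything below it may have been typed by the worm, so the walk
    stops.  Returns the earliest trusted hop, our best estimate of the
    infected machine, or None if our own server wrote no usable line.
    """
    trusted_writers = {s.lower() for s in our_servers}
    origin = None
    for hop in reversed(hops):  # most recent hop first
        if hop["by"].lower() not in trusted_writers:
            break
        origin = hop
        rdns = (hop["rdns"] or "").lower()
        if rdns != hop["helo"].lower():
            break
        trusted_writers = {rdns}
    return origin


def analyze(raw, our_servers=OUR_SERVERS):
    """Summarize who the message claims to be from and where it really came from."""
    msg = message_from_string(raw)
    hops = parse_received(msg)
    origin = find_origin(hops, our_servers)
    entry = hops[-1] if hops else None  # the host that handed mail to our server
    return {
        "claimed_from": parseaddr(msg.get("From", ""))[1],
        "received_lines": len(hops),
        "entry_relay": entry and (entry["rdns"] or entry["helo"]),
        "origin_ip": origin and origin["ip"],
        "origin_helo": origin and origin["helo"],
    }


if __name__ == "__main__":
    for label, raw in (("plain", SAMPLE), ("with forged line", SAMPLE_FORGED)):
        print(label, analyze(raw))
```

In both samples the message claims to come from a GW student but entered our system from an outside ISP relay, and the relay's own header points at a home PC with no reverse DNS. The forged line at the bottom of the second sample never becomes trusted, because the host that supposedly wrote it is the end machine the walk already stopped at. Pairing that IP and ISP with the course addresses in the "To" and "From" lines is what narrows the search described above.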



The ETL Program's Masters Degree in Educational Technology Leadership and Graduate Certificates are offered through the Graduate School of Education and Human Development
Educational Technology Leadership Program
2134 G Street N.W., Washington D.C. 20052
For further information call: local (202) 994-1701 or toll free (866) 498-3382
You may also send e-mail to: etlinfo@gwu.edu