Anti-Virus Companies: Tenacious Spammers
Wed Jan 28 04:46:28 EST 2004
Brian Martin [jericho@attrition.org]

No one can argue that the spam problem is getting better. Despite advances in anti-spam technology and legislation against spam, unwanted junk mail is flowing into our inboxes at an increased rate. Stock tips, enhancement drugs, Nigerian scams, DVD copy software and hundreds of other products or services get shoved in our face.

For roughly three years, the Internet has seen worms that spread via e-mail, often taking addresses out of the infected machine's web cache, user addressbook or other sources. Some of these worms will also forge/spoof the "From:" line so the mail appears to be from someone else, in an attempt to make the mail more 'trusted'. To be clear, here is a sample timeline of how these work:

  1. EvilGuy01 writes and releases a new worm.
  2. Fred is a moron and clicks on an attachment from a stranger, infecting his machine.
  3. The worm mails a copy of itself to everyone in Fred's addressbook. The mail sent out spoofs the headers of the mail so it may be "From: George" or "From: Sally".
  4. Tom gets a copy of the mail "From: Sally" and clicks on the attachment, infecting himself.
  5. Tom sends mail to Sally complaining about her evil shenanigans.
  6. Sally replies to Tom with "d00d WTF?! lol" since she never sent the mail.

The concept is very simple, and extremely effective. Anti-Virus companies are well aware of this trait present in many "mm" (Mass Mailing) worms. Reading through their descriptions, they document each worm that spreads itself in this fashion. Looking at one example on the McAfee site:

    W32/Mydoom@MM generates emails with a spoofed From: field, so incoming messages may appear to be from people you know. Furthermore, the subject line and message body are both randomly generated by the worm.

Each of these Anti-Virus or mail gateway companies tends to configure its products to do the same thing.
If a piece of mail comes in with a known virus, trojan, worm or taboo attachment, the product will stop the mail from reaching the intended recipient, notify the administrator, and either quarantine or delete the hostile content. Simple and effective. However, each of these companies also has their product mail the person who sent in the hostile content saying "You are infected" in so many words. While such intentions are noble, think about the reality of what is happening. For over three years, these worms that forge the "From:" address have been sending out millions of mails attempting to propagate themselves. For each of these mails that reaches an Anti-Virus product or gateway, it gets blocked and replied to, based on that forged "From:" line. Result? Millions more e-mails are sent out to innocent people who never sent the mail in the first place.

Spam

Spam is basically defined as "unsolicited junk e-mail". Unsolicited, as in you did not request the person/company to send you mail. Junk, as in it contains no valuable content or information. When an anti-virus program from a remote system mails you out of the blue, tells you that it blocked a virus YOU sent, tells you that you are likely infected with a virus and advertises itself, the remote site is sending you spam. In the case of the latest worm, I and others have received more spam from Anti-Virus products than from the worm itself! As you read this, Anti-Virus companies are responsible for products that are sending out more unwanted mail than the worm itself. The most damning mail from these products not only purports to "warn you of infection", but goes so far as to advertise the product to you. This is unsolicited commercial e-mail (UCE, aka "spam") in its purest form.

Justification

Spammers often try to justify their actions and excuse their unsolicited e-mail. Some will say "you can just delete it", or "some of the people we mail may want to read it".
Many will go so far as to say you mailed them or you "opted in" to their e-mail lists. I'm sure that if you ask the Anti-Virus companies why their products send this unsolicited mail, you will get this type of answer or something equally asinine. With these worms sending out millions of spoofed mails, the anti-virus products are also sending out millions of mails, most of them to people who never mailed in the first place.

Intent

Some may argue that the Anti-Virus companies don't intend to spam innocent users, but this argument is completely without merit. It's a fact that they know which worms propagate by spoofing mail. It's a fact that when their customers download updates they include an ID or name so the product can identify the incoming hostile code. Add these two facts together and you get Anti-Virus products that intentionally and knowingly respond to mail addresses they know are forged, that didn't really send the infected message, and have not asked to be mailed. The bottom line: Anti-Virus companies sell products that are designed to spam innocent users, to the tune of millions of mails a year.

Solution

The solution is simple: when infected mail comes into a network, the message should be quarantined, the administrator notified, and nothing else. No mail should be sent back to the spoofed "From:" address. If Anti-Virus companies think this is a bad choice, at the very least they could configure the products not to mail back on worms that they know to spoof headers during propagation. Any of the "@MM" named worms should be responded to differently.

This ends the nice section. It isn't enough that these products send out millions of spam messages a year. Anti-Virus programs are guilty of several other crimes against the Internet and they need to be stopped. The following section will look at some of these products, their spam and observations about their behavior.

The Name Game

What virus did I supposedly send to Joe User on your network?
In the wake of the latest worm outbreak (aka W32.Novarg.A@mm), many people were reminded of the horrid state of the Anti-Virus industry when it comes to naming worms and viruses. Based on the spam I received from these companies, we have at least eight different names for the same worm, probably a lot more.

  Norton AntiVirus                   W32.Novarg.A@mm
  RAV AntiVirus                      Win32/Mydoom.A@mm
  GroupShield for Exchange           W32/Mydoom@MM
  BorderWare MXtreme Mail Firewall   I-Worm.Novarg
  InterScan                          WORM_MIMAIL.R
  Antigen                            MyDoom.A@m (Norman) worm
  McAfee                             W32/Mydoom@MM

Novarg? MyDoom? Worm Mimail? Worm SCO? Which is it? If the Anti-Virus industry truly had the Internet's interest in mind, they would designate a board to apply a standard name to all viruses. Failing this, by maintaining some channel of communication during the initial discovery phase, they could at least agree on a common overall name (Novarg vs MyDoom) before applying their own designations (A@m, @MM, .A, etc). While some people argue that giving worms media attention only encourages such behavior, there is a positive side. The worms that garnered a high amount of media attention received a very standard name since each Anti-Virus company wanted to be able to say they too scanned for it. I am grounded in reality though, and I understand this can't happen for every worm or virus lest they sacrifice a little bit and lose their "edge" in the business. Their notions of customer interest are second to their bottom line and perceived dominance of the industry.

Technical Wonders

Some of the mail these products send out is nothing short of pathetic. In some cases, the remote site doesn't include any details as to the original mail, who supposedly sent it, who the intended recipient was, or include the headers so you have an idea where it was really sent from. Other warnings tell you that your machine is infected, suggest you scan for viruses and contact your administrator.
If hundreds of employees in a company receive these, they may be diligent and report the mail to their administrator. This will cause an increased workload on your IT staff, all over events that never occurred.

Examples and Offenders

In case you have disabled e-mail or deleted your entire inbox before viewing the contents, here are some examples of the offending spam being sent out by Anti-Virus companies.

AMaViS (http://amavis.org/) sends a very dramatic "V I R U S A L E R T" warning that they found a VIRUS and stopped delivery of your email! THANKS GUYS, YOU ARE SAVING THE INTERNET ONE COMPUTER AT A TIME.

    V I R U S   A L E R T

    Our viruschecker found a VIRUS in your email to "pingcat01@yahoo.com".
    We stopped delivery of this email!
    Please check your system for viruses.
    For more details contact your local System Administrator or MIS staff.

While I am contacting my MIS staff (oh wait..), Norton words their mail so definitively. Norton is sure that I sent the mail to poor Tony. If we assume the administrator of the remote system received a copy of this, as well as Tony and myself, at what point does this cross into the bounds of libel? Norton is accusing me of a crime that I did not commit. Thanks guys.

    Norton AntiVirus found a virus in an attachment you (jericho@attrition.org) sent to Tony LaScola.
    To ensure the recipient(s) are able to use the files you sent, perform a virus scan on your computer, clean any infected files, then resend this attachment.
    Attachment: readme.pif
    Virus name: W32.Novarg.A@mm
    Action taken: Clean failed : Quarantine succeeded : File status: Infected

RAV AntiVirus (http://www.ravantivirus.com) is nice enough to tell me details of the remote system that are often classified as an "information disclosure" vulnerability. Not only do I learn the remote system's architecture, they blatantly advertise their product to me. This is pure commercial spam.
    RAV AntiVirus for Linux i686
    version: 8.3.1 (snapshot-20011106)
    Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
    12 more days to evaluate.
    Running on host: RMnet.it

    The file (part0002:body.zip)->body.scr attached to mail (with subject: Server Report) sent by jericho@attrition.org to tna@rmnet.it, is infected with virus: Win32/Mydoom.A@mm.
    Cannot clean this file.
    Cannot delete this file (most probably it's in an archive).
    The mail was not delivered because it contained dangerous code.

    Scan engine 8.11 for i386.
    Last update: Tue Jan 27 04:03:51 2004
    Scanning for 89279 malwares (viruses, trojans and worms).

    To get a free 60-days evaluation version of RAV AntiVirus v8 (yet fully functional) please visit:
    http://www.ravantivirus.com

MailScanner (http://www.mailscanner.info) warns me that I sent Sandra a virus! Oh gnoez! After blatantly advertising their product to me, the real ignorance comes in the subsequent mail.

    Our virus detector has just been triggered by a message you sent:-
      To: sandra@redoakdesigns.com
      Subject: TEST
      Date: Tue Jan 27 10:45:38 2004
    Any infected parts of the message (message.pif) have not been delivered.

    This message is simply to warn you that your computer system may have a virus present and should be checked.

    The virus detector said this about the message:
    Report: message.pif contains Worm.SCO.A
            Shortcuts to MS-Dos programs are very dangerous in email (message.pif)
            No programs allowed (message.pif)

    -- 
    MailScanner
    Email Virus Scanner
    www.mailscanner.info
    Mailscanner thanks transtec Computers for their support

This is where I learn that I mailed a user that doesn't exist on the remote system. They are also kind enough to actually attach a copy of the virus to this mail. If an average user received this and was curious what was supposedly sent in their name, they might open it and infect themselves.
Good going MailScanner, you block the mail from reaching the person (that doesn't exist), but you don't delete or quarantine the harmful content. Stellar.

    From: Mail Delivery Subsystem (MAILER-DAEMON@host.countystart.org)
    To: jericho@attrition.org
    Date: Tue, 27 Jan 2004 10:45:44 -0500
    Subject: Returned mail: see transcript for details
    Parts/Attachments:
       1   Shown     12 lines  Text
       2   Shown    302 bytes  Message, "Delivery Status"
       3   Shown    2.3 KB     Message, "{Virus?} TEST"
       3.1 Shown      6 lines  Text (charset: Windows-1252)
       3.2 Shown    ~21 lines  Text
    ----------------------------------------

    The original message was received at Tue, 27 Jan 2004 10:12:30 -0500
    from ool-43533db7.dyn.optonline.net [67.83.61.183]

       ----- The following addresses had permanent fatal errors -----
    (sandra@redoakdesigns.com)
        (reason: 550 5.1.1 (sandra@redoakdesigns.com)... User unknown)

Symantec is short and to the point, leaving out when I sent the message, and to what e-mail address. Thanks for the details!

    From: AVAdmin@ecs.com
    Subject: Symantec AVF detected an unrepairable virus in a message you sent

    Subject of the message: test
    Recipient of the message: Jon Baratta

In some cases, Symantec doesn't even want to tell you who you supposedly mailed. Great.

    From: Administrator@polyformus.com
    To: jericho@attrition.org
    Date: Tue, 27 Jan 2004 20:16:40 -0800
    Subject: Symantec AVF detected an unrepairable virus in a message you sent

    Subject of the message: Error
    Recipient of the message: Unknown Recipient(s)

GroupShield for Exchange wins the award for the largest spam. I've also removed some extra space to make this mail bearable. They also let me know the easy to remember trouble ticket number, just in case I need to reference it in the future when dealing with their company. On top of all this, they warn me that this mail is confidential.
If that were the case, spammers would be in heaven as they sent out millions of spam messages protected by a CONFIDENTIALITY NOTICE that prevented people from sharing the contents with anti-spam organizations or law enforcement. Nice try GroupShield!

    From: "GroupShield for Exchange (FBOWEXC001)" (NAICENTRALFBOWEXC001@bowne.com)
    To: "'jericho@attrition.org'" (jericho@attrition.org)
    Date: Tue, 27 Jan 2004 09:20:32 -0500
    Subject: ALERT - GroupShield ticket number OA14_1075213232_FBOWEXC001_1 was generated

    Action Taken:
    The attachment was quarantined from the message and replaced with a text file informing the recipient of the action taken.

    To: gary.willis@bowne.com (gary.willis@bowne.com)
    From: jericho@attrition.org (jericho@attrition.org)
    Sent: 1329686912,29615328
    Subject: test

    Attachment Details:-
    Attachment Name: text.zip
    File: text.zip
    Infected? Yes
    Repaired? No
    Blocked? No
    Deleted? No
    Virus Name: W32/Mydoom@MM

    CONFIDENTIALITY NOTICE: The information in this Internet email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized.

MailMarshal gives me the option of contacting them and asking them to let the mail through. If I was feeling a little saucy I might mail them asking just that. Wonder if I could infect them via a polite request.

    MailMarshal (an automated content monitoring gateway) has not delivered the following message:

    Message: B000035b6e.00000000.mml
    From: bmartin@attrition.org
    To: SMcCullough@ORMILA.com
    Subject: TEST

    This is due to automatic rules that have determined that the intended recipient is not authorized to receive messages with Executable file(s) attached.

    If you believe the message was business related please send a message to exchad@ORMILA.com and request that the message be released to its intended recipient. If no contact is made within 5 days the message will automatically be deleted.
    MailMarshal Rule: Inbound : Block EXECUTABLE Files
    Email security by MailMarshal from Marshal Software.

BorderWare MXtreme Mail Firewall has a really clever name using "MXtreme" (tech geeks are rolling, I bet), and provides me with valuable information such as the Queue ID number. Very helpful.

    This is an automated message from baxter.com

    A mail from you (bmartin@attrition.org) to (adalberto_maldonado@baxter.com) was stopped and Rejected because it contains one or more viruses.

    Summary of email contents:
    Queue ID: E0A7E6CF67
    Attachment: file.zip
    Found virus I-Worm.Novarg /file.txt

InterScan's nice summary makes it easy for me to figure out what I did. On Tuesday I used "Mail" to send a virus to Peter and InterScan deleted it. That's how it went down, yep.

    Sender, InterScan has detected virus(es) in your e-mail attachment.

    Date: Tue, 27 Jan 2004 22:45:20 +0100
    Method: Mail
    From: (jericho@attrition.org)
    To: peter.metrowich@au.bosch.com
    File: message.zip
    Action: deleted
    Virus: WORM_MIMAIL.R

Antigen gets the award for the most convoluted warning.

    Antigen for Exchange found readme.zip->readme.txt .exe infected with VIRUS= MyDoom.A@m (Norman) worm.
    The message is currently Purged. The message, "Server Report", was sent from jericho@attrition.org and was discovered in IMC Queues\Inbound located at DoubleClick/Thornton/THN-EX10.

McAfee, aka Captain Obvious, warns me that a HARMFUL virus was sent, not one of those nice huggly viruses. They are also sincere in their warning to me as they advertise their product and web site.

    McAfee Security has detected that the e-mail message you have sent below contains a harmful virus. The message has been quarantined.
    The infected message's properties are:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Sender: jericho@forced.attrition.org
    Receiver: sfromm@energy.state.ca.us
    Virus Name: W32/Mydoom@MM (ED)
    Original Attachment Name: test.zip
    Transmission Date Time: 01/27/2004 17:27:47
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    The intended recipient's System Administrator(s) has been notified. They may choose to delete this message or request receipt at their own risk.

    Sincerely,
    McAfee Security Customer Care
    -----------------------------------------------
    McAfee Security
    http://www.McAfeeASaP.com
    -----------------------------------------------

No clue who to blame for this one! Some anti-virus product out there sends this type of gem. Due to the way they send their warning, it appears in my inbox as such, appearing as if I BCC'd myself on the e-mail or something. Mail should not arrive in my inbox addressed from me. Spoofing mail headers like this is the same thing the worms are doing!

    From: jericho@attrition.org
    To: ldainc@coqui.net
    Date: Tue, 27 Jan 2004 11:23:25 -0600
    Subject: Returned due to virus; was: Mail transaction failed. Partial message is available.

Network Associates, Inc. Webshield SMTP "Cleans and Quarantines" (is that some trademark? Why the caps?) the mail I supposedly sent.

    Varian Inc. virus shield detected virus W32/Mydoom@MM (ED) in an e-mail sent from  to  with the subject test. This e-mail was Cleaned and Quarantined. If you have any questions please call 650-424-5151.

The Real Solution

Since I have little hope for the Anti-Virus industry and really doubt they will take the logical course of action and reconfigure their inferior products, it's probably best if I recommend another course of action. Every time you receive a piece of mail from an Anti-Virus company product, treat it like any other spam. Forward it to the appropriate abuse/postmaster contacts of the remote system.
Make sure you also send a copy to their upstream provider and any law enforcement that is appropriate. Be sure to send a copy to the offending spammer/Anti-Virus company so they are aware you don't like their practice. Finally, since this spam doesn't give you a method for opting out of future mail, this violates the "CAN-SPAM Act of 2003" and should be reported accordingly. If our government is serious about spam, they will be aggressive in their pursuit of these million dollar companies that send out millions of spam messages a year.

Update 1/29/04 - It has been brought to my attention that MailScanner is a) freeware, b) receives its virus naming from other software and c) defaults to not sending such warnings. Kudos to the MailScanner devs for recognizing the problem and reconfiguring long before this article appeared.

Update 1/30/04 - Reader feedback has alerted me that MIMEDefang, ClamAV, Exiscan and Amavis default to not sending such warnings in general, or for a specific list of worms known to spoof. Admins, ditch the high priced junkware and learn to love these products that put quality and common sense before bottom line. I have also received several links to others that wrote about this topic, but the best one has to be this Open Letter from Fridrik Skulason of FRISK Software (F-Prot AV).

I have received almost 100 replies to this article and I appreciate the feedback. A few comments related to the feedback.

  * I realize that admins can configure the products in many cases, but the AV products ship with this feature on by default. I personally don't think we can hold every beleaguered admin responsible for knowing hundreds of products any more than we expect users to quit double clicking every .exe that crosses their inbox.

  * Tim Jackson has sent in an excellent SpamAssassin filter to handle these bogus virus warnings. Many people suggested I write one, but Tim is way ahead of us!
  * If anyone has SpamAssassin or other mail filters that can help reduce the load of the "infected warning" mail, send it over and I'll add it to this page.

Update 1/30/04 - The ultimate in irony. I received blatant spam from McAfee advertising their product as a solution to this worm. This is not the first mail I have received from McAfee during a worm outbreak. Full spam with headers.

Update 1/30/04 - Anecdote from a reader: "I just had a nice little chat session with someone from McAfee. I received an email with the virus attached that claimed to be returned by Webshield e500. I was trying to figure out whether the virus was doing this or Webshield e500. The guy from McAfee said that none of their products send autoresponders. So I sent a link to your article, at which time the guy experienced technical difficulties and was disconnected."

Another reader sent in the auto-bounce from Declude (not the default) which gets a little snippy with you as it spams you with virus warnings: "If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus."

Copyright 2004 by Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given.

--- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x ---

Yes, (some) antivirus companies are spammers.

A response to Brian Martin.

In an article titled “Anti-Virus Companies: Tenacious Spammers” Brian Martin criticises the antivirus industry. Given that I have been an active member of that industry for 15 years, I consider myself to have a right to respond.

Guess what - Brian Martin is right! (well, for the most part)

The practice of sending out mail alerts, possibly both to the recipient and to the (assumed) sender of the message, made sense back in 1998.
If a virus was found in a mail message at that time it would typically be an infected Word document, and informing the sender (and possibly the recipient) would help to track down and eliminate the infection.

The appearance of mass-mailing worms like Melissa changed the situation. Instead of a single copy, there could be thousands of copies sent to people all over the globe. Informing the recipients that a virus destined for their mailbox had been stopped was utterly pointless. Still, some antivirus companies continued doing this - probably thinking of this as a way to get some free “Our product protected you!” advertising - a way to get more name recognition I guess.

Later we got worms like Klez that forged the sender's address, and that is now the standard practice - after all, the benefits to the worm are obvious - it makes it harder to track down the source.

Forged sender addresses should have made it obvious that sending mail to the (assumed) sender when a worm is found is not a good idea. Still, some antivirus companies persist in this practice.

I have argued before that this practice should be abandoned, see for example my public letter of 10 September last year, at the time of the Sobig.F outbreak, titled “Why (some) antivirus companies are to blame for the recent e-mail flood”

Some of those companies are still to blame. No competent antivirus company should offer a feature in their mail filtering product allowing a notification to be sent to the recipient when a mass-mailing worm is found - or to the assumed sender, at least not when the worm is known to forge the sender's address.

I can only repeat what I said back in September: Acceptable behaviour would be one of the following:

  - Have the mail filter properly distinguish between worms that falsify the “From:” address and ones that do not and only send a warning message when the “From:” address is likely to be genuine.
  - Do not send the alerts at all.
In fact, sending an alert automatically to the “From:” address for every virus or worm received by e-mail should not even be a selectable option, and for any mass-mailing worm, no mail should ever be sent to the recipient. The products which do not conform to the “acceptable behaviour” I have described are a part of the problem, not the solution.

However, even though we at FRISK Software are fundamentally against this practice and do not offer this functionality in our mail-filter products, someone could abuse our product in this way, for example by writing his own mail filter using, e.g., our Linux/UNIX “daemon” virus scanner. What this means is that merely getting the antivirus companies to stop offering this functionality is not sufficient.

There are a few other things in the article by Brian Martin that deserve comment. He mentions the potential confusion when different antivirus companies select different names for the same thing. I couldn't agree more. The antivirus industry has a mechanism in place that is meant to reduce this problem. There is a naming standard, describing what makes an acceptable name. There is also a “sample and description”-sharing process, so antivirus companies can share samples of any new threat appearing “in the wild”, hopefully before they start sending out press releases. If companies choose to ignore this mechanism and select an unacceptable name, either due to ignorance or incompetence, there is just not much the rest of the antivirus industry can do.

The real problem arises when multiple companies discover a new worm at the same time, and rush out detection, web description and a press release about it before checking whether a different name has already been proposed for the same thing. This is what happened recently - one company named the worm Mydoom.A and another picked Novarg.A. These choices are understandable. But there is no excuse for the other names.
The name Mimail.R was fundamentally wrong as the worm is wholly unrelated to the other members of the Mimail family. The name Worm.SCO is also unacceptable as it violates one of the naming rules, as it includes a company name, presumably trademarked. Some of the companies using Novarg.A initially switched to Mydoom.A, which is right now used by 17 of the 21 products I just checked. This is not a perfect situation, but it could have been worse.

Fridrik Skulason (frisk@f-prot.com)
Founder of FRISK Software International
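The following is an added example of mine, not code from either article above and not from any product they quote. It implements in Python the two things the page argues for: the gateway policy that Martin's "Solution" section and Skulason's "acceptable behaviour" list both describe (quarantine, notify the administrator, and reply to the From: address only when the detection is not a mass-mailer whose sender is forged), and a scoring filter for the virus-warning backscatter reproduced above, in the spirit of the SpamAssassin filter mentioned in the 1/30/04 update. The worm-name markers it keys on are the ones visible in the quoted warnings (@m/@mm suffixes, I-Worm., WORM_ and Worm. prefixes); the rule names, the scores, the 5.0 threshold and the three sample messages are my own assumptions, built with example.org addresses rather than real traffic.

```python
# Added example (mine), not code from either article or from any product
# quoted above. gateway_actions() is the policy Martin's "Solution" and
# Skulason's "acceptable behaviour" describe; score_backscatter() rates
# inbound virus-warning backscatter, SpamAssassin-style. Rule names, scores,
# the 5.0 threshold and the sample messages are assumptions.
import re
from email.message import EmailMessage

# CARO-style @m/@mm suffixes (Symantec, McAfee, RAV, Norman) and the I-Worm.,
# WORM_ and Worm. prefixes (BorderWare, Trend, ClamAV) all denote e-mail worms,
# which forge From: routinely. The two lookaheads keep an address such as
# user@mm.example from being mistaken for a detection name.
WORM_NAME = re.compile(
    r"[\w/.-]+@mm?(?!\w)(?!\.\w)|\b(?:I-Worm\.|WORM_|Worm\.)[A-Za-z]", re.I)
# Attachment types the quoted warnings carried (.zip because Mydoom used one).
EXEC_EXT = re.compile(r"\.(pif|scr|exe|com|bat|cmd|vbs|zip)$", re.I)


def gateway_actions(virus_name: str) -> dict:
    """What the gateway does with a message the scanner flagged as infected."""
    actions = {
        "deliver": False,
        "quarantine": True,         # keep it for the admin, never forward it
        "notify_admin": True,
        "notify_recipient": False,  # pointless for a worm (Skulason)
        "notify_sender": False,     # From: is forged, so no reply (Martin)
    }
    if not WORM_NAME.search(virus_name):
        # Assumption: a non-mailer detection (a macro virus in a document a
        # person really attached) is the one case where From: may be genuine.
        actions["notify_sender"] = True
    return actions


# (name, score, field, regex); every score here is an assumption.
BACKSCATTER_RULES = [
    ("AV_SUBJ_VIRUS", 1.5, "subject",
     re.compile(r"\b(virus|infected|worm)\b", re.I)),
    ("AV_SUBJ_YOU_SENT", 2.0, "subject",
     re.compile(r"\byou\b.{0,20}\bsent\b", re.I)),
    ("AV_BODY_YOU_SENT", 2.5, "body",
     re.compile(r"\byou\b.{0,40}\bsent\b|\bsent (by|from) you\b", re.I)),
    ("AV_BODY_ALERT", 1.5, "body",
     re.compile(r"virus\s*alert|virus ?checker|virus detector|"
                r"found (a )?virus|detected .{0,40}virus", re.I)),
    ("AV_BODY_WORM_NAME", 2.0, "body", WORM_NAME),
    ("AV_FROM_ROBOT", 1.0, "from",
     re.compile(r"mailer-daemon|postmaster|administrator|avadmin|virus", re.I)),
]
THRESHOLD = 5.0


def score_backscatter(msg: EmailMessage) -> tuple[float, list[str]]:
    """Return (total score, names of the rules that fired) for one message."""
    body = msg.get_body(preferencelist=("plain",))
    fields = {"subject": msg.get("Subject", ""), "from": msg.get("From", ""),
              "body": body.get_content() if body else ""}
    # A "warning" that carries an executable is the worm itself, re-sent to
    # the forged address (the MailScanner case above), so it weighs the most.
    scores = {n: s for n, s, _, _ in BACKSCATTER_RULES} | {"AV_ATTACH_EXEC": 3.0}
    hits = [name for name, _, field, rx in BACKSCATTER_RULES
            if rx.search(fields[field])]
    if any(EXEC_EXT.search(p.get_filename() or "") for p in msg.iter_attachments()):
        hits.append("AV_ATTACH_EXEC")
    return sum(scores[h] for h in hits), hits


def is_av_backscatter(msg: EmailMessage) -> bool:
    return score_backscatter(msg)[0] >= THRESHOLD


def _build(from_, subject, body, attachment=None) -> EmailMessage:
    """Constructed sample message (example.org addresses, not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_, "bob@example.org", subject
    m.set_content(body)
    if attachment:  # a few bytes stand in for the worm's executable
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m


# Modelled on the Norton and MailScanner warnings quoted in the article.
WARNING = _build(
    "avadmin@example.net", "Virus found in a message you sent",
    "Our virus scanner found a virus in an attachment you (bob@example.org) "
    "sent to carol@example.net.\nAttachment: readme.pif\n"
    "Virus name: W32.Novarg.A@mm. Action taken: quarantine succeeded.\n"
    "Please scan your computer and resend the attachment.",
    attachment="message.pif")
# A genuine DSN and an ordinary message; both must stay below the threshold.
BOUNCE = _build("MAILER-DAEMON@mail.example.net",
                "Returned mail: see transcript for details",
                "The following addresses had permanent fatal errors:\n"
                "<dave@example.net> (reason: 550 5.1.1 User unknown)")
REPORT = _build("alice@example.com", "Quarterly report",
                "Here are the figures we discussed yesterday.")

if __name__ == "__main__":
    for label, m in (("warning", WARNING), ("bounce", BOUNCE), ("report", REPORT)):
        print(label, score_backscatter(m))
```

Run as a script it prints the score and the rules that fired for each constructed message: the warning lands well above the threshold (the attached .pif alone adds 3.0, because a "warning" that carries the worm is the worm), the genuine bounce scores 1.0 on its MAILER-DAEMON sender and nothing else, and the ordinary report scores 0. gateway_actions("W32.Novarg.A@mm") leaves notify_sender off while gateway_actions("WM/Concept.A") turns it on; a site that prefers Martin's stricter rule (never reply to anyone) can simply delete the non-mailer branch.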