Slashdot Mirror


Klez: a closer look

sheriff_p writes "Anyone receiving even a small amount of email is likely to have encountered Klez variants of some form in the last few months - Message Labs shows it as being the biggest email-transmitted virus of all time by some way. So just how boring is it? Virus Bulletin has an in-depth look at what makes Klez tick." And today alone, Klez virus e-mails were 90% of my e-mail by bytecount. YAY Outlook!

12 of 196 comments

  1. Re:Stupid Address Books by doctor_oktagon · · Score: 3, Informative

    Encryption doesn't solve anything if the method of opening the address book is the point of failure.

    i.e. the virus doesn't raw-read the address file, it uses the Outlook API to look it up on its behalf, just like any other program.

    Hence, the fact the address book file is now encrypted does not stop the virus using it.

    You dig? ;-)

  2. Good way to filter UCE by Anonymous Coward · · Score: 4, Informative

    Set up an E-Mail address at your domain, called something like:

    ignoreme@example.net

    and publish it on your webpage, as an address for UCE only, and ask people not to send correspondence to it.

    Then, filter all E-Mail received in your other mailboxes against all of the mail received by ignoreme, and any that matches, delete.
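
The spam-trap correlation this comment describes, as an added example (not part of the thread and not anyone's posted code). It fingerprints each message body after stripping the parts that vary per recipient, so the copy sent to the trap address and the copy sent to a real mailbox hash the same. The trap address is the one the comment proposes; the messages are constructed for the example, not captured mail.

```python
import hashlib
import re
from email import message_from_string

# Matches e-mail addresses so recipient personalization ("Dear alice@...")
# does not defeat the comparison.
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def normalize_body(raw):
    """Canonicalize a message body so copies that differ only in the
    recipient address and line wrapping hash identically."""
    body = message_from_string(raw).get_payload()
    body = body.lower()
    body = ADDR_RE.sub("<addr>", body)   # drop per-recipient addresses
    return " ".join(body.split())        # collapse whitespace and wrapping


def fingerprint(raw):
    return hashlib.sha256(normalize_body(raw).encode("utf-8")).hexdigest()


def build_trap_index(trap_messages):
    """Fingerprints of everything ever delivered to ignoreme@example.net."""
    return {fingerprint(m) for m in trap_messages}


def filter_inbox(messages, trap_index):
    """Return (verdict, message) pairs: 'delete' when the body matches
    something already seen at the trap address, 'keep' otherwise."""
    return [("delete" if fingerprint(m) in trap_index else "keep", m)
            for m in messages]


# Constructed samples: one UCE sent both to the trap and to a real user
# (differing only in greeting and wrapping), plus one legitimate message.
TRAP_MAILBOX = [
    "To: ignoreme@example.net\nSubject: Make money fast\n\n"
    "Dear ignoreme@example.net,\nBUY NOW at http://offer.example/\n",
]
ALICE_INBOX = [
    "To: alice@example.net\nSubject: Make money fast\n\n"
    "Dear alice@example.net, BUY NOW at http://offer.example/\n",
    "To: alice@example.net\nSubject: lunch?\n\nAlice, are you free at noon?\n",
]

if __name__ == "__main__":
    index = build_trap_index(TRAP_MAILBOX)
    for verdict, msg in filter_inbox(ALICE_INBOX, index):
        print(verdict, msg.splitlines()[1])
```

The index has to be cumulative (every message the trap has ever received), since the real mailbox may get its copy before or after the trap does. Matching on a normalized body only catches bulk mail that is identical apart from the recipient; senders that randomize wording per message need a fuzzier comparison than a hash.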

  3. Question by Mr_Silver · · Score: 5, Informative
    Unless I'm misreading this, isn't the major thing about this virus that it runs automatically using an IE exploit?

    I mean, that the whole going through your contacts/sent items list and mailing them is all very well, but I can write some perl that does that with your Pine folders easily enough.

    I posted an article a while ago on this but it was rejected. It's a Wired article entitled "The Great MS Patch Nobody Uses". Granted it is Microsoft's fault this stupid stupid exploit happened in the first place, but it's also interesting to note that the fix for 80% of these problems has been available for over a year virtually unnoticed.

    And finally, if you're running procmail then:

    # Body-scanning recipe (the B flag): the MIME part headers that name the
    # attachment are in the message body, not in the top-level headers.
    # Procmail regexes are case-insensitive, so .EXE and .Exe match as well.
    :0 B
    * Content-Disposition: attachment
    * name="?.*\.(com|exe|pif|scr|bat|lnk|shs|vbs)("|$)
    {
    # Stick it somewhere out of the way: a locked (second colon) delivery
    # to an mbox file, so concurrent deliveries can't interleave.
    :0:
    /home/accountname/mail/viruses
    }

    does a pretty good job of filtering out that sort of junk.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
    1. Re:Question by indiigo · · Score: 2, Informative

      That "great MS patch" does not block a significant variety of HTML- and JS-borne code. There have been about 7 exploits each on 2002 and 2000 that work on Outlook messages if HTML is enabled, regardless of that patch. They were just patched last month, in fact.

  4. Re:More to do with admin set up. by autechre · · Score: 5, Informative
    Not all of the complaints about Outlook are "bs". Certainly, a lot of people seem to like the interface. This is one point that has probably kept it on users' desktops.

    However, it will randomly refuse to work with perfectly functional IMAP servers. Some people have had it delete everything in their inbox. And many aspects of its design make it an easy target for virus writers. Up until recently, even if you knew what you were doing and wanted to, you couldn't prevent Outlook from displaying HTML (and everything associated with it, such as Javascript and Web bugs). It's gotten a bit more difficult to have it automatically execute attachments, but apparently not difficult enough. (In all fairness, it should be pointed out that a large section of the population would simply execute those attachments themselves anyway).

    It's easy to say that you're safe at work. You're sitting behind various filters set up by competent administrators. But many people at home don't have that option. If an ISP started filtering out attachments by file type, many would doubtless scream bloody murder. Home users are the main problem here (not that it's necessarily their fault). In an unprotected environment, Outlook still makes it too easy for virus writers, and while I would love to be in a world where everyone was shielded by competent admins (hello big job market for me!), we currently aren't.

    --
    WMBC freeform/independent online radio.
  5. the forged From: line makes all the difference by frankie · · Score: 4, Informative

    Klez is not really such a smart virus, compared to some of the earlier Outlook scripts that would grab a real document off the luser's HD and send it. The thing that makes it a major PITA is the forgery.

    The only way to track down a Klez sender is to follow the Received: headers back to the ISP, and ask them to search their RADIUS &/or DHCP logs to figure out which user was at that address at the time the message was sent. Most ISPs that I've contacted would rather not bother, so the infected PCs remain blissfully ignorant.

    Alternately, the ISP could require authenticated SMTP, and attach the real user ID to every message in some way. Or install a virus filter on the outbound connection. But once again, they don't want to bother. It's the tragedy of the commons.

  6. Re:Hemos, CmdrTaco by _xeno_ · · Score: 5, Informative
    They still have to download the crap before they can filter it, right? How do you know that they aren't filtering it all out and aren't looking at a report that says "Filtered e-mail: 90% Klez, 9% Spam, 0.45% Troll, 0.45% Flamebait, 0.05% Stupid, 0.04% Real, 0.02% Complaints About Slashdot Math"?

    Maybe Hemos came up with the figure by checking his e-mail and watching as 90% of it was filtered into the bitbucket. Maybe he still filters it by hand - regardless, when a massive collection of your inbox is junk, you still have to watch it go through the filter. (Well, OK, not always - there are filter setups where you don't see it, but let's not get too technical, alright?)

    The bottom line is this: they may filter it, but they still have to deal with the incoming bytes in some way. The "90%" figure probably comes from either a filter report, or from watching the data be filtered if they're using client-based filtering. Just because they know that 90% of their incoming e-mail is crap doesn't mean they manually sort it.

    --
    You are in a maze of twisty little relative jumps, all alike.
  7. Re:A question by Frogking · · Score: 1, Informative

    Your best bet is to look at the full headers of the message to see what IP address the virus came from. Next, use something like ARIN Whois (http://www.arin.net/whois/index.html) to find out what ISP that IP address belongs to. Then forward the original message to this ISP *as an attachment* (this preserves the headers with the IP address and timestamp) and ask that they contact their customer. Most ISPs can check to see what user was connected to a certain IP address at a specific time, thus telling them who is infected. Most ISPs won't actually tell you who the sender is (mostly for privacy reasons, but also to prevent people from getting in fistfights over a virus that probably wasn't sent on purpose to begin with!).
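
The header walk that comments 5 and 7 describe, as an added example (not part of the thread, not any poster's code). The one detail a practitioner needs that the comments leave implicit: each relay prepends its own Received: line, so only the lines written by hosts you control can be trusted, and the address to take to ARIN whois and the ISP is the peer that handed the message to the first of those hosts. Everything below that was written by machines the sender may control and is as forgeable as the From: line. The trusted host names, the hop names and the addresses (documentation ranges) are all assumptions constructed for the example.

```python
import re
from email import message_from_string

# Hosts we operate (assumed for the example): only Received: lines that
# these hosts wrote are trustworthy.
TRUSTED_HOSTS = {"mail.example.net", "mx.example.net"}

# "from HELO (rdns [ip]) by HOST ..." as sendmail/postfix-style MTAs write
# it; rdns may be absent ("([ip])") or "unknown".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Pull helo, rdns, ip and receiving host out of one Received: value."""
    m = RECEIVED_RE.search(" ".join(value.split()))   # unfold line wrapping
    return m.groupdict() if m else None


def origin_ip(raw, trusted=TRUSTED_HOSTS):
    """IP of the machine that handed the message to the first host we trust.

    Received: headers are prepended by each hop, so index 0 is the newest.
    Walk newest to oldest while the line was written by one of our hosts;
    the first peer that is not ours is the external origin as we saw it.
    The HELO name is client-supplied, so only reverse DNS decides trust.
    """
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop["by"].lower() not in trusted:
            break                    # not written by us: stop walking
        if hop["rdns"].lower() not in trusted:
            return hop["ip"]
    return None


def naive_last_hop_ip(raw):
    """What you get by blindly trusting the bottom-most Received: line."""
    hops = [parse_received(v)
            for v in message_from_string(raw).get_all("Received", [])]
    return hops[-1]["ip"] if hops and hops[-1] else None


# Constructed headers in the shape the comments describe: a forged From:
# and one Received: line per hop.  Names and addresses are invented.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <me@example.net>; Tue, 11 Jun 2002 09:15:01 -0400
Received: from Ffpmtwpkl (cust-77.dsl.isp.example [203.0.113.77])
\tby mx.example.net (Postfix) with SMTP id 4D5E6F;
\tTue, 11 Jun 2002 09:14:57 -0400
From: innocent@example.org
To: me@example.net
Subject: A Excite Game

(body omitted)
"""

# Same message with a bogus Received: line slipped in underneath the real
# ones, pointing the blame at the address whose From: was forged.
FORGED = SAMPLE.replace(
    "From: innocent@example.org",
    "Received: from innocent (innocent.example.org [198.51.100.5])\n"
    "\tby Ffpmtwpkl with SMTP; Tue, 11 Jun 2002 09:14:00 -0400\n"
    "From: innocent@example.org",
)

if __name__ == "__main__":
    print("origin:", origin_ip(FORGED))          # the real peer of our MX
    print("naive :", naive_last_hop_ip(FORGED))  # the planted address
```

The result is the address to look up and forward with the full headers; as comment 7 says, the ISP's own connection logs are what tie it to a customer, and you should expect not to be told who that was.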

  8. how I deal with Klez by Dr.+Awktagon · · Score: 3, Informative

    Well, the anti-virus companies won't tell you how to block Klez (except by buying their products) but I funnel all my mail through a custom filter and this is the algorithm I use to get rid of Klez-like messages, once and for all:

    If message contains multipart/alternative entity,
    and entity has a part with a filename,
    and the filename's extension doesn't match the entry in /etc/mime.types,
    then drop the message.

    You could also, I think, send a "you're an idiot" bounce message to the envelope MAIL FROM: address (not the header From:, it's wrong). That one usually looks correct. Not sure though, probably best to just drop them.

    There are other clues in the message, such as IFRAME code, etc., but this seems foolproof, and I can't imagine any normal email program generating multipart/alternative sub-parts with a filename.
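
The rule this comment states, implemented as an added example (not the poster's filter and not part of the thread): find any multipart/alternative entity, and drop the message if one of its parts carries a filename whose extension maps, in a mime.types table, to a type other than the one the part declares. The small built-in table is a constructed stand-in for /etc/mime.types so the code runs anywhere; load_mime_types() extends it from the real file when present. The sample messages are constructed in the shape the thread describes, not captured Klez mail.

```python
import os
from email import message_from_string, policy

# Constructed stand-in for /etc/mime.types.  Extensions absent from the table
# cannot mismatch, so list the executable types you care about.
FALLBACK_MIME_TYPES = {
    ".txt": "text/plain", ".htm": "text/html", ".html": "text/html",
    ".gif": "image/gif", ".jpg": "image/jpeg", ".wav": "audio/x-wav",
    ".pdf": "application/pdf",
    # treated as Windows executables
    ".exe": "application/x-msdownload", ".scr": "application/x-msdownload",
    ".pif": "application/x-msdownload", ".bat": "application/x-msdownload",
}


def load_mime_types(path="/etc/mime.types"):
    """Extension -> type map read from a mime.types file, seeded with the
    fallback table (the file's entries do not override it)."""
    table = dict(FALLBACK_MIME_TYPES)
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                fields = line.split("#", 1)[0].split()
                for ext in fields[1:]:
                    table.setdefault("." + ext.lower(), fields[0].lower())
    return table


def extension_mismatch(part, table):
    """True when the part names a file whose extension the table maps to a
    type other than the one the part declares."""
    filename = part.get_filename()          # Content-Disposition filename= or
    if not filename:                        # Content-Type name=
        return False
    expected = table.get(os.path.splitext(filename)[1].lower())
    return expected is not None and expected != part.get_content_type()


def is_klez_like(msg, table=FALLBACK_MIME_TYPES):
    """The comment's rule: a multipart/alternative entity with a named
    sub-part whose extension disagrees with its declared MIME type."""
    for entity in msg.walk():
        if entity.get_content_type() != "multipart/alternative":
            continue
        if any(extension_mismatch(p, table) for p in entity.iter_parts()):
            return True
    return False


def classify(raw, table=FALLBACK_MIME_TYPES):
    msg = message_from_string(raw, policy=policy.default)
    return "drop" if is_klez_like(msg, table) else "deliver"


# Constructed: an alternative whose second part is declared audio/x-wav
# but carries an .exe filename.
SUSPECT = """\
From: someone@example.org
To: webmaster@example.net
Subject: A Excite Game
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body>This is a excite game I made.</body></html>
--B1
Content-Type: audio/x-wav; name="game.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--B1--
"""

# Constructed: an ordinary text/html alternative with no named parts.
BENIGN = """\
From: friend@example.org
To: webmaster@example.net
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B2"

--B2
Content-Type: text/plain

Hello
--B2
Content-Type: text/html

<p>Hello</p>
--B2--
"""

# Constructed: a real attachment in multipart/mixed, which the rule ignores.
ATTACHMENT = """\
From: friend@example.org
To: webmaster@example.net
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B3"

--B3
Content-Type: text/plain

See attached.
--B3
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

line one
--B3--
"""

if __name__ == "__main__":
    table = load_mime_types()
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN),
                       ("attachment", ATTACHMENT)):
        print(label, classify(raw, table))
```

The rule only looks inside multipart/alternative, so a mailer that attaches a file inside multipart/mixed is untouched even when the extension is unusual; whether that scope is tight enough for your mail stream is the thing to check against a sample of legitimate messages before turning on the drop.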

  9. Don't just blame outlook by Anonymous Coward · · Score: 1, Informative

    Eudora, for instance, by default these days uses the Internet Explorer HTML rendering (even though it includes its own) including ActiveX and MIME vulnerabilities.

  10. Re:90%? really? by Patrick13 · · Score: 3, Informative

    In the height of the Klez infections (about 2 1/2 months ago), I got 76 emails infected with Klez in one morning.

    The trick with Klez is that it spoofs the "from" header, and chooses an address at random from the infected computer's address book and its web cache.

    I got tons of infected emails from people who had only surfed into a page containing one of my email addresses. Since I have 25 or so design clients, this can add up to quite a few "webmaster@" email addresses. While my busiest site gets about 700 unique visitors daily, overall, my email accounts are exposed to ca. 4500 uniques daily.

    That's a lot of novice users who think that getting an email that has the subject:

    "A Excite Game"

    and a body message that runs something like:

    This is a excite game I made. It is my first try at a game. I hope you like it!

    is a legit email. I have personally gotten this one over and over again, with the adjective randomized (a FUNNY game, a NEW game, etc.).

    I can't believe that people open it, but they do. And they get infected, and then I get mails from them, spoofed to appear to be coming from someone in their address book, or their browser cache.

    Which makes it a drag, because you can't easily track down the offending individual.

    The reason I think this virus is so prevalent (aside from the fact that most users are so gullible) is simply because you can't email the infected party and say "hey, you are infected with Klez", but with other viruses, such as SirCam and whatnot, you could, thereby stopping the virus infection, eventually.

    --
    ::.. check out some Cell Phone Reviews
  11. Re:Procmail rule to catch Klez by Scooby+Snacks · · Score: 2, Informative

    Try this to get started.

    --
    Runnin' around, robbin' banks all whacked on the Scooby Snacks...