Food for thought

Kevin Spicer kevin at KEVINSPICER.CO.UK
Wed Mar 3 21:05:24 GMT 2004


On Wed, 2004-03-03 at 20:22, Marco Obaid wrote:
> Something I thought about this morning, since the protected-zip dilemma
> ignited all over this list and that is:
> 
About a month ago a colleague and I were commenting on the virus in zip
files thing and speculating how long it would be before we saw password
protected zips being used (based on the principle that if you can trick
a user into opening a zip and running the attachment you can get them to
enter a password - after all it is there to protect them, right?).  We
weren't being entirely serious, so we were a little surprised when it
actually happened!

So the question is where next?  Despite all the viruses circulating
right now (or perhaps because of them) virus detection is getting better
and better, more people (especially large ISPs and corporations) are
implementing mail filtering.  I don't think there's a lot of mileage left
in the 'virus in attachment' issue - there are really only two other ways I
can think of (off the top of my head).

1) Encryption (to make messages unscannable).  It would be fairly easy
to target PGP users by grabbing public keys and email addresses from the
key servers.  But most PGP users are more sophisticated users who aren't
likely to fall for unsubtle social engineering tricks.  Anyway there
aren't (relatively speaking) very many PGP users around, so any virus
targeting this method is unlikely to reach the critical mass required
for a large scale outbreak.  I imagine similar problems for virus
writers attempting to use other encryption technologies.

2) Virus external to message.  In other words social engineer the user
into clicking a hyperlink in an HTML message.  The first time I
considered this I thought that it would be difficult because a website
spreading a virus would probably be quickly disabled.  Of course it
could attempt to infect running webservers it finds and use those.  But
would this be enough to gain critical mass?  We have already seen
viruses running their own SMTP engine, I wonder how long before we see
viruses with a built in HTTP server (trivial to code if you only want to
return one page).  We recently implemented HTTP filters and catch a few
viruses every week (mostly JavaScript stuff), I think effective HTTP
filtering is likely to become increasingly important.  I think there may
be a sudden move back towards email as a primarily text only form of
communication (as companies find themselves needing to block or strip
HTML content in emails).

My other prediction is that there will be more convergence between virus
and spam traffic.  Viruses spread most effectively by fooling users into
thinking they are from someone they know, whereas spam is always from
complete strangers.  How long before the network of spam zombies starts
sending spam to contacts found on the unfortunate user's hard drive,
just as the virus that turned the machine into a zombie originally
spread?  It concerns me that this could lead to a major breakdown in the
usefulness of email as a form of communication.

Just my thoughts, anyone care to join in?...
-- 
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)

This message is digitally signed using the GNU Privacy Guard.  
My public key may be obtained from http://www.keyserver.net
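As an added example from the editor (not part of Kevin's post and not MailScanner's own code), here is the check a mail filter needs for the "protected zip" problem discussed above: a scanner cannot inspect an encrypted entry, so the filter's decision has to rest on the archive's own metadata. Bit 0 of each entry's general-purpose flag word marks it as encrypted; the function below lists such entries and turns the result into a quarantine verdict. The sample archives are constructed inside the block; because the standard library cannot write encrypted zips, the encryption flag on one entry is set by hand in the central directory, which is exactly the field a reader consults. All names (`encrypted_members`, `verdict`, the sample file names) are illustrative.

```python
import io
import struct
import zipfile

# Bit 0 of the general-purpose flag word marks an encrypted entry (PKWARE APPNOTE 4.4.4).
ENCRYPTED_FLAG = 0x0001


def encrypted_members(zip_bytes: bytes) -> list[str]:
    """Names of entries a content scanner cannot look inside because they are encrypted."""
    names = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                names.append(info.filename)
    return names


def verdict(zip_bytes: bytes) -> str:
    """Filter policy: anything that hides content from scanning is held, not passed."""
    try:
        hidden = encrypted_members(zip_bytes)
    except zipfile.BadZipFile:
        return "quarantine: not a valid zip archive"
    if hidden:
        return "quarantine: encrypted entries " + ", ".join(hidden)
    return "pass"


def _make_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive; STORED so the payload bytes cannot mimic a zip signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes, name: str) -> bytes:
    """Set the encryption flag on one entry's central-directory record (constructed sample).

    The stdlib cannot write password-protected zips, so the flag is flipped rather than the
    data actually encrypted; for the filter's purpose the flag is what matters.
    Central directory header: signature at +0, flags at +8, name length at +28, name at +46.
    """
    data = bytearray(zip_bytes)
    sig = b"PK\x01\x02"
    pos = data.find(sig)
    while pos != -1:
        name_len = struct.unpack_from("<H", data, pos + 28)[0]
        entry_name = bytes(data[pos + 46:pos + 46 + name_len]).decode()
        if entry_name == name:
            flags = struct.unpack_from("<H", data, pos + 8)[0]
            struct.pack_into("<H", data, pos + 8, flags | ENCRYPTED_FLAG)
        pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed samples: a plain archive and one whose executable entry is marked encrypted.
SAMPLE_CLEAN = _make_zip({"notes.txt": b"plain text, nothing hidden"})
SAMPLE_PROTECTED = _mark_encrypted(
    _make_zip({"readme.txt": b"the password is in the mail body",
               "invoice.exe": b"not a real executable"}),
    "invoice.exe",
)

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("protected", SAMPLE_PROTECTED)):
        print(f"{label}: {verdict(sample)}")
```

The check reads only the central directory, so it costs nothing compared with decompression, and it fails closed: a malformed archive is held as well, since a scanner that cannot parse the file has no basis for passing it.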


More information about the MailScanner mailing list