RFC: virus handling

From: Thomas Zehetbauer (thomasz_at_hostmaster.org)
Date: 01/28/04

  • Next message: Donato Ferrante: "Denial Of Service in SurfNOW 2.2" 
    To: bugtraq@securityfocus.com
Date: Wed, 28 Jan 2004 16:45:39 +0100

    Looking at the current outbreak of the Mydoom.A worm I would like to
    share and discuss some thoughts:

    1.) Virus Detected Notifications
    After filtering out the messages generated by the worm itself there
    remain a lot of messages generated by automated e-mail scanning
    solutions.

    1.1.) Configuration
    Unless the virus scanner provides special handling for worms and virii
    which knowingly use a faked sender address it should not send out
    notification messages unless the administrator has been warned that
    these notification messages may not reach the intended recipient and has
    still enabled this feature.

    1.2.) Format
    These messages cannot be easily filtered because they come in many
    different formats and do often not contain any useful information at
    all.

    1.2.1.) Standardization
    To allow filtering of these messages they should always carry the text
    'possible virus found' in the subject optionally extended by the name of
    the virus or the test conducted (eg. heuristics).

    1.2.2.) Virus Information
    The message should always include the name of the virus found or the
    test conducted (eg. forbidden file type).

    1.1.2.) Original Message
    The notification should never include the original message sent as
    otherwise it may send the worm/virus to a previously unaffected third
    party or re-infect a system that has already been cleaned.

    1.2.) Notification
    Regarding wasted time and storage capacity the false notifications sent
    out to innocent third parties by many systems are already causing more
    damage than the actual worm or virus. Given the current situation of
    many unaware or ignorant administrators everyone capable to do so should
    tell these people to fix their badly configured e-mail scanners.

    2.) Non Delivery Notifications
    It seems that this worm is trying to avoid people getting treacherous
    non delivery notifications by using obviously faked but otherwise
    plausible e-mail addresses. This may cause double bounce messages or
    even message loops at badly configured sites.

    2.1.) Avoid
    Virus filters should therefore be designed and implemented before
    checking the legitimacy of the intended recipient. This would also avoid
    helping the virus spread by bouncing it to a previously unaffected third
    party.

    3.) ISPs
    It is worth to note that once again primarily individuals using a
    commercial provider have been affected by this worm.

    3.1.) Notification
    As these people do mostly not run a SMTP server on their system it is
    unfortunately almost impossible to contact them when only knowing their
    IP address.

    3.1.1.) Abuse Role Account
    Providers should provide an adequately stuffed abuse role account to
    allow the affected users beeing notified. To ease efficiency messages
    sent there should include the IP address, the exact time and date of the
    incident and the name of the virus on the subject line.

    3.1.2.) e-mail Alias and Web-Interface
    Additionally providers should provide e-mail aliases for the IP
    addresses of their customers (eg. customer at 127.0.0.1 can be reached
    via 127.0.0.1@provider.com) or a web interface with similiar
    functionality. The latter should be provided when dynamically assigned
    IP addresses are used for which an additional timestamp is required.

    3.2.) Disconnect
    Providers should grant their customers some grace period to clean their
    infection and should thereafter be disconnected entirely or filtered
    based on protocol (eg. outgoing SMTP) or content (eg. transparent
    smarthost with virus scanner) until they testify that they have cleaned
    their system.

    Regards
    Tom 

    -- 
  T h o m a s   Z e h e t b a u e r   ( TZ251 )
  PGP encrypted mail preferred - KeyID 96FFCB89
       mail pgp-key-request@hostmaster.org
Experience is what you get when you expected something else.

  • Next message: Donato Ferrante: "Denial Of Service in SurfNOW 2.2"

    Relevant Pages

    • RE: virus handling
      ... > Looking at the current outbreak of the Mydoom.A worm I would like to ... Virus Detected Notifications ... > these notification messages may not reach the intended ... > To allow filtering of these messages they should always carry the text ...
      (Bugtraq)
    • RFC: content-filter and AV notifications (Was: Re: RFC: virus handling)
      ... TZ> Looking at the current outbreak of the Mydoom.A worm I would like ... Virus Detected Notifications ... TZ> warned that these notification messages may not reach the intended ... TZ> To allow filtering of these messages they should always carry the ...
      (Bugtraq)
    • Re: RFC: virus handling
      ... > To allow filtering of these messages they should always carry the text ... > the virus or the test conducted. ... Delivery Status Notification has many disadvantages but IMHO it ... taking any steps to prevent future infections (at least reinfections by ...
      (Bugtraq)
    • Re: RFC: virus handling
      ... There is one standardized feature for virus and other bounce messages, ... > Looking at the current outbreak of the Mydoom.A worm I would like to ... > these notification messages may not reach the intended recipient and has ...
      (Bugtraq)
    • RE: virus handling
      ... Well to be quite honest I've had a lot of luck mitigating with an ISP to ... > Looking at the current outbreak of the Mydoom.A worm I would like to ... Virus Detected Notifications ... > these notification messages may not reach the intended recipient and ...
      (Bugtraq)