Malicious Software: Recognizing Fake E-mail
Malicious software can be generally classed into two different types: "worms" that take advantage of system bugs and exploits to propagate themselves automatically, and "trojan horses" that use psychological tricks to try to fool you into opening the software and infecting the computer.
To protect yourself from worms, you need to apply current updates and security patches to your computer. See the companion documents Protection Advice for Windows PCs and Protection Advice for Macs & UNIX Systems for specific details.
Protection from psychological exploits is not a simple matter of installing an update. Although antivirus software can provide some measure of protection from trojan horses, there are many "Day Zero" infections that get into the wild before antivirus software companies can react. Your antivirus software may also fall out of date if your computer is off the Internet for a while (for example, with a laptop that you use occasionally). So you need to exercise safe computing principles to identify malicious software before you open it.
E-mail Viruses
Some malicious software propagates by generating e-mail with faked From, To, and Subject headers. These e-mails will usually have manufactured From addresses and the trojan horse software as an attachment. If you open the attachment, you get infected.
The headers and form of the e-mail vary greatly depending on which malicious software was responsible for the forged e-mail. However, there are some common traits that you can look for:
- Forged e-mail may use a generic From address, like support@rice.edu or security@microsoft.com. The malicious software uses these addresses because it knows that e-mail addresses with words like "support" and "security" will sound official.
- Since the trojan horse is not really intelligent, it will manufacture Subject lines or message bodies that sound official, but that are generic and non-personal in nature. For example,
Subject: Account Termination
Dear Rice.edu User,
Your account was terminated for improper use...
A genuine e-mail from Rice's Information Technology department will contain clear information outlining the nature of the problem and the personal name and contact information of a Rice IT staff member. It will also specify where you can go to get more information or to request additional help.
- In order to propagate to new computers, most malicious software will attach a copy of the trojan horse to the e-mail. The goal is to trick you into opening the infectious software. Fortunately, these malicious attachments are fairly easy to recognize. If the attachment file name includes one of the following file extensions, it's probably a virus:
.BAS .BAT .CHM .CMD .COM .CRT .EXE .HLP
.INF .INS .ISP .LNK .MSI .MTX .PCD .PIF
.SCR .SHS .VBS .WSF .WSH
Also watch for file names with extra file extensions designed to trick you, such as MYFILE.TXT.PIF or THISFILE.DOC.EXE. Although we scan all incoming and outgoing e-mail here at Rice, sometimes a new virus will slip through the net for a few hours before we catch it.
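The traits above can be checked mechanically before anyone opens an attachment. The Python script below is an added example and is not part of the Rice advisory or of Rice's mail scanning: it parses a message with the standard library, flags a From address whose local part is one of the generic names the advisory mentions ("support", "security"), and flags attachments whose final extension is on the list above or that hide such an extension behind a harmless-looking one (MYFILE.TXT.PIF). The sample message, its MIME boundary and its placeholder attachment body are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Attachment extensions the advisory lists as almost certainly a virus.
RISKY_EXTENSIONS = {
    ".bas", ".bat", ".chm", ".cmd", ".com", ".crt", ".exe", ".hlp",
    ".inf", ".ins", ".isp", ".lnk", ".msi", ".mtx", ".pcd", ".pif",
    ".scr", ".shs", ".vbs", ".wsf", ".wsh",
}

# Local parts that forged mail borrows because they sound official. Taken from
# the advisory's examples; extend it with names your own help desk never uses.
OFFICIAL_SOUNDING_LOCAL_PARTS = {"support", "security"}


def attachment_risk(filename):
    """Return the reasons an attachment name looks dangerous ([] if none)."""
    reasons = []
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    final_ext = "." + parts[-1]
    if final_ext in RISKY_EXTENSIONS:
        reasons.append(f"executable extension {final_ext}")
        # MYFILE.TXT.PIF: a harmless-looking inner extension hides the real one
        if len(parts) >= 3 and parts[-2]:
            reasons.append(f"double extension .{parts[-2]}{final_ext}")
    return reasons


def inspect_message(raw_message):
    """Scan a raw RFC 822 message and return a list of human-readable warnings."""
    msg = message_from_string(raw_message)
    findings = []

    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    local_part = from_addr.split("@")[0]
    if local_part in OFFICIAL_SOUNDING_LOCAL_PARTS:
        findings.append(f"generic official-sounding From address: {from_addr}")

    for part in msg.walk():                 # visits every MIME part, nested or not
        filename = part.get_filename()
        if filename:
            for reason in attachment_risk(filename):
                findings.append(f"attachment {filename}: {reason}")
    return findings


# Constructed sample modelled on the advisory's "Account Termination" example.
# The attachment body is a placeholder string, not real malware.
SAMPLE_MESSAGE = """\
From: support@rice.edu
To: you@rice.edu
Subject: Account Termination
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain

Dear Rice.edu User,

Your account was terminated for improper use...

--sample-boundary
Content-Type: application/octet-stream; name="MYFILE.TXT.PIF"
Content-Disposition: attachment; filename="MYFILE.TXT.PIF"

PLACEHOLDER-BYTES
--sample-boundary--
"""

if __name__ == "__main__":
    for warning in inspect_message(SAMPLE_MESSAGE):
        print("WARNING:", warning)
```

Run against the sample, the script reports the generic From address once and the attachment twice (once for the .PIF extension, once for the double extension). A name check like this is a screening aid only; a file with a harmless extension can still be dangerous, so a flagged attachment is a reason to call the help desk, and a clean one is not proof of safety.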
Misdirected Error Messages
Another common type of e-mail resulting from malicious software is a misdirected error message. If you receive a message indicating that you sent an e-mail containing a virus, don't panic! These messages are usually the result of e-mail forgery. For example,
Date: Thu, 19 May 2005 08:36:08 -0500 (CDT)
To: <you@rice.edu>
From: <postmaster@metc.state.us>
Subject: Warning: Virus Detected in Your E-mail
Original-Recipient: <simprry@metc.state.us>
Action: failed
Diagnostic-Code: smtp; 550 Virus Detected in E-mail Attachment
This ominous-looking error message does not mean that your computer is infected. Since all e-mail viruses will forge the From field, mail servers may send warnings back to the forged address. These messages are harmless and may be ignored.
Hoaxes
A hoax e-mail may contain a virus warning or error message, but it's just a lie designed to confuse you. The hoax may even include instructions to "remove the virus". At best these instructions are worthless, and at worst they may cause your computer to stop working correctly if you follow them. Here is an example:
The objective of this e-mail is to warn all Hotmail users about a new virus that is spreading by MSN Messenger. The name of this virus is jdbgmgr.exe and it is sent automatically by the Messenger and by the address book too. The virus is not detected by McAfee or Norton and it stays quiet for 14 days before damaging the system.
In order to eliminate it, it is just necessary to do the following steps:
1. Open C:, Windows, System32
2.- If the virus is there (it has a little bear-like icon with the name of jdbgmgr.exe) DO NOT OPEN IT FOR ANY REASON
3.- Right click and delete it (it will go to the Recycle bin)
IF YOU FIND THE VIRUS IN ALL OF YOUR SYSTEMS SEND THIS MESSAGE TO ALL OF YOUR CONTACTS LOCATED IN YOUR ADDRESS BOOK BEFORE IT CAN CAUSE ANY DAMAGE.
This warning is entirely fictitious. Here are some common features that will help you identify a hoax:
- Hoaxes often drop the names of big, important-sounding corporations (MSN, McAfee, Norton, Hotmail) to give the message an air of authority.
- Hoaxes usually promise that irrevocable computer damage will result if you fail to immediately comply.
- Hoaxes never tell you where to go for more information, since any legitimate information source will reveal that the hoax is a lie.
- Hoaxes often suggest that there is a ticking time limit, expressed in relative time ("this virus was released 8 days ago", "it will lie in wait for 14 days", etc). This time limit is designed to induce fear in the recipient without giving a specific absolute date.
- Hoaxes always encourage you to forward the e-mail to everybody you know.
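The five traits above make a checklist that can be applied to any suspicious message. The Python below is an added example, not from the Rice advisory: each trait becomes one indicator, and the score is simply how many indicators fire. The brand list, the regular expressions and the legitimate notice used for comparison (its names, date and URL are placeholders) are constructed for the example; the hoax text is the one quoted above.

```python
import re

# Names of big companies that hoaxes drop for authority (constructed list,
# seeded with the ones in the advisory's example).
BIG_NAMES = ("msn", "mcafee", "norton", "hotmail", "microsoft", "symantec")


def hoax_indicators(text):
    """Map each of the advisory's five hoax traits to True if the text shows it."""
    t = " ".join(text.lower().split())          # normalise case and whitespace
    return {
        # drops two or more big corporate names to sound authoritative
        "name_drops_brands": sum(name in t for name in BIG_NAMES) >= 2,
        # promises irrevocable damage if you do not comply
        "threatens_damage": re.search(r"\b(damag\w*|destroy\w*|crash\w*)\b", t) is not None,
        # offers no URL, phone extension or invitation to call for verification
        "no_information_source": re.search(r"(https?://|www\.|\bcall\b|\bx\d{4}\b)", t) is None,
        # relative deadline ("in 14 days") rather than an absolute date
        "relative_time_limit": re.search(r"\b\d+\s+(days?|hours?|weeks?)\b", t) is not None,
        # asks you to send or forward it to everyone you know
        "urges_forwarding": re.search(
            r"\b(send|forward)\b.{0,40}\b(all|everyone|everybody|contacts)\b", t) is not None,
    }


def hoax_score(text):
    """Number of hoax traits present (0 to 5)."""
    return sum(hoax_indicators(text).values())


# The jdbgmgr.exe hoax quoted in the advisory.
HOAX_TEXT = """\
The objective of this e-mail is to warn all Hotmail users about a new virus that is
spreading by MSN Messenger. The name of this virus is jdbgmgr.exe and it is sent
automatically by the Messenger and by the address book too. The virus is not detected
by McAfee or Norton and it stays quiet for 14 days before damaging the system.
In order to eliminate it, it is just necessary to do the following steps:
1. Open C:, Windows, System32
2.- If the virus is there (it has a little bear-like icon with the name of jdbgmgr.exe)
DO NOT OPEN IT FOR ANY REASON
3.- Right click and delete it (it will go to the Recycle bin)
IF YOU FIND THE VIRUS IN ALL OF YOUR SYSTEMS SEND THIS MESSAGE TO ALL OF YOUR CONTACTS
LOCATED IN YOUR ADDRESS BOOK BEFORE IT CAN CAUSE ANY DAMAGE.
"""

# Constructed legitimate notice for comparison: personal greeting, absolute date,
# a URL and a phone extension, a named sender. Names and URL are placeholders.
LEGITIMATE_NOTICE = """\
Dear Jane Doe,

On Tuesday, June 7, 2005 the campus mail servers will be upgraded between
6:00 and 7:00 AM. No action is required on your part. Details are posted at
http://www.rice.edu/it/ or you can call the Help Desk at x4357.

John Smith, Information Technology, Rice University
"""

if __name__ == "__main__":
    for label, text in (("hoax", HOAX_TEXT), ("legitimate", LEGITIMATE_NOTICE)):
        print(label, hoax_score(text), hoax_indicators(text))
```

The hoax scores 5 of 5 and the legitimate notice 0. The indicators are deliberately crude keyword checks, which is all a human reader does anyway; their value is in making you look for the missing contact information and the absolute date before you act on a warning.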
If you need help with a questionable e-mail or file, call xHELP (x4357) or see the other documents in this series:
