Truth About Computer Security Hysteria
A simple filter rule stops ILoveYou
Thursday, 2 November 2000
HENRI DELGER WRITES TipWorld's popular "Virus Alert" newsletter. He recently covered the issue of double extensions. ILoveYou used this four-year-old technique to destroy the Internet, as you may recall. "You should view such a file with suspicion," he concluded, "because an extra (false) extension is a trick virus writers use to fool people into opening a file."
Graham Cluley (Sophos) covered the issue of double extensions in his speech at VB2000. I could run through a list of experts who feel the same way. I'm not exactly alone here, if you catch my drift.
Still, I took heat for a recent editorial where I blamed security managers for letting double extensions arrive in email. They should block attachments with two periods in the last eight characters of the filename, I insisted.
My opinion didn't exactly please everybody. Unix gurus like to send ".tar.gz" files to each other, for example. Others think we should blame Microsoft because Windows hides trailing extensions. Some people said--
No, waitaminit. Let's get over this "blame Windows for double extensions" thing right now. You might as well blame the financial industry for computerized money laundering. After all, they made it possible to launder money by computer. Capiche?
So where was I? (Oh.) Anyway, my critics cited "false alarms" most often. "Do you realize how many innocent emails will get quarantined because of your stupid little filter rule?" No problem, I said: just modify the filter to meet your needs. Simple, right? I withstood every critique — because no one could tell me how many false alarms would result from a simple ".???.???" filter rule.
But I didn't want to win this debate by default! My opinions should stand or fall based on evidence, not the lack thereof.
So I turned to Alex Shipp (MessageLabs). His company provides managed email security on three continents. I figured if anyone could prove me right or wrong, he could. MessageLabs conducted an experiment as a favor for me, and Shipp reported these results:
229,852 emails in the test
50,536 contained attachments
1,323 contained double extensions
A naïve ".???.???" filter rule
- stopped 584 viruses/worms (100%)
- caused 739 false positives (127%)
My critics will berate me at this point. "Look at all those false positives!" Yeah — but my stupid little filter rule achieved 100% detection where it counts. It could have stopped ILoveYou, NewLove, Serbian-Badman, and Stages before they existed. Today's popular antivirus software couldn't stop them until after they existed.
Time to make a decision, kiddies. You can impact everyone in your firm because ILoveYou got through ... or you can impact one person who quietly sifts through false positives.
MESSAGELABS USES A more robust filter rule. Shipp summarized it as follows:
- strip white space from filename (and flag as suspect if it contains excessive white space)
- look for .abcd.efgh at the end of the filename, where
  abcd = 2-4 characters, all alphabetic except last which may be a digit (e.g. mp3, html)
  efgh = 2-4 characters, all alphabetic
- ignore if abcd = efgh (e.g. .doc.doc, .bmp.bmp)
- ignore if efgh is in whitelist (e.g. doc, gif, bmp, and about 20 others)
- flag as suspect if efgh is in blacklist (e.g. exe, shs, vbs, js, gz, zip, tar) — this may result in it being stopped if other heuristics also ring warning bells
- flag as very suspect if efgh is in blacklist and abcd is in whitelist
- flag as interesting otherwise (the extension is logged for statistical analysis later)
This filter rule causes almost no false positives. And it can stop ILoveYou dead in its tracks.
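The naïve ".???.???" rule and Shipp's more robust rule side by side, as an added example that is not from this column or from MessageLabs; the whitelist and blacklist contents beyond the few the column names, the "excessive white space" threshold and the sample attachment names are all assumptions.

```python
import re

# Constructed lists; the page names only a few members of each (doc, gif, bmp / exe, shs, vbs, ...)
WHITELIST = {"doc", "gif", "bmp", "txt", "jpg", "html", "mp3", "pdf"}
BLACKLIST = {"exe", "shs", "vbs", "js", "gz", "zip", "tar"}

# Trailing .abcd.efgh: abcd is 2-4 chars, alphabetic except the last may be a digit; efgh 2-4 alphabetic
DOUBLE_EXT = re.compile(r"\.([A-Za-z]{1,3}[A-Za-z0-9])\.([A-Za-z]{2,4})$")

def naive_flag(filename: str) -> bool:
    """The '.???.???' rule: two periods within the last eight characters."""
    return filename[-8:].count(".") >= 2

def classify(filename: str) -> str:
    """MessageLabs-style verdict: clean, ignore, interesting, suspect or very suspect."""
    name = re.sub(r"\s+", "", filename)
    excessive_ws = (len(filename) - len(name)) > 2   # threshold is an assumption
    m = DOUBLE_EXT.search(name)
    if m is None:
        return "suspect" if excessive_ws else "clean"
    abcd, efgh = m.group(1).lower(), m.group(2).lower()
    if abcd == efgh or efgh in WHITELIST:            # .doc.doc, .jpg.gif
        verdict = "ignore"
    elif efgh in BLACKLIST:                          # .txt.vbs outranks .tar.gz
        verdict = "very suspect" if abcd in WHITELIST else "suspect"
    else:
        verdict = "interesting"                      # logged for later statistics
    if excessive_ws and verdict in ("ignore", "interesting"):
        verdict = "suspect"
    return verdict

def compare(filenames) -> dict:
    """How many attachments each rule would stop on a list of names."""
    naive = sum(naive_flag(f) for f in filenames)
    robust = sum(classify(f) in ("suspect", "very suspect") for f in filenames)
    return {"naive": naive, "robust": robust}

# Constructed attachment names, not data from the MessageLabs experiment
SAMPLE = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",   # ILoveYou style: whitelisted.blacklisted
    "report.doc.doc",                # repeated extension, ignored
    "photo.jpg.gif",                 # ends in a whitelisted type, ignored
    "sources.tar.gz",                # Unix archive: suspect, not very suspect
    "notes.foo.bar",                 # on neither list, merely interesting
    "readme.txt",                    # single extension, clean
]

if __name__ == "__main__":
    print(compare(SAMPLE))   # {'naive': 5, 'robust': 2}
```

On this constructed sample the naïve rule quarantines five of six names while the robust rule stops only the two that end in a blacklisted type, which is the false-positive gap the column's numbers describe.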
Today's popular antivirus products bind themselves to desktop email software. They scan every incoming email for dangerous attachments. And they failed to detect ILoveYou. Do you see the problem here?
Time to make another decision, kiddies. You can buy into managed email security ... or you can buy a better antivirus product.