Vmyths.com
Truth about computer security hysteria

A simple filter rule stops ILoveYou

Rob Rosenberger, Vmyths co-founder
Thursday, 2 November 2000

HENRI DELGER WRITES TipWorld's popular "Virus Alert" newsletter. He recently covered the issue of double extensions. ILoveYou used this four-year-old technique to destroy the Internet, as you may recall. "You should view such a file with suspicion," he concluded, "because an extra (false) extension is a trick virus writers use to fool people into opening a file."
Graham Cluley (Sophos) covered the issue of double extensions in his speech at VB2000. I could run through a list of experts who feel the same way. I'm not exactly alone here, if you catch my drift.

Still, I took heat for a recent editorial where I blamed security managers for letting double extensions arrive in email. They should block attachments with two periods in the last eight characters of the filename, I insisted. My opinion didn't exactly please everybody. Unix gurus like to send ".tar.gz" files to each other, for example. Others think we should blame Microsoft because Windows hides trailing extensions.

Some people said-- No, waitaminit. Let's get over this "blame Windows for double extensions" thing right now. You might as well blame the financial industry for computerized money laundering. After all, they made it possible to launder money by computer. Capiche?

So where was I? (Oh.) Anyway, my critics cited "false alarms" most often. "Do you realize how many innocent emails will get quarantined because of your stupid little filter rule?" No problem, I said: just modify the filter to meet your needs. Simple, right?

I withstood every critique — because no one could tell me how many false alarms would result from a simple ".???.???" filter rule. But I didn't want to win this debate by default! My opinions should stand or fall based on evidence, not the lack thereof. So I turned to Alex Shipp (MessageLabs). His company provides managed email security on three continents. I figured if anyone could prove me right or wrong, he could. MessageLabs conducted an experiment as a favor for me, and Shipp reported these results:
  • 229,852 emails in the test
  • 50,536 contained attachments
  • 1,323 contained double extensions

A naïve ".???.???" filter rule:
  • stopped 584 viruses/worms (100%)
  • caused 739 false positives (127%)
My critics will berate me at this point. "Look at all those false positives!" Yeah — but my stupid little filter rule achieved 100% detection where it counts. It could have stopped ILoveYou, NewLove, Serbian-Badman, and Stages before they existed. Today's popular antivirus software couldn't stop them until after they existed. Time to make a decision, kiddies. You can impact everyone in your firm because ILoveYou got through ... or you can impact one person who quietly sifts through false positives.
MESSAGELABS USES A more robust filter rule. Shipp summarized it as follows:
  • strip white space from filename (and flag as suspect if it contains excessive white space)
  • look for .abcd.efgh where
    • abcd = 2-4 characters, all alphabetic except last which may be a digit (e.g. mp3, html)
    • efgh = 2-4 characters, all alphabetic
  • ignore if abcd = efgh (e.g. .doc.doc, .bmp.bmp)
  • ignore if efgh is in whitelist (e.g. doc, gif, bmp, and about 20 others)
  • flag as suspect if efgh is in blacklist (e.g. exe, shs, vbs, js, gz, zip, tar) — this may result in it being stopped if other heuristics also ring warning bells
  • flag as very suspect if efgh is in blacklist and abcd is in whitelist
  • flag as interesting otherwise (the extension is logged for statistical analysis later)
This filter rule causes almost no false positives. And it can stop ILoveYou dead in its tracks. Today's popular antivirus products bind themselves to desktop email software. They scan every incoming email for dangerous attachments. And they failed to detect ILoveYou. Do you see the problem here? Time to make another decision, kiddies. You can buy into managed email security ... or you can buy a better antivirus product.