McAfee Manufactures Virus Threat

The sleaze has gotten out of hand; it's time to roast a group of 20 or so companies whose profits are directly linked to creating fear in their customers, who have to keep discovering new sources of fear to improve their bottom line - or in the absence of new discoveries, keep inventing new sources of fear. Yes, it's time to take on the anti-virus software vendors.

The latest "news" to come out of the AV industry is New Virus Infects Picture Files. McAfee put up their description and made sure to issue a wide-spread press release to stir up some interest. McAfee's spokesdrone fans the flames:

• "Potentially no file type could be safe."
  
  That evolution should make computer users think twice about sending pictures or any other media over the Internet, Gullotto said.
  
  "Going forward, we may have to rethink about distributing JPGs."

Now, if you know much about computing, you may be a little suspicious of this. JPEGs are compressed image files that only contain data representing an image to be displayed, not code to be executed. A modification of that data might screw up the picture of your cat dangling from the edge of the kitchen table you like so much, but it won't turn the image into a potential virus transmitter, because the programs that display JPEGs don't read them with an eye toward executing the code. An image file is just data to be displayed. The line between "data" and "code" is a little bit fuzzy - often particular characters or a particular file can be both data and code, depending on the context of how other code handles it. Or a particular file can include both data and code separately, like a Microsoft Word file that includes data (your text) and code (some macro designed to be executed by Word when the document is opened).

But for JPEGs there's a well-designed standard, and it doesn't include executing code of any sort. If a JPEG-handling program doesn't like the data it sees, it should just stop trying to display the image, not decide to start executing code from the image. JPEGs are mostly harmless.

McAfee's claim of a virus spread through JPEGs requires one essential element: you have to have already been infected by ANOTHER virus transmitted by some actual executable code. What it comes down to is:

Once you're infected with a virus, the virus can set you up to be infected by other viruses.

No shit, Sherlock. Once you have enemy code running on your system, you're toast. A virus could alter Microsoft Word so that opening any Word document at all would erase every file on your hard drive, making every single Word document in existence a deadly threat -- to you, and to you alone. But this isn't a new virus threat of any sort. It isn't a breakthrough. It's a consequence of being infected, not a new method of being infected.

Two weeks ago, we ran a story about a cross-platform virus. Like this one, it didn't really exist in the wild. Like this one, it was mainly a PR ploy (by Symantec, in that case). But we thought it had at least some minimal technical interest as a bit of code that would run under Windows or Linux.

McAfee and Symantec (and all the other AV vendors out there) are waging a PR war to "discover" ever more news-worthy viruses to defend against. To get maximum coverage, your new virus needs to do something unique or different -- make your computer turn green, or infect something previously uninfectable, or whatever it might be. Compare this to Klez, a very basic virus similar in most ways to viruses that have gone before, which is still out there looting and pillaging tens of thousands of computers every day, but isn't ideal for AV vendors because they don't have a monopoly on the cure.

The press is catching on, to some tiny extent at least, that most virus alerts are fictitious and just designed to drum up business for the vendors. But it's far easier to repurpose a vendor's press release and call it a story than to dig into real threats that exist on the Internet, and the causes of those threats. Today, like last year and the year before and five years ago, there are major email-borne virus threats out there. (There are still old-school viruses out there too, transmitted by sneaker-net or by downloading suspicious software, but email is clearly the way to go for the discriminating virus creator.) All the real email virus threats share a few distinguishing characteristics:

• They only affect Microsoft Windows. If you aren't running Windows, you are safe.
• They're usually transmitted by email. If you know enough on your own, or you've had a half-hour class in "Email 101", you should be able to avoid executing random files received by email.
• They auto-execute in Microsoft Outlook or Outlook Express. Microsoft has finally made some progress, after many years, in reducing the vulnerability of their flagship email programs. So if you have a recent or fully-updated version of these programs, you may not be as vulnerable as people running older versions. Nevertheless, this was (and still is, since so many people don't have recent or fully-updated versions) a primary vector.

And that's really it. If you don't run Windows, you're safe. If you have basic email skills, you're safe. If you don't run Outlook, you're safe. That's the story of modern viruses, and fortunately or un-, it's a pretty boring one.

McAfee, and Symantec, and everyone else involved in the anti-virus FUD business: lay off. I mean that literally, as in, "Lay off the people you employ for the purpose of drumming up new virus threats." Lay off the public relations people you employ to say things like, "We may have to rethink about distributing JPGs." Lay off the BS. There's a real market for your product, people who (for whatever reason) are using Windows and/or Outlook, and haven't received the half-hour training course necessary to avoid viruses. You can market to them based on your fast responses to real virus threats - you don't need to manufacture any more.

Simple Virus Protection Schemes

[ThrasherTT]

1) Stop doing stupid things that can cause you to get infected!
2) Trust no one!
3) Throw your computer out the window!

You mean . . .

[vegetablespork]

. . . that all this time, the satire about the virus development divisions of anti-virus software companies actually contained a kernel of truth? Who woulda thunk it?

Malicious Code In Pictures?

[spudwiser]

I guess I better not scan in my poster of the kernal tree rendered as Tux. Thanks, thinkgeek!

Re:Simple Virus Protection Schemes

[egg troll]

4) Profit!!

Get With the Program!

[Sloppy]

JPEGs are compressed image files that only contain data representing an image to be displayed, not code to be executed.

Shows what you know. You Linux lusers don't even have Microsoft ActiveJPEG Technology yet?!?

Re:wrong assumption...

[Anonymous Coward]

Because as everybody knows, giving out you SSN and credit card numbers is the number one cause of computer viruses.

Re:Simple Virus Protection Schemes

[GreatErdrick]

3) Throw your computer out the window!

I would rather throw out Windows out of the computer...

Even spammers are catching on

[artemis67]

Check out this spam email a bunch of people in my office got yesterday:

-=-=-=-=-
Return-Path: postmaster@salisbury.net
Received: from salisbury.net (12.152.4.9) by myoffice.com with ESMTP (Eudora
Internet Mail Server 3.0.3); Wed, 12 Jun 2002 23:08:21 -0400
Date: Wed, 12 Jun 2002 23:09:46 -0400
Message-Id: 200206122309.AA2564817116@salisbury.net
Mime-Vers ion: 1.0
Content-Type: text/plain; charset=us-ascii
From: "postmaster " postmaster@salisbury.net
Reply-To: postmaster@salisbury.net
To: people in my office
Subject: WARNING: YOU WERE SENT A VIRUS
X-Mailer:
X-Mozilla-Status2: 00000000

On 06/12/2002 at 23:09:45 Our special virus software on our servers at salisbury.net
reported that your were sent an Email Virus containing the Unknown Virus in the Unknown File attachment.
The subject of the E-mail was "L Specifies the length". The E-mail containing the virus from kbndl@salisbury.net has been quarantined on our servers to prevent further damage. The virus never made it to your mailbox. (emphasis mine)

Internet Of Salisbury, Inc. provides this service free to our customers while other providers charge
a monthly fee. Though this software should catch up to 99 percent of viruses, a new virus could make it in.
If you are not running Anti-Virus software you should ASAP!

Please Contact N-Techsolutions @ 704-638-2422 or visit their website at:
http://www.n-techsolutions.com Look for the Norton Anti Virus Special! (emphasis mine)

Please do not call Internet Of Salisbury, Inc.
-=-=-=-=-

Not that there was ever any question about sleazy spammers being out there, but this one takes the cake.

Re:bah

[Anonymous Coward]

"MY WIFE NUDE.JPG.exe" probably isn't something I want to open.

Speak for yourself. And send me a copy of it, too, please!

Half hour class?

[jayhawk88]

BS. Lusers are called lusers for a reason. I'm not talking about every Windows user here, but all it takes is one to be a problem.

With some people, You can tell them to their face "Do not open emails from people you do not know", print it out in 124 point font banners hung over their cubicles, show them pict-o-grams of evil viruses destroying their data, bring Special Guest Star Burt Lancaster to reinforce the point, and drop by daily with the message written in icing on delicious chocolate cake. The minute you turn your back, they're off checking out the cool new Shakira screen saver someone sent them. The point is, it's still a problem, and it's not a problem you can completely solve with "30 minute training courses".

And please don't lay this all on Windows and Outlook either. Yes, there are some questionable design decisions in these programs. But if the whole world was running Linux or something similar, people would be causing problems running everything as root, or whatever other stupid things you can do to get yourself in trouble.

Do McAfee and Symantec sometimes go overboard with their warnings to sell more copies of their software? Of course they do. What company doesn't? Or did you think it was absolutely, positively necessary to see your doctor about Prilosec?

In fact...

[Midnight Ryder]

In fact, if the file name say "MY WIFE NUDE.JPG", I don't recommend opening it. (Well, ok, if it was MY wife, no problem. Quite the cutie. But I know some people's wife who.... *SHUDDER*)

Re:Get With the Program!

[llamalicious]

I'm afraid that you too, sir, are behind the times.

Our current initiative is Jpeg.NET, replacing the aging ActiveJPEG APIs for a faster, more stable virus replicating platform.

-BillG

Re:Conspiracy?

[corian]

Ever hear of calligraphy? Its a process of hiding data into pictures, and lots of it.

Calligraphy? I thought it involved writing fancy-shmancy letters with a special pen or brush.

Do you mean, perhaps, "steganography"?

Re:Virus Authors?

[Anonymous Coward]

WARNING there is a virus present on your hardrive.....you must delete win.com immediately!!!!

Jump on the spin doctor bandwagon

[Anonymous Coward]

Now if they were really smart, they'd start sending alerts about the "credible, non-specific threats" of various potential viruses and play off the whole "sometime in the near future, something bad could happen" trend that seems to have taken America by storm. I'm sure convincing the "Homeland defence" department to fund AV companies wouldn't be too difficult. After all, we know that all viruses come out of China, right?

Aww crap

[lokki]

I give it 45 minutes before the storm of emails from family, friends, etc., arrives warning about this one.

All caps, of course.

::sigh::

Re:Even spammers are catching on

[Sorklin]

Now that is some good spam! Not only did you stop and read it (and even add emphasis), but you respammed all of us!

Wow! I'm impressed.

Re:Simple Virus Protection Schemes

[linefeed0]

Now that you mention it, RMS agrees!

"The best way to protect yourself from this virus is to defenestrate your computer and install GNU/Linux.

If you can't throw the Windows out of your computer, throw your computer out the window!" - from here [hnt.com].

(This came from an internal MIT mailing list and was forwarded all over academia about a year ago.)

[*]Anti-Virus software pop-ups worse than virus?

[tenzig_112]

This onion-like story may have been prescient:

Anti-Virus Software Pop-Up Reminders Behave Much Like Virus [ridiculopathy.com]

Re:Virus programs are worse than the virus

[thefluxster]

What's your IP again? :)

Re:Virus programs are worse than the virus

[Capt_Troy]

No problem, it's 208.47.125.33

Re:virus writers on payroll.

[samfreed]

The country is called Bulgaria.

Yet another example of /. beeing US-centric, and is US-people being out of touch with the rest of the world.

Sigh.

Actually, if you serach the web for "Bulgravia" you come up with some Scientology.

Double sigh.

Halitosis

[PicassoJones]

Be sure to look out for the new halitosis worm!

In case you don't get the allusion, listerine invented a disease called halitosis and claimed that Listerine cured it--very much like what today's anti-virus industry is doing.

Now, they use it as a scientific-sounding term for bad breath

Re:Simple Virus Protection Schemes

[KC7GR]

>>3) Throw your computer out the window!

Alternatively, let a moving truck do it for you. ;-)

A while back, I read this story (don't remember where -- I think it may have been 'Computer Stupidities' on rinkworks.com or some such place) about a fellow who wanted to network his PC with that of a friend who lived in an apartment directly across the street from his window.

They ran a regular 10Base-T crossover cable from one computer, out the window and across the street, straight into the friend's window and then into their computer. I guess they thought they were high enough up, floor-wise, that vehicle traffic in the street below would not be a problem.

They were soon proved very wrong. The setup worked just fine until, one day, this guy's computer literally flew straight out the window in mid-type (his friend's computer was saved when the network cable snapped). It seems that a good-sized truck, with a nice tall exhaust stack, had passed by and snagged the network cable as neatly as any fighter jet's arresting hook would snag the braking cable on an aircraft carrier.

Is that taking 'mobile computing' just a bit far, or what? ;-)

Memo to Bill: Jpeg.NET now called MyPicture (tm)

[Anonymous Coward]

Bill, the marketing group got together this morning and decided that JPEG is to technical a term for the sheep... I mean "consumers" (haha right?) so we're going with "MyPicture" instead. We feel it will put this action item to bed going forward with our value-added best practice methodologies.

The Maketing Team.

Re:Ever heard of a buffer overflow?

[zbuffered]

Also, Your list of things not to do to catch a virus reminds me like avoiding pregnancy via the 'pull out' method. Sure it might improve your chances, but it won't 'protect' you in any real sense.

I think this is a bad analogy. His list reminds me of avoiding pregnancy via the "if it looks like a vagina, don't put your penis in it" method, which is significantly more effective.

New virus discovered

[superpeach]

A new virus has been released which is spreading through a network of cats. When your cat goes out hunting it is likely to be infected. The virus rewrites part of the cats brain to add a 'trgger' which will force the cat, when it spots a computer, to attempt to delete information from the computer. Within seconds most of the text on the screen will be deleted, and if the cat is not removed it may eventually erase all data from your hard drive, network drive, and any other drive currently accessible. It is also possible for the keyboard to become damaged beyond repair.

This could be a bad thing...

[CONTROL_ALT_F4]

Now you can catch *real* viruses from looking at internet pr0n!

Duh!

[FFNieko]

All the real email virus threats share a few distinguishing characteristics:

• They're usually transmitted by email .

No shit!

Is Windows a virus?

[Lord_Slepnir]

".... you have to have already been infected by ANOTHER virus..."

"They only affect Microsoft Windows. If you aren't running Windows, you are safe. "

This speaks for itself....

The download version of Mandrake 8.2 is cheaper

[leonbrooks]

...and much more effective than any certification.