Adding to the mix are worms like MyDoom which not only spoof the From address, but also pretend to be virus or spam warning messages from the ISP, domain or system administrator. This masquerade magnifies the problem, forcing end users to try to differentiate between 'valid' alerts and alert messages created by email worms.
Not a new phenomenon
The problem of erroneous virus alerts might be understandable - even forgivable - if it were a recent phenomenon. However, since the Klez worm first popularized the technique of spoofing back in 2001, it has become standard fare for the vast majority of email worms. The problem is so pervasive that when Sobig.F reached epidemic proportions in August 2003, the resulting virus alert messages caused Denial of Service (DoS) conditions on many mail servers and clients. The situation repeated itself in January 2004, when the MyDoom worm spawned millions of infected emails, effectively hijacking the antivirus scanners' alert mechanisms so that they joined the flood of unwanted messages.
Whose fault is it?
While it's tempting to blame the antivirus vendors themselves, it's the system administrators who deploy the scanners who decide who does or doesn't get alerts. For a variety of reasons, many administrators and ISPs are reluctant to disable alerting the sender, even though in the vast majority of cases the address receiving the alert is not the actual sender. Some administrators cite liability concerns if they fail to deliver an email without notifying someone why. Others feel the alerts are warranted, however ineffective or dangerous they may be, because in a small number of cases the alert may be valid. Still others simply fail to grasp the significance of the problem they are creating with these erroneous and all-too-often infected alerts.
As has been the case in the past, the solution will likely fall on the shoulders of the antivirus industry. Rather than relying on administrators and users to make the right decisions, antivirus software could be enhanced to disable sender alerting for mass-mailing email worms, or for all email worms that are known to spoof the From address. Regardless, under no circumstances should copies of the infection be returned to the sender - whether that sender is valid or not. Doing so simply turns the alert mechanism into yet another vector of spread for the very malware it is supposed to stop.
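The following is an added example, not code from the original article or from any antivirus vendor, showing what the alerting policy described above looks like when written down as gateway logic: the intended recipient and the postmaster are always notified, the apparent sender is notified only when the detection is not a mass-mailer, and the alert itself is a single plain-text part that never carries the original message or attachment. The Detection class, the family list, the "@mm" suffix check and the gateway address are assumptions made for the example; a real gateway would take the mass-mailer flag from the scanner's own signature metadata.

```python
from dataclasses import dataclass
from email.message import EmailMessage

# Hypothetical list of families known to forge the From address. A real
# gateway would take this from the scanner's signature metadata, not a
# hard-coded set; it is an assumption of this example.
SPOOFING_MASS_MAILERS = {"klez", "sobig", "mydoom"}

# Placeholder gateway address, not a real system.
POSTMASTER = "postmaster@gateway.example"


@dataclass
class Detection:
    """One scanner hit on an inbound message (constructed, not a vendor API)."""
    header_from: str       # From: header as found in the message (often forged)
    envelope_sender: str   # MAIL FROM as seen by the gateway (also forgeable)
    recipient: str
    detection_name: str    # e.g. "W32/MyDoom.A@mm"
    attachment_name: str


def is_mass_mailer(det: Detection) -> bool:
    """True when the detection names a self-mailing worm.

    The '@mm' suffix is a naming convention some vendors use for mass-mailers;
    the family list is an assumption of this example."""
    name = det.detection_name.lower()
    if name.endswith("@mm"):
        return True
    return any(family in name for family in SPOOFING_MASS_MAILERS)


def notification_targets(det: Detection) -> set:
    """Who gets an alert: always the intended recipient and the postmaster;
    the apparent sender only when the detection is not a mass-mailer, because
    for mass-mailers the From address is almost certainly forged."""
    targets = {"recipient", "postmaster"}
    if not is_mass_mailer(det):
        targets.add("sender")
    return targets


def build_notification(det: Detection, to_addr: str) -> EmailMessage:
    """Plain-text alert describing the event. The original message and its
    attachment are deliberately never included, so the alert cannot carry
    the infection onward."""
    msg = EmailMessage()
    msg["From"] = POSTMASTER
    msg["To"] = to_addr
    msg["Subject"] = "Message quarantined: malware detected"
    msg.set_content(
        "A message addressed to {rcpt} was quarantined because the attachment "
        "'{att}' was identified as {name}.\n"
        "The From address on that message ({frm}) may have been forged, so it "
        "is not proof that the named sender is infected.\n"
        "The original message and attachment have NOT been forwarded.\n".format(
            rcpt=det.recipient, att=det.attachment_name,
            name=det.detection_name, frm=det.header_from)
    )
    return msg


def carries_no_payload(msg: EmailMessage) -> bool:
    """Verification hook: an alert must be a single text/plain part."""
    return not msg.is_multipart() and msg.get_content_type() == "text/plain"


def handle(det: Detection) -> list:
    """Return the alerts the gateway would send for one detection."""
    addr = {"recipient": det.recipient,
            "postmaster": POSTMASTER,
            "sender": det.header_from}
    return [build_notification(det, addr[t])
            for t in sorted(notification_targets(det))]


# Constructed sample detections for illustration.
MYDOOM_HIT = Detection(
    header_from="alice@victim.example",    # address forged by the worm
    envelope_sender="alice@victim.example",
    recipient="bob@corp.example",
    detection_name="W32/MyDoom.A@mm",
    attachment_name="document.zip",
)

TROJAN_HIT = Detection(
    header_from="carol@partner.example",   # a non-worm detection, not self-mailing
    envelope_sender="carol@partner.example",
    recipient="bob@corp.example",
    detection_name="W32/Example.Trojan",   # constructed detection name
    attachment_name="invoice.exe",
)

if __name__ == "__main__":
    for alert in handle(MYDOOM_HIT):
        print(alert["To"], "<-", alert["Subject"])
```

With this policy the MyDoom hit produces alerts only for bob@corp.example and the postmaster, while the non-worm trojan hit still notifies carol@partner.example; in both cases the alert is plain text with no attachment, which is the property an administrator should verify before enabling any sender notification at all.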
Protect yourself
So what should you do if you're the recipient of one of these virus alert messages? First and foremost, don't open any attachment that might be included with the virus alert. Treat the email like you would spam or a virus - delete it. Of course, keeping your antivirus software up to date and performing regular scans of your entire system is also prudent. The few minutes taken to scan the system will settle any doubts you might have as to whether the virus alert was legitimate or not.
