Cellphone Virus Boogie Man

Back in 2001, as PC shipments slowed, the anti-viral industry tried to hype up PDA and cellphone viruses - selling software to those billions of phones had them salivating. Of course, no real threats appeared and (luckily for them) by 2003 Internet worms started to impact consumer and enterprise PCs and sales went up. Of course, desktop antiviral hasn't been saving anybody from anything, but since it has been on our PCs since before the Internet, everyone assumes it has to be there.

Fast forward to 2004 - worms and viruses aren't making the new lately. Magically, the cell phone virus hype kicks up again.

It looks to me like 2006 is the earliers possible time that cellphone viruses or worms could be a meaningful threat - and the answer is not repeating the mistakes of the PC and trying to rely on client side software.

The cellular companies should learn from the AOL's of the world and announce they will remove viruses before they get to your phone. Let's only go to expensive, ineffective anti-viral client software if that approach doesn't work. On the Internet, we are doing the reverse - ISPs are starting to block attacks as we've realized client side software is expensive and doesn't really work.

Phollowing the Phishers

More and more phishing emails can be traced back to compromised home PCs. For example, one that purported to be from CitiBank used the URL https://web.da-us.citibank.com/cgi-bin/citifi/scripts/login2/login.jsp?, but if you looked at the source it was really sending you to 68.72.96.25, which resolves to adsl-68-72-96-25.dsl.chcgil.ameritech.net  - probably a home user of Ameritech's DSL service whose PC has been compromised.

Even the simplest NAT firewall turned on at the DSL modem would stop this from working, the firewall in XP SP2 might as well. So, two easy steps to make it harder at that end.

But what really needs to change is the browser. There has to be a warning that the displayed destination is not where the browser is really going. Imagine if telephones allowed you to dial 800 BUY BOOK and it didn't take you to 900 280-2665, instead it took you to a credit hackers telephone. You'd be screaming at whoever sold you that phone. Unfortunately, the browser world has stagnated since Netscreen went down the dumper - maybe a bit of Firefox adoption will stir some innovation.

Viruses and Search Engines

This latest my.doom variant used an interesting trick - when it hit a PC, it scanned that PC looking for domain names. It then went to Google, Yahoo, Altavista and Lycos and searched for email addresses from that domain name. This had several effects:

1. The virus tended to be harder on business PCs than consumer PCs, since more business email addresses seem to be found by the search engines.

2. It appeared to force Google to its knees. The way it worked acted as nice pseudo-randomizer - each new infected PC would search for different domain names, making it harder to recoginize (or stop) as a denial of service attack.

This is just another example of how the bad guys can use the good stuff to attack the good guys, and how we are inexorably being drawn towards email "white lists", where we trusted authenticated email senders but for everyone else we heavily spam filter and block all attachments. If you send me a virus, you are off the trusted list and get heavily filtered.

Between smarter viruses, phishing and other identity theft scams, the way we use and trust email is just going to have to change - it is inevitable. Today's email will go the way of the blinking URL tag.