Subject: Re: Changed subject (was Re: reg. virus named ...)
From: Alan J Rosenthal (flapsdgp.toronto.edu)
Date: Thu May 04 2000 - 14:57:46 CDT


Lars Hecking <lheckingnmrc.ucc.ie> writes, about blocking based on "Subject: ILOVEYOU":
>Considering how easily email subjects are changed, this creates a FALSE
>SENSE OF SECURITY.
...
>Install a virus checker.

A virus checker is much more similar to the Subject: line checking than I
think you realize.

A virus checker recognizes the malware file by checking that it has a
certain sequence of bytes. The blocking based on the "Subject: ILOVEYOU"
recognizes the malware file (mail message) by checking that it has a certain
sequence of bytes.

The Subject: line can easily be changed. You'll have to update your mailer
config files, and some worm messages will already have got through.

The VB code can easily be changed. You'll have to update your virus
signature files, and some worm messages will already have got through.

At least updating the mailer config files is something you can do without
the help of a virus vendor... and this is the only difference I can see.

Either kind of check will create a false sense of security if you're not
careful, because neither one of them is a security measure by any means.
An actual security measure involves not executing "active content" from
untrusted e-mail messages (which, as far as I can see, is ALL e-mail
messages). Fortunately this is easily accomplished. Blocking the subject
line ILOVEYOU is an interim measure until you complete your organization's
move away from the use of the vulnerable software.

regards,
ajr
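Added example, not part of the post: the comparison above in code. A Subject: block and an AV-style byte-signature scan are both fixed-sequence matches over a message, and the third check (refusing attachments the client would execute, whatever they contain) stands for the "don't execute active content" measure the post describes. The signature marker, filenames and message text are constructed placeholders; the real worm body is not reproduced.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed placeholders; BODY_SIG stands in for an AV byte signature.
SUBJECT_SIG = "ILOVEYOU"
BODY_SIG = b"CONSTRUCTED-WORM-MARKER"
ACTIVE_EXTS = (".vbs", ".vbe", ".js", ".exe", ".bat", ".scr")

def make_msg(subject: str, attach_name: str, payload: bytes) -> bytes:
    """Build a constructed sample message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("kindly check the attached letter.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()

def subject_block(raw: bytes) -> bool:
    """Mailer-config check: a fixed byte sequence in the Subject: header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return SUBJECT_SIG in (msg["Subject"] or "")

def signature_block(raw: bytes) -> bool:
    """AV-style check: a fixed byte sequence in any decoded body part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return any(BODY_SIG in (p.get_payload(decode=True) or b"")
               for p in msg.walk() if not p.is_multipart())

def active_content_block(raw: bytes) -> bool:
    """Policy check: refuse attachments a mail client would execute.
    Independent of any signature, so editing the worm does not evade it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return any((p.get_filename() or "").lower().endswith(ACTIVE_EXTS)
               for p in msg.iter_attachments())

def verdicts(raw: bytes) -> dict:
    """Which of the three checks would stop this message."""
    return {"subject": subject_block(raw),
            "signature": signature_block(raw),
            "active_content": active_content_block(raw)}

# Three constructed variants: the original, then the trivially edited copies
# the post says will "already have got through" before the files are updated.
ORIGINAL = make_msg("ILOVEYOU", "letter.txt.vbs", b"' script\r\n" + BODY_SIG)
NEW_SUBJECT = make_msg("fwd: joke", "letter.txt.vbs", b"' script\r\n" + BODY_SIG)
NEW_SUBJECT_AND_BODY = make_msg("fwd: joke", "letter.txt.vbs", b"' script v2\r\n")
```

Calling `verdicts()` on the three messages shows the subject block failing first, then the byte signature, while the attachment-type policy flags all three.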