

U-M Virus Buster Interview
This interview first appeared on the web in the Czech Sci-Fi "ezine" (electronic magazine) AmberZine. It appears here with permission. I've snipped out the translation into Czech.
Exclusive E-mail Interview with Bruce P. Burrell
(for Enzine AmberZine, Czech Republic)
Bruce P. Burrell is the AntiVirus Team Leader at the University of Michigan, and is the technical member of their Virus Busters group. He has been active in virus control since 1988, is a long-time participant in comp.virus/VIRUS-L and alt.comp.virus, and is a contributor to the FAQs for both those newsgroups. He is probably best known for his Quixotic crusade against removal of viruses by using an undocumented switch of FDISK.EXE.
Bruce's other interests include power volleyball, close-up conjuring, and ballroom dance.
From: Bruce P. Burrell <bpb@umich.edu>
To: Jan Hurych <hurychj@hurontel.on.ca>
Subject: Re: Fw: Query
Date: February 26, 1998 2:44 a.m.
Jan (Jansan) Hurych asks:
Can one get virus from reading one's mail?
B. P. Burrell:
One must be careful answering this, since "reading one's mail" means different things to different people. The short answer, however, is "No." So what is the long answer?
Well, it's still "no", but it requires some explanation:
1. First of all, it is impossible to *contract* a virus by reading 7-bit text in email.
2. It *is* possible to include a virus in the body text of 7-bit email, BUT NOT IN AN INFECTIVE FORM. For instance, one might receive a uuencoded or BinHexed virus -- but it would be sterile until it was decoded, and it couldn't infect anything else until it was both decoded and then executed.
3. Of course, it would be *possible* to make an email product that looks within the text of email, finds and decodes anything it might encounter, and then launches it. With the existence of over 20,000 viruses and other malware out there, though, it would be foolish to allow one's email product to do this.
Jansan:
How about from attachment?
B. P. Burrell:
What a lovely segue!
- An attachment can contain a virus, certainly. Merely receiving email that contains an attachment, however, poses no threat -- AS LONG AS THE ATTACHMENT IS NOT EXECUTED.
- As in point 3 above, it would be possible to have an email product that can launch attachments -- and such products exist. It remains equally, if not even more, foolhardy to allow this configuration to be in use for you or your colleagues. In my opinion, any product that permits launching attachments as its *default* configuration is woefully ill-informed, and should be avoided at all costs: they are obviously unaware of the threat posed by Word Macro viruses, which are far too often sent inadvertently as an email attachment.
- The problem about saying "You can't get a virus just by reading your email" is that with some products nowadays, launching an attachment is just "one mouse click away" -- I believe MS-Mail and cc:Mail have a button to save attachments, and possibly launch them directly. If you are unlucky enough to receive a file that contains a virus and you don't have adequate antivirus measures in force (see below), you may be in for a nasty surprise.
- Surely soon we'll see some email product that eliminates that one click; this kind of "making it easy for users" without considering their safety seems to be prevalent in the computer industry. [I don't want to mention any names, but the company of which I'm thinking has the initials "Microsoft".] This is NOT "getting a virus from reading your email." It is instead "getting a virus by having a reckless email program launch an infected attachment or encoded embedded text." In case you're dubious, consider this: would there be any security compromise if I received the same attachment on my unix system, where I read email with pine? No. So while you might be able to create a scenario where someone got a virus via email, it can be attributed to poor computer security, not to merely reading the email.
Jansan:
As far as viruses in attachments: what is the best way to prevent the infection (especially to prevent infection by mistake)?
B. P. Burrell:
"Best" may be a matter of personal preference. Here are several possibilities:
- Invoke Richards' Laws of Computer Security:
  - Don't buy a computer.
  - If you do buy a computer, don't turn it on.
That's too draconian for most folks, so here are some other options, listed in decreasing order of security:
- Use a text-only email program, like unix's mh, elm, or pine. This has several advantages:
  - It's running on a unix box, so it won't be affected by PC or Mac viruses.
  - If you get a virus as an attachment in, say, pine, there isn't a button to click that makes it launch the attachment automatically.
  - Even if you could run the attachment, it would be running on the unix box. To execute it locally, you must first save to the unix box, download, and only then can you access it on your workstation. This gives local antivirus software a chance to intercept any malware.
- Obtain quality antivirus software; install it; *keep it current*. In particular, it's very important to have a strong on-access scanner (checks all files whenever they are accessed by a program or the operating system). Everyone's needs are different, but it may help to consider -independent-, *competent* reviews like those found at...
http://www.virusbtn.com/ _Virus Bulletin_
http://www.westcoast.com/ _Secure Computing_
http://www.uta.fi/laitokset/virus/ University of Tampere
ftp://ftp.informatik.uni-hamburg.de/pub/virus/ Virus Test Center
and http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm
...in order to determine what products are worthy, and which are more advertising hype than substance.
Plug: Feel free to visit the site I help maintain: the University of Michigan Virus Busters web page (http://www.umich.edu/~virus-busters/)
- NEVER configure your email program to execute attachments automatically. If you find an email program that launches attachments by default, consider it garbage from the security point-of-view. Personally, I would never consider using or recommending any package that launches attachments by default, no matter how excellent it is otherwise -- but this is my right, as a curmudgeon. You must make your own choices and live by them.
N.B.: Having a top quality, up-to-date on-access scanner running makes launching attachments safer, but not foolproof.
Corollaries to point 4:
- Don't accept unsolicited attachments.
- Scan all attachments you -do- accept with a top quality current *on-demand* scanner -- particularly those you accepted in step 5, contrary to my suggestions.
- If you use graphical web browsers, disable ActiveX -- in fact, just throw away Internet Explorer and use Netscape or something else. Also disable JavaScript (except, perhaps, if you're browsing at a very well trusted site, like your own home page) and Java. In order of importance: Always avoid ActiveX. Avoid JavaScript as much as you can. If you're cautious, avoid Java (applets) as well.
- Not exactly email, but while I'm at it: Configure your web browser to launch WordPad (Win95 and NT) or WordViewer (available from www.microsoft.com for Mac and PC) instead of Word when it encounters Word documents or templates. Then you won't inadvertently get a Word macro virus when reading a Word doc on a web page.
Those wishing to learn more about this -- or computer malware in general -- may wish to consult the comp.virus FAQ, which can be found at ftp://ftp.infospace.com/pub/virus-l/comp.virus-FAQ.09-Oct-95, and the alt.comp.virus FAQ, at http://webworlds.co.uk/dharley/index.html#acvFAQs
I hope that answers your questions carefully, correctly, and understandably. I would be happy to discuss this further with you or your readers, if they are interested.
- BPB
[I usually don't use a .sigfile, but since I suspect I'll be unknown to most of this audience, I'm including here some of my credentials.]
University of Michigan AntiVirus Team Leader
University of Michigan Data Recovery Team Leader
PGP 2.6.2 key fingerprint = 0D A5 98 3C 91 DA E0 DD 9C 6D FA 8F 4D 34 95 ED
Jansan:
Thank you very much in the name of our readers; and for letting us print this interview in AmberZine first.
Jan B. Hurych, AmberZine

virus.busters@umich.edu
ITCS | University of Michigan
Copyright © 1996-2008 The Regents of The University of Michigan
This page last updated April 27, 2004