Neil Turner's Blog

Blogging about technology and randomness since 2002

Killing Mytob

Once again, I’m getting a whole load of Mytob-infected emails from an ADSL customer using Energis. It’s the variant that, rather than using its own SMTP engine, uses that of the user’s ISP, making them look more like legitimate emails.
It’s the last part that annoys me, because surely Energis should have some anti-virus protection on outgoing messages sent via their servers. The SMTP server I use, provided by the university, checks outgoing messages for viruses and also runs SpamAssassin over them, too. There should be no excuse for ISP-owned SMTP servers letting through viruses like this; more to the point, ISPs shouldn’t be allowing infected customers to access the internet at all until they have disinfected their machines.

3 Comments

  1. I think the idea of blocking infected users altogether is a good idea, but only if the ISP in question gives a free toolbox CD along with its service.
    There’s more than enough freeware and FOSS software out there to clean up one’s computer. They could put stuff like Spybot, Ad-Aware, and even [AVG Free](http://www.grisoft.com/) or [ClamAV](http://www.clamwin.net/) for that matter. I believe [Symantec’s virus removal tools](http://securityresponse.symantec.com/avcenter/tools.list.html) are freeware as well, so I guess they could put some of that on too, as a backup.
    Of course, this CD must be distributed along with the whole bought package, because the user being cut off must be able to repair his computer ASAP.
    Still, there’d be another issue. How could the ISP possibly know whether a specific user is infected or not? As far as the ISP is concerned, there’s no difference between a sleeping virus and a non-existent one, and installing a Big-Brother style daemon isn’t a realistic alternative, if only for the resource overhead.

  2. Don’t need to block everything – just put a web page redirector in to redirect all pages to a portal that has links to the homepages for all these products and don’t let them go anywhere else (or host the files themselves).
    We were hit pretty badly by this virus but I can’t work out who my parents-in-law know who is infected.

  3. “How could the ISP possibly know whether a specific user is infected or not? As far as the ISP is concerned, there’s no difference between a sleeping virus and a non-existent one, and installing a Big-Brother style daemon isn’t a realistic alternative, if only for the resource overhead.”
    As Neil pointed out in his post, the ISP could check at the SMTP server. For viruses like Mytob that use internal SMTP engines, or those that spread through attempts to exploit vulnerabilities on other computers, the ISP could use Snort signatures or something similar to detect the traffic and use it to quarantine the infected user. Computing-wise, it would not be resource-intensive. From a support perspective (there would be less time spent fielding calls and emails from users and administrators on other networks complaining about spam and other malicious attacks), it might be a good idea. Most importantly, it would help secure the Internet, which, at some level, should be one of everyone’s goals.
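
The third comment suggests that an ISP could spot worms that carry their own SMTP engine from their traffic and quarantine the customer, and the second comment suggests redirecting quarantined customers to a clean-up portal. The script below is an added example, not code from the post or its commenters, showing one cheap form of that traffic-based check: a residential host that opens direct TCP/25 connections to many distinct destination hosts in a short window is far more likely to be a mass-mailer than a normal mail client, which only talks to the ISP's own relay. The flow-log format, the relay address 10.0.0.1, the threshold of five destinations in ten minutes, and the portal URL are all assumptions made for the example; a real deployment would tune them and would pair this with content signatures (Snort-style) rather than rely on counts alone.

```python
"""Flag customer hosts whose outbound traffic looks like a built-in SMTP engine.

Heuristic (added example, not from the blog post): count the distinct hosts a
customer address contacts directly on TCP/25, ignoring the ISP's own relay, in
a sliding time window. Legitimate clients submit mail to one relay; a
mass-mailing worm fans out to many recipient mail exchangers.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SMTP_PORT = 25
ISP_RELAY = "10.0.0.1"  # assumed address of the ISP's outgoing mail relay

# Constructed flow-log lines for the example: "<timestamp> <src> <dst> <dport>"
# 10.0.0.5 fans out to six different mail servers in two minutes (worm-like),
# 10.0.0.6 only talks to the ISP relay and a web server (normal),
# 10.0.0.7 talks to the relay plus one other server (e.g. office mail, normal).
SAMPLE_FLOWS = """\
2005-06-01T10:00:01 10.0.0.5 192.0.2.10 25
2005-06-01T10:00:05 10.0.0.5 192.0.2.11 25
2005-06-01T10:00:09 10.0.0.5 198.51.100.7 25
2005-06-01T10:00:20 10.0.0.5 198.51.100.8 25
2005-06-01T10:01:02 10.0.0.5 203.0.113.2 25
2005-06-01T10:01:44 10.0.0.5 203.0.113.3 25
2005-06-01T10:00:03 10.0.0.6 10.0.0.1 25
2005-06-01T10:00:10 10.0.0.6 203.0.113.80 80
2005-06-01T10:00:30 10.0.0.7 10.0.0.1 25
2005-06-01T10:00:40 10.0.0.7 192.0.2.25 25
"""


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse the constructed flow-log format into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_direct_mailers(flows, threshold=5, window=timedelta(minutes=10), relay=ISP_RELAY):
    """Return {src: set of direct SMTP destinations} for every source that
    contacted at least `threshold` distinct non-relay hosts on TCP/25 within
    any `window`-long span."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == SMTP_PORT and f.dst != relay:
            by_src[f.src].append(f)

    flagged = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        for end, newest in enumerate(fl):
            # Slide the window start forward until it fits within `window`.
            while newest.ts - fl[start].ts > window:
                start += 1
            dsts = {f.dst for f in fl[start:end + 1]}
            if len(dsts) >= threshold:
                flagged[src] = flagged.get(src, set()) | dsts
    return flagged


def quarantine_targets(flagged, portal="http://portal.isp.example/cleanup"):
    """Map each flagged customer address to the captive portal URL the ISP's
    redirector should send all of its web requests to (portal URL assumed)."""
    return {src: portal for src in flagged}


if __name__ == "__main__":
    hits = find_direct_mailers(parse_flows(SAMPLE_FLOWS))
    for src, dsts in hits.items():
        print(f"{src}: {len(dsts)} direct SMTP destinations -> quarantine")
    print(quarantine_targets(hits))
```

The relay exclusion matters: without it, a customer who sends a lot of legitimate mail through the ISP's own server would be counted too. The mirror-image case, the Mytob variant from the post that relays through the ISP's SMTP server, is invisible to this check by design and has to be caught by scanning the messages at the relay.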