- Joined
- May 4, 2002
- Messages
- 6,674
- Reaction score
- 3
Klez.info is still available.
Klez: Hi Mom, We're No. 1
By Michelle Delio (Wired)
2:00 a.m. May 24, 2002 PDT
It's official. Klez is the most virulent e-mail virus of all time.
For close to a year, SirCam was the virus most likely to turn up in your e-mail box. But representatives from a half-dozen antivirus firms now believe that "Klez.H" is the most pervasive e-mail virus in cyberhistory, estimating that it has infected hundreds of thousands of computers within hours of first being spotted in mid-April.
And so far, Klez has shown no signs of going away.
"I don't even bother having Klez messages counted as they come in any more," confessed Rod Fewster, Australian representative of antiviral application NOD32. "The number of Klez-infected e-mails surpassed SirCam in sheer volume days ago, and that's not even counting all of the Klez-related e-mails."
More interesting than Klez's ability to entice vast numbers of users to open its infected e-mailed attachments is how the virus -- which is neither particularly clever nor cutting edge -- managed to turn some antiviral applications into spam-generating machines.
In many cases, network antiviral (AV) software filters are set to automatically respond to any incoming virus-infected messages with an e-mailed warning to the sender that a virus was detected in the received e-mail.
Klez's trick of spoofing senders' addresses resulted in floods of those warnings going out to the wrong people: people who did not send the virus and whose machines are not infected.
Many antiviral experts have been calling for all AV companies to advise their users to temporarily disable the auto-alert systems.
"Klez managed to triple its annoyance factor by using -- yes, using -- the AV industry," Fewster said. "AV companies have been exploiting those auto-replies as free advertising for years. Virus spreaders aren't stupid. They see what's going on around them and they work the system. Sometimes I think the antiviral industry is its own worst enemy."
Rob Rosenberger of virus-information site Vmyths said that Klez simply points out a problem that he has been ranting about for years.
"Warnings about viruses always equal the havoc created by the virus itself," Rosenberger said. "There's the flood of well-intentioned alerts from people, and then there's the automated alerts from antiviral applications. These alerts clog networks and inboxes in the exact same manner as most viruses do. I've yet to see any proof that alerts actually help solve the problem."
Some users were frustrated to discover that despite receiving alerts from trusted AV firms, their machines didn't actually harbor the Klez virus.
"I've spent several days trying to figure out how to rid my computer of Klez, after receiving several e-mails from Norton Antivirus applications warning me that Klez had been detected in e-mails that I had supposedly sent," New York graphics artist Sid Rubin said. "I can't believe I wasted all this time over nothing."
Spokespeople for several AV companies, while acknowledging the spam-spewing problem, said that one of the reasons that Klez has managed to spread so rapidly is that the standard alert systems were unable to work with Klez's bogus sender information, making it difficult to notify owners of infected PCs that they were unwittingly spreading the virus.
"This means the virus is likely to go undetected on people's PCs for longer, and so will spread further," Alex Shipp from Messagelabs said.
Other well-known viruses like Love Letter proliferated at a faster rate than Klez when they were first released; on April 5, 2000, one in every 24 e-mails scanned by Messagelabs contained a copy of the Love Bug virus, whereas only one in every 170 or so scanned e-mails now contains Klez.
But unlike the Love Bug, which peaked and faded within 48 hours of its initial release, Klez has continued to spread steadily and swiftly since it was first spotted in mid-April.
Klez employs a number of random actions that make it hard for many computer users to identify the virus when it arrives in their inboxes. The virus arrives in e-mails with varying subject lines, or sometimes appears to be a bounced e-mail or a tool that can purge Klez from an infected system.
None of these features is at all new in the virus world. Klez's creator simply managed to cobble together a successful combination of techniques used by other viruses that also appear on the all-time most prevalent pest charts.
"It doesn't take a brand new exploit or anything really clever to be No. 1," Steven Sundermeier, product manager at Central Command, said. "Klez isn't an exciting new recipe, it's just a slightly different combination of the same old ingredients."
Klez's creator (or creators) constantly tinkers with the Klez "recipe." Six versions of Klez have been released since October 2001. AV experts said they expect a new version of Klez to be released soon.
"Klez has been so successful that you can just about guarantee that someone will try to improve on it and beat it," Fewster said. "In fact, I'd be surprised if the original author isn't already working on a new and improved version."
Klez: Hi Mom, We're No. 1
By Michelle Delio (Wired)
2:00 a.m. May 24, 2002 PDT
It's official. Klez is the most virulent e-mail virus of all time.
For close to a year, SirCam was the virus most likely to turn up in your e-mail box. But representatives from a half-dozen antivirus firms now believe that "Klez.H" is the most pervasive e-mail virus in cyberhistory, estimating that it has infected hundreds of thousands of computers within hours of first being spotted in mid-April.
And so far, Klez has shown no signs of going away.
"I don't even bother having Klez messages counted as they come in any more," confessed Rod Fewster, Australian representative of antiviral application NOD32. "The number of Klez-infected e-mails surpassed SirCam in sheer volume days ago, and that's not even counting all of the Klez-related e-mails."
More interesting than Klez's ability to entice vast numbers of users to open its infected e-mailed attachments is how the virus -- which is neither particularly clever nor cutting edge -- managed to turn some antiviral applications into spam-generating machines.
In many cases, network antiviral (AV) software filters are set to automatically respond to any incoming virus-infected messages with an e-mailed warning to the sender that a virus was detected in the received e-mail.
Klez's trick of spoofing senders' addresses resulted in floods of those warnings going out to the wrong people: people who did not send the virus and whose machines are not infected.
Many antiviral experts have been calling for all AV companies to advise their users to temporarily disable the auto-alert systems.
"Klez managed to triple its annoyance factor by using -- yes, using -- the AV industry," Fewster said. "AV companies have been exploiting those auto-replies as free advertising for years. Virus spreaders aren't stupid. They see what's going on around them and they work the system. Sometimes I think the antiviral industry is its own worst enemy."
Rob Rosenberger of virus-information site Vmyths said that Klez simply points out a problem that he has been ranting about for years.
"Warnings about viruses always equal the havoc created by the virus itself," Rosenberger said. "There's the flood of well-intentioned alerts from people, and then there's the automated alerts from antiviral applications. These alerts clog networks and inboxes in the exact same manner as most viruses do. I've yet to see any proof that alerts actually help solve the problem."
Some users were frustrated to discover that despite receiving alerts from trusted AV firms, their machines didn't actually harbor the Klez virus.
"I've spent several days trying to figure out how to rid my computer of Klez, after receiving several e-mails from Norton Antivirus applications warning me that Klez had been detected in e-mails that I had supposedly sent," New York graphics artist Sid Rubin said. "I can't believe I wasted all this time over nothing."
Spokespeople for several AV companies, while acknowledging the spam-spewing problem, said that one of the reasons that Klez has managed to spread so rapidly is that the standard alert systems were unable to work with Klez's bogus sender information, making it difficult to notify owners of infected PCs that they were unwittingly spreading the virus.
"This means the virus is likely to go undetected on people's PCs for longer, and so will spread further," Alex Shipp from Messagelabs said.
Other well-known viruses like Love Letter proliferated at a faster rate than Klez when they were first released; on April 5, 2000, one in every 24 e-mails scanned by Messagelabs contained a copy of the Love Bug virus, whereas only one in every 170 or so scanned e-mails now contains Klez.
But unlike the Love Bug, which peaked and faded within 48 hours of its initial release, Klez has continued to spread steadily and swiftly since it was first spotted in mid-April.
Klez employs a number of random actions that make it hard for many computer users to identify the virus when it arrives in their inboxes. The virus arrives in e-mails with varying subject lines, or sometimes appears to be a bounced e-mail or a tool that can purge Klez from an infected system.
None of these features is at all new in the virus world. Klez's creator simply managed to cobble together a successful combination of techniques used by other viruses that also appear on the all-time most prevalent pest charts.
"It doesn't take a brand new exploit or anything really clever to be No. 1," Steven Sundermeier, product manager at Central Command, said. "Klez isn't an exciting new recipe, it's just a slightly different combination of the same old ingredients."
Klez's creator (or creators) constantly tinkers with the Klez "recipe." Six versions of Klez have been released since October 2001. AV experts said they expect a new version of Klez to be released soon.
"Klez has been so successful that you can just about guarantee that someone will try to improve on it and beat it," Fewster said. "In fact, I'd be surprised if the original author isn't already working on a new and improved version."
