Vorsicht vor dieser Rechnung

by Volker Weber

Falsche 1&1 Rechnung

Sieht ziemlich überzeugend aus, enthält aber Malware. Gute Idee von Microsoft, bekannte Dateiextensionen zu verstecken, nicht wahr?

Update: Heise Security schreibt dazu:

Hinter der als Rechnungs-PDF getarnten ausführbaren Datei steckt der Trojaner Backdoor.Win32.agent.abf, der nach Tests von 1&1 erst von der Hälfte der aktuellen Virenscanner erkannt werde. Tests von heise Security ergaben ein ähnliches Ergebnis.

Was bin ich froh, dass ich in der Verwandschaft Windows durch Ubuntu ersetzt habe.


It is not about the "hiding of extensions" but:
1) email (attachment-) policies and
2) user discipline
The car analogy: The maximum speed of your car is not limited. If you do not comply to the maximum speed (discipline) the police can issue a speed ticket (policy).

Boudewijn Kiljan, 2007-01-07


Well, I don't think vowe thinks about the hiding of extensions itself, but more about the effect this hiding buisness has: People are no longer aware, what an extension in a windows bases system is for. Otherwise more people would know, that an pdf-exe is a nonsense designation and hence a strong hint, that the attachement is not legit. I regularily unhide the extensions on all my systems and usually recommend that to customers too, even if they at first begin to ask, what that should be ...... which shows, that people have forgotten about the working structure of windows ..... which makes life pretty easy for the bad guys.

Jens-B. Augustiny, 2007-01-07


"...which shows, that people have forgotten about the working structure of windows..."

How many people do know:”the working structure of Windows"? I don't! And with me, 99.9% of the world population does not. Do I know the working structure of the combustion engine? No, but I can drive my car.

My point is that the end user must be protected by policies (who prevent the transmission or receiving this kind of emails) and must have a certain discipline with the email handling (although we cannot enforce that).

Boudewijn Kiljan, 2007-01-07

Boudewijn, I guess you had to get a driving licence before you were allowed to use you car on the streets. In Germany you learn the basic working structure of your car in the lessons for your driving licence.
Unfortunatelly nobody has to make a surfing licence before using the internet and nobody has to learn the basic working structure of an operating system or the WWW.

Martin Hiegl, 2007-01-07

Boudewijn, car analogies are dangerous. Germans indeed teach how the combustion engine works. ;-)

Your point is very valid from an IT manager's point of view. But how does this translate to the individual home user? I think that hiding the extension was a bad idea. In Windows the extension determines how a file is executed. Of course it also determines which icon is displayed and the icon should give the user an indication for the type of file. Unfortunately executables can contain any icon they want and therefore hide as documents.

My point is, that if Windows would still show the file extension by default, a user could see that somebody is cheating.

Volker Weber, 2007-01-07

OK, the car analogy does not work here...

"...a user could see that somebody is cheating. "
IMHO we all overestimate the capabilities of endusers (the 99.9%). We cannot expect that the enduser understands all the information which is presented to him/her. E.g. the responses on a Yes/No button.

E.g. I have a customer who, in the early days, clicked on every email and every attachment he received. The result was repeated reinstalls of all his PC's (4pcs.). Only the bills he received from this has changed his behaviour. The symptoms are suppressed but not cured! First: he (still) don't know what extensions are or what will happen when he activates an attachment (now he assumes bad things happen, a Pavlov reaction) and second: emails with harmful attachment still arrive. The all or not hiding of the extensions has not much to do with this.

In this case a simple email filter would have blocked this attachment/email. No rocket science but a good policy.

Boudewijn Kiljan, 2007-01-07

No rocket science but a good policy.

Indeed. But who set the policy and who allows exceptions? We have to learn that it is unsafe to put our hands on the kitchen stove, and we will also need to learn what is unsafe when using a computer. Darwin at work.

Volker Weber, 2007-01-07

"But who set the policy..."

We (the 0.1%) do. E.g. the implementation of the firewall in XP or only allowing ASCII email and no attachments.

"...and who allows exceptions?"

That's the tricky part. "Allowing" is a decision. "Exception" is a risk. A good decision must be based on knowledge or experience. If I do not have one or both, I am not able to make the right decision. To protect that, strict policies and controls must be active. But we do not like that. We are limited in our information gathering, so we take the risk. We learn on the way. Empirical, Darwin at work.

Boudewijn Kiljan, 2007-01-07

We cannot expect that the enduser understands all the information which is presented to him/her.
Why not? I think we shouldn't create a dumb user by making everything so easy that he only has one button - that's the wrong way. We have to educate our users. Most problems come from the stupidity in front of the display, and that's what we'd support, therefor we'd create more problems instead of solving them. Ok, that may secure our jobs, but I still dont think that's right.
More and more people lose the ability to think literally outside the box and just believe what the computer says even when it's bullshit. We shouldn't be surprised when this development accelerates, if we hold the endusers ignorant.

Martin Hiegl, 2007-01-07

I think the discussion misses the point. The fake mail states that the invoice comes as a "pdf-exe" file so it could be read without installing new software. This sounds reasonable, even for a medium skilled user who had been told that a .exe might be harmfull. And the outer appearance of the mail is great.

For a medium (or lower) skilled user, a computer should make life easy. No hassle. No "I have pressed one button and killed my system". No frightening "YOU are responsible for this mess". No. Not the user is responsible, the system is responsible.

I think it is great to train the users. But a wrong user decision should never ever be able to harm the system itself. It may wipe out the user space, but if we allow a system to install back door programs once a user clicks the wrong button, we have an operating system design problem and not a user problem.

Michael Obenland, 2007-01-08

Oh! it was a malware - how suprising. I've got about 8 of them in my inbox (including for some spamcatcher email accounts), I have deleted them in one go. Ok, it was a clue that I am not and never have been an 1&1 customer.

Gregory Engels, 2007-01-08

Old vowe.net archive pages

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.


Paypal vowe