Information Security News mailing list archives

E-mail virus info 'stolen'


From: William Knowles <wk () C4I ORG>
Date: Tue, 30 May 2000 08:34:09 -0500

http://www.herald.co.nz/storydisplay.cfm?storyID=138622&thesection=technology&thesubsection=general

30.05.2000 - By GREGG WYCHERLEY

An Auckland software developer who found a security flaw in
Microsoft's e-mail software that he believes could secretly unleash a
"hell virus" says files on his discovery have been stolen from his
computer.

Phil Saleh, creative director of Arabesque Multimedia - who has a
back-up of his find - discovered the flaw in Microsoft's Outlook
Express program while designing JavaScript software that
automatically activates computer functions.

"We discovered we could write a program that will activate any type of
executable file on a computer through e-mail," says Mr Saleh.

"Which means if we have your e-mail address we can control your
computer - or attach a virus which could automatically send itself to
every name in your address book without you even being aware of it.

"Using what I have found out, I could make a virus much worse than the
'I love you' bug because you wouldn't have the option of deleting the
e-mail carrying the virus before it infected your computer - it would
activate automatically whether you read the message or not."

Mr Saleh alerted Microsoft's Security Response Centre in Redmond,
Washington, but it said it could not find any "security
vulnerability."

He e-mailed Government departments both in New Zealand and overseas,
even contacting the US Central Intelligence Agency. No one replied.

Somebody must have been interested, however. Two weeks ago Mr Saleh's
computer was hacked and all the files relating to his discovery
stolen, though he does maintain a back-up.

"My computer had been acting strangely, then I noticed the missing
files. The only other way they could disappear like that would be for
someone to break in here and delete the files off my computer."

He didn't bother going to the police because there was nothing he
could show them. "I think someone has been watching what I've been
doing and broken into my system to see what I know."

He is concerned hackers could work out how to use the program flaw to
create a "hell virus."

Computer forensics consultant John Thackray, director of Thackray
Forensics, who works with the police on computer crime, studied Mr
Saleh's findings.

"Even in this relatively harmless form this is a virus that would be
very unwelcome on anybody's system. If it was compiled with malicious
intent it could do catastrophic damage."

He said it was different to recent viruses like the "I love you" bug
because it could infect computers without the user having any delete
option.

Mr Thackray said Microsoft, which had so far refused to acknowledge
any security breach, should take Mr Saleh's claims seriously. "Anyone
who says this is not a security concern would be very naive. Mr Saleh
has made Microsoft aware of it and if they don't take it seriously
that's their problem."

Mr Thackray had the virus scanned by Trendmicro.com, one of the top
virus checking systems. The scan was unable to detect it.

One person who experienced the effects was Marie-Dominque Lennan, a
business acquaintance of Mr Saleh who had her computer disabled by an
e-mail.

"I got an e-mail message from Phil Saleh which completely froze my
computer. It started opening up windows, then it opened the Arabesque
Website. Even after shutting down the system it was still there. Mr
Saleh had to send me another e-mail which let me control my computer
again."

Security experts spoken to by the Herald acknowledged the feasibility
of Mr Saleh's claims, and said they would be intrigued to see what he
had discovered.

But Microsoft's security response centre e-mailed Mr Saleh to say it
had run his program and had not encountered any breach.

Mr Saleh is disappointed in their response.

"I have demonstrated this to a lot of experts, who all say it works. I
can't understand why Microsoft don't believe me.

"I am willing to prove what I say any time they ask."

Microsoft New Zealand spokeswoman Carolle Leishman said the company
never received the original warning message he said he sent.

"We have no record of any communication with Mr Saleh until now. We
still need to verify the situation and our security response team will
investigate and evaluate it."

PC users concerned about the threat have a simple solution: turn off
the JavaScript feature, which can be disabled from "Internet Options"
in "Control Panel."

* This is an updated version of a story from earlier today in which we
stated that John Thackray "was not aware of any police operation
dealing with viruses but would investigate Mr Saleh's discovery."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
