Information Security News mailing list archives
E-mail virus info 'stolen'
From: William Knowles <wk () C4I ORG>
Date: Tue, 30 May 2000 08:34:09 -0500
http://www.herald.co.nz/storydisplay.cfm?storyID=138622&thesection=technology&thesubsection=general

30.05.2000 - By GREGG WYCHERLEY

An Auckland software developer who found a security flaw in Microsoft's e-mail software that he believes could secretly unleash a "hell virus" says files on his discovery have been stolen from his computer.

Phil Saleh, creative director of Arabesque Multimedia - who has a back-up of his find - discovered the flaw in Microsoft's Outlook Express program while designing Java script software that automatically activates computer functions.

"We discovered we could write a program that will activate any type of executable file on a computer through e-mail," says Mr Saleh.

"Which means if we have your e-mail address we can control your computer - or attach a virus which could automatically send itself to every name in your address book without you even being aware of it.

"Using what I have found out, I could make a virus much worse than the 'I love you' bug because you wouldn't have the option of deleting the e-mail carrying the virus before it infected your computer - it would activate automatically whether you read the message or not."

Mr Saleh alerted Microsoft's Security Response Centre in Redmond, Washington, but it said it could not find any "security vulnerability."

He e-mailed Government departments both in New Zealand and overseas, even contacting the US Central Intelligence Agency. No one replied.

Somebody must have been interested, however. Two weeks ago Mr Saleh's computer was hacked and all the files relating to his discovery stolen, though he does maintain a back-up.

"My computer had been acting strangely, then I noticed the missing files. The only other way they could disappear like that would be for someone to break in here and delete the files off my computer."

He didn't bother going to the police because there was nothing he could show them.

"I think someone has been watching what I've been doing and broken into my system to see what I know."

He is concerned hackers could work out how to use the program flaw to create a "hell virus."

Computer forensics consultant John Thackray, director of Thackray Forensics, who works with the police on computer crime, studied Mr Saleh's findings.

"Even in this relatively harmless form this is a virus that would be very unwelcome on anybody's system. If it was compiled with malicious intent it could do catastrophic damage."

He said it was different to recent viruses like the "I love you" bug because it could infect computers without the user having any delete option.

Mr Thackray said Microsoft, which had so far refused to acknowledge any security breach, should take Mr Saleh's claims seriously.

"Anyone who says this is not a security concern would be very naive. Mr Saleh has made Microsoft aware of it and if they don't take it seriously that's their problem."

Mr Thackray had the virus scanned by Trendmicro.com, one of the top virus checking systems. The scan was unable to detect it.

One person who experienced the effects was Marie-Dominque Lennan, a business acquaintance of Mr Saleh who had her computer disabled by an e-mail.

"I got an e-mail message from Phil Saleh which completely froze my computer. It started opening up windows, then it opened the Arabesque Website. Even after shutting down the system it was still there. Mr Saleh had to send me another e-mail which let me control my computer again."

Security experts spoken to by the Herald acknowledged the feasibility of Mr Saleh's claims, and said they would be intrigued to see what he had discovered.

But Microsoft's security response centre e-mailed Mr Saleh to say it had run his program and had not encountered any breach.

Mr Saleh is disappointed in their response. "I have demonstrated this to a lot of experts, who all say it works. I can't understand why Microsoft don't believe me.

"I am willing to prove what I say any time they ask."

Microsoft New Zealand spokeswoman Carolle Leishman said the company never received the original warning message he said he sent.

"We have no record of any communication with Mr Saleh until now. We still need to verify the situation and our security response team will investigate and evaluate it."

PC users concerned about the threat have a simple solution: turn off the Java Script feature, which can be disabled from "Internet Options" in "Control Panel."

* This is an updated version of a story from earlier today in which we stated that John Thackray "was not aware of any police operation dealing with viruses but would investigate Mr Saleh's discovery."

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".