Information Security News mailing list archives

When "Love" hits your "Resume" and it isn't so "Funny"


From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Jun 2000 00:46:51 -0500

http://news.cnet.com/news/0-1005-200-2122854.html?tag=st.ne.1002.bgif.ni

By Evan Hansen
Staff Writer, CNET News.com
June 21, 2000, 1:25 p.m. PT

What's in a name? Everything, when it comes to computer viruses.

Virus writers get poor marks from security experts for their packaging
efforts. But occasionally they hit on an effective ruse, as the
"Stages" outbreak shows. Using simple email headers such as "Jokes"
and an attachment disguised as a harmless text file, the virus gained
sufficient momentum to shut down corporate email systems early this
week.

"In most cases, viruses aren't carefully disguised," says Dan
Schrader, chief security analyst at Trend Micro, a security software
company. "But every once in a while they manage to slip one by...The
key themes (of successful viruses) are sex, greed and fear."

Manipulating the people who use computers rather than the computers
themselves is known as "social engineering." In many cases, it is the
key in a hacker's tool kit, figuring prominently in most damaging
virus attacks.

In the Stages virus, for example, the author relied partly on a
misconception that files ending in the extension ".txt" don't carry
viruses because they are text files and therefore cannot execute
commands.

File types can be disguised, however.

In this case, the author used a feature in Microsoft's Outlook Express
email program that conceals the true nature of Windows Shell Script
Object files. These executable files carry the extension ".shs," but
under commonly used settings in Outlook, the extension doesn't show
onscreen.

However, the concealed file type may have been less important in
spreading the virus than simple human curiosity, according to Vincent
Gullotto, director of Network Associates' Anti-Virus Response Team
(AVERT).

"The fact is, not that many people are aware of what file extensions
mean," he said. "This got people's attention because it appealed to
them on some level."

One person who clicked on an infected Stages attachment said it looked
like a joke from someone he knew who often sends similar messages,
Gullotto said.

"It's about trying to find ways to tempt you to open the message," he
said.

Viruses frequently rely on humor. Computer Associates, for example,
recently reported a virus traveling in an animation clip of the
popular "South Park" cartoon show.

Sex also sells.

"Trojan horse" viruses disguised as pornographic videos have
circulated recently. One such virus, known as "Gnutella.worm" and
targeting members of the Gnutella file-sharing network, used
variations such as "collegesex.vbs" and videos with porn star names
such as "Jenna Jameson movie listing.vbs."

In one of the most successful attacks to date, Melissa virus author
David Smith posted a message on the "alt.sex" Internet message
discussion group, offering a file that purported to provide passwords
for pornographic Web sites. He asked readers not to share the file
with anyone else.

Sometimes the pitches can be disarmingly simple, as in the case of the
"I Love You" virus, which spread across the globe last month and
forced some Fortune 100 companies to shut down their email servers.

"When I saw that, I thought nobody would be fooled," said Trend
Micro's Schrader. "Apparently the virus writers had a better sense of
human psychology than I do."

Money has proven a less successful means of enticing people into
opening infected files.

"Sweepstakes messages are ignored," said Network Associates spokesman
Sal Viveros, although he noted that copycat versions of the Love virus
notifying recipients of charges to their credit cards for Mother's Day
gifts did fool some.

"That might have done a lot better if it had come closer to Mother's
Day," he said. "People are very concerned about things like privacy
and Internet fraud."

Network Associates' Gullotto said companies are seeking to boost
security to quickly halt viruses, by disabling executable files that
can carry viruses into corporate email networks, for example.

But basic human nature may always give hackers a way around the most
robust technological defenses.

"Unfortunately, people are curious," Gullotto said. "In many cases,
they're deluged by email at work, and they want to read something
different from the mundane. All it takes is to get one person to
look."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
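
A mail-gateway check for the disguise described in the article, as an added example that is not part of the original article or post: it blocks attachments whose real (last) extension is one of the executable types the article names (.shs, .vbs) and marks them as disguised when a harmless-looking extension such as .txt sits in front of it. The function names, the decoy list beyond .txt, and the sample message are constructed for illustration.

```python
from email.message import EmailMessage

BLOCKED = {"shs", "vbs"}  # executable types named in the article
DECOYS = {"txt", "jpg", "doc", "avi", "mpg"}  # assumed list; only txt is from the article


def classify(filename):
    """Return 'block-disguised', 'block' or 'allow' for an attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before judging.
    parts = [p.strip() for p in filename.lower().rstrip(". ").split(".")]
    if len(parts) < 2 or parts[-1] not in BLOCKED:
        return "allow"
    # A benign-looking extension right before the real one is the disguise:
    # with extensions hidden, "jokes.txt.shs" is displayed as "jokes.txt".
    if len(parts) >= 3 and parts[-2] in DECOYS:
        return "block-disguised"
    return "block"


def scan(msg):
    """Return [(filename, verdict)] for every named attachment in a message."""
    return [(part.get_filename(), classify(part.get_filename()))
            for part in msg.iter_attachments() if part.get_filename()]


def sample_message():
    """Constructed test message; the attachment bytes are inert placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "Jokes"
    msg.set_content("See attached.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="jokes.txt.shs")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg


if __name__ == "__main__":
    for name, verdict in scan(sample_message()):
        print(f"{verdict:16} {name}")
```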

