Information Security News mailing list archives

Oh, Those Clumsy Anna Copycats


From: InfoSec News <isn () C4I ORG>
Date: Mon, 26 Feb 2001 18:25:28 -0600

http://www.wired.com/news/culture/0,1284,41947,00.html

by Michelle Delio
2:00 a.m. Feb. 23, 2001 PST

The Anna Kournikova worm may have infected more people than it did
computers.

Since Anna made the rounds, it certainly seems as if a lot of humans'
hard drives have been attacked by some kind of brain-sucking ailment.

Novice crackers are frantically trying their hands at copycat virus
creation and failing miserably -- but that was to be expected. Other
people -- politicians, public relations pros, pundits, and yes, even a
certain tennis player -- are all reacting to the Anna virus in
increasingly odd and silly ways.

Take the mayor of the town where Anna's creator lives -- Sneek,
Holland -- alsjeblieft.

According to local papers, Mayor Sieboldt Hartkamp was so pleased with
the attention the virus brought that he told Onthefly, the virus
writer promptly arrested for his actions, to come in for "a serious
interview" once he has completed college.

Hartkamp thinks that Onthefly would be the perfect person to put in
charge of the town's computer systems.

Kournikova wants in on the action, too. Her official website is
plastered with perky mentions of the virus, and a banner declares that
the site offers the "best Kournikova photos available without trashing
your hard drive."

Kournikova's site also shared all the juicy details of the virus, in a
story rather gleefully titled, "Many People Want To See Anna -- How
Anna Kournikova Photos Are Destroying The World's Computers!"

Some wonder whether paying so much attention to viruses and their
writers will encourage other kids to write viruses.

Australian Internet users were spammed last weekend with a copycat
worm that was created using the same kit that Onthefly used to cobble
together Anna.

The e-mail's headers -- cleverly titled "virus warning!!!" -- were
carefully faked to look as if the warning came from antiviral software
maker Symantec. The e-mail contained an official-sounding warning and
an attachment that claimed to be the fix for the virus.

But the virus writer stumbled and somehow sent out only the raw virus
code in the attachment, instead of compiling it into an active Visual
Basic Script that could have spewed the worm merrily across worldwide
networks.

Another wannabe cracker posted a file purported to be an interview
with Onthefly in the alt.comp.virus.source.code newsgroup on Tuesday.

The file was actually a VBS script containing a virus, something that
the members of the newsgroup -- many of whom seriously study viruses
-- didn't have a hard time figuring out.

"We are going to be pelted now with these little baby efforts to bring
down the Internet," one regular poster said to the group.

"Kids who think they are elite hackers are gonna be crawling out of
the woodwork for the next few weeks and annoying the hell out of
everyone with their cute little stunts. But we'll whack them with our
Onthefly swatter."

Seemingly ripe for a firm swatting is "Disturbing The Peace," an
obscure band from St. Louis that sent out e-mail messages from a fake
security firm last week.

The e-mails blared the news that an unknown group of terrorists had
snagged something called "the New Ice Age virus" from the U.S.
government's "information warfare laboratory."

The only way to stop the virus was to visit a Web page that turned out
to contain information about the band's new album. The stunt failed,
though, as virus-weary users failed to pass the frantic e-mail along
to everyone in their address book.

Rob Rosenberger, webmaster of the Virus Myths site, said that only 25
people received the Ice Age e-mail.

But some crackers who have caused real problems by distributing actual
viruses have been richly rewarded for their efforts.

Onel de Guzman, the writer of the LoveBug, a worm that ravaged
networks last year, has become a national celebrity in the Philippines
and received many job offers from security firms. So did Chen Ing-hau,
the author of the data-munching Chernobyl virus, who also has been
deluged with job offers from software and security firms.

But none of the recent worms are examples of sophisticated
programming, say many security experts who believe that the worms'
authors were more skilled at psychology than they were at programming.

"Most users are impressed by virus writers because they don't know
anything about it," said Ken Dunham of Security Portal.

Sneek's mayor was quoted by the press as saying, "It is obvious that
the young man is very capable and it is in our interest to employ
people like him in our IT department."

"How is Onthefly very capable?" wondered Dunham.

"All he managed to do was to find a virus site, download a program,
and use his mouse to create a worm in a matter of minutes. Seems to me
that I can find a lot of 10-year-olds with better ethics and
upbringing to do the same thing."

Some security experts urge harsh sentences and a ban on hiring
crackers.

"Hiring authors of malware that have been distributed into the wild is
a bad idea," Dunham said.

"The mayor of Sneek has disgraced his community with his public
remarks, expressing an interest in hiring Onthefly. It appears that
some people, including the mayor of Sneek, will do anything for media
exposure."

Others agree that most virus writers should not be lauded, but say
that exceptions should be made in some cases.

Rosenberger believes that anyone who ever released a virus into the
wild -- hoping it would spread and do harm -- should never be hired to
do computer work.

"It only encourages others who suffer from narcissistic personality
disorder," said Rosenberger. "End of discussion."

But Rosenberger believes that those who work on "unsupervised
research" in their spare time to "advance the state of the art," and
who "might distribute copies to others who also seek to advance the
state of the art, even if they perhaps distribute their experiments
via open-access websites," should not automatically be assumed to be
evil.

And Rosenberger wonders -- since some antiviral firms "publicly
divulge security flaws and even occasionally release proof-of-concept
exploits for publicity purposes" -- then why aren't individuals
encouraged to do this as well?

"Why do we accept this kind of behavior at the corporate level if we
don't accept it at the personal level?" Rosenberger asked. "And if we
do accept it at the corporate level, do we accept it simply because
the company sells a product we want? The answer to these questions
should guide your hiring decisions."

Rosenberger is himself no stranger when it comes to advancing the
"state of the art."

He once spent two years on a pet project documenting ways to attack
corporate networks by exploiting flaws in antiviral software.

ISN is hosted by SecurityFocus.com