The Social Psychology of Computer Viruses and Worms*
Jonathan J. Rusch
Georgetown University Law Center
United States of America
Jonathan.Rusch@worldnet.att.net
Paper Presented at INET 2002, Crystal Gateway Marriott, Crystal City, Virginia, June 21, 2002
Introduction
When the defenders of Troy first saw the Trojan Horse outside their walls,
legend has it, the gods on Mount Olympus did not compel them to bring it inside the
city. The Trojans’ decision to do so, though wholly voluntary, was strongly influenced
by the Greek army’s clever manipulations of their perceptions. The Greeks not only
hauled the horse by night to the gates of Troy, but spread a rumor that the horse had a
benign purpose: appeasement of the war goddess Minerva to ensure a safe return
home. They also sailed all of their warships away from Troy to a hidden anchorage.
They chose, however, to leave behind one Greek, named Sinon. Situating himself
where he would be found easily by Trojan forces, Sinon pretended to have escaped
wrongful imprisonment after being designated for sacrifice by his own people.
While a few Trojans presciently warned against the horse, most accepted Sinon’s
solemn confirmation that its purpose was benign. Many even participated in breaching
the city walls to ensure that the outsized horse could be hauled inside.[1] The bitter
remarks of Aeneas, who survived the fall of Troy, suggest that the Trojans were, in
effect, the earliest known victims of “social engineering”:
This fraud of Sinon, his accomplished lying,
Won us over; a tall tale and fake tears
Had captured us, whom neither Diomedes
Nor Larisaean Achilles overpowered,
Nor ten long years, nor all their thousand ships.[2]
The “Trojan horses” we encounter today, along with the computer viruses and
worms that bear them,[3] seem far more complex and sophisticated than the Trojan horse
of legend. Yet virus and worm makers often show that they are as capable as the
ancient Greeks of influencing people to open their computers and networks to
malicious code or even mistakenly to destroy their own data.
The Social Psychology of Computer Viruses and Worms - INET 2002
Jonathan J. Rusch © 2002. All rights reserved.
Since February 2001, a spate of reports indicates that “social engineering”
techniques – some more sophisticated than others – are becoming increasingly popular
in virus and worm writing. Here are a dozen of the more widely reported viruses,
worms, Trojan horses, and virus-related hoaxes during that period, listed in
approximate chronological order:
• February 2001: The now-famous “Anna Kournikova” virus was one of the
pioneering uses of social engineering in virus propagation. It accompanied
e-mails with the subject line, “Here you have,;0)”. The attachment bore the
filename AnnaKournikova.jpg.vbs, to make it appear that the attachment was a
jpg picture of the tennis player Anna Kournikova. In fact, the attachment was a
Visual Basic Script that infected Outlook and mailed itself to contacts in the
target computer’s address book.[4]
• May 2001: In the “sulfnbk.exe” hoax, an e-mail told recipients that the sender,
without knowing it, had a file on his computer that proved to be a virus
undetectable by anti-virus software. The sender then provided recipients with
instructions on how to find and delete the file on their own computers. In fact,
sulfnbk.exe was a standard executable Microsoft Windows file that serves as a
utility to restore long file names. Many recipients of the e-mail who looked for
the file and found it on their computers apparently concluded that the sender’s
information was accurate and deleted the file in the mistaken belief that it was
malicious code.[5]
• July 2001: The “W32.LeaveB” worm appeared as an attachment to an e-mail that
purported to be a Microsoft security bulletin. The spurious bulletin informed
recipients that a “serious virus” was aimed at Windows computers and that they
should protect their computers by downloading and installing an attached
“security patch.” The bulletin also reported that the virus had the “complexity
to destroy data like none seen before.” The worm in fact downloaded
components from Websites and contained code to accept commands from
Internet Relay Chat programs. The worm’s purpose was unclear, as it
apparently was not damaging computers or facilitating the theft of data from
target computers. One leading computer security expert speculated that it was
intended to use target computers “to click ad banners and other sites as part of a
money-making scheme.”[6]
• December 2001: The “Reezak” worm appeared during the 2001 holiday season.
The subject line of the e-mail transporting it was “Happy New Year” and the
message text “Hi i can’t describe my feelings But all i can say is Happy New
Year :) bye.” A recipient who clicked on the attachment saw a Flashmedia
Christmas greeting card, with Santa and a reindeer against a background of
snow. What the recipient did not see was Reezak’s efforts to delete the target
computer’s Windows System directory and to disable antivirus software.
Reezak also attempted to redirect the Internet Explorer home page to an infected
Website with a message that declared both “Sharoon” [sic] and Bush a “war
criminel” [sic]. The infected Webpage included an infected script called
Outlook.vbs. This script sent a second message to contacts in the Outlook
address book that urged people to visit the infected Webpage themselves.[7]
• January 2002: The “Gigger” worm (actually a self-propagating virus) circulated
as an attachment to e-mails. The e-mails bore the subject line “Outlook Express
Update,” and the attachment bore the name “mmsn_offline.htm,” to encourage
the impression that the e-mails were from Microsoft. If opened, the attachment
could infect the target computer and delete all files on its hard drive.[8]
• January 2002: The “MyParty” worm appeared as a purported link in an e-mail
message. The e-mail, which bore the subject line “new photos from my party!,”
told recipients, “Hello! My party ... It was absolutely amazing! I have attached
my web page with new photos! If you can please make color prints of my
photos. Thanks!” The message also contained the link to what appeared to be a
Yahoo! website, www.myparty.yahoo.com or myparty.photos.yahoo.com. In
fact, clicking on the purported link caused a virus to copy itself to
C:\Recycled\regctrl.exe and execute that file. The virus then retrieves the
default SMTP server of the user’s infected computer from the registry and
launches itself to solicited addresses in the target computer’s Outlook
directory.[9] Some reports also indicated that the virus left Trojan horses on
infected machines before mailing itself to others.[10]
• March 2002: According to the Computer Emergency Response Team (CERT) at
Carnegie Mellon University, intruders are using Internet Relay Chat (IRC) and
Instant Messaging (IM) to send messages that appear to come from the IRC or IM
network. These messages are crafted to make the recipients believe that they
already have a virus and must download an attached program to clean their
computers or risk being banned from the network. For example:
You are infected with a virus that lets hackers get into your machine and
read ur files, etc. I suggest you to [sic] download [malicious url] and clean
ur infected machine. Otherwise you will be banned from [IRC network].[11]
CERT reported that tens of thousands of systems reportedly have been
compromised in this way.[12]
• March 2002: The “W32/Gibe@mm” virus circulated as an attachment to an
e-mail purportedly from the “Microsoft Corporation Security Center.” The e-mail
warned recipients of vulnerabilities in Internet Explorer, Outlook, and Outlook
Express programs, and noted that the attached security-update program would
fix those vulnerabilities. In fact, the “Gibe” virus would attach itself to the target
computer’s registry, e-mail copies of itself to addresses it could find, and open a
port on the target computer for malicious code to enter.[13]
• April 2002: In the latest variants of the MyLife virus, e-mails invited the viewer
to click on an attachment that purports to be a screensaver. The screensaver
allegedly poked fun at such prominent political figures as former President
Clinton and Israeli Premier Ariel Sharon. Clicking on the attachment released a
worm that spread from the victim’s computer to addresses in the victim’s
Outlook address book or MSN Messenger contact list.[14]
• April 2002: The “Jenna Jameson” virus, named for a well-known porn star, was
attached to an e-mail with the subject line “Jenna Jameson pornostar free
superfuck+photo addresses.” The attachment bore the filename
“JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs.” To the hasty reader, this filename
made it appear that the file was a text file; closer inspection showed that it was a
malicious Visual Basic Script. Executing the attachment allowed the recipient to
see a text document with a list of links to porn sites, but also launched the virus,
which infected the target computer. The virus first sent itself to all names in the
target’s Windows address book and was set to display a message on May 12,
2002: “Your PC has been hacked by KaGra[ATZI virus ver 2.1].” On May 13, it
was also set to delete the Windows folder on the target’s C drive or, if the target
is running Windows NT, the Winnt folder.[15]
• April 2002: The most virulent e-mail virus, according to various sources, is the
Klez.H virus.[16] The latest variants of Klez, particularly Klez.H, use a large
number of subject lines and texts that present a wide range of messages. Klez.H
is attached to e-mail whose subject line may contain any one of approximately
120 phrases, such as “Re: A Win XP patch,” “Undeliverable mail–(random),”
“Returned mail–(random),” “(random) (random) game,” and “darling.” Klez.H
also spoofs an e-mail address found on the target computer, to make it appear
that it has been sent from a familiar person or entity.[17] The e-mail text, which has
numerous variations, consists of messages that may include “This is a special
humour game” or “(virus name) is a dangerous virus that spread through email.
(Antivirus vendor) give you the (virus name) removal tools. For more
clicks on the attachment, Klez.H uses its own Simple Mail Transfer Protocol
(SMTP) server to send infected copies of itself to the target computer, bypassing
e-mail software on that computer. It can copy itself to remote disk drives by
creating random filenames and adding random suffixes such as .exe, .com, .bat,
or .scr. It also contains an upgraded version of the Elkern virus, Elkern.c, which
adds a hidden file to the Registry entry and can corrupt files without changing
their size.[18]
• May 2002: The “cute.exe” Trojan horse program is an attachment to an e-mail
with the subject line “Thoughts” and the text “I just found this program, and, i
don’t know why . . . but it reminded me of you. check it out.” The attachment
uses a standard JPG icon, but is an executable file. If the recipient clicks on
cute.exe, it will unpack itself and make various changes to system files “to
ensure that the program (‘kernel32.exe’) will execute after a reboot.”[19] In a
variation of a standard “Floodnet” bot, cute.exe also contacts an Internet Relay
Chat (IRC) server and joins a predefined IRC channel. This allows the attacker to
obtain information about the target computer, to launch various denial of
service attacks, and to instruct the program to update or remove itself.[20]
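
The Anna Kournikova and Jenna Jameson items above both rely on a harmless-looking extension (.jpg, .TXT) placed in front of the real .vbs, which a mail gateway can test for by name. The following Python check is an added example, not part of the original paper; the function names, the decoy list and the sample message are assumptions constructed for illustration, and the handling of padding spaces and trailing dots goes beyond the cases the paper lists.

```python
import email
from email import policy

# Extensions Windows runs or hands to a script host. .vbs, .exe, .com, .bat and
# .scr appear on this page; the others are assumptions added for the example.
EXECUTABLE = {".vbs", ".exe", ".com", ".bat", ".scr", ".pif", ".js", ".cmd"}
# Extensions a recipient reads as harmless content (assumed decoy list).
DECOY = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".htm"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows drops trailing dots and spaces, so normalise before splitting.
    parts = [p.strip() for p in name.strip().rstrip(". ").lower().split(".")]
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE:
        return "ok"
    if len(parts) >= 3 and "." + parts[-2] in DECOY:
        return "double-extension"
    return "executable"

def scan_message(raw):
    """Return (filename, verdict) for each flagged MIME part of a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    named = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [(n, classify_filename(n)) for n in named
            if classify_filename(n) != "ok"]

# Constructed sample message (not a captured one); attachment bodies are dummies.
SAMPLE = """\
Subject: constructed test message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

constructed body
--b1
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"

dummy
--b1
Content-Disposition: attachment; filename="mmsn_offline.htm"

dummy
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A name-based check flags cute.exe as executable but passes mmsn_offline.htm, so it complements content inspection rather than replacing it.
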
The increasing use of social influence techniques should be of great concern to
computer security specialists. Greater use of these techniques can greatly complicate
the tasks of preventing or reducing the spread of viruses, worms, and “blended
threats” (i.e., code combining elements of worms and viruses) just when they are
becoming increasingly ubiquitous on the Internet. According to a survey by ICSA
Labs, in 2001 corporations were hit with a monthly average of 113 virus infections for
every 1,000 computers they owned. The majority of the viruses identified in the survey
were spread through e-mail, and mass mailers accounted for 80 percent of the viruses.[21]
Another survey by Information Security Magazine found that 90 percent of the
companies surveyed had been infected with worms or viruses.[22]
Antivirus specialists have tended to explain the success of social engineering
viruses, in part, by casting aspersions on the intelligence of the victims, calling them
“ignorant”[23] or suggesting that they needed to apply “common sense.”[24] One
researcher expressed surprise that variants of the MyLife virus were spreading
“because the tricks used by the virus to fool people into double clicking on the
attachment, and becoming infected, were crude.”[25]
These comments reflect a significant gap in our understanding of viruses and
worms. We know a fair amount about the technical operations of viruses and worms,
thanks to the efforts of many computer security researchers around the world. We are
taking tentative steps toward understanding the thinking of malicious code writers,
through the work of antivirus researchers like Sarah Gordon.[26] In contrast, there has
been no systematic analysis of the effectiveness of social engineering techniques in
spreading viruses and worms.
One source of insight for such an analysis is the field of social psychology -- “the
scientific study of how people think about, influence, and relate to one another.”[27]
Social psychology has developed a number of behavioral principles and concepts that