Traditional distinctions are becoming increasingly blurred between different kinds of malicious code or 'malware' (viruses, worms, spam, trojans, adware and spyware). Recent developments challenge anti-virus companies both to counter new technical obstacles and to navigate potential legal minefields. Malware writers are turning to new 'social engineering' tricks to entice unwary users to assist unwittingly in the spread of their delinquent handiwork.
Evolving boundaries of spam
The spam nuisance - unsolicited, sometimes commercial, often fraudulent email (the electronic equivalent of paper junk mail) - continues to grow relentlessly. Virus writers have come to recognize the advantages spamming techniques can offer in the release or 'seeding' of new worms, and with increasing regularity use such techniques to get them off to a flying start. Not only have they adopted the technical ploys of the spammer to hide their tracks, they have started to disguise their wares as relatively harmless spam.
Conversely, the spammers have also learned from the virus writers. For example, the 'FriendGreetings' scam evolved from spam to internet worm, using exactly the same technical mass mailing method as the Melissa virus (but more of that later).
Beware the seasonal electronic greetings card
Electronic greetings cards have been used in novel ways recently as an adjunct to spam, spreading in a worm-like fashion, and also as a means of infiltrating trojans (named after the hollow wooden horse concealing Greek warriors carried into the gates of Troy) onto the desktop. E-cards are becoming the latest preferred social engineering trick, especially at times of year when people expect to receive cards, and they should be treated with caution: a few nasty surprise gifts may be in store.
The first malicious use of the e-card approach has been dubbed 'Cytron,' after the Canadian-based pornographers Cytron Communication Ltd. who pioneered the trick. Cytron arrives as spammed email, ostensibly as an electronic greetings card with a fake return address - e-greetings at yahoo.com. A smiley face and the promise of a personal e-greeting, often entices the recipient to click on an envelope graphic which takes them to surprisecards.net. The user then has to agree to download software in order to be able to read the card.
The victim never gets to read their greeting card.
Later comes the surprise, and a rather nasty one at that - a Trojan horse. As well as a harmless card reader, they also download a browser helper object (BHO). In the ThreatLab, we researched the malware potential of BHOs in early 2001 and reported our serious concerns to Microsoft Security. The BHO problem has finally arrived in the real world with Cytron.
Your browser's little helper
What, the reader may ask, is a BHO? A browser helper object is software that may be 'registered' in Windows as an extension to Microsoft Internet Explorer. Once registered as a BHO, it can intercept all of IE's events and access most of the properties of IE's 'document' object model. Translating into layman's terms, it can watch over your shoulder as you browse the web, so as to enhance the surfing experience in any number of interesting ways.
Cytron enhances your browsing experience in a very specific way: it scans web pages you visit for keywords. It is designed to identify people who are possibly in the market for pornography. The idea is to boost market share by drawing customers away from the competition.
Automated keyword filtering software must be designed with great care, if crude false positives are to be avoided. Recent research suggests that perhaps Cytron Communications are less than diligent about false positives. Browsing a report in USA Today about the constitutional issues relating to pornography triggered a pop-up graphic advertising a gay men's adult site. Similarly, a visit to a Christian site promoting a video entitled "Pornography: The Tragedy Exposed" caused the BHO to spawn another of Cytron's graphic ads, this time for a site featuring the "nets [sic] youngest women online."
Apart from the potential unwanted intrusion of such unsavory material into the home, in the workplace, this could result in an unfortunate victim appearing to persistently flout company policy on Internet usage, possibly leading to disciplinary action. It would be an astute technical sleuth who could correctly pinpoint the cause to an insidious BHO.
Your browser's little thief?
Cytron has been categorized variously as spam, Trojan horse, spyware and pornography adware. The real import lies in the debut of not only the e-card scam, but more so the BHO. No longer does the attacker depend on well-known techniques to launch automatically when Windows starts. Instead, the BHO springs into operation whenever Internet Explorer runs. Malware writers can be expected to learn from Cytron and apply this new technique. BHOs can be deployed in stealth malware to assist in mounting a number of pernicious kinds of attacks. Most notably, a BHO can identify, with relative ease, any passwords as these are input to web pages, and grab copies. The future scope for fraud is very significant and certain web security measures may need to be reconsidered, particularly with regard to financial applications and Internet banking.
The CEO of Cytron Communications Ltd reportedly defended their e-card scam by pointing out that he could name "a hundred different companies, publicly-traded companies, that are doing far worse." Perhaps so, but their days may be numbered, if an ongoing class action succeeds against Netscape and AOL, in connection with the Real Networks spyware. On October 1, 2001, Netscape/AOL lost an important appeal before the New York Second Circuit court, paving the way for a judgment on the question of their spyware violating the Electronic Communications and Computer Fraud and Abuse Acts. On the other hand, the unscrupulous would simply move their operations to an unaffected jurisdiction.
Spam evolves into worm
Another recent e-card scam has been labeled FriendGreetings, after one of the web sites belonging to Permissioned Media Inc. "Permission" is the operative word, because failure to read the small print can make all the difference. Initially, distribution involved spamming, but for the main part the e-card has been propagated widely with the unwitting sanction of ordinary users. A user receives the greeting card announcement, usually from someone they know and possibly trust. It arrives as apparently personalized email with the subject "[Recipient] you have received a greeting card from [Sender]."
The potential victim is invited to one of the FriendGreetings web sites to download a reader program in order to accept the greeting card. In the process of doing so the user has to supposedly read and confirm consent to the conditions of not one, but two, end user license agreements. In reality the vast majority of hapless users click through this without a second thought. The card reader presents their greeting card and silently emails the same announcement they received initially to everyone in the Outlook Address Book. But they agreed to the small print of the EULA (twice). Furthermore, the chances are high that some of the members listed in the address book may conclude that they have been sent a virus.
Some anti-virus companies fight shy
Unlike the Cytron, which is clearly a Trojan and detected as such, FriendGreetings has received a mixed reception amongst the anti-virus community. Despite the fact that it mass mails using the same method as the Melissa worm, some anti-virus vendors allow it to pass unmolested. Why? Such reticence stems from the fact that the scam, although employing unscrupulous social engineering, rests arguably just on the right side of the law. And then there's the small matter of, which law? Failure to read the small print means the user has also agreed implicitly to be bound by the software laws of the Republic of Panama and any dispute "shall be settled by binding arbitration in accordance with the rules of the Panamanian Arbitration Association." Caveat emptor!
The mother of all spyware
A third recent variation on the e-card approach has been deployed by Email P.I., an unashamed example of commercial trojan spyware. This, boasts marketing material at the Email P.I. site, is "the mother of all spy programs."
The site offers a selection of five different e-cards - romantic, joke and others - with which to ensnare your victim. The main purpose of the spyware is to maintain a suspected unfaithful spouse under close surveillance. It is claimed that all that is needed to install the spyware is the email address of the target and that the e-card will achieve this "100 percent invisibly." The breadth of spy functionality is impressive if it all works: email, chatroom, keylogger, password grabber, webcam, and much more. The idea is that almost every action taken on the victim's PC can be snooped remotely and logged.
Although the marketing material concentrates almost exclusively on the cheating spouse scenario, the scope for industrial espionage deserves some consideration. Would you accept a joke e-card from someone you know, or even in good humor from a competitor? We may have more than one good reason to distrust e-greetings cards - take care.
No single panacea exists to protect against the spectrum of email-borne threats today. The solution lies in defense in depth or 'belt and braces.' Anti-spam measures come in many forms: some suitable for the home user, others designed to protect the corporate network. Anti-virus software is now a must in all environments, although it will not address all threats and signature updates should be applied as frequently as possible. Content filtering can be highly effective at the corporate email gateway, providing flexible, configurable and layered defense mechanisms. Regardless of complementary and overlapping security measures, at the end of the line stand users and their credulity. Many users have learned the painful lesson of distrusting unsolicited attachments. Soon they may need to cast a very wary eye over seemingly friendly greetings e-cards.
Pete Simpson is ThreatLab Manager for Clearswift Ltd (www.clearswift.com).