The Net abuses and education

Page 1: The Net abuses and education

Mihai Jalobeanu
National R&D Institute for Isotopic and Molecular Technology
Cluj-Napoca, Romania
[email protected]

"Computer ethics is the basis of computer security. Education and justice, not arbitrary punishment, must be the key to our efforts against computer infraction."

Abstract

The recent Love Letter worm caused a lot of damage on the Net, and prompted a lot of journal articles and debates. It was a good occasion for administrations and party leaders to underline the need for Cyberspace control, restrictive Internet access rules, and so on. Neither newspapers nor radio or TV broadcasts noted that this worm was a battle in the global war between Unix users and the Microsoft company. The main idea is to send a worm by e-mail as an attachment file. The Melissa worm was included in an MS-Word doc file, infecting the word processor when the file was opened. Following last year's attempt with the Melissa worm (an MS-Word virus), the Love Letter worm is a Visual Basic script affecting only MS-Windows platforms with Windows Scripting enabled. Of course, the design and distribution of such a dangerous worm is a Net abuse and must be judged by taking into account the damage produced. But, at the same time, such an event proved the Net's vulnerability, especially in the case involving an invasion of MS-Windows tools.

In our opinion, the current discussion of worms, which highlights Internet vulnerability only in the immediate circumstances, underlines the insufficient training of Internet users. In the beginning, a lot of Internet volunteers and foundations paid attention to the education of new Internet users (newbies). Now, with an Internet population of 300 million, and due to the continuous simplification of Internet access, more than 50% of Internet users thought that they knew enough about the Internet.

Introduction

Computers have become a part of our life. People are spending an important amount of their time in front of their PCs, looking for information or games, searching, cooperating, amusing themselves, or doing their job in education, science, administration, or in business. Through the Internet, joining 300 million users and 6-800 million documents, the global Matrix connects schools, research centers, banks, government institutions, press agencies, travel companies, local communities and individuals. It has now become a normal occurrence to have violations: computer infections or computer crimes. Consequently, new computer science fields have been developed, like computer ethics and computer/network security. These help to hinder attempts to access private or secret information, or the design and distribution of dangerous programs, like computer viruses or worms. Unfortunately, for some people, due to insufficient education, a computer violation (a network intrusion, or a computer virus design) seems to have a glamorous attraction. This is visible on a lot of Web sites dedicated to Kevin Mitnick, or to R.T. Morris and his Internet worm.

On the other hand, media journalists are discussing Net abuses and computer crimes more than the benefits of the Internet. Quite frequently you may hear 'we haven't laws to punish the network intrusion!'; furthermore, it is possible that computer crime prosecutions can be followed as models. There is literature focused on computer crimes, for example [Stoll 1989, Littman 1997], Internet worms, and computer viruses. Journalists are writing more about a new computer virus, or about a new Net fraud, than about the Internet access restrictions in Iraq or Cuba, about online education facilities, or about possible e-business.

The fear of having a complete record of a person's life (preferences, performances, diseases, income) increasingly being compiled in computer databases has made people more aware of potential malfunctions of these computers, and of possible violations of privacy through the Internet. But, usually without objection, people accept spam, i.e. non-requested mail, or give their account password to a colleague.

For a user, or even for a server administrator, it is much easier to consider a worm or a virus as blameworthy for each malfunction of their own PC application, or for strange local server responses, instead of accepting the responsibility for a mis-configuration, an erroneous security policy, or a bad operation.

Periodically, computer companies exaggerate the traditional computer (hardware and software) vulnerabilities to convince people to buy their new versions. This is the case for anti-virus producers, as well as for giant companies, like Microsoft. This way, for example, the Love Letter worm's impact was discussed by journalists as a danger for every computer connected to the Internet, even though this worm attacks with precision - MS Windows (95/98/NT/2000) platforms operating with the Outlook mailer, with the Outlook Addressbook loaded, and having WSH enabled. Moreover, it acts only at the intentional opening of the VBS script attachment file [Loss 2000, Grimes 2000].

There have been dozens of similar worms since Melissa (March 1999) [1], and at least six different versions of the Love Letter worm [2], so why has there been so much media attention given to this one? Of course, letters with "I love you" as a subject, with or without a worm, have generated enough difficulties in world history.

Computer viruses

Computer viruses are strongly connected with personal computers, so their real history began from 1985, even though the phrase was formulated earlier.

[1] SecurityPortal: The Focal Point for Security on the Net, Top 20 Virus, May 31, 2000 <http://www.securityportal.com/research/virus/virustom20.html>
[2] Bradon Loss, VBS.LoveLetter Variants, SecurityPortal: The Focal Point for Security on the Net, <http://www.securityportal.com/research/virus/profiles/vbslovelettervariants.html>

Like other computer science words, the term computer virus was first used in a science fiction story (David Gerrold, "When Harlie was One", 1972). In 1982, a scientist, Fred Cohen, through his PhD research, developed the mathematical model of the computer virus' behaviour, using it to test various hypotheses about the spread of viruses. He published the first book on computer viruses in 1984 [Cohen 1984].

Generally, a computer virus is a self-replicating program containing code that explicitly copies itself and that can infect other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved copy of the virus. Many people use the term virus to cover any sort of program that tries to hide its possibly malicious function, or tries to spread into as many computers as possible. These programs are called "Trojan Horses" and "worms", respectively [Reymond 1991, Ivaner 1997, Virus-L FAQ], and can affect different computer systems, while viruses target PCs only. A worm is also a self-replicating program, blocking the system through the execution of all its copies, or through sending exponentially growing numbers of replicas into the network. Generally, the worm doesn't modify other code, as a virus does. A Trojan Horse (or simply Trojan) is understood to be a program doing something undocumented that the programmer intended, but that some users would not approve of if they knew about it. In such a sense, worms and viruses are Trojans. But there are people who consider a Trojan Horse to be only non-replicating malware; in this way the sets of Trojans, worms, and viruses are separate [Virus-L FAQ].

Computer viruses classification

Generally, there are two main classes of viruses: File infectors, and System or Boot-record infectors.

A file infector virus attaches itself to ordinary program files, usually com and/or exe programs, though some can infect any file for which execution or interpretation is requested, such as sys, ovl, prg, mnu, bat. There are also viruses that infect source code files, inserting code into C language source files that replicates the virus's function in any executable produced from the infected source code files.

File infectors can be either Direct-action (Non-resident) or Resident. A Direct-action virus selects one or more files to infect each time a program infected by it is executed. A Resident virus installs itself somewhere in memory (RAM) the first time an infected program is executed, and thereafter infects other programs when they are executed or when other conditions are fulfilled. Most viruses are resident. The Vienna virus is a direct-action one. As a special case, some file infector viruses modify the directory entries. Instead of modifying an existing file, such a virus creates a new program, which is executed instead of the intended program: for example, an infected com file with the same name as an existing exe file. Since the latter is not changed at all, virus detection is then more difficult.

System or Boot-record infector viruses infect executable code found in certain system areas on a disk (the MS-DOS boot sector, or the Master Boot Record on fixed disks). Examples include Brain, Stoned, Empire, Michelangelo. All these viruses are resident.

Anti-Virus guardianship

Computer viruses have been around for more than fifteen years [Cohen 1984, Denning 1990, Vasarhelyi-Kasa 1996] and most PC users have got used to checking suspect files. Such files usually come from floppy discs or CDs of dubious origin, as well as from the Internet, and trained users can detect them by scanning discs with a reliable virus scanner. Some new hardware includes devices for automatic virus detection. A lot of software companies are focusing on the development of virus scanners, so-called 'anti-virus packages'. To sell their products more widely they exaggerate the range of the virus population, and the ratio of infected PCs. For many years there has been continuous competition: with each new virus reported you will need a new virus scanner able to detect it and to remove it from your infected disc (or at least an upgrade of the scanner's virus table). There are huge general antivirus packages, as well as specialist (for only one virus) scanners. An example of the former is the Norton Antivirus package, produced by Symantec [3], which now needs more than 20 Mbytes of your hard disc space, so it is better to execute it from a CD-ROM. A virus scanner identifies a virus by its signature, i.e. a specific code sequence, or by the modification it has made to files or to system records. As a result, other types of viruses have been developed which hide while "active" and make secret modifications to files or boot records. There are also, for example, polymorphic viruses that produce varied but operational copies of themselves [Vasarhelyi-Kasa 1996]. A Bulgarian cracker (who called himself Dark Avenger after his early virus) developed a Mutation Engine (MtE), an object module able to make any virus polymorphic. The advent of polymorphic viruses has rendered virus scanning an ever more difficult and expensive endeavour.

To prevent computer virus infections in various local area networks, especially in schools, the floppy disc units are disabled on the PC workstations, while on Unix platforms the usual copy commands for floppy discs and CD-ROMs are inhibited for a normal user. Accordingly, a network administrator must systematically download new scanner versions and install them for his users. Fortunately, a lot of virus scanners are now public (freely downloadable) on the Internet. But for real protection against viruses, LAN/Internet users must be trained to distrust unverified files, and must be trained how to use the virus scanners.
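The two detection methods named above (a known code sequence, and the modification made to files) are sketched below as an added example; it is not code from the paper or from any scanner product. The signature table, file names and file contents are constructed, harmless placeholders, and the "new file" case corresponds to the com file that appears beside an unchanged exe file, as described earlier.

```python
import hashlib
import os

# Constructed, harmless byte patterns standing in for a scanner's virus table.
SIGNATURES = {
    "Demo.A": bytes.fromhex("de7710c0ffee4242"),
    "Demo.B": b"CONSTRUCTED-DEMO-SIGNATURE-B",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def scan_signatures(data):
    """Signature method: names of all known byte sequences found in data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def make_baseline(files):
    """Integrity method: record one digest per file while the system is known-good."""
    return {path: sha256(data) for path, data in files.items()}


def snapshot(root):
    """Read a directory tree into the {relative path: bytes} form used by audit()."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def audit(files, baseline):
    """Combine both methods; the integrity check covers what signatures miss."""
    report = {}
    for path, data in sorted(files.items()):
        hits = scan_signatures(data)
        if hits:
            report[path] = "signature: " + ", ".join(hits)
        elif path not in baseline:
            report[path] = "new file"      # e.g. GAME.COM beside GAME.EXE
        elif sha256(data) != baseline[path]:
            report[path] = "modified"      # changed, but matches no signature
        else:
            report[path] = "unchanged"
    for path in baseline:
        if path not in files:
            report[path] = "missing"
    return report


def build_demo():
    """Constructed sample: a known-good state and a later state of the same disc."""
    clean = {
        "GAME.EXE": b"MZ" + b"\x00" * 30 + b"constructed program body",
        "EDIT.COM": b"constructed editor body",
        "CALC.EXE": b"MZ" + b"\x00" * 30 + b"constructed calculator body",
    }
    baseline = make_baseline(clean)
    later = dict(clean)
    later["EDIT.COM"] = clean["EDIT.COM"] + SIGNATURES["Demo.A"]
    later["CALC.EXE"] = clean["CALC.EXE"] + b"bytes that match no signature"
    later["GAME.COM"] = b"constructed stub sharing the name of GAME.EXE"
    return later, baseline


if __name__ == "__main__":
    demo_files, demo_baseline = build_demo()
    for path, verdict in audit(demo_files, demo_baseline).items():
        print(f"{path:10} {verdict}")
```

The baseline must be taken while the files are known to be clean and stored where the scanned machine cannot rewrite it.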

[3] http://www.symantec.com/avcenter/

However, the Internet has also brought new dangers. "Possibly the worst aspect is the almost unlimited sources of shareware and freeware applications, any one of which could contain malicious code", considers Richard Grimes [Grimes 2000].

The shareware and freeware software libraries are great targets for virus authors because distribution of the malicious code is done for them: the naïve user invites the infected code onto their hard disc and, worse, they actually run it. The newbie's first reaction is to download and to try to execute each available file, before thinking if it is relevant to him or not. A circumspect user checks any executable file before running it.

File associations

On the MS-DOS operating system, files are identified through their name extension, made from three characters after the dot. Only a file having an exe or bat extension can be executed, and accordingly can include an MS-DOS virus. On a personal computer there is only one user, the owner. Consequently he has all the execution rights in the system. Even some Windows (95/98/2000) applications accept different users who have the same rights (from e-mail sending, or document editing, to file removing, or to disk re-formatting!).

On a UNIX-type operating system, like Linux, installed on a PC, the file system structure is completely different, based on file attributes and ownership. You must set (change) the corresponding executable attribute on the downloaded file before being able to execute it. Moreover, the usual way to add a new application to such a platform is to download the source files, then configure and compile them correctly. Therefore, the UNIX-type platforms are more secure against computer viruses. More precisely, we can say that there are not any computer viruses acting on UNIX-type platforms, even though there are hundreds for MS DOS/Windows OS on the same hardware. But there were several UNIX worms, beginning with the Great Internet worm [Kehoe 1993], exploiting security bugs.

On the MS-Windows operating systems (Win'95, Win'98, Win'2000, Windows NT) a main facility for the user seems to be the file associations. In the MS-DOS system, the Norton Commander viewer used this concept for the first time. File associations are extremely useful because they allow you to be document-centric and not application-centric. Thus, instead of opening MS-Word and then loading a Word document to view it, you merely double click on a Word document in Explorer and it will start the associated application and inform it to load the document. This is fine when you know the origin of a document, which is generally the case for files on your hard disc. If you do not know the origin of a document then you have to be careful when viewing it. And this is the case for a file moved (downloaded) from another questionable computer.

The first Internet worm

In the short history of the Internet there are some detective stories concerning Internet worms and Internet abuses [Stoll 1988, Elmer-Dewitt 1994]. The damage produced in 1988 by what was later called the Great Internet worm, or Morris' Internet worm, proved the Net's vulnerability, helped developers to focus on Net security and helped to avoid further intrusions and other abuses.

It was on November 2, 1988, in the same year as the completion (in June) of NSFNet - the T1 data network that links academic and computing centers - but also in the same year when Kevin Mitnick was charged with another computer crime spree.

On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. He chose to release it from MIT, to disguise the fact that the worm came from Cornell. Morris soon discovered that the program was replicating and re-infecting machines at a much faster rate than he had anticipated---there was a bug. Ultimately, many machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent re-infection. However, because the network route was clogged, this message did not get through until it was too late. Computers were affected at many sites, including universities, military sites, and medical research facilities. [Ornstein 1989]

Morris' program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a system and waits for other systems to connect to it and give it email, and a hole in the finger daemon fingerd, which serves finger requests (see Finger). People at the University of California at Berkeley and MIT had copies of the program and were actively disassembling it (returning the program back into its source form) to try to figure out how it worked.

Teams of programmers worked non-stop to come up with at least a temporary fix, to prevent the continued spread of the worm. After about twelve hours, the team at Berkeley came up with steps that would help delay the spread of the virus. Another method was also discovered at Purdue and widely published. The information didn't get out as quickly as it could have, however, since by then many sites had completely disconnected themselves from the network.

After a few days, things slowly began to return to normality and everyone wanted to know who had done it all.

Robert T. Morris was convicted of violating the Computer Fraud and Abuse Act (Title 18), and sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision. His appeal, filed in December 1990, was rejected the following March [Kehoe, 1993]. But the analysis of this event and the replication mechanism of the Great Internet worm continue to attract programmers nowadays.

The history of Internet abuses, and the corresponding security development, has introduced in the computer user's dictionary, The New Hacker's Dictionary [Reimond 1991], or in the Jargon File [Ivaner 1997], the word 'cracker' to name the person producing Net worms, Net abuses, credit card theft, etc., to dis-associate them from 'hackers'. Even so, the mass media generally continues to consider hackers responsible for all crackers' actions. But there is at least one book [Levy 1994], and several discussions about the hacker ethic [Littman 1997, Peek 1998]. And Jonathan Littman states that without hackers there would be no Apple Computer, no IBM PC, no revolution in computing and communication.

Network Security issues

Over the years, different hardware protection devices have been developed, as well as software security tools, like password encryption systems, firewalls, proxy systems, and so on. Now there are packages available for host or local network security testing, like Satan; the new Intranet concept is defined as a local area network with at least a Web server and special outside access protection policies. Several centres [4], organisations, or companies [5] provide security advice, and publish warning and research bulletins concerning newly identified security holes. And the main duty of a network administrator is the control and validity of the security policy implementation.

Internet development, especially the exponential growth of the total number of users, was possible due to strong educational support provided by different organisations like the Electronic Frontier Foundation, the Internet Society, etc. These organisations assist and organise the preparation and availability of electronic user's guides, textbooks, FAQs (Frequently Asked Questions), help files, standards (RFCs), and other Net documents. Since the inception period, newcomers equalled the existing Internet population - at least after six months. Consequently, the educational task was very important, and the need for trainers very high.

[4] [CERT] CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh PA http://www.cert.org
[5] SecurityPortal: The Focal Point for Security on the Net <http://www.securityportal.com>

Other Net abuses

The increase of data and host security continues to be a very important task in the Net [Mezgar et all 2000]. There are different types of Net abuses. Internet worms are only one of these. Even in the Net's history, there are enough examples for a teacher. One of the starting points was the e-mail message distributed on a large list by Laurence Canter and Martha Siegel, in April 1994 [Elmer-Dewitt 1994], offering their services for receiving a green card. It caused a hurricane of messages and international disapproval. But now it seems that you may find on the Net a tool for printing yourself a quite perfect green card (and many other kinds of identification cards). A recent FBI survey argues that now 30% of falsified cards are printed using tools available on the Internet. With 300 million Internauts, Net abuses have become more and more a reality. Can censorship rules or access limitation laws be the solution for a healthy and clean Internet? There is the example of the US administration's attempt at censorship and restrictive access to pornographic sites, rejected as unconstitutional by the US Supreme Court.

Generally, when you connect your machine to the Internet your machine becomes part of a network that extends across the entire globe. Richard Grimes, in a recent ATL electronic publication [Grimes 2000], considers that Windows is notoriously insecure as far as the Internet is concerned, and when you are surfing it can leave a gaping hole that a savvy attacker can exploit to gain access to your machine. Although the naïve user is not explicitly inviting a virus onto their machine, an unprotected connection to the Internet is an implicit invitation.

It is the Internet Service Provider's obligation to anticipate all the damage your unprotected connection can produce on their servers, affecting their clients. Such a hole can be plugged with an ISP masquerading strategy or with a personal firewall. As an Internet user you must read some tips on protecting yourself, understanding that your hole can affect other Internet users also. Once more, placing a virus-infected file on your hard disc is quite simple for an attacker, but the code execution requires a bit more work for him, so he usually leaves it to you! Please take care when executing an unknown file!

Having in mind web sites with sex or fanatical content, or hoping to catch Net fraud, some politicians and journalists are discussing access limitation laws, or special censorship rules, contrary to the principle of freedom of communication. Instead of policemen, the Internet population needs more education and better software, including protection/security tools.

Here in Romania we have enough experience with censorship, and with controlled and restricted communication. A report produced last year by Reporters Sans Frontieres (RSF) [Williams 1999] has named 45 nations the group considers enemies of the Internet for the blocking and filtering or all-out banning the nations impose on Internet access. Of the 45 nations, RSF said 20 can be described as real enemies of the Internet for their actions. So we may look to the controlled Internet access of Azerbaijan, Belarus, Burma, Cuba, China, Iraq, Iran, Kazakhstan, Kirghizia, Libya, North Korea, Saudi Arabia, Sierra Leone, Sudan, Syria, Tajikistan, Tunisia, Turkmenistan, Uzbekistan, Vietnam. It is time to remember the importance of human rights, of freedom of communication, and of free access to information. Of at least 45 countries where there are governmental restrictions of some kind on Internet access, in at least 20 countries the administration is categorically against electronic communication, considering it very dangerous for national security!

The Internet Demography

The Internet population changed from 40 million in 1996 to 300 million this year.

These days Internet access is a must in academic fields, in administration, public services, and business. But Internet access is, like other public services, a deal with a service provider (Internet Service Provider), involving no training period, no assessment or evaluation. If you already have a domestic PC, Internet access is only a software configuration question, with a corresponding modem set-up.

The explosion of the Internet was made possible by the continuous development of personal computers, and the corresponding PC industry. Even though the Internet was built with UNIX platforms, now 90% of the terminals, and mainly the home computers, are Microsoft Windows platforms, using Internet Explorer as browser and Outlook Express as mailer. The integration of MS software tools apparently simplifies Net access, changing the UNIX-like command line strategy to the icon click, or double click. The result of this simplicity is one of the interesting points from a recent Angus Reid study [Reid 2000]: 65 million US Internet users (60%), and more than 100 million global users, declared that they knew enough about the Internet. Is it possible? Could real knowledge of the Internet be so well distributed? Do they read at least the 'Netiquette' rules? Do they understand the TCP/IP mechanism? Are so many people aware of elementary Net security rules?

Many organisations are now active on the Internet, like the Computer Antivirus Research Organisation (CARO), the National Computer Security Association (NCSA), or the CERT Coordination Centre, which are distributing security information and virus and worm protection strategies.

Sending a virus by email?

By scanning files for viruses, and using a firewall to prevent crackers getting access to your machine, are you fully protected? It seems that you are not. The reason is that any time you get an email from your mail server you are downloading a file from the Internet. Of course, you trust your ISP mail server to provide you with your whole email, but can you trust your email? Anyone who finds your email address can send you an email, sending you advertising, jokes, or trying to convince you to buy something. Most people download all email sent to them, examining it by eye, reading the interesting messages and deleting the junk mail (i.e. opening each email message).

Warnings about Internet worms circulate frequently on the Net. Messages saying something like 'Do not open a message with a subject <so and so>… it is very dangerous; please forward this message to all your correspondents…' block the mail servers from time to time, themselves behaving as a real worm. Since December 1994, for example, a warning email has been periodically circulating on the Net saying "If you get anything called 'Good Times', DON'T read it or download it. It is a virus that will erase your hard drive…" Receiving such a warning message, and having any knowledge about potential worms, the normal reaction is to announce the possible danger to friends, colleagues, and clients. Even as a network administrator you may already filter/reject such incriminating messages containing a worm, and reading a security textbook you may be clever.

But can a worm or a virus spread through an email message? Through a standard plain text message - categorically not! However, the email message can incorporate hidden dangers, because it can have attachments as MIME. An attachment could be executable, and if you extract the attachment and run it you are inviting a virus onto your machine. Indeed you may identify the attachment file by its extension, being careful with one having an exe extension. But a doc attachment file, can that be dangerous?

At least with an MS Word macro-virus (like Concept, since 1995, or Word.Macro.Alert, 1996) included in the attachment document, you certainly may infect your MS Word (6.0 or newer) environment. MS Word (beginning from 6.0) permits the use of a user-defined template, a special dot file, including macros (Word Basic commands). The new or current document can be formatted by execution of the template file macros, for example Normal.dot. Concept, and all subsequent macro-viruses based on this MS Word facility, will transfer its macros to the current template file, this way infecting all documents opened later. Of course, the macro-virus acts only when the document including it is opened by the WinWord program. Consequently, such a macro-virus is a file infector.

But, on an MS Windows platform, there are other ways to run virus code based on the file associations.
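The attachment check described in this section, as an administrator-side filter, is sketched below as an added example; it is not code from the paper. The extension lists, verdict names and the sample message are assumptions constructed for illustration, and the attachment bodies are harmless placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy for this example; the extension lists are illustrative.
RUNS_ON_OPEN = {"exe", "com", "bat", "vbs"}  # executed through the file association
MACRO_CAPABLE = {"doc", "dot"}               # Word documents/templates that can hold macros


def classify(filename):
    """Return (verdict, reason) for one attachment file name."""
    if not filename:
        return "warn", "unnamed attachment"
    # Windows ignores trailing dots and spaces, so "x.vbs." still opens as a script.
    parts = filename.strip().lower().rstrip(". ").split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RUNS_ON_OPEN:
        if len(parts) > 2:
            return "block", f"executable .{ext} behind decoy extension .{parts[-2]}"
        return "block", f"executable .{ext}"
    if ext in MACRO_CAPABLE:
        return "warn", f".{ext} can carry macros; open with macros disabled"
    return "allow", "no executable association in policy"


def screen_message(raw):
    """List (filename, verdict, reason) for every attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None and part.get_content_disposition() != "attachment":
            continue  # plain message body: text alone cannot execute
        verdict, reason = classify(name)
        findings.append((name, verdict, reason))
    return findings


def build_sample():
    """Constructed message with three attachments; contents are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See the attached files.")
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment("constructed placeholder text, not a script",
                       subtype="plain", filename="greeting.txt.vbs")
    msg.add_attachment(b"\xff\xd8\xff", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in screen_message(build_sample()):
        print(f"{verdict:6} {name}: {reason}")
```

The file name is the key here because the file association, not the declared MIME type, decides which program opens the attachment on the recipient's machine.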

The Melissa Virus

Last year (1999) the virus called Melissa proved one way of doing this. It was contained as a macro in a Word document. That means you received an email with a doc file attached, namely the Melissa document. When the document is opened, the email reader uses file associations to determine the application used to open it. Normally this is not a problem because a Word document is just a file, not a program. But the Melissa document has a macro (a set of commands), and Word will run this sequence when it opens the document. Compared with other Word viruses (macro-viruses), like Concept, Melissa is much more sophisticated and dangerous. Russ Mitchell (from U.S. News) said Melissa portends a "new plague of viruses that take advantage of the Net's open nature, eroding trust in computer communications and e-commerce, just as the Internet economy is beginning to take shape."

The user invited virus code onto his PC running MS Windows (with MS Office), this time by opening a document received by email! The solution is to alert the user that a document containing macros is about to be opened, giving them the option to disable all macros, or to open only trusted attachment documents.

In fact, the Melissa virus, which is essentially a very clever Word macro virus, points out a number of alarming new trends that are hitting the virus world. Most importantly, the speed and breadth with which Melissa hit was unprecedented. But this was only because users opened the attachment file. According to statistics from anti-virus software vendors Network Associates and Symantec, nearly 80% of their corporate clients were infected by Melissa, and as many as 50% of those clients chose to or were forced to shut down their e-mail systems for a period of time while they worked on eradicating the virus.

Certainly other macro-viruses have spread via e-mail, but because of the way Melissa was created, none have had as far-reaching or as fast an impact. Again, Melissa is a macro virus for Microsoft Word 97 or 2000, acting only on a PC running MS Win'95 or Win'98, and only through the MS Outlook mailer.

Melissa works by sending out an e-mail message with an infected Word file attachment (namely the current document that you are working on in Word) to the first 50 addresses. As soon as anyone opens the attachment, another 50 copies of the message are automatically sent out to 50 people in the recipient's Outlook (not Outlook Express) address book. Due to its intense e-mail activity, Melissa is sometimes called a worm, too.

Presently email servers have been patched to reject the Melissa virus!

The author of the Melissa virus, David Smith from New Jersey, was arrested and tried.

Nowadays, a simple search on www.alltheweb.com for "Melissa virus" gives more than 14300 documents discussing the case.


The Love letter worm

The Love letter worm, or ILOVEYOU virus, was not as sophisticated as Melissa. Again, the attacker wanted to get the code onto your machine and execute it there. This time the attacker chose to distribute the virus as a VBScript file attached to an email. When the user 'opened' the attachment using the usual MS email reader (Outlook), the mailer loaded the associated process (Windows Scripting Host), which then executed the virus. Both the Melissa and ILOVEYOU viruses distributed themselves by using automation to access the Outlook address book and then emailing themselves to all the addresses they could find. Both are considered viruses as well as worms. The ILOVEYOU virus is a file infector.

Another way to get code executed on your machine is to name it in such a way that the email reader does not think that it is a program. You can do this by camouflaging it as another type of file, for example, an executable could be named:

"some_picture.jpg<many spaces>.exe"

where <many spaces> is enough spaces to disguise the .exe extension. The unsuspecting user would then try to 'open' some_picture.jpg expecting it to be a cool picture (and hence loaded into a graphics viewer). Instead, the email reader recognizes that the file is an executable and simply runs it.

In this way the Love letter virus changes all available jpeg images on the hard disk, installing itself again as a VBScript, to be run again when the image is opened. The same happens to mp3 and mp2 sound files. As a very active file infector it also overwrites all vbs, vbe, js, jse, css, wsh, sct, and hta files with copies of itself. The worm actions of the Love Letter include sending messages through mIRC and Outlook, if these applications are already installed. After a change to the script.ini file, LOVE-LETTER-FOR-YOU.HTM is sent on the existing mIRC channel. Using Outlook and all the addresses in the Outlook Address Book, it sends e-mails with the subject ILOVEYOU, with the body: kindly check the attached LOVELETTER correspondence, and with the virus itself copied as an attachment, a 10KB file LOVE-LETTER-FOR-YOU.TXT.VBS.

Because of the ease with which the ILOVEYOU virus script can be modified, there are an increasing number of variants (footnote 6), coded as:

1. vbs.LoveLetter.A (the original),

2. vbs.LoveLetter.B - Lithuanian Variant, Susutikim, Coffee

3. vbs.LoveLetter.C - Joke, Very funny

4. vbs.LoveLetter.D - Mother's Day

5. vbs.LoveLetter.E - DoubleSpace

Footnote 6: http://www.securityportal.com/research/research.vbsloveletter.html

The Love letter worm and UNIX - Windows debate

In the Linux user community, in the network administrator community, and also in the hacker ones, a common hatred of MS software can generally be observed. The leading position of Microsoft in the global computer market, the product bugs, and the commercial software design are in complete opposition to Free Software principles. The continuously increasing hardware requirements of the MS Windows versions and applications are a common aversion discussed frequently on the Net. Therefore, the reasons for the recent worms, like Melissa and Love letter, are quite natural, especially as they infect only MS Windows platforms, and only when an attached file (which includes the worm) is opened.

The Love Letter worm affects only systems running Microsoft Windows with Windows Scripting Host enabled. When the worm executes, it attempts to send copies of itself using MS Outlook Express to all the entries in all the address books. It will also attempt to create a file named script.ini in any directory containing files associated with the IRC client mIRC. This script file will attempt to send a copy of the worm via DCC to other people in any IRC channel. After that, it will replace a lot of files on fixed or network drives with copies of the worm. In a couple of days this worm affected millions of PCs, and there are several reports of sites suffering considerable network degradation as a result of mail, file, and web traffic generated by the "Love Letter" worm.

Security-oriented electronic publications, like CERT Advisory CA-2000-04 or SecurityPortal, explained the worm's impact and the solutions immediately, on 3-4 May 2000, while BBC news reported, on 9 May, 4 billion USD in damages and millions of affected Internet hosts (Windows NT, Win'98, etc.). And looking at the e-mail traffic, even in the last week of May, you may observe a lot of "Reply read errors" naming already affected mail servers. Did all the victims know enough about the Internet and security questions?

E-mail filtering by subject line is quite easy, and by now each vigilant network administrator has already installed a filter for I_love_you on their mail server. Consequently, an improved version of the Love letter worm, in the same Visual Basic Script form, escapes the easily recognisable form by selecting different subject lines, or by adapting the subject line to the subject of a previous message found in the mailbox. In this way the main protection rule will be 'Do not open the attachment script file!'
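The following Python sketch is an added example, not code from the paper. It contrasts the subject-line filter described above with a check on each attachment's real final extension, which also catches the double-extension and space-padded names described in the Love letter section. The function names, the sample messages and the extension set are assumptions constructed for illustration.

```python
import os
from email import message_from_string

# Extensions Windows hands to a loader or script host; .exe and the script
# types are the ones named in this paper. The set is illustrative, not complete.
ACTIVE_EXTS = {".exe", ".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}

def subject_filter(msg, blocked=("ILOVEYOU",)):
    """The naive rule: reject only on a known subject line."""
    return (msg["Subject"] or "").strip().upper() in blocked

def risky_attachments(msg):
    """Return [(filename, [reasons])] for attachments whose final extension is active content."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        stem, ext = os.path.splitext(name.strip())
        if ext.lower() not in ACTIVE_EXTS:
            continue
        reasons = ["active-content extension " + ext.lower()]
        decoy = os.path.splitext(stem.rstrip())[1]
        if decoy:  # e.g. the .TXT in LOVE-LETTER-FOR-YOU.TXT.VBS
            reasons.append("decoy extension " + decoy.lower())
        if stem != stem.rstrip():  # spaces pushing the real extension out of view
            reasons.append("whitespace padding before real extension")
        findings.append((name, reasons))
    return findings

def sample(subject, filename):
    """Build a constructed two-part MIME message (not a captured sample)."""
    return message_from_string(
        f"Subject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nsee attachment\n"
        "--b\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\nplaceholder\n--b--\n')

ORIGINAL = sample("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.VBS")
RESUBJECTED = sample("Re: meeting notes", "some_picture.jpg" + " " * 30 + ".exe")
BENIGN = sample("minutes", "minutes.txt")

if __name__ == "__main__":
    for m in (ORIGINAL, RESUBJECTED, BENIGN):
        print(repr(m["Subject"]), subject_filter(m), risky_attachments(m))
```

The subject filter flags only the first message, while the attachment check flags the first two and passes the plain text file regardless of subject.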

Finally, Steven Sinofsky, senior vice president of Microsoft Office, declared (Microsoft's Press Release): "Given the global impact of the I Love You virus and the growing threat of malicious hackers, we strongly believe we must take the unprecedented step of limiting certain popular functionality in Outlook to provide a significant, additional security option for our customers."


Instead of conclusions

There are clearly three problems that these virus writers are exploiting on MS Windows platforms:

1. file associations - when you 'execute' a data file, a process is automatically run and loaded with the data file

2. email readers (namely Outlook Express) automatically opening attachments, even when the attachment is an executable

3. allowing any code to have access to mailer address books and the ability to create and send emails

Microsoft has finally produced a patch to Outlook to address these potentially dangerous areas. The patch can be downloaded from the Office Update Web site from May 22, 2000. The main aspects of the patch are code to stop the naïve user from executing email attachments, and something called Object Model Guard, which prevents code from sending emails.

The Object Model Guard detects when code is attempting to send an email and then presents a dialog to inform the user. So is this a good idea? Here are Richard Grimes' doubts [Grimes 2000]:

"The Object Model Guard is reported to be unconfigurable and uninstallable, which means that once it is applied you cannot remove it. Not all code that accesses the Outlook address book or generates email is malicious, and some is positively useful (for example a MAPI enabled trigger in a database could send an email to a database administrator with details about the database). As far as Outlook is concerned such code is not Outlook and hence the email has to be verified with a dialog. On a server machine locked in a cupboard such a dialog is useless and potentially harmful because it could cause a server process to hang.

So what can you do? First, execute nothing that you cannot verify to be from a reputable source and preferably scan all files that you download. Second, don't execute any attachments sent to you. Third, save all attachments to your hard disk first and then open the file from the document reader rather than allowing your email reader to use file associations".

But don't forget! You can load the Linux operating system onto your PC instead of all the MS-Windows stuff. This way you'll escape all virus difficulties, having at your fingertips a high speed, powerful, and specific networking system, without any hardware change. And, very important: it is free, and you'll find on the Net all the program sources, all the documentation, and a diversity of applications. Just be prepared to learn how to use it!


References

[Cohen 1984] Fred Cohen "Computer Viruses - Theory and Experiments, Computer Security: A Global Challenge", Elsevier Science Publisher (North-Holland), 1984

[Denning 1989] P.J. Denning "The Internet Worm", American Scientist, March-April, 1989, pp. 126-128

[Denning 1990] P.J. Denning "Computer under Attack: Intruders, Worms and Viruses", ACM Press 1990

[Elmer-Dewitt 1994] Philip Elmer-Dewitt, TIME, 25 July 1994

[Grimes 2000] Richard Grimes, "Microsoft Releases the ILOVEYOU Patch for Outlook", May 20, 2000, http://www.idevresource.com/com/library/bytesize/ilv.zip

[Ivaner 1997] L. Ivaner (1997), "Lexiconul Hackerilor: Mica enciclopedie a culturii informaticienilor", ProMedia Plus Seria PC Software 8

[Kehoe 1992] Brendan P. Kehoe "Zen and the Art of the Internet: A Beginner's Guide to the Internet", 2nd ed., Prentice-Hall, Englewood Cliffs, NJ (8.1: The Internet Worm)

[Levy 1994] Steven Levy "Hackers", New York, Delta Books, 1994

[Littman 1997] Jonathan Littman "The Watchman: The twisted life and crimes of serial hacker Kevin Poulsen", Little, Brown and Company, New York, 1997

[Mezgar et all 2000] Istvan Mezgar, Tamas Szabo and Zsolt Kerecsen (2000), "Increasing Security in Virtual Enterprise Communication for Mobile Environment", ERCIM News No. 41, April 2000, pp. 38-39

[Ornstein 1989] Severo M. Ornstein, Communications of the ACM, Vol 32 No 6, June 1989.

[Peek 1998] Richard Peek "Perversion of the 'Hacker Ethic'", <http://www.babe.net/giveup/ethic.html>

[Reid 2000] 'The Face of the Web: Internet population estimates at 300 millions', an Angus Reid Group http://www.angusreid.com study press release http://www.angusreid.com/media/content/Pre_Rel.cfm

[Reymond 1991] Eric Reymond "The New Hacker's Dictionary", MIT Press 1991

[Stoll 1988] Clifford Stoll "Stalking the Wily Hacker", Communication of the ACM, Vol 31 No 5, May 1988, p. 14 (the article grew into the book "The Cuckoo's Egg", Doubleday, New York 1989)

[Vasarhelyi, Kasa 1996] Jozsef Vasarhelyi, Zoltan Kasa "Mit si adevar despre Virusii PC", Editura Albastra, Grupul Microinformatica, Seria PC 54, Cluj-Napoca, 1996

[Virus-L FAQ] Frequently Asked Questions on Virus-L, The Virus-L/comp.virus FAQ ftp://CERT.ORG/pub/virus-l/FAQ.virus-l.

[Williams 1999] Martyn Williams "Reporters Sans Frontieres Uncovers Enemies Of The Internet", Newsbytes, PARIS, FRANCE, 1999 AUG 9, and http://www.infowar.com/8/26/1999

Published in RILW'2000 "Internet as a Vehicle for Teaching", pp. 117-131