I was working at my desk in the Advanced Network Computing Laboratory at the University of Hawaii 15 years ago when something struck me as very odd. My email inbox showed a series of emails, all with the subject line, “I Love You.” I glanced over my shoulder at my colleague, Oliver Rist, who was finishing up our test plan for some enterprise Gigabit Ethernet switches for a review that would later appear in the now vanished CommunicationsWeek newspaper.
“Nobody,” I said to Oliver, “loves me that much.”
Oliver turned around and looked at my screen. “Something is going on,” he said. We discussed it for a couple of minutes, and I noticed that each email had an attachment that said it was a love letter. I immediately erased all of those emails, then checked for it online. It turned out that the “I Love You” virus, as it was becoming known, was wreaking havoc worldwide.
Oliver then checked his email, and sure enough, he also had a string of similar messages. One thing we noticed was that each message appeared to be sent by someone we knew, at least slightly. Obviously, someone’s contact list had been pilfered.
Now we know that what was actually going on was the first really successful Internet email worm that depended on social engineering to make its impact. And it had quite an impact when it erased files, scrambled data and then raided the Windows contact list to send out more emails. But we’d dodged the bullet, primarily because we both were too cynical to believe that many assertions of love.
Social engineering has remained an effective means of spreading malware, but malware now is aimed at more than destruction; it’s now part of a global effort by organized crime to steal money or information. Carefully designed defenses proved to be effective when they were used. But now the effort has come full circle, this time with malware that is proving undetectable by antivirus software.
On Monday, a couple of emails appeared in my inbox, each one appearing to be from a legitimate Internet fax delivery service, InterFAX, and each with an attachment with the file name of a scanned document.
But my previously mentioned cynicism hadn’t diminished over the years, so I examined the attachments in more detail and noticed the “.js” extension after the “.doc” in the file name. So, being cautious in addition to being cynical, I copied the extension to a flash drive and took it to a different computer, this one running Linux Mint from a DVD. That way, no matter how virulent the malware might be, it wouldn’t be able to install itself and spread.
As I expected from the extra file extension, the supposed fax scans were actually JavaScript programs. Further examination of the files suggested they were intended to download remote files and then execute them.
New Malware Emphasizes Need to Train Employees to Be Cynical
Next, I asked Norton Internet Security to scan the files. It reported no malware being present. Then I contacted Jerome Segura, a senior security researcher at Malwarebytes Labs, and asked him to take a look. His immediate response: “This is really bad.”
Calling the delivery of malware through a JavaScript file an unusual means of delivery, Segura said, “This file is not a typical malware binary such as an executable that we would normally see. For this reason it may evade detection from traditional antivirus but also may fool users into thinking it is harmless.”
Segura said that the script file would download three files disguised as GIF image files, but which when run would combine to become a serious malware infection. “This threat is interesting from many angles, and users should pay close attention to all kinds of files regardless of their extensions,” he said.
This particular attack, despite the fact that it was unsuccessful this time, could have been effective elsewhere. The attackers spoofed a legitimate site that normally would be expected to send out emails with file attachments. The attachment took advantage of the default settings in Windows that suppress the display of extensions. The malware payload was simply a text file, so it wouldn’t alert most antivirus software.
It might be impossible to prevent such an attack in every instance, but the impact of the threat can be reduced. But to reduce the impact of that threat, your employees must be trained, and you might need to retune your security software.
First, it’s critical to train employees to be suspicious of all attachments, no matter how benign they might appear. What appears to be an amusing cat video might actually be disguising malware. Likewise, what appears to be a scanned fax could really be something sinister.
Second, it’s important that you set up your mail system to block potentially harmful attachments. One problem with this is that many email systems (including Microsoft Outlook) will not block compressed files, and many won’t block text files. The JavaScript file I received was presented as a text file within a compressed file, and neither my antivirus software nor Outlook detected it. However, I can set my mail server to block all attachments, and only allow them to be viewed online.
Finally, a good dose of cynicism, coupled with a certain level of thinking about what’s appropriate for the office, will certainly help. Employees need to know that lots of messages professing undying love delivered to the company email are probably not work related. Filtering attachments at the server and helping employees detect threats are both necessary steps.