Social Implications of Computer Viruses
So Who is the Generic Virus Writer Anyway?

In 1994, Sarah Gordon published a groundbreaking paper entitled The Generic Virus Writer.[1] In this paper Gordon attempted to delineate the different categories of virus writers and also apply ethical models to their actions. According to the author, the four main types of virus writers at the time were:
Gordon worked with one actual virus writer from each of the above categories, measuring their reasoning skills as well as their reactions to common ethical dilemmas. Her study used the ethical models prepared by Lawrence Kohlberg, a former Harvard University professor who committed suicide in 1987 under extremely strange circumstances. The Kohlberg system separated moral development into three levels with two stages at each level. Ethical growth proceeds from Stage 1, Level 1, where decisions about right and wrong are based primarily on punishment and obedience to avoid punishment, to Stage 6, Level 3, where individuals make decisions about right and wrong based on their own formulated ethical principles. In order to determine the virus writers' position in the ethical spectrum, Gordon presented them with Kohlberg's classical ethical dilemma, defined as follows:
The motivation for Gordon's 1994 study was to see if virus writers could accurately be lumped into a single, well-defined group. It was clear then and is still clear now that this is not possible. For one thing, the results of the Kohlberg dilemma placed the younger virus writers approximately in the ethical norm for their respective ages. Most believed that malicious code was wrong and claimed to have begun writing viruses out of curiosity. By contrast, Kohlberg's own work with criminals categorized many known criminals as consistently falling below the ethical average. For the adult virus writers, Gordon did not find any admitted virus writers who fell within the ethical norm for their age, and confirmed this deficit by comparing with a control group.[4]

What sort of conclusions can we draw from this work? Are all virus writers ethical crusaders trying to enhance their knowledge of computer intricacies, with the media intentionally mislabeling them as criminals? Are standard ethical models appropriate measures for electronic acts of mischief such as virus creation and distribution? Whatever questions arise from Gordon's study, it is important to note that seven years have passed since the initial publication of the results. We are now in the new millennium, facing new viruses with greater destructive capabilities. Welcome to the generation of the script kiddies.

The Age of the Script Kiddies
The Jargon Dictionary has a similar definition:
Whatever they're called, one thing is common among all script kiddies: "true" hackers hate them.[9] The "real" hackers despise the lazy maliciousness employed by such script kiddies and time and again try to separate themselves from being placed into the same category.[10] Script kiddies are important to mention because most of the major computer attacks over the past two years have been caused by these new members of the hacking community.

The recent Anna Kournikova virus is a good example. The virus was released into the wild on February 11th, and by February 14th, hundreds of thousands of copies were circulating on the Internet, jumping from computer to computer as curious users clicked on an attachment purporting to be a photograph of the famous Russian tennis star. So who was the skilled programmer who crafted such an effective virus? Surely it was the work of a veteran hacker, perhaps a disgruntled tennis player with a PhD in Computer Science?

In reality, the author of the virus was a twenty-year-old Dutch man who goes by the alias "OnTheFly." After he posted an anonymous letter on a Dutch Web site and turned himself in to his local police, authorities began questioning the man as to his motives. Fitting the script kiddie stereotype perfectly, his own letter claimed that he did not actually know how to program a computer.[11] Instead, the man used a popular "virus toolkit" called the VBS Worm Generator to make his mass-mailer in a simple point-and-click fashion. Such toolkits have been around since 1990,[12] but in recent years their power and ease of use have risen dramatically. This particular toolkit requires almost no technical know-how beyond the ability to use a mouse and allows the user to customize the type and severity of attack associated with his virus. Here is a screenshot from the toolkit, courtesy of ZDNet: [13]
Anna Kournikova: When she's not modeling or playing tennis, she's spawning mass-mailing email worms like the VBS/OnTheFly virus that recently swept the world in a fashion nearly identical to that of the LoveLetter disaster of 2000.[15]

Social Engineering: The Hack of the Future?
Basically, social engineering is "people hacking" - getting people to comply with your wishes even though they would normally not do such things. The major virus attacks of the past two years have all been successful because of some element of social engineering. The ILoveYou virus came with the three most powerful words of all time - who doesn't want to be loved? Apparently members of the British House of Commons and the US Congress had enough interest to click on the attachment and unleash the virus in their respective establishments.[17] PrettyPark, a virus that circulated in 1999, included a picture of a character from the popular Comedy Central cartoon South Park. Of course we cannot overlook the Anna Kournikova virus - would people have clicked on the attachment if, say, it was named BobDole.jpg.vbs? Ken Dunham, a writer for securityportal.com, pondered that exact question in a piece written shortly after the Kournikova incident. Some of his thoughts are included below:[18]

Imagine if the attachment was named something else: perhaps the name of another person. Would that have made a difference? What if Anna was. . . Ken? Here are some initial thoughts on the matter.
Surely, the fact that the virus was named after an international sex symbol helped galvanize its spread throughout the Internet. This leads to a dilemma that anti-virus teams and virus writers alike are aware of - anti-virus software is not human and is not yet capable of detecting "human weaknesses." Virus writers have discovered a socially engineered portal into a world where paranoia disappears if you say the right words. Until people become better educated about how to spot suspicious emails and questionable file attachments, social engineering will continue to fuel the spread of viruses.

Sources

2. Ibid.
3. Ibid.
4. http://www.research.ibm.com/antivirus/SciPapers/Gordon/GenericVirusWriter.html#CONCLUSION
5. http://www.cnn.com/2000/TECH/computing/02/08/yahoo.assault.idg/index.html
6. http://www.cnn.com/2000/TECH/computing/02/09/cyber.attacks.01/index.html
7. http://www.syngress.com/book_catalog/95_hack/chapter_one.htm
8. http://info.astrian.net/jargon/terms/s.html#script_kiddies
9. http://www.infowar.com/hacker/00/hack_021800c_j.shtml
10. http://www.infowar.com/hacker/00/hack_021800c_j.shtml
11. http://www.cnn.com/2001/TECH/internet/02/14/kournikova.virus/index.html
12. http://www.net-security.sk/doc/e-zine/40hex/40hex-10.001.html
13. http://www.zdnet.com/zdnn/stories/news/0,4586,2684736,00.html
14. Ibid.
15. Anna Kournikova Pictures Site
16. http://info.astrian.net/jargon/terms/s/social_engineering.html
17. http://www.newsbytes.com/pubNews/00/148508.html
18. http://securityportal.com/articles/sstwhatif20010213.html