Social Implications of Computer Viruses


So Who is the Generic Virus Writer Anyway?
In 1994, Sarah Gordon published a groundbreaking paper entitled The Generic Virus Writer.[1] In this paper Gordon attempted to delineate the different categories of virus writers and also apply ethical models to their actions. According to the author, the four main types of virus writers at the time were:

  • The Adolescent
    Virus writer aged 13-17; has written at least one computer virus; has distributed at least one computer virus into the wild.
  • The College Student
    Virus writer aged 18-24; has written at least one computer virus; has distributed at least one computer virus into the wild. Student in university or university level classes.
  • The Adult/Professionally Employed
    Post-college or adult, professionally employed; has written at least one virus; has distributed at least one virus into the wild.
  • The Ex-Virus Writer
    Virus writer who has written and distributed one or more computer viruses. The viruses must have been found in the wild; the author must have supplied sufficient proof to enable determination that he did indeed write the virus; there must be no evidence that he has written or continued to write viruses for a period of at least 6 months prior to commencement of this research.[2]

Gordon worked with one actual virus writer from each of the above categories, measuring their reasoning skills as well as their reactions to common ethical dilemmas. Her study used the ethical models prepared by Lawrence Kohlberg, a former Harvard University professor who committed suicide in 1987 under extremely strange circumstances. The Kohlberg system separated moral development into three levels with two stages at each level. Ethical growth proceeds from Stage 1, Level 1, where decisions about right and wrong are based primarily on punishment and obedience to avoid punishment, to Stage 6, Level 3, where individuals make decisions about right and wrong based on their own formulated ethical principles. In order to determine the virus writers' position in the ethical spectrum, Gordon presented them with Kohlberg's classical ethical dilemma, defined as follows:

Read and consider carefully the following scenario.

In Europe, a woman was near death from a special kind of cancer. There was one drug that the doctors thought might save her. It was a form of radium that a pharmacist in the same town had recently discovered. The drug was expensive to make, but the pharmacist was charging $2000, or 10 times the cost of the drug, for a small (possibly life-saving) dose. Heinz, the sick woman's husband, borrowed all the money he could, about $1000, or half of what he needed. He told the pharmacist that his wife was dying and asked him to sell the drug cheaper, or to let him pay later. The pharmacist replied, 'No, I discovered the drug and I'm going to make money from it.' Heinz then became desperate and broke into the store to steal the drug for his wife.

Should Heinz have done that?

Now that you have read it, and considered it, please resolve the moral dilemma. That is, what are the problems in the story? What problems does each person have to deal with? Who is wrong, right, and why?

When you write your response, please include the following points:

Should Heinz be punished for stealing the drug? Did the pharmacist have the right to charge so much? Would it be proper to charge the pharmacist with murder? If so, should his punishment be greater if the woman who died was an important person? What would you have done if you were Heinz? [3]

The motivation for Gordon's 1994 study was to see if virus writers could accurately be lumped into a single, well-defined group. It was clear then and is still clear now that this is not possible. For one thing, the results of the Kohlberg dilemma placed the younger virus writers approximately in the ethical norm for their respective ages. Most believed that malicious code was wrong and claimed to begin writing viruses out of curiosity. By contrast, Kohlberg's own work with criminals categorized many known criminals as consistently falling below the ethical average. For the adult virus writers, Gordon did not find any admitted virus writers who fell within the ethical norm for their age, and confirmed this deficit by comparing with a control group.[4]

What sort of conclusions can we draw from this work? Are all virus writers ethical crusaders trying to enhance their knowledge of computer intricacies, and the media intentionally mislabels them as criminals? Are standard ethical models appropriate measures for electronic acts of mischief such as virus creation and distribution? Whatever questions arise from Gordon's study, it is important to note that seven years have passed since the initial publication of the results. We are now in the new millennium, facing new viruses with greater destructive capabilities. Welcome to the generation of the script kiddies.

The Age of the Script Kiddies
The year 2000 was the year that the so-called "script kiddies" left an indelible mark on the history of the Internet. On February 7 of that year, a coordinated denial of service attack launched from various locations around the Internet brought down the Yahoo web site for approximately three hours.[5] Two days later, other major websites were hit with similar attacks, including eBay, CNN, Amazon.com, and Buy.com.[6] May saw the release of the ILoveYou virus which crippled millions of computers worldwide and caused tens of millions of dollars worth of damage. Although the attacks differed in their methods and their perpetrators, one thing held in common - all of the suspects can safely be placed into the category of "script kiddies," the new age of Internet hackers. A 1995 book entitled "Hack Proofing Your Internetwork" contains the following entry for "script kiddies":

"The term script kiddie has come into vogue in recent years. The term refers to crackers who use scripts and programs written by others to perform their intrusions. If one is labeled a "script kiddie," then he or she is assumed to be incapable of producing his or her own tools and exploits, and lacks proper understanding of exactly how the tools he or she uses work. As will be apparent by the end of this chapter, skill and knowledge (and secondarily, ethics) are the essential ingredients to achieving status in the minds of hackers. By definition, a script kiddie has no skills, no knowledge, and no ethics." [7]

The Jargon Dictionary has a similar definition:

script kiddies pl.n. 1. The lowest form of cracker; script kiddies do mischief with scripts and programs written by others, often without understanding the exploit. 2. People who cannot program, but who create tacky HTML pages by copying JavaScript routines from other tacky HTML pages. More generally, a script kiddie writes (or more likely cuts and pastes) code without either having or desiring to have a mental model of what the code does; someone who thinks of code as magical incantations and asks only "what do I need to type to make this happen?" [8]

Whatever they're called, one thing is common among all script kiddies: "true" hackers hate them.[9] The "real" hackers despise the lazy maliciousness employed by such script kiddies and time and again try to separate themselves from being placed into the same category.[10]

Script kiddies are important to mention because most of the major computer attacks over the past two years have been caused by these new members of the hacking community. The recent Anna Kournikova virus is a good example. The virus was released into the wild on February 11th, and by February 14th, hundreds of thousands of copies were circulating the Internet, jumping from computer to computer as curious users clicked on an attachment purporting to be a photograph of the famous Russian tennis star. So who was the skilled programmer who crafted such an effective virus? Surely it was the work of a veteran hacker, perhaps a disgruntled tennis player with a PhD in Computer Science? In reality, the author of the virus was a twenty-year-old Dutch man who goes by the alias "OnTheFly." After he posted an anonymous letter on a Dutch Web site and turned himself in to his local police, authorities began questioning the man as to his motives. Fitting the script kiddie stereotype perfectly, his own letter claimed that he did not actually know how to program a computer.[11]

Instead, the man used a popular "virus toolkit" called the VBS Worm Generator to make his mass-mailer in a simple point-and-click fashion. Such toolkits have been around since 1990,[12] but in recent years their power and ease of use have risen dramatically. This particular toolkit requires almost no technical know-how beyond the ability to use a mouse and allows the user to customize the type and severity of attack associated with his virus. Here is a screenshot from the toolkit, courtesy of ZDNet:[13]

Four different flavors of "payloads" are available, ranging from the display of an innocuous message to a complete system crash. Additionally, the user can customize when the payload is executed, effectively creating a virus "time bomb". The Anna Kournikova virus was triggered to connect to a certain Dutch web site on January 26th and perhaps send information, but other than that, no malicious code existed. In actuality, the author wrote that he "never wanted to harm the people who opened the attachment. But after all: it's their own fault they got infected."[14] OnTheFly also claimed in his online admission that he wrote the virus to demonstrate that people had not learned their lessons from the LoveBug virus. Judging from the extent of the Anna Kournikova worm, it appears that this script kiddie was right on the money.

Anna Kournikova: When she's not modeling or playing tennis, she's spawning mass-mailing email worms like the VBS/OnTheFly virus that recently swept the world in a fashion nearly identical to that of the LoveLetter disaster of 2000.[15]

Social Engineering: The Hack of the Future?
The Jargon Dictionary defines social engineering as the following:

social engineering n. Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. Classic scams include phoning up a mark who has the required information and posing as a field service tech or a fellow employee with an urgent access problem. See also the tiger team story in the patch entry.[16]

Basically, social engineering is "people hacking" - getting people to comply with your wishes even though they would normally not do such things. The major virus attacks of the past two years have all been successful because of some element of social engineering. The ILoveYou virus came with the three most powerful words of all time - who doesn't want to be loved? Apparently members of the British House of Commons and the US Congress had enough interest to click on the attachment and unleash the virus in their respective establishments.[17] PrettyPark, a virus that circulated in 1999, included a picture of a character from the popular Comedy Central cartoon South Park. Of course we cannot overlook the Anna Kournikova virus - would people have clicked on the attachment if, say, it was named BobDole.jpg.vbs? Ken Dunham, a writer for securityportal.com, pondered that exact question in a piece written shortly after the Kournikova incident. Some of his thoughts are included below:[18]

Imagine if the attachment was named something else: perhaps the name of another person. Would that have made a difference? What if Anna was. . . Ken? Here are some initial thoughts on the matter.

Attachment Name
Possible Response
Definitely a sexy tennis star, worthy of the massive proliferation that took place on 2/12/01. MessageLabs VirusEye alone shows over 8,500 detections to date!
Well, he is a guy, but according to what women tell me, he's sexy. He might get 40% of Anna's share on the market if he were to go public with this attachment name.
Named by some America's Sweetheart, she might be able to compete with Anna. But I don't know - she smiles a lot and wears more clothes than Anna.
Mr. James Bond, 007! He's so full of charm I think the name of the attachment might need to be updated a bit to be more provocative. Perhaps something like PierceBrosnanBaresItAll.jpg.vbs might work better?
Elvis is truly the king of music. If he was sighted in an email it could be big news worldwide. Rumor has it he was seen pumping gas in Idaho just the other day.
This, by far, has the greatest potential. It has everything the average employee is looking for when reading email. Contrary to popular opinion, attachments such as TasksToComplete.jpg.vbs are not popular with employees.

Surely, the fact that the virus was named after an international sex symbol helped galvanize its spread throughout the Internet. This leads to a dilemma that anti-virus teams and virus writers alike are aware of - anti-virus software is not human and is not yet capable of detecting "human weaknesses." Virus writers have discovered a socially engineered portal into a world where paranoia disappears if you say the right words. Until people become better educated about how to spot suspicious emails and questionable file attachments, social engineering will continue to fuel the spread of viruses.
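
The attachment names discussed above (BobDole.jpg.vbs, TasksToComplete.jpg.vbs) pair a picture extension with a script extension. The following Python check is an added example, not code from the original article or from any anti-virus product, showing how a mail filter can flag that naming pattern; the extension lists and function names are assumptions chosen for illustration.

```python
import re

# Extensions Windows runs or hands to a script host (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
                   "scr", "pif", "bat", "cmd", "com", "exe", "lnk"}
# Extensions a recipient reads as a picture, text or media file (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "pdf", "mp3", "avi"}


def normalize(filename):
    """Lower-case the name and undo padding used to hide the real extension."""
    # Win32 path handling drops trailing dots and spaces, so strip them first.
    name = filename.strip().lower().rstrip(". ")
    # Collapse whitespace placed before a dot to push the real extension out of view.
    return re.sub(r"\s+\.", ".", name)


def classify_attachment(filename):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    parts = normalize(filename).split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def quarantine_list(filenames):
    """Names a mail gateway would hold back: anything not classified 'ok'."""
    return [f for f in filenames if classify_attachment(f) != "ok"]


# Constructed sample names; the first three reuse names quoted in the article.
SAMPLES = [
    "BobDole.jpg.vbs",
    "PierceBrosnanBaresItAll.jpg.vbs",
    "TasksToComplete.JPG.VBS",
    "holiday.jpg            .vbs",
    "report.final.pdf",
    "setup.exe.",
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{classify_attachment(name):17} {name!r}")
```

A filename check of this kind catches the disguise, not the persuasion: it does nothing about the subject line or sender name that makes a recipient want to open the file.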

Sources
1. http://www.research.ibm.com/antivirus/SciPapers/Gordon/GenericVirusWriter.html

2. Ibid.

3. Ibid.

4. http://www.research.ibm.com/antivirus/SciPapers/Gordon/GenericVirusWriter.html#CONCLUSION

5. http://www.cnn.com/2000/TECH/computing/02/08/yahoo.assault.idg/index.html

6. http://www.cnn.com/2000/TECH/computing/02/09/cyber.attacks.01/index.html

7. http://www.syngress.com/book_catalog/95_hack/chapter_one.htm

8. http://info.astrian.net/jargon/terms/s.html#script_kiddies

9. http://www.infowar.com/hacker/00/hack_021800c_j.shtml

10. http://www.infowar.com/hacker/00/hack_021800c_j.shtml

11. http://www.cnn.com/2001/TECH/internet/02/14/kournikova.virus/index.html

12. http://www.net-security.sk/doc/e-zine/40hex/40hex-10.001.html

13. http://www.zdnet.com/zdnn/stories/news/0,4586,2684736,00.html

14. Ibid.

15. Anna Kournikova Pictures Site

16. http://info.astrian.net/jargon/terms/s/social_engineering.html

17. http://www.newsbytes.com/pubNews/00/148508.html

18. http://securityportal.com/articles/sstwhatif20010213.html