"Love" variant could spawn targeted attacks

Today, the reason for alarm may have increased exponentially.

Security experts today warned that the new variant of the "I Love You" virus is a reason for concern, not so much for the damage it may cause but because of its potential to affect future attacks.

The variant, "VBS/LoveLetter.bd," which is passed via email using Microsoft Outlook, covertly downloads a secondary program that steals bank PIN numbers and sends them to three email addresses. For now, the virus affects only United Bank of Switzerland customers.

Some security companies have ranked the virus as a low risk, as the attack is limited to a small number of people. But the implications could be enormous. Virus experts warn that the variant could spawn copycat versions attacking other financial institutions. It could also be the first in a new breed of targeted viruses, which security experts say could be the most dangerous kind yet and the toughest to protect against.

"Unfortunately this has laid a road map for other virus writers," said Sal Viveros, a director with Network Associates' Antivirus Emergency Response Team (AVERT). "Typically, what we see is when someone lays the road map, other people copy that. So now people have the idea on how to access banking PIN codes within their (Windows) settings."

Consumers are particularly vulnerable to these kinds of viruses. Corporations beefed up security in the wake of the original Love bug outbreak, which in May crippled email systems worldwide. But many consumers are unprepared for the dangers--and viruses seeking to steal passwords to financial data would likely target consumers.

Copycat viruses could "steal specific information from someone's computer, such as passwords, PIN numbers to online banks, security certificates used to access Web sites, and online accounts to trading systems," said Bugtraq moderator and Security Focus analyst Elais Levy. "Once other people who write these tools figure there's money actually to be made doing this, these activities will increase."

The new variant of the Love virus comes as an email with "Resume" in the subject line. While it follows its originator's pattern of sending copies to the addressees in the victim's Microsoft Outlook address book, the new bug goes further. The variant downloads a password-stealing program, "hcheck.exe," that lifts USB PIN numbers and sends them to three email addresses: ct102356@excite.com, acch01@netscape.net and deroha@mailcity.com.

Password-stealing viruses are not limited to Love variants, according to AVERT's Viveros. For example, people could receive email sending them to a new Web site or urging them to download a cool screensaver or MP3 file that launches the attack.

Dataquest analyst Chris Le Tocq used the example of a program dubbed WinWhatWhere, which sits quietly on a PC collecting passwords and tracking other activities, such as to whom the victim sends email.

"Putting in a piece of software like that is not an insignificant chore, but there's no reason a Trojan like that couldn't get installed by the (virus)," Le Tocq said.

But because of the complexity of such an undertaking, Le Tocq questioned how prevalent such an activity would be. Many viruses are created by teenagers or inexperienced computer users who take readily available software tools that exploit vulnerabilities in Microsoft's VBScript language.

"As soon as you start having to put an application together that requires some sophistication," fewer people are going to do it, Le Tocq said. "But frankly, it's the kind of general-purpose item I wouldn't be surprised (to find) available for anyone to use or share. It could be done."

Security Focus' Levy said the real danger lies in targeted viruses, which potentially could hurt corporations more than consumers. When viruses spread quickly, antivirus makers are more likely to get copies of the viruses early and offer software updates that guard against the bugs.

"With a virus targeting just one corporation, the chance of someone at that corporation actually detecting that virus is much lower," he explained. "That's more dangerous. Instead of having one big Melissa virus, if you have hundreds of these targeted viruses, the workload on the antivirus vendors could be just too great."

Underscoring the seriousness of the new Love variant is government agencies' involvement in hunting the email addresses and Web servers involved in the attacks.

The National Infrastructure Protection Center (NIPC) today warned of the variant and said two infections had been reported in the United States. The agency is charged with protecting the security of the nation's computing infrastructure.

NIPC spokeswoman Debbie Weirerman said, "Since those two incidents focused on banking functions, that is the reason behind the action the NIPC took in issuing its warnings." She also confirmed that the FBI is investigating the virus outbreak.

Though security experts and law enforcement are taking this week's attack seriously, Levy said consumers should brace for more to come.

"You're going to see a lot more of these types of viruses or worms that, instead of being put in the wild to see how far they can distribute themselves or do malicious damage, we'll start to see them targeted for more specific purposes," he said.

Dataquest's Le Tocq said the challenges facing companies can only get worse. "It's not only firewalls as a user you have to be worried about. It's most certainly your email."

Le Tocq added that he has been recommending that Dataquest clients block third-party email packages, such as Hotmail and Yahoo. "They don't have sufficient control over what's coming in."

In today's virus attack, stolen passwords were dispatched to Excite, MailCity and Netscape Web-based email accounts.