When "Love" hits your "Resume" and it isn't so "Funny"

Virus writers get poor marks from security experts for their packaging efforts. But occasionally they hit on an effective ruse.

Evan Hansen Staff Writer, CNET News.com
Department Editor Evan Hansen runs the Media section at CNET News.com. Before joining CNET he reported on business, technology and the law at American Lawyer Media.
Evan Hansen
3 min read
What's in a name? Everything, when it comes to computer viruses.

Virus writers get poor marks from security experts for their packaging efforts. But occasionally they hit on an effective ruse, as the "Stages" outbreak shows. Using simple email headers such as "Jokes" and an attachment disguised as a harmless text file, the virus gained sufficient momentum to shut down corporate email systems early this week.

"In most cases, viruses aren't carefully disguised," says Dan Schrader, chief security see CNET Software: Protect yourself from a virus attack analyst at Trend Micro, a security software company. "But every once in a while they manage to slip one by...The key themes (of successful viruses) are sex, greed and fear."

Manipulating the people who use computers rather than the computers themselves is known as "social engineering." In many cases, it is the key in a hacker's tool kit, figuring prominently in most damaging virus attacks.

In the Stages virus, for example, the author relied partly on a misconception that files ending in the extension ".txt" don't carry viruses because they are text files and therefore cannot execute commands.

File types can be disguised, however.

In this case, the author used a feature in Microsoft's Outlook Express email program that conceals the true nature of Windows Shell Script Object files. These executable files carry the extension ".shs," but under commonly used settings in Outlook, the extension doesn't show onscreen.

However, the concealed file type may have been less important in spreading the virus than simple human curiosity, according to Vincent Gullotto, director of Network Associates' Anti-Virus Response Team (AVERT).

"The fact is, not that many people are aware of what file extensions mean," he said. "This got people's attention because it appealed to them on some level."

One person who clicked on an infected Stages attachment said it looked like a joke from someone he knew who often sends similar messages, Gullotto said.

"It's about trying to find ways to tempt you to open the message," he said.

Viruses frequently rely on humor. Computer Associates, for example, recently reported a virus traveling in an animation clip of the popular "South Park" cartoon show.

Sex also sells.

"Trojan horse" viruses disguised as pornographic videos have circulated recently. One such virus, known as "Gnutella.worm" and targeting members of the Gnutella file-sharing network, used variations such as "collegesex.vbs" and videos with porn star names such as "Jenna Jameson movie listing.vbs."

In one of the most successful attacks to date, Melissa virus author David Smith posted a message on the "alt.sex" Internet message discussion group, offering a file that purported to provide passwords for pornographic Web sites. He asked readers not to share the file with anyone else.

Sometimes the pitches can be disarmingly simple, as in the case of the "I Love You" virus, which spread across the globe last month and forced some Fortune 100 companies to shut down their email servers.

"When I saw that, I thought nobody would be fooled," said Trend Micro's Schrader. "Apparently the virus writers had a better sense of human psychology than I do."

Money has proven a less successful means of enticing people into opening infected files.

"Sweepstakes messages are ignored," said Network Associates spokesman Sal Viveros, although he noted that copycat versions of the Love virus notifying recipients of charges to their credit cards for Mother's Day gifts did fool some.

"That might have done a lot better if it had come closer to Mother's Day," he said. "People are very concerned about things like privacy and Internet fraud."

Network Associates' Gullotto said companies are seeking to boost security to quickly halt viruses, by disabling executable files that can carry viruses into corporate email networks, for example.

But basic human nature may always give hackers a way around the most robust technological defenses.

"Unfortunately, people are curious," Gullotto said. "In many cases, they're deluged by email at work, and they want to read something different from the mundane. All it takes is to get one person to look."