05.19.11
Reviewing digital badness and the exploitation of suckers
So increasingly, instead of hacking the browsers themselves, the bad guys try to hack the people using them. It’s called social engineering, and it’s a big problem these days. “The attackers have figured out that it’s not that hard to get users to download Trojans,” said Alex Stamos, a founding partner with Isec Partners, a security consultancy that’s often called in to clean up the mess after companies have been hacked.
Social engineering is how the Koobface virus spreads on Facebook. Users get a message from a friend telling them to go and view a video. When they click on the link, they’re then told that they need to download some sort of video playing software in order to watch. That software is actually a malicious program.
Me, from the Village Voice, recounting what was procedure in the early Nineties:
In 1992 I finished programming a computer virus called Heevahava using a colorful tool called the Virus Creation Lab. Heevahava was a Pennsylvania Dutch word for the person who held the bull’s johnson when it was time to collect semen. A heevahava was a dolt and a rube, someone to put at a disadvantage and the virus was published in the Crypt Newsletter, an e-zine I wrote devoted to probing the world of computer viruses …
For a few years in the early ’90s, the Crypt Newsletter published a stream of frequently brutish and malicious programs. Anyone could reconstitute them, easy as powdered milk. Through Crypt, I gathered experience in the applications of digitized badness and gained an ability to see it in the work of others, whether that of teenagers out for kicks or businessmen grasping at ways to retaliate against kids thought to be stealing the company’s music. Crypt knew the textures and flavors of rotten in the machine world. It published a virtual landmine based on a useful program, only overturned and corrupted to harshly prune the directory tree of a disk. Booby traps were written to show filth to moochers of porn while, in the background, the machine was being fouled. Viruses multiplied slowly and, when finished, either displayed vulgar quotes, logged keystrokes, or played idiotic music.
The Heevahava, dumb as it was, mocked the infected by associating them with its name. In one version, it obstructed efforts to unravel its instructions. In other words, it was managing its digital rights, a copy-protected Heevahava. Face-to-face, an anti-virus software programmer threatened to punch me in the mouth at a security convention because the protection had taken him hours to dissect, time he wished to spend with his family.
You could always get people to run malicious programs by offering them free stuff. Back then the enticements were mostly pornography and pirated software.
Now it’s disguised as free video software player applications. Or bad code shoved at you when you’re surfing link aggregating sites looking for some rip of a CD you want for free.
Not that different from conning people with the lure of viewing free dirty pictures, which, by the way, are still big.
One piece of malicious software I’d written for the Crypt Newsletter around ’93 or so searched through your applications and made copies of itself under the same name. When you typed or clicked on the name of the program to run (this was under MS-DOS), the malicious software ran first and went out looking for another one of your programs to turn into a zombie. Then it passed control to the program you actually had wanted to execute. This happened so fast users didn’t notice.
When the virus had mimicked every program on the disk, it halted operation of all your legitimate programs and played the previously cited “idiotic music” over the PC speaker.
It was a diagnostic point, in a manner of speaking. An acquaintance of mine in the computer underground had been called to one local victim’s house and recognized the infection. He phoned and asked me to listen to the music playing in the background.
At which point he asked if I could tell him to remove it over the telephone. Fifteen minutes later the computer had been cleared.
Back then, the people who were actually getting infected were almost always boys and young men, often still living at home and using the family PC — a luxury. They were frequently reluctant to tell Dad or Mom just how the computer got crashed.
Good times, good times.