By CHRIS BARTON
When news of Badtrans.B broke last week I didn't pay too much attention. Just another virus/worm with a silly name heading our way: Nimda, Sircam, Hybris, Apology, Kakworm and Navidad to name a few.
Like tropical cyclones, virus outbreaks are so regular that we notice only when serious damage occurs.
Badtrans cut a fairly wide swathe worldwide and among New Zealand Windows PC users. Interestingly, the news came to light here through local auction site trademe - a testament to the site's growing popularity.
But testament also to how slack home users are about keeping their anti-virus software up to date.
The site's 66,000 registered users were a perfect virus breeding ground - an online community actively trading in e-mails and adding new users to their contact lists.
The tale of woe on trademe's message board showed how users had not patched the security hole in versions 5.01 and 5.5 of Internet Explorer and hadn't been regularly downloading the latest virus definitions.
Slack, because Microsoft had published a fix for the vulnerability at the end of March.
But with new and more complicated viruses emerging all the time, it's hard to keep safe.
Despite having my antivirus software set to automatically update every time I go online, plus having a firewall and updates automatically sent from Microsoft, I know I'm still vulnerable. Sooner or later my virus scanner will be one step behind the virus makers and some nasty is going to break my defences.
Several readers have pointed out that most internet providers aren't pulling their weight in dealing with this scourge.
As ihug's i-spy service shows, internet providers could be scanning for viruses too - stopping the blighters midway on their journey and alerting users of a threat.
Too often, large providers like Xtra start scanning only after the outbreak is in full swing.
You have to ask also whether Microsoft, with its ample resources, has really done everything it could to publicise this current flaw. Judging by the Badtrans outbreak, obviously not.
This isn't the first time Microsoft e-mail software has been found wanting, and you might wonder why the company continues to make such recklessly unsafe software.
For savvy internet users, the answer - and a way to avoid most virus attacks - is to use alternative e-mail software.
Badtrans exploited a Microsoft flaw that allows an attached file to be run through the message preview pane in Outlook e-mail.
Unlike most viruses carried in e-mail attachments this one could do its thing just by landing in your inbox. That's right - no clicking on the attachment required. Dastardly.
But Badtrans was badder. Not because it copied itself and found e-mail addresses on your computer with which to go forth and multiply, but because it also dropped a password-stealing Trojan horse on to the computers it infected.
The program - Troj/PWS-AV also known as Hooker.24.H - logs the infected user's keystrokes to gain private information such as passwords. And it is not a bad technique for getting users' encryption keys.
Like all Rats (remote access Trojans), Badtrans has a backdoor port through which the cracked information can be accessed.
Sinister.
The motivation of virus makers has always been hard to fathom. It is said these purveyors of the dark internet arts do so for a variety of reasons - to steal, to pry, to show off, to make a point, to protest, because they can.
But what if it's none of the above? What if Badtrans was created as a "proof of concept" by the FBI?
Far fetched, I know. But to really get your "dataveillance" paranoia pumping, type "Magic Lantern" Trojan into any search engine.
The web is rife with stories about an FBI project code-named Magic Lantern - a piece of software masquerading as an innocent e-mail attachment that will insert FBI spyware inside your computer.
More disturbing is speculation that if such a keystroke logging tool was being used by the FBI, large antivirus vendors such as Symantec and McAfee would avoid updating their antivirus tools to detect such a Trojan. Shudder.
Couple the speculation with the events of September 11 leading governments to bring in anti-terrorist legislation to sanction Magic Lantern-like dataveillance and suddenly the paranoia seems justified.
In such a world, Magic Lantern is like an electronic panopticon - a means to invisibly watch via the web. Like prisoners under the gaze of a supervisor in a central tower, internet users know Magic Lantern is always there - but do not know if its all-seeing eye is focused on them. A perfect means to find and punish net delinquents and terrorists, but also an ideal threat to control an unruly net population.
In such a light Badtrans is not bad, it's a warning - a harbinger of a new disciplinary surveillance that, if it's not already here now, will be soon.
* chris_barton@nzherald.co.nz