12.1 When Good Browsers Go Bad

A program that you download and run on your computer can fundamentally change how your computer behaves. After all, web browsers, email programs, and operating systems are nothing more than programs themselves. These programs can be subtly modified or changed by other programs that you download.

This plasticity of modern operating systems and the flexibility created by mobile code is one of the reasons for the great success of the Internet. At the start of the web revolution, early adopters were given copies of web browsers such as Mosaic and Netscape Navigator 0.9 on floppy disks. As newer, better browsers came out, users simply downloaded upgraded programs. Overall, this scheme worked pretty well.

Unfortunately, this plasticity is easy for an attacker to exploit. Code is opaque: it is frequently impossible to understand what a program will do without actually running it. What is possibly even more frightening is that it is frequently impossible to determine what a program has done even after you have run it. Programs have many ways of hiding their operations, and few computer systems have sufficiently powerful auditing tools.

The goal of many attacks is to be able to run an arbitrary program on the target computer. Once the attacker can specify a program to run, the attacker can use that program to search through the target computer's files, to steal information, and to plant viruses or other programs that will effectively hide the attacker's tracks.

Surprisingly, it isn't hard to get at least a few victims to run a program. Traditionally, one of the easiest ways to get a victim to run a program is to simply email it to a few thousand victims; one of them will surely run it. Another approach is to post the program on a web page and email out the URLs. What's harder is to have a program be run by a specific target, or to arrange for millions of users to run a program, or to have a hostile program in circulation for a long time before someone notices the damage that the program is doing. But as time passes, even these challenges have been conquered.

History is on the side of the attackers. Internet users have been taught to download programs and run them without question. Web browsers, including Netscape Navigator and Internet Explorer, were initially distributed by downloads. And systems that extend the capabilities of these web browsers, such as the RealAudio player and the Adobe Acrobat Reader, are distributed by downloads as well.

As the examples in this section will show, there can be grave consequences to blindly trusting code that you download off the Internet.

12.1.1 Card Shark

In January 1996, a digital payments company called First Virtual Holdings demonstrated a program that was designed to show how easy it is to compromise a consumer's computer system. First Virtual's scientists had created the program to prove that home computers were not sufficiently secure to be trusted with credit card numbers. Instead, the program demonstrated the danger of running untrusted code.

Affectionately called "Card Shark," First Virtual's program was designed to look like a conventional screensaver. But screensavers are interesting programs: on Windows at the time, screensavers had the ability to monitor every keystroke that the user made.

The Card Shark program took advantage of the Windows built-in monitoring ability. Normally, Card Shark would run silently in the background of your computer. If you didn't type on your computer's keyboard for a while, the screen would blank. You could make the screen reappear by typing a few characters. But Card Shark's real purpose was to sniff and capture credit card numbers. While Card Shark was running, the program was silently scanning the computer's keyboard and waiting for a user to type a credit card number.[1] When the user typed one of these numbers, Card Shark played ominous music, displayed a window on the screen, and informed the user that he or she had been "sharked."

[1] Because of their structure, credit card numbers are exceedingly easy to recognize. For information about this structure, see Section 25.1.3.1 in Chapter 25.
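The recognition step that the footnote alludes to, as an added example (not First Virtual's code, which is not on the page): a streaming recognizer that watches a keystroke stream for runs of 13 to 19 digits, optionally grouped with spaces or dashes, and reports a run only when it passes the Luhn mod-10 check and starts with digits that look like an issuer prefix. The keystroke source is replaced by a constructed string; the issuer ranges are a deliberately small assumed set, and the class and function names are mine.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of a captured keystroke stream (not real data): a user
# filling in a web form. The phone number, the ZIP code and the tracking
# number (16 digits, but it fails the Luhn check) are decoys.
SAMPLE_KEYSTROKES = (
    "Name: Jane Doe\n"
    "Phone: 415-555-0123\n"
    "Card: 4111 1111 1111 1111\n"
    "Exp: 12/27 Zip: 02139\n"
    "Tracking: 1234567890123456\n"
    "Backup card: 3782 822463 10005\n"
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers: from the right,
    double every second digit (subtracting 9 when the result exceeds 9)
    and require the digit sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Coarse issuer classification from leading digits and length.
    Assumed ranges, kept deliberately small for the example."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if digits[:2] in ("34", "37") and n == 15:
        return "American Express"
    if "51" <= digits[:2] <= "55" and n == 16:
        return "Mastercard"
    if digits.startswith("6011") and n == 16:
        return "Discover"
    return None


@dataclass
class CardSniffer:
    """Streaming recognizer: feed keystrokes one at a time. A candidate is
    a run of digits, optionally grouped with spaces or dashes, that ends at
    any other character; it is reported only when its length, Luhn checksum
    and leading digits all look like a payment card."""
    found: List[Tuple[str, str]] = field(default_factory=list)
    _run: str = ""

    def feed(self, ch: str) -> Optional[str]:
        if ch.isdigit():
            self._run += ch
            return None
        if ch in " -" and self._run:
            return None  # tolerate grouping separators inside a number
        return self._flush()

    def _flush(self) -> Optional[str]:
        run, self._run = self._run, ""
        if 13 <= len(run) <= 19 and luhn_valid(run):
            brand = card_brand(run)
            if brand:
                self.found.append((brand, run))
                return run
        return None

    def feed_text(self, text: str) -> List[Tuple[str, str]]:
        """Feed a whole buffer, flushing any trailing run at the end."""
        for ch in text:
            self.feed(ch)
        self._flush()
        return list(self.found)


def sniff(text: str) -> List[Tuple[str, str]]:
    """Run the recognizer over a captured buffer; returns (brand, number) pairs."""
    return CardSniffer().feed_text(text)


if __name__ == "__main__":
    for brand, number in sniff(SAMPLE_KEYSTROKES):
        print(f"sharked: {brand} {number}")
```

Waiting for the run to end before testing it is what keeps the false-positive rate down: roughly one random digit string in ten passes Luhn, so checking every 16-digit window of a longer number would fire constantly. The phone number and ZIP code are rejected on length alone, the tracking number on its checksum.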

The program's designers at First Virtual said that while Card Shark made its intentions clear, another program could be far more subtle. Instead of playing music, a hostile program could encrypt the captured credit card numbers and post them anonymously to a Usenet newsgroup. Bundled into a popular screensaver and distributed widely on the Internet, it could harvest tens of thousands of credit card numbers with no readily apparent connection among the victims; issuing banks could lose tens of millions of dollars to fraud over a single weekend.

First Virtual wrote Card Shark to demonstrate the danger of typing credit card numbers into a web browser at all. Even if the browser used SSL to encrypt the card number in transit, the company argued, the PC platform itself was fundamentally insecure and unsecurable, because the number could be stolen before it ever reached the browser. The better alternative, the company claimed, was First Virtual's patented payment system, in which users registered their credit cards by dialing an 800 number from a touch-tone telephone and keying the card number into a remote computer that was properly secured. Anything else was too risky.

Alas, despite the risks, neither banks nor consumers accepted the First Virtual Payment System, and First Virtual ended up morphing into an email marketing company. Consumers now routinely type credit card numbers into unsecured computers, secure in the knowledge that their liability in the event of fraud is limited to $50, without ever stopping to consider that they could be readily sharked.

12.1.2 David.exe

In January 1997, a scam surfaced involving long distance telephone calls, pornography, and the Internet. The scam involved a web site called sexygirls.com that promised subscribers "free pornography." There was just one catch; to view the pornography, a user first had to download and run a special "viewer" program called david.exe.

When the viewer program was downloaded and run, the program disconnected the user's computer from its local dialup Internet service provider, turned off the modem's speaker, and placed an international telephone call to Moldova. Once connected overseas, the user's computer was then reconnected to the Internet and the pornography could be seen.

It turned out that the "free" pornography was actually paid for by $2-per-minute international long distance charges, which were split among the American telephone company, the Moldovan phone company, and the operators of the sexygirls.com web site. Some victims ran up phone bills totaling thousands of dollars, money they had to pay to their local phone company or risk losing telephone service. (A spokesperson for AT&T insisted that the charges had to be paid, because the calls had in fact been placed. It was later revealed that the calls had actually been terminated in Canada rather than Moldova.)[2]

[2] Eric Greenberg notes that this kind of attack does not require the Internet. A fairly common telephone scam in 1996 was for companies operating phone sex services in the Caribbean to call 800 numbers associated with digital pagers, in an attempt to get the pagers' owners to return calls to telephone numbers on the islands. These islands are part of the North American Numbering Plan, so they have regular area codes, similar to telephone numbers in the United States and Canada. But calling these numbers costs many dollars per minute, a charge that is shared between the telephone company and the phone sex operator.

The U.S. Federal Trade Commission opened an investigation. A month later, on February 13, 1997, the FTC filed suit against two companies, Audiotex Connection, Inc. and Promo Line, Inc., and three individuals in connection with the scam.[3] The FTC charged the defendants with violating Section 5(a) of the FTC Act, 15 U.S.C. 45(a), which outlaws "unfair or deceptive acts or practices in or affecting commerce." That spring the FTC filed a second suit against a company called Beylen Telecom, Ltd., in connection with a similar web site called erotica2000.com.

[3] http://www.ftc.gov/os/1997/9702/audiotex.htm

The sexygirls.com case was one of the FTC's first prosecutions of online fraud against consumers, and it went extraordinarily well. That November the defendants in the sexygirls.com case settled with the FTC. Among the terms of the settlements were these:

  • The defendants were prohibited from further representing that consumers could use their software to view "computer images for free," and from offering calls "without posting specific disclosures."

  • In all future dealings with phone companies, the defendants were required to receive written or contractual assurance from third parties that the consumers' calls would actually go through to the country indicated.

  • The defendants would pay approximately $760,000 to AT&T and MCI, which would then issue credits to their customers who had been victimized by the scam.

  • The defendants would further pay the FTC $40,000, to refund losses of customers who did not use AT&T or MCI.

The erotica2000.com case was settled a few months later. Ultimately, all of the 27,000 victims defrauded in the two cases received full restitution, a total of $2.14 million.

12.1.3 The Chaos Quicken Checkout

In February 1997, Lutz Donnerhacke, a member of Germany's Chaos Computer Club, demonstrated an ActiveX control that could initiate wire transfers using the European version of the Quicken home banking program. The control worked by starting a copy of Quicken on the user's computer and entering a transfer into the user's checking account ledger, where it would be sent to the bank along with the user's own pending transactions. Because an ActiveX control is native code that runs with the full privileges of the user who loads it, nothing in the browser stood between the control and Quicken.

Written in Visual Basic as a demonstration for a television station, the ActiveX control did not attempt to hide its actions. But Donnerhacke said if he had actually been interested in stealing money, he could have made the program much more stealthy.

Unlike credit card charges, there is no $50 liability limit on wire transfers.

12.1.4 ILOVEYOU

On May 4, 2000, a computer worm started spreading like wildfire through corporate and government email systems all over the world. Written in VBScript, the program arrived by email, usually from a friend, with the subject line "ILOVEYOU". The message body was a single line, "kindly check the attached LOVELETTER coming from me," and the attachment was called LOVE-LETTER-FOR-YOU.TXT.vbs (see Figure 12-1). Because Windows by default hides the extensions of known file types, most recipients saw only LOVE-LETTER-FOR-YOU.TXT, took it for a text file, and opened the attachment, which Windows Script Host then executed.

Figure 12-1. Falling in love was never easier than it was on May 4, 2000. (figure: figs/wsc2_1201.gif)
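The naming trick the worm relied on, as an added example (not the worm's code and not from the book): a small Python model of what Explorer displays when "Hide extensions for known file types" is on, followed by the check a mail gateway could apply to attachment names. The extension lists, the sample attachment names and the function names are my own assumptions; the treatment of "registered" types is simplified to membership in those lists.

```python
import os
from typing import List, Tuple

# Assumed extension lists (mine, not from the book). The first set is what
# the Windows shell or Windows Script Host runs on a double-click; the
# second is what a user reads as harmless data.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk"}
DOCUMENT_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".pdf", ".mp3",
                 ".htm", ".html"}

# Constructed sample attachment names (not real mail).
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "quarterly-report.pdf",
    "holiday-photos.jpg.scr",
    "invoice.pdf" + " " * 40 + ".exe",  # padding scrolls the real extension out of view
    "notes.txt",
    "setup.exe",
]


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Model of what Explorer shows with 'Hide extensions for known file
    types' on (the Windows default): only the final extension is dropped,
    and only when it is a registered type. Simplification: 'registered'
    means any extension in the two sets above."""
    if not hide_known_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else filename


def true_extension(filename: str) -> str:
    """The extension the shell actually dispatches on: the last one."""
    return os.path.splitext(filename)[1].lower()


def shown_extension(filename: str) -> str:
    """The extension the user believes the file has, read from the displayed
    name. rstrip() catches names padded with spaces before the real extension."""
    return os.path.splitext(displayed_name(filename).rstrip())[1].lower()


def is_deceptive_attachment(filename: str) -> bool:
    """True when the visible name ends in a document extension while the
    extension that decides what runs is executable."""
    return (true_extension(filename) in EXECUTABLE_EXTS
            and shown_extension(filename) in DOCUMENT_EXTS)


def triage(names: List[str]) -> List[Tuple[str, str]]:
    """Gateway-style pass over attachment names: (name, reason) for anything
    that should not be delivered as-is."""
    flagged = []
    for name in names:
        if is_deceptive_attachment(name):
            flagged.append((name, f"{true_extension(name)} disguised as {shown_extension(name)}"))
        elif true_extension(name) in EXECUTABLE_EXTS:
            flagged.append((name, "executable attachment"))
    return flagged


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{displayed_name(name)!r:40} deceptive={is_deceptive_attachment(name)}")
    for name, reason in triage(SAMPLE_ATTACHMENTS):
        print(f"blocked {name!r}: {reason}")
```

Note that .scr is in the executable set: a Windows screensaver is an ordinary executable with a different extension, which is exactly why Card Shark could be delivered as one. The padded-name case is included because stripping the final extension alone is not enough; a gateway must look at the name as the user will see it, trailing whitespace included.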

The attachment was a 292-line VBScript file (the first lines are shown in Example 12-1). When run, the worm installed itself in the system registry (so that it would run again every time the computer was booted), sent a copy of itself to every address in the user's Microsoft Outlook address book, and then overwrote every JPEG file on the victim's disk drives with a copy of itself and planted similar copies beside every MP3 file, hiding the originals. The opening lines already show two of its habits: it reads its own source text (vbscopy) so that it can write copies of itself elsewhere, and it clears the Windows Scripting Host timeout so that the script cannot be stopped for running too long.

It is difficult to calculate the damage done by the Love Bug. Organizations that had standardized on Microsoft Exchange and Outlook were particularly hard hit, with dozens or hundreds of copies of the worm being sent to every person in their organizations. Email systems were overloaded and crashed. Millions of computers had to be disinfected. And the program, widely distributed, was soon being used as the basis for many copycat worms and viruses.

Example 12-1. The first 20 lines of the ILOVEYOU virus
rem  barok -loveletter(vbe) <i hate go to school>
rem  by: spyder  /  ispyder@mail.com  /  @GRAMMERSoft Group  /  Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"

It could have been much worse. After all, most of the computers could be disinfected without reinstalling the operating system. If the ILOVEYOU worm had destroyed EXE files instead of JPEG and MP3 files, the cost of recovery would have run into billions of dollars. And if it had overwritten the BIOS, which on many computers of the day was stored in rewritable flash memory, the worm could have caused thousands of companies to fail.

Perhaps most troubling about the ILOVEYOU worm and its copycats is that most of the people who ran the program had not made a conscious choice to run a program downloaded from the Internet. Most of the victims thought they were merely opening a letter sent to them by a friend or officemate. For years, office workers had been warned about the danger of "opening attachments" from strangers. In the end, those warnings turned out to be worthless: the attachment came from someone they knew, and it did not look like a program.

Source: Web Security, Privacy & Commerce, 2nd Edition (O'Reilly), ISBN 0596000456.