Free Republic
News/Activism

How an e-mail virus could cripple a nation
CNET Reviews ^ | Robert Vamosi

Posted on 08/29/2003 10:28:27 AM PDT by Hal1950

Security Watch: Don't get burned by viruses and hackers.

With a publicly available search engine, a few well-chosen e-mail addresses, and off-the-shelf viral code, anyone can commit an act of cyberterrorism--or so says Roelof Temmingh, technical director of SensePost, a South African computer security company.

Speaking at the recent Black Hat Briefings and Defcon 11 conferences, Temmingh explained that the current methods of assailing computer networks--denial-of-service attacks (DoS) or remote break-ins--inconvenience too few people to really affect a nation's information infrastructure. The sort of exploit that could really hurt a country, Temmingh suggests, would more likely be based on e-mail viruses, a concept he outlined in a recent paper.

Based on experience

Hopefully, learning about how the unthinkable could happen can help us prepare for and minimize the damage from such an event should it ever occur.

Temmingh and his associates got a chance to investigate his theory while working with a South African bank. They decided to see how easy it would be to infect a bank's computer systems, which presumably are pretty secure, with an e-mail-borne virus.

Since e-mail attachments are relatively easy for IT departments to detect, they started by embedding in an e-mail message a link to a Web site that could have contained malicious code (but didn't, because the team didn't want to actually infect the bank's computers). Of the 13 IT people working at the bank, 8 downloaded the executable file the e-mail message linked to, and 5 actually executed the code on their desktop systems.

This means, had the virus been real, the bank's entire network could have been infected.

Targeting e-mail

From this experiment, Temmingh extrapolated that a cyberterrorist could effectively deliver malicious code to any organization, anywhere in the world. If that individual sent the infected e-mail simultaneously to individuals in government agencies and the military, it could have devastating effects on a country's ability to communicate, carry out business, and defend itself.

The key to this attack is finding real e-mail addresses to target. For this, Temmingh wrote a few scripts that use Google to search for public references to e-mail addresses on the Web. The scripts allow him to search for e-mail addresses from a given country and to hunt in particular for individuals working for telecommunication and financial companies, energy providers, governmental departments, the military, the media, prominent local businesses, and hospitals.

There are plenty of addresses available, especially on bulletin boards and in discussion forums. If a malicious user could infect just one government system (even if it's the desktop machine of a low-ranking official), he could, in theory, infect larger government computer systems as well.

Black Hat demo

Within minutes of running the scripts at the Black Hat conference, hundreds of e-mail addresses belonging to U.S. military and government employees showed up on Temmingh's presentation screen. Judging from the collective gasp from the audience (composed mainly of U.S. government, military, and private computer-security experts), Temmingh made his point.

Some may not agree with me, but I don't think talking and writing about this sort of attack is a blueprint for disaster. Rather, becoming informed about how cyberterrorists could hurt us helps our security community learn how to protect us from these threats.

The U.S. government has long worried that a cyberattack could cripple our nation's infrastructure. Before September 11, it was one of the White House's key security concerns. But we were betting that cyberterrorists would have to be very clever to pull something like this off. It turns out that's not true. Now that we're aware of how easy it could be to carry out such an attack, we must turn our attention to making sure we're prepared for it.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Foreign Affairs; Front Page News; Government; News/Current Events
KEYWORDS: hackers; virus; worm

1 posted on 08/29/2003 10:28:32 AM PDT by Hal1950

To: Hal1950
In the last few days, I think I have gotten 15 E mails, from someone I do not know, telling me to use this windows patch, to avoid a virus. I deleted all of them. I am sure Microsoft will send their patches in Windows updates, not in E mail, especially without even identifying themselves.
2 posted on 08/29/2003 10:33:01 AM PDT by Mark17

To: Hal1950
"Of the 13 IT people working at the bank, 8 downloaded the executable file the e-mail message linked to, and 5 actually executed the code on their desktop systems."

Has no one in that bank thought to educate these employees?

3 posted on 08/29/2003 10:33:57 AM PDT by EggsAckley (....S.U.E........STOP UNNECESSARY EXCERPTING.....)

To: EggsAckley
The problem is that these were the IT people. They're the ones who are supposed to be telling the rest of the bank what to do.

I wonder how many of the 5 were using Outbreak or Outbreak Express which automatically ran the programs unlike any sensible email program.

4 posted on 08/29/2003 10:41:07 AM PDT by KarlInOhio (Master of the single entendre)

To: Mark17
> I am sure Microsoft will send their patches in Windows updates, not in E mail, especially without even identifying themselves.

I worked for Microsoft in Dallas. Company policy is that absolutely NO attachments are to be sent to customers, and NO e-mails will ever come from support@microsoft.com

5 posted on 08/29/2003 10:51:12 AM PDT by Lunatic Fringe (This tag line has been intentionally left blank.)

To: Mark17
You're probably getting W32.Dumaru@mm, which is an attachment-type virus.
6 posted on 08/29/2003 11:07:13 AM PDT by dfrussell

To: Hal1950
Are we prepared?

http://www.chronwatch.com/content/contentDisplay.asp?aid=3909&catcode=13
7 posted on 08/29/2003 11:08:34 AM PDT by jonalvy44

To: Hal1950
> Since e-mail attachments are relatively easy for IT departments to detect, they started by embedding in an e-mail message a link to a Web site that could have contained malicious code (but didn't, because the team didn't want to actually infect the bank's computers). Of the 13 IT people working at the bank, 8 downloaded the executable file the e-mail message linked to, and 5 actually executed the code on their desktop systems.

Idiot users.

+--------------------------------------+
| Zot U                                |
+--------------------------------------+
|                                      |
|                                      |
|Click here to format your hard drive  |
|                                      |
|                                      |
|         +-------------+              |
|         | I'm a moron |              |
|         +-------------+              |
|                                      |
+--------------------------------------+

I can't believe someone who draws a paycheck and is provided a PC to work on, would be so dumb as to run an EXE, BAT, PIF or SCR file. By default, these things don't run.

That being said, all IT departments should ASSUME that a certain percentage of their employees are too stupid to breathe and viruses will get in. It's their job to track it back to the person who started it and fire them. Or restrict them to specific IP addresses.

I've been using a Windows based PC since Win 1.0 and have been on the net since 1994 and have never, ever, even once gotten a virus. Only recently did I get real serious and got all my patches for Win2K. For those who need something to help them, this is really cool and effective: http://www.bigfix.com
8 posted on 08/29/2003 11:21:34 AM PDT by Rate_Determining_Step (US Military - Draining the Swamp of Terrorism since 2001!)

To: Rate_Determining_Step
> I can't believe someone who draws a paycheck and is provided a PC to work on, would be so dumb as to run EXE, BAT, PIF or SCR file. By default, these things don't run.

Well, don't be too hard on them. Although Sobig wasn't "smart" enough to rename the file, other than a SCR or PIF extension, it's possible to hide the extension...

Mark

9 posted on 08/29/2003 12:09:42 PM PDT by MarkL (Get something every day from the four basic food groups: canned, frozen, fast and takeout)

To: Hal1950
> The U.S. government has long worried that a cyberattack could cripple our nation's infrastructure. Before September 11, it was one of the White House's key security concerns

BS
I know it was NOT a high priority, 'cause I TRIED to get the National Security Council interested in a plan that would make cyberspace far more secure. But no dice.

10 posted on 08/29/2003 12:26:52 PM PDT by taxcontrol (People are entitled to their opinion - no matter how wrong it is.)

To: Hal1950
I catch a lot of grief for my automatic virus repelling force-field. It's called a Macintosh.

Yeah, I know it isn't immune, but of the last count I saw, there are over 45000 viruses, worms etc for the PC world. We have only a handful.
11 posted on 08/29/2003 12:55:03 PM PDT by EBITDA (Errors are most easily found in the instant immediately after hitting the send button.)

To: EBITDA
Bump to the mac user...no viruses here, either!! :-)
12 posted on 08/29/2003 1:20:54 PM PDT by samiam1972 (Live simply so that others may simply live!)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
