Digg this story   Add to del.icio.us  
The worm that spreads secrets
Shane Coursen, 2001-08-20

The SirCam virus seemed to have an affinity for confidential documents.

WildList Organization International receives hundreds of infected files each month of many different viruses that are found "In the Wild" (ItW). Virus samples are submitted to us primarily by our network of 64 participants, but we also see reports from the average person who just wants to let us know they have found a virus.

Valid ItW samples of some viruses, like the recent Code Red worm (officially known as W32/Bady.C) are hard to come by in their early stages. But the SirCam virus, which debuted at about the same time as Code Red, is a very different story. In the case of SirCam, I myself have personally received many emails from unwitting victims.

Arriving from a variety of exotic locations around the world, at last count we had as many samples of SirCam as we had received of all other viruses combined. Ranging in format from Word documents to executables, it was apparent early-on that SirCam is not finicky in the type of file it infects.

SirCam couldn't care less about the contents of the file to which it attaches. A common executable found in a system's Windows folder? No problem. A .PIF, .LNK, or even .BAT files? No problem. A Word or Excel document containing highly confidential pieces of information? Definitely no problem. In fact, I'm beginning to wonder if SirCam doesn't have an affinity for classified documents.

Very soon after the discovery of SirCam, a plethora of news stories hit the press. An article that immediately caught my attention involved the "ForUm" news web site, as reported by CNN.com:

"ForUm said one of the documents it received was Kuchma's itinerary on Ukraine's 10th anniversary of independence later this month -- information that is usually not released."

While I have not personally received documents of such high confidentiality, I've received some that clearly were not intended for public consumption.

Virus mating
SirCam appeared with a vengeance around the time of the release of the original Code Red exploit. While it started off slower than usual for a mass-mailer, it quickly gained momentum, and, by some accounts, is now seen with greater prevalence than many other computer viruses.

Theorizing for a moment about what the side effects of this type of virus might have on businesses, governments and people, should we expect an increase in security practices among those who rely on email in their day to day practices? Looking back at the second round of the LoveLetter virus, I would have to conclude that it will not result in higher levels of security. For even if the IT heads increase security, there are many workers who will not follow through with new practices.

SirCam isn't the first virus to attach itself to, or include, confidential information in the body of an infection. There is a Word macro virus in the "Thus" family that stores potentially confidential information in the body of its code. While there were several cases of the virus being found in the wild, procuring a sample turned out to be exceedingly difficult. And of course, without a sample, it is difficult for an antivirus researcher to devise protective measures.

From an antivirus researcher's point of view, having received so many varied types of samples of SirCam, there is something possibly even more disturbing: some of the samples contained not only the SirCam virus, but also contained a second virus infection.

FunLove.4099, another mass mailing computer virus, relatively old now but still prevalent in the wild, seems to be a common companion to SirCam. As of yet, I am unsure if the accompanying FunLove virus is the only file virus that can work with SirCam in such a manner, or if the mating was purposely engineered.

Whatever the case may be, as the use of computers and computer software gain a foothold in our daily personal and business lives, those who write computer viruses, worms, Trojans, et al, will no doubt continue to exploit known and unknown weaknesses in our operating system and office productivity software.

While it is much easier said than done, we must keep a constant vigil, in how we use computers, in where we store our software and in what information we place in our documents.

Shane Coursen has worked in the field of antivirus research since 1992. He is currently CEO of WildList Organization International.
    Digg this story   Add to del.icio.us  
Comments Mode:


Privacy Statement
Copyright 2010, SecurityFocus