"The subject line says 'Hi' and will be from someone you know," Symantec security response group manager Kevin Haley said. "The text will say 'How are you? I saw this screensaver and immediately thought of you.' That's a giveaway."<<

Authors, How can you put so much effort into writing cool virii and do such an amateur job on the social engineering? Include a hundred different, likely sounding subject lines (encrypted of course, but you knew that). A single constant subject line is *so* easy to warn against. You are defeated by word of mouth and a little medium-term memory. Exceed the human memory requirements, gentlemen. You'll have a better chance of a truly inspiring piece of electronic performance art.

-------
"Forget cyberterrorists (tm) in distant lands; a few daisycutters on Redmond and your virus problems disappear."
I want to tell you what Alfred Qaeda <cypherpunks@ssz.com> said about "CDR: A note to virus authors" on 5 Dec 2001 at 14:31
"The subject line says 'Hi' [...]
Authors, How can you put so much effort into writing cool virii and do such an amateur job on the social engineering?
Include a hundred different, likely sounding subject lines (encrypted of course, but you knew that). A single constant subject line is *so* easy to warn against.
But a short, simple and commonly used subject line is almost impossible to filter automatically without triggering a large volume of false positives. Yes, there are better ways to filter out this stuff, but if that was so easy why is this piece of e-performance art so widespread? The social engineering lies in the interminable curiosity of the human beast, in spite of Management's best warnings.
At 02:31 PM 12/05/2001 -0800, Alfred Qaeda wrote:
"The subject line says 'Hi' and will be from someone you know," Symantec security response group manager Kevin Haley said. "The text will say 'How are you? I saw this screensaver and immediately thought of you.' That's a giveaway."<<
Authors, How can you put so much effort into writing cool virii and do such an amateur job on the social engineering?
I was surprised how effective such an amateur job was; my corporate email system was pounded into the ground for a couple of days. Unless I'm misunderstanding the descriptions of this thing, it didn't fire up automagically just from opening the message or using the MSOutlook Preview Pane function - it had to convince a sucker to actually run the file, either by clicking on it or by saving it and running it. Perhaps the descriptions have been incorrect?

Of course, one of the problems of Outlook-style mail systems is that they often have mailing lists that hit the whole company, or at least sets of tens of thousands of people, and this does seem to do a good job of trolling for those lists, and continually pounding once it starts, so it only takes a small number of suckers for it to explode.

I received a few thousand copies that I was aware of; after I put a mail filter on my machine, there were probably a few thousand more. Of course, the quickly installed filters that our mail admins used trashed all messages with "hi" in the Subject line, even if it was in the middle of words like "behind" or "chief" :-)
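The "hi"-in-the-subject filter that ate "behind" and "chief" is the classic substring false-positive problem. As an added example (not part of the thread), here are three mail-gateway rules in Python run over constructed sample messages: the substring rule the admins used, an exact-match rule that strips Re:/Fwd: prefixes first, and a rule that also requires the worm's fixed body phrase quoted by Symantec.

```python
import re

# Constructed sample messages (subject, body, is_worm); the worm in the thread
# used the constant subject "Hi" and the fixed body phrase quoted by Symantec.
SAMPLES = [
    ("Hi", "How are you? I saw this screensaver and immediately thought of you.", True),
    ("hi", "I saw this screensaver and immediately thought of you.", True),
    ("Re: Hi", "I saw this screensaver and immediately thought of you.", True),
    ("Behind schedule on the Q4 report", "Can we talk tomorrow?", False),
    ("Chief architect sync", "Agenda attached.", False),
    ("Hi there, quick question", "Is the build broken?", False),
]

def naive_filter(subject: str, body: str) -> bool:
    """The rule from the thread: flag any subject containing 'hi' anywhere."""
    return "hi" in subject.lower()

# Leading reply/forward prefixes such as "Re: Re: " or "FWD:".
_PREFIX = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)

def normalize_subject(subject: str) -> str:
    """Strip reply/forward prefixes and surrounding whitespace, lowercase."""
    return _PREFIX.sub("", subject.strip()).strip().lower()

def subject_filter(subject: str, body: str) -> bool:
    """Flag only when the whole normalized subject is the worm's constant 'hi'."""
    return normalize_subject(subject) == "hi"

BODY_MARKER = re.compile(r"i saw this screensaver and immediately thought of you",
                         re.IGNORECASE)

def combined_filter(subject: str, body: str) -> bool:
    """Require both the constant subject and the fixed body phrase."""
    return subject_filter(subject, body) and BODY_MARKER.search(body) is not None

def evaluate(rule) -> tuple:
    """Return (true_positives, false_positives) for a rule over SAMPLES."""
    tp = fp = 0
    for subject, body, is_worm in SAMPLES:
        if rule(subject, body):
            if is_worm:
                tp += 1
            else:
                fp += 1
    return tp, fp

if __name__ == "__main__":
    for rule in (naive_filter, subject_filter, combined_filter):
        print(f"{rule.__name__:16s} tp/fp = {evaluate(rule)}")
```

A constant subject is easy to warn users about, and for the same reason it is easy to match exactly; the substring rule is what turns an easy signature into a self-inflicted outage.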
On Wed, 2001-12-05 at 22:31, Alfred Qaeda wrote:
Include a hundred different, likely sounding subject lines (encrypted of course, but you knew that). A single constant subject line is *so* easy to warn against. You are defeated by word of mouth and a little medium-term memory. Exceed the human memory requirements, gentlemen. You'll have a better chance of a truly inspiring piece of electronic performance art.
I always thought that the best strategy would be to look through all mail folders, find the last email received from the target, and use the subject from that, adding 'Re: ' at the start. Delete the body of the mail and replace it with one of several variations along the lines of 'I thought this might be helpful: <Insert macro-trojaned .doc> Just click 'OK' when the dialog box pops up.' That would get most PHBs I know...

I'm not a VB programmer, but I assume that sort of functionality is available from the Outlook COM object (or ActiveX object, or .NET Web Service, or whatever the hell it's called now :>)

W
-- 
"Sometimes the Eloi really get on my nerves"
On Fri, Dec 07, 2001 at 02:09:31PM +0000, Will Morton wrote:
I always thought that the best strategy would be to look through all mail folders, find the last email received from the target, and use the subject from that, adding 'Re: ' at the start. Delete the body of the mail and replace it with one of several variations along the lines of 'I thought this might be helpful: <Insert macro-trojaned .doc> Just click 'OK' when the dialog box pops up.'
That would get most PHBs I know...
One of the recent worms did exactly this. I can't remember which one, but it also set the From_ line to _victim@host.com, i.e. it added a leading '_' character. I'm still getting them (but on linux they don't do anything). This is the same worm that installed a keyboard sniffer. The log was emailed to an account somewhere and of course that account was quickly shut down. The worm author should have encrypted the logs and posted them to alt.anonymous.messages or some other newsfroup instead. That would have been truly dangerous, especially if the worm was stealthy.
I'm not a VB programmer, but I assume that sort of functionality is available from the Outlook COM object (or ActiveX object, or .NET Web Service, or whatever the hell it's called now :>)
It's properly called the Email Worm Author's Toolkit. Eric