Sometimes these bugs try to effect political change by targeting a specific group with messages that seemingly come from real people but are actually propagated by the virus itself. At other times, the virus may try to cause damage to specific Web sites for political reasons. Then there are those that feed upon the world’s current fixation with terrorism and the situation in Iraq. NEWSWEEK’s Laura Fording spoke about this phenomenon with Chris Wraight, technology consultant at Sophos, a company that specializes in antivirus protection. Excerpts:

NEWSWEEK: Will you elaborate on some of the so-called “politically active” viruses you’ve encountered?

Chris Wraight: The injustice worm [first identified in March 2001] puts up a big message that says, “Please accept my apologies for disturbing you.” It then describes the alleged murder of a 12-year-old Palestinian child by Israeli soldiers in a Windows dialog box. To spread, it sends itself to the first 50 contacts in a person’s Outlook address book, and then sends members of the Israeli government protest petitions.

So when the Israelis received the e-mails, it looked as if a bunch of random people e-mailed them in protest?

That’s right. The injustice worm is also interesting in that the virus creators tried to be “kind” to the user … At the end of the code, there was a message that said, “Don’t worry, this is a harmless virus. It will not do anything to your system.” Well, in our viewpoint, every virus is harmful because it changes the state of your machine without your permission.

Do you think the Israelis knew it was some sort of worm or virus?

Yes. It died a pretty quick death. One of the things that has happened with these viruses is that a lot of people have become smart about the possible repercussions of launching a VBS [Visual Basic Script] file. [They’re aware of] the havoc it can cause.

How about the Yaha worm?

The Yaha worm [first identified in June 2002] is really a sandbox fight between some Pakistanis and Indians who have been going back and forth on issues affecting their countries. They’ve just chosen to involve lots of innocent end-users.

Can you describe how the Yaha worm works?

It comes as a file attachment to an e-mail. We call whatever is contained in the virus or worm a payload. The Yaha has three different payloads. One tries to terminate the antivirus program on the computer. It also modifies the Internet Explorer homepage. Then it launches a denial-of-service attack on five different Pakistani sites and tries to slow down those particular sites by flooding them with messages. The Yaha worm also spoofs the address, titles and subjects in the e-mails it sends out so that it looks like it came from someone other than from whom it really did.

Can you explain the difference between a worm and a virus?

A virus can infect your computer and can destroy data as well as many other things. But a virus itself needs a carrier to get from one computer to the other … These days, with computers connected to the Internet, a worm can travel from one machine to another. When it infects, it can find the user’s e-mail addresses and use them to send the virus on. The user may not even be aware of what is going on. A virus, once you activate it, is just resident on your system. A worm can spread.

Will you also describe the September 11 worm?

The September 11 worm [first identified in September 2002] was an e-mail that said it did not contain viruses and was not spam. It said it contained classified information, a set of documents and photos [that tried to establish that George W. Bush and Al Qaeda were connected]. Education in the past few years has centered on telling people not to open file attachments. The worm tried to get around this by saying, “Trust us, these are just photos and Word documents.”

Are these viruses still in circulation?

Yes. The September 11 worm is an older one … But we still come across it, and we still find others as well.

Have the people responsible for these particular viruses been caught?

No, they haven’t been.

Is the profile for political virus writers different from those who typically write viruses?

The typical profile for virus writers is that of a 14-to-24-year-old adolescent male who writes code for entertainment or amusement. A lot of them, we feel, don’t write these viruses to be malicious. Some do, but many do it as an intellectual challenge, perhaps to show Microsoft that there’s a hole in their operating system or to see how quickly they can make a virus spread. We still think the people who write these [political-type] viruses are on the young side … but their motivation is, pure and simple, political.

Are they American or are they from other parts of the world?

We’ve seen them predominately come out of Central Europe and the Far East.

Are some viruses created by political groups? Or do more come from the alienated adolescent-type person?

Right now I’d say it’s the latter.

But could they conceivably come from political groups?

I think it’s conceivable, yes.

Do you see these as having a possible link to terrorist groups? Or is that farfetched?

At this point I’d have to say that’s a little bit farfetched. I think if terrorist groups were trying to do electronic damage, they’d try to do it in a more direct manner, something that had more of an impact. Perhaps they might target the ATM network, rather than counting on a virus to wreak havoc. [With a virus] there are too many intangibles.

Do you think these viruses accomplish politically what they set out to do?

I don’t. I think that, as a virus, not only are people annoyed when they are infected by it, but they tend to discount the message because of the way it came in.

So you think that people are usually aware that what they’re seeing is not legitimate.

Yes.

How do people best protect themselves?

Don’t click on unsolicited e-mail attachments, even if they are from friends, because worms can send stuff out under someone’s name without them even being aware of it. So ask people if they sent you the file before opening it. Also, when people buy a computer with a pre-installed antivirus solution they think they are all set. But that virus solution was probably installed at the factory a month or two before the computer was purchased, so it’s already out of date. People should sign up for a subscription service so they can constantly update their virus software. Out of the virus realm, people should make sure they have a firewall on their system, even at home.