NEWS ANALYSIS: Cyber-criminals have found a way around perimeter security using JavaScript sent in text files and depending on social engineering. However, there are ways to reduce the impact of such threats.
I was working at my desk in the Advanced Network Computing Laboratory at the University of Hawaii 15 years ago when something struck me as very odd. My email inbox showed a series of emails, all with the subject line, “I Love You.” I glanced over my shoulder at my colleague, Oliver Rist, who was finishing up our test plan for some enterprise Gigabit Ethernet switches for a review that would later appear in the now vanished CommunicationsWeek newspaper.
“Nobody,” I said to Oliver, “loves me that much.”
Oliver turned around and looked at my screen. “Something is going on,” he said. We discussed it for a couple of minutes, and I noticed that each email had an attachment that said it was a love letter. I immediately erased all of those emails, then checked for it online. It turned out that the “I Love You” virus, as it was becoming known, was wreaking havoc worldwide.
Oliver then checked his email, and sure enough, he also had a string of similar messages. One thing we noticed was that each message appeared to be sent by someone we knew, at least slightly. Obviously, someone’s contact list had been pilfered.

Now we know that what was actually going on was the first really successful Internet email worm that depended on social engineering to make its impact. And it had quite an impact when it erased files, scrambled data and then raided the Windows contact list to send out more emails. But we’d dodged the bullet, primarily because we both were too cynical to believe that many assertions of love.

Social engineering has remained an effective means of spreading malware, but malware now is aimed at more than destruction; it’s now part of a global effort by organized crime to steal money or information. Carefully designed defenses proved to be effective when they were used. But now the effort has come full circle, this time with malware that is proving undetectable by antivirus software.
On Monday, a couple of emails appeared in my inbox, each one appearing to be from a legitimate Internet fax delivery service, InterFAX, and each with an attachment with the file name of a scanned document.
But my previously mentioned cynicism hadn’t diminished over the years, so I examined the attachments in more detail and noticed the “.js” extension after the “.doc” in the file name. So, being cautious in addition to being cynical, I copied the extension to a flash drive and took it to a different computer, this one running Linux Mint from a DVD. That way, no matter how virulent the malware might be, it wouldn’t be able to install itself and spread.
As I expected from the extra file extension, the supposed fax scans were actually JavaScript programs. Further examination of the files suggested they were intended to download remote files and then execute them.

Leave a Reply