
Social Engineering v. Malware: Remembering VBS/Loveletter

Posted on February 20, 2017.

There is a tradition among security bloggers, at any rate those with a long history in the anti-malware industry: every so often, some feel the need to revisit the malware of yesteryear, such as Brain, the AIDS Trojan, and so on. Recently, I was asked for input on an article on VBS/Loveletter (a.k.a. ILOVEYOU, Lovebug etc.). (It was timed, inevitably, to appear on February 14th.) And, almost as inevitably, most of my commentary wasn’t used. 🙂 So, while I don’t generally lean on my long and weary years in the security business for blog fodder, I thought maybe there was a thought or two there worth repeating. Or not.

So, with a few edits and additions….

Sophistication? Innovation?

The key to its success is not that VBS/Loveletter was technically impressive or innovative. It wasn’t the first malicious Visual Basic Script (that was probably VBS/First). Infection-wise, it was a primitive overwriter: in most instances, it replaced files with extensions including (among others) .VBS, .JS, .HTA, and .JPG with copies of itself, though it did for some reason preserve hidden copies of overwritten MPEGs.

It may have been an early user of the ‘double filename extension’ trick, calling itself LOVE-LETTER-FOR-YOU.TXT.vbs, taking advantage of an unfortunate quirk in Windows to conceal the fact that it was a script, not a .TXT file. I honestly can’t remember when I first saw that trick used, but I would have thought it was earlier than 2000. (And, of course, we’re still seeing it used today.)

It didn’t even have the primitive encryption of VBS/Luser, which was fortunate, since the first I knew of it was when one of my ‘customers’ sent me a copy of the attachment because it showed up as ‘gibberish’ on their machine. I suspect it was a Mac, as a good many of my customers were scientists and tended to prefer Macs (or Unix, if they were computer-savvy or needed heavy-duty processing power). Since Macs didn’t have the Windows Scripting Host, the script didn’t execute, and since it wasn’t encrypted, it could be read as text.

Infection by Proxy

On the other hand, I also remember later instances with VBS malware where Mac users received a script they couldn’t read so passed it on to their secretaries or colleagues to open for them. At one time I used to refer to this as Wormhausen-By-Proxy (drawing a very rough analogy with this condition) since there was at least one instance where the luckless secretary’s unprotected PC became infected. 😉 (You can lead a PC user to water, but you can’t always force them to wear a raincoat.)

Well, back to VBS/Loveletter: it only took a quick look to establish that it was code rather than gibberish, and about a nanosecond longer to ascertain its malicious intent. It was also easy to filter out the infective messages at the mail gateway while I was cleaning up machines already compromised and ensuring that our corporate desktop AV was updating correctly.
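An added example, not part of the original post: a sketch of a gateway-side check that flags the double-extension naming described earlier (LOVE-LETTER-FOR-YOU.TXT.vbs) on the named parts of a message. The extension lists, function names and sample message are assumptions made for illustration; the post does not say how the author's own gateway filter worked.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Example lists (assumptions for this sketch, not a complete policy).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                   ".scr", ".pif", ".exe", ".bat", ".cmd"}
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".pdf", ".mpg", ".mp3"}


def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Keep only the final path component, then drop the trailing dots and
    # spaces that Windows ignores when it resolves the file type.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    # Padding between extensions ("a.jpg     .scr") is stripped per component.
    exts = ["." + p.strip().lower() for p in base.split(".")[1:]]
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_message(raw):
    """Return [(filename, verdict)] for every named MIME part in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            results.append((filename, classify_filename(filename)))
    return results


def build_sample():
    """Constructed test message: placeholder bytes, no script content."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body text")
    msg.add_attachment(b"placeholder, not a script", maintype="application",
                       subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment("meeting notes", filename="minutes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```

The check works on the declared filename only, so it complements content scanning rather than replacing it.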

Social Engineering

However, the author(s), intentionally or not, did hit upon an unusually successful social engineering gimmick. Apart from appealing to vanity and/or the natural desire to be loved, it was unusual enough to persuade a victim to open it out of curiosity or in the expectation of reading some kind of joke.

At the organization I worked for, the event did give me some leverage for persuading users to disable the Windows Scripting Host where it wasn’t actually necessary. (And one or two other generic countermeasures.) It also provided me with some minor opportunities for educating the few users I got to talk to directly (or who were actually reading my internal articles and documentation) about social engineering and malware. (Sadly, the organization didn’t offer me the resources for a serious training and education programme.)

However, those meagre countermeasures didn’t stop people a few breaches down the line from opening files with interesting names like F*ING_WITH_DOGS.SCR (one of the filenames used by MTX). And that, I guess, is the main point of publishing this article. In so many cases over the years, clever (or just lucky) social engineering has been more successful than coding, even geeky, supersmart coding.

Which once again makes the point that however many people claim that we need to focus on technology because ‘education doesn’t work’, it’s worth remembering that technology hasn’t worked either. Don’t technology and training together stand a better chance of reducing the attack surface than technology or training on their own?

Keeping a Balance

Here’s a post flagged by Heimdal Security during RSA 2017. Phishme COO Jim Hansen asserts that:

…it isn’t about throwing more technology at the problem, and it certainly isn’t about blaming the users for being duped by fraudsters…Instead, it’s about training the users to be your first – and most effective – line of defense.

It won’t surprise you that I agree that education and training are underused and underestimated. Nonetheless, if there were no technological measures in place, the problem would be a great deal worse. I don’t doubt the usefulness of Phishme’s ‘human-focused’ approach. However, training in organizations will not, by itself, ‘stop’ phishing. But it certainly has an impact on it, in my experience.

Still, in the end RSA is mostly about selling to big business, rather than to everyone who needs to be taught about self-protection from phishing and other exercises in social engineering. Education – whether it’s the teaching of self-protection or of ethical and moral behaviour – is something that has to be applied early and everywhere before there’s the slightest chance of eliminating IT-related criminality altogether. And that isn’t going to happen anytime soon.

David Harley

