Computer Crime Research Center

Greeting card virus licensed to spread
(By Robert Lemos)

The FriendGreetings electronic greeting card has all the hallmarks of a mass-mailing computer virus.

The e-mail misleads a victim into downloading an application--ostensibly to view a Web card--and then sends itself to every e-mail address in the victim's Outlook contacts file. At least a few systems administrators have complained in Usenet postings that the mass-mailing e-card was to blame for swamping their network.

Yet the creators--Permissioned Media, a company apparently based in Panama--will be hard to prosecute: The viral card is protected by a license agreement that tricks unsuspecting users into clicking "Yes" and consenting to have the program send itself to all their e-mail contacts.

"They are deliberately trying to hide something in a wrapping that they know people won't read," said Vincent Gullotto, vice president of security company Network Associates' antivirus emergency response team.

Without the license agreement, the program would be considered a virus, but with the code wrapped in what could be a prosecution-proof vest, Gullotto is careful to avoid the term. "The unofficial name we have for it is a 'fishy program,'" he said.

The power of a button-click to transform a virus into a legal--albeit questionable--program has some attorneys worried that future Internet attackers could get protection using one of the software industry's best weapons: the click-wrap license.

"This is a legal hack," said Jennifer Granick, a lawyer and clinical director for the Stanford University Center for Internet and Society. "It really raises the problems of online licensing and contracting. Companies haven't wanted to admit (that problems exist), because they get to write the licenses and it benefits them."

The viral e-card is just the latest example of questionable software. In April, Kazaa users inundated Brilliant Digital Entertainment with complaints when they discovered that the most recent version of the company's 3D ad technology software, which is bundled with the Kazaa file-sharing program, contained licensing terms that allowed the company to claim "unused computing power and space" on a person's PC.

Another program, Gator, which tracks users and tailors ads to them, had been roundly criticized by users and advertisers alike.

Is it illegal?
However, if protected by a properly crafted license, such applications aren't actually doing anything that's legally considered wrong. In the precedent-setting case Specht et al. v. Netscape Communications, the court found that two tests must be satisfied for a license to be binding: The user must be aware of the license, and the user must be required to accept it in some way.

The license included in Permissioned Media's FriendGreetings e-card passes both tests.

The viral Web greeting card attracts users with an e-mail masquerading as a message from an acquaintance and stating that an e-card awaits at a Web site, such as "Friendgreetings.com" or "Friend-card.com." The e-mail contains a link that, when clicked, will begin to download the infectious program. A dialog box says the program is necessary to view the e-card.

The installer requires that the user accept two end-user agreements that contain the following text, among other legalese: "As part of the installation process, Permissioned Media will access your MicroSoft(r) (sic) Outlook(r) Contacts list and send an e-mail to persons on your Contacts list inviting them to download FriendGreetings or related products."

Many companies have already blocked access to Friendgreetings.com, but Permissioned Media has repeatedly changed the site's address and sent out a new batch of unsolicited e-mail to users.

"It's getting sneakier," said Alex Shipp, senior antivirus technologist for U.K.-based e-mail service provider MessageLabs. The latest iteration of the e-mail--the fifth, said Shipp--caused a spike in the number of messages blocked by the company's anti-spam filter this past weekend.

Yet, the license gave Shipp pause. "It's a very difficult call," he said. "It behaves exactly like a virus but because it has this disclaimer, some companies think they could get sued if they stop it like a virus."

In 1998, some antivirus companies started blocking a utility called NetBus, which allowed an administrator to control a remote system. Like BackOrifice, the utility soon became a favorite way for hackers to send commands to systems over which they had gained control. However, when the program's creator decided to start a company to sell the product, he hired a lawyer to go after any company that blocked the tool.

"Antivirus companies learned that they have to be careful what they block," Shipp said.

This time the lesson may be different, however; click-wrapped viruses may spotlight the flaws in the system.

The laws under which online vandals and cybercriminals are prosecuted specify that intrusions into computer systems have to be unauthorized. Yet, a Trojan horse or virus wrapped in a click-accept license could make the access authorized, and therefore not a crime.

"The question is that, when most people admit they don't read them, can licenses really give authorization?" said Stanford's Granick. "If you are a prosecutor in a cybercrime case, you argue not."

But courts may have a tough time justifying that what goes for Microsoft and Brilliant Digital shouldn't also go for any other programmer, including a virus writer, Granick points out.

Not everyone is so sure, however. Network Associates' Gullotto wouldn't bet just yet that the laws are what will be altered. Users might just have to adapt instead, he said.

"Times are changing," Gullotto said. "People have to know what they are opening up in e-mail."

Source: theMezz.com

Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.
Contact the CCRC Office at 380-612-735-907
contacts@crime-research.org

Rambler's Top100 Rambler's Top100