The Northern Spy
The Internet is replete with warnings
these days over the latest malware, a worm with an unlikely name and modus operandus, and of as yet undermined intention.
To date, the so-called cornflaker worm (aka "Herbert") has merely spread, exploiting vulnerabilities in memory sticks, firewalls and the W*nd*ws OS, and is estimated (in its several variants) to have compromised several million computers thus far. The worm infects at the root level, embedding itself deeply in the system, giving it the ability to open up ports, prevent OS updates, turn off virus checkers, and resist typical removal efforts. As always in such cases, neither UNIX/Linux nor MacOS systems are affected, unless they are running W*nd*ws under an emulator or alternate boot system. The original infection mode (there are now more) was via viewing a specially crafted web page using IE on a W*nd*ws machine.
Comment: Some with little imagination and an axe to grind claim that no one bothers to write viruses to attack MacOS because the number of potential victims (and hence the reward of acclaim from other slime in the viral community) is too small. On the contrary, asserts the Spy. The first person to succeed in compromising MacOS with a genuine piece of malware is likely to achieve infamy for a full eighteen minutes, some twenty percent longer than the norm in our short attention span society.
Whoever the Black Hat mastermind behind this operation, (s)he has already assembled one of the largest bot nets to date. Authorities do not know what cornflaker's ultimate purpose is, as the worm does not yet have its payload code. Infected machines run through a list of internet domains, contacting them for instructions on a daily basis. Presumably, on a day known only to Mother Black Hat, one of those domains will contain the payload and the bot net, instructions in metaphorical hand, will then set about its nefarious task under the direction of this CCC (command and control centre).
Speculation about what that unknown task could be has been rampant. Some think perennial favourite target MS may be in for another round of DNS attacks. Others cite the Pentagon as a likely target. Still others are convinced that this is the opening shot in a new war between old-time enemies Berserkistan and Acnestan (previously known as Ackackistan), citing possible revenge for the time the former hired a mixed group of pre-teen Bosnian and Bulgarian virus coders to take down the latter's national soccer team site.
Yet another theory is that this is a rental bot net, with potential clients including rival biker gangs shooting code bullets over the lucrative internet drug trade, a three way browser war among MS, FireFox, and Safari, or (from competing conspiracy theorists who before their split brought us 911 as a CBS and Girl Scout plot) either (i) a certain large bank or (ii) the US government. Supposedly in either of the latter cases the motivation is a desperate attempt to focus news attention away from executive bonuses by attracting a sympathy reaction from the public after it deliberately falls victim to its own malware.
The Spy's take? If a government is involved, itŐs a clever but essentially juvenile lot. He regards Internet vandals much as he does boys who pull wings off flies, girls who deface high school washrooms, gamblers and stock promoters whose next bet is a sure thing, politicians, lawyers, and car salesfolk whose opening line is "trust me", or competing wing-nut rent-a-crowd extremists who beat each other over the head during demonstrations for or against the latest trendy cause de jour. Grow up and get a life, why not?
In the practical, on-the-ground fight against cornflaker, various internet registration authorities have banded to create an informal information and strategy swapping agency named CEREAL (Centre for Emergency Registry Engagement, Alignment, and Laboratories). Spokesperson Brianna England is quoted as saying: "This is a nasty one, but we're going to shrink the black hats' headbands for sure this time. We have ways of spotting the CCC in its early stages, and promise to take down their CCC site before it can do much harm. When our code dukes it out with theirs, we'll make shredded wheat out of these flakes." Asked if she would speculate on cornflaker's ultimate target, or if she thought this iteration of the worm was only a dress rehearsal for something even bigger, England refused further comment.
The Spy notes that one spread vector appears to constitute an intelligence test of sorts, as it piggybacks on auto-run software situated on memory sticks, compromising any machine whose USB port it gets plugged into--neatly evading institutional firewalls. Anyone failing the test by leaving such software active can apparently be safely presumed also to have an unprotected W*nd*ws computer that is easy to compromise. A second issue of the same sort (see below) involved a wireless router vulnerability, and again, the Spy suggests that anyone so foolish as to leave a wireless router unprotected can rightly be regarded by the black hats as a sucker waiting to be taken to the electronic cleaners. He makes so bold as to refer readers to his second law.
In that last respect, the cornflaker worm is indeed named for its second, more unusual and innovative exploit vector, in which certain specially altered boxes of breakfast cereal have had microdot RFID chips baked into the contents. Opening the box activates an antenna and amplifier embedded in the cardboard, which is used by the chips as soon as they are activated by pouring milk on the cereal. If the infected flakes are within range of a susceptible and unprotected router, it becomes compromised and a number of ports are opened. Scanning software from an already infected machine on the same network class typically spots the vulnerability within seconds and is then able to bypass the now useless firewall and infect all the computers inside it.
At least there are easy avoidance strategies for this vector. First, if the box is opened at the bottom rather than the top, the first activation stage does not trigger. The box is then unable to amplify the signal from the flakes, cutting down their effective range substantially. Second, if one-percent milk is used, the second stage also will not activate, as tests in the CEREAL labs indicate the RFIDs appear to require at least two-and-a-half percent butterfat to bulk out their code. Not eating the cereal isn't an option, as the box is capable of calling your mother and complaining. Third, if the infected chips are consumed, their effective radius is small, and simply staying away from all wireless routers four meters or more (take a walk) until the chips have been digested will also do the trick. Finally, whatever you do, don't send in the box top with the offer of a free condo timeshare in Florida. It will take personal information scavenged from your computer and its local traffic along with it.
On-the-ballmer officials at MS have offered a substantial reward for anyone with information leading to the apprehension and conviction of cornflaker's author, but industry spokespeople have already noted that a thousand autographed copies of W*nd*ws, far from inducing anyone to come forward, is more likely to have the opposite effect. The Spy's preferred bottom line: Be alert. The world needs more lerts.
In other breaking news,
Della Michael announced today that she is winding up the generic box assembly company she founded and that bears her name. "We've been making trash all these years, and we knew it. Our customers have found us out and deserted us in droves. Our only alternative is to close our doors, sell everything off, and give the shareholders back their money", she lamented at a press conference held aboard the private jet well-known investment banker Stanley and Morgan recently purchased with bailout money. "I'm getting out of the computer business. Its too commoditized and the margins are low. Instead, I'm joining my friends at S&M here in a new project selling junk financial derivatives to gullible governments."
iSteve announced that he will not be returning to Apple Corp. "Now that Della has packed it in, I've decided instead to make animated Bible features for the Billy Graham organization," he said in an interview conducted on his back porch. Computers are nice, but they are, after all, just toys. He who dies with the most toys may win; the pertinent question is, what is the prize?"
Enough is enough
(an interesting tautology, that) from the ink-stained wretch. He needs to get home to a turkey dinner. It is, after all, fowls' day.
Rick Sutcliffe, (a.k.a. The Northern Spy) is professor of Computing Science and Mathematics at Trinity Western University. He's written two textbooks and several novels, one named best ePublished SF novel for 2003. His columns have appeared in numerous magazines and newspapers, and he's a regular speaker at churches, schools, academic meetings, and conferences. He and his wife Joyce have lived in the Aldergrove/Bradner area of BC since 1972.
Want to discuss this and other Northern Spy columns? Surf on over to ArjayBB.com. Participate and you could win free web hosting from the WebNameHost.net subsidiary of Arjay Web Services. Rick Sutcliffe's fiction can be purchased in various eBook formats from Fictionwise, and in dead tree form from Bowker's Booksurge.
The Northern Spy Home Page: http://www.TheNorthernSpy.com
The Spy's Laws collected: http://www.thenorthernspy.com/spyslaws.htm
The Spy's Shareware download site: http://downloads.thenorthernspy.com/
WebNameHost : http://www.WebNameHost.net
WebNameSource : http://www.WebNameSource.net
nameman : http://nameman.net
opundo : http://opundo.com
Sheaves Christian Resources : http://sheaves.org
Arjay Books: http://www.ArjayBooks.com