From...
Computerworld

E-mail doesn't have to be opened to release virus

May 13, 1999
Web posted at: 12:13 p.m. EDT (1613 GMT)

by Deborah Radcliff

(IDG) -- "Suppose it's possible to send an e-mail containing a hidden construct," said an information security director. "And when the user opens that e-mail, the construct will run without the user ever knowing anything."

Imagine those constructs can do anything their creator wants them to: Secretly copy and download proprietary information, delete the BIOS or reformat your machine.

It's real. The security director, who asked for anonymity, was talking about Russian New Year with a twist.

Discovered in January, Russian New Year exploits the Microsoft Excel CALL functions used to call other Excel functions such as create, write, close, execute and sum.

So what's the twist? Originally, the only way to contract the virus was to visit a Web page and click an HTML link. Now, Russian New Year can be sent via mass mail programs, with the link embedded or as an attachment. Newer browser programs will automatically execute CALL to fetch the embedded document or prepare to open the attachment -- so the e-mail recipient needn't even open the e-mail to get infected.

"Russian New Year is a way of attacking you without you knowing you've been attacked. It really does this," said Ira Winkler, president of Severna Park, Md.-based Information Security Advisors Group and author of Corporate Espionage (Prima Publishing, 1997).

The good news: There are no known reports of Russian New Year attacks on enterprises. And that's why most folks just don't want to talk about it -- they're afraid of letting the cat out of the bag. "If Russian New Year wasn't publicized, people might not exploit it. On the other hand, there are a lot of users who are vulnerable," Winkler said.

Now the bad news. The hack is so subtle, it's likely that if they have been hit, security administrators don't know it. Excel spreadsheets, for example, could be easily and secretly copied to a browser, according to an April 17 alert issued by Finjan Software Ltd., an Israel-based maker of mobile code security software (www.finjan.com/rny/rny1.cfm).

Sneak attack

Under certain conditions, users wouldn't have to manually open HTML attachments or click on embedded links to let the attack in.

"Russian New Year gives attackers the ability to deliver any payload they want," said Penny Leavy, Finjan's senior vice president of global marketing. "Your antivirus software won't catch this. Your firewall won't catch this."

More bad news: The attack is difficult to prevent. Microsoft Corp. has patches, but only for Excel 97. If your users are running Excel 95, you must first upgrade them to Office 97, then load service releases 1 and 2, then load the patch -- which pretty much kills the CALL function altogether.

"Until vendors configure Web browsers to not allow embedded Excel CALL functions, this problem really can't be fixed unless you cancel your Excel CALL functions," Winkler said. Unfortunately, "some people ... use the CALL function all the time," he added.

Financial services firms, for example, rely on CALL to import data from their enterprise resource planning software databases into spreadsheets, Leavy said.

The simplest fix is education. Remind users not to open HTML attachments or click embedded links in e-mail files unless they explicitly trust the source, Winkler said. But there's another possible diabolical twist, he added: If New Year is teamed up with the mass-mailing technology behind the recent Melissa virus, the e-mail will appear to come from a trusted source.

Leavy suggests raising browser-security levels and configuring dialog boxes to send alerts when a program or a Web site is set to call other functions.

Because there's no simple way to block Russian New Year, Winkler advises information technology managers to ask, "Is the benefit of using CALL functions worth more than the potential risk of using them?"

Radcliff is a freelance writer in the San Francisco area. Her Internet address is derad@aol.com.