FW: [TSMalcode] e-card follow-up no 6
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 11/11/02
Date: Sun, 10 Nov 2002 18:56:06 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
While not directly related to MS security, I figure it's about time I put something out on this issue. TruSecure's TSMalcode mailing list has been tracking this for a couple of weeks now.
Below is a list of URLs which are being presented in emails sent to you from someone you know. The email indicates you have received an on-line greeting from that person and you should click on the link to check it out.
Here's the twist. This isn't malcode in the strictest sense. The authors of this thing provide you with proper install and de-install tools, and don't do anything they don't tell you they're going to do. The trick is in the End-User License Agreement (EULA) that you must accept to install the thing. The EULA explicitly outlines that it will use your email client to resend itself to everyone you know.
Clearly, a great number of people never bother to read the EULA, or read it in its entirety. One can easily argue that you were told what this tool would do, and chose to install it and let it do its thing. I'd like to be sitting face to face with any of the 100+ people who have installed this on their systems and subsequently sent an email to NTBugtraq telling us they have a greeting for us...doh!
I'd love to create one that simply says, "By clicking on the Ok button you agree to pay Russ Cooper $1000 for the experience", and give them an Ok and Cancel button. The email it would be contained in would be a legal agreement binding them to the execution of the Ok click. Upon the click, have a copy sent to me, and my lawyers, and the police. You get charged $1000 for me showing you how stupid you are...;-]
While blocking the links below will help minimize the effects of this thing, nothing will improve the grey cells of your users who do click on such a link better than beating them over the head with a bill. Try sending a message to your users along the lines of that outlined above and copy their boss' (in the case of the CEO, copy the Chairman of the Board of Directors or your PR firm).
These things are bad enough when they fool you, but one that tells you up front everything about it and still gets traction just goes to show that patches and security devices are, by and large, virtually useless in an environment full of uneducated users. Policy and Education are the key...;-]
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
URLs found in this thing:
>www.friend-g"RemoveThis"reeting.com
>www.friend-g"RemoveThis"reeting.net
>www.friend-c"RemoveThis"ards.net
>www.friendg"RemoveThis"reetings.com
>www.friend-g"RemoveThis"reetings.com
>www.friend-g"RemoveThis"reetings.net
>www.cool-d"RemoveThis"ownloads.net
The string "RemoveThis" is not part of the real URL.