The Klez Worm's contribution to social engineering is devastatingly simple: It fakes the return address of mail you desperately want to avoid getting. That way, you'll blame your friends for something they didn't do.
technofile
Al Fasoldt's reviews and commentaries, continuously available online since 1983

How the Klez Worm left us socially defenseless

Who sent you a virus? How can you tell if what you 'know' is actually the truth?


May 12, 2002


By Al Fasoldt
Copyright © 2002, Al Fasoldt
Copyright © 2002, The Post-Standard

   Life changed a few weeks ago. Things are no longer what they seem.
   Mail you get might not be from the person you think it's from. It might be from anybody. The name at the top of the letter no longer has the same kind of surety it had a month ago. Suddenly, we are facing a problem of authenticity we've never faced before.
   This is happening to you and me and the family down the street. Although the source of this radical shift in the way we identify e-mail is a Windows computer worm, and even though it is spread only by Microsoft's unsafe operating systems and mail software, we have all been turned into victims. Whether you use a Windows PC, an Apple Macintosh or a Linux computer, untrustworthy e-mail is a new fact of your existence. The letter you get from your sister-in-law tomorrow might indeed be from your sister-in-law, or it might be from a 12-year-old whose family PC is infected with the Klez Worm.
   THIS IS the Klez Worm's contribution to social engineering. It has forced us to stop trusting one of the main instruments of modern communication.
   Modern life has long been a system of complicated compromises. The voice on the phone sounds like your brother's voice, so you assume he is the one calling you. You have no proof, and you don't ask for confirmation. You simply "know" it is your brother on the line. A package arrives via Federal Express. Without even looking at the return address on the package, you assume that you've received the shipment you ordered a few days ago. You "know" it is the replacement part for the dishwasher.
   We don't actually know these things, of course. But we learned long ago to trust our daily experiences. The guy in a uniform who shows up at your door with your runaway dog in tow might not show you a badge that proves he's the dog warden, but no one would doubt his authenticity. We just "know" these things without actually knowing them for real.
   Life has a continuity, a pattern we can depend on. We trust that what we sense is what we know, and we're almost always certain that what we know is what we see and feel.
   But by a single brutal technique, the Klez Worm, a specialized form of computer virus, has changed all that. The Klez Worm's contribution to social engineering is devastatingly simple: It grabs e-mail addresses from the Windows address book -- a list of names and e-mail addresses stored without any security on nearly all Windows computers -- and sends itself out to as many of these addresses as it can manage. But instead of using YOUR return address, it fakes the sender's address by putting one of its stolen addresses into the e-mail's "From:" field.
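   The "From:" field the column describes is just text the sending program writes; nothing in ordinary SMTP checks it. What a recipient can look at instead is the envelope sender ("Return-Path:") and the "Received:" line that the recipient's own mail server added, which names the machine that actually handed the message over. The script below is an added example, not part of the column, that compares those three pieces of a message header. Both messages in it are constructed; every address, host name and IP in them is a placeholder.

```python
"""Compare a message's visible From: address with its envelope sender and
the host named in the oldest Received: line.

Added example; not code from the original column. The two messages below
are constructed, and all names, hosts and addresses in them are placeholders.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample 1: From: claims a newspaper address, but the envelope
# sender and the first hop belong to a home ISP. This is the Klez pattern the
# column describes: the From: field is borrowed from someone's address book.
SPOOFED_MESSAGE = b"""Return-Path: <someone@home-isp.example>
Received: from dialup-pool.home-isp.example (dialup-pool.home-isp.example [192.0.2.17])
\tby mx.newspaper.example with SMTP; Sat, 27 Apr 2002 10:14:00 -0400
From: columnist@newspaper.example
To: reader@somewhere.example
Subject: a new game I wrote
Message-ID: <constructed-example-1@home-isp.example>

Hi, try my new game.
"""

# Constructed sample 2: every part of the header agrees with the From: domain.
LEGIT_MESSAGE = b"""Return-Path: <columnist@newspaper.example>
Received: from smtp.newspaper.example (smtp.newspaper.example [198.51.100.8])
\tby mx.somewhere.example with SMTP; Sat, 27 Apr 2002 11:02:00 -0400
From: columnist@newspaper.example
To: reader@somewhere.example
Subject: Sunday column
Message-ID: <constructed-example-2@newspaper.example>

Attached is this week's column.
"""


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header, or '' if none."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def first_received_host(msg) -> str:
    """Host named in the 'from' clause of the oldest Received: header.

    Mail servers prepend Received: lines, so the last one in the list is the
    hop closest to the sender. Only the line added by a server you trust
    (normally your own) is reliable; earlier ones can be written by the sender.
    """
    received = msg.get_all("Received") or []
    if not received:
        return ""
    tokens = str(received[-1]).split()
    if len(tokens) > 1 and tokens[0].lower() == "from":
        return tokens[1].lower()
    return ""


def assess_sender(raw: bytes) -> dict:
    """Report whether the From: domain is corroborated by envelope and first hop."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    hop = first_received_host(msg)

    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append(
            f"envelope sender domain {envelope_domain!r} differs from From: domain {from_domain!r}"
        )
    if hop and from_domain and not hop.endswith(from_domain):
        findings.append(f"first hop {hop!r} is not in the From: domain {from_domain!r}")

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "first_hop": hop,
        "from_header_corroborated": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        result = assess_sender(raw)
        print(label, "corroborated:", result["from_header_corroborated"])
        for finding in result["findings"]:
            print("  -", finding)
```

   A mismatch is an indicator, not proof: mailing lists, forwarders and people who send personal mail through a work server all produce a legitimate mismatch between envelope and From:. The useful lesson for the reader angry at the columnist is the reverse one: agreement in the From: field alone proves nothing, and the machine named in your own server's Received: line is where the message actually came from.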
   AS SOON AS the latest infestation started spreading on a weekend in late April, I began getting messages from people I didn't know. Some of the messages were Klez Worm payloads, blocked by my antivirus software. But others were, at first, mystifying. I got angry letters from people telling me I had sent them a virus, when, of course, I hadn't. One letter writer was angry and bitter. How, he asked, could someone who claims to be an expert on Windows' security send him a virus?
   But, to all these e-mail recipients, I had indeed sent them a virus. They were receiving the Klez Worm through the mail and I was sending it to them. Or, rather, they were receiving the Klez Worm through the mail and they "knew" I was sending it to them because the mail they received had my e-mail fingerprints on it.
   Please note that it does not matter whether I actually was sending the Klez Worm to all these recipients. Life has changed.
   If your Windows PC gets a virus infection and the virus came from a source that carries my name and my e-mail address, that's all you need to know. Isn't that the way things are? You might even be an old friend. You might even be my sister-in-law. It wouldn't matter. You'd blame me because the mail came into your computer with my name on it, with my return address.
   I'd love to be wrong about this. I'd like to think we are all better people than that. I'd love to find out that we are all sophisticated enough to know that things might not be what they seem, whether in e-mail or in life itself.
   But as long as we are naive, we are doomed. As long as we trust what cannot be trusted any longer, we are asking virus writers to run our lives. I'd like to think we won't let that happen, but I have to be honest. What I see every day frightens me.
   Think about this. Your mom isn't ever going to sit down and write to you about a new game she wrote. You know that better than I do. Yet when "your mom" (the Klez Worm, faking your mom's identity in the return address) sends a letter to you with a subject line written in pidgin English, I know what's going to happen. You're going to open that letter, and you're going to spread the Klez Worm to everyone you share your e-mail with. And, like so many others, you're going to complain that someone ought to do something about those viruses that are going around.
   I believe the Klez Worm spreads not because the programmer who devised this evil virus was clever but because too many of us are the opposite. If I am right, we should all realize that we have some work to do to pull our lives back into order.