The Word Trojan: Anatomy of an Online Story

Lately I've been blogging quite a bit on the state of online journalism.  One aspect of that topic that I haven't touched on for a while is the way in which a story breaks, builds, morphs and spreads electronically.  The recent announcement of the Backdoor.Ginwui virus provides an interesting opportunity to do this once again, in order to see who addressed the story and how (including by me), and what, if anything, it all means. Cutting to the bottom line: it doesn't matter how little impact a virus may have; if it targets Microsoft (a/k/a the world's desktop), it's likely that every conceivable and theoretical angle of the story will get poked and prodded, whether it deserves to be or not. The reasons are twofold: first, the threat of a really bad virus is akin to an IT bird flu epidemic, so the mere possibility of a massive outbreak captures the mind. And second, it offers an opportunity for authors to explore other current issues in the marketplace that are directly, or tangentially, related. Taking a look at how stories are written online is also illuminating. In fact, it's been my consistent experience when I've conducted a survey like this that only a small percentage of the online articles written on any story are the product of any actual first-hand research by the author. The vast majority are either short rehashes of information taken from other people's stories (and research) and/or from readily available online alerts, press releases and public statements.

Confirming this for yourself is quite easy, through the good graces of the kind folks at Google, because that company’s technology not only crawls and indexes new pages amazingly quickly, but allows you to restrict your search to news articles, or open it to find everything that’s available on the Web.  When you look just for news hits, you can sort them by date or by relevance to boot.

The sorting algorithm is reasonably good at pulling this feat off, too. For example, a search of “word AND ginwui” yesterday found 77 News stories, and 61,300 Web-wide hits.  Almost all of the former will take you to mainstream news channels, with only the occasional capture of a more outré site (such as Playfuls.com, a Romanian Website with a green Cyclops on its masthead, and postings by reporters with names like CyberLord).

It doesn’t take that long to skim 77 largely derivative stories — so I did. And that’s what I’ll write about today.

The Virus: The best place to begin, of course, is with the facts. The first word of the virus appeared as an alert at the Symantec Website on May 19. That posting named the virus “Trojan.Mdropper.H,” and described it as a “Trojan horse that drops a file on the compromised computer”, and exploits a “zero day” undocumented vulnerability in Microsoft Word to “drop a Backdoor.Ginwui or Backdoor.Ginwui.B.” The alert identified the OSs at risk as Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP.  This first alert also gave detailed instructions for avoiding infection, as well as how to remove the virus if infected.

Detailed technical reports soon followed at other sites, such as this one by F-Secure.

The Microsoft Response:  Microsoft posted its first public notice on the same day as Symantec went public with its alert.  The Microsoft note appears at Microsoft’s Security Response Center Blog, and was (like those that followed on May 20 and May 23) posted by Stephen Toulouse.  In the May 20 entry, Toulouse fairly summarizes the situation as follows:

So far, this is a *very* limited attack, and most of our antivirus partners are rating this as “low”.  But we’re working to investigate any variants we might see to make sure detection is out there, as well as working on the update to address the vulnerability.

A formal alert from Microsoft was posted on May 22 to provide “stronger workarounds.”  It also includes the following paragraph, along with the expected technical details and recommendations:

Microsoft is concerned that this new report of a vulnerability in Word was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

I have no personal knowledge whether posting a public alert of a security flaw before the vendor has released a fix is unusual or not.  Suffice it to say that while some in the blogosphere picked up on this and assigned various motivations (plausible and otherwise) to Symantec’s action, I did not find a single journalist that followed through on this clear lead to see whether there was a story to be had. The closest anyone came was David Utter, who may or may not have been thinking of this paragraph (he didn’t mention it if he did) when he wrote at SecurityProNews.com:

In an amazing coincidence, Symantec’s discovery of the Word 2003 vulnerability and exploit came a day after Symantec sued Microsoft over Windows Vista and the inclusion of Veritas Storage Manager technology. Microsoft responded to that action by noting it had bought all applicable intellectual property rights from Veritas in 2004. The Microsoft postings also stated that a patch to close the security flaw would be included in an already-scheduled release on June 13.

The Threat:  There are, of course, run-of-the-mill as well as devastating virus attacks.  Symantec’s summary rating of this virus was pretty low-bore:  Wild/low; Damage/low; and Distribution/low. In fact, the Symantec site shows that only two infections had been reported.  Stories that came out the same day added the following facts: the virus seemed to be coming from China and Taiwan, was written in Chinese, and was targeted at discrete companies, instead of being loosed on the Internet generally.

So for starters, there would not seem to be much of a story here as regards the actual virus in question.  The real story, to the extent that there was one, would relate to the nature of the situation: that the virus affects those that use Microsoft products (lots of those around), that it affects the most commonly used of all email attachments — Word documents, and that it involves a security flaw that would seemingly remain available to imitators until at least June 13.  Certainly of note to IT directors, but not a barn-burner to Joe Laptop, at least as measured by likelihood of infection, unless and until someone figured out how to exploit the same backdoor in order to target the world.

Online response:  There was only a small handful of stories out of the 77 posted online that were based on actual research: two stories posted the same day at the Washington Post site and an InfoWorld (US Online) story that can be found at ITWorld Canada had quite a bit of useful detail, with each having more information than any subsequent story I found.  Of the 75 that appeared in the week that followed, only a small number contained any new information, in part because there was probably little to be found.

That did not mean that the stories didn’t continue, however.  The journalists that were willing to put some effort in were largely left to contact experts at security companies such as Sophos to get comments and context, and to rely on tangential stories.  Many of these were of the “what if?” variety, relating to the existence of the security flaw, rather than the currently (marginally) active virus. Almost all of the rest were simply brief derivative summaries or electronic reprints of stories by affiliated sites, or sites that repurchase material. Still, the story lines adopted by individual authors in these stories varied widely.

Story lines:  Since there weren’t many infections to report (and therefore presumably not much of a real threat), journalists didn’t have a lot of facts to work with.  Two journalists who did their homework quickly and professionally pretty well exhausted those in articles printed the same day as the Symantec alert.  Given that the attack was limited and the threat ranked as “low,” that didn’t yield much of a story line.  In consequence, Brian Krebs at the Washington Post expanded on the threat in a generic way after a thorough review of the facts available:

We are starting to see a lot more of these targeted attacks, mainly because they are very successful. Most businesses now block executable programs as e-mail attachments, but for business reasons very few will nix Microsoft Word documents that arrive in e-mail.

The contemporaneous story by Paul Roberts, to be found at ITWorld Canada is the most detailed of all that have appeared to date, despite the fact that it was issued the same day as the Symantec alert.  For extra interest, it focused on the fact that the virus exploited a Microsoft security flaw:

Antivirus companies and the SANS Internet Storm Center (ISC) issued a warning Friday about sophisticated e-mail attacks that are using a previously unknown hole in Microsoft Word to infiltrate corporate networks.  On Friday, Symantec raised its Internet threat rating, citing confirmation that attacks using an unknown hole in Microsoft Word were being used to compromise computers on the Internet. Symantec warned subscribers to its DeepSight Threat Management Service that it had confirmed reports of active exploitation of a hole in Microsoft Word 2003. The attacks use Word document attachments in e-mail messages to trigger the security hole and run code that gives attackers control over vulnerable systems, Symantec said. The hole caused Microsoft Word 2000 to crash but did not allow remote attackers to run “shell code” that can be used to control the machine following exploitation, Symantec said. Few other details were available about the hole Friday, however.

Stories written in the days ahead probed for additional insights.  CIOToday.com’s Jay Wrolstad contacted and quoted a security expert on May 22 as follows:

“What is particularly interesting about this Trojan is that it is a zero-day exploit, with attacks launched prior to the announcement of the flaw, and that it is targeting a specific set of large organizations,” said Forrester Research analyst Paul Stamp. He pointed out that because all Microsoft Office applications are extremely complicated, they are particularly vulnerable to exploits.

“Complexity is the enemy of security,” he said. “The more things you can do with an application, the more holes there are for hackers to find.”

RedHerring.com took a similar approach, focusing on the theoretical in the absence of the actual:

[S]ecurity experts agreed that despite the limited spread of the attack, it is dangerous because of its focused nature. “From what we have seen so far, it is only targeted at government organizations and not the public at large,” said Johannes Ullrich, chief research officer at the SANS Institute. “This is the high end of all attacks.”

But experts like Mr. Ullrich now fear that hackers could sell the information to spyware programmers who could use the vulnerability to exploit more computers. The nature of the attack could signal a further escalation in the trend of ‘business worms,’ or highly targeted attacks on corporate users that seek to steal proprietary information. The Zotob worm attack in August last year was regarded by experts as the first of these kinds of attacks (see Zotob Heralds Business Worm).

Of course, not everyone felt constrained to stick to facts and technical points.  ComputerWorld compiled third party posts at its Blogwatch page.  Most were short technical outtakes, except for this one:

Don’t you feel better that Microsoft will fix this in a few weeks? There’s no mention that this particular nasty won’t affect Macs at all. But it’s still a good idea not to ever use MS Word, just to be safe and prevent any accidental loss of rational faculties that may be caused by bad software.

CyberLord at Playfuls.com was more charitable (and also aware of the Symantec legal action), deciding in wonderfully quirky language reminiscent of the Wild and Crazy Guys of long ago Saturday Night skits that:

Although from last week Symantec and Microsoft are at war, concerning Microsoft’s misuse of intellectual property owned by Symantec, which led to trial, yet Symantec still continues to thoroughly investigate the products of the Redmond based company.

But if CyberLord was feeling charitable, The Inquirer.com was not, titling a short, throwaway piece Word 2003 gets back doors kicked in.

The commercial security sector, of course, was also willing to take advantage of the news opportunities.  Several vendors issued press releases; BitDefender issued two on successive days, the latter titled BitDefender Customers Need No Additional Patches to Defend Against Zero Day Word Trojan Attack.

And those that run security tests, of course, ran stories about the security tests they ran, such as this, titled Virus scanners do not always detect Word Trojan:

According to a test on various virus scanners conducted by Andreas Marx for publication in AV-Test Monday morning, a lot of virus scanners only detect parts of the Trojan dropper Ginwui detected last Saturday — if at all. Ginwui exploits a previously unknown security leak in Microsoft Word.

By May 25, the mainstream press was on the story, including the BBC, and the story line was now extending to the individual end-users that read the mainstream press.  The Beeb’s article began “If users get infected by the virus, attackers could open up a backdoor on the PC and take over the machine to use it for their own ends,” and the caption below a picture of fingers busily tapping a keyboard read “Users are being warned to watch out for booby-trapped documents.”

In Australia, the threat to the average bloke also appealed, as in this piece by TheAge.com.au, which decided that home users were most in danger, offering an article alarmingly titled Word flaw threatens home PCs:

“Home users are most at risk from this vulnerability and it is definitely worth double checking any source sending you a Word document attachment,” said MacLeonard Starkey, a security analyst at Auscert.  Sean Richmond, a senior technology consultant at Sophos, said: “Without more research on what the flaw is it is hard to block other trojans targeting the vulnerability.”

I picked up on the story on May 22, when a journalist called me for my take on the Trojan (given that it affected Word).  I said that it brought to mind the warnings that security expert Dan Geer has been offering for years regarding the dangers of “IT monocultures,” with Microsoft products being the prime example.  Dan’s theory is that, as in biological systems, diversity breeds safety and resilience against viral attackers.  With diversity, some systems will suffer and others will survive, while with a monoculture, entire species, if you will, of systems will go down like dominoes, perhaps to disastrous societal, as well as individual, effect.

Only last November, Dan had applauded Massachusetts at CNN.com for mandating use of software that supports the OpenDocument Format (ODF) standard, as it would help protect vital government documents from the increased vulnerability that they would otherwise suffer under in an Office-only world.  The Trojan Ginwui seemed (to me) to provide an apt canary in the proprietary document coalmine.  My piece was called Monocultures and Document Formats:  Dan’s Bomb Goes Off, and included this quote from Dan’s own article:

As a matter of logic alone: If you care about the security of the commonwealth, then you care about the risk of a computing monoculture. If you care about the risk of a computing monoculture, then you care about barriers to diversification. If you care about barriers to diversification, then you care about user-level lock-in. And if you care about user-level lock-in, then you must break the proprietary format stranglehold on the commonwealth. Until that is done, the user-level lock-in will preclude diversification and the monoculture bomb keeps ticking.

My posting was early enough that it got picked up by Slashdot, OSNews.com, Groklaw.com and LinuxToday.com, among other community sites, so it shows up as the third hit in the all-Web search.

Summary:  Today, a Google search yielded 155,000 Web hits, as blogs continue to run wild, but the News count has risen by only 1, indicating that journalism has wrung all it could, and probably more than it should, out of a minor virus attack.  Curiously, the one story that might have been intriguing (did Symantec do anything out of the ordinary in announcing that there was a security flaw in a Microsoft product – thereby exposing it for all of the hackers of the world to exploit – or was Microsoft just saying the same thing it always does when a programming mistake comes to light?)

So there you have it:  a story that was small in impact, but (perhaps) more significant in what it implied, and what people made of it.  The sum total after a week of words written around the world was a small amount of genuine reporting, a cloud of rehashes, some hand-wringing, and a small herd of hobby horse articles — such as mine — in which people saddled the story up to ride to make one point or another.

And a fair picture of the current state of online journalism, warts and all.
