by Ed Foster

Sneakwrapping a virus

analysis
Nov 1, 2002

If it acts like a virus, it is a virus, even if its creators cloak it in a EULA to legitimize their security breach

READERS HAVE OFTEN joked that we’ll really be in trouble when the viruses start coming with sneakwrap license agreements. But now that it has happened, it turns out the real joke is how many people seem to think that the existence of the license means it’s not a virus.

Starting on Oct. 24, 2002, thousands of people received an e-mail in which a friend or business associate asked them to pick up an “e-card” left for them at a site called FriendGreetings.com. Those who followed their acquaintances’ supposed instructions discovered they would need to download a program to view the e-card, and they were presented with standard digital certificate authentication and installation software to do so. Adding credibility to the process was the fact that they then had to click OK on two EULAs (End-User License Agreements) in order to download the viewer software.

We don’t know how many people took the time to read both EULAs, but we can be pretty certain that none who proceeded to click their approval had read the second one. If they had, they would have seen the bald statement that the supposedly Panamanian company that owned FriendGreetings.com would be accessing the licensee’s Outlook contact list and sending everyone on that list a similar invitation to download FriendGreetings.

And that’s exactly what the software did when installed, with serious results at some hard-hit companies. Along with spamming many of their co-workers, those credulous enough to download the FriendGreetings software often had problems with Outlook errors and changes made to some of their Windows settings. The install also apparently deposited several spyware/adware agents that needed to be sought out and eradicated before they caused trouble. “We’ll be cleaning up the mess at least through the weekend,” one IT manager said. “The worst part though is having to explain it to the clients and vendors our people sent this thing out to.”

Dealing with it was made all the more difficult by the seeming reluctance of the anti-virus software vendors to treat the FriendGreetings outbreak as they would any other virus. “Unbelievable — Network Associates is saying they can’t respond because of ‘legal’ issues,” wrote one reader shortly after the attack began. “They say it’s not a virus because one of our users granted permission for it to occur by accepting the EULA.”

To its credit, however, Network Associates shortly changed its mind. Although still not officially classifying it as a virus due to the EULA, Network Associates posted details about the files FriendGreetings downloaded on victims’ computers and said detection capabilities would be included in its next anti-virus update file.

In contrast, Symantec Security Response posted an advisory that it was aware “of a widespread e-card” with worm-like characteristics but did not classify it as a malicious threat. (At the same time, Symantec was treating the Cytron or Ortyc trojan — another e-card virus that FriendGreetings was probably imitating — as a serious security threat, even though the Cytron adware was downloaded in a very similar fashion but with no EULAs or spamming of Outlook contacts.) Because the second EULA “explicitly states that by accepting the agreement, you are authorizing the software to send an e-mail to all contacts,” Symantec saw no reason to offer its customers the ability to detect files associated with the FriendGreetings download. Customers who wanted to remove those files were directed to a FriendGreetings page which, like the rest of the FriendGreetings.com site, was soon inaccessible. Only after the problem was dying down the next week did Symantec tell me they would respond to customer complaints and post information about how to deal with the virus.

Much of the discussion on the Internet about the attack reflected the same notion that the warning in the EULA meant that FriendGreetings was guilty of nothing more than a somewhat unethical type of viral marketing. People I know to be otherwise quite sane expressed the idea that this just shows you have to read all the EULAs carefully.

What? Wake up, folks. Call it a virus, worm, trojan, or whatever; the FriendGreetings e-mail was a sinister, deceptive attack in clear violation of federal computer fraud and data security laws. It was still not clear at press time what the real purpose behind FriendGreetings was — perhaps it was an attempt to plant pop-up ads for porn sites similar to the Cytron virus, or maybe it was just harvesting e-mail addresses for spammers. Whatever the intent, the e-card was a false pretense.

Reading all EULAs carefully isn’t the answer. The essential idea of sneakwrap, be it from spammers or Symantec, is to get this stuff past you, and they’ll do whatever it takes (see “Can you really click no,” April 22). If you’ll read one EULA, they’ll start giving you two. If you’ll read two EULAs, they’ll give you three, or render them in 2-point type or Latin or whatever.

Stating in a license agreement that you’re going to commit a crime doesn’t give you the right to do so. Yet it seems that’s what some software companies would have us believe. Why else would Symantec seem to care more about upholding the sanctity of some fly-by-night operation’s EULA than helping its customers deal with a real security threat? What if the FriendGreetings EULA had said they were going to erase your hard drive too? Would Symantec still say that’s not a security threat? Hey, you agreed to it.

The real lesson of the FriendGreetings attack has to be that sneakwrap is no way to run a railroad. We can’t let license agreements that no one has the time to read be the basis of Internet commerce. If we do, it will mean only those with something to hide will ever feel safe and secure.