Tuesday, February 08, 2005

Puff the Magic Lantern

Virus Invasion

Badtrans is the name of the virus that is making the rounds currently and grinding email servers to a halt worldwide. There is much speculation by respectable theorists that this may be the much-talked about keylogging virus the FBI is threatening to release on the public known by the name Magic Lantern. Operationally, it fits the profile, logging keystrokes to a temp-file and when the temp-file reaches a certain size, mailing the log file to a pre-specified recipient. The Badtrans virus has had a couple modifications made to it over the last couple weeks, making it's transmission and operations more smooth, and therefore more infections and effective, however it is reported that most commercially available anti-virus software still picks it up prior to infection.

The new version of the Badtrans virus activates embedded HTML in the email and automatically informs Microsoft email programs to activate the attached virus program. The virus also appears to activate the MP3 player.

There are three scenarios within possibility which would explain the origin of the Badtrans virus. The first, most obvious, and most widely accepted is that it is a simple keylogging virus put out by a random hacker to get user's usernames and passwords. The second theory is more of an addendum to the first, in that it's a virus putout by a random hacker at this time to try to create a buzz and make it look as if the FBI is targeting certain groups or demographics (this theory has been posited by many members of the OSINT group RM News). The third theory is that this is in fact the second iteration of the Magic Lantern keylogger.

The first theory is supported by the simple fact that this sort of thing comes out on a fairly regular basis, and to assume that this virus is any different than the last 15 that have come out is pure conjecture --at least at first glance. The third theory is supported by the plethora of news releases that has accompanied the virus's release that tell of the FBI's Magic Lantern keylogger's inner workings. The operations are very similar in description, and a mass release through worm form is an effective means of distribution, despite the preferred method of delivery is reportedly the newly allowed "sneak and peek" method --however, distribution through an email virus does seem to be a bit unconventional, a bit of a kludge-type attack. Granted, the FBI's technology teams have proven somewhat clueless as to implementation of internet technologies in the past, but this tends to lack the type of precision the FBI needs, and seems like it could lead to the type of legal trouble the FBI could ill-afford.

All of this lends the most credence to the second theory, that it is most likely being used as an Infowar tool, to make individuals feel as if they are being singled out by the FBI or other government agencies since most virus detection systems alert the user of it and mention it's purpose. It may have originally started out as the tool mentioned in theory one, but it has quickly become the tool mentioned in theory two.


Post a Comment

<< Home