
Making Money in the New Old-Fashioned Way

Updated: 29 Jun 2009
Stuart Smith

Larry Wall once said, “Three great virtues of programming are laziness, impatience, and hubris.” It appears the authors of W32.Darksnow have taken this saying to heart. It also appears that they were too impatient to read the other virtues he lists – diligence, patience, and humility. And they’ve mainly focused on the virtue of laziness, by trying to find a way to make money using other people’s computers (and electricity and bandwidth). Specifically, they wanted to make money using other people’s computers to spoof “impressions” of advertising links. Without asking the people, of course. That would be too much work. And they’d probably say no.

Of course, you can’t just set up a computer, and let a program sit there and pretend to view Web pages. You’d need a lot of computers to really make money. And the ad networks are smart enough to figure out that someone probably isn’t sitting on their computer all day refreshing a Web page, so the virus writers couldn’t get any money for this. Something sneakier was needed. First, a program to generate ad impressions. Check. Next, have it download a configurable file that tells it where to go to get the ad links. You need this configurable, so you can change it from time to time to avoid getting caught. Check. Next, a page hosting the ad links that you can view. Check.

But how to get it to spread to enough computers to make money? Discover a new exploit? But that would mean spending long hours looking at the bits of someone else’s program, and/or long hours writing your own program and testing it. Clever social engineering? That would mean spending long hours trying to understand what makes people do the things they do. So the usual ideas were both out. Instead, it appears the virus writer popped in a CD from the 80’s (cassette tape?) and flashed back to office macros. These were easy enough to write. Ah, the good old days for virus writers. They didn’t even have to look at any hex back then…

But in today’s world, how do you get someone to run your macro? Well, you get the program to do it for you. So now we have the reproductive cycle for this threat:

Ad viewing program (W32.Darksnow) > creates Macro (O97M.Darksnow) > creates Ad viewing program (W32.Darksnow) and more macros – and so on.

However, some tricks were needed. Untrusted macros won’t run by themselves anymore, so the Ad viewing program (W32.Darksnow) also had to drop the security settings of Office. And the macro still fails to reproduce in a number of common environments. I guess maybe they should have continued to read Larry Wall’s quote, and been a bit more diligent. Thankfully, they weren’t.