Hoaxes, myths,
urban legends





About us


Truth about computer security hysteria
Truth About Computer Security Hysteria

Rob Rosenberger

Kournikova cornucopia, part 2

Rob Rosenberger, Vmyths co-founder
Thursday, 15 February 2001 [continued from part 1] I NOTICE A lot of Kournikova stories include photos of Anna Kournikova. Does anyone else see the irony here? Think of Jimmy Olsen as he reads the newswire folders: "New virus spreads as picture of Russian tennis star. Photo attached." I can imagine him scratching his head. "Hey Clark, do you think it's safe to look at this AP photo?"
You know you made the big-time when Sports Illu­strated writes about your com­pu­ter virus.
You know you made the big-time when Sports Illustrated writes about your computer virus. Special congrats to Vincent Weafer (Symantec), who probably scored the first antivirus quote in a major sports magazine. Vinnie da man! Has the adrenaline worn off? Good. Sit back and ask yourself a few questions:
  1. Did you rush to update your antivirus software — only to find your vendor's website completely swamped by everyone else on the planet who suddenly wanted updates?
  2. Did you realize you're addicted to antivirus updates? (I recently coined the term "addictive update model" to describe it.)
  3. Did you receive more warnings about the virus, than the virus itself sent to you? How many corporate-wide email alerts did your computer security team send out?
  4. If your company shut down its email servers or disconnected itself from the Internet, did they do it to stop an attack — or did a fraidy-cat pull the plug as a precaution?
Kournikova's author uses "OnTheFly" as his CB handle. His press release soothes victims by noting "I never wanted to harm the people you opened the attachment. But after all: it’s their own fault they got infected with the AnnaKournikova virus, OnTheFly virus or watever they call it. To get rid of that virus, please visit the regular anti-virus sites. They all have some antdote right now." I offer genuine kudos to Wired correspondent Michelle Delio for snagging an "exclusive instant-messaging interview" with Kournikova's author. I'd love to know how she beat everyone else to the punch — and I suspect other news agencies want to know her secret, too. Sadly, Delio later blew it by linking directly to a virus creation toolkit in one of her stories. Good ol' Wired magazine: creating tomorrow's news today. UPI reporter Hil Anderson filed a newswire with this prescient comment: "the software industry, however, acted quickly and the Web was soon peppered with press releases announcing that a fix had been developed." Somebody out there recognizes a press release when it lands in their lap! We may yet find salvation.
AND SPEAKING OF reporters... I noticed something weird about the virus hysteria. On Monday, the media freaked out at the Internet atrocity unfolding before their eyes. On Tuesday, reporters smirked at the virus writer's press release. So tell me — how can a massive Internet atrocity vanish overnight?
On Monday, re­por­ters screamed about a looming Inter­net atro­city. On Tues­day, re­por­ters smirked at the virus writer's press re­lease. Tell me — how can a mas­sive Inter­net atro­city vanish overnight?
Come on! Don't we even get an "End of the World Canceled" headline? Well, perhaps it didn't completely "vanish." A few brave reporters covered the, uh, "anna-climax": I almost want to give an honorable mention to AP writer Anthony Deutch, who noted in passing at the bottom of his story "the outbreak was largely contained by Tuesday." Do tell. Reuters reporter Lisa Baertlein offered a hilarious comment: "One San Francisco analyst, who got a half-dozen of the Kournikova e-mails before his firm's server went down, wanted to know if people opened the e-mail attachment without a promise of a nude photo. When he learned that was the case, he laughed and said, 'Idiots.' " An Associated Press newswire quoted a devastating prediction from Kenny Liao (Trend): "If we look at the total number of users that have been reported to us and consider we are only contacting a small portion of the Australian population — the estimation would be more than 100,000 [infected Australian computer users]." Liao's estimate led Asia Pulse to file a story with the authoritative headline "Some 100,000 Australians Hit By Kournikova." This led the Xinhua news agency to report a complete meltdown of email service in Australia. "At least one million of the e-mails were still circulating around the country Tuesday night, international anti-virus research company Trend Micro said... Liao also warned companies to keep a look out for a new strand of the I Love You virus on Valentines Day Wednesday." Let's all bow our heads in memory of the land down under, where electrons flow and nerds do plunder... {sniffle} I don't know about you, but I'll miss Australia's participation in the Internet.
"[One man] wanted to know if people opened the e-mail attach­ment without a promise of a nude photo. When he learned that was the case, he laughed and said, 'Idiots.' "
We can't go another minute without reviewing many other great (and not so great) quotes from the Kournikova hysteria:
  • A ZDNN story quoted Alex Shipp (MessageLabs): "[Kournikova is] spreading twice as fast as the Love Bug." Then again, his company's comparison charts don't seem to support it in my eyes. MSNBC quoted him as saying "this one will be big." On Monday, anyway.
  • From ZDNet: "update your anti-virus software at least once a month." I quote it only because they used to recommend daily updates. What, did they find it too cumbersome to download 365+ software patches per year?
  • From a Wired story: " '[Anna Kournikova is] a very good looking woman. Every guy in the world is going to click on that attachment,' said Andrew Antipass, a systems administrator at Tekserve, a security firm."
  • An MSNBC story quoted Mikko Hypponen (F-Secure): "I think it's going to get worse before it gets better... It's spreading faster than any sample we've received this year. It's spreading almost as fast as LoveLetter."
  • A news.com story quoted Vincent Weafer (Symantec): "it's going to be more widespread than Melissa but less than the Love Bug."
  • A Chicago Tribune story quoted Steve Gottwals (F-Secure): "It's an old virus concept, but you put a pretty face and a nice pair of legs on it and people open it."
  • An ABC News story quotes Raemund Genes (Trend Micro): "it has been detected within major companies, big ones [this morning], almost every big one, because it's spreading through the PR agencies." One reporter [name withheld] who spoke to me described the various infected emails flowing in from PR firms.
  • An ABC News story quotes Robert Hermeryck (Trend Micro): "She is gorgeous... She's beautiful. Men and women alike want to look at her." (The tennis star, not the virus.)
  • A PA News newswire quotes Eric Chien (Symantec): "again we are urging companies to block attachments with double extensions such as .jpg.vbs." Okay, I'll bite. How do you configure Symantec's antivirus products to block double-extension exploits? (Hint: I asked a trick question.)
  • A PA News newswire quotes Graham Cluley (Sophos): "Our message to computer users is simple — think with your brain, not your groin," when you receive email attachments. Multiple news agencies quoted him on Kournikova's sex appeal: "[she is] the average fantasy of the guy who sits in front of the computer terminal."

LET'S SEE NOW, what else happened? Aha. Brightmail issued an embarrassing press release: "at approximately 10:00 AM Pacific Standard Time yesterday," it begins, "[we] identified the Anna Kournikova spamming virus. By 11:55 AM, the company had distributed a 'rule' to prevent it from reaching the 100,000,000 mailboxes within its customer base, among them users of Earthlink and AT&T WorldNet." Why did they need almost two hours to stop a 5yr-old threat? Clearly, their "experts" need to learn about double-extension exploits.
Brightmail needed al­most two hours to stop a 5yr-old threat. And they bragged about it! Clearly, their "experts" need to learn about double-extension exploits.
Check out this exploitation press release at the height of Kournikova hysteria. "WHAT: Computer Sciences Corporation (NYSE: CSC) cyber security expert available for interviews following recent high-profile virus and hacker attacks. WHO: Guy L. Copeland, CSC vice president... WHEN: Beginning February 13, 2001." Gotta move faster, Big Guy: the armageddon subsided before your accessibility date. Reporters then wanted to interview a 20yr-old in Europe, not some stuffy-shirt Beltway Bandit. Panda Software's daily email newsletter explained the 5yr-old threat of double-extension exploits. Predictably, the firm didn't recommend their own products to stop such a simple exploit. Their solution? Look for evil files with your eyeballs, not with antivirus software. Go figure. Steven Sundermeier (Central Command) bragged in a press release: "we are very pleased to announce that we received no reports of the Anna Kournikova Internet worm infecting our customers." Score another victory for proactive (not reactive) antivirus technology. Oh, I almost forgot. I received the following spam yesterday:
There is a new virus that is sweeping through computers all around the world! This virus is Very Contagious, and it is growing at a tremendous rate! However, this is Not a computer virus. It is excitement about the most exciting Opportunity on the Internet today. We are "Making Millionaires One Click at a Time!" $19.95 a month, No Sponsoring Required. For more information, please email: [address removed], and put "more info" in the subject box.
Please forward this information to anyone who sent you a Kournikova alert. They'd rather receive this email 25 times than not receive it at all...

[continued in part 3]