WebTV Flood Virus Attacks Newsgroups; WebTV Says It's Not a Virus
By Brian C. Bock & Laura Buddine (March 16, 2000)
UPDATE 3/21/00 [Editor's Note: WebTV is working on a fix for what they call the "malicious code attack." A WebTV spokesperson stated in a press release that the issue is not a virus, but rather is a malicious use of features of WebTV's Discuss feature. The problem affects owners of the original WebTV Classic. WebTV is currently working on a fix. Net4TV Voice is following the story and will provide further information and analysis in our next issue. -Dex]
Net4TV Voice has learned that a combination of "wtv-tricks" codes has been used to create a virus which exploits unsuspecting users to flood WebTV's newsgroups. The virus self-replicates by altering signatures and posting wildly in newsgroups, destroying ongoing discussions by pushing messages beyond the limited number of posts that can be displayed by the WebTV newsgroup reader.
WebTV users have told Net4TV that the "e-mail signature hack," previously reported in Net4TV Voice, is being used in combination with a WebTV-designed newsgroup posting code. The combination of codes creates a virus that alters users' e-mail signatures to insert the code, and posts messages to newsgroups without the user's knowledge. When other users view the postings, the codes are copied into their e-mail signatures and the virus replicates.
The virus takes advantage of existing commands built into the WebTV software to perform a combination of tasks WebTV had not anticipated. It functions much like a computer macro virus called Melissa, which caused e-mail problems for large companies and individual computer users. The Melissa virus used macros built into Microsoft Outlook, a Windows e-mail client. This virus uses the newsgroups for propagation; WebTV has repeatedly patched a similar code in e-mail to try to end its malicious use.
The newsgroup posting code is used by the WebTV browser to take input from a form and post it into a particular newsgroup. The sig hack also uses a legitimate WebTV signature change code, which enables users to enter text or HTML signatures that will appear at the bottom of their e-mails and newsgroup postings. Both of these codes, and a number of others, are called "wtv-tricks codes," and are necessary for the method by which WebTV has connected the user interface to the underlying browser software.
This virus is an exploitation of the fundamental structure of the WebTV browser. While attempting to attract development of web sites optimized for WebTV, WNI has touted to developers how easy and flexible WebTV development is. As an example they pointed to the browser interface, built entirely in HTML with WebTV extensions and proprietary tags.
WebTV is a "thin client" system in which only a small portion of the browser resides inside the WebTV settop box. The other part of the browser is on the WebTV Networks servers.
The malicious code combination can be inserted as commands directly into the e-mail signature or it can be part of a web page. The web page containing the virus can then be embedded in an e-mail signature using a standard HTML command. Users who have not created a custom signature may not realize that any change has been made because the codes do not visibly display in the newsgroup reader. An embedded web page could be designed without any visible content.
The virus is triggered when a user opens an infected newsgroup posting or e-mail, or a web page containing the codes, and replicates itself by altering the user's e-mail signature. The code then posts messages in newsgroups that the person who placed the virus designates. When other unsuspecting users click on the message to read it, or visit the web page, their signatures also become infected. Since newly posted threads push to the top of the thread list in the WebTV newsgroup reader, they are more likely to be read and are more likely to infect even more users.
When the virus is embedded in the signature from a web page, the person placing a copy of the virus can edit the page to change which newsgroups are targeted by the virus for cross-posting, and when the virus is active or inactive. Turning the virus on and off makes it more difficult to predict or track since it doesn't exhibit a regular pattern of behavior. The virus can be set to only alter the signature to include the embedded page so that no immediate result is obvious.
Then, hours or days later, the person placing the virus could turn the codes back on, and users whose signatures carried the embedded web page would inadvertently spread the virus further by cross-posting to an entirely different set of newsgroups. The infected user doesn't even need to visit the targeted newsgroups to infect them. These can be newsgroups anywhere, either behind the WebTV firewall in the alt.discuss hierarchy, or on Usenet. The virus is destructive because of its rapid replication, and just a single user could inadvertently post to an enormous number of newsgroups.
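The two traits the article describes, a signature that embeds an outside page with no visible content and links that carry WebTV's proprietary command URLs, are exactly what an abuse desk would want to screen signatures for. The scanner below is an added example written for this article; it is not code from Net4TV Voice or from WebTV. It assumes that the embedded page arrives through a standard HTML element such as an iframe, and it assumes that WebTV's command URLs can be recognised by a "wtv-" scheme prefix, which the article only refers to as "wtv-tricks codes" without giving the exact spelling; the sample signatures are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that can pull in a second page or resource without showing any text.
EMBED_TAGS = {"iframe", "frame", "embed", "object", "img", "script"}
URL_ATTRS = ("src", "href", "data", "action")
# Assumption: WebTV's proprietary command URLs share a "wtv-" scheme prefix.
# The article only calls them "wtv-tricks codes"; the exact spelling is not given.
SUSPECT_SCHEME_PREFIX = "wtv-"


class SignatureScanner(HTMLParser):
    """Collects URLs, embedded resources and visible text from one signature."""

    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, tag, url) triples
        self.embeds = []        # URLs loaded by EMBED_TAGS elements
        self.visible_chars = 0  # non-whitespace characters a reader would see

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = next((attrs[a] for a in URL_ATTRS if attrs.get(a)), None)
        if url:
            scheme = urlsplit(url).scheme.lower()
            if scheme.startswith(SUSPECT_SCHEME_PREFIX):
                self.findings.append(("wtv-scheme-url", tag, url))
        if tag in EMBED_TAGS and url:
            self.embeds.append(url)
            # A 0x0 frame is the usual way to load a page nobody can see.
            width = (attrs.get("width") or "").strip()
            height = (attrs.get("height") or "").strip()
            if width == "0" or height == "0":
                self.findings.append(("zero-size-embed", tag, url))

    def handle_data(self, data):
        self.visible_chars += len(data.strip())


def scan_signature(html):
    """Return a verdict dict for one HTML signature block."""
    scanner = SignatureScanner()
    scanner.feed(html)
    scanner.close()
    findings = list(scanner.findings)
    # An embedded page with no visible text at all matches the article's
    # description of an embed "designed without any visible content".
    if scanner.embeds and scanner.visible_chars == 0:
        for url in scanner.embeds:
            findings.append(("invisible-embed", "signature", url))
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample signatures; the hosts and the wtv- scheme are placeholders.
SAMPLE_SIGNATURES = {
    "benign": 'Regards,<br>Pat<br><a href="http://example.invalid/home">my home page</a>',
    "hidden_frame": '<iframe src="http://example.invalid/sig.html" width="0" height="0"></iframe>',
    "command_link": 'Click <a href="wtv-placeholder:/command">here</a>',
}

if __name__ == "__main__":
    for name, sig in SAMPLE_SIGNATURES.items():
        print(name, scan_signature(sig))
```

The scanner deliberately treats the absence of readable text as a signal in its own right: a signature whose only content is an embedded resource has no legitimate reason to exist, regardless of what the embedded page contains on a given day, which is what makes it useful against an embed that is switched between active and inactive.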
WebTV has long claimed to its users and to others that it could not get a virus. The system is immune to the Windows and Macintosh viruses that are spread on the Internet and through software swapping. The WebTV box also cannot receive downloadable, executable programs. In this case however, like Melissa, the virus simply uses the commands already in the software, and puts them together in a way that causes damage and self-replication.
This is the latest in a string of hacks that have exploited the wtv-tricks tags. Previously, malicious use of these codes has forced WebTV to make several patches in order to eliminate combinations of the codes that were being used to cancel user accounts, access unreleased games that WebTV was developing, and otherwise disrupt the service. In January, WebTV was forced to patch the E-mail Hijack Code, a code similar to the current newsgroup posting code which is a key piece of this virus.
The infection is coming from a variety of sources, with a number of people intentionally placing copies of the virus in various newsgroups and on their homepages. A user who was involved in posting and spreading the virus, and the knowledge of how to use it, reported yesterday to his friends that he was terminated by WebTV's compliance department.
For more than a month, WebTV users have been reporting to WebTV's abuse department that their e-mail signatures have been hacked. The replicating newsgroup virus was reported by users to WebTV as early as Friday, March 10.
Net4TV Voice has spoken with WebTV Networks' communications staff over the last two days, and has supplied them with a sample of the code and a description of its operation. However, as of press time, WebTV remains unprepared to comment. Net4TV Voice has also contacted Waggener-Edstrom's "Rapid Response Team," which handles WebTV press relations, but has not yet received a response.