I’ve noticed a number of articles recently based on historical summaries of threats past – for instance, a ‘brief history of Apple hacking’ (see also my commentary for Infosecurity Magazine) and SC Magazine’s Ten Devastating Computer Viruses.
In general, I’m more fascinated by the fact that the media and the reading public are so taken with top ten lists – in fact, I’ve considered the phenomenon a couple of times with some seriousness, as in Perfect Ten: Truth and Prognostication – than I am by the prospect of putting my own lists together. Though I have done from time to time: sometimes with my tongue firmly glued to my cheek, as in this Top Ten of Top Tens post from 2010; sometimes with more serious intent, as in the blog series that was subsequently published as an ESET white paper (twice): Ten Ways to Dodge CyberBullets: Reloaded.
On this occasion, I thought it might be amusing and possibly even instructive to look at one of the ‘least devastating’ examples of malicious software. (This might even become a series, but I’m easily discouraged…) The mouse ball virus was invented by Dr Alan Solomon, a highly influential figure in anti-virus research at the time. When I say invented, I mean totally fabricated: the virus that found its way down your mouse cable and ate its little rubber ball was a standing joke on alt.comp.virus for years, not an example of the anti-virus industry writing all the viruses.
Just a minute, though: maybe the joke was on us. It appears that American taxpayers were stung for (at least) $2.7m when the Economic Development Administration, part of the Department of Commerce, was notified by the Department of Homeland Security that it might have malware issues. According to Ars Technica’s summary of a Department of Commerce audit, it reacted by:
- Closing off its systems for two months so that it had no email service and no way for regional offices to access central databases. That $2.7m doesn’t include the costs from that exercise in self-isolation, by the way.
- Engaging an outside security contractor to investigate and advise: $823,000.
- Acquiring temporary infrastructure from the Census Bureau: $1,061,000.
- Spending $4,300 on destroying $170,500 worth of IT kit: printers, cameras and yes, mice, as well as desktops. The intention was to destroy $3m worth of hardware, apparently.
- Spending $688,000 developing a long-term response. Actually, on hiring contractors to develop a response.
It seems the EDA knew something about mice and malware that the rest of us didn’t. Or they came across the alt.comp.virus thread and took it seriously. Or Dr Solly wasn’t joking at all. In fact, given the technicalities of mouse ball replacement as described in what is alleged to be a genuine alert sent out to IBM field engineers in 1991, it seems a good thing that mouse ball technology seems to be on the wane. On checking my own office, I’m disconcerted to find that none of the mice I currently own has a ball at all, though they all glow a very vibrant red when you turn them upside down. Fortunately, it doesn’t seem to affect their performance – insert own red light joke here – though they do work better if you turn them the right way up.
Meanwhile, the Huffington Post reports that the Kremlin is investing in twenty electric typewriters for the generation of top secret documents while eradicating the risk of (direct) electronic data leakage. I hope someone’s told them about the golf ball virus.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow