The BadTrans Virus and E-conveyancing

January 1, 2002

In November 2001 a new e-mail virus, W32 BadTrans, spread rapidly across the Internet. The virus affected users all over the world but appeared to be particularly concentrated in the UK. I know this because one of the computers it infected belonged to me. MessageLabs, a company specialising in e-mail security, intercepted more than 28,000 e-mails infected with the same virus on 28 November alone. By itself this event would hardly merit further comment other than as an illustration of the exponential growth of e-mail borne viruses. However, the sophistication of the BadTrans virus and other similar viruses raises potentially worrying questions about the planned implementation of a system of e-conveyancing in England and Wales. To understand why this is so it is necessary to examine how BadTrans infects a computer. As a case study, my own experience illustrates just how efficient and dangerous such viruses have now become.

BadVirusday

I had confidently, if unwisely, assumed that I was immune from computer viruses. After all I had anti-virus software and a separate firewall installed on my PC. I did not open e-mail attachments that I was not expecting and no floppy disks were ever inserted in my PC without first being virus checked. I thought I was safe. As things turned out, I was wide of the mark in believing this.

How then does BadTrans infect a computer? In my case the story began much earlier in the year when my wife was looking for an unusual speciality beverage. Using the Internet she located a small supplier (which I will call Acme Ltd) offering a mail-order service. An order was placed by e-mail and the goods arrived immediately afterwards. Acme Ltd retained my e-mail address in the address book of their e-mail program.

Before examining how the infection took place some background technical information is needed. My operating system was Windows 98 SE with Internet Explorer 5 as the Web browser and Outlook Express as the e-mail client. These were backed up by anti-virus software and a firewall. Here I have to admit that, at that time, I wasn’t updating my anti-virus software every day or for that matter even every week. On the day my computer was infected it probably hadn’t been updated for several weeks. Updating anti-virus software every day used to seem to me rather excessive, although this is not a view that I now hold. I should add that the version of Internet Explorer (IE5) that I was using was a couple of years old. This was to prove a matter of some significance. Like many others I have always been reluctant to install software upgrades where the existing version was running perfectly. On top of that, I had never really paid much attention to the large number of updates and patches issued by Microsoft for products like Internet Explorer and Outlook Express.

On the morning of 18 November 2001 I connected on to my e-mail server to read my e-mail. Once I had connected to the e-mail server Outlook Express indicated that mail was being received. The download took longer than usual suggesting an e-mail with a large attachment. When it arrived I could see that the sender was Acme Limited. The e-mail had no title (and as it turned out no message) but was accompanied by what appeared to be a harmless notepad attachment. The receipt of a blank e-mail suggested to me that its attachment might contain a virus. The attachment certainly appeared innocuous although I was aware that it was possible to disguise the true nature of e-mail attachments so that an executable file could appear to be something else. At this point there was a flicker on the screen as what appeared to be the download warning panel appeared for a millisecond and then disappeared.

By now I was thoroughly alarmed. I had received an unexpected blank e-mail with an attachment. Even though I had not opened the e-mail or the attachment something appeared to have been downloaded onto my hard drive. Before I could attempt to launch a full virus scan the firewall produced a warning that a program called Kernel32.exe was attempting to connect to the Internet. Fortunately the firewall was configured to stop programs other than Internet Explorer and Outlook Express connecting to the Internet so this connection was prevented.

I had never heard of a program called Kernel32.exe. The name suggested a Windows system file. A quick check to see which files had been created in the previous 24 hours showed that Kernel32.exe and two others had been created within the last few minutes. A search on the Internet for information about Kernel32.exe revealed bad news – its presence indicated an infection by the BadTrans virus.

BadTrans and its BadBrethren

Once I was aware of the problem, removal of BadTrans was not that difficult. In due course, fairly promptly in fact, I downloaded the most recent update from my anti-virus software supplier and ran a full scan. This confirmed the presence of the virus, which I was then able to remove.

As BadTrans did not receive the same level of publicity as the Love Letter, Anna Kournikova or Code Red viruses, some readers may be unaware of its properties. In brief, BadTrans, which is known by a number of slightly different names, is a mass mailing e-mail virus or worm. Once a host computer is infected the virus then sends itself on to e-mail addresses obtained from the infected host. Since the release of the Melissa virus there have been a number of such viruses and on its own this story would hardly be worth recounting. I have already noted the way in which BadTrans obscures the true nature of the attachment containing the virus. What is particularly interesting about BadTrans is that it can, in the right circumstances, write a file to the target’s hard disk and then execute it without the need for any input from the user. The implications for solicitors when e-conveyancing is introduced are worrying.

The usual advice for avoiding infection by e-mail borne viruses is not to open any suspicious attachments. However with BadTrans it was not necessary to open the attachment to become infected with the virus. This is possible because of a flaw in Internet Explorer 5. Microsoft had long ago issued a patch for this vulnerability, which can be downloaded from their Web site. Whilst I was aware that it might be possible for an e-mail delivered virus to infect a computer even without an attachment being opened I had wrongly assumed that this was more of a theoretical problem than a practical one and had never updated Internet Explorer 5.

However, there is far more to BadTrans than its ability to infect computers merely by sending an e-mail. Kernel32.exe installed two additional files on my hard disk. One of these was a key logger. This type of software records data that a user types on the keyboard of an infected machine. The key logger installed by BadTrans was sufficiently sophisticated to record only certain types of data. Whether or not the logger records keystrokes appears to depend on the first three characters of the running programs title bar. If, for example, these are LOG (for Logon) or PAS (for Password) the data is recorded and then sent to one of a number of e-mail addresses. There are a number of other three character combinations that also activate the logger. BadTrans also appears to record the IP address of the affected machine. The outgoing e-mail is not sent using the victim’s e-mail program and so the victim is not even aware of what has happened.

That BadTrans was successful can be demonstrated by looking at one of the e-mail addresses to which compromised data was sent. One of these was located at a small ISP in San Francisco. The number of e-mails received was sufficient to affect the operation of e-mail at the ISP. According to some reports in the region of 100,000 e-mails were received at the address. The ISP itself obviously has no involvement with the virus. The contents of the received e-mails are, at the time of writing, the subject of a dispute between the ISP and the FBI with the ISP declining to hand them over to the FBI because of the confidential nature of their contents.

Another clever feature of BadTrans is that the return address for the e-mail is altered so that simply using the reply button on Outlook Express to send a reply to the sender asking why they have sent the e-mail will not work.

E-conveyancing and Viruses

Why then does BadTrans have implications for e-conveyancing?

E-conveyancing depends on digital signatures. In turn these rely on the security of the private key used to create the digital signature. If the private key or the passphrase/password used to generate it are compromised then the security of e-conveyancing is lost. Individual property transactions can involve enormous sums. Anyone who can gain unauthorised access to the network of a solicitor will have taken the first step towards being able to appropriate his digital signature and alter the register. Viruses such as BadTrans offer a way of remotely accessing solicitors’ computer networks. The Government has already given an indication that in cases where a solicitor is negligent in protecting his digital signature as a result of which the Register is altered then the Land Registry may look to the solicitor for an indemnity if compensation has to be paid.

How easy will it be for solicitors to avoid their networks being compromised by this kind of threat? There is no reason to doubt that the creation of clever viruses will not continue. Computer software is already extremely complicated and continues to become more complicated. As both operating system and application software increase in size so do the number of potential flaws that can be exploited by those who create viruses. It is sometimes suggested that the existence of security flaws in software is the fault of the manufacturers and that not enough effort is made to identify such problems before the product is released. Whilst such criticisms may be true to some extent, a combination of the complexity of software coupled with human ingenuity makes it inevitable that new and more sophisticated viruses will be developed and released. Given this, is it reasonable to expect that solicitors will be able to keep their networks secure?

The determination of the Government to introduce e-conveyancing makes this question all the more urgent for solicitors. The use of digital signatures puts the profession in a potentially dangerous position. With the growth of complex ‘blended’ viruses such as BadTrans it will soon become essential for solicitors to become experts on software updates and virus warnings as well as the law.n

Raymond Perry is a solicitor with Davies and Partners of Gloucester.