Greeting card virus licensed to spread

The FriendGreetings electronic greeting card has all the hallmarks of a mass-mailing computer virus.

Learn more about viruses

The e-mail misleads a victim into downloading an application--ostensibly to view a Web card--and then sends itself to every e-mail address in the victim's Outlook contacts file. At least a few systems administrators have complained in Usenet postings that the mass-mailing e-card was to blame for swamping their network.

Yet the creators--Permissioned Media, a company apparently based in Panama--will be hard to prosecute: The viral card is protected by a license agreement that tricks unsuspecting users into clicking "Yes" and consenting to have the program send itself to all their e-mail contacts.

"They are deliberately trying to hide something in a wrapping that they know people won't read," said Vincent Gullotto, vice president of security company Network Associates' antivirus emergency response team.

Without the license agreement, the program would be considered a virus, but with the code wrapped in what could be a prosecution-proof vest, Gullotto is careful to avoid the term. "The unofficial name we have for it is a 'fishy program,'" he said.

The power of a button-click to transform a virus into a legal--albeit questionable--program has some attorneys worried that future Internet attackers could get protection using one of the software industry's best weapons: the click-wrap license.

"This is a legal hack," said Jennifer Granick, a lawyer and clinical director for the Stanford University Center for Internet and Society. "It really raises the problems of online licensing and contracting. Companies haven't wanted to admit (that problems exist), because they get to write the licenses and it benefits them."

The viral e-card is just the latest example of questionable software. In April, Kazaa users inundated Brilliant Digital Entertainment with complaints when they discovered that the most recent version of the company's 3D ad technology software, which is bundled with the Kazaa file-sharing program, contained licensing terms that allowed the company to claim "unused computing power and space" on a person's PC.

Another program, Gator, which tracks users and tailors ads to them, had been roundly criticized by users and advertisers alike.

Is it illegal?
However, if protected by a properly crafted license, such applications aren't actually doing anything that's legally considered wrong. In the precedent-setting case Specht et al. v. Netscape Communications, the court found that two tests must be satisfied for a license to be binding: The user must be aware of the license, and the user must be required to accept it in some way.

The license included in Permissioned Media's FriendGreetings e-card passes both tests.

The viral Web greeting card attracts users with an e-mail masquerading as a message from an acquaintance and stating that an e-card awaits at a Web site, such as " Friendgreetings.com" or " Friend-card.com." The e-mail contains a link that, when clicked, will begin to download the infectious program. A dialog box says the program is necessary to view the e-card.

The installer requires that the user accept two end-user agreements that contain the following text, among other legalese: "As part of the installation process, Permissioned Media will access your MicroSoft(r) (sic) Outlook(r) Contacts list and send an e-mail to persons on your Contacts list inviting them to download FriendGreetings or related products."

Many companies have already blocked access to Friendgreetings.com, but Permissioned Media has repeatedly changed the site's address and sent out a new batch of unsolicited e-mail to users.

"It's getting sneakier," said Alex Shipp, senior antivirus technologist for U.K.-based e-mail service provider MessageLabs. The latest iteration of the e-mail--the fifth, said Shipp--caused a spike in the number of messages blocked by the company's anti-spam filter this past weekend.

Yet, the license gave Shipp pause. "It's a very difficult call," he said. "It behaves exactly like a virus but because it has this disclaimer, some companies think they could get sued if they stop it like a virus."

In 1998, some antivirus companies started blocking a utility called NetBus, which allowed an administrator to control a remote system. Like BackOrifice, the utility soon became a favorite way for hackers to send commands to systems over which they had gained control. However, when the program's creator decided to start a company to sell the product, he hired a lawyer to go after any company that blocked the tool.

"Antivirus companies learned that they have to be careful what they block," Shipp said.

This time the lesson may be different, however; click-wrapped viruses may spotlight the flaws in the system.

The laws under which online vandals and cybercriminals are prosecuted specify that intrusions into computer systems have to be unauthorized. Yet, a Trojan horse or virus wrapped in a click-accept license could make the access authorized, and therefore not a crime.

"The question is that, when most people admit they don't read them, can licenses really give authorization?" said Stanford's Granick. "If you are a prosecutor in a cybercrime case, you argue not."

But courts may have a tough time justifying that what goes for Microsoft and Brilliant Digital shouldn't also go for any other programmer, including a virus writer, Granick points out.

Not everyone is so sure, however. Network Associates' Gullotto wouldn't bet just yet that the laws are what will be altered. Users might just have to adapt instead, he said.

"Times are changing," Gullotto said. "People have to know what they are opening up in e-mail."

[PhotoJimbo]

This is a frightening concept: We're arguing whether people should be forced to accept things they supposedly agreed to via mouse click, when most of them are incapable of understanding what they are agreeing to, especially when the agreement is written in a deliberately misleading manner.

Even Microsoft's agreements are so rediculously complicated, that an "average user" cannot possibly follow them, but they will always click "agree" to get the software, simply because there are no other options... There should be! Especially if the agreement gives away something of the clicker's.

Problem two here is that anyone can walk into anyone else's house and turn on their (usually unprotected) PC and make these agreements for them. It does happen, and will happen more as this thing grows. How badly should we hit these poor souls to punish them for their lack of security precautions?

The majority of people simply cannot grasp the concept a mouse click as a way to agree to something dangerous and legally binding, even if it is spelled out. The idea that a deliberately confusing
"agreement" containing obfuscated (or well hidden) dangerous portent should be mouse clickable & legally binding is pure stupidity, and should not be tolerated. I include most software agreements in this statement, but these particular things are deliberately disguised to look like messages from friends! Legalized theft disguised as a convenience! They now have the right to do anything they want to your computer because you agreed to read a post-card from a friend! This is Law made to protect those who least need it against those who most need it.

Anyone who wants to create legally binding agreements of a potentially dangerous magnitude (Very dangerous! These simple things bring down large networks at times.) should be forced to spell out the end results in very specific and simple language. Then have the mouse click be a temporary agreement with any action pending the return of a Signed Contract, and then get back to reasonable understandable business. I guarantee that If Microsoft inserted a small paragraph deep in their UA indicating that your click would give them your firstborn daughter, it would first take weeks to discover, and then years of debate to decide if it was legal. We've lost all reason in this nonsense. We're actually discussing Legalizing Network Damaging Viruses!

Right now it's funny when someone gets in trouble clicking on something that no-one could unserstand, and we laugh and say "S/He should have known better!" But No One Reads Those Things!

To give valid Legal Status and Support to Pirates who have have worked out legally clever schemes to take advantage of a bad situation is extreme misuse/abuse of the legal system. (But not uncommon! ;-) This is Sheer Madness! I think we love the debate more than reason itself.