Memories of the Anna Kournikova worm


It's ten years ago today since the Anna Kournikova worm spread around the world, offering the promise of pictures of the Teutonic tennis temptress but in reality infecting your Windows computer with an email-aware worm.

The Anna Kournikova worm wasn't particularly sophisticated in design. It was a regular email worm written in Visual Basic Script (VBS), which forwarded itself via emails using details it harvested from your Microsoft Outlook address book.

The worm, which Sophos called VBS/SST-A (it was the media which dubbed it "Anna Kournikova"), didn't even involve any blood, sweat and tears for its Dutch creator, 20-year-old Jan de Wit. He simply downloaded from the internet a virus construction kit called VBSWG which generated his malware for him.

The real genius of the Anna Kournikova worm was not in its coding. It was in its social engineering.

Here's what an email infected by the Anna Kournikova worm looked like:

Subject: Here you have, ;0)
Attached file: AnnaKournikova.jpg.vbs


It was the choice of Anna Kournikova as the bait which was so clever, and helped the worm spread around the world incredibly rapidly.

Because Kournikova was a world-famous sports star, her appeal wasn't limited - as a TV or music star's might be - by whether you could understand what she said. Let's face it, who reading this has ever heard Anna Kournikova say anything?

Silent movie star Charlie Chaplin was famous around the world, in part, because he was an icon who crossed borders and languages. Well, individual sports stars can be very similar - they just have to be good at what they do (jump higher, run faster, hit a ball harder), and if they look gorgeous in a short tennis skirt all the better.

It can't be overstated just how popular Anna Kournikova was in the late 1990s/early 2000s - not so much for her tennis playing (which, let's be honest, was very good but not really the world's best) but for her good looks. Indeed, by the end of 2001, Anna Kournikova was the eighth most popular woman searched for on Google.

So, all in all, Anna Kournikova was a very good choice for the worm's author. And very bad news for the millions of people around the world who had their computers infected by the attack.

And I say "people" advisedly, because it wasn't just men who found it irresistible to click on an email, seemingly sent to them by one of their friends or colleagues, offering a picture of Anna Kournikova. I can only assume that many of the women who also had their computers infected by the worm presumed it had been sent to them as a joke - perhaps the picture was going to show Anna Kournikova with lumpy cellulite-ridden legs or eating a kebab?

Sadly, for all concerned, there never was an image of Anna Kournikova attached to the email. It was just a simple VBS worm, and there was no picture to see. The world had been duped - by a cunningly chosen filename.
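A mail-gateway style check for the filename trick described above, a script attachment whose name ends in a decoy media extension followed by the real one (`AnnaKournikova.jpg.vbs`). This is an added example, not part of the original article; the extension lists, function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.message import Message

# Assumed lists for illustration; a real gateway policy would be broader.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "scr", "pif", "exe", "bat", "cmd"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3", "avi"}


def deceptive_extension(filename: str) -> bool:
    """True if the name ends in <decoy>.<script>, e.g. 'photo.jpg.vbs'."""
    # Windows ignores trailing dots and spaces in file names, so drop them first.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 3:
        return False
    # The decoy may be padded with spaces to push the real extension out of view.
    return parts[-1] in SCRIPT_EXTS and parts[-2].strip() in DECOY_EXTS


def flag_attachments(msg: Message) -> list:
    """Return filenames of attachments that use a decoy-plus-script extension."""
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if name and deceptive_extension(name):
            flagged.append(name)
    return flagged


# Constructed sample message modelled on the subject and attachment name above.
SAMPLE = """\
From: friend@example.com
Subject: Here you have, ;0)
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"

(placeholder, no script content)
--BOUND
Content-Type: image/jpeg
Content-Disposition: attachment; filename="holiday.jpg"

(placeholder)
--BOUND--
"""
SAMPLE_MSG = message_from_string(SAMPLE)
```

Calling `flag_attachments(SAMPLE_MSG)` reports only the `.jpg.vbs` attachment; the genuine `holiday.jpg` passes.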

Jan de Wit - who used the online handle "OnTheFly" - was arrested by authorities in the Dutch town of Sneek on February 14th 2001, after admitting to his parents that he was responsible for the malware that was affecting computers and clogging up email systems worldwide.

The following weekend, Sieboldt Hartkamp, the mayor of Sneek, caused controversy when he told newspapers that he was pleased with the attention the Kournikova worm had brought his town, describing the malware as a "joke":

"It is obvious that the young man is very capable and it is in our interest to employ people like him in our information technology department."

The mayor went on to say that he would be prepared to offer Jan de Wit a "serious interview" once his studies were completed. Working for an anti-virus company, I felt like banging my head against a brick wall when I heard this. After all, wouldn't it be better to teach youngsters the damage that can be caused by distributing malware rather than society applauding them and offering them jobs?

Furthermore, Jan de Wit had not demonstrated that he was "very capable". In fact, he had shown very limited programming knowledge as he had used a simple virus construction kit to help him create his malware! Most importantly, of course, he had proven himself to be ethically immature.

At de Wit's subsequent trial in September of 2001, despite anti-virus companies claiming that millions of computers had been affected, US investigators were only able to list 55 incidents of infection, totalling just $166,827 worth of damage. No doubt many firms were nervous of coming forward and going on the record as having suffered from the Anna Kournikova worm - which causes problems when attempting a prosecution.

However, the limited FBI evidence wasn't good enough to pass muster with the Dutch district court, who claimed that it lacked enough detail, and Jan de Wit was given a sentence of 150 hours community service.

You would have thought that that was a pretty good result for the creator of one of the world's most widespread viruses, especially as he could have received a maximum sentence of four years in jail.

But, astonishingly, Jan de Wit's legal team appealed the sentence, arguing that the virus writer's career could be harmed. Personally I would have breathed a sigh of relief, and taken the 150 hours community service on the chin. A few weeks tidying up gardens, sweeping the streets and picking up litter would seem a lucky escape to me.

Thankfully, common sense prevailed and the appeal was rejected, to the disappointment of de Wit's lawyer Theo Jansen:

"I hoped that he would be acquitted. My client never had the intention to cause damage."

Jan de Wit wasn't the greatest virus writer of all time, and his virus wasn't that sophisticated. But, like the Love Bug before it, it was immensely successful at using social engineering to trick users into clicking on its attachment.

These were the days of mass-mailing malware. They seem more innocent times than today, as they didn't typically involve stealing money from users - but they still disrupted business and home users' computers and clogged up email systems.

Malware was going to get nastier during the next decade: by no longer drawing attention to itself with high-visibility mass attacks, malware was about to get stealthy and financially motivated.

PS. A footnote on the whole story of the Anna Kournikova worm. A couple of days after the worm started spreading around the world I got a phone call from an American marketing company who said that they represented Anna Kournikova.

The tennis player, not the worm.

"Would Sophos be interested in working with Miss Kournikova to do some promotion?", I was asked. "We could do some photo shoots of Anna holding your software - it could be great for business.."

"Sure," I replied. "How much would you pay us?"

It turned out that wasn't quite what he was thinking. When he told me how much money he expected us to pay for the use of Miss Kournikova's services, I knew exactly what to do.

I gave him McAfee's phone number.


5 Responses to Memories of the Anna Kournikova worm

  1. Simon D Gardner · 1348 days ago

    This article is worth it just for the dig @ McAfee.

    • It wasn't really intended as a dig at McAfee.. I was just put on the spot and had to think quickly as to who I would most like to see giving $800,000 to Anna Kournikova. :)

  2. po8crg · 1347 days ago

    Anna Kournikova, being Russian, is not a "Teutonic temptress" - she's Slavic.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.