StarOffice Attracts its First Virus (and the press notices)

I was sitting in the audience of an ISO/IEC meeting in Geneva, Switzerland about to give a presentation on the intersection of open source and open standards when I received an email with a link to this story at CNET.News.com:

Researchers at Kaspersky Lab have spotted what they believe is the first virus for OpenOffice, the open-source rival to Microsoft's Office productivity suite.

The virus, dubbed Stardust, is capable of infecting OpenOffice and StarOffice, which is sold by Sun Microsystems, a Kaspersky Lab researcher wrote on the Russian company's on Tuesday. "Stardust is a macro virus written for StarOffice, the first one I've seen," the researcher wrote. "Macro viruses usually infect MS Office applications."  The pest is written in Star Basic. It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting.

So far, Stardust is a proof-of-concept virus, which means that it was created to demonstrate that an OpenOffice virus is possible. The virus has not been sent out in the wild and is not actually attacking people's systems.

I did a quick and dirty blog entry then, which I'm updating now. 

Hmm.  Now that I have time to give this a closer reading, it appears that this bit o' malware has hit only StarOffice, not OpenOffice.  So while the conclusion may (or may not) be correct to say it can be adapted to hit OpenOffice, it's a stretch to assume that it was "created to demonstrate that an OpenOffice virus is possible."  If that was the goal, why not _start_ by hitting an OpenOffice user, eh?

Be that as it may, you may recall that only a week ago I did an article about the Word Trojan, and how the press reported it.  Through this new hack on StarOffice we have the opportunity to see how the press reports an equally (or less) insignificant attack on one version of ODF compliant software, so let's see what we see.

So far, the news about the StarOffice hit is running ahead of the Word Trojan, with 28 stories in the first day, on a Google News search of “Stardust AND openoffice OR staroffice,” as against only 11 in the same time period for “word AND ginwui.”  The Web seems to find it a lot more interesting, too, with 157,000 hits in the first day, while the Word Trojan is at 195,000 hits after almost two weeks.

So what else are the scribes saying?

As with the Word Trojan, more than 20 of the news articles so far are re-hashes, but some have more details.  Jeremy Kirk at PCAdvisor gives a more complete technical explanation than other news stories, and then adds the following to the basic story facts, having taken the time to contact the original source of the story to ask for more, such as (presumably) why the mention of OpenOffice had been made:

Since the virus has not yet been launched with malicious intent, a teenager hacker may have written it, said Roel Schouwenberg, senior research engineer for Kaspersky Lab. The virus uses macros to attack Sun’s office suite….

“We’re not hyping it,” Schouwenberg said. “The world is not coming to an end. It’s just a POC (proof-of-concept).”

But with a little tweaking, Schouwenberg said the code, which uses an old API (application programming interface), could be modified to affect OpenOffice 2.0, an open-source suite.

David Utter, at SecurityProNews.com (who also wrote about the Word Trojan), adds this to the basic facts:

Besides the cost factor, another pleasure of working with a Microsoft alternative has been the relative freedom from security issues that the MS Office crowd has to worry about regularly. That has changed now,…[quoting Schouwenberg:] “We’re not hyping it. The world is not coming to an end. It’s just a poc (proof-of-concept).”

That may be the case. But for those of us who use applications like OpenOffice regularly and have enjoyed a virus-free existence, it’s still a little disturbing.

Which is also the tack taken by Kevin McLaughlin at CRN.com, who to his credit also did some investigation and came up with some sources to quote:

Michael Cocanower, president of ITSynergy, a Phoenix-based solution provider, says the fact that virus writers are beginning to target open source applications will serve to dispel the myth of these applications being impervious to threats.

“Alternative platforms often brag about the fact that there isn’t a lot of malicious code floating around on their platforms, and therefore everyone should use them, and not Microsoft, which [they say] is full of holes,” said Cocanower.

“I don’t think anyone really thinks that open source apps are completely safe from attacks,” said Jeffrey Sherman, president of Warever Computing in Los Angeles. “Up to now, the theory of “security via obscurity” has reigned true, but as any open source program becomes more popular, that obscurity is going to dwindle.”

Productivity software suites have long been a target of virus writers, according to Tom Adelstein, an open source advocate and author of several books on Linux. “Kaspersky is making a big deal about this [proof of concept macro virus] because it [targets] open source,” Adelstein said.

Software built on the GNU General Public License is tight and not susceptible to invasion, added Adelstein. “There just isn’t a way to really attack Linux or OS X or any of the Unix variants — once you compile it, it’s like iron,” he said….

Well, I don’t know that I’m on board for Tom’s conclusion.  I was discussing the same topic with Microsoft’s Jason Matusow before we were on the same panel at the ISO/IEC conference, and he stated, if I recall correctly, that “Linux has 700 security issues; they just haven’t been exploited.”  I don’t know that I’d automatically accept that number, either, but (at the risk of being flamed) my guess is that it’s impossible to malware-proof any software – even Linux – especially if security isn’t the highest priority of the team that’s coding.

Some software does make a more attractive target, though, in the political sense, and it’s likely that Microsoft will present a far more frequent target than Linux for some time.  When the time does come for Linux to attract a more market-share representative amount of hacker attention, my guess is that the target will be the add-on software of a single distro vendor that has been seen to overstep its bounds, rather than the Linux kernel.

Not everyone was in a highly serious mode.  At the VirusList.com Analyst’s Diary, it was a curiosity item:

I came across something interesting today: a macro virus which we’ve named Virus.StarOffice.Stardust.a   You might wonder what’s interesting about this – viruses have been around for a long time, and are starting to fade from the scene.  But if you look more closely at the name, you can see why I’m interested: Stardust is a macro virus written for StarOffice, the first one I’ve seen. Macro viruses usually infect MS Office applications…. We’ll have a description of it in the Virus Encyclopaedia soon.

True to its supermarket checkout lane namesake, Inquirer.com’s cheeky opening reads as follows in a few throwaway paragraphs by Nick Farrell:

The Open Sauce rival to Vole Office, Openoffice has come down with its first virus.

Vole Office?  Never mind.

ChannelRegister.co.uk, no slouch in the attitude category but with a reputation for more serious concern, had a re-hash, but gets points for its Douglas Adams subtitle:  “Mostly harmless.”

So much for now.  After a week has run its course, I’ll return to this topic and do a final comparison to how the press treats a software virus that has targeted (one example of) ODF compliant software, as compared to an Open XML (to be compliant in the next release) software bit o’ mischief.
