For this week, I want to focus on some blog chatter about the latest malicious creation to come out of Russia, because, well, it amuses me. It probably shouldn’t, but it does.
Someone in Russia has reportedly created malware that flirts with females or males seeking relationships online in order to dupe them out of their personal data.
CyberLover can conduct fully automated flirtatious conversations with chat-room visitors and dating sites to lure them into a set of dangerous actions such as sharing their identity or visiting Web sites rigged with malware. It can establish a new relationship with up to 10 partners in just 30 minutes and its victims cannot distinguish it from a human being.
“As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering,” says Sergei Shevchenko, senior malware analyst at PC Tools. “It employs highly intelligent and customized dialog to target users of social networking systems.”
The sad thing is that the creators of CyberLover are certain to make money off this, since there are plenty of gullible people out there looking for love in all the wrong places.
Folks in the blogosphere are talking about how this thing comes close to passing the Turing Test, which I honestly had never heard of before today. According to an entry in Wikipedia, the Turing Test is a proposal for a test of a machine’s capability to demonstrate intelligence. Described by Alan Turing in the 1950 paper “Computing machinery and intelligence,” it proceeds as follows: a human judge engages in a natural language conversation with one human and one machine, each of which tries to appear human; if the judge cannot reliably tell which is which, then the machine is said to pass the test. [On a slightly unrelated note, Turing, an English mathematician, logician, and cryptographer whose life ended in suicide, will be the theme of the RSA security conference in April.]
Technologist Brad Templeton writes about CyberLover and the Turing test in his Brad Ideas blog, noting how it may be having a successful run by fooling people in a language that is a second language to the target, and/or claiming that it is using a second language for itself. With English as the lingua franca of the Internet and world commerce, he notes, it’s common to see two people talk in English, even though it is not the mother tongue of either of them.
“It’s easier to see how a chatbot, claiming to not speak English (or some other ‘common’ language) very well — and Russian not at all — might be able to fool a Russian whose own English is meager,” he wrote, “though you have to be pretty stupid to give away important information within 30 minutes to a chat partner you know nothing about.”
Curt Monash, a leading analyst of and strategic advisor to the software industry, wrote in the Text Technologies blog that it might be fun to point two copies of the bot at each other and watch them chat each other up.
Meanwhile, a visitor to the Slashdot blogging forum was reminded of a bot he created years ago that would randomly send people messages until the person at the other end stopped responding.
It spewed out nonsense sentences and most people ignored them from the start, the blogger noted, but even those that didn’t quickly got the idea when it cycled back on the same message more than once. One time, however, he remembered “this one guy replying back to this bot as if it was a real person for almost two hours!”
What I’m reminded of, though, is a conversation I had with security luminary Eugene Kaspersky in October. During a visit to Kaspersky Labs’ Massachusetts office, I asked Kaspersky why so much malware comes from his homeland.
A dismal economy and lax law enforcement are fueling the problem, nudging Russian computer programmers into an underground market where easy money can be made creating programs used to steal credit card and Social Security numbers.
“[Russian hackers] don’t see themselves as doing anything criminal,” Kaspersky said at the time. Many Russian programmers compare themselves to weapons manufacturers — they build the technology but are not the ones using it. In other words, they’re not responsible if someone else is pulling the trigger. Meanwhile, Kaspersky said, the Russian economy is still shaky enough that people are looking for ways to make a steady living, and building malware for online gangsters is one way to do it.
And so you can expect a lot more of this malware in the new year and beyond.
My take: If you can’t see the person in front of you, it’s probably best not to flirt with them in the first place.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.