http://www.wired.com/news/technology/0,1282,45956,00.html

By Michelle Delio
6:14 a.m. Aug. 9, 2001 PDT

Internet users have become all too familiar with SirCam and Code Red, but the creators of the two worms that have plagued the Internet this summer remain a mystery. If the FBI's National Infrastructure Protection Center has its way, the identities of those who wrote and released the malicious little bundles of code into the world will be known soon.

"We are very serious about finding the authors of Code Red and SirCam," the NIPC's Debra Weierman said. "Intentional transmission of worms or viruses across the Internet is a felony. This is a major offense, not some inconsequential lark."

Weierman acknowledged that finding a worm's author is often akin to assembling a complex jigsaw puzzle whose pieces are scattered all around the globe, but she said that the NIPC is confident that they will be able to track both worms' creators.

"We have 4,000 security professionals around the world who are giving us information," Weierman said. "It's only a matter of time."

Piecing together the puzzles of SirCam and Code Red requires a solid knowledge of the people who code worms. Without knowing who's who in the virus world, and why they do what they do, it's easy to miss crucial clues -- and make mistakes.

On Wednesday, Frank Felzmann, the head of Germany's Federal Office for Information Technology Security, said that he had tracked down the authors of Code Red. Felzmann was quoted as saying that the worm had been authored by 29a, "a hacking group from the Netherlands." But members of 29a said they are not from the Netherlands and did not have anything to do with Code Red.
According to news reports, Felzmann said that 29a had taken credit for the worm in hacking newsgroups, but a search across Usenet on Wednesday only turned up a discussion by several Russian programmers who had momentarily confused a virus called "RedCode," whose code contains a credit to "Wintermute/29a," with Code Red.

"Yes, Wintermute, a former member of 29a, coded a virus called RedCode," said Mental Driller, a 29a member. "But it is a primitive virus that only worked under DOS systems. It isn't in any way the Code Red virus that media has been talking about."

Felzmann did not immediately reply to requests for comment.

Some virus writers like to tuck a reference to themselves into their code, but so far no one has been able to discover any clues to the writer's identity in any of the three versions of Code Red that have spread across the Internet since the worm was first spotted in July.

SirCam does appear to contain some pointers to its writer. A text string that fills the hard drives of some infected computers reads:

'[SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]'

The town of Cuitzeo holds a big festival on Oct. 16, the same day that SirCam is programmed to virtually roll the dice on any infected computers. That day, SirCam will generate a random number that has a 1-in-20 chance of forcing the infected machine to delete all the files on its hard drive.

Weierman could not comment on ongoing investigations, but said the NIPC is studying all reports on both of the worms' contents carefully.

"If the worm writer is not located in the U.S., the NIPC will alert local law enforcement and work with them to make sure the writer is held liable under local laws," Weierman said. "In the U.S., the authors of Code Red and SirCam would face a five-year sentence, a fine of up to $250,000 for each incident of damage, and perhaps civil suits from companies and people whose networks or computers have been damaged."
Weierman said the NIPC relies heavily on the expertise of people around the world who are familiar with the computer underground "who network with us and share information."

But most of the security firms that are working with the NIPC do not try to find worm writers.

Internet Security Systems' X-Force team, which has been working closely with the NIPC on Code Red and SirCam, has no plans to try to track down the creators of the worms.

"We don't deal in law enforcement, we just pass along the technical details as we discover them to the NIPC," said Dan Ingevaldson, X-Force team leader.

That sentiment was echoed by eEye Digital Security, the first security firm to identify the hole that Code Red exploits, and the first to fully analyze all three versions of the Code Red worm. Marc Maiffret, chief hacking officer at eEye, said his team had worked around the clock to provide their pieces of the puzzle to the NIPC.

"The coolest thing had to be when one of the head FBI investigators called us and said they needed to know what the worm was going to attempt to do against the whitehouse.gov website and what could they do to stop it," said Maiffret. "They said they needed the information in 10 minutes because they were going to be briefing the White House."

But Maiffret said the team is "not really focusing on trying to track down who coded the worms or anything like that. We leave that to the government guys."

Only a few security experts, like Richard Smith of the Privacy Foundation, attempt to trace worm authors. Smith said he enjoys tracking virus writers -- "putting together all the puzzle pieces is fascinating," he said -- but hasn't had time to take a close look at either Code Red or SirCam yet.

Smith thinks the NIPC could coordinate an effort to find Code Red's author.
"Server and firewall logs indicate which machines are infected, so if the NIPC requested that everyone submit their logs, and examined each log for the first attack, they could probably figure out which machine was the first to begin spreading the worm," Smith said. "It would be a horrendous job, but I would bet the NIPC could do it."

Smith said that worm hunters need a lot of patience and have to be willing to share clues with other hunters.

Smith found the author of the Melissa worm by locating a "digital fingerprint," a distinctive piece of code, within the string of commands. Smith then posted some information about the fingerprint in a newsgroup, and other posters pointed out similarities between Melissa's code and some virus creation kits that "VicodinES" had posted on the Web. Smith found the same digital fingerprints in VicodinES's kits as he'd discovered in Melissa, establishing a trail of virtual evidence that helped lead the FBI to David L. Smith, Melissa's author.

"It's not too hard to locate one or two pieces of the puzzle," Smith said. "But it can be hard to put it all together into one big picture."

Looking at the whole picture may require the NIPC to go down some highways that they might not choose to travel.

eEye's Maiffret was angry that his team wasn't included in the NIPC's big July 29 press conference on the return of Code Red.

"We spent many, many hours holding NIPC's hand in private and they basically shunned us in public," said Maiffret. "Yeah, the NIPC screwed us. It's all political crap and the NIPC will never succeed until they get a lot more technical and a lot less political."

"Maiffret's job title kept eEye out of the big press conference," said Rob Rosenberger of vMyths. "No one wanted a 'chief hacking officer' in the roundup so soon after (NIPC Director Ronald) Dick's senatorial carpet-calling."
Weierman said that many people who had contributed information about Code Red weren't included in the press conference, simply because of "logistics."

But Maiffret said that eEye would still continue to help the NIPC. "Actually, we're meeting with them again today to explain how Code Red II works."

Meanwhile, to keep the spread of the Code Red worms from slowing down its cable Internet network, AT&T is blocking access to port 80 Web servers run by residential customers, a spokeswoman said Wednesday.

"We are trying to protect our greater user population as a whole," said AT&T spokeswoman Sarah Eder. The company provides cable Internet access to 1.35 million residential customers, she said.

By blocking incoming traffic to Web servers, AT&T is effectively shutting down the websites, which residential customers are not supposed to be operating anyway, Eder said.

"According to our official use policy, customers are not permitted to operate Web servers behind cable modems," she said. Commercial customers of AT&T's cable Internet service are not affected, she added.

Reuters contributed to this report.