[ISN] The Hunt for the Worm Writers

From: InfoSec News (isnat_private)
Date: Fri Aug 10 2001 - 01:20:19 PDT

  • Next message: InfoSec News: "[ISN] DEF CON 9 - Open Letter to the community"

    By Michelle Delio 
    6:14 a.m. Aug. 9, 2001 PDT 
    Internet users have become all too familiar with SirCam and Code Red,
    but the creators of the two worms that have plagued the Internet this
    summer remain a mystery.
    If the FBI's National Infrastructure Protection Center has its way,
    the identities of those who wrote and released the malicious little
    bundles of code into the world will be known soon.
    "We are very serious about finding the authors of Code Red and
    SirCam," the NIPC's Debra Weierman said. "Intentional transmission of
    worms or viruses across the Internet is a felony. This is a major
    offense, not some inconsequential lark."
    Weierman acknowledged that finding a worm's author is often akin to
    assembling a complex jigsaw puzzle whose pieces are scattered all
    around the globe, but she said that the NIPC is confident that they
    will be able to track both worms' creators.
    "We have 4,000 security professionals around the world who are giving
    us information," Weierman said. "It's only a matter of time."
    Piecing together the puzzles of SirCam and Code Red requires a solid
    knowledge of the people who code worms. Without knowing who's who in
    the virus world, and why they do what they do, it's easy to miss
    crucial clues -- and make mistakes.
    On Wednesday, Frank Felzmann, the head of Germany's Federal Office for
    Information Technology Security said that he had tracked down the
    authors of Code Red.
    Felzmann was quoted as saying that the worm had been authored by 29a,
    "a hacking group from the Netherlands."
    But members of 29a said they are not from the Netherlands and did not
    have anything to do with Code Red.
    According to news reports, Felzmann said that 29a had taken credit for
    the worm in hacking newsgroups, but a search across Usenet on
    Wednesday only turned up a discussion by several Russian programmers
    who had momentarily confused a virus called "RedCode," whose code
    contains a credit to "Wintermute/29a," with Code Red.
    "Yes, Wintermute, a former member of 29a, coded a virus called
    RedCode," said Mental Driller, a 29a member. "But it is a primitive
    virus that only worked under DOS systems. It isn't in any way the Code
    Red virus that media has been talking about."
    Felzmann did not immediately reply to requests for comment.
    Some virus writers like to tuck a reference to themselves into their
    code, but so far no one has been able to discover any clues to the
    writer's identity in any of the three versions of Code Red that have
    spread across the Internet since the worm was first spotted in July.
    SirCam does appear to contain some pointers to its writer. A text
    string that fills the hard drives of some infected computers reads:
    '[SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo,
    Michoacan Mexico]'
    The town of Cuitzeo holds a big festival on Oct. 16, the same day that
    SirCam is programmed to virtually roll the dice on any infected
    computers. That day, SirCam will generate a random number that has a
    1-in-20 chance of forcing the infected machine to delete all the files
    on its hard drive. Weierman could not comment on ongoing
    investigations, but said the NIPC is studying all reports on both of
    the worms' contents carefully.
    "If the worm writer is not located in the U.S., the NIPC will alert
    local law enforcement and work with them to make sure the writer is
    held liable under local laws," Weierman said. "In the U.S., the
    authors of Code Red and SirCam would face a five-year sentence, a fine
    of up to $250,000 for each incident of damage, and perhaps civil suits
    from companies and people whose networks or computers have been
    Weierman said the NIPC relies heavily on the expertise of people
    around the world who are familiar with the computer underground "who
    network with us and share information."
    But most of the security firms that are working with the NIPC do not
    try to find worm writers.
    Internet Security Systems' X-Force team, which has been working
    closely with the NIPC on Code Red and SirCam, has no plans to try to
    track down the creators of the worms.
    "We don't deal in law enforcement, we just pass along the technical
    details as we discover them to the NIPC," said Dan Ingevaldson,
    X-force team leader.
    That sentiment was echoed by eEye Digital Security, the first security
    firm to identify the hole that Code Red exploits, and first to fully
    analyze all three versions of the Code Red worm.
    Marc Maiffret, chief hacking officer at eEye said his team had worked
    around the clock to provide their pieces of the puzzle to the NIPC.
    "The coolest thing had to be when one of the head FBI investigators
    called us and said they needed to know what the worm was going to
    attempt to do against the whitehouse.gov website and what could they
    do to stop it," said Maiffret. "They said they needed the information
    in 10 minutes because they were going to be briefing the White House."
    But Maiffret said the team is "not really focusing on trying to track
    down who coded the worms or anything like that. We leave that to the
    government guys."
    Only a few security experts, like Richard Smith of the Privacy
    Foundation, attempt to trace worm authors.
    Smith said he enjoys tracking virus writers -- "putting together all
    the puzzle pieces is fascinating," he said -- but hasn't had time to
    take a close look at either Code Red or SirCam yet.
    Smith thinks the NIPC could coordinate an effort to find Code Red's
    "Server and firewall logs indicate which machines are infected, so if
    the NIPC requested that everyone submit their logs, and examined each
    log for the first attack, they could probably figure out which machine
    was the first to begin spreading the worm," Smith said. "It would be a
    horrendous job, but I would bet the NIPC could do it."
    Smith said that worm hunters need a lot of patience and have to be
    willing to share clues with other hunters.
    Smith found the author of the Melissa worm by locating a "digital
    fingerprint," a distinctive piece of code, within the string of
    Smith then posted some information about the fingerprint in a
    newsgroup, and other posters pointed out similarities between
    Melissa's code and some virus creation kits that "VicodinES" had
    posted on the Web.
    Smith found the same digital fingerprints in VicodinES's kits as he'd
    discovered in Melissa, establishing a trail of virtual evidence that
    helped lead the FBI to David L. Smith, Melissa's author.
    "It's not too hard to locate one or two pieces of the puzzle," Smith
    said. "But it can be hard to put it all together into one big
    Looking at the whole picture may require the NIPC to go down some
    highways that they might not choose to travel.
    EEye's Maiffret was angry that his team wasn't included in the NIPC's
    big July 29 press conference on the return of Code Red.
    "We spent many, many hours holding NIPC's hand in private and they
    basically shunned us in public," said Maiffret. "Yeah, the NIPC
    screwed us. It's all political crap and the NIPC will never succeed
    until they get a lot more technical and a lot less political."
    "Maiffret's job title kept eEye out of the big press conference," said
    Rob Rosenberger of vMyths. "No one wanted a 'chief hacking officer' in
    the roundup so soon after (NIPC Director Ronald) Dick's senatorial
    Weierman said that many people who had contributed information about
    Code Red weren't included in the press conference, simply because of
    But Maiffret said that eEye would still continue to help the NIPC.
    "Actually, we're meeting with them again today to explain how Code Red
    II works."
    Meanwhile, to keep the spread of the Code Red worms from slowing down
    its cable Internet network, AT&T is blocking access to port 80 Web
    servers run by residential customers, a spokeswoman said Wednesday.
    "We are trying to protect our greater user population as a whole,"
    said AT&T spokeswoman Sarah Eder. The company provides cable Internet
    access to 1.35 million residential customers, she said.
    By blocking incoming traffic to Web servers, AT&T is effectively
    shutting down the websites, which residential customers are not
    supposed to be operating anyway, Eder said.
    "According to our official use policy, customers are not permitted to
    operate Web servers behind cable modems," she said.
    Commercial customers of AT&T's cable Internet service are not
    affected, she added.
    Reuters contributed to this report.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 06:43:13 PDT