[ISN] Why Worm Writers Stay Free

From: InfoSec News (isnat_private)
Date: Thu Dec 27 2001 - 23:17:21 PST

  • Next message: InfoSec News: "Re: [ISN] Fitting IT into homeland security"

    By Michelle Delio 
    2:00 a.m. Dec. 27, 2001 PST 
    Virus writers often act as if the Internet, the most public forum in
    the world, is their very own private playground.
    Law enforcement officials are amused and amazed by the many virus
    writers who carefully include identifying comments or credits in their
    code, and who often are found bragging about their skills and latest
    creations in newsgroups or on Internet Relay Chat channels.
    "Cyber criminals are like idiot Hansel and Gretels, scattering
    electronic breadcrumbs that lead straight to them," said retired New
    York City detective Pete Angonasta. "You just don't see this sort of
    behavior in other criminals. I've never seen a burglar leaving cute
    notes crediting the crime to himself. And I've never run across a
    burglar who puts up a self-promotional website or goes into a chat
    room to discuss the night's activities."
    But their high profiles seemingly do not make virus writers easier to
    apprehend. Virtually all captured coders either confessed or were
    arrested only after techies discovered their identities and informed
    Overworked and under-funded law enforcement officials rely heavily on
    tips from computer security experts to identify virus writers. But
    many computer experts are now too busy scrambling to survive in a
    tight economy to play cybersleuth. Providing products that protect
    against security holes and viruses can be a profitable business, but
    discovering the identities of virus writers is always charity work.
    So even though many viruses do contain laughably clear clues that
    could lead law enforcement agents directly to their writers, the
    authors of such electronic evils as Code Red, Nimda and SirCam
    probably won't be caught unless a curious geek with some spare time
    decides to do a good deed and track down the worm writers.
    The latest busted worm writers are four Israeli teenagers who have
    confessed to creating the Goner worm.
    According to credits in its code, Goner was called "Pentagone" by its
    creators. Israeli newspaper Ha'aretz Daily reported that DALnet IRC
    network administrators quickly discovered the virus writers chatting
    on a channel that the teenagers had cleverly named "Pentagone" and
    turned over the information to Israeli police.
    "Security people often run a search on the clues in a virus' code. The
    Pentagone channel was pretty easy to find and people were soon in
    there calling these guys idiots and assholes," said Sam Silverman, a
    systems administrator who checked the channel to find out more about
    the worm. "They admitted they wrote the worm, but said they didn't
    expect it to spread so far and fast."
    Jan de Wit, author of the Anna Kournikova worm, also said that he
    watched in growing alarm as the worm he released spread wildly on hard
    drives around the world. Hours after he released the worm, and shortly
    after releasing a PR statement on his website, de Wit turned himself
    in to local police.
    Onel de Guzman, the suspected author of the Love Bug, was caught when
    a teacher at the AMA Computer College in Manila realized that the worm
    was remarkably similar to a thesis project submitted by a student who
    dropped out after the thesis was rejected.
    The teacher contacted local authorities who, thanks to a tip from a
    group of cybersleuths, had already narrowed their search to AMA.
    "I know it looks like the feds are slacking off and waiting for these
    guys to be delivered to them, but it's the same with any crime,"  
    detective Angonasta said. "Despite the popular image of detectives
    cleverly ferreting out suspects, most cases -- from murder to mugging
    -- are solved because someone was really stupid and someone else
    noticed and told us about it. Detectives don't discover information as
    much as we collate it."
    Debra Weierman of the FBI's National Infrastructure Protection Center
    acknowledged that the NIPC works with thousands of computer security
    people around the world to track down worm writers, an activity she
    likens to "assembling a complex jigsaw puzzle."
    Weierman also said the FBI and other law enforcement agencies
    specifically ask computer users to report incidences of viruses to
    them, so that agents can track the origin and spread of the code.
    But few users report viruses to the NIPC, said Weierman, who assumes
    that businesses are afraid of bad publicity, and home users think that
    a single computer virus doesn't merit contacting the FBI.
    Some law enforcement officers also said that while viruses aren't
    considered to be a trivial problem, they aren't highest on the list of
    crime concerns either.
    "Essentially, unless someone hands the smoking gun to the police, they
    normally won't go out and try to find these (virus writers) unless
    they do a lot of damage," said Ian McCormick from the Canadian Police
    Information Centre. "Cybercrime squads are spread thin and are often
    mandated to follow up on issues like computer fraud crimes or kiddie
    porn traders rather then virus writers."
    Some security experts feel that law enforcement needs to begin taking
    virus writing far more seriously.
    "We need to do this, if for no other reason than to show it's possible
    (to track virus writers)," Russ Cooper, editor of security news list
    NTBugtraq, said.
    "Forget that it may be problematic to extradite the individual, or
    that they may be young, or claim to be doing 'research.' We need to
    catch them, and place them in a position whereby they are seen for
    what they are -- a terrorist," Cooper said. "The cost to our
    businesses, not to mention our way of life, is simply too high to not
    pursue these individuals."
    But even when writers are caught and brought to trial, the legal
    system often doesn't know what to do with them.
    De Guzman was released because the Philippine government had no laws
    specifically dealing with computer crime, and was unable to develop a
    case against him.
    De Wit was found guilty at his trial, and was ordered to serve 150
    hours of community service. He was also offered a job managing his
    hometown's computer systems by the mayor.
    David Smith, author of the Melissa virus, pleaded guilty in December
    1999 and still hasn't been sentenced. Six court dates have come and
    gone, and Smith remains out on $100,000 bail. His lawyer, Edward
    Borden, did not return calls requesting comment.
    "We're sending a mixed message," Graham Cluley, senior technology
    consultant for Sophos Anti-Virus, said. "On the one hand, we say virus
    writing is a crime; on the other, we don't really pursue it. These
    guys get fame, and often even job offers, after releasing a virus. We
    have to send a consistent message that virus writing is not a good
    thing, before it totally spirals out of control."
    Love Bug, AnnaK and Melissa were coded to spread quickly, but did no
    physical damage to systems. But over the past year, nastier worms like
    Nimda and Code Red have opened infected systems to attack by malicious
    The coders of the more malicious worms rarely leave clear clues in
    their code. But security experts like Richard Smith, who was
    instrumental in tracking down the authors of the Love Bug and Melissa,
    said it's not impossible to track down more surreptitious worm
    "But it wouldn't be easy," said Smith. "For Code Red and Nimda, you'd
    probably need to examine the server logs of infected computers to
    track all the way back to where the worm started. You'd need to find
    out who got it first, and from where. It would be a horrendous job."
    SirCam, the e-mail virus that clogged networks this summer, might be
    easier to track.
    SirCam contains this text in its code: "SirCam Version 1.0 Copyright
    2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico."
    Smith has a hunch that the author of SirCam is or was in Cuitzeo, and
    is probably a student. Cuitzeo is located 16 miles from Morelia City,
    which boasts a large university.
    The NIPC's Weierman said that all leads are being pursued.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Dec 28 2001 - 06:02:24 PST