[ISN] FBI Skeptical on Internet Attack Source

From: InfoSec News (isnat_private)
Date: Thu Jan 30 2003 - 00:46:38 PST


    Forwarded from: ERRI-SIX <sysopat_private>
    
    http://www.washingtonpost.com/wp-dyn/articles/A60507-2003Jan29.html
    
    By Ted Bridis
    Associated Press Writer
    Wednesday, January 29, 2003
    
    WASHINGTON -- Leading experts on Internet security are skeptical that
    the FBI and other investigators will be able to track down whoever was
    responsible for last weekend's attack on the Internet.
    
    These experts, including many who provide technical advice to the FBI
    and other U.S. agencies, said exhaustive reviews of the blueprints for
    the attacking software are yielding few clues to its origin or the
    author's identity.
    
    "The likelihood of being able to track down the specific source of
    this is very unlikely," said Ken Dunham, an analyst at iDefense Inc.,
    an online security firm. "We don't have the smoking gun."
    
    The worm's author could face up to life in prison under new U.S.  
    anti-terror legislation passed two months ago, some legal experts
    said.
    
    Under the Cyber-Security Enhancement Act, prosecutors can seek a life
    sentence against hackers caught launching attacks that cause or
    attempt to cause deaths. An attack aimed at causing "serious bodily
    injury" could result in 20 years behind bars.
    
    "It would depend on the intent of the person who released this and the
    foreseeable harm it might cause," said Marc Zwillinger, a former top
    Justice Department cyber prosecutor. "It's not clear this is an act of
    terrorism."
    
    Many top experts believe the programming for the Internet worm was
    based on software code published on the Web months ago by a respected
    British computer researcher, David Litchfield, and later modified by a
    virus author known within the Chinese hacker community as "Lion."
    
    Litchfield, who works for NGS Software Inc., said Wednesday that he
    now appreciates the dangers in publicly disclosing such computer code.  
    He said he originally published those blueprints for computer
    administrators to understand how hackers might use the program to
    attack their systems.
    
    "One has to question whether the benefits are outweighed by the
    disadvantages," Litchfield said in a telephone interview from his home
    in London. "I'm certainly going to be more careful about the way in
    which anything is disclosed."
    
    The altered computer code was published in the online hangout for the
    Hacker Union of China, known as Honker, a group active in skirmishes
    between American and Chinese hackers that erupted in 2001 after the
    forced landing of a U.S. spy plane.
    
    But experts said it was impossible to say whether members of that
    Chinese hacker organization unleashed the damaging worm.
    
    "There are unmistakable similarities," said Neel Mehta, who studied
    the programming for Atlanta-based Internet Security Systems Inc. "It
    goes far beyond coincidence, but I'm certainly not going to say Honker
    did this."
    
    ISS said that its own analysis identified at least 247,000 infected
    computers worldwide, far higher than earlier estimates.
    
    Unlike attacking software used in some previous high-profile Internet
    disruptions, the latest code is exceedingly condensed and doesn't
    include references to hacker aliases or locations. It also used a
    transmission method that made it especially easy for its author to
    throw off investigators by falsifying his digital trail.
    
    "It's as bare bones as it gets," said Marc Maiffret of eEye Digital
    Security Inc. "There was just enough to break in and make it
    propagate."
    
    The blueprints for the destructive "Love Bug" virus, unleashed in May
    2000 by a Filipino computer student, included references within the
    computer code to his classmates and the university he attended. Those
    mistakes helped U.S. investigators track him within 24 hours.
    
    "It will be virtually impossible" for federal agents to trace the
    latest worm's author by studying blueprints or searching for the
    attack's origin, said Kevin Mandia, an investigator for Foundstone
    Inc. "It's not going to be easy at all."
    
    An FBI spokesman, Paul Bresson, acknowledged the challenges facing
    cyber investigators given the scarcity of clues tucked inside the
    computer code.
    
    All this doesn't mean investigators won't get lucky: Hackers routinely
    draw the FBI's attention by claiming credit for their online exploits
    in chat rooms. That's how the FBI traced attacks against major
    American e-commerce sites in February 2000 to a Canadian youth.
    
    "The kind of people who do this, fame and notoriety are the primary
    motivation," said Zwillinger, now with the Sonnenschein, Nath &
    Rosenthal law firm. "They don't derive financial benefit from
    unleashing a worm. If they can't claim credit, what's the point?"
    
    -
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 03:25:31 PST