[ISN] To catch crooks in cyberspace, FBI goes global

From: InfoSec News (alerts@private)
Date: Sun Nov 26 2006 - 23:28:42 PST


http://www.post-gazette.com/pg/06325/740139-96.stm

By Cassell Bryan-Low
The Wall Street Journal
November 21, 2006

ANKARA, Turkey -- On Aug. 16, 2005, a CNN television news bulletin 
alerted viewers that computers at the network's New York and Atlanta 
offices were infected with a new virus called Zotob. Soon, U.S. 
companies from coast to coast were hit.

Halfway around the world, two young computer hackers in Turkey and 
Morocco got spooked by the ensuing media coverage, but mocked the 
ability of authorities to track them down. "They can't find me," wrote 
Atilla Ekici, a 23-year-old Turk, in an email to his accomplice, a 
19-year-old Moroccan called Farid Essebar. "Ha, ha, ha," replied Mr. 
Essebar.

The U.S. Federal Bureau of Investigation, however, was already hot on 
their trail. The 98-year-old FBI, which has traditionally focused on 
domestic crime, is extending its reach beyond U.S. borders and boosting 
cooperation with other law-enforcement agencies in pursuit of 
cybercriminals, much as the agency has done in tracking down terrorists 
overseas.

The shift reflects the global nature of computer crimes, which include 
unleashing viruses, worms and other rogue programs onto victims' 
computers to disrupt them or steal information. As electronic borders 
between countries blur, hackers in one nation can easily commit crimes 
against individuals, corporations and governments on the other side of 
the world.

The FBI now ranks cybercrime as its third priority behind terrorism and 
espionage. Computer-based crimes caused $14.2 billion in damages to 
businesses around the globe in 2005, including the cost of repairing 
systems and lost business, estimates Irvine, Calif., research firm 
Computer Economics.

Building relationships with police in other countries is "the only way 
we are going to effectively get a handle on the problem," says 
Christopher Painter, deputy chief of the Justice Department's Computer 
Crime Section.

The FBI is running into limits fighting international computer crime. 
Cybercrooks remain difficult to pinpoint in part because hackers can 
hide their tracks by commandeering computers from afar and routing their 
activities through machines dotted around the world.

Even when the agency does find suspects overseas, local authorities 
sometimes lack the resources or laws to prosecute. In its pursuit of 
LoveBug, one of the first big international computer viruses, which 
spread around the world in 2000, the FBI located its creator in the 
Philippines. But he was never charged because local laws didn't specify 
the virus writer's activities as illegal at the time.

"The criminal community is winning," says Nicholas Ianelli, a security 
analyst at the CERT Coordination Center at Carnegie Mellon University, a 
federally funded group that coordinates responses to computer-security 
incidents.

But the agency is making some headway, thanks partly to a diplomatic 
offensive to enlist help from foreign agencies. It now has about 150 
agents deployed in some 56 offices around the world, including in Iraq 
and China, which deal with computer intrusions, as well as terrorism and 
other crimes. That has grown from about a dozen offices in the early 
1990s.

During the past two years or so, the FBI has also built up Cyber Action 
Teams, or CATs -- a group of about 25 people that includes agents, 
computer forensic experts and specialists in computer code, according to 
David Thomas, the deputy assistant director of the FBI's science and 
technology branch. Establishing the team has taken longer than expected, 
in part because of the challenges of hiring people with the right 
skills, Mr. Thomas says.

Earlier this month, the FBI announced the arrest of at least 16 
individuals involved in a credit-card theft scam as part of an 
investigation spanning the U.S., Poland and Romania. As part of the 
probe, the FBI temporarily posted several agents with Polish and 
Romanian police to assist with surveillance and information sharing.

Some overseas police agencies have noticed the change. The FBI is "much 
more open to interaction" than it was even a few years ago, says Kevin 
Zuccato, director of the Australian federal police's high-tech crime 
center. One FBI agent is even embedded full-time with Australia's 
high-tech crime center. Usually, FBI agents are posted within U.S. 
embassies and consulates abroad.

Police in other countries can also get touchy about defending their turf 
from outsiders, just as a local beat cop in the U.S. might resent 
interference from the FBI on a murder case. In 2002, Russian police 
accused an FBI agent of computer hacking after the agent seized 
evidence against two Russian hackers by downloading data from their 
computers in Russia without approval from local authorities. Russia 
hasn't pursued the charges, however, and the agent is still at the FBI. 
The two countries have since worked together on several cybercrime cases.

The FBI's overseas push is still a long way from winning the borderless 
battle against cybercrime. But as the tale of the Zotob virus shows, the 
agency is scoring some victories.

By Sunday Aug. 14, 2005, the FBI and antivirus software companies 
noticed that a virus called Zotob had started to spread. The virus 
infected computers by taking advantage of a weakness in some versions of 
Microsoft Corp.'s popular Windows operating system, causing them to slow 
or reboot repeatedly.

But that wasn't all: Zotob opened a door for other malicious software to 
be installed, such as "key-logging" programs that record what a PC user 
types into a keyboard -- a way to snatch credit-card numbers and other 
information that is sold to criminal gangs. Some analysts estimate that 
Zotob hit 100,000 or more companies, including Time Warner Inc.'s CNN 
division and New York Times Co.

Even before the virus became famous by attacking CNN's computers, FBI 
Agent Erkan Chase and his colleagues were tracking the code. They 
discovered that the Zotob computer program had a signature line "by 
Diabl0". Mr. Chase, a 41-year-old former New York cop, recalled the 
nickname from another virus that he had started monitoring earlier in 
the year, called Mytob. That suggested the same person created both 
viruses.

Mr. Chase, who was overseeing the FBI's Cyber Action Teams at the time, 
checked in with the FBI's U.S. field offices and found that agents in 
Seattle had opened an investigation into Diabl0 after Mytob hit, linking 
him to an email account at Microsoft in nearby Redmond, Wash. With 
search warrants served on the software giant, Mr. Chase and his 
colleagues obtained emails between Diabl0 and another suspect using the 
nickname "Coder." They also received subscriber information and other 
evidence indicating the two were using computers in Morocco and Turkey, 
respectively.

In their email traffic, the tone of the hackers became cautious after 
media coverage of the virus, especially a local report in Turkey that 
authorities believed one of the hackers might be living there. The two 
suspects discussed whether to get rid of the evidence by wiping or 
ditching their computer hard drives.

That raised the pressure on Mr. Chase to act quickly and try to arrest 
the two young men before it was too late. "We had to respond pretty 
quickly because we didn't want to get out there and find there was no 
evidence," he said.

Late afternoon on Aug. 18, 2005, just days after the virus hit, the head 
of the Turkish national police's cybercrime unit, Omer Tekeli, received 
a call from the U.S. Embassy in Ankara asking for help. The FBI teams 
only travel overseas at the behest of local authorities and don't have 
special powers to make arrests, but can offer technical and 
investigative assistance.

Mr. Tekeli agreed, and later that same day, an FBI agent from the 
Seattle office called to brief Turkish police on the details, including 
information they had gathered on Coder, Mr. Tekeli says. Mr. Tekeli's 
team soon identified Coder as Mr. Ekici, a farmer's son who had taught 
himself about computers at Internet cafes. Turkish authorities already 
knew of Mr. Ekici from an earlier investigation into a gang of 
credit-card thieves. Among other details, the FBI provided an email 
address for Coder that included part of Mr. Ekici's name as well as the 
equivalent of digital fingerprints that linked Coder's computer with Mr. 
Ekici's home address.

On Aug. 21, a week after noticing the virus, Mr. Chase left with a team 
of about a dozen people for Morocco and Turkey, flying in an FBI 
Learjet. The fact that Mr. Chase, whose mother is Turkish, spoke some of 
the local language helped smooth the process. After dropping half the 
group in the Moroccan capital of Rabat, Mr. Chase landed in Ankara, 
Turkey.

At the sparsely furnished offices of Turkey's cybercrime police, the FBI 
team handed over evidence they had obtained about the suspects from 
Microsoft and about 25 pages of analysis of the malicious code. FBI 
engineers gave a roughly hour-long presentation on how the code worked, 
complete with slides. In Rabat, meanwhile, emails provided by the FBI 
enabled Moroccan authorities to locate Diabl0 -- Mr. Essebar -- as well 
as an accomplice. Email headers typically carry a set of numbers, known 
as an Internet protocol address, which identifies the sending computer's 
connection to the Internet. Moroccan police were able to obtain the name 
and contact details associated with the Internet protocol addresses 
received from the FBI from a local Internet service provider.

The FBI's documents also helped local authorities swiftly secure arrest 
and search warrants. Concerned that the arrest of one suspect would tip 
off the others, Mr. Chase helped the two countries coordinate the raids. 
In the early hours of Aug. 25, Turkish police officers surrounded Mr. 
Ekici's home and took him into custody. About 2,000 miles away in Rabat, 
police moved in on Mr. Essebar and his accomplice. The FBI wasn't 
invited to be present at either of the arrests. Turkish and Moroccan 
authorities say that is because only local police are allowed to charge 
suspects under the respective national laws.

Mr. Ekici in Turkey had disposed of his computer hard drive, so Turkish 
investigators weren't able to gather much evidence from his machine. But 
Mr. Essebar in Morocco had only reformatted his hard drive, which removes 
the listing of files but often leaves their contents on the disk, so the 
Moroccan police's computer specialists were able to recover most of them.
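An added illustration of why the reformatted drive still yielded evidence (a constructed toy disk image, not the Moroccan police's tooling or any real evidence from the case): a quick format clears the directory metadata while the file contents stay in the data area, so a signature-based carve still recovers them.

```python
# Constructed toy disk image: one directory sector, then a data area. Real file
# systems are more complex, but the principle is the same: a quick format
# rewrites the metadata, not the data blocks (assumes nothing was overwritten).
SECTOR = 512
# Header/footer signatures used for carving (footer is kept in the result).
SIGNATURES = {"jpeg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}

def make_image(files, size=16 * 1024):
    """Write files into a fresh image and record them in the directory sector."""
    img, entries, offset = bytearray(size), [], SECTOR
    for name, data in files:
        img[offset:offset + len(data)] = data
        entries.append(f"{name}:{offset}:{len(data)}")
        offset += -(-len(data) // SECTOR) * SECTOR  # round up to next sector
    table = ";".join(entries).encode()
    img[0:len(table)] = table
    return img

def list_directory(img):
    """Parse the directory sector; an all-zero sector means no entries."""
    table = bytes(img[0:SECTOR]).rstrip(b"\x00")
    return [e.split(":")[0] for e in table.decode().split(";")] if table else []

def quick_format(img):
    """Simulate a reformat: wipe the directory sector only, leave data blocks."""
    img[0:SECTOR] = bytes(SECTOR)

def carve(img):
    """Recover files by scanning for signatures, ignoring the (lost) metadata."""
    data, found = bytes(img), []
    for kind, (head, tail) in SIGNATURES.items():
        start = data.find(head)
        while start != -1:
            end = data.find(tail, start + len(head))
            if end != -1:
                found.append((kind, start, data[start:end + len(tail)]))
            start = data.find(head, start + 1)
    return sorted(found, key=lambda f: f[1])

# Constructed sample files, not real evidence from the case.
SAMPLE_FILES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0JFIF pixels...\xff\xd9"),
    ("invoice.pdf", b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"),
]

def demo():
    """Return the directory listing before and after the format, and carved files."""
    img = make_image(SAMPLE_FILES)
    before = list_directory(img)
    quick_format(img)
    return before, list_directory(img), carve(img)
```

A full overwrite of the data area (or physically discarding the drive, as in the Turkish case) is what actually defeats this kind of recovery.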

Among the finds were copies of the code itself and other information 
identifying Mr. Essebar as Zotob's author. Police also found emails 
between Diabl0 and Coder discussing Zotob as well as the numbers of 
about 1,600 stolen credit cards.

In parallel, FBI specialists worked off a copy of the hard drive, 
searching for relevant emails and writing a piece of computer code on 
the fly to help them analyze the program. "We were able to use that 
information from Morocco and give it to Turkish authorities to further 
(their) investigation," says Mr. Chase.

In September of this year, a Rabat court sentenced Mr. Essebar, a 
Russian-born Moroccan national, to two years in prison for 
virus-writing, illegal access to computers and conspiracy to commit 
credit-card fraud. The court also sentenced his 21-year-old accomplice 
to one year in prison for conspiracy to commit fraud. A lawyer for Mr. 
Essebar couldn't be reached. At the time of the sentencing, news service 
Agence France Presse cited a lawyer for the defendants saying they 
planned to appeal.

Authorities allege Mr. Ekici, whom they believe met Mr. Essebar at a Web 
site for credit-card fraudsters, was responsible for disseminating the 
Zotob worm and intended to use it to steal financial information. But 
they say it is unclear whether he had time to swipe any information or 
profit from it given the speed with which they were able to arrest him, 
less than two weeks after the worm first spread.

The trial of Mr. Ekici, whom Turkish authorities have charged with 
unauthorized access to computers and disseminating a virus, continues in 
Turkey. He couldn't be reached for comment.

The Zotob case marked the first time foreign law enforcement has come to 
Turkey to assist in a cybercrime investigation, says Mr. Tekeli, the 
cybercrime unit chief in Turkey. Without the FBI's help, the 
investigation "would have been more difficult and more time consuming," 
he says. Hakim Aarab, an engineer in the Moroccan police's computer 
division, says because of the borderless nature of cybercrime, 
"international collaboration is an obligation, it's not an option."

(Guy Chazan in Moscow contributed to this article.)


This archive was generated by hypermail 2.1.3 : Sun Nov 26 2006 - 23:32:28 PST