Re: Any leads?

From: Crispin Cowan (crispin@private)
Date: Fri Sep 21 2001 - 12:18:23 PDT

  • Next message: Kuo, Jimmy: "RE: Any leads?"

    Jimmy Sadri wrote:
    
    >	I'm just curious if there are any leads on who 
    >created this Nimda virus or even Code Red for that matter?
    >I really hope they catch whoever it is and make an example
    >out of them.  I don't appreciate having my bandwidth that
    >I pay $$$ every month wasted by these "worms/viruses".
    >
    Don't hold your breath waiting. The authors of worms & viruses are only 
    ever found when they engage in egregious stupidity, such as bragging 
    about their achievements on chat rooms, or failing to erase the serial 
    numbers that MS Office scribbles on Office documents.
    
    The Melissa author was caught because he posted the infectious document 
    from his own AOL account to a news group, rather than releasing it 
    through a hacked account. His guilt was confirmed when the serial number 
    in the document matched the PC in the dumpster outside his bedroom :-)
    
    But Code Red and its derivatives are not Office documents, and 
    therefore have no serial numbers. That investigators appear to have no 
    leads months after Code Red appeared tells me that it was likely 
    released to the wild from a compromised machine, or perhaps 
    simultaneously released from multiple compromised machines. If the 
    author(s) were good, then those compromised machines were initially 
    attacked from other compromised machines. Likely all of these initial 
    release vector machines have long since been wiped and re-installed, and 
    the links to the author(s) have been cut.
    
    Computer forensics is the opposite of physical forensics. With a 
    physical crime, human activity leaves behind many tell-tale signatures: 
    finger prints, hair, blood, semen, etc., all of which provide positive 
    identification of individuals. Computer forensics is the opposite: you 
    get no clues, except those which the attacker chooses to leave behind. 
    The attacker does not leave fingerprints, but may choose to leave a 
    signature, taunting the investigator with "can't catch me!" Only stupid 
    attackers leave signatures, and the attackers are getting smarter.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
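The "serial number" in the Melissa case is commonly described as the version-1 GUID that Office 97 wrote into documents, whose node field carries the Ethernet MAC address of the machine that created the file. Assuming that account, the following added example (not part of the original message, and not Cowan's or WireX's code) shows what such an identifier gives an investigator: the creation timestamp and the hardware address, plus the RFC 4122 multicast-bit check that tells you whether the node is a real MAC or a random value, which is exactly the distinction between an artifact that points at a machine and one that does not. The sample UUID is constructed inline with a made-up MAC; the date chosen is only illustrative.

```python
import uuid
from datetime import datetime, timedelta, timezone

# 100-ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (RFC 4122).
UNIX_EPOCH_TICKS = 0x01B21DD213814000
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def make_v1_uuid(unix_seconds, node, clock_seq=0x1234):
    """Assemble a version-1 UUID the way a generator that uses the network card's
    MAC as the node would. Used here only to build constructed sample input."""
    ticks = UNIX_EPOCH_TICKS + unix_seconds * 10_000_000
    time_low = ticks & 0xFFFFFFFF
    time_mid = (ticks >> 32) & 0xFFFF
    time_hi_version = ((ticks >> 48) & 0x0FFF) | 0x1000      # version nibble = 1
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80   # RFC 4122 variant bits
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


def decode_v1_uuid(text):
    """Recover (timestamp, mac, is_hardware_mac) from a version-1 UUID.

    Returns None for any other version: a v4 (random) UUID carries nothing
    to trace, so the investigator gets no lead from it."""
    u = uuid.UUID(str(text))
    if u.version != 1:
        return None
    # u.time is the 60-bit count of 100-ns ticks since the UUID epoch.
    when = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    mac = ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    # RFC 4122: a node not taken from a real interface sets the multicast bit,
    # so a clear bit is the only case where the value can identify a machine.
    is_hardware_mac = not (u.node >> 40) & 0x01
    return when, mac, is_hardware_mac


if __name__ == "__main__":
    # Constructed sample: a fictitious MAC 00:50:da:1c:2b:3e stamped on 1999-03-26.
    sample = make_v1_uuid(922406400, 0x0050DA1C2B3E)
    print(sample, decode_v1_uuid(sample))
    print(decode_v1_uuid(uuid.uuid4()))  # None: nothing to recover
```

The timestamp comes out in UTC and the MAC in the usual colon notation; a practitioner would then match the MAC against the OUI registry and against hardware seized in the investigation, which is the step the message describes for Melissa.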
    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:36 PDT