[iwar] [fc:Why.Worm.Writers.Stay.Free]

From: Fred Cohen (fc@all.net)
Date: 2001-12-27 21:39:53


Message-Id: <200112280539.fBS5drn04035@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
From: Fred Cohen <fc@all.net>
Date: Thu, 27 Dec 2001 21:39:53 -0800 (PST)
Subject: [iwar] [fc:Why.Worm.Writers.Stay.Free]

Why Worm Writers Stay Free
By Michelle Delio, Wired News, 12/27/2001
http://www.wired.com/news/print/0,1294,49313,00.html

Virus writers often act as if the Internet, the most public forum in the
world, is their very own private playground.

Law enforcement officials are amused and amazed by the many virus
writers who carefully include identifying comments or credits in their
code, and who often are found bragging about their skills and latest
creations in newsgroups or on Internet Relay Chat channels.

"Cyber criminals are like idiot Hansel and Gretels, scattering
electronic breadcrumbs that lead straight to them," said retired New
York City detective Pete Angonasta. "You just don't see this sort of
behavior in other criminals. I've never seen a burglar leaving cute
notes crediting the crime to himself. And I've never run across a
burglar who puts up a self-promotional website or goes into a chat room
to discuss the night's activities."

But their high profiles seemingly do not make virus writers easier to
apprehend. Virtually all captured coders either confessed or were
arrested only after techies discovered their identities and informed
authorities.

Overworked and under-funded law enforcement officials rely heavily on
tips from computer security experts to identify virus writers. But many
computer experts are now too busy scrambling to survive in a tight
economy to play cybersleuth. Providing products that protect against
security holes and viruses can be a profitable business, but discovering
the identities of virus writers is always charity work.

So even though many viruses do contain laughably clear clues that could
lead law enforcement agents directly to their writers, the authors of
such electronic evils as Code Red, Nimda and SirCam probably won't be
caught unless a curious geek with some spare time decides to do a good
deed and track down the worm writers.

The latest busted worm writers are four Israeli teenagers who have
confessed to creating the Goner worm.

According to credits in its code, Goner was called "Pentagone" by its
creators. Israeli newspaper Ha'aretz Daily reported that DALnet IRC
network administrators quickly discovered the virus writers chatting on
a channel that the teenagers had cleverly named "Pentagone" and turned
over the information to Israeli police.

"Security people often run a search on the clues in a virus' code. The
Pentagone channel was pretty easy to find and people were soon in there
calling these guys idiots and assholes," said Sam Silverman, a systems
administrator who checked the channel to find out more about the worm.
"They admitted they wrote the worm, but said they didn't expect it to
spread so far and fast."

Jan de Wit, author of the Anna Kournikova worm, also said that he
watched in growing alarm as the worm he released spread wildly on hard
drives around the world. Hours after he released the worm, and shortly
after releasing a PR statement on his website, de Wit turned himself in
to local police.

Onel de Guzman, the suspected author of the Love Bug, was caught when a
teacher at the AMA Computer College in Manila realized that the worm was
remarkably similar to a thesis project submitted by a student who
dropped out after the thesis was rejected.

The teacher contacted local authorities who, thanks to a tip from a
group of cybersleuths, had already narrowed their search to AMA.

"I know it looks like the feds are slacking off and waiting for these
guys to be delivered to them, but it's the same with any crime,"
detective Angonasta said. "Despite the popular image of detectives
cleverly ferreting out suspects, most cases -- from murder to mugging --
are solved because someone was really stupid and someone else noticed
and told us about it. Detectives don't discover information as much as
we collate it."

Debra Weierman of the FBI's National Infrastructure Protection Center
acknowledged that the NIPC works with thousands of computer security
people around the world to track down worm writers, an activity she
likens to "assembling a complex jigsaw puzzle."

Weierman also said the FBI and other law enforcement agencies
specifically ask computer users to report incidents of viruses to them,
so that agents can track the origin and spread of the code.

But few users report viruses to the NIPC, said Weierman, who assumes
that businesses are afraid of bad publicity, and home users think that a
single computer virus doesn't merit contacting the FBI.

Some law enforcement officers also said that while viruses aren't
considered to be a trivial problem, they aren't highest on the list of
crime concerns either.

"Essentially, unless someone hands the smoking gun to the police, they
normally won't go out and try to find these (virus writers) unless they
do a lot of damage," said Ian McCormick from the Canadian Police
Information Centre. "Cybercrime squads are spread thin and are often
mandated to follow up on issues like computer fraud crimes or kiddie
porn traders rather than virus writers."
Some security experts feel that law enforcement needs to begin taking
virus writing far more seriously.

"We need to do this, if for no other reason than to show it's possible
(to track virus writers)," Russ Cooper, editor of security news list
NTBugtraq, said.

"Forget that it may be problematic to extradite the individual, or that
they may be young, or claim to be doing 'research.' We need to catch
them, and place them in a position whereby they are seen for what they
are -- a terrorist," Cooper said. "The cost to our businesses, not to
mention our way of life, is simply too high to not pursue these
individuals."

But even when writers are caught and brought to trial, the legal system
often doesn't know what to do with them.

De Guzman was released because the Philippine government had no laws
specifically dealing with computer crime, and was unable to develop a
case against him.

De Wit was found guilty at his trial, and was ordered to serve 150 hours
of community service. He was also offered a job managing his hometown's
computer systems by the mayor.

David Smith, author of the Melissa virus, pleaded guilty in December
1999 and still hasn't been sentenced. Six court dates have come and
gone, and Smith remains out on $100,000 bail. His lawyer, Edward Borden,
did not return calls requesting comment.

"We're sending a mixed message," Graham Cluley, senior technology
consultant for Sophos Anti-Virus, said. "On the one hand, we say virus
writing is a crime; on the other, we don't really pursue it. These guys
get fame, and often even job offers, after releasing a virus. We have to
send a consistent message that virus writing is not a good thing, before
it totally spirals out of control."

Love Bug, AnnaK and Melissa were coded to spread quickly, but did no
physical damage to systems. But over the past year, nastier worms like
Nimda and Code Red have opened infected systems to attack by malicious
hackers.

The coders of the more malicious worms rarely leave clear clues in their
code. But security experts like Richard Smith, who was instrumental in
tracking down the authors of the Love Bug and Melissa, said it's not
impossible to track down more surreptitious worm writers.

"But it wouldn't be easy," said Smith. "For Code Red and Nimda, you'd
probably need to examine the server logs of infected computers to track
all the way back to where the worm started. You'd need to find out who
got it first, and from where. It would be a horrendous job."

SirCam, the e-mail virus that clogged networks this summer, might be
easier to track.

SirCam contains this text in its code: "SirCam Version 1.0 Copyright
2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico."

Smith has a hunch that the author of SirCam is or was in Cuitzeo, and is
probably a student. Cuitzeo is located 16 miles from Morelia City, which
boasts a large university.

The NIPC's Weierman said that all leads are being pursued.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST